On Tuesday, October 18 at AHIMA’s Annual Convention and Exhibit, Robert Brzezinski, MBA, CHPS, CISA, president, BizWit, LLC, will deliver his presentation, “Do Not Blame Hackers, You Are the Weakest Link: Why Security Awareness Programs Matter.” The session will take place from 3:15 p.m. – 4:15 p.m. in room 310 of the Baltimore Convention Center. The Journal recently spoke with Brzezinski for a preview of his session.
What are you hoping members will take away from your session?
I hope my presentation will help attendees better understand and communicate that end users and administrators are an integral part of the technology we use today. Ultimately there are no technical safeguards or tools that will provide 100 percent protection for an organization's systems or data. That's why we have to educate end users about the most common mistakes, how these mistakes can lead to security incidents, and why and how hacking attacks happen. Hopefully the presentation will help build the business case for funding security awareness programs. I think we still greatly under-appreciate the return on investment from employee training.
What should HIM professionals be focusing on now in regard to security awareness?
HIM professionals should be focusing on specific behaviors that create or contribute to security incidents within their organizations or within their lines of business. For some it could be the use of unapproved cloud services, for others it may be misdirected e-mails containing PHI or exposure to malware infections resulting from phishing campaigns. Keeping track of incidents and analyzing the root cause is essential in prioritizing and customizing security awareness training topics. In addition, frequently communicating ongoing privacy and security challenges, sharing examples of security incidents and threats, and rewarding good behaviors should be another focus area.
What can attendees hope to learn from previous security incidents?
I want to make a distinction between security incidents and data breaches—not all security incidents result in data breaches. But I strongly advocate for keeping track of security incidents because you can learn from that data, identify patterns and trends, better understand the root cause of the incident, and draw more accurate conclusions. Some security incidents, like policy violations (password sharing or software downloads), will point to misbehaviors and will support disciplinary actions. Others will point to so-called Indicators of Attack (IoA) (failed login attempts, malware detection/quarantine, pinging from suspicious IP addresses), and some will point to Indicators of Compromise (IoC) (a PC communicating with a malicious IP, log file deletion, account creation or password change). If I see frequent malware detection/quarantine on a certain employee's computers, that may be an indication that there is a need for some additional security awareness training, as they may be falling for e-mail phishing attacks or using PCs for non-work-related purposes and browsing non-reputable websites. Failed login attempts may point to network configuration issues or someone trying to access a PC using password spraying or brute force. How is that possible? Well, maybe an installed application such as Free RDP is making this PC visible on the Internet.
Security Incident and Event Management (SIEM) tools are essential in providing necessary visibility and detection capabilities, allowing us to dig a little deeper to understand and address security issues, and either preventing serious security incidents from happening or allowing us to respond quickly and minimize impact. Cloud-based technologies make advanced security tools available to smaller organizations. Formally documenting serious security incidents using a structured Security Incident Report (SIR) format, and incorporating a follow-up evaluation of how you responded, is an invaluable tool in improving the security incident response and security posture of the organization.
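The triage described in the answer above (sorting tracked incidents into policy violations, IoAs and IoCs, spotting a user whose machine keeps quarantining malware, and telling password spraying from brute force in failed-login data) can be run as a small script. The following is an added example with constructed data; it is not code from the interview, from BizWit, or from any SIEM product. The event names, the record layout, the thresholds and the sample log are all assumptions standing in for whatever a real SIEM export would contain.

```python
"""Triage a security-incident log into policy violations, indicators of
attack (IoA) and indicators of compromise (IoC), then pull out the patterns
discussed above: a repeat-malware user who is a training candidate,
failed-login bursts that look like spraying or brute force, and hosts
where an IoA was followed by an IoC (an incident to respond to, not a
training item). Added example with constructed data; event names,
thresholds and log format are assumptions.
"""
from collections import Counter, defaultdict

# Assumed event types mapped to the three buckets used in the discussion.
CATEGORY = {
    "password_shared":     "policy_violation",
    "unapproved_software": "policy_violation",
    "failed_login":        "IoA",
    "malware_quarantined": "IoA",
    "suspicious_ping":     "IoA",
    "c2_beacon":           "IoC",
    "log_deleted":         "IoC",
    "account_created":     "IoC",
    "password_changed":    "IoC",
}


def _event(day, kind, user, host, src="-"):
    """One incident record (constructed layout, not a vendor schema)."""
    return {"day": day, "type": kind, "user": user, "host": host, "src": src}


# Constructed sample log; none of these users, hosts or addresses are real.
INCIDENTS = [
    _event("2016-09-01", "malware_quarantined", "jdoe", "PC-17"),
    _event("2016-09-02", "password_shared", "asmith", "PC-03"),
    _event("2016-09-03", "malware_quarantined", "jdoe", "PC-17"),
    _event("2016-09-05", "malware_quarantined", "jdoe", "PC-17"),
    _event("2016-09-05", "unapproved_software", "bkim", "PC-09"),
    _event("2016-09-06", "malware_quarantined", "clee", "PC-11"),
    _event("2016-09-08", "c2_beacon", "jdoe", "PC-17", "192.0.2.55"),
    _event("2016-09-08", "log_deleted", "jdoe", "PC-17"),
]
# One source hammering a single account on an Internet-exposed PC: brute force.
INCIDENTS += [_event("2016-09-06", "failed_login", "admin", "PC-17", "203.0.113.9")
              for _ in range(25)]
# One source trying a single guess against many accounts: password spraying.
INCIDENTS += [_event("2016-09-07", "failed_login", u, "PC-03", "198.51.100.4")
              for u in ("asmith", "bkim", "jdoe", "clee", "mrao", "tng")]
# Ordinary typos from an internal address: should be left for human review.
INCIDENTS += [_event("2016-09-07", "failed_login", "mrao", "PC-21", "10.0.0.8")
              for _ in range(2)]


def summarize(incidents):
    """Count incidents per bucket; unknown event types are kept as 'unclassified'."""
    return Counter(CATEGORY.get(e["type"], "unclassified") for e in incidents)


def training_candidates(incidents, min_quarantines=3):
    """Users whose machines quarantined malware at least min_quarantines times."""
    hits = Counter(e["user"] for e in incidents if e["type"] == "malware_quarantined")
    return sorted(u for u, n in hits.items() if n >= min_quarantines)


def classify_failed_logins(incidents, brute_min=10, spray_min_users=5, spray_max_per_user=2):
    """Label each source IP's failed logins.

    brute_force: one account, many attempts from one source.
    password_spraying: many accounts, few attempts each, from one source.
    review: anything else (may be a misconfiguration rather than an attack).
    """
    by_src = defaultdict(Counter)
    for e in incidents:
        if e["type"] == "failed_login":
            by_src[e["src"]][e["user"]] += 1
    verdicts = {}
    for src, per_user in by_src.items():
        total = sum(per_user.values())
        if len(per_user) == 1 and total >= brute_min:
            verdicts[src] = "brute_force"
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            verdicts[src] = "password_spraying"
        else:
            verdicts[src] = "review"
    return verdicts


def hosts_escalated(incidents):
    """Hosts that logged an IoC on or after their first IoA: these need incident
    response and a Security Incident Report, not an awareness reminder."""
    first_ioa, escalated = {}, set()
    for e in sorted(incidents, key=lambda e: e["day"]):
        cat = CATEGORY.get(e["type"])
        if cat == "IoA":
            first_ioa.setdefault(e["host"], e["day"])
        elif cat == "IoC" and e["host"] in first_ioa and e["day"] >= first_ioa[e["host"]]:
            escalated.add(e["host"])
    return sorted(escalated)


if __name__ == "__main__":
    print("by category:", dict(summarize(INCIDENTS)))
    print("training candidates:", training_candidates(INCIDENTS))
    print("failed-login verdicts:", classify_failed_logins(INCIDENTS))
    print("hosts needing response:", hosts_escalated(INCIDENTS))
```

The thresholds are deliberately conservative and should be tuned against the organization's own baseline; the point of the split between `training_candidates` and `hosts_escalated` is the one made above, that a repeat-quarantine user is an awareness problem until the same host starts showing IoCs, at which point it is an incident to respond to and document.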
How can attendees start incorporating the lessons from your session in their organization right away?
First, maybe some of the facts and figures from the presentation will help build and communicate arguments for security awareness training and will help secure necessary resources. Second, small organizations should conduct general security awareness training for staff and focus on security issues and incidents pertinent to the company (talk to your IT staff to identify those). For larger organizations, you may want to start with training select departments or users. And finally, October is National Cyber Security Awareness Month, so push some security-awareness messages in company-wide communications like an e-mail from the president or a company newsletter. You can use some ideas and materials from staysafeonline.org.
Is there anything else you would like members to know about security awareness?
Security and security awareness cannot be an annual event—we learn through repetition. So talking more about these issues allows us to better understand threats and security. This reinforces secure behaviors, which helps us develop security incident-detection capabilities—which is the ultimate goal. My message is always: focus on security, and compliance will follow.