Personal responsibility is key to cybersecurity
Servio Medina, one of the Defense Health Agency’s Health Information Technology leaders on cybersecurity, implores his audience to practice positive cyber hygiene. (MHS photo)
Simple human error, such as walking away from an unlocked computer or not having a passcode on a phone, accounts for more than half of all data breaches, according to the Society of Human Resource Professionals. A Defense Health Agency official believes cutting down on the number of data breaches takes more than training. Employees need to be “nudged” into better cybersecurity behavior.
“Cybersecurity training ensures that everybody gets some common core knowledge and has been exposed to certain principles,” said Servio Medina, one of the Defense Health Agency’s Health Information Technology leaders on cybersecurity. “A healthy cyber culture requires engagement at all levels, which should include training, education and even marketing.”
Medina pointed out that federal employees are required to take yearly cyber awareness training and comply with Health Insurance Portability and Accountability Act (HIPAA) guidelines for protecting health care information. Medina calls the hour or two of training “inadequate” because roughly 80 percent of cybersecurity breakdowns can be traced back to human error after training, according to a 2015 Department of Defense memo that included a plan to close the gap.
Part of the solution involves what Medina calls “nudges,” like pop-up notifications when a website’s security certificate is unverified.
During the Healthcare Information and Management Systems Society (HIMSS) 2017 conference in Orlando, Florida, Medina pointed out the importance of understanding what influences people in order to make the small changes that result in positive cyber hygiene.
Medina tries to understand why some people adopt security best practices while others participate in risky behavior, such as clicking on a link in what turns out to be a phishing email. In the process, he has spoken with behavioral psychologists to understand what influences human behavior and see how positive influences can be applied to cybersecurity. He suggested that breaches continue to happen because cyber hygiene is not part of everyone’s mindset. “For many, it is perceived as little more than an inconvenience and/or a disruption to their workday.”
Human errors in cybersecurity can happen for many reasons, but often result from carelessness, ignorance or poor judgement, said Medina. Helping people understand how cyber hygiene impacts their jobs and their lives outside of work can help make a personal connection. Medina used speeding as an example. Drivers tend to slow down when they see their speed displayed on the side of the road, or glimpse a traffic camera at an intersection, he said.
“We need nudges, we need reminders,” said Medina. He believes it takes three months to change a habit, six months to change a behavior and one year to change a lifestyle.
Similar to seeing speed displayed, configuring a web browser to provide those pop-up notifications can bring cybersecurity front and center at a critical moment.
“People can be influenced to obey speed limits while driving,” said Medina. “We can and should learn from successful efforts like these to influence behavior so we can promote and sustain positive cyber hygiene.”