Importance of Employee Awareness and Training For Cyber Security
The healthcare industry is one of the last sectors of society to practice regular update cycles for its computer systems, which is the main reason cybercriminals like to target it. Hospital records contain a lot of personally identifiable information, and because hospitals, especially public hospitals, have limited funding, credible cybersecurity systems are often not in place. Viruses, Trojans, theft of critical information, denial-of-service attacks, and malware in general are threats that have in recent times become almost daily incidents.
For the past decade or two, we have witnessed the remarkable success of various standards for implementing strategic models of information security: COBIT, COSO, CMMI, ISO 17799 and ISO 27001. If we analyze some of these regulations, one of the factors that should be established at the outset is the set of policies, principles, and compliance requirements of the Company, which will establish the focus of security management.
These documents must be published and made known to all employees. They should establish, in simple and easy-to-understand wording, the standards considered necessary for compliance with the established requirements, together with the general and specific responsibilities for security management, including the mechanism to follow to report any incident. Last but not least, it will be necessary to establish the consequences of violations of the security policy and rules that the Directorate has approved. The various security standards define as a key point the establishment of roles, responsibilities, and functions for all employees, and how to establish these security premises for any employee hired by third parties with access to Company information.
Despite the technical measures, the necessary resources and any policy or regulation that the Company can draw up and enforce, one of the most important assets in any security approach is the personnel themselves: every worker who handles information and manages resources according to the attributions and responsibilities assigned. Although this may seem obvious, not all organizations analyze and treat it with the same relevance as the implementation of a technical tool that affects the systems, such as a firewall, an antivirus or an access control system, serving as the perimeter defense of an organization from the outside world we all know as the Internet.
Awareness activities should serve as a permanent reminder of the policy and responsibilities, whether through the publication of brochures or informative days, and their purpose is that individuals can recognize security problems and incidents and respond according to their role and job. Training should focus on different aspects, such as specific policies, legal responsibilities, correct use of resources and technical measures, the disciplinary process, etc. Any organized activity must be carried out according to the professional profiles or the defined roles.
As part of their contractual obligations, employees should accept and sign the terms and conditions of their employment contract, which should establish their responsibilities as well as those of the Company with regard to security. The terms and conditions of the employment contract, in any of its modalities, should contain:
- The general policy defined and approved by the Management.
- A commitment of confidentiality and non-disclosure of the information they will handle during their work in the Company.
- Specific responsibilities related to regulations that affect the Company.
- Responsibilities for the classification of information and its treatment.
- Responsibilities for the handling of information received from other companies or third parties.
- Responsibilities for the treatment of information outside the usual facilities.
- Actions to be taken in case the employee fails to comply with security requirements.
The organization’s leadership should establish defined culture-based responsibilities in the field of workplace security; it is clear that systems, however complex and secure they may seem, are in the hands of users. Mechanisms should be established to publicize the general rules and mandatory requirements, without forgetting that it is the user who deals with the information and who must possess the appropriate knowledge and specific training, so that we can trust all the procedures and technology acquired by the organization in achieving a reliable and secure environment. These principles are very timely to put into practice, especially today, as many countries and even regional blocs like the EU want to protect their nationals from the threats of cyber attacks and data breaches.