A couple of years ago, I wrote a blog post discussing how employee engagement is more about leadership than free coffee mugs and prizes.
Debbie Laskey has posted a great selection of ideas for engaging employees in the workforce. Some will apply to security awareness … some won’t. But well worth reading. Here’s the link: 25 Employee Engagement Tips to Improve Your Workplace
OK … so here it is … the secret recipe for success in security awareness training. It’s taken years and years of work in the classroom and online to figure it out, but I’m going to share this secret with you right now.
Two articles that I came across today highlight the serious risk of poor data destruction procedures.
The National Health Service in Surrey (UK) has been fined £200,000 (about US$300,000) for failing to completely remove patient data from recycled PCs – some of which ended up on an online auction site. The problem was spotted when a member of the public purchased one of these PCs via the auction site and discovered that it contained sensitive patient data relating to 900 adults and 2000 children.
Far too many security awareness training programs start with a series of horror stories about hackers and identity theft, lost money and damaged reputations, privacy breaches and deleted computer files. Before long, the average student starts to tune out – after all, if it’s that bad out there, there’s not much that can be done about it.
I was reminded of this when I came across an article about climate change – How to get action on climate change? Hint: Don’t scare us out of our wits – which points out that dire warnings about global warming may well be counter-productive.
Now, I’m not saying that we shouldn’t tell students about the potential consequences of poor information security, but that should be just one small part of our message, with the rest of it being positive – how we can make things safer to our mutual benefit. A carrot is often better encouragement than the threat of the stick.
Some Further Reading
Hackers don’t always try to break into computer systems through the Internet, or by using malicious software (malware) in email attachments. If they can gain physical access to computers, there’s often a simpler way.
Several public libraries in the UK have reported finding keyloggers attached to the back of PCs. These devices, which look a lot like normal USB flash drives, monitor the keystrokes – including usernames and passwords – of all users of the PCs. So, if you used one of these PCs to access your bank account, your Facebook profile, or your email, your identity might have been compromised.
Hardware keyloggers are very small and, unless you look carefully at the back of the computer – and know exactly what you’re looking for – they can be almost impossible to detect. Here’s an example:
Another reminder – as if we needed it – that smart phones and mobile devices are increasingly the targets for hackers.
This time, it’s an iPhone issue. German researchers claim to be able to steal passwords stored on a locked Apple iPhone in just six minutes … without cracking the iPhone’s passcode.
Read more in this post on the Sophos blog: VIDEO: How to steal passwords from a locked iPhone
The FTC has posted a useful guide to “medical identity theft” for health care providers and insurers.
Medical identity theft occurs when someone obtains health care services (e.g. treatment, prescription drugs) using the identity of someone else, or when they use another person’s identity to submit false bills. The guide – Medical Identity Theft: FAQs for Health Care Providers and Health Plans – covers:
- red flags that might indicate a problem,
- advice on responding to incidents, and
- how to help your patients avoid identity theft.
Another useful resource is the FTC’s Facts for Consumers: Medical Identity Theft – a brochure in PDF format which can be made available to your patients.
Looking for a video to show your staff some of the ways that they might breach the HIPAA Privacy and/or Security rules?
Here’s a short (5 minute) YouTube video from UNLV called HIPAA Happens that illustrates some possible scenarios.
Send the link around to your staff in an email or, better still, post it to your Cosaint training portal with a short mastery test so that you can track students’ understanding of the subject.
Cloud computing is filled with buzzwords and, for many people, fear of the unknown. And a lot has been made of the security risks that might result from cloud computing. However, for many organizations (especially small businesses and non-profits), judicious use of cloud computing applications can have significant security benefits.
This article from PC World – What Cloud Computing Means For the Real World – is an excellent overview of some of the benefits that you can reap by replacing insecure practices commonly found in the workplace.
Further Reading: You can find out more about cloud computing security through the resources available at the Cloud Security Alliance.
With few exceptions, rules relating to privacy and security such as HIPAA and GLBA (Gramm Leach Bliley) cover the information, and don’t specifically relate to any particular technologies. So, they apply whether you’re using your PC, a fax machine, a photocopier, a USB flash drive, or even your cell phone.
Here’s an excellent post on the subject – HIPAA: It’s About the Information! – from Rebecca Herold (“The Privacy Professor”). It focuses on fax machines (a topic that we covered in an earlier post on this blog) but the same thinking applies to any equipment that you use to access, process, or store sensitive information.
For more about this topic, see these posts from our blog: