A recent survey of 1,200 workers conducted by TalentLMS revealed some surprising trends in cybersecurity habits, hygiene, and awareness. Survey participants answered a simple seven-question quiz testing them on their ability to spot potential threats online and gathering intel on cyber habits and knowledge of best practices.
Across the board, the results were dismal. Yet as TalentLMS diced its survey results by industry, one group of participants stood head and shoulders above the rest: healthcare workers.
Compared to information services, finance, education, and software, healthcare workers scored significantly better with a passing rate of 57%.
| | Healthcare and social assistance | Information services and data | Finance and insurance | Education | Software |
|---|---|---|---|---|---|
| Pass | 57% | 17% | 38% | 43% | 27% |
| Fail | 43% | 83% | 62% | 57% | 73% |
Source: TalentLMS Cybersecurity Survey
We’ll dive into healthcare’s unique challenges in a minute. But the survey results caused us to do a double-take. Namely, we struggled to posit why the two most tech-saturated industries scored lower than all others: information services and data had a shockingly poor passing rate of just 17%, and software companies fared little better at 27%. Could it be that tech-rich businesses are somehow more cavalier about cybersecurity in general? Ours certainly isn’t, and none of our partners are either. And yet the results are what they are. Perhaps, as tech companies, these users assume they have it figured out and simply can’t be tricked, which, if true, is an expensive mistake to make.
Finance and insurance, as well as education, each performed better than the tech businesses. They’re doing something right, or at least they’re getting more of it right. Yet one could argue a failure rate of 68% (for finance) and 57% (for education) still isn’t anything to brag about. Read on for suggestions of what all of these organizations can do to improve the way they protect their data, networks, and infrastructure.
A high-risk environment demands vigilance
The reason for healthcare’s superior cyber awareness may be environmental; the uniquely high-stakes and challenging environment of healthcare demands it. Broad, interconnected attack surfaces, an uptick in remote employees, and the brisk criminal market for healthcare records have positioned healthcare entities as an attractive target for threat actors. So workers have been forced to stay vigilant and skilled at spotting threats.
But even with a passing rate of 57% there is still considerable room for improvement when it comes to cybersecurity hygiene and awareness. Historically, healthcare takes five times longer than leading industries to close half of its vulnerabilities. And from a remediation coverage standpoint, healthcare comes in dead last.
For more on vulnerability management performance by industry, download a copy of Prioritization to Prediction, Volume 3: Winning the Remediation Race.
The strain on healthcare is costly
Putting even more strain on an already fatigued target, the COVID-19 pandemic overwhelmed healthcare providers both physically and in terms of cyber attacks. Stretched thin and left vulnerable, hospitals and their IT staff faced an onslaught of aggressive attacks, including network-server attacks, ransomware, sophisticated phishing campaigns, and more. Providers have been forced to pay historically high ransoms and recovery costs to keep their operations running and doors open during these most critical times.
In 2020 alone, threat actors capitalized on fatigued, overworked healthcare employees to the tune of $6 trillion, and it’s still picking up steam through 2021.
Cybersecurity (and cybersecurity training) needs an overhaul
Doing a better job of cybersecurity training of course will help healthcare employees improve how they help secure the front lines. (A recent blog outlines some key ways to help accomplish this.) And while it’s a worthwhile and necessary effort in this ongoing cyber battle, training alone isn’t the answer.
A modern, risk-based vulnerability management (RBVM) program can help shut off attack vectors, even if threat actors have successfully duped an employee to open the wrong file or visit the wrong site. By identifying and closing weaknesses in infrastructure and applications, a comprehensive RBVM program gives attackers fewer opportunities to gain a foothold in your organization.
Compared to traditional vulnerability management, a modern RBVM approach focuses on isolating the organization’s biggest vulns using data science, predictive modeling, comprehensive threat and vulnerability intel, and context. Rather than chase thousands of so-called “critical” vulns scored by the Common Vulnerability Scoring System (CVSS), the best RBVM solutions use the latest technologies to identify the 2-5% of all vulnerabilities that actually pose a real risk to an organization. Establishing a risk-based approach to vulnerability management will help companies optimize resources, remediate their riskiest vulnerabilities first, and streamline security operations.
When a Fortune 500 medical provider went risk-based
When Quest Diagnostics decided it had enough of trying to power through its seemingly endless list of vulnerabilities using a homegrown prioritization tool, the healthcare giant decided to go risk-based. As a Fortune 500 medical provider, Quest knew it couldn’t settle for less-than-stellar vulnerability management. The company deployed Kenna.VM to effectively and efficiently prioritize its riskiest vulnerabilities.
The results were meaningful. Instead of investigating and scoring a long list of vulnerabilities, Quest was able to gain actionable insight that helped it remediate its biggest risks. A risk-based approach also helped Quest gain back significant time previously spent on remediation and reporting, cutting time spent on remediation by up to 50%, and time spent reporting by up to 75%. For a closer look at Quest’s experience, check out their case study.
Give attackers nowhere to go
With cyber risk growth showing no signs of slowing, and with another wave of COVID-19 disrupting return-to-work plans, the time to transition to a risk-based vulnerability management strategy is now.
Data breaches are too costly to rely on employee training alone. The survey data proves that even the most cyber-aware workers are fallible when it comes to cybersecurity. Acknowledging this—and doing something about it—is the only effective way forward.