The breaches of Hollywood Presbyterian Medical Center and the United States Office of Personnel Management (OPM) have been hot topics in the last month. Hollywood Presbyterian because it’s so fresh in our minds and the OPM because of the fallout resulting from it, including House Oversight Committee hearings and the (forced) resignation of its CIO.
Since the two intrusions have already been discussed so thoroughly in many other places, I’ll spare you a lengthy recap. Hollywood Presbyterian was the victim of a ransomware attack, while the OPM was breached by attackers alleged to be operating from China.
What I found so fascinating about both intrusions was how preventable they both were. I’m not even talking about prevention through technology, though the right solutions certainly would’ve helped in each instance. I’m referring to the astonishing lack of security awareness shown throughout both organizations.
As described in this article, the type of ransomware attack conducted against Hollywood Presbyterian is usually perpetrated through “what appears to be a routine email with an attached file such as a bill or invoice” sent to an employee. “By clicking on the attached document, an ‘enable content’ yellow bar pops up. If that is clicked on, the malicious software starts to lock files with a password or key that cyber criminals or attackers hold.”
In the case of the OPM, an OPM Inspector General actually advised the CIO and Director to shut certain systems down until they could be properly fixed. The systems were operating in violation of federal regulations and failed to meet security guidelines. It was even stated that, in their current condition, they were a risk to national security. The recommendation was ignored, though, and within months the agency fell victim to the breach.
The first situation unfortunately isn’t all that uncommon. I can name a number of instances where Identity Automation has encountered organizations whose employees are not trained enough in the basics of security to recognize a potential risk. The second situation is far more alarming, since the CIO, one of the people who’s supposed to be most knowledgeable about security protocol, explicitly left the agency open to an attack.
The Value of Security Awareness & Training
While the employees responsible were at very different experience levels, the two situations are similar. Both Hollywood Presbyterian and the OPM showed a lack of security awareness among employees. That lack of awareness was a direct cause of the intrusions both suffered. Had the Hollywood Presbyterian employee received even a basic level of security training, he or she would’ve recognized the email and breach attempt as out of the ordinary. The OPM CIO violated a basic security principle: don’t take unnecessary risks.
Many argue that organizations need to devote more investment to sophisticated security systems in order to avoid attacks like these. I agree with that sentiment, but would add that you also must invest in training your users to understand basic corporate security principles. You could have the fanciest, most expensive, most highly rated technology in the world, but if your users don’t understand basic personal security protocol and the expectations placed on them, you’re still at risk.
Train your users, both full-time and contingent. Make it a part of their official onboarding process. Show them examples of suspicious activity and instruct them on what to do if they encounter anything similar. Make sure they know your security processes and the IT-approved systems and applications. And then, enforce your processes.
You don’t want to be the next example of a breach. With the right security and the right approach to managing your users, you can avoid it.