Cyber Readiness Tips, Part II

In our previous Director’s Cut column, “An Imaging Leader’s Role in Cybersecurity,” we discussed why you as an imaging leader should pause to consider this topic and alerted you to some ways your employees can cause cyber breaches. This article continues that effort to help you be cyber-ready!

From our last column, hopefully you have worked alongside your IT/security team and helped develop or been presented with an insider threat risk assessment. In tandem with a tailored risk matrix, you’re now aware of organization-crippling insider threat risks. As an imaging leader, it falls on you to help do something about it. How in the world do you even begin to deal with insider threats?

The first step, after identification, is to begin planning. Shocking, right? You need to develop preemptive countermeasures. Too often, we get stuck in identification mode and wait for IT to pick up the pieces. However, as an imaging leader you need to be proactive on these countermeasures.

Enhancing employee access control, expediting cybersecurity training, doubling down on information protection and compartmentalization, bolstering your data security, having maintenance staff and procedures in place, and starting to use legitimately secure technology are all countermeasures you can put in place.

Some of you have already exceeded these preliminary phases of insider threat management. In that case, you can finally start preparing your strategies to mitigate the impact of insider threats when they inevitably happen. Here is a five-phase process you can use.

Five-phase process

Insider threat mitigation isn’t as easy as inserting your response plan into a gaping hole caused by a threat. Instead, each security breach requires careful consideration. This process, known as the “respond” phase, is phase four of the five insider threat mitigation phases.

Upon detecting an insider threat, prepared organizations traverse the following “responding” phases:

  • Response planning: Preceding any intervention, teams must assess the situation to ensure the threat is understood. Engage as many people as needed to evaluate the threat.
  • Response communication: Sometimes overlooked, your department’s communication plan is often the most influential factor when assessing the long-term stability of your response team. Stakeholders, department heads and teams, necessary C-suite executives, and consumers are all privy to pertinent security information. Your team’s documentation needs to be meticulously reviewed and organized by those who use it the most.
  • Analysis: As a leader, you’re hardwired to respond to stimuli. It’s tempting to want to immediately deploy the cybersecurity strategies that you’ve been working on for so long. However, when working around insider threats, it takes only a single mistake for a malicious user to cover their tracks. Spend the time to do a deep-dive analysis. Give teams time to assess and investigate the incident. Incident reports can be generated within hours if all the training and preparation serve their purpose.
  • Mitigation: The mitigation strategies are only one piece of the puzzle, like the “execution” phase of similar project management methodologies. Without the other phases, mitigating insider threats is merely a band-aid solution to your organization’s gaping wound.
  • Improvements: Finally, once your hard-working team helps dismantle and eliminate the insider threat, it’s not time to staple the papers. Every incident is an opportunity.

Woven into the following “recovery” phase, the “improvements” sub-phase outlines the practices you and your team need to undergo to evaluate your performance, reflect on the situation, and prepare for the next time it happens.

Like a post-game interview or post-match review, teams will often dive deep into the analytics and data collected to systematically identify as many faults and weaknesses as possible, developing new risk matrices, response plans, and mitigation strategies for new threats they may find.

Mitigation – The strategies

Now, you’re familiar with the overarching mission behind mitigating insider threats. While there are countless examples, and how you decide to respond depends on your organization’s team and resources, amongst dozens of other factors, here are some example courses of action deriving from threats your institution may face:

  • Risk: Employees’ limited knowledge of the risks involved, unawareness of cybersecurity practices, or inexperience in preventing insider attacks

When faced with a risk like this, consider what consultants and resources your institution may provide to rectify the risk of limited education and training. For example, you can pioneer a learning program for new and existing employees to understand your organization’s cybersecurity risks better.

When developing strategies, ensure you denote continued analysis and mitigation steps, like setting S.M.A.R.T. goals. You must ensure everything you’re doing is sustainable.

In this example, you may schedule annual, quarterly or monthly risk training alongside contracting with education and consulting firms.

  • Risk: Systemic cyber risk arising from team inexperience with significant cyber events, threat uncertainty, dissemination concerns, the lack of cohesive data about events, and unknowns around the long-term impacts of cyber breaches

As one of the most intimidating cyber threats within institutions, especially in younger and smaller organizations, you mustn’t let a lack of experience cloud your IT team’s ability to defend patient data.

Contrary to the employee-centric risk above, this risk and its associated vulnerabilities stem from fragile infrastructure, new policies and unweathered data. Many security-conscious organizations contract consultation check-ups, audits, performance reviews, and simulated attacks from cybersecurity providers to help ensure their patient data is safe.

For long-term success, running continuous experiments and stress tests on your system helps ensure that you consistently fight operational risks or, failing that, are at least aware of them. Surprise simulated incidents, long-term consultation, performance contracts as well as scheduled, spontaneous and periodic training programs contribute to a reliable cybersecurity force.

  • Risk: Employees misuse, tamper with or rig hardware

A glaringly obvious risk when considering insider threats is the risk of employees or stakeholders misusing security hardware to capitalize on that vulnerability later.

You may elect to invest in more reliable, rigid utilities and coordinate weekly maintenance of all critical security devices to prevent people from becoming complacent. You could also create a digital accountability system to track who used specific devices and when, separating routine usage from unauthorized or suspicious device usage.

  • Risk: Quickly stacking unforeseen costs of threat mitigation and maintenance

Suppose you or your organization isn’t in the financial position to fund large-scale cybersecurity operations. In that case, the pressure often falls on leaders to find something to put towards security. If you’re planning long-term or have a hand in building departments, allocating a cut of the quarterly or annual budget to cybersecurity can drastically help fund a small-scale operation.

Consistent and scheduled financial/budget analyses, budgeting, and expenditure reviews are also great ways to identify where and how your organization can contribute to cybersecurity expenses. Companies may also turn to managed service providers (MSPs) to provide subscription cybersecurity services to reduce costs and significantly increase the return on investment.

These strategies may not be directly applicable to your organization or department. Still, they contextualize the responsibility you have as a leader to contribute to developing your insider threat mitigation strategies. The Ponemon Institute found that 90% of health care institutions are targeted yearly, each incident chasing a different invaluable asset from your organization.

Some malicious actors seek money or equipment. Some may test themselves to see how long they can leave your hospital without power. And some insiders may want to get revenge on their co-workers by ruining their patients’ lives.

You may not know why insiders do what they do, but you should know you don’t want to wait to find out.
