The password is the first and sometimes only line of defense online, yet we typically make big mistakes in choosing a password. Texas Tribune CIO Rodney Gibbs shared guidelines for selecting a secure password, which should be mandatory reading for everyone from your CEO to your elementary-school-aged children. The most common mistake, at least from my own experience, is including full English words in a password. Pass these tips on to employees so they make the most of the first (and sometimes last) step in security.
Unfortunately, a successful phishing email will beat any password. Brian Shipman of Heritage Auctions shared an article about an attack against the White House stemming from a spear phishing email. With approximately 91% of hacking attacks starting with a phishing email, it may be time to remind employees of best practices for avoiding this type of attack.
The Healthcare Information and Management Systems Society annual conference is underway in Chicago this week, and healthcare IT leaders took to Twitter to share advice from their peers. St. Norbert College CIO Raechelle Clemmons raised the point that defensive measures don’t necessarily translate to flawless security: 30% of breaches are “unintended disclosures.” This is yet another argument for the indispensable role of user education in any security program.
There’s a reason healthcare breaches are drawing an inordinate amount of security press. This slide shared by Sue Schade of University of Michigan Hospitals sums up the watershed breaches that have brought the healthcare vertical to the forefront of the security discussion. Her slide shows statistics from the breaches at CHS, Anthem, and Premera, including the 78 million records compromised at Anthem. One of the main challenges for healthcare security teams is the high price medical records command on the black market: ten to twenty times that of a stolen credit card number.
These numbers should be more than enough to get organizations thinking about the final line of risk management: cyber insurance. Ken Piddington, formerly of Global Partners, posted a guide from Deloitte outlining the benefits, limitations, and misconceptions around cyber insurance. A particularly useful tool is the matrix outlining coverage from different types of insurance, from property to crime to cyber.