According to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting account for 93% of the data breaches that involve social engineering.  For a phishing or social engineering attack to succeed, the attacker needs a target to take the bait, and your employees are usually that target, aka the fish that bite.  Therefore, in conjunction with technical IT security measures, training your employees is of paramount importance in preventing these types of attacks.  Employers must make employees aware of the risks of clicking on a link in a phishing email, downloading an attachment from an unknown sender, or responding to requests for credentials, login information or other data.

Employee training is one of the least expensive and most effective tools an organization can use to reduce the risk of a cyberattack. This training can be both formal and informal.  Formal training would include training on your organization’s policies and procedures as well as specific incident response training. For informal training, organizations should consider periodic e-blasts to employees describing current threats, together with simulated phishing attacks followed by feedback to the employees who clicked.  For example, e-blasts could remind employees that: (1) during the holiday season they are likely to see phishing emails that purport to be from UPS or FedEx and ask them to click a link about a package; and (2) they should never provide login credentials when requested via email, even if the email appears to be legitimate.  Organizations should also consider giving payroll staff an annual refresher on the increased likelihood of a W-2 phishing scam in December, January and February.  During this period, payroll staff are most likely to receive an email, purportedly from the CEO or CFO, requesting W-2 information for all employees; the sender address is typically a lookalike domain, or the message carries a Reply-To that routes the response to a mailbox the attacker controls.  Overall, these reminders are a great way to keep cybersecurity at the forefront of your employees’ minds between formal training sessions.
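The W-2 refresher above describes what the attacker's email looks like; the screen below shows how a mail gateway or payroll mailbox rule can catch the same pattern before the training is ever tested. This is an added example, not code from the original post: the organization's domain, the executive mailboxes, and all three sample messages are constructed for illustration.

```python
"""Screen for the W-2 executive-impersonation pattern described above.

Added example; the domain, executive list and sample messages are constructed,
not taken from the post or from any real organization.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organization's mail domain and the mailboxes
# of the executives whose names a W-2 scam usually borrows.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "john roe": "john.roe@example.com",   # CFO
}
W2_TERMS = ("w-2", "w2", "wage and tax statement", "payroll records")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def screen_message(raw):
    """Screen one plain-text RFC 822 message for the W-2 scam pattern.

    Returns (flagged, signals). The message is flagged only when it asks for
    W-2 or payroll data AND shows a sender irregularity (executive display name
    on a foreign address, external sender domain, or a Reply-To that redirects
    the answer elsewhere), so routine payroll mail from the real executive
    mailbox is not flagged.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (subject + "\n" + body).lower()

    signals = []
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        signals.append(f"display name '{from_name}' belongs to {known}, sender is {from_addr}")
    if domain_of(from_addr) and domain_of(from_addr) != INTERNAL_DOMAIN:
        signals.append(f"sender domain {domain_of(from_addr)} is external")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        signals.append(f"Reply-To {reply_addr} does not match the sender domain")

    asks_for_w2 = any(term in text for term in W2_TERMS)
    flagged = asks_for_w2 and bool(signals)
    if asks_for_w2:
        signals.append("message requests W-2 / payroll data")
    return flagged, signals


# Constructed sample messages (not real mail). The first two are the scam
# variants described in the post; the third is a legitimate internal request.
SAMPLES = {
    "lookalike_domain": """From: "Jane Doe" <jane.doe@example-corp.com>
To: payroll@example.com
Subject: W-2 copies needed today

Please send me the W-2 forms for all employees as a PDF before my next call.
""",
    "spoofed_with_replyto": """From: "John Roe" <john.roe@example.com>
Reply-To: <john.roe.cfo@gmail.com>
To: payroll@example.com
Subject: Quick request

Can you pull the payroll records and W2 data for everyone and reply to this message?
""",
    "legitimate": """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: W-2 mailing schedule

When do the W-2 forms go out this year? Thanks.
""",
}


def screen_all(samples=SAMPLES):
    """Run the screen over every sample and return {name: flagged}."""
    return {name: screen_message(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        flagged, signals = screen_message(raw)
        print(f"{name}: {'FLAG' if flagged else 'ok'}")
        for s in signals:
            print("   -", s)
```

Note the limit of this check: a message sent from the real executive mailbox after that account has been compromised passes it cleanly, which is exactly why the training point stands on its own. Payroll staff should treat any emailed request for employee W-2 data as one to verify by phone or in person, regardless of how the headers look.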

Practical training should not stop with an organization’s general workforce. In addition to the employee training described above, companies should consider tabletop exercises that prepare the organization to react in the unfortunate event of a breach.  These exercises walk through a simulated data breach and let an organization’s executives test its ability to respond under its formal policies and procedures, and surface gaps in those procedures before a real incident does.  Overall, through frequent exposure and regular training, your organization will develop a culture of cybersecurity awareness.

Lastly, as indicated in our launch of Cybersecurity Awareness Month, we would be remiss if we did not note that the Department of Homeland Security created a Toolkit to provide companies with resources to promote the importance of cybersecurity awareness.

If you have any questions regarding security policies and procedures and/or cybersecurity training, please contact us.

Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.