The COVID-19 outbreak has affected almost every area of our pre-pandemic “normal” lives including more telework, a surging demand for toilet paper, and a shrinking workforce, just to name a few. Almost no industry has been spared when it comes to the contagious disease’s impact. In particular, cyberattacks are on the rise in nearly every business, reaching unprecedented numbers since the start of the 2020 virus lockdown.
How We Got Here
When the COVID-19 crisis started, workers suddenly transitioned to a remote environment, and management became more focused on merely surviving day-to-day than spending dollars on IT security. As a result, the doors opened up for cybercriminals to seize new opportunities.
According to one report, 93% more cyberattacks occurred in the first half of 2021 than during the same period in 2020. At the same time, the number of global incidents increased by 29%. Unfortunately, the “perfect storm” has resulted in massive amounts of personal information being breached as well as millions of dollars being spent on mitigation, response, and recovery efforts.
For healthcare providers, the situation becomes even more dire. A ransomware attack can not only disrupt business operations and affect the bottom line but also have a negative impact on direct patient care. Even with up-to-date backups, it can take several hours or days to get a system back up and running after a ransomware attack, and most providers (and the patients they serve) will feel a negative impact because of the delay.
How to Train Your Workforce
One of the easiest and cheapest ways to prevent cyberattacks is to train your employees. Yes, implementing two-factor authentication and investing in computer security and protection measures are important, but supplementing those steps with effective employee training will drastically reduce the likelihood of an attack.
We’re seeing more and more attacks that could have been prevented had an employee been properly trained and known what to look out for. For example, phishing scams (i.e., perpetrators send e-mails with malicious attachments to individuals, made to appear as if they came from a legitimate sender) are on the rise. Cybersecurity training can help employees identify suspicious e-mails and protect against such scams.
Cybersecurity training shouldn’t take a “one-and-done” approach but rather should be ongoing and periodic. It can be conducted internally by someone within the IT department or externally by a contracted third party. I recommend a combination of both, using a third party’s expertise and training programs in conjunction with the institutional and operational knowledge of someone in-house.
While employees should always be trained upon hire, they also should undergo periodic training thereafter. I recommend cybersecurity training at least once a year. Additional, more frequent training may be warranted if you encounter a significant shift in technology, a change in policy/procedure, or an increased threat.
Whenever training is conducted, whether internally or externally, it should be documented. The documentation should include the date the training was conducted, the employees who were trained, the topics discussed, and a copy of any materials that were used. If a breach occurs, the documentation will become extremely important during the investigation.
Bottom Line
In light of the current environment, all employers, and healthcare providers in particular, should be conducting appropriate, periodic cybersecurity training as a first line of defense against ransomware attacks.
Kelli Carpenter Fleming is an attorney with Burr & Forman LLP. You can reach her at kfleming@burr.com.