EDITOR'S QUESTION

According to a 2023 report by the UK Information Commissioner's Office (ICO), approximately 90% of data breaches reported to the ICO in the UK were attributed to human error, such as misdirected emails, failure to use BCC in email and sending sensitive data to the wrong recipients. Human-targeted cyberattacks are designed to exploit this vulnerability in human behaviour rather than a technical weakness.
Cybercriminals will attempt to take advantage of employees by manipulating them into sharing sensitive information, making mistakes or bypassing security protocols. There is no way to stop criminals from launching human-targeted attacks, but there are ways to make those attacks less likely to succeed.
Healthcare organisations can build organisational resilience by adopting a security-first culture. An organisation is only as secure as its weakest link and therefore requires all staff to commit to good cyber hygiene. This requires senior leadership to promote secure practices that address the risk of phishing, malware and social engineering through regular, role-specific training and awareness programmes. Developing a robust cybersecurity approach that mitigates human-targeted attacks also involves addressing vulnerabilities with tools that enable employees to avoid common errors without complicating workflows and harming productivity.
With ransomware having such a destructive impact on healthcare organisations, even leading to the cancellation of operations earlier this year in multiple London hospitals, it is similarly important that organisations embrace some form of inbound email threat detection software to block phishing, malware and spoofing attempts before they reach employees or patients.
Limiting access to sensitive data through role-based access controls and the principle of least privilege is another effective strategy for addressing human-targeted attacks. This is also beneficial for achieving regulatory compliance with GDPR and HIPAA and reduces the risk of data being misused by ensuring fewer staff have access to confidential patient information.
Multi-Factor Authentication (MFA) is another minimally disruptive tool that requires staff and patients to present two or more verification factors before gaining access to valuable sensitive information. This means that if a password becomes compromised, there is another line of defence for cybercriminals to overcome.
Finally, implementing data loss prevention (DLP) policies is a great way to minimise human error. DLP is a cybersecurity strategy designed to prevent the unintentional sharing of sensitive information. It ensures data is protected in transit and at rest, preventing unauthorised access through encryption, access controls and real-time alerts.
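As an added illustration of the kind of DLP policy the column describes, the Python below is a pre-send checker written for this page (it is not Zivver's or any vendor's product logic). It targets the three human errors the ICO figures above point at: external recipients exposed in To/Cc when Bcc should have been used, a recipient domain that is a near-miss of a domain the organisation knows (a likely misdirected email), and identifiable patient data addressed outside the organisation. The organisation domain, partner domains, Bcc threshold and identifier patterns are constructed assumptions, not values from the page.

```python
import re
from dataclasses import dataclass

# Assumed organisation domain and trusted partner domains (constructed values).
INTERNAL_DOMAIN = "hospital.example"
KNOWN_PARTNER_DOMAINS = {"gp-practice.example", "lab-partner.example"}
# More external addresses than this in To/Cc is treated as a bulk send that
# should have used Bcc. The threshold is an illustrative policy choice.
BULK_EXTERNAL_THRESHOLD = 3
# Constructed patterns standing in for an organisation's own identifiers.
SENSITIVE_PATTERNS = {
    "patient_id": re.compile(r"\bPID-\d{6}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


@dataclass
class OutboundEmail:
    sender: str
    to: list
    cc: list
    bcc: list
    subject: str
    body: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (typo) recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_outbound_email(msg: OutboundEmail) -> list:
    """Return policy findings for one outbound message (empty list = clean)."""
    findings = []
    visible = msg.to + msg.cc
    external_visible = [a for a in visible if domain_of(a) != INTERNAL_DOMAIN]
    all_recipients = visible + msg.bcc

    # Rule 1: many external addresses exposed to each other in To/Cc.
    if len(external_visible) > BULK_EXTERNAL_THRESHOLD:
        findings.append(Finding(
            "bcc_required", "high",
            f"{len(external_visible)} external recipients in To/Cc; move them to Bcc"))

    # Rule 2: recipient domain is a near-miss of a domain the organisation knows.
    trusted = {INTERNAL_DOMAIN} | KNOWN_PARTNER_DOMAINS
    for addr in all_recipients:
        d = domain_of(addr)
        if d in trusted:
            continue
        for known in trusted:
            if edit_distance(d, known) <= 2:
                findings.append(Finding(
                    "lookalike_domain", "high",
                    f"{addr} resembles {known}; possible misdirected email"))
                break

    # Rule 3: identifiable patient data addressed to anyone outside the organisation.
    text = f"{msg.subject}\n{msg.body}"
    matched = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]
    external_any = [a for a in all_recipients if domain_of(a) != INTERNAL_DOMAIN]
    if matched and external_any:
        findings.append(Finding(
            "sensitive_to_external", "medium",
            f"{', '.join(matched)} present; external recipients: {', '.join(external_any)}"))
    return findings


def should_block(findings: list) -> bool:
    """High-severity findings stop the send; medium ones are surfaced as a warning."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    # Constructed sample: a referral typed to a look-alike of the hospital domain.
    sample = OutboundEmail(
        "clinic@hospital.example", ["dr.smith@hospital.exmple"], [], [],
        "Referral", "Patient PID-123456, DOB 01/02/1980.")
    for f in check_outbound_email(sample):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print("block:", should_block(check_outbound_email(sample)))
```

In practice a check like this sits in the mail submission path: the high-severity findings (exposed recipients, look-alike domain) prompt the sender before the message leaves, while the medium finding is logged and alerted on in real time, which matches the "real-time alerts" the column mentions. The identifier patterns must be replaced with the organisation's real record formats, and the look-alike check only works against a maintained list of domains the organisation actually corresponds with.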
By embracing security strategies as part of everyday workflows and outsourcing security to technical tools, medical staff can prioritise patient care without compromising patient privacy.
NADINE HOOGERWERF, CISO, ZIVVER
WWW.INTELLIGENTCISO.COM 29