MRIoA recently added to its information security staff to help meet the ever-growing needs of this highly demanding and important department. One area we hope to improve with this additional resource is our ongoing staff security awareness training. Historical evidence from past breaches in the healthcare sector has shown that social engineering and a lack of staff awareness have been the number one attack point. Improving employee awareness and behaviors can only improve this troubling statistic.
After a long discussion about the many important topics we felt we needed to cover, we realized that we were really uncertain as to the existing knowledge of our staff across the wide scope of information security topics. To help us better understand this so that training could be targeted to the true areas of weakness, we chose to investigate the actual knowledge of our employees.
A mandatory awareness survey was created to explore a number of topics and to find out whether the underlying concepts were actually understood. Instead of the multiple-choice answers many awareness quizzes use, we asked our employees to explain their understanding of the concepts. These ranged from why strong passwords are beneficial to how encryption actually protects data. The results of this survey will be used to tailor our security awareness program to the areas of greatest concern and least understanding. Our hope is to give people a genuine, fundamental understanding of how integral they are to our company actually being secure. I will follow up with our findings in a future article.
Donald W. Murphy Jr. MS, CISSP
Vice President, Information Technology