CASE STUDY
Data Risk Management helps safeguard your private medical information
This Michigan-based data security consulting firms relies on years of experience — and Infosec IQ — to help doctors secure Protected Health Information.
Everything in healthcare data is changing: more electronic patient data, more threats to that data, more regulatory rules, greater fines for non-compliance, increased auditing, and increased litigation for data breaches. Based in Rochester, Michigan, Data Risk Management specializes in security best practices for medical, dental and related business offices and uses Infosec IQ for security awareness and phishing training. They say numbers don’t lie, but this is hard to believe. The average total data breach now costs businesses $3.92 million, according to the 2019 Cost of a Data Breach Report from Ponemon Institute and IBM Security. The numbers should be eye-opening for organizations big and small — $1.42 million in lost business, breaches caused by a malicious cyberattack took longer to discover and lasted longer, requiring 314 days to recover. BEC attacks increased 100% last year.
Outsmarting the bad guys starts here.
See for yourself how Infosec IQ will empower your employees to outsmart cybercrime at work and at home. With over 2,000 awareness resources and phishing simulations at your fingertips, it’s easy to keep your employees secure and engaged in training, regardless of their location, preferred language or learning style.
Jim Carter's recipe for success
Most security pros agree you can have the best software and protection tech available, but a well-run security awareness training program and a culture that supports it are still critical front-line defenses against cybercriminals.
We asked security industry veteran Jim Carter, the founder and managing member of Data Risk Management, LLC how he helps mitigate phishing risk for his clients through security awareness and training. Jim’s recipe for success includes strong customer focus, communication and the best education tools available from Infosec IQ.
How do you run awareness and training programs with Data Risk Management clients?
Jim: The primary thing we do is information security strategy consulting in a proactive sense. As an advisor to my clients, sometimes I operate in the role of a virtual CISO.
When I sit down with a client, one of the first conversations is about four things, and you’ll notice that these aren’t technical. First of all, what are your business needs for information security? Do you have external drivers like regulatory compliance, contractual, or statutory compliance obligations you have to meet? Or is it an internal desire to not have anybody mess with your data?”
The second thing I like to explore is their risk tolerance. Answers will be different from one company to the next because not everybody has the same level of tolerance. Some don’t mind writing a check to resolve a problem and some don’t ever want to do that.
The third thing is to ask about the organization’s culture. I want to know what I’m up against. I don’t want a hundred people working against me, I want a hundred people working with me. So we have to figure out how we’re going to achieve the latter.
And the last thing is the budget. If we can get all four of those components in alignment, then we’ve got a good chance of having a solid information security program. It’s not going to go from zero to a hundred miles an hour overnight. It’s going to be something that we build on and mature over time.
Infosec IQ security awareness and training fit nicely into this process because it’s a good starting point. I tell my clients: if you do nothing else, at least for now, start with training your employees.
And I say it’s the best bang for the buck in cybersecurity because while there are a lot of things that I can recommend, this is one of the most cost-effective and has the greatest return. We can strongly mitigate the greatest threat to your sensitive data, which is email phishing.
How do you communicate results?
Jim: I like to send an email to managers and everybody who completed the training and scored 100% on the quiz. That’s a big accomplishment and not easy to do. I copy all the members of the executive management team on the email, too. Firstly, it shows the executives that the campaign is working and secondly, it recognizes the employees who are committed and engaged in the training.
The employee appreciates being complimented “in front of” the executives. They get a pat on the back they wouldn’t otherwise receive. My hope is it also leads to dialogue when they see me come down the hallway. Instead of hiding under their desk they reach out to me and ask, “hey, I had this question on my computer at home,” or “I have this question about an email.” That opens up an opportunity to answer a question or provide coaching.
You run your security programs with a lot of empathy. Is that part of the reason employees respond so well to your programs?
Jim: IT and security trainers can move the security conversation forward with empathy and adopting a helpful stance. I like to say, “If you have questions about it, if you fell victim to a phishing email, please come talk to us. We would love to help.”
As security awareness and training managers, we need to build employee trust and show them we are not trying to trick them with a phishing simulation. I’m trying to help them, to make them stronger. I’m not trying to embarrass them. I’m not trying to have the heat come down on them from the management team and I encourage the management teams not to focus so much on the phishing rate.
We know the program works if people do the training. The phishing rate will take care of itself. It’ll come down. It’ll be down in the 1% to 3% range over time if we can engage people with the training. I prefer the standard 12-month Infosec IQ program as a good starting point. I might make some changes here and there as the program continues. With new modules and new content coming regularly, I like to work those in because it gives me something to build on as we establish a foundation of learning.
What is the one bit of wisdom you would share with industry peers and colleagues?
Jim: My recommendation is to focus on the people, not on the technology. We can do a lot to protect our systems and components, but the reality is, if that email is in your inbox, it’s already past all of your perimeter defenses. It’s already past all of your anti-whatever software. And our last line of defense is our people.
Now if they open that phishing email, they take the very last step before stepping on the landmine. When they click on the link, open the attachment or enter data, the damage is done. The best defense we have is to build a human firewall so that when these things get past our other tools, we have a decent chance of avoiding the threat. That comes by raising awareness.
When I visit my clients, I could play the role of Internet Cop or the Grim Reaper who tries to catch somebody who has a yellow sticky note with their password stuck on the monitor. They would all hide under their desks!
But instead, I would rather be a human being with whom they can communicate — a resource for my clients and their staff to help them become stronger. They want to be stronger and nobody likes getting fooled by a phishing email.
Because of that desire, I present to them a human face and a resource that’s really more of a coach. I catch them doing something good and reward them. The Infosec IQ security awareness and training platform gives me the opportunity to do that because while we can look at phishing simulation open rates, click rates and other metrics, we also can see the participation rate on training. Who’s taking the training? How are they doing on the assessments? And then we reward those who are completing the training and scoring well on the assessments or quizzes.
Products
- Infosec IQ