{"id":4041,"date":"2021-09-16T11:22:46","date_gmt":"2021-09-16T16:22:46","guid":{"rendered":"https:\/\/blogs.luc.edu\/compliance\/?p=4041"},"modified":"2021-09-16T11:22:46","modified_gmt":"2021-09-16T16:22:46","slug":"security-awareness-not-just-an-it-and-compliance-responsibility","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=4041","title":{"rendered":"Security Awareness &#8212; Not Just an IT and Compliance Responsibility"},"content":{"rendered":"<p><em>Marisa Polowitz<\/em><\/p>\n<p><em>Associate Editor<\/em><\/p>\n<p><em>Loyola University Chicago School of Law, JD\/MPP 2023<\/em><\/p>\n<p>Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks, to gaming companies and <a href=\"https:\/\/www.nytimes.com\/2021\/05\/08\/us\/politics\/cyberattack-colonial-pipeline.html\">oil pipelines<\/a>, <a href=\"https:\/\/www.vice.com\/en\/article\/jg84q3\/a-third-of-global-companies-have-experienced-ransomware-attack-survey-finds\">ransomware has impacted<\/a> organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat due to insufficient security education. \u00a0 <!--more--><\/p>\n<p><strong>Who is responsible for protecting an organization from cyber-attacks?<\/strong><\/p>\n<p>Traditionally considered the domain of information technology (\u201cIT\u201d), security of the data collected and\/or stored by an organization has expanded far beyond IT and well into the concerns of those on the business side. Privacy, security, and compliance have become inextricably intertwined with regular business. 
While an organization\u2019s IT security department can, and should, build robust technical protections to secure data, a grave and daily recurring risk arises from a system\u2019s users.<\/p>\n<p><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/tips\/ST04-014\">Social engineering<\/a>, an attack that leverages human interaction to gain entry to an organization or its systems, relies on the actions of what is often the weakest point in a security program \u2013 the individual. <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/tips\/ST19-001\">Ransomware<\/a> is commonly delivered via the social engineering tactic of <a href=\"https:\/\/www.consumer.ftc.gov\/articles\/how-recognize-and-avoid-phishing-scams\">phishing<\/a> emails. The Federal Bureau of Investigation (\u201cFBI\u201d) had already noted <a href=\"https:\/\/www.fbi.gov\/news\/stories\/incidents-of-ransomware-on-the-rise\/incidents-of-ransomware-on-the-rise\">a substantial rise in ransomware<\/a> attacks since 2016, but 2020 and 2021 have shown an unprecedented increase in the frequency, scale, and impact of ransomware attacks. In 2020 alone, reported ransomware losses were estimated at <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2020_IC3Report.pdf\">over $29.1 million<\/a>, a figure that counts only complaints filed with the FBI\u2019s Internet Crime Complaint Center and excludes indirect costs such as downtime and lost business. Victims of phishing and its voice, phone, and text counterparts (vishing and smishing) <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2020_IC3Report.pdf\">numbered over 240,000<\/a>.<\/p>\n<p>The National Institute of Standards and Technology (\u201cNIST\u201d) publishes <a href=\"https:\/\/www.nist.gov\/cyberframework\">cybersecurity guidance<\/a> that is used by industries such as healthcare, financial services and banking, retail, and architecture\/engineering. These organizations are strongly encouraged to provide regular security education for all employees, system users, and anyone accessing the organization\u2019s network. 
Traditionally, the organizational training necessary to satisfy regulatory requirements has been the responsibility of compliance departments, while IT security has long been viewed as solely within the domain of IT departments.<\/p>\n<p><strong>Technology is fully integrated into business functions<\/strong><\/p>\n<p>As more elements of daily life are completed online, organizations have more to protect, and systems are becoming increasingly exposed to cyber-attacks. The days of security awareness as purely a compliance and IT concern are over. The cybersecurity threat no longer pertains only to credit card data and protected health information \u2013 entire electrical grids, hospital systems, and other essential services rely on the security of technological systems. As the Colonial Pipeline attack, among other examples, demonstrated, <a href=\"https:\/\/complianceandethics.org\/7-things-to-know-about-cyber-crime-and-what-will-keep-you-safe-against-it\/\">if a tool is connected to the internet<\/a>, it\u2019s vulnerable. In Colonial Pipeline\u2019s case, investigators traced the intrusion to a single compromised password for a legacy VPN account that lacked multi-factor authentication.<\/p>\n<p>Poor security education has impacts far beyond the IT department \u2013 a lack of security awareness can cause major real-world harm. Along with the increase in ransomware attacks, the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2021\/08\/ransomware-crisis\/\">average demand amount<\/a> has increased as well. Colonial Pipeline <a href=\"https:\/\/www.pbs.org\/newshour\/nation\/why-ransomware-attacks-are-on-the-rise-and-what-can-be-done-to-stop-them\">paid roughly $4.4 million in ransom<\/a>, while the meat-packing company JBS paid $11 million after a ransomware attack forced it to close facilities. The cascading impacts of cybercrime have prompted the federal government to respond. 
A bipartisan group of US senators <a href=\"https:\/\/www.cnn.com\/2021\/06\/16\/politics\/bill-report-cyber-breach-24-hours\/index.html\">put forth a bill<\/a> that would require both public and private entities to report security breaches within twenty-four hours, and Congress included increased penalties for cybercriminals in its <a href=\"https:\/\/www.pbs.org\/newshour\/show\/4-main-issues-fueling-congressional-debate-over-biden-infrastructure-plan\">infrastructure package<\/a>. The White House issued an <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">Executive Order<\/a> (EO 14028) focused on improving cybersecurity across the U.S. The message is clear: cybersecurity has become everyone\u2019s issue. A proactive response to that call must be expansive and robust, and must raise attention to cybersecurity awareness across all sectors.<\/p>\n<p><strong>Owning the responsibility of meaningful stewardship<\/strong><\/p>\n<p>Education systems, oil pipelines, electric companies, healthcare providers, governments \u2013 virtually every sector is internet-dependent, and therefore every sector is vulnerable. Each individual user within a network poses a potential threat to the system\u2019s security and should in turn be considered a steward of that system. Through the lens of meaningful <a href=\"https:\/\/www.merriam-webster.com\/dictionary\/stewardship\">stewardship<\/a>, individuals accessing an organization\u2019s network should be required to complete security awareness training, and those with access to sensitive systems or tools should be required to complete awareness programming commensurate with the risk presented by that access.<\/p>\n<p>To improve cybersecurity across all sectors, organizations must acknowledge that security is no longer solely the domain of the IT team, nor is security education strictly a compliance responsibility. 
Everyone, at every level of an organization, should receive education in responsible internet hygiene. Ultimately, security awareness education must become a high business priority, and the responsibility for keeping systems secure must be shouldered by all.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks, to gaming companies and oil pipelines, ransomware has impacted organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat due to insufficient security education. \u00a0<\/p>\n","protected":false},"author":90,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[321,468,473,571,575,1014,1181,1182,1623,1690,1802,1953],"class_list":["post-4041","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-breach","tag-compliance","tag-compliance-program","tag-data-privacy","tag-data-security","tag-healthcare","tag-it","tag-it-security","tag-cybersecurity","tag-regulation","tag-security-awareness","tag-technology"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/90"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.
edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4041"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4041\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}