Getty Images
How Northwell Health Runs Its Cybersecurity Training and Awareness Program
The New York health system uses a variety of tactics to keep its cybersecurity training and awareness program fresh and engaging for its entire workforce.
When it comes to cybersecurity, costly technology and high-end tools can only get organizations so far. Implementing a robust and dynamic cybersecurity training and awareness program is crucial to reducing risk and establishing a culture of cybersecurity throughout the workforce.
At Northwell Health, New York State’s largest private employer and healthcare provider, security training and awareness is a priority across the health system, where more than 81,000 employees receive regular security education and guidance.
“I would say it is probably the most important thing that my team does,” Kathy Hughes, VP and CISO at Northwell Health, said of security training and awareness during an interview with HealthITSecurity.
“People are the last defense in any type of cyberattack that might occur. And it's important that people are aware of what the threats are, what the risks are, and how they can protect not only themselves and their personal information, but also the Northwell systems and data as well.”
Understanding the Importance of Security Training and Awareness
A March 2022 survey by the Center for Generational Kinetics (CGK) found that poor password hygiene left organizations vulnerable to cyber risks, especially as remote work became more popular. More than 65 percent of respondents admitted to choosing passwords that were easy to remember, rather than opting for secure combinations.
Additionally, a 2022 report by KnowBe4 found that consistent security training and awareness efforts can greatly reduce the likelihood of a successful phishing attack. But after one year of training, researchers observed a significant decrease in the number of employees who clicked on simulated phishing emails.
With an understanding that every workforce member must play an active role in security, Hughes’ team began by raising awareness from the top down.
“It really started by making sure that there was an awareness even at the highest levels of the organization from our senior leadership and getting buy-in and collaboration from key areas like our corporate communications department, our compliance area, human resources, risk management, even our corporate security team, our office of legal affairs, and our crisis management department as well,” Hughes said.
“Through the collaboration and the education and awareness that my team and I gave that group, we were able to obtain the buy-in, and then develop the program from there.”
Along the way, Hughes and her team discovered what worked and what did not. Security training is not one-size-fits-all, nor is it a process that has a finite timeline. Creating targeted, engaging, and continuous content has proven crucial to the success of Northwell’s program.
Crafting Targeted Content For Different Areas of the Workforce
With a variety of roles and responsibilities across Northwell’s workforce, there is no single security training tactic that resonates with every employee.
“Our program is designed to target different audiences with different messages using different methods,” Hughes explained.
From formal training to casual newsletters, different areas of the organization may receive different types of training and awareness materials. There is training that is specific to new hires, leaders, people in IT, and those who work in finance.
“For example, for those departments that might do wire transfers, we have very targeted training for because they are very much at risk of being victimized by some type of targeted phishing attack,” Hughes noted.
“Because of their role and the type of privileged access they have, they're going to be more highly targeted than others, so we do have very targeted training for them.”
Northwell uses simulated phishing exercises, newsletters, screensavers, social media, intranet articles, and more to target specific groups. For example, a C-suite leader may receive different training than a clinician.
With a variety of content geared toward specific groups, workforce members can get the most value out of security training that was made just for them.
Making Security Training Engaging, Positive
“Another effective method that we've employed, which has really gotten some positive traction, is using animation and videos and infographics,” Hughes noted.
Northwell leverages entertaining video series to keep employees engaged while also spreading important messages.
“We also use gamification. Games are always fun to play, and if you can put a little security spin to it, it makes it more engaging and relevant to the people that are attracted to that type of interaction,” Hughes continued.
In addition to games and videos, Northwell has handed out fish-shaped stress balls with information about phishing, as well as pens and other promotional materials that put security front-and-center. Northwell also maintains a calendar with different security topics for each month.
“For example, in December we have things to watch out for during the holiday season. And in April, we might beware of schemes where there's a tax theme,” Hughes stated.
Rather than making security a scary subject, Northwell aims to raise awareness of key risk areas via engaging content presented via a variety of mediums that keep employees both entertained and informed.
Focus on Phishing
Preying on unsuspecting employees with phishing attacks is a favorite pastime for many threat actors. In fact, phishing was the most frequently reported cybercrime of 2021 according to data from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). IC3 received 323,972 phishing complaints in 2021, compared to 241,342 in 2020.
Additionally, a 2022 survey by H-ISAC and Booz Allen Hamilton found that behind ransomware, surveyed cybersecurity, IT, and non-IT executives identified phishing and spear-phishing as their top concerns.
Given that employees are likely targets of phishing scams, phishing-focused training is a critical part of Northwell’s overall security program. Like many organizations, Northwell leverages phishing simulations that discipline repeat offenders who fall for fake phishing emails.
“For those folks who have repeatedly demonstrated susceptibility to our phishing exercises, we require them to take additional training and we get their supervisors involved,” Hughes said.
“On the flip side of that, we have a cyber champion program. For those who demonstrate good behavior and consistently report suspicious emails that we send out in our campaigns, we reward them with a certificate and points that they can cash in for merchandise.”
Phishing remains one of the most effective cyber threat tactics, but with more employees engaged in training, organizations can mitigate risk.
Best Practices For Improving Your Organization’s Security Training and Awareness Program
It is worth noting that not every healthcare organization has the resources to build out a security training and awareness program as robust as Northwell’s, especially considering the organization’s size. However, smaller organizations can still learn from larger ones and employ key strategies to enhance the effectiveness of their own programs.
“It is really important for every organization out there that they don't try to do it on their own,” Hughes suggested.
Every employee is a member of the security team, Hughes reasoned, not just the security experts themselves. In order to maintain an effective security program, every member of the workforce should have some level of personal commitment to cause.
“These threat actors are very manipulative, very clever, and they are constantly using new techniques and tactics to try to trick people into either clicking on a link, opening an attachment, or provide information in person or verbally.” Hughes continued.
“The more people in an organization understand and recognize that the things that they hear about on TV and read about could happen to them, it really resonates more. And when you make them feel part of it, it creates a more successful program.”
Hughes also stressed the importance of soliciting feedback and tracking data to assess the effectiveness of an organization’s security training and awareness program. For example, if email open rates are low, it might be time to try a different tactic. In addition, feedback from employees can help organizations narrow their focus and create programs that truly resonate with their audiences.
Security is a continuous process, and training programs are no different. Constantly staying informed about the latest threats and communicating those threats to a workforce of thousands is not an easy task. But doing so effectively can help organizations drastically reduce risk.
“There is no beginning and no end,” Hughes added. “It is just something that is continuous and needs to be constantly reevaluated.”