Cybersecurity Education Can Mitigate Business Risks

MediaPro’s Chief Strategist, Security, Privacy, and Compliance, Tom Pendergast, talks about cyber attacks in healthcare and some of the emerging trends and challenges in cybersecurity.

The state of New York now has cybersecurity regulations in place, and has brought to light an important facet: cybersecurity education and training as a means to mitigate business risks.  
A look at our list of top cybersecurity companies shows that the sector has a vast scope that spans from software companies to operational support. One specialized and important area in light of the news on New York regulations is education.
INN spoke to MediaPro’s Chief Strategist, Security, Privacy, and Compliance, Tom Pendergast, about cyber attacks in healthcare and some of the emerging trends, as well as challenges, in cybersecurity. Although MediaPro is a private company, investors should be aware of the need for education and awareness within the cybersecurity sphere.


MediaPro is a training company with a focus on data awareness protection, offering security, privacy, and compliance education and awareness programs. In 2016, MediaPro released a report on the state of privacy and security awareness and found that a whopping 88 percent of employees lack basic awareness to stop privacy or security incidents.
Continue reading below for the full transcript of our conversation. It has been edited for clarity and brevity.
Investing News Network: First of all, what are your thoughts on cyber attacks in the healthcare sector?
Tom Pendergast: We’ve seen a lot of increased interest from the healthcare sector on how to equip employees to fight back against cyberattacks. What I’ve seen is that cyber criminals are going after the healthcare industry now because they’ve recognized something that started getting reported a couple of years ago. PHI, Protected Health Information, is pretty high value data. The FBI recently noted that the value of PHI on the black market is much, much higher than other forms of personal information. As more of that healthcare data gets handled in electronic records, it’s easier for cyber criminals to get it in large chunks. Couple that with the fact that in healthcare, some of the technical systems have traditionally lagged behind other sectors, because money in healthcare typically goes toward serving patients and saving lives, not building super robust IT systems, and you’ve got high value targets and less developed technical infrastructure. From my kind of human-side-of-the-problem perspective, healthcare providers have done a pretty good job of educating employees about Health Insurance Portability and Accountability Act (HIPAA) protections, but the standard HIPAA training is relatively light on core cybersecurity best practices. So I think that the healthcare sector has some catching up to do in terms of educating employees about general security best practices.
INN: Do you see that there is an increased demand in educating employees?  
TP: Absolutely. We see it growing, we’re responding and trying to meet their needs by creating specific packages especially for smaller healthcare providers. If you look at the larger healthcare market there are many, many companies that are small, there’s mom and pop type medical practices, single providers, and these folks have not been doing much at all other than providing a HIPAA notice. So there’s a lot of interest in the small business, SMB market if you will, in the healthcare sector. We’re also seeing the major players getting more interested in doing better cybersecurity. I think these ransomware attacks scared the heck out of everybody, so I think everybody’s saying, “We really have to do something now.”
INN: In one of your blog posts, you emphasized the importance of awareness in the C-level suite. Do you think this is an emerging trend in the cybersecurity sector?
TP: I definitely think it’s emerging. I’ve been in this business for 10 years just doing security and privacy awareness type stuff. I’ve never seen a year in which the C-level and executive level folks have been paying more attention to cybersecurity risks.
I think it’s a couple of factors. There’s been much more publicity about the cost of a data breach. You probably have seen the latest Ponemon Data Breach report. There’s a recognition among C-level people that a cybersecurity risk is a business risk. It used to be, “something for IT to worry about,” and I don’t think that’s true anymore. I think people at the C-level really understand that these cybersecurity risks are business risks. And of course the BEC scams really opened executives’ eyes when they realized that the sophistication of social engineering attacks aimed at C-level people is really getting quite high and the costs are just enormous.
I think 2016 was a turning point in getting attention to this stuff. MediaPro has developed a new executive training program that we will introduce this year. It speaks directly to C-level folks in the language that matters most to them, which is about risk to the business.
INN: Do you have any cybersecurity companies that you follow or you closely watch?
TP: One that I’ve started paying attention to just in the last three or four months is a company called Barkly. Their marketing department does a great job at getting your eyeballs on their content. What they’re doing from a marketing standpoint is kind of interesting, but then what they’re doing technologically looks interesting to me as well. They’re pretty innovative in going after malware and shutting it down.
The other company I think is really interesting is called ObserveIT, which is a behavioral analytics company focused on insider threat. What they’re offering to their customers is this capacity to identify the risky behavior of individuals so that you can track those individuals and hopefully stop them before they become a source of risk to their company. I think those two companies are kind of cool.
INN: That’s really interesting. The whole cybersecurity business has gotten so big that there are specialized companies for each and every tiny issue now.
TP: There really are. I continue to think that companies like IBM are doing interesting work in the sector. Their ability to analyze what’s going on within an IP environment is interesting. I think we’re heading down a path in cybersecurity technology where we’re going to have this immense capacity to understand the behavior of individuals within IT environments.
How we handle it, how these companies are going to handle that knowledge and what they do with it is going to be a big challenge. It’s going to be a challenge for these companies and it’s going to be a challenge for the companies that deploy these kinds of technologies because people will feel like they’re being spied on.
INN: Have you seen any trend in terms of the kind of challenges people face when it comes to cybersecurity?
TP: Yes, I think so. A recent article called “Security Fatigue” I think really highlighted a very interesting challenge that we all deal with. People hear so much about passwords, that you’ve got to watch out for this, and you’ve got to watch out for that. They just get tired of hearing about all the things they need to do because they don’t see the impact of a malware attack very often. Most individuals don’t really see it at all. So people tune this out and so I think that we have to get more and more creative in reaching people. We adopt the tactics of advertisers, and marketers, and communications people to just try to get people to pay attention and get them sensitized to the risks.
I think the big challenge I always see in our work is, how we can help people internalize their understanding of the risks in such a way that they’ll act on it, and you can’t do it with boring training, you’ve got to somehow break through people’s malaise.
INN: Right, that’s very interesting. What are your thoughts on the future of cybersecurity?
TP: I kind of tracked the timeline back to a couple of years ago to when this market really started to shift, and I think it was the Target breach in 2013. That Target breach was the turning point, where it used to be only the best practice companies that were doing a good job with security awareness and privacy awareness training approaches. But after that, everybody started to get more cognizant of the risks and started to do more about it both in our market, training and education, but also in the broader market. I don’t think that’s slowing down at all.
 
Securities Disclosure: I, Pia Rivera, hold no direct investment interest in any company mentioned in this article.
Editorial Disclosure: The Investing News Network does not guarantee the accuracy or thoroughness of the information reported in contributed article. The opinions expressed in these interviews do not reflect the opinions of the Investing News Network and do not constitute investment advice. All readers are encouraged to perform their own due diligence.