Accenture’s survey of over 900 health care provider and payer organizations across the U.S. and Canada highlighted one particularly bad habit employees have when it comes to cybersecurity. A surprising 21% of respondents keep their username and password written down next to their computer — and even more surprising is that 24% of respondents who receive quarterly security training still write down usernames and passwords.
It’s not just the health care industry. Bad security habits across industries compromise employee and customer data and have big consequences for companies, from monetary fines to reputational damage. But there are actions companies can take to help combat their employees’ bad security habits.
Here are the three top bad habits and what you can do about them:
1. Not Following Password Best Practices
This is more than writing down usernames and passwords. Employees also tend to use simple passwords that are easily predictable, use the same password across applications and never change their passwords.
These days, hackers can download password-cracking software off the internet that runs through the entire dictionary and more, including multiple languages, in seconds. And when employees use the same password across applications, passwords that get compromised on one system are added to a repository, making it easier for someone targeting your organization to get in and steal confidential data.
As an employer, there are several things you can do. You can require employees to create passwords that meet a certain level of complexity and set standards for changing them periodically. Another is using a single sign-on system, which allows employees to create complex, unpredictable passwords without having to remember them. This cuts down on the bad habits of using simpler passwords that are easier to remember and writing passwords down.
Employers can also download password blacklists, which are lists of compromised passwords from hacker sites. Blacklists can be implemented to prevent employees from using known compromised passwords, even if the password meets complexity requirements.
Facial recognition and fingerprint technology have come a long way, which could be used to replace passwords entirely. There’s also existing technology where an employee’s badge can unlock their computer when in close proximity to the device, which is very valuable for workplaces like hospitals where the public can have easy access to workstations and when multiple users (e.g., doctors and nurses) access the same computer throughout their shifts.
2. Not Protecting Paper Documents
Despite our move into the digital age, there is still a lot of information that gets printed out on paper — and then improperly handled or disposed of by employees. Throwing away or recycling paper with confidential information on it can lead to that information being compromised, whether at your workplace or after it’s disposed of.
Employers can help minimize this risk by retaining a shredding service. The service provides designated and securely locked paper disposal stations and will come to your office to shred the documents (either onsite or offsite) and properly dispose of them, usually in an environmentally friendly manner.
Employees also have a bad habit of leaving printed documents on printers and copy machines, exposing information to anyone with access to the workplace. Technology can help combat this bad habit. Copiers and printers now have the ability to put documents that an employee sends to print in a digital mailbox. The employee then must input a code at the copier/printer for the document to print out, helping ensure it only gets seen by their eyes.
3. Casually Disclosing Confidential Information
Our last bad habit results from a kind of casual carelessness. Social media provides a platform for employees to discuss their jobs or post photos taken at work, not realizing they’ve accidentally disclosed confidential information or given enough details for someone to put two and two together (such as a celebrity patient at a hospital).
There isn’t an easy technology solution for employers here. This comes down to education — and it shouldn’t be one-time only. Employees need frequent reminders of their responsibilities and easy ways they can protect confidential information. Training should include everything from password best practices to social media awareness to how to protect the security of their laptops.
And when employers implement other solutions, such as single sign-on password technology and paper shredding stations, they work hand-in-hand with training to make it easier for employees to follow rules and guidelines. When 24% of health care employees who receive quarterly security training still write down usernames and passwords,1 leveraging multiple solutions to combat bad habits is far more effective.
If you would like to learn more about how your organization can safeguard your data and help your employees understand best security practices, contact the cybersecurity and risk advisory specialists at Wipfli.
 “1 in 5 health employees willing to sell confidential data: 7 survey insights,” Julie Spitzer, Becker’s Hospital Review, March 2, 2018, https://www.beckershospitalreview.com/cybersecurity/1-in-5-health-employees-willing-to-sell-confidential-data-7-survey-insights.html, accessed May 30, 2018