Snapshot of INSIDER THREATS Within The Healthcare Sector

Insider threats affect public and private organisations alike, and they are one of the biggest security challenges the healthcare industry faces. A recent Forbes article reported that 58% of breach attempts against healthcare systems involve inside actors, which makes healthcare the leading industry for insider threats today.

One of the most compelling insights is how quickly healthcare is becoming a digitally driven business with strong growth potential. What holds that growth back is how porous healthcare digital security is. Add the sheer volume of confidential, sensitive and highly valuable information these organisations hold, and it becomes easy for a careless or malicious insider to compromise security and cause massive harm.

Forbes went on to say that around 66% of internal and external actors abuse privileged access credentials to reach databases and exfiltrate proprietary information.

Insider Threat Example

A former Dallas hospital security guard built a botnet on the hospital network to attack rival hacking groups. He was eventually caught after filming himself staging an “infiltration” of the hospital network and posting the video on YouTube. The video clearly shows him using a specific key to enter the building, which revealed his identity as Jesse McGraw, a night security guard there. The investigation found that McGraw had installed malware on dozens of machines, including nursing stations holding patient records. He had also installed a backdoor in the HVAC control system; had that system failed, drugs and medicines would have spoiled and patients would have suffered during the hot Texas summer. McGraw pleaded guilty to computer tampering charges and is serving a 9-year sentence in addition to paying $31,000 in fines. Note that no technical exploit was needed: the physical access his role legitimately granted was enough to reach unattended clinical systems.

Overview of Insider Threats Within The Healthcare Sector

The CERT National Insider Threat Center (NITC) maintains a corpus of over 2,000 insider threat incidents, which is the foundation for the empirical research and analysis summarised in this article. In total, CERT identified 88 malicious insider incidents mapped to 91 healthcare organisations that were directly victimised. Of the victim organisations, health networks make up the largest subsector: these are the networks of hospitals and medical centres dedicated to delivering healthcare to specific regions.

Interestingly, 20 of the victim organisations employed the insider only indirectly, through a trusted business partner relationship or non-regular employment such as contracting, a population that screening and access-review processes aimed at regular staff frequently miss.

As the chart below shows, fraud is the most frequent insider incident type, accounting for about 76% of all incidents. In these fraud cases we generally see individuals with access to patient payment records abusing that access to customer/patient data to create fraudulent assets, such as credit cards, for profit.

Insider Fraud Incidents
  • Who?
    • 64.3% of healthcare fraudsters began their malicious activity within their first five years of working for the organisation;
    • 72.8% misused access they were authorised to have (e.g. a privileged account or access to PII);
  • What?
    • Around 52.7% of fraud incidents in the healthcare sector involved the theft of customer data;
    • Around 37.5% of incidents directly targeted financial assets;
    • Around 94.9% of the personally identifiable information (PII) stolen was customer data;
  • When?
    • Where the timing of the attack was known, around 70% of incidents involved insider activity during business hours only; the remaining 30% took place both during and outside work hours;
  • Where?
    • Where the attack location was known, around 72.7% of incidents took place on site;
    • Around 23.6% involved both on-site and remote activity;
  • How?
    • Most incidents used rudimentary techniques:
      • 25.8% of insiders received and/or transferred funds;
      • 24.2% abused their privileges;
    • In around 36.4% of incidents the insider tried to conceal their activity in some manner, such as modifying log files, using a compromised account or creating an alias;
  • Why?
    • Around 84.8% of insiders committed fraud for financial gain.

Suggested Mitigation Strategies

Healthcare information security should be of the utmost importance to the organisation. Although identity theft is the most common misuse of patient data, patients can face severe, permanent consequences from the misuse, alteration or destruction of their medical records.

To better protect your healthcare organisation from insider threat incidents, here are some best practices I suggest you adopt:

  • Mitigation of fraud-related crime starts with better screening and identification of employees at hiring, and the same screening should extend to contractors and business partners given access;
  • Some insiders accumulate excessive privileges that enable them to carry out their crime. Control roles carefully and audit them regularly, comparing what each person actually holds against what their role requires;
  • Wherever possible, enforce separation of duties across all critical processes, so that no single person can both initiate and approve a payment, refund or claim;
  • A monitoring strategy for fraud should cover both access to and modification of critical data, and may include frequent random audits of critical information fields;
  • Use user activity monitoring solutions to record online user activity so that fraudulent behaviour can be detected, paying particular attention to after-hours and remote access and to attempts to alter or delete audit logs;
  • Encourage employees to recognise and report suspicious behaviour, including facilitation by outsiders;
  • Develop an employee assistance programme that includes financial counselling.
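As an added example (not code from the article or from the CERT data set), the following Python script shows how the role-audit, separation-of-duties and activity-monitoring controls above can be expressed as checks over an entitlement snapshot and an access log. The roles, entitlement names, users, business hours, bulk-read threshold and log lines are all constructed for illustration; the patterns it looks for (privilege creep, a clerk who can both create and approve claims, after-hours or remote reads of payment data, bulk record access, and audit-log tampering) mirror the technique, timing and concealment figures reported earlier.

```python
# Added example: minimal insider-fraud controls over constructed sample data.
# Roles, entitlement names, users, thresholds and log lines are assumptions.
from collections import defaultdict
from datetime import datetime

# Entitlements each job role is supposed to hold (assumed baseline).
ROLE_BASELINE = {
    "billing_clerk": {"patient_payment.read", "claim.create"},
    "billing_supervisor": {"patient_payment.read", "claim.approve", "refund.approve"},
    "nurse": {"patient_record.read", "patient_record.update"},
}

# Entitlement pairs no single person should hold (separation of duties).
SOD_CONFLICTS = [("claim.create", "claim.approve"), ("claim.create", "refund.approve")]

# Constructed IAM snapshot of what users actually hold: user -> (role, entitlements).
USERS = {
    "alice": ("billing_clerk", {"patient_payment.read", "claim.create"}),
    "bob": ("billing_clerk", {"patient_payment.read", "claim.create", "claim.approve"}),
    "carol": ("nurse", {"patient_record.read", "patient_record.update", "patient_payment.read"}),
}

# Constructed access log in key=value form; timestamps are local time.
SAMPLE_LOG = """\
2024-03-04T10:12:01 user=alice action=patient_payment.read record=PT-0001 site=onsite
2024-03-04T10:13:40 user=alice action=claim.create record=CL-0001 site=onsite
2024-03-04T10:15:02 user=bob action=claim.approve record=CL-0001 site=onsite
2024-03-04T11:02:00 user=bob action=refund.approve record=RF-0001 site=onsite
2024-03-04T22:41:17 user=carol action=patient_payment.read record=PT-0002 site=remote
2024-03-04T22:41:19 user=carol action=patient_payment.read record=PT-0003 site=remote
2024-03-04T22:41:22 user=carol action=patient_payment.read record=PT-0004 site=remote
2024-03-04T22:41:25 user=carol action=patient_payment.read record=PT-0005 site=remote
2024-03-04T23:02:10 user=carol action=audit_log.delete record=- site=remote
"""

BUSINESS_HOURS = (8, 18)   # assumed 08:00-18:00 local time
BULK_READ_THRESHOLD = 3    # assumed: more distinct payment records per day than this is suspicious


def excessive_privileges(users=USERS, baseline=ROLE_BASELINE):
    """Entitlements a user holds beyond their role's baseline (privilege creep)."""
    found = {}
    for user, (role, ents) in users.items():
        extra = ents - baseline.get(role, set())
        if extra:
            found[user] = sorted(extra)
    return found


def sod_violations(users=USERS, conflicts=SOD_CONFLICTS):
    """Users holding both halves of a separation-of-duties conflict."""
    found = {}
    for user, (_, ents) in users.items():
        hits = [pair for pair in conflicts if set(pair) <= ents]
        if hits:
            found[user] = hits
    return found


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def activity_alerts(events, users=USERS, hours=BUSINESS_HOURS, bulk=BULK_READ_THRESHOLD):
    """Alerts as (user, reason, detail): actions outside the IAM snapshot, audit-log
    tampering, after-hours/remote reads of payment data, and bulk reads per day."""
    alerts = []
    reads = defaultdict(set)      # (user, day) -> distinct payment records read
    off_hours = defaultdict(set)  # (user, day) -> payment records read after hours or remotely
    for ev in events:
        user, action, ts = ev["user"], ev["action"], ev["ts"]
        _, ents = users.get(user, ("unknown", set()))
        if action.startswith("audit_log."):
            alerts.append((user, "audit_log_tamper", action))
            continue
        if action not in ents:
            # The application allowed something IAM says the user does not hold:
            # a shared/compromised account or an enforcement gap.
            alerts.append((user, "unauthorised_action", action))
        if action == "patient_payment.read":
            key = (user, ts.date())
            reads[key].add(ev["record"])
            if not (hours[0] <= ts.hour < hours[1]) or ev.get("site") == "remote":
                off_hours[key].add(ev["record"])
    for (user, day), recs in off_hours.items():
        alerts.append((user, "after_hours_or_remote_payment_access", f"{len(recs)} records on {day}"))
    for (user, day), recs in reads.items():
        if len(recs) > bulk:
            alerts.append((user, "bulk_payment_reads", f"{len(recs)} records on {day}"))
    return alerts


if __name__ == "__main__":
    print("privilege creep:", excessive_privileges())
    print("SoD violations:", sod_violations())
    for alert in activity_alerts(parse_log(SAMPLE_LOG)):
        print("alert:", alert)
```

The two snapshot checks fire before any misuse occurs: Carol, a nurse, holds payment-data access her role does not need, and Bob, a clerk, can both create and approve claims. The log-based alerts catch misuse of access that was legitimately granted, which is the 72.8% case in the figures above. An "unauthorised_action" alert for an action the IAM snapshot says the user does not hold usually indicates a shared or compromised account or a gap in enforcement, and is worth treating as a concealment indicator alongside the audit-log tampering alert.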

Workplace Depression – Is It You, The Job Or Both?

The health of your organisation is never a fixed matter.

The health of an organisation's employees, physical and mental, considerably influences operational efficiency and success, so employers must handle it with the utmost care and attention.

Depression can happen to anyone and may set in at any time.

It is a silent killer of productivity, employee health and the working environment, and a risk to the organisation.

This is a problem that requires immediate attention to prevent. As an employer, you must keep a watchful eye out for this serious mental health issue.


Whose Responsibility Is It To Deal With Employee Anxiety?

There are so many aspects of a job that can cause anxiety: tight deadlines, trying to balance work and life, dealing with office gossip and politics, meeting your supervisor's expectations… the list goes on.

But what do you do if your workplace makes you feel anxious on a regular basis? When you dread stepping into the office day after day? When something about your job makes anxiety your norm?

In this video, we discuss who is responsible for identifying whether any of your employees are anxious.


Can You Identify Employees Close To Breaking Point Due To STRESS?

How do you know if there’s a problem with individuals experiencing stress within your organisation?

Stress amongst team members can often go unnoticed, especially within busy working environments.

Worse still, management is often unaware of the early warning signs of workplace stress in their team.

This video will discuss the fundamentals of stress, the symptoms, the risks and how to identify an employee who is on the verge of breaking point.


User Risk Monitoring Vs Activity Monitoring Vs Session Monitoring

Employees are indeed the biggest asset of an organisation, but they can also be its most significant liability.

The simple fact is that your users are the most likely source of a data or cyber breach in your organisation, whether through negligence or malice, so it makes sense to monitor their actions.

In this video, we discuss the benefits and merits of three types of user monitoring: user risk monitoring, user activity monitoring and user session monitoring.


Is Cheating Good For Business?

Have you ever wondered why organisations with a high-standing reputation and high-performing teams encourage their employees to cheat?

We’ve all heard the old adage “cheaters never prosper,” but is it really true?

This video will discuss why cheating is rampant in many organisations and why it may be a good idea.



Is Honesty Still Important In Today’s Business Age?

How would you describe your ideal coworker or employee?

Professional, productive, efficient, problem-solver, team worker, trustworthy, toxic, bully?

Some of those characteristics, such as trustworthiness, honesty, and dependability, are especially important now, when we mostly work remotely.

While everyone would want a team with those qualities, not everyone is ready to build a safe and open environment that will encourage honesty, instead of meeting it with defensiveness.

In this video, we'll discuss what makes a person trustworthy, how to show trustworthiness in the workplace, how to build a work environment that encourages honesty, and how to go about mitigating dishonest behaviour.





The #1 Thing To Build Loyalty With Your People

Employees are your most valuable assets.

They should feel that your organisation wants the best for them; otherwise, they may look for another job. These are people who work day in, day out to boost your business and help you reach your goals, and loyal employees can do absolute wonders for the future of your brand.

According to research by Gallup, 70% of an employee's motivation is influenced by their manager. That matters because employees who lack motivation don't fully commit themselves to a position and lose productivity, which in some cases can cost a company millions and lead to poor customer service.

“People leave managers, not companies.” In this video, we identify what loyalty is, what its characteristics are and how you can build loyalty with your people.





Is “Intention” Positive Or Negative Behaviour?

Gain Understanding Of How INTENTION Can Impact Your Organisation's Risk

“Organisations are no longer built on force, but on trust”

– Peter Drucker

What is the difference between intent and agenda?

  • “Agenda” can be thought of as a temporary, organised plan for matters to be attended to; and
  • “Intent” can be thought of as the course of action a person means to follow.

Intent matters! It is vital to trust! It’s critical to organisations!

While we tend to judge ourselves by our intent, we tend to judge others by their behaviour.

Intent, by and large, sits within the following chain:

Intent is the purpose behind why you are doing something.

Motive is the reason for doing something.

Agenda grows out of motive. It is what you intend to do or promote because of your motive.

Behaviour is the manifestation of motive and agenda.

Actions are the manifestation of your behaviour: the activities you carry out based on your intention.

Outcome will be the result of your actions, whether positive or negative.

Let me ask you two questions.

  • What do you think is the most trusted institution in society? Government? Non-profits? The media? Large companies? According to a new global survey from public relations firm Edelman, the answer is business.
  • Now, what do you think is the most mistrusted institution in society? The answer is government. Are you surprised?

According to a global survey from public relations firm Edelman, 80% of people expect their employers to act on significant social issues like climate change, racism and vaccine hesitancy. In addition, the survey found that people think business outperforms government on a range of social issues: healthcare, inequality, jobs, climate change.  

There is severe disillusionment with government's ability to solve significant problems.

The impact of intent issues on trust is dramatic.

A person with integrity, capability and results but poor intent is someone who is honest and performs well but whose motive is suspect; perhaps this person wants to win at any cost. People generally sense such behaviour and will not extend their complete trust.

On the other hand, a person with good intentions but without integrity, capability and results is a caring person who is nonetheless dishonest or cowardly.

Leading with intention

“Intention” is often referred to as a mental state representing a commitment to carry out an action or actions in the future.

It provides the fuel required to act. It’s the “why” and the reason for committing to something.

If you operate with intention in the workplace, you will find people are helpful, understanding, engaged and most likely motivated in the actions you are looking to execute.

However, if you operate without intention, it will undoubtedly prevent you and your team from getting results.

In leadership, the more intentional your behaviour, the more likely those around you will respect and follow your lead. Likewise, when they know the why behind your request, they are more willing to come along.

Negative intention

Douglas McGregor was a leadership expert who touted the value of “Theory Y” in which you assume good intentions and believe people want to do a good job.

This is certainly accurate for most leaders. While some leaders may not be extraordinarily effective, most of them don’t wake up in the morning seeking to be anything but their best.

However, things can go wrong, and a positive characteristic can become an unhappy reality for a leader’s employees.

Often that negativity manifests in snap judgements, the blame game and erroneous assumptions about co-workers, especially in intense and stressful situations.

Let me ask you the following – Does your organisation have good intentions? Do you have a culture of caring for one another? For your work? For your clients? For your partners?

If you feel your organisation is deficient in any of the above, the following questions might provide insight into the problem.

  • Are people manipulative?
  • Are people withholding information?
  • Are people seeking credit where credit is not due?
  • Are people spinning the truth?
  • Are ideas being suppressed?
  • Are mistakes being covered?
  • Are there lots of fingers pointing at others for blame?
  • Are there numerous meetings after meetings?
  • Are people overpromising and underdelivering?
  • Are people pretending that bad things are not happening?
  • Are people disagreeing or arguing for the sake of it?
  • Do management and executive have a different set of rules?

We know that good culture isn’t founded on ping-pong tables or free beers. Instead, it’s based on mutual respect and values.

Unfortunately, a single person's behaviour can have a seriously detrimental effect on the entire business, especially if it comes from the CEO.

Positive intention

But what if I told you that the underlying behaviour of someone with negative intention has a positive intention?

There is a reason why people do what they do. Their behaviour is not random.

Have you thought about the following: why do people steal? Why do people commit fraud? Why do people commit crimes that cause such harm to their organisation that it may be forced to shut down?

For every negative behaviour, there is a positive intention behind that behaviour.

Whilst the behaviour itself may be negative or unresourceful, the intention is to meet one of their core emotional needs.

When emotional needs are empty, they need to be filled for us to feel good. So, some use chocolate chip cookies. Some gamble online. Some do drugs. All these offer a quick fix but can also have negative consequences on others and ourselves.

If you observe a colleague at work and this person is bullying and harassing other colleagues, they are unconsciously aiming to meet their own emotional needs.

Rather than thinking that this person is rude, aggressive or obnoxious, try asking yourself under what extreme circumstances you feel it necessary to behave in the same way? Once you look at it through this lens, you might begin to see things differently.

Malicious insider vs accidental insider vs cyber attacker

What is the difference?

  • Malicious insider – intentionally exceeded or misused their access in a way that harms the organisation's critical assets.
  • Accidental insider – through action or inaction, and without malicious intent, caused harm to the organisation's critical assets.

Yet, many organisations feel they have to choose between protection from outsiders versus insiders.

Keep in mind that once an outsider (with intent) gets in, there is a good chance they will perform the same types of malicious acts as malicious insiders, for example:

  • Plant malicious code or a logic bomb
  • Create a backdoor account
  • Exfiltrate intellectual property or other proprietary information

Insider threat is a behaviour pattern

Sometimes managers overlook the red flags (negative-intention behaviour) out of concern for the bottom line, or out of fear of the disruption it may cause the team, themselves or their organisation.

However, a vigilant workforce (with positive intention) is an excellent defence and can usually recognise and report red-flag behaviours, no matter how hard insiders try to cover their tracks.


Tackling The Human Factor In Security

How Employees' Behaviour Is Making Businesses Vulnerable From Within

 “I don’t know how to exist before 9 A.M., and without coffee, I’m not classified as a human. Actually, I could be regarded as a threat.”

– Katie Findlay

What is harder to control, people or systems?

You can control systems, as they are reasonably predictable; people, less so.

If there is a problem with the door not closing, you can either fix it or replace it. However, if someone continues to slam the door, you will have difficulty changing that person’s behaviour.

We are very aware that the biggest threat in any organisation comes from employees even when they are not behaving maliciously.

This means CEOs and other executives can no longer hide in the shadows from such risks.

Part of the CEO's role is to manage organisational risk, which means that ultimate responsibility for insider threats and cyber threats must lie with the CEO.

Should the organisation experience a data breach, the CEO cannot pass that responsibility onto someone else's domain, such as the chief information security officer (CISO).

Today, it’s understood that a significant data breach will ruin the bottom line and pose enormous risks to a company’s brand, reputation, stock price, and how it’s perceived by customers, partners, and even its employees.

For many organisations, protecting their high-value assets has long been treated as a “tick and flick” exercise. Unfortunately, that won't do. Being compliant does not mean being secure. It does not mean you are safe.

Compliance is like holding a licence to drive: it does not mean you are a good driver. Hence we have road rules, speed cameras and red-light cameras to remind us to drive safely.

This mindset concerns itself more with meeting a regulator's approval than with determining what is best for the company's well-being and overall success. Yet many CEOs feel this is enough and rest easy over cybersecurity for that reason alone.

If top executives don’t properly address the potential risk a data breach could have on their organisations, they could soon be shown the door.


  • Target – the retail giant's infamous 2013 data breach exposed the payment card information of 40 million consumers. CEO Gregg Steinhafel and several other executives resigned.
  • Sony Pictures – in 2014 it was revealed that hackers had leaked upcoming film releases, employee information and personal emails from Sony Pictures. Co-Chairman Amy Pascal subsequently stepped down.
  • Equifax – 145 million people had their personal information exposed, including names, birth dates, addresses, driver's licence numbers and social security numbers. It was no great surprise that CEO Richard Smith was forced to resign.

Cyber security and insider risk management are not IT problems. They are business performance issues.

Since we realise that people are the biggest threat to an organisation, let me ask you the following question…why do people do what they do rather than what they are supposed to do?

Clearly, human beings are not machines!

What makes a person with a “good background” behave appallingly towards their colleagues, while another employee with “little resource” is extremely helpful and accommodating?

One thing is clear, humans are not random creatures. All actions that people take, they take for a specific reason.

The Theory of Planned Behaviour predicts an individual’s intention to engage in a behaviour. It provides an understanding of why a person carries out any behaviour.

The performance of a behaviour is determined by the individual’s intention to engage in it (influenced by the value the individual places on the behaviour, the ease with which it can be performed and the views of significant others) and the perception that the behaviour is within their control.

Let’s take the example of locking your workstation screen policy when leaving your desk. We all know that we should do this, but some don’t. The question is, why?

According to the theory of planned behaviour, it could be several reasons:

  • Behavioural attitude – some may feel that they don't like locking their computer, or that it isn't essential.
  • Subjective norms – perhaps management or others don't follow such policies, so they feel they need not adhere to the rules either.
  • Perceived behavioural control – locking a workstation is a “pain” if re-entering the password is perceived as cumbersome.

Yet there is a simpler model to explain why people do what they do. There is a single driving force behind all human behaviour, one that touches every facet of our lives, from relationships and finances to our bodies and brains: pain and pleasure.

Everything you and I do, we do either out of a need to avoid pain or our desire to gain pleasure. This is, for certain, how humans are wired.

 “When a behaviour is easier to do, it is more likely people will do it.”
– Nir Eyal, author of Hooked

 After all, what is procrastination? It’s when you know you should do something, but you still don’t do it. Why not? The answer is simple: At some level, you believe that taking action at this moment would be more painful than just putting it off. Yet, there comes a time that putting something off for so long that suddenly you feel pressure just to do it. What happened? You changed your reference to what you linked to pain and pleasure. Suddenly not taking action became more painful than putting it off.

Let’s take password management. People know that password security is essential and is a good thing. Yet, why do users have poor password hygiene?


  • They have to create complex and lengthy passwords for every application connection. It’s cumbersome and time consuming.
  • It’s difficult to remember a single complex password, let alone several of them.
  • Having to change passwords regularly is annoying.

How do users move away from pain?

  • They use simple, easily guessable passwords that are easy to remember, such as 123456, monkey, password, iloveyou, qwerty, abc123
  • They reuse the same passwords for multiple applications

Poor password hygiene persists primarily because we have made it a painful and challenging process. Until that changes, the problem will stay.

 “The human brain is immensely complex and powerful. Yet, though it’s capable of incredible feats, we don’t like to use it more than we have to. Given the choice, we opt for the least mental effort. So, when we can, we tend to go for not what’s most rewarding, but what’s easiest.”
– (Rethinking The Human Factor –  Bruce Hallas)

Let’s take another example… “corporate policies.”

According to research completed by CEB, more than 90% of employees violate policies designed to prevent data breaches.

The question is, why?

Organisations believe that corporate policies will help ensure that employees behave in a certain controllable way.

Policies answer questions about what is the expected behaviour from employees and how non-compliance is dealt with.

Unfortunately, the majority of organisations are unable to enforce corporate policies, and here are the reasons why (pain):

  • Corporate policies are often convoluted, complicated and not translated into a meaningful and useable language.
  • Corporate policies are rarely followed by management and executives.
  • Corporate policies are old, not relevant and haven’t been updated.
  • Corporate policies don’t include strategic relevance and context.
  • Corporate policies aren’t linked to the organisation values.
  • Corporate policies are not effectively and strategically communicated.
  • Those who break corporate policies are rarely reprimanded.

If you assume that “force” is the only way to bring about the right policy and control behavioural change, you are mistaken.

Human behaviour is such that if you try to change another person's behaviour, they naturally resist (pain). That is because they value their perceived freedom of choice and feel pressured and trapped when things are imposed on them.

Traditional guidance on defending against insider threats focuses primarily on negative incentives (pain) that constrain employee behaviour or detect and punish misbehaviour. Relied on excessively, these can have unintended negative consequences that exacerbate the threat: they fail to prevent damage and alienate staff even further.

On the other hand, positive incentives (pleasure) can complement traditional practices by encouraging employees to act in the organisation’s interest by fostering a sense of commitment to the organisation, the work and co-workers.

Instead of solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to the organisation only in positive ways.

Let me ask you a question… why don’t cyber awareness programs work?

Simple answer: There is a disconnect between awareness and behaviour.

For all the reasons discussed above, it is no longer enough to assume our problems will be solved by technical means alone. In the past, investing in sophisticated security systems was enough to maintain an adequate level of security.

 “With only a hammer as part of the toolbox, we tend to treat every problem as a nail.”
– Bruce Hallas

 No technology can pinpoint with definite certainty that a person is a threat to an organisation. Think about it, no person walks into the office with a red jacket and a sign stuck to their forehead claiming that they are a threat to the organisation.

Organisations are a collection of people who share a common purpose. People within organisations unite to focus their various capabilities and skills toward achieving personal and business goals.

If people are both the problem and the solution, then it seems somewhat perverse that we should try and solve the problem using only technology.

In research conducted by the Ponemon Institute, CISOs were asked what sat at the top of their threat list.

Not technology! Not hackers! Not malware!

But people!

For many CISOs, the “human element” is their overriding concern and yet, as an industry, they still tend to treat weakness in information security as a technology problem.