Being a paramedic during the formative years of my working life, I’ve been surprised at how many of the lessons that I learned on the job have translated to the business world.
EMS can be a dangerous profession; more EMS workers are killed per year than firefighters.[1] One study showed that 2/3 reported some form of abuse on the job in the previous year.[2] In my time in the field, I was hurt several times, got stitches once, was in a number of physical altercations with people that were abusing alcohol or drugs, and pulled weapons off of several patients. I had friends that were hurt in ambulance wrecks and associates killed in helicopter crashes.
Ingrained from the first day of EMT school is scene safety. In practical exams, proctors will fail you if you fail to address it in your initial approach to the scenario. On the streets it’s considered poor form to strain the system by taking your rig out of service, especially if you’re adding to the patient count on a scene. While we couldn’t anticipate every threat, situational awareness combined with active threat mitigation meant that most of the time we were ready for what was waiting for us.
In business, safety should also be front-of-mind. In addition to concerns about physical safety, IT security is a consistent failure point. Lessons from others’ failures seem to be lost rather than treated as learning points. Even at an average cost of over $7m per data breach in 2017, we see continued failures to invest in the necessary mechanisms to create a secure data environment.[3] Whether it’s outdated, unpatched, or inadequate infrastructure, policy design or enforcement failures, or the continuing challenge of employee irresponsibility, inadequate data security will continue to be an existential risk for many businesses. In fact, 60% of small- and medium-sized businesses (the primary target of attacks) that suffer a cybersecurity attack will fail after 6 months.[4]
We, the employees, are the weakest brick in the cybersecurity wall – from the front-line workers through the C-suite, we all contribute to an insecure environment. 95% of incidents are a result of mistakes made by people with system access.[5] Poor training is clearly part of the issue. People are still clicking links they don’t recognize, opening PDFs and other files from people they don’t know, and providing data over the phone. Something as simple as password management is still a major problem – 80% of breaches resulted from password issues.[6] However, there’s evidence that the problem is more a result of policies that drive password-defeating behavior like post-its on monitors rather than actual password strength issues.[7] The major breaches have resulted from phishing attacks, not password breaches.[8]
If business leadership wants to prevent their business from being the next victim in the hurricane of data and security breaches, dedication to and investment in security must be a committed focus from the C-suite. When security is left to a position of unfunded lip service, a costly and potentially business-ending breach may be more an eventuality than a risk.
[1] https://www.jems.com/articles/print/volume-36/issue-11/health-and-safety/studies-show-dangers-working-ems.html?c=1
[2] https://io9.gizmodo.com/5872364/the-hidden-dangers-of-being-a-paramedic
[3] https://www.businessinsider.com/sc/data-breaches-cost-us-businesses-7-million-2017-4
[4] https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html
[5] https://hbr.org/2015/07/why-cybersecurity-is-so-difficult-to-get-right
[6] https://www2.trustwave.com/GlobalSecurityReport.html
[7] https://arstechnica.com/information-technology/2011/10/when-passwords-attack-the-problem-with-aggressive-password-policies/
[8] ibid