For years, Sandy Dunn has been at the forefront of protecting electronic data and privacy. By night, she’s an instructor in cybersecurity at Boise State, but by day, she’s the chief information security officer for Blue Cross of Idaho, one of the state’s largest health insurance companies. Before that, she worked in several roles related to information security at Hewlett Packard. Her jobs in technology and health insurance have had something in common — to manage her employer’s cybersecurity interests while still allowing them to build machines or deliver health insurance. In other areas, those jobs were notably different.
“People understood the risk [at Hewlett Packard],” she said, “and I think the big difference is trying to take an extremely complex topic and bring it into a business where the core business may not be technology.” — Sandy Dunn, chief information security officer for Blue Cross of Idaho
The culture around cybersecurity at a given company can be as important as the particular challenges of protecting that company, its people and its products, she said. One of Blue Cross’ top priorities is guarding patient data, the manipulation, ransoming or loss of which would have enormous implications for thousands of people. The stakes might not be the same at other companies, however, and may require different cybersecurity solutions.
“How do we make sure we’re putting our time and resources into the things that mean the most to our organizations?” Dunn said.
That’s a difficult question for large and small employers alike. With more than 25,000 employees, the State of Idaho tops the scale by a wide margin, and the scope of its cybersecurity operations is gigantic. Every year, the state asks its employees to complete cybersecurity training. In a process that takes a few hours, they watch a handful of videos about identifying scams best practices for keeping information secure, followed by short comprehension quizzes.
Then comes the test. A few days or weeks after the training, state cybersecurity experts send a suspicious email to those who’d undertaken the training, and examine the open and click rates to improve the next year’s course. The goal is to turn one of the largest groups of workers in the West from a chain link fence into a brick wall against cyberattacks.
“People need to understand what the threats are in the environment so they don’t fall for scams that they shouldn’t,” said State of Idaho Chief Information Security Officer Keith Tresh, who is also an adjunct instructor in cybersecurity at Boise State. “This challenge is not unique. It’s not new. But the biggest thing is getting some people to really understand there’s a threat out there.”