Information Security Risks And The Human Factor

[Image: An iPad containing secure information lies unattended on a wet field]

Here at Presagia Sports, we pride ourselves on understanding the importance of information security and protecting athlete health data. In fact, our Athlete Electronic Health Record (EHR) utilizes best-practices to protect your data, allowing you to focus on maximizing your athletes' health and performance!

Of course, no matter how secure any platform may be, there are some risks to information security that can come from the human factor. Our chairman and CEO, David Glickman, recently wrote an article in NATA News detailing this very subject, and we're very excited to share it with you! Read on to learn how you can keep your organization and patients safe!

As we pursue data security for our organizations and in our personal lives, change always equates to risk. The rapidly changing technology landscape in the world of athlete health management and the growing number of devices and systems we use on a daily basis have expanded the risk for all of us. We have always had to be vigilant, but this level of change and the increasing sophistication of cyber criminals over the past few years requires us to rethink the way we approach security.

As organizations get better at protecting servers and other devices, criminals are increasingly targeting applications and people. So, in addition to the efforts of your information technology (IT) team, you are your company’s other defense against cyber criminals. Your profession requires you to process information more quickly than ever, yet your organization also needs you to think twice before responding to emails, which are the primary avenue that cyber criminals use to attack your organization through you.

Malicious software, usually referred to as “malware,” is designed to disrupt or deny access, gain unauthorized access, or steal information. In the old days, malware mostly consisted of pop-ups trying to sell you something. These were annoying and slowed down your computer, but they rarely caused major damage. Today’s threats are much more sophisticated and damaging.

The latest threat is a new type of malware called “ransomware,” which typically starts with an email that mimics a trusted source, such as your employer, bank or the government. When you click on a link or open an attachment, it runs a program that encrypts your files. You are then asked to transfer funds in order to get the encryption key to unlock your files. Once malware like this is on your computer, it can spread via your internal network to others in your organization. Sometimes malware even hijacks your email program and, posing as you, sends out a similar email to all your contacts.

Phishing may be the most commonly used approach of cyber criminals. Once again, this typically starts with an email that mimics a legitimate source asking you to click on a link in the email to log in online and take some action to avoid a penalty or a problem. If you click on the link and then enter your username and password to try to log into the fake website, you have given criminals your credentials to log into your legitimate site. Successful phishing attempts can lead to the most serious consequences for you and your organization because you are giving them your access to important functions. Some phishing attempts may even ask you to enter your credit card information.

In 2016, the World Anti-Doping Agency (WADA) confirmed that a Russian group had accessed medical data within its Anti-Doping Administration and Management System (ADAMS) following a successful phishing attempt. Although the ADAMS system itself was extremely secure, the only way to avoid someone accessing the system with a legitimate username and password is if you implement what is referred to as “second-factor authentication,” in which the user must not only provide a password, but also something else that would change on a continuous basis, such as an identification code they receive via their mobile phone. Unfortunately, WADA didn’t require second-factor authentication.

Cost of Data Breaches

New regulations require organizations to report data breaches to those who might have been affected, which is one of the reasons we hear more about them in the news. A leading industry report documented 1,579 publicly disclosed breaches in the United States in 2017, an increase of 44.7 percent over 2016. Of interest within our industry are notable organizations such as the NFL, Oakwood Athletic Club, Athletic Club of America and several prominent sports medicine clinics.

Although many of these organizations didn’t report the number of records affected or the cost, we know the costs can be enormous. According to a June 2017 study by IBM Security, of 63 U.S. organizations that experienced a data breach, the average cost was $7.35 million, with an average cost per stolen record of $225. One of the biggest components of this cost is the loss of business as a result of reduced customer trust.

One of the largest known data breaches occurred in the summer of 2017 at Equifax, which exposed sensitive personal data – including Social Security numbers, birth dates, addresses and driver’s license and credit card numbers – of 145 million American consumers. That is more than 50 percent of all adults in the U.S. The size and public nature of this breach highlights again the importance of protecting your organization against malicious attacks. If one of the world’s largest credit reporting agencies can be hacked, what about your organization?

How Do I Protect Myself and My Organization?

[Image: An employee takes great care to protect their organization from information security risks on their laptop]

Security breaches often result from errors on the part of an organization’s employees and partners. According to a study released by Intel in 2015, 43 percent of data breaches were caused by such insiders, of which half were intentional and half accidental. 

Cyber security firm Clearswift claims that while employees alone were responsible for 42 percent of cyber incidents, the “extended enterprise,” which includes customers, suppliers and ex-employees, is responsible for 74 percent of such incidents, of which two-thirds are accidental. 

Interestingly, most organizations don’t perceive internal threats as being one of their biggest risks. They often point to the increasing use of the cloud, even though there is no indication that the current generation of cloud applications are more prone to compromise than on-premise applications.

Taking a few simple precautions can help protect you and your organization from these kinds of exploits:

  • Don’t open an attachment unless you were expecting it or know what it is. Remember that it is easy for criminals to pose as someone you know.
  • Before clicking on a link in an email, hover over it to see where it is taking you. The URL link you see in blue in the email text is not necessarily the actual URL destination. Sometimes, criminals even register a URL that is almost the same as the legitimate site, and if you don’t pay attention, you might not realize it. For example, if you are being directed to (did you notice the missing “e”?) or (only the last part of a URL is important), you would know that someone is trying to trick you.
  • If you have already clicked through to the site, check that the beginning of the URL is in a green font in your browser; that means you are on a secure and authenticated site. It is very easy for a criminal to make a page look exactly like the real site, but they usually won’t be able to get an extended validation website security certificate, which is required for the URL to be presented in green. If you’re still not sure whether you’re being contacted by a legitimate source, call them to check.
  • Always be vigilant when you are asked to enter your username and password in response to a link in an email. If you’re not sure it is from a legitimate source, try entering an incorrect password first. If it is a phishing expedition, they’ll usually accept your incorrect password because they don’t know that it’s incorrect.
  • Don’t use the same password on all your devices, as this means that any single site that is compromised might give criminals access to all of your accounts. If you find it too complicated to remember all your passwords, use a password manager such as True Key or Identity Safe.
  • When possible, enable multifactor authentication on sensitive sites such as your corporate network. The use of a second authentication method such as random challenge questions or entering a code sent to your phone makes it almost impossible for attackers to log in with stolen passwords.
  • Always apply antivirus and software patches as soon as they are available, as they are your first line of defense.
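The hover check in the list above (compare where a link really goes with what its text shows, and look out for near-miss domains or a trusted name buried inside a different one) can be automated for a mail gateway or for awareness tooling. The following Python is an added example, not code from the article or from Presagia. The trusted domain, the e-mail fragment and every hostname in it are constructed for this example, and the "last two labels" rule used for the registrable domain is a deliberate simplification; a production checker would consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url_or_text: str) -> str:
    """Lowercase host of a URL; also accepts a bare domain such as 'bank.example'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Simplification (assumption): the last two labels. Use the Public Suffix List for real."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a dropped or swapped letter in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, text: str, trusted_domains) -> str:
    """Apply the hover check: does the real destination belong to a trusted domain?"""
    href_host = host_of(href)
    reg = registrable_domain(href_host)
    if reg in trusted_domains:
        return "ok"
    # Visible text names one host while the href points somewhere else.
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and registrable_domain(text_host) != reg:
        return "mismatch: text shows %s but link goes to %s" % (text_host, href_host)
    for trusted in trusted_domains:
        if trusted in href_host:   # trusted name present, but only the last part of the host counts
            return "lookalike: %s embeds %s but registers as %s" % (href_host, trusted, reg)
        if edit_distance(reg, trusted) <= 2:
            return "lookalike: %s is within 2 edits of %s" % (reg, trusted)
    return "untrusted: %s" % href_host


def audit_email(html: str, trusted_domains) -> list:
    """Return (href, verdict) for every link in the message."""
    return [(href, assess_link(href, text, trusted_domains)) for href, text in extract_links(html)]


# Constructed trusted domain and sample message (assumption: none of these hosts are real).
TRUSTED_DOMAINS = {"athlete-ehr.example"}
EMAIL_HTML = """
<p>Your account will be suspended. <a href="https://portal.athlete-ehr.example/login">Log in now</a>
or <a href="https://athlet-ehr.example/login">Log in here</a> to avoid a penalty.
<a href="https://athlete-ehr.example.account-check.example/login">Verify your account</a>
or visit <a href="https://evil-host.example/x">athlete-ehr.example</a>.</p>
"""

if __name__ == "__main__":
    for href, verdict in audit_email(EMAIL_HTML, TRUSTED_DOMAINS):
        print("%-60s %s" % (href, verdict))
```

Of the four constructed links only the first is accepted; the others reproduce the three tricks the checklist warns about: a domain with one letter missing, a trusted name placed in front of a different registrable domain, and link text that shows the right address while the href goes elsewhere.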

What’s Next

The Information Security Forum predicts that regulatory changes will continue to impose new restrictions on the way data is collected, stored, transferred and disposed of in light of growing demand for greater data protection. This will likely increase the penalties and visibility of data breaches and other security and privacy infractions going forward. 

According to Gartner, worldwide spending on information security products and services will grow to $93 billion in 2018. None of this IT spending, however, will solve the human factor – that’s up to you!

Originally published in the November 2018 NATA News, the membership magazine of the National Athletic Trainers’ Association. Reprinted with permission from the National Athletic Trainers’ Association.