Your gym was probably full this morning. Maybe the line at the coffee shop was shorter. This is an interesting time of year. After weeks of busyness, stress, and jam-packed calendars, people are ready to sink back into a “normal” routine and many of us are determined to accomplish more, do better, and tackle new goals for the New Year.
It is not too late to make some resolutions about your company’s IT security. If you were paying attention in 2014, you are probably well aware that it’s more than a good idea, focusing on IT security is going to be critical to your business in 2015 like never before.
Brace Ourselves for More of the Same
A recent Websense report lists some jaw dropping security predictions for security in 2015.
- They anticipate credit card data hacks to increase.
- Email threats will become increasingly sophisticated and evasive.
- Rogue nation-states, or elements within certain nations, are actively engaging in cyber war strategy and developing new tactics.
- Facing these threats and more, the report warns that healthcare data is uniquely valuable to malicious cyber criminals.
Echoing this warning for the healthcare industry, an Experian study also points to the high vulnerability of health related information.
- The push to adopt EHR technologies has increased the number of potentially vulnerable access points.
- It is often difficult to follow security procedures in a life and death situation; this creates vulnerability.
- Health records are especially valuable because of the variety of information they contain: PII, health information, financial information, social security numbers, etc.
If your organization is headed into 2015 seeing these warnings and knowing that you are sitting on tempting health information, now is the time to prepare to protect your hospital or company and your staff and patients as well. There are several simple steps you can take now and plans you can put into motion to improve IT Security and be prepared for the year ahead.
Plan for Better Security in 2015
OK, in fairness, every organization is different and some of these suggestions may not be “simple” or “easy.” But many are not complicated or expensive at all. Everything on this list is ultimately simpler and easier than facing the consequences of a breach.
1. Take our Cyber Hygiene Quiz
Many industry experts believe that 80% of security breaches could be prevented by basic “cyber hygiene.” The Internet Security Alliance has created a list of recommended best practices. Based on this list, we have developed a quiz to evaluate your company’s cyber hygiene and to guide you to critical places you could make improvements. As we begin a new year, the Cyber Hygiene Quiz is a great place to start.
2. Risk Assessment
If you cannot pinpoint potential areas of risk within your organization you cannot hope to avoid them. If you are a HIPAA regulated Covered Entity or Business Associate company, you are also required to perform a regular risk assessment. If you did not have one done in 2014, make this a top priority to be done early in 2015
3. Prioritize Risks to Address in 2015
When you have taken time to identify risks your company might expect to face in the New Year, do not be paralyzed by this list. Many companies neglect or postpone the necessary assessments because they are overwhelmed by what they think they will find. Few companies can afford the time, manpower, or expense to immediately address all the risks that may be identified in an assessment. It would not even be wise to tackle too many changes or updates at one time if you could. Create a plan for addressing the risks you have identified. Every company’s threats, priorities, and exposure will be different. You may choose to start with the easiest (cheapest) or the most critical issues and fix those first, moving to the more involved, complicated, and less critical areas down the road.
4. Incident Response Plan
It is not just high profile corporations like Sony and Home Depot that need to worry about being hacked or falling victim to a cyberattack in 2015. Businesses large and small could, and likely will, become targets for increasingly sophisticated and resourceful cyber criminals. Industry studies are warning those in the healthcare industry to be especially prepared as the high value personal, medical, and financial data that makes up PHI is already proving to be very tempting. Without a carefully crafted, comprehensive plan in place, your company cannot be expected to respond effectively and the resulting damage could be much greater than necessary.
5. Test, Practice, and Update the Incident Response Plan
Test and Practice
Having a plan documented is the first step. But, the plan alone will not be enough to ensure your organization is prepared. The plan must be tested and practiced. It must be understood by everyone in the organization who has a role to play (this includes virtually every employee). A beautiful plan that no one knows about or that has not been tested is likely to fail you in a crisis.
Update as Needed
As systems, staff, and possible scenarios within your organization change and evolve throughout the year, your plan must evolve and keep pace. Employees must remain prepared at any time to implement your plan at the first sign of trouble.
6. Routine Quarterly Scans
Along with managing risk associated with or potentially created by any significant changes that occur within your network, you should have a process in place to conduct routine tests and scans on a routine basis.
Some companies are required to conduct (and pass) quarterly vulnerability scans to maintain compliance with PCI DSS. Whether this applies to your business or not, technology, software, and systems change quickly. Hackers’ and cybercriminals’ tactics evolve quickly as well. Without a system in place to monitor and catch vulnerabilities and to proactively scan for issues, a dangerous security breach could go undetected for weeks or even months.
7. Patch Management
Along with routine vulnerability scans, a documented patch management process is part of good basic cyber security. Making patch updates a regular part of network and system maintenance will ensure that you remain up to date and does not allow for distractions or other priorities to get in the way. With routine patches scheduled and conducted consistently, you have the flexibility to address emergency patches or necessary updates quickly and much more easily than if your IT team must play catch up.
8. Update Antivirus Software and Settings for Employees
Another piece of regular maintenance that should be documented and planned for the coming year is the updates that will be needed to employees’ systems. Do not assume employees will keep antivirus updated on their own or that critical settings will not be changed or altered over time. Create a process for checking employees’ devices and making updates as necessary.
9. Monthly Security Reminders
Remind employees that keeping your company data secure could also include keeping their own personal data secure. The hackers behind recent troubles at Sony reportedly have released social security numbers, background checks, and other personal information on Sony employees. Security matters to you, your customers, and every employee. Imagine being a Sony employee and seeing this pop up on your screen.
10. Spot Check Employees’ Passwords
Part of your ongoing security awareness training should encourage employees to use strong passwords, update them often, and not write them down or share them. But do not rely solely on this training to ensure that your password policy if followed or that employees are diligent in doing so.
In addition to regular training and reminders (like our free monthly security tips), let employees know that you will attempt to hack into their system and guess their password. If you do, they will be required to change it.
11. Teach Employees to Avoid Phishing Scams
Reports show that the number of phishing attacks have increased steadily and sharply over the last two years. Tactics used by these hackers have evolved as well. They have become much more sophisticated since the early Nigerian bank scams and often try to piece together a few bits of information to sound legitimate, delving into social engineering to make their misleading, dangerous emails seem more believable to your trusting, helpful, team-player employee. For the safety of your company’s data as well as your employees, help them understand what to watch for and how to avoid giving out too much information or clicking dangerous links that could expose too much.
12. Assess Physical Security for Weak Areas
Integrate your physical security policies with IT and data security policies. The threats and risks go hand in hand. A hacker may use sophisticated tools and technical expertise to make their way into your system to steal data. They may use clever phishing emails to gain information from employees that will help them find a way in. Or they may simply take advantage of weak onsite security to “tailgate” or sneak in to gain physical access to equipment or devices that are not secured. They may be run-of-the-mill criminals just looking for the hardware, but if they walk out with a laptop containing client or patient data, they have created a data breach that could be very costly for your organization.
13. Inventory Mobile Devices/Systems
A BYOD or “bring your own device” policy is necessary for managing how your employees are able to access data. No company today can avoid the issues that arise when employees use their own personal smartphones, laptops, or tablets to remotely access their work email or systems. Even company-issued mobile devices must be managed and monitored. Every device that can access your system from off-site creates an opportunity for a vulnerability or unauthorized access to occur. If an employee loses their device or any time an employee leaves the company, you must have a process and tools in place to ensure that access to your data is blocked for any device that remains in their possession.
Mobile devices, anything that could possibly leave your site containing (or with the ability to access) company, client or patient data, simply must be encrypted. The risks are too great to allow critical data to be stored on an unencrypted device. This is true regardless of your industry but if you are in a regulated industry such as healthcare, the risks are compounded by the potential for exacerbated penalties should a breach occur due to a failure to use encryption effectively. Such incidents, and the heavy remediation and punitive costs that may result, are completely and simply avoidable with a strictly enforced encryption policy.
15. Two-Factor Authentication
When employees have the ability (or need) to access company data remotely, using a two-factor authentication tool creates another small step in their login process. This minor inconvenience creates another layer of vital protection for your data. This added security is easy to create with an inexpensive tool like Duo.
Prevention is always cheaper than remediation. Given the aggressive cyber-attacks we have seen in 2014, the evolving techniques of cyber criminals, and the increasing threats businesses will face in 2015, companies can no longer pretend “it can’t happen to us.” Many companies can also becoming paralyzed by the overwhelming challenges of improving security related to technology, policies, and even your company’s culture. But there are simple, basic security steps your team can take in 2015 to greatly reduce these risks. When you need help overcoming your company’s unique challenges or correcting specific risks, contact our security experts to learn more.