Get Employees Invested In Cybersecurity

As summer starts to come to a close and those beach towels get stored in attics for another year, there’s still a genuine danger. Hint: it isn’t sharks.

In fact, the summer months are the most dangerous for enterprises when it comes to cybersecurity. As crimes such as burglary increase in the summer, so too do cyber crimes, as malicious individuals take advantage of employees attempting to access unsecured wifi networks. On top of that, IT departments may be less able to respond to attacks promptly.

Because of this, it is more important than ever for employees to be safe, even when out of the office on vacation. I wrote recently on the value of a cybersecurity education program for enterprises but would like to go more into depth about the steps a company can take to get employees as engaged as possible with using company systems safely.

Don’t Make Training A One-Time Event.

Even if training is very well structured, a single course over an hour or two is unlikely to make a lasting impression. Some experts believe that even repeating this training on an annual basis is unlikely to have the desired effect.

It’s understandable that enterprises wouldn’t want to get locked into regular cybersecurity training, though erring on the side of caution is valuable for any organization. One happy medium is cybersecurity drills, in which simulated phishing emails are sent to employees. The company can then track how many people clicked on the email and break down progress by department. Other types of threats can also be simulated, so that progress can be monitored between training sessions.
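As an added illustration (not part of the original post), the following Python scores the drill results described above: click rates per department for one round, the change between two rounds, and the employees who clicked in every round. The drill data is constructed for the example and the column layout is an assumption.

```python
from collections import defaultdict

# Constructed sample results from two simulated-phishing rounds (hypothetical
# data, not a real campaign): (round, employee_id, department, clicked).
DRILL_RESULTS = [
    (1, "e001", "finance", True),
    (1, "e002", "finance", False),
    (1, "e003", "finance", True),
    (1, "e004", "engineering", False),
    (1, "e005", "engineering", True),
    (1, "e006", "sales", True),
    (1, "e007", "sales", True),
    (2, "e001", "finance", False),
    (2, "e002", "finance", False),
    (2, "e003", "finance", True),
    (2, "e004", "engineering", False),
    (2, "e005", "engineering", False),
    (2, "e006", "sales", True),
    (2, "e007", "sales", False),
]


def click_rates_by_department(results, round_no):
    """Return {department: fraction of recipients who clicked} for one round."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for rnd, _emp, dept, did_click in results:
        if rnd != round_no:
            continue
        sent[dept] += 1
        if did_click:
            clicked[dept] += 1
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def progress_between_rounds(results, before, after):
    """Change in click rate per department; negative means fewer clicks (improvement)."""
    earlier = click_rates_by_department(results, before)
    later = click_rates_by_department(results, after)
    return {d: round(later[d] - earlier[d], 3) for d in earlier if d in later}


def repeat_clickers(results):
    """Employees who clicked in every round they received, i.e. candidates for follow-up."""
    received = defaultdict(set)
    clicked = defaultdict(set)
    for rnd, emp, _dept, did_click in results:
        received[emp].add(rnd)
        if did_click:
            clicked[emp].add(rnd)
    return {emp for emp in received if clicked[emp] == received[emp]}
```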

Give Employees The Responsibility.

Though every employee should be involved in good cyber practices, it helps if they have somebody to refer to on a moment-to-moment basis when in doubt. Specialized training for employees interested in learning cybersecurity can help an organization create liaisons if dedicated IT staff are not available. This saves companies the trouble of reevaluating IT staffing while expanding the knowledge base among employees.

Make Reporting Easy

Training is entirely pointless if employees do not feel comfortable reporting potential issues. Regardless of who investigates potential threats, it should be simple and easy for employees to flag them if a problem arises. An easily accessed reporting form can go a long way toward bridging the gap between employees and the people who investigate what they report.

For that matter, it is also valuable to educate IT staff about how to talk to employees about cybersecurity issues. They may not have a good sense of the knowledge level of an average employee, or they may express frustration when a colleague makes a mistake. An empathetic approach works best, in which they work to fix problems rather than scold employees for errors. This makes individuals much more willing to come forward with the issues they encounter.

Managed Services For Cybersecurity

What’s the best defense against cyber attacks? As the summer continues, the abundance of employees traveling for work can cause vulnerabilities that can be exploited by criminals. Even a single misclick can cause a far-reaching disaster that can cost a company thousands of dollars.

What many enterprises don’t know about cyberattacks is that the effects are frequently not seen right away. When responding to a breach or incursion, it is important to catch it during what’s called “dwell time”. Dwell time is the period after a cybercriminal has gained limited access to a system, during which they look for additional vulnerabilities and the best soft target for a coordinated attack.

If a cybercriminal is successful at gaining elevated privileges on a system, they may wait days, weeks, or even months before launching a large-scale attack. During this time, they may take the opportunity to drizzle in a payload, which could be a system exploit, a virus, or some other piece of malicious software.

When it comes to responding during this dwell time, it’s important to act as soon as possible. Even wasting minutes can be disastrous. For that matter, many people who work in IT may have some basic cybersecurity tools, but not the expertise necessary to react in a proper manner. This is why the best course of action to handle cyber threats is to hire a qualified managed services company.

Using an external managed services company is much more scalable and cost-efficient than hiring a full time cybersecurity expert. These firms can provide services that match an enterprise’s needs and monitor their infrastructure for potential problems.

That said, enterprises need firms that are able to do one task very well. While a Swiss army knife can be useful in a pinch, it pales compared to an actual knife when it comes to tasks like cooking. Ergo, specialization is important. Enterprises shouldn’t just be looking for a company that hardens security, as this is frequently ineffective. Instead, they should find a firm that knows the security space of their industry and can identify anomalies at a glance. They should also be poised to scale in the event of organizational changes.

When hiring an external firm, a company should be aware of the services that it is gaining. While all companies strive to present an impeccable image to potential clients, thoroughly vetting possible cybersecurity firms is important. Know the services you will need and ensure the firm has professionals able to both implement and update them over time. It should also come equipped with the most up-to-date tools that can monitor activity and deploy solutions on a moment’s notice. This is why dwell time can be problematic for unprepared organizations—if it continues long enough, getting a sense of the timeline and the origin of the incursion becomes difficult, if not impossible.

An external firm is the best way for a company to monitor and shut down incursions. In these cases, it pays to do research and find a firm that provides a managed services package specific to your industry and your organization’s needs. Breaches can happen, but with the right people and the right tools, they don’t have to be large scale disasters.

Teaching Employees Cybersecurity

As the weather gets warmer and employees start looking forward to their vacations, enterprises should be wary. While the summer is seen as a time to be outside and active, many cybercriminals are waiting to take advantage of an unwary organization and steal sensitive information.

This is in part because employees on the move are more likely to access unsecured wifi networks. Public wifi may be convenient, but it can risk the compromise of sensitive data. For organizations, it may be difficult to respond. Not only is it nigh-impossible to track wifi usage outside of the office, but having fewer staff during the summer months can reduce response time in the event of a breach.

Some companies may invest in full time staff meant to screen against a breach. However, this is often not effective, especially if the staff are not specialized in cybersecurity. Combined with the cost of labor, maintaining a defense in this way is not cost-effective.

The solution lies in stopping the problem at its source—the people that can cause a breach. Many employees may not even be aware of the problematic conduct that can lead to a cyberattack, and awareness goes a long way. Paying to train employees against a cyberattack may be a more effective use of revenue than paying full time IT staff to hedge against breaches.

Of course, teaching employees the principles of cybersecurity is something worth spending time on and executing correctly. In many cases, enterprises may have security training in place due to compliance laws. This is often done as a way of checking boxes rather than providing any meaningful education.

For instance, some types of training may be entirely online, with employees required to read a short pamphlet and complete a test verifying that they understand its contents. This approach, though simple for management, does not foster good retention and may not adequately cover the types of threats an organization might experience. It’s all too easy to grow complacent with training, even as its limitations open up new attack surfaces for cybercriminals.

Generally, the best way to train involves small groups of five to ten employees. Training should involve roleplaying several common scenarios and teach employees how to spot red flags and respond to potential problems. Threat assessment should be the priority for training, as many may not know what a potential cyberattack looks like.

Threats can take many forms, both digital and physical. Phishing schemes are the most common, with an innocuous-looking email downloading a payload that can sit on an employee’s computer for some time, compromising the machine and even spreading to others. Other red flags can appear in a workspace, such as an individual masquerading as an IT professional and planting problem files on a computer under the guise of performing work.

Whatever the nature of an attack, employees should feel empowered to not only detect these red flags, but report on them as well. It does an organization no good to criticize an employee that raises a false alarm, as this can discourage them from speaking up in the event of an actual problem.

When it comes to dealing with cyberattacks, preventing them is vastly better than containing them once they’ve started. Because of this, it’s worth examining an employee training program geared toward an enterprise’s needs. New attack surfaces mean new issues, and training that starts before cybersecurity becomes a problem can pay dividends—even if an organization doesn’t know it.

A Layman’s Guide To Achieving Compliance

As compliance regulations tighten for healthcare organizations, many executives who have allowed these practices to fall by the wayside over the years are reevaluating how they handle data and electronic systems. It may seem like a complicated topic, and that a team of highly skilled IT professionals is required to achieve compliance, but neither of these things is the case. While compliance can be difficult, often all it takes is hiring an external organization to reach that level. As for complexity, it is possible, and indeed vital, for top-level leadership in health organizations to understand how regulatory compliance will affect them.

Healthcare compliance is evaluated along three axes: legal, ethical, and professional. Standards for all three should be up to date, with policies in place to enforce them throughout an organization. They should focus on procedures that employees need to follow, metrics of success, and ways to monitor possible issues to be corrected.

As far as enforcing compliance goes, a number of agencies are actually responsible, depending on the nature of compliance. The Department of Health and Human Services and the Office for Civil Rights are primarily responsible for monitoring patient records and ensuring that they are all protected according to HIPAA standards. In a similar manner, the Centers for Medicare and Medicaid Services address electronic health records as their nature changes and write many of the rules for healthcare compliance. Finally, the Office of the National Coordinator for Health Information Technology moves organizations safely away from paper and toward digital records, encouraging information exchange in a safe and compliant manner. All of these organizations and more have published guides to the best ways to protect data and achieve compliance.

In organizations themselves, everyone is responsible for compliance. However, the burden of educating others and securing an organization’s compliance certifications falls to a compliance officer, often a Chief Compliance Officer (CCO) in a larger organization. Certifications are varied, but the four most common are for healthcare, research, privacy, and ethics. However, just gaining these is not enough—a CCO will have to maintain these standards and become re-certified at regular intervals.

In truth, these certifications are only really helpful for an organization if it has a significant number of them—the four previously listed, at the very least. Each one deals with a different facet of compliance, but the elements of education, reassessment, and discipline common to regulation as a whole are relevant in their own ways.

Another misconception about regulatory compliance is that it is interchangeable with cybersecurity. While it’s true that good cybersecurity is more necessary in healthcare than most other industries, these practices don’t always conform to compliance standards. The reverse is also true—compliance does not necessarily fix vulnerabilities. The same professional should not be responsible for both, as considerations are different and keeping abreast of both is a difficult task. However, both officers should be in frequent contact to ensure that nothing that they are doing adversely affects the other.

And, above all else, executives should not be afraid to solicit outside help! Third-party organizations are often crucial to providing an objective assessment of how an organization can achieve effective compliance. Plans should be scalable and account for future developments, as regulations will always change. However, with good communication and the help of skilled professionals, healthcare organizations can find options that keep stakeholders happy and data handled properly.

Pillars of a Strong Compliance Culture

While professionals in a variety of industries have strived to adapt to changing regulatory standards, getting an entire company on board is a far different matter. Compliance officers have taken it upon themselves to become well-informed about the subject matter and the near-constant barrage of changes that affects it.

That said, a compliance officer trying to single-handedly bring a business up to regulatory standards is akin to trying to extinguish a fire with an eyedropper. Even if one person tries to implement all of the changes necessary, they are, in fact, only one person. Not only does the entire team need to get involved, but the entire team needs to be invested as well. Education is only effective if employees are willing to put procedures into practice and audit their own behavior. Getting them to care is perhaps one of the greatest challenges a compliance professional faces.

For any compliance program, the first step to making it relevant is to start with a program that has been tested in other industries. While compliance is certainly necessary to obey the law, it also confers other benefits and allows a company to stay competitive. If a firm is able to comply particularly well, it can even strive to obtain a HITRUST certification and distinguish itself further.

Once a company has established industry best practices, it’s time to look at how personnel are trained to achieve compliance. Training is a good first step, but compliance officers must find a way to engage employees effectively. The good news is that processes that lead to good compliance can also lead to increased productivity for employees. Try to simplify workflows and eliminate tasks that lead to possible compliance issues. Employees will be more supportive of changes if they feel that they benefit from them as well.

And employees should be incentivized for practicing good compliance. Establish both good compliance practices and well-defined rewards for following them. Structure any incentive to fit into the everyday workflow of employees and make them aware of how they can contribute.

Organization is also key. Data should not just be kept safe; it should be sequestered and stratified as needed. Whether digital or traditional, part of compliance culture should cover the way data is handled, backed up, and disposed of. Still, this is something that every employee has to be a part of, from C-suite executives right down to new hires. Don’t start a training program meant to elucidate the finer points of data safety and then fail to follow it up with anything.

Each employee may need a specialized approach to compliance. While anybody can fall victim to something like a phishing scheme, differences in data access mean that a selection of training programs and follow-ups is necessary to cover common issues. Tailoring these initiatives to risk levels helps a company create an experience unique and relevant to everyone.

A skilled compliance officer can change the course of an organization through creating a culture based on compliance. Even as companies scramble to keep up with new regulatory environments, many are realizing that making these changes sooner rather than later can have a lasting impact and generate a significant competitive advantage.