Mind The Skill Gap: How To Expand Talent In Cybersecurity

The modern cybersecurity industry has been the subject of much attention in recent years as threats to businesses large and small continue to mount. Even outside of the industry, business experts have correctly concluded that more measures are necessary to counteract aging infrastructure and an increase in possible attack surfaces. The interest exists, but what doesn’t exist is enough personnel to fill the myriad jobs in cybersecurity. And this problem is only expected to get worse as time goes on, with the number of new professionals eclipsed by how much their talents are needed.

The discrepancy in cybersecurity is often blamed on the failure of universities to provide the courses necessary to train the next generation of experts. While this is a noted problem, it is only one of many. The same cybersecurity professionals who scoff at formalized education in the field are often unwilling to invest the resources into training others within their organization, instead preferring to solicit existing talent from other businesses. Though there is significant work involved when it comes to building a reliable team, the reward of cultivating new talent is preferable to poaching the old and widening the skill gap further. It’s a sacrifice, but one that must be made if the industry is to be sustainable moving forward.

The other advantage of in-house training is the integration of cybersecurity practices throughout all of a business’s processes. Too often, organizations view these tools as afterthoughts to be stapled at the end of every project. The reality here is that new systems, products, and infrastructure should be created with cybersecurity in mind. Training and apprenticeship programs provide enough personnel to adequately address anything new coming through the pipeline. This carries the added benefit of allowing new entrants in the industry to receive a hands-on experience with a variety of systems.

And if a company has no idea where to start when it comes to building an in-house cybersecurity team, a third-party organization can help. Such firms can support companies that lack the resources to train new experts and can lay the foundation of a good security culture. However, even dedicated cybersecurity organizations should be mindful of their own practices when it comes to recruiting versus fostering talent.

It’s also important to consider the kind of training that aspiring cybersecurity experts receive. The best way to approach cybersecurity is to start with the broad strokes—the compliance laws that every professional absolutely must know. In many cybersecurity courses, emphasis is placed on the products that businesses can use to combat threats. This produces experts with very specialized knowledge of one vendor’s solution rather than familiarity with brand-agnostic approaches or with the compliance standards that underpin the whole industry. Consultants should be neutral when recommending solutions and find whatever suits an organization’s needs.

The future of cybersecurity will need to be collaborative. Between academic institutions marketing their programs and businesses offering opportunities for interested professionals to learn, a lot needs to change about how new talent is cultivated. In the future, expect to see a new generation of experts that know compliance law inside and out—and that are focused on spreading their best practices to others.

Why Cybersecurity is Important For Small Businesses

Most small businesses think themselves beneath notice in the larger corporate world. After all, with few IT systems and little infrastructure, there is less to manage and fewer vulnerabilities to address. Anything related to technology is often an afterthought for small businesses, and many make the mistake of believing that cyber threats are not a potential issue.

The unfortunate reality is that cybercriminals are more than willing to prey on small- to mid-sized businesses, even with bigger targets available. Widespread adoption of technology has made just about every enterprise a potential target. Given the lack of focus on technological infrastructure and fewer resources to dedicate to systems monitoring or recovery after a breach, these organizations are especially vulnerable. And every company has data worth stealing, to sell or use as leverage. The loss of any sensitive information can cost a company in both reputation and capital.

For small businesses, a bit of investment in cybersecurity can keep records safe and ensure that larger losses don’t happen down the line. There’s no need for a dedicated IT team to take necessary precautions when it comes to adopting new technology or infrastructure. The first step is acknowledging that, while small businesses are vulnerable, they are not without options for their own protection.

Many cybersecurity breaches are the result of internal error—I can’t emphasize this enough. As a result, controlling for human mistakes such as weak passwords, clicking on risky emails, and using mobile devices on unsecured networks can go a long way. Many do not realize how many points of vulnerability exist. Small businesses should ensure that the tools in place are easy to use for employees who may not be familiar with these matters.

Mobile devices are such a massive point of vulnerability that it’s worth dedicating time to examine all of the ways that they can go wrong. Between the difficulty inherent in managing them, the risk of public Wi-Fi, and employees bringing devices from home, small businesses will have to account for every possible attack surface. Consistent policy is necessary to ensure that personal and business devices stay safe no matter where they go.

For that matter, small businesses should consider restricting access to certain systems and technology. Though they may not have an IT department or dedicated standards for who can access what, these organizations should consider which systems each employee has a consistent need for. If an employee doesn’t require a system to get their work done, they should not have access to it.

Planning for a cyberattack should also account for the worst-case scenario of a breach occurring and ease the recovery process. Making backups of everything digital is the best and easiest way that a small business can protect itself in the event of a breach and allow for the least downtime when something goes wrong. The investment to create on- and off-site backups is minimal, but the safety it provides is huge.

This is only a small sample of the tactics that small businesses can consider when investing in cybersecurity. VPNs, software audits, and proven antivirus software can also provide an additional line of defense. However, any small business should recognize that precautions do not guarantee safety, and may want to consider investing in the services of a third-party cybersecurity firm to assess risk levels and provide scalable solutions. Technology will become even more involved in business, and safe adoption is important for businesses of all sizes.

EHRs and Compliance

Managing electronic health records, or EHRs, in a digital ecosystem takes some level of caution, given the high value of the personal information. Healthcare organizations have struggled when it comes to providing patients with their EHRs in a compliant manner. Many of these issues stem from the patients’ lack of knowledge about how to properly access these records.

As per HIPAA privacy rules, organizations are required to provide EHRs to patients upon request. Patients may also have the records sent to a person or entity of their choosing after paying a reasonable fee.

The “reasonable” part of this requirement has been called into question, with a patient advocacy organization reporting some patients paying hundreds of dollars for their medical records. In two instances, patients were charged a subscription fee by the organization to access medical records.

After the release of these findings, medical organizations defended the costs associated with EHR distribution. Retrieving medical records can be a surprisingly extensive process, with information pulled from multiple EHR systems, resulting in a document that can be hundreds of pages long and filled with minutiae. Additionally, much of this often needs to be trimmed to ensure that the information is only relevant to the patient the records are being distributed to.

Add in security concerns for the transfer of data, especially when requesting it from a third party, and it’s easy to see why it has proven difficult for many healthcare organizations. In several states, fees for third-party requests are generally higher than those charged to patients. This is because fees for third-party requests made at the behest of a patient are not covered under HIPAA regulation.

Laws differ from state to state, making it important for organizations to understand how their laws determine charges for EHRs. For instance, Kentucky entitles individuals to a single free copy of their medical records.

Additional difficulty in handling EHRs is a result of inadequate patient education regarding ways to access records. Educating them on the subject is less an IT concern and more a question of how patient engagement can be leveraged to promote HIPAA compliance. New forms for both healthcare organizations and patients released by AHIMA have aimed to improve understanding of these processes.

Even just making patients aware that they have the right to access their health information is an important step toward compliance. These forms were designed to be flexible across organizations, allowing them to adapt the forms to their needs and patients.

As more and more healthcare providers update their EHR systems in the coming years, expect to see improvements in the ways that information is both delivered and made apparent to patients. Tools that improve patient access and are HIPAA-compliant are sure to be in demand as organizations work to do away with their antiquated and unwieldy paper records.

Compliance In The Cloud World: Challenges and Opportunities

The following is a podcast recorded by Scott Maurice. Listen to the audio at http://scottmaurice.com/wp-content/uploads/scottmaurice-com/sites/521/scott_podcast.mp3, or read the full transcript below.

Hi, my name is Scott Maurice. I am managing partner and cofounder of Avail Partners in Seattle. We’re a technology business and consulting practice that specializes in helping clients and business leaders achieve their strategic objectives. We leverage the technologies that are available to us in this new cloud age to do that.

What we’re going to be talking about today is compliance in the cloud world; some of the challenges and some of the opportunities that are presented with the advent of utility computing and the cloud economic model. We’re going to be talking about how compliance is different than security, and we’ll also be talking about how to think about and leverage compliance as a competitive advantage and as a strategic objective as opposed to a burdensome program that you are susceptible to.

The cloud presents new challenges with respect to compliance. However, it also presents certain very strategic opportunities. One of the most difficult things to deal with when faced with regulatory compliance is establishing that, one, I am compliant at a point in time, and that’s easily facilitated with an audit, typically, and two, which is more challenging, how do I maintain a state of compliance for an ongoing period, and how am I assured that compliance is in fact in place? In other words, how do I ensure that I’m compliant with the law without having some defined audit period and going back and proving that, at certain snapshots, whether that is annually or biannually or semiannually, I am compliant at that juncture, or have been compliant over an audit period.

In terms of risk mitigation and data protection, you really do want to ensure that you are consistently compliant. In other words, the first time you fail to be compliant with a datum, you know about it, can remediate it quickly, and prove that you’ve restored your compliance. So the cloud presents challenges in that regard because some of the traditional quick and dirty methods for ensuring compliance of data and data protection are simply to say, “Hey, I secured the entire storage subsystem because it’s all under my control, or the entire server is under my control.” Those paradigms do not translate directly into a computing utility environment or a cloud environment.

That’s the challenge. How do I ensure compliance in something that is not under my direct control? The opportunity, however, is a lot more satisfying. One, you have to realize the fact that it is rare to find enterprises, especially in the mid market, that have the expertise in-house and the wherewithal and resources to continually ensure that data is protected, that permissions are enforced, that policies are enforced. It is a full time job. It can be very daunting, and it can be very expensive. So I guess the first part of the opportunity is realizing that, even if I do have all of the assets under my direct control, I’m not necessarily in the best position to ensure ongoing or continuing compliance because I don’t have the expertise, the resources, or it may not be in my financial best interests. That may be a deal killer. Upon that realization, opportunities present themselves with cloud providers and utility computing providers, where there are individuals that are dedicated to just that function.

Along with that, because they are service providers in that regard and not enterprises where they’re running this as part of a cost center, there are economies of scale that can be garnered from leveraging that kind of service. They have streamlined and optimized their service particularly, for one set of compliance regulations or another. There are specific data protection practices and rules that they can set up and enforce. And they have the capability to hire, retain, and provide training for human capital resources to be dedicated to that work. And so, when you share that burden across multiple organizations, it does represent an economy of scale, especially in the mid market to be able to facilitate an ongoing if not complete information security and protection program. That is a rare opportunity that has only surfaced since we’ve been in this cloud environment.

That’s a little bit about the challenge and the opportunities that are available to us by leveraging some of these third parties that are dedicated specifically to security compliance.

Any organization can take steps to onboard a third party or organization that can help them ensure compliance. Some of those steps involve understanding what compliance regulations they are susceptible to. Many organizations are not immediately aware of the fact that they have a compliance issue or may have miscategorized the compliance that they fall under. Step one is understanding what rules, what compliance you’re striving for. Two, which is equally as important, is understanding the value of such compliance. Often, in regulated industries, it is highly competitive. Because it is so daunting to effectively manage a compliance program, being able to onboard one quickly and effectively can be a strategic advantage. So, to what extent are you advantaged by having an information security compliance program instituted very quickly and with complete professionalism? Understanding that is the second step.

The third step is going through a market intelligence process and a reevaluating process to determine which of the many third parties that are out there can help you accomplish your mission most directly. Often, there are several good candidates, and the differentiation between those parties with respect to any given organization is really more about the cultural fit, how to work together. Compliance is largely a human-capital-driven exercise, so you do have to work well with that third party. That has everything to do with one, your corporate objective, and two, your corporate culture. That third step in terms of really evaluating the different providers and the different options there can be daunting, but it does go back to having a singular focus on your objective, your mission, and what provides a strategic advantage in your industry and how it helps you drive your corporate objective, whether that’s revenue attainment or improving patient outcomes or public policy, etc. So those are three solid steps.

The third one can be fairly daunting because there are a lot of providers out there, but there’s also a lot of information to help you make that evaluation quickly and succinctly. And as a final step, I think that oftentimes we are just human beings. We are reluctant to relinquish control of things that we are accustomed to controlling. So for any organization that is not either born in the cloud or willing to undertake a transformation, if you have an environment that’s been around for some period of time and has been working, and you haven’t had an exposure yet, it can be daunting to let some of those things go. But that fourth step is really evaluating those things that can be done better, faster, cheaper, more completely by a third-party organization as opposed to retaining it in house.

And with my clients, what we’ve experienced is that often, the tradeoff between relinquishing that control is the immediacy of accomplishing a goal. Many compliance regulations have an audit period that looks back. That lookback period can be six months to a year, maybe longer, and often there are multiple domains for which that period is enforced. Accomplishing that lookback period and audit for multiple domains can lead to higher levels of attestation, where you can have it attested to that you are more completely secure or compliant with a set of regulations the further back you look and the more domains you can incorporate. For an organization just starting out, they may not have been prepared for an audit period that goes back six months. They may not have been ready six months ago, or a year ago. Often, third-party organizations have environments that are prebuilt, in which they host or manage a client’s workloads, especially with the utility computing advantages in the cloud environment.

And they can provide that lookback period, even though you may not have been a client at that time, by immediately moving your workloads, moving your data, moving that information, to a compliance-ready environment, which can immediately provide a lookback period for certain for all of the domains that are compulsory for your compliance regulations. There’s definitely a distinct advantage to leveraging that very quickly and saying, “I don’t have to wait another six months or a year before I can make the attestation of compliance a competitive advantage for me. Because I’ve moved my workloads and migrated into a compliance-ready environment that already has the attestation, I can begin to use it very, very quickly.” So the advantage can be realized sooner rather than later.

The future of third-party organizations and their evolution as they continue to adapt to continue to serve clients as compliance changes and as the business landscape changes are multiplicative. They necessarily have to differentiate themselves within either a vertical or industry or with respect to that specific compliance or an aspect of that compliance. Oftentimes, there are things that are very daunting that a third-party organization has the resources to tackle with great aplomb and also for the huge benefit of their clients. The evolution of these things is better accomplished by these third-party organizations because of the resources that they can bring to bear, but in no small part due to the research and development of new technology.

So, a lot of the buzzwords we hear bandied about like “artificial intelligence” or “blockchain” when it comes to encryption and security, these are things that require a lot of time, a significant amount of expertise, and they do require financial resources in order to bring them to bear. These third parties are often in a much better position to be able to do that very quickly and vet those things across a broad spectrum of clients than any given enterprise, especially in the mid market. So I think what we’ll see is early adoption by a lot of these third party organizations that are providing that compliance and providing that data protection. We’ll see that early adoption from them, and it will be more stable as they roll it out. They’ll incorporate those technologies into packaged solutions for data protection in a specific use case.

For example, in the medical field, if you’re under HIPAA regulations but would like to provide instant messaging between medical professionals and have sensitive data passed through that messaging platform, that can be a huge issue. It’s such a huge issue that most enterprises in the healthcare space don’t provide instant messaging. But that is something where a product with a specific utility where a benefit can be realized very quickly; a doctor or nurse can exchange sensitive data over a secure messaging platform and ensure that that data is not being compromised. Technologies like artificial intelligence that apply fuzzy logic to know when to take out sensitive pieces of information and when to leave them in. Things like blockchain, to be able to validate that data was not compromised when in transit. Encryption technologies, to ensure that the data, while at rest and in flight, was secured and not compromised: these are technologies that are difficult to research as an enterprise and develop together. When you apply it to a broad spectrum of clients and have that offered as a singular product, it becomes far more feasible.

So I think that’s what we’ll see. They’ll evolve to incorporate those new technologies everyone is talking about more rapidly than the enterprises will be able to do. And they’ll do it more completely, so they’ll be able to offer a utility that is functional for the end user, as opposed to a set of technologies that then have to be rolled into a larger infrastructure or application architecture.

The last thing that I would like to say, just to round things out, is that compliance and security are often conflated. That can be a huge distraction. Keeping something secure inherently means limiting access to it. Compliance is not about limiting access, it’s about ensuring the access to information is well regulated. I would be careful, for any mid market organization or any organization at all, not to conflate security and compliance. Often, we use security measures to ensure compliance, and to ensure that data is protected as it is being shared and that it’s being shared appropriately. We can validate that there is good behavior and catch bad behavior and remediate it quickly. Certainly, a lot of security tools are leveraged for that, but simply leveraging security or implementing security practices or security toolsets without a specific goal, the framework of the compliance regulations, can be a fruitless endeavor, be incredibly expensive, and ultimately, if there is no specific goal, it can lead to a lack of differentiation and competitive advantage.

I would just caution anyone who is faced with a compliance situation not to conflate compliance with security; they’re not the same thing. Pursue a compliance program as a strategic initiative, a differentiator in your industry or market, and as a competitive advantage against competitors. There’s certainly not a faster way, in my experience, to do that than to leverage the cloud environment and a team of experts that are available on demand from a third party and provide attestation sooner rather than later.


Good Cloud Practices: How to Promote Cybersecurity in Your Organization

As cloud adoption continues to move along with increasing momentum, hackers have moved in to take advantage of the many businesses and organizations that have not properly put forth measures to defend their systems against attack.

With the benefits of the cloud widely extolled by IT professionals (even on this very blog), many businesses have taken notice and started to adopt, sometimes without foresight into every aspect of the cloud, particularly dealing with security. For any businesses looking to up their cloud game, here are some of the best ways to counteract common problems.

Counteract Data Breaches

As illustrated by the recent Equifax debacle and many other leaks of consumer information, dealing with data breaches is paramount when it comes to cloud security. When an organization is breached, it can face criminal charges, lawsuits, and a permanent stain on its reputation.

Because of this, companies should exercise the utmost caution when distributing sensitive information through cloud systems. Multifactor authentication is one of the easiest and best ways to counteract a potential breach, whether through phone verification, temporary passwords, or smartcards. Since many of these breaches occur as a result of poor user passwords or mismanagement of login credentials, these systems help enforce good conduct. It may slightly inconvenience some of your employees—but the cost to them is nothing compared to the cost of even a minor breach.

Physically Protect Your Data

One aspect of system management that many do not consider is potential damage in the face of a fire or natural disaster. If all of your data is kept in a single, physical location, the result of such a disaster can be catastrophic.

The cloud does, however, make it easier to back up and distribute your data. Consider additional data sites and precautions for disaster recovery. Off-site storage options are widely available and more useful than ever for preparing for potential destruction of data.

Audit Employee Accounts

The difficult part of achieving good cybersecurity is considering every point where a system can be compromised. Multifactor authentication is one way to help make the process as fail-proof as possible, but a level of due diligence from the company is also necessary.

For instance, be sure to immediately delete credentials from former employees. Even if their employment ended on good terms, it is wise to ensure that there are no extraneous accounts that have system access.
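The account audit described here, and the least-privilege rule from the small-business post above (no access to a system an employee has no standing need for), both reduce to the same check: reconcile every account on every system against the HR roster and a role-to-system map. The script below is an added example, not code from this blog or from any product it mentions; the roster, role map, account export and audit date are constructed sample data, and a real run would replace them with exports from the HR system and the applications themselves.

```python
"""Account audit: reconcile system accounts against the HR roster and a
least-privilege map.  Added example with constructed sample data."""
from datetime import date

# Constructed HR roster: who works here today and in what role.
HR_ROSTER = {
    "alice": {"role": "finance", "status": "active"},
    "bob": {"role": "sales", "status": "active"},
    "carol": {"role": "finance", "status": "terminated"},  # left the company
}

# Constructed least-privilege map: systems each role has a standing need for.
ROLE_NEEDS = {
    "finance": {"accounting", "email"},
    "sales": {"crm", "email"},
}

# Constructed export from the applications: (user, system, last_login).
ACCOUNTS = [
    ("alice", "accounting", date(2024, 5, 1)),
    ("alice", "email", date(2024, 5, 2)),
    ("alice", "crm", date(2023, 9, 1)),            # finance user with CRM access
    ("bob", "crm", date(2024, 5, 3)),
    ("bob", "email", date(2024, 5, 3)),
    ("carol", "accounting", date(2024, 3, 20)),     # terminated employee
    ("svc_backup", "accounting", date(2024, 5, 1)),  # no roster entry at all
]

AUDIT_DATE = date(2024, 5, 10)  # constructed "today" for the sample run


def audit_accounts(accounts, roster, role_needs, today, stale_days=90):
    """Return findings keyed by category; each finding is (user, system).

    terminated: account belongs to someone HR says no longer works here
    unknown:    account has no roster entry (orphaned or service account)
    excess:     active employee holds access their role has no need for
    stale:      active employee has not used the account in stale_days
    """
    findings = {"terminated": [], "unknown": [], "excess": [], "stale": []}
    for user, system, last_login in accounts:
        person = roster.get(user)
        if person is None:
            findings["unknown"].append((user, system))
            continue
        if person["status"] != "active":
            findings["terminated"].append((user, system))
            continue
        if system not in role_needs.get(person["role"], set()):
            findings["excess"].append((user, system))
        if (today - last_login).days > stale_days:
            findings["stale"].append((user, system))
    return findings


def audit_sample():
    """Run the audit over the constructed sample data."""
    return audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_NEEDS, AUDIT_DATE)


if __name__ == "__main__":
    for category, items in audit_sample().items():
        for user, system in items:
            print(f"{category:11} {user:12} {system}")
```

Accounts flagged as terminated or unknown are the ones the post says to delete immediately (or, for a genuine service account, to document and assign an owner); excess and stale entries are the least-privilege cleanup. Running this on a schedule rather than once makes the "no extraneous accounts" promise something you can demonstrate to an auditor.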

Monitor Access

The ability of system administrators to monitor a network has thankfully improved over time. Still, frequent checks are necessary to catch any anomalies as soon as possible. Advanced analytics and machine learning play a large part in better monitoring, but there is still no substitute for a seasoned IT professional, particularly one who can flag potential signs of breaches or issues before they happen. Per-app analytics are a great way to deliver application status in a usable manner that can then be acted upon in the event of a problem.
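The "frequent checks" this section calls for are concrete rules run over the application access log. The script below is an added example, not code from this blog or from any monitoring product; its log lines are constructed, and the three rules (a burst of failed logins from one source, a success right after such a burst, and a successful login outside business hours) are the kind of per-app signals an administrator would want surfaced for review rather than buried in the raw log.

```python
"""Access monitoring: simple detection rules over an application access log.
Added example; the log lines below are constructed, not from a real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for one application, in time order.
SAMPLE_LOG = """\
2024-05-10T02:40:11 app=crm user=bob result=OK src=203.0.113.5
2024-05-10T08:01:02 app=crm user=bob result=OK src=198.51.100.7
2024-05-10T08:15:30 app=crm user=alice result=OK src=198.51.100.8
2024-05-10T09:00:01 app=crm user=alice result=FAIL src=203.0.113.9
2024-05-10T09:00:05 app=crm user=alice result=FAIL src=203.0.113.9
2024-05-10T09:00:09 app=crm user=alice result=FAIL src=203.0.113.9
2024-05-10T09:00:14 app=crm user=alice result=FAIL src=203.0.113.9
2024-05-10T09:00:20 app=crm user=alice result=FAIL src=203.0.113.9
2024-05-10T09:00:31 app=crm user=alice result=OK src=203.0.113.9
"""


def parse_line(line):
    """Turn '<iso timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text, fail_threshold=5, window=timedelta(minutes=5),
           business_hours=(7, 19)):
    """Return alerts as (rule, user, src, timestamp) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> recent failure timestamps
    bursting = set()               # (user, src) pairs that hit the threshold
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        if rec["result"] == "FAIL":
            q = failures[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= fail_threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("brute_force", rec["user"], rec["src"], rec["ts"]))
        else:
            # A success from a source that just failed repeatedly deserves a look.
            if key in bursting:
                alerts.append(("success_after_failures", rec["user"],
                               rec["src"], rec["ts"]))
                bursting.discard(key)
            hour = rec["ts"].hour
            if not (business_hours[0] <= hour < business_hours[1]):
                alerts.append(("off_hours", rec["user"], rec["src"], rec["ts"]))
    return alerts


def detect_sample():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, user, src, ts in detect_sample():
        print(f"{ts.isoformat()} {rule:22} user={user} src={src}")
```

The thresholds and business hours are parameters because the right values differ per application; tune them against a few weeks of your own log before acting on the alerts, and treat the "success after failures" rule as the one that warrants an immediate call to the user.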

It can be difficult to completely screen a cloud system, but it’s something that every business needs to consider, with the consequences having the potential to permanently damage a company’s livelihood. Fortunately, there are a few tried-and-true methods to help protect from attack or disaster, allowing new cloud infrastructures to flourish and properly work toward improving a business.