"There’s no silver bullet solution with cybersecurity. A layered defense is the only viable defense." - James Scott, Institute for Critical Infrastructure Technology
Much of the time, when you hear about cybersecurity your mind jumps to password protection and those seemingly endless phishing trainings that your HR department keeps sending out. However, it also includes a wider ecosystem of legal regulations, common business practices and knowledgeable end-users, which all work together to keep your personal and professional information safe. Fast action must be taken whenever a breach or corruption is discovered, so that you can locate and expel the threat before files are corrupted or stolen.
Just this year Shields Health Group in Massachusetts experienced a breach of information on 2 million patients. An unauthorized user accessed their systems and was able to extract files off the network. While the penalty of this incident is yet to be determined, another breach from ten years ago with Mass Eye and Ear Infirmary cost that company $1.5 million in HIPAA violations. That breach involved the theft of an unencrypted company laptop that contained the information of only 3,612 patients…
Insurance company Mid State Group recently released the following statistics regarding data breaches:
- Companies with over 50k records: average cost of breach is $6.3MM.
- The average cost of the lost or stolen data record involving PII is $176 per record.
- Attacks involving compromised passwords cost small to mid-sized businesses an average of $384,598 for each attack.
- The average cost of a data breach is $3.86MM.
- The average cost of a ransomware incident is $133,000.
- It takes an average of 69 days to contain a breach.
- 60% of SMBs that are breached go out of business within 6 months.
Data breaches are only becoming more common, and healthcare organizations need a cybersecurity posture that can defend against the evolving threat landscape.
How do these attacks occur?
- Unsecured data
- DDoS or DoS attacks
- Malware and ransomware
- Unencrypted third-party services
- Weak passwords
- Website spoofing
- Data wiping and/or theft
With opportunities for victimization abounding, investment in cybersecurity is on the rise, yet, according to Mid State Group, only 15% of small to mid-sized businesses have good cyber hygiene.
Your strategy for defense cannot be singular. You must protect your organization on multiple fronts. Think of it as pillars supporting your company's information security, those pillars being security awareness training, policy, and risk assessments.
FOR YOUR CONSIDERATION: RISK MANAGEMENT AND INTERNAL TRAINING
How often do you undergo mandatory (or even optional) security awareness training courses? Have you had any education in how to stay safe online?
Aside from the old seminar from your school days about stranger danger and parents' lectures about staying anonymous online, many competent professionals simply never got the chance to learn more about how they may be targeted through their online activity.
Cybersecurity threats can take many forms and target any individual within an organization. Although a highly privileged account would be ideal for the attacker, it is often easier to compromise the credentials of more accessible employees, who probably have less exposure to cybersecurity threats and less training. If criminals can steal or guess someone's credentials, regardless of whose, they can more easily breach the system's security and steal files off the network.
Risk management is crucial in building a solid cyber defense structure. It is very unlikely that you will go through your professional career without experiencing a digital threat. Therefore, it is critical to have a sensible plan for responding to and recovering from cyberattacks.
Internal Policies, Processes and Procedures
Given the rise of ransomware attacks, having strong internal processes and procedures is now more critical than ever. Most cyber insurance carriers even ask for a supplemental application before they provide a quote for cyber insurance.
These applications ask specific questions about internal controls such as multi-factor authentication, off-site data backups, firewalls in place, encryption, etc. These internal controls limit a company's exposure to attacks, thus making the cyber carrier more comfortable taking on the risk.
Risk Assessments
If you're wondering whether your company could be susceptible to an attack, executing a cyber risk assessment of your systems will help give you the answer. A cyber risk assessment can help you identify and prioritize risks to your operation and risks resulting from the use of your information systems.
Furthermore, a cyber risk assessment will help your organization's leaders make critical, informed decisions about the security in place and the need (if any) to add further measures. The evaluation can help you determine the impact that a ransomware attack would have on your organization and which current systems are most vulnerable to such an attack.