Our work environments have been turned upside down. We are all in a place of creating new work routines. Having left the cyber safety net of a central office designed to protect company cybersecurity, IT departments are juggling a dispersed workforce while maintaining cybersecurity standards that protect private data.

Before COVID-19 forced a remote workforce, anywhere from 60 – 90% of breaches were caused by human error. We are seeing cyber criminals take advantage of extra vulnerabilities created with employees working from home. Cybersecurity is no longer just an IT thing. Protecting your company and their private data has never been closer to home, literally. Mistakes that could hurt the company start on your own network, which could also affect your personal security. Your business, IT department and your family are relying on your vigilance to be cyber safe.

Cyber safety habits to put into practice

1. Separate work and personal devices
   If your company provides you a device, use it only for work purposes. Have a separate device for family and personal use. If separate devices are not a possibility, create separate profiles with different security settings. Use your work profile only for work purposes. If you have children who need to use the same computer, create separate profiles with parental controls that limit their ability to access and/or download content that could infect your computer.

2. Lockdown your device
   You may feel that your device is physically safe in your home office, but you still need to protect data safety. Set a unique password for your device and lock it every time you walk away. If you are using one device for multiple profiles, have a private, unique password for your work profile that no one in your household can access. This is good practice for after quarantine as well.

3. Be wary of add-ons and downloads
   There are many add-ons and extensions that promise to make your work run faster, smoother and better. Be cautious of downloading these onto your device. Many contain malware that give hackers access to the data on your computer. If you then link to your company network, they could gain access there as well. A good cyber safety practice is to research on trusted sites before downloading a new program or add-on.

4. Use company approved sharing sites
   With your entire team working remotely, there is a greater need to communicate digitally. It may be more comfortable to use data sharing platforms you are used to, they may not be the most secure. Only send private data through company approved sharing sites.

Know signs of a breach

Preventative measures are important to cyber safety, but breaches are still possible. It’s important to know what signs to look for in the event of a breach.

1. Increase in unwanted pop-ups
   Pop-ups are a widely seen by-product of malware. If advertisements or system pop-ups begin appearing outside of any program, you may have been infected.

2. Processing slows down
   Is it taking longer than usual for your computer to boot up or for programs to load? Viruses and malware run in the background, slowing down the programs you are attempting to run.

3. New programs appear
   Computers do not add content on their own. If a new program, app or internet add-on appears on your computer, you may have a virus that inserted content onto your computer.

How do you handle a potential breach?

1. Report it!
   Inform your IT department of what you are experiencing. Send screen shots of error messages, pop-ups and other unwanted content. Be specific about when it started happening and what is going on.

2. Don’t click
   Never click on suspicious content, even to try and close pop-up windows. Malware is the gateway for a virus. Clicking on the content can give them access to the data they are looking for.

3. Scan with anti-virus software
   Company devices should be equipped with anti-virus software. If your company does not provide a device, get with your IT department about them providing access to anti-virus software. While it should do scans in the background, if you notice any of the above issues, tell it to run a full system diagnosis.

4. Don’t access private data
   Until your issue has been resolved, do not attempt to access the company network or open any private data. If a hacker is monitoring your computer through malware, you run the risk of giving them access to that information.

While human error will never be eliminated, we can all take steps to increase our awareness and cyber safety to lower our risk.

Safety. Such an important word with so many different connotations. We ask safety questions constantly. Is my family safe? Will my house be safe? Is this a safe neighborhood? Are our schools safe? Many technologies are designed to specifically pacify our desire to feel safe.  We can track our child’s cellphone. We buy alarms for our homes and doorbells with cameras. Schools install cameras and specially locking doors to protect the children.  But one area most people neglect, is cyber safety. Why?  Because it is such an abstract issue.  I check the locks on my doors each night before I go to bed.  I can see and confirm they are locked. None of my physical senses will tell me if my PC is being hacked, until it’s too late and the ransomware notice covers the screen.  As an executive, are you doing what it takes to keep your clients safe? Is their information secure within your care? Do you even know where to start looking? Take this short quiz to see if you are on the right path. We can help you answer “Yes” to all of your security questions.

Protect your Patients. Protect your Organization. Protect Yourself.™

Third Rock would like to take this chance to salute the nation’s Nurses for their role in patient safety – clinical safety, physical safety, and cyber safety. It’s nurses of all types who are on the front lines of protecting patients from cyber threats – such as identity theft. ransomware, and device hacking –  by practicing good “cyber hygiene.”  Good job, nurses – THANKS for all you do to keep all of us cyber safe!

I recently taught a cyber security class to a large medical practice.  The goals were to better protect the organization from cyber-attacks and to improve their HIPAA compliance.  This medical practice is a well-run and well-managed business that invests in its employees and is clearly one of the most security conscious practices I have worked with.  The hour-long course covered the cyber security basics including password management, safe Internet practices, phishing, malvertising, and incident response.  I wanted to build their cyber confidence such that they quickly knew how to recognize and respond appropriately to a potential cyber threat.

Overall the course went very well; although, I took the class to areas they were not familiar with nor comfortable with.  Discussions at times were lively and lengthy, which was great as they were really engaged.  There was a common thread in our discussions and that was people are not using the correct terminology concerning cyber security and threats, and this causes confusion and misunderstandings.  Let’s face it, in today’s world, we are bombarded daily by the news media about hacking incidents and new cyber threats.  It is part of our daily lives and conversations.

So, I was really pleased when a colleague, Mike Moran, returned from a cyber security conference and brought our team copies of a new lexicon recently published by (ISC)².  This is by far the best glossary of cyber security terms I have seen.  It was published by John McCumber in February and you can download a copy from his blog.  John is the Director of Advocacy for the North American Region of (ISC)².  And who is (ISC)²? The International Information System Security Certification Consortium is the largest and best recognized association of cyber security professionals.  Mike is certified by (ISC)² and helps our customers improve their cyber security.

I recommend you download a copy of the (ISC)² lexicon and review it.  Post it in your office and distribute it to your team.  It sends the message your organization is serious about cyber security and enables everyone to speak more accurately.  It is another step in building your organization’s cyber confidence.

If you have concerns about your cyber security or would like to improve your cyber confidence and compliance, contact us at: info@thirdrock.com

Protect your Clients. Protect your Organization. Protect Yourself.™

Our CEO would contend there is an alternative approach to the cyber security talent shortage.  Most breaches occur because computer systems are easy to breach and people make mistakes.  Compare the number of breaches based on operating systems.  Linux and UNIX variants are more difficult to breach than Windows, especially if you keep them patched.  Which means we need to focus some time and effort on Windows, shoring up its weak defenses.  The good news is, Windows and Linux can be hardened far more than their standard configurations.  We simply have to take the time to learn what is misconfigured and correct it.

Everyone should also take time to implement a simple cyber security plan.  Stop trying to boil the ocean and hire a certified security person you can’t afford.  Learn how to implement the top five most important cyber defenses or if you don’t know what they are or how, contact a reputable cyber security firm and have them create a simple, usable, affordable plan.

What are the first five steps to a good cyber security plan?

1. Make sure the backups are working and you can restore from them.
   1. Keep the backups encrypted, offsite (in the cloud), and disconnected from the network.
2. Perform a thorough cyber security assessment (HIPAA SRA, NIST SP 800-171, etc) and include a configuration and vulnerability scan of each type of operating system (computer).
   1. 1. This is not a lightweight network scan. This is an intense operating system vulnerability and configuration checking scan.  We use one with over 300 tests.  Most Windows systems pass less than 30% of these tests.
3. Harden all of your operating systems’ and network devices’ configurations based on the scan results from step #2 and ensure automatic patching is turned on where possible.
   1. If you have software applications that don’t allow you to keep your operating systems patched, you need to implement a plan to move off those software applications.
4. Implement current cyber security training of all employees that touch valuable data.
   1. Include identifying phishing campaigns.
5. Inventory and map your valuable data at rest and in motion.
   1. Verify it is secure and encrypted at all times.
   2. Inventory all network devices so you know to check them for data (and yes this could be considered another step.)

Obviously, there are other steps to be addressed and performed but these five steps will greatly improve your cyber security stature, confidence, and resilience.

If you purchase a security risk analysis (risk assessment) from a firm, they should include a technical scan of your operating systems as it is the only way to know what needs to be reconfigured on the operating systems.  If you purchase policies and procedures, they should include a risk management plan, a security plan, a contingency plan, and a breach notification plan.

But most of all, realize, cyber risk management and cybersecurity are not just about security.  You need to take a holistic approach, including leadership, employees, processes and technology.

Contact us today – 512.310.0020 or info@thirdrock.com for more information on completing a security risk assessment, developing a risk management program, or becoming a Partner to make these or related services available to your clients.

Protect your Clients. Protect your Organization. Protect Yourself.™

The top threat facing any organization today is the staff member working from a computer!  Not because this person intends to do malicious harm to the organization, but because of lack of cyber security awareness and training.  Confirmation of this is MediaPro’s 2017 State of Privacy and Security Awareness Report in which they surveyed over 1,000 people and rated their responses to real-world cyber security questions.

Respondents were grouped into 3 “risk profiles” based on their correct answers; Hero (93-100%), Novice (77-92%) and Risks (76% and lower).  In summary, 70% of those surveyed scored at the Novice level.  You might say well, 77% is a solid “C” grade in school and 92% is an “A-“.  Well if you consider one instance of risky behavior, clicking on that link in an email can infect your organization with ransomware, that is pretty frightening!  Consider that 70% of your organization is at the “Novice” level of cyber security awareness! The odds of being breached are relatively good!

The 2017 Verizon Breach Report provides some sobering breach statistics;

• 62% were the result of hacking
• 81% hacking related breaches involved stolen or weak passwords
• 66% malware installed via malicious email attachment
• 75% were conducted by outsiders (25% insiders)
• 73% were financially motivated
• 51% involved criminal groups
• 27% discovered by 3^rd parties

How do you make your entire staff Cyber Security Awareness Heroes?  Here are some easy steps that will substantially improve cyber security awareness.

1. Make cyber security awareness a priority in your organization. Discuss it in staff meetings and company-wide meetings regularly.
2. Increase training frequency and delivery methods. Taking the same training class year after year does not improve awareness and clearly tells staff it isn’t a priority.  Require two new and different training classes per year, preferably once a quarter.
3. Hold an awareness campaign where emerging threats are reviewed and positive cyber security habits are encouraged.
4. Encourage reporting of security incidents as learning opportunities. Investigate and document security incidents and then review them with the workforce to learn from them.  Revise policies and procedures as needed to address process issues.
5. If you have access to the data from your IT support organization, publish or post the statistics on the attempts to hack into your network. We all are nice and comfortable behind firewalls and forget how many bad actors are out there.
6. Conduct email phishing campaigns to improve workforce email awareness, use and habits.

Your cyber security training program should continue to evolve to keep pace with the rapidly changing cyber threats.  If you are a smaller organization, a job role should be assigned the responsibility to keep your training current and fresh.

Our dependence on computers and the Internet will only increase, as will the threats wanting to steal our sensitive data or damage our reputations or ability to do business.  It is a small investment to train your workforce to protect your organization.

If your organization needs a security risk assessment, compliance management plan, or cyber security plan, please contact us at:  info@thirdrock.com

Protect your Clients. Protect your Organization. Protect Yourself.™

A webinar brought to you by the National Rural Health Association and Rural Hospital Insurance of America

If you are the CEO, CFO or COO of a Rural Hospital then this webinar is for YOU!
But, it is open to all healthcare management.

On February 21, from 2:00 pm – 3:00 pm join the Rural Hospital Insurance of America (RHIA) program manager in conversation with two of America’s leading experts in cyber threat protection, prevention, detection, and response to learn how to stay ahead of the growing and evolving threat cybercrime poses to your patients, your patients’ data, your hospital, and yourself.

Learning objectives include:

• The common myths that attract cyber risk
• Five building blocks of patient information safety
• The typical policy pitfalls to avoid while optimizing your primary mechanism for risk transfer, cyber liability insurance
• How to overcome the crushing complexity of compliance
• How modern risk management transforms the cyber liability into a strategic asset

Patient’s lives are at stake when medical records go missing, are held hostage, or are corrupted by fraudulent use.  And, without adequate preparation and protection, a cyber breach can put your hospital’s ability to stay in business at risk.  Plus your liability and the liability of your board could be on the line.

How severe is this risk?  Consider what happened in 2017:

• Over 200,000 data records lost or stolen every hour
• Cybercriminals paid only $1 for a stolen credit card but shelled out $50 to $350 for a single ePHI record
• 33% of all Americans’ medical records stolen by year end

With an average of one million new cyber threats released every day and the cost of a data breach to American businesses – including rural hospitals – ranging from $800,000 to $3.6 million, this is a life or death matter.

For an up-to-the-minute assessment of the cyber liability environment and the questions you and your board members should be asking to satisfy your fiduciary duties, register now.

Presenters:

Sarah Churchill Llamas, of the law firm Winstead PC

Robert Felps, founder of the compliance and management firm Third Rock

Brant Couch, webinar moderator

The 2017 Global Information Security Workforce Study (GISWS) released in February 2017 forecast a shortage of 1.8 million cybersecurity workers by 2020, while a study by Cybersecurity Ventures estimates “3.5 million unfilled cybersecurity jobs” by 2021. While the projected magnitude of the shortfall varies from one study to the next, government experts, consultants, and pundits alike are unanimous in predicting that the current shortage of qualified cybersecurity workers will only get worse for the foreseeable future, a situation Steve Morgan has called “the greatest cyber risk of all.”

There is less agreement about why the shortage exists and, therefore, how to fix it.  The traditional school of thought is that educational institutions haven’t prepared enough graduates to meet the growing need. The implied solution from this perspective is to increase educational capacity by creating new programs and increasing enrollments in all programs through better marketing and outreach efforts. Outspoken critics of this perspective, however, say that cybersecurity is not an entry-level position and that graduates of cybersecurity programs lack the technical depth required to be effective.

These critics offer an alternative perspective – cybersecurity professionals are not trained in the classroom but must be developed on the job after gaining expertise in IT operations. So rather than casting about externally for cybersecurity talent that isn’t available, IT managers should be looking within their own ranks for people who could be trained in security. For instance, in a 2015 Computerworld column, “The myth of the cybersecurity skills shortage,” Ira Winkler wrote, “The best security practitioners have experience in the technology and processes that they are supposed to secure…If you have no experience as a system administrator, you cannot maintain the security of a system.” He goes on to say that most of his work as a security professional has been to shore up poorly designed, poorly configured, and poorly maintained systems, which requires IT knowledge, rather than using hacking knowledge he gained in his training. But this perspective also has critics.

A third point of view is that IT managers who only look for security professionals with IT/computer science credentials are creating the shortage through their own myopia. In a Harvard Business Review article, Marc van Zadelhoff, General Manager of IBM Security, describes IBM’s approach of creating “new collar” jobs. They look for people with “unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks” – characteristics that can’t be taught – and then train them in the necessary technical skills through on-the-job programs, vocational and community college courses, and industry certification programs, such as those offered by (ISC)². Supporting this view is the finding in the Global Information Security Workforce Study that 87% of current cybersecurity workers began their career in another field, some in other IT roles but many in non-IT fields.

So what’s the answer?

Like most difficult organizational problems, there is no single cause and, therefore, no single solution. Addressing the cybersecurity personnel shortage will require focused and creative efforts on the part of educators, managers, trade associations, and employees alike.

• Educators need to work closely with industry to identify the needed knowledge and skills to integrate into existing curricula or to serve as the basis for new programs.
• Managers, meanwhile, with support from HR and other training resources, may need to create their own internal on-the-job training programs for existing personnel, creating opportunities for lateral moves into security positions.
• Managers may also need to cast a wider net for potential security talent as IBM has done, looking for people with the necessary character and an eagerness to learn outside the IT ranks.
• Trade associations, such as ISSA and (ISC)², can pool resources to raise awareness of high school, college, and midcareer professionals of available cybersecurity career options and the paths available for acquiring the needed knowledge and skills.
• Workers already in cybersecurity positions will need to adapt to their role as teacher/mentor to those moving into security positions, respecting those with non-IT backgrounds as possibly bringing in fresh perspectives.

Finally, even if there were an excess of cybersecurity pros, they cannot safeguard an organization alone. All workers, managers, and executives, from the front desk and loading dock up to the C-suite must come to recognize that cybersecurity is now a part of everyone’s job! More on this in the weeks to come.

Is a personnel shortage putting your organization at risk? Contact us for a third-party Security Risk Assessment to find out: 512.310.0020 or info@thirdrock.com.

Just when you thought all hope was lost of remembering your 16 character password with upper and lower case letters, numbers, and special characters; NIST comes to the rescue. That’s right!  The National Institute of Standards and Technology wrote a brief addendum to SP 800-53 which simplifies Strength of Memorized Secrets.  You and I refer to those “secrets” as passwords.  It’s a light read, only 50 or 60 pages.  I don’t really know because I didn’t want to print it and kill four trees.  Anyway, the good news is Tom Sullivan wrote up a nice, short, one pageish, blog post about the draft from NIST.  You can find it at NIST tweaks advice on passwords, says make them easier to remember.  Thank You, Tom!  And Thank You, NIST!

Seriously though, it’s a serious issue.  We all need to take care in creating strong passwords to protect our data and that of our clients.  Here’s the short list of how best to do that according to the new NIST advice:

1. Make it easy to remember for you; e.g., “I rode a green bike as a kid.”
2. Make it something private, not publicly known. (Sports team names are not good passwords.)
3. The longer the better, longer than 12 characters.  Personally, make it longer than 16 if the system supports that length.
4. Hope the developers know to have password policies that prevent bad passwords.

 Here’s the summary from the document.

A.5 Summary

Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed.

And you thought all your tax dollars were going to waste! 🙂

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.