Cyber Safety Tips for Businesses When Employees Work from Home

With the threat of the Coronavirus, many companies are allowing or requiring employees to work from home. If your company deals with protected information such as healthcare, financial, consumer or personal, you should have policies and procedures in place to protect that data within your normal work environment. However, having your work force suddenly need to access this information from home may not be normal. Systems may be overloaded, sensitive information distributed in a way that you never anticipated and lines of communication disrupted. Do your policies and procedures cover such a situation, like a pandemic? Here are 6 tips to best protect your business and your clients.

Train Your Employees

We are not talking about the once a year standard, boring videos people half heartedly watch so they can print off a certificate proving they did it. Your employees must know key elements of cyber safety that they are regularly reminded of. If nothing else, make sure they know these 3 things.

1. Anticipate phishing and spear phishing attacks. Word will travel fast that everyone is working from home. Hackers will recognize you are vulnerable and try to take advantage of it. Tell your workforce to anticipate phishing and spear phishing attacks that will attempt to take advantage of pandemic fears. Give visual examples, have your IT on high alert searching for phishing attempts and contact employees immediately when one gets through your firewall.
2. Do not access sensitive information on unauthorized devices. The biggest culprit: cell phones. Have policies about what devices they are allowed to use to remotely access information and make sure they know. Never store sensitive information unencrypted on a portable device.
3. Do not access sensitive information on unsecure networks. Like working from Starbucks because they have free WiFi? That may be fine for personal use, but not when you’re accessing sensitive information. Public WiFi makes it easy for a hacker to infiltrate your computer, stealing the information you accessed.

Determine Critical Processes and Access Control

This is a key component to any Pandemic plan. Who is authorized to access sensitive information, and how do you ensure they can actually access sensitive information in a highly distributed environment? Minimize your exposure by controlling access to data. Not everyone working from home needs access to sensitive information. Make sure you lock down access to only essential employees. Follow through by monitoring who is accessing data, what they are accessing and why.

Multifactor Authentication

For those employees who need to access sensitive information, require multifactor authentication every time they remotely access a private server. This is an easy step to implement that can have a big impact on keeping cyber criminals out.  Explain to your employees why the two-factor authentication is an important safety capability.

Network Access Control

While you should train your employees not to access sensitive information on unsecure networks (see tip #1), you can implement access controls that actually block a user if they do not meet a certain level of security. You should implement a Virtual Private Network (VPN) which provides higher security for your workers using their home and/or public internet that are not secure.   It’s fairly easy and inexpensive to implement. For more information on VPNs, click here.

Encrypt Data

If information is stored locally on a device, make sure it is encrypted. Portable devices are often stolen that contain sensitive information. A simple step of encryption protects your clients’ information and protects you from hefty breach costs and fines.

Provide Company Devices

Laptops and cell phones should always be running the most up to date version of an operating system available (i.e. Windows 10 vs Windows 8). They should also have up to date firewall protections and antivirus software. If employees are permitted to use personal devices, it is difficult to ensure these protections stay up to date. Providing company devices that are properly configured and regularly updated help strengthen the barrier against cyber criminals.

Protection doesn’t have to be complicated, but it does have to be intentional. Simple steps taken by the company and the employees can go a long way. While we want to stay physically safe through this wave of the Coronavirus, let’s make sure we stay cyber safe too.

 Concerned if you have the right precautions and planning in place? Contact Third Rock at info@thirdrock.

If it’s not broke, don’t fix it

Many people think that as long as their computer is running at a good speed and everything is working, there is no need to upgrade. Why spend money when you don’t have to, right? Wrong! The technology world cannot run on the mantra “if it’s not broke, don’t fix it” because in reality, it is broken and you just don’t know it. The proof can be seen when WannaCry ransomware was unleashed on the world in May 2017.

It crippled over 300,000 machines in 150 countries by targeting vulnerabilities in Windows operating systems, hitting Windows 7 the most. While Windows patched many of these vulnerabilities, their focus was, and still is, on their active operating systems, primarily Windows 10. According to Windows “every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported.”[1] What does this mean for your security?

Windows Lifecycle

According to Windows’ lifecycle policy[2], a product is designed to have a 5 year mainstream support lifecycle followed by a 5 year extended support cycle. During the mainstream support, consumers have access to free incident support, security update support and the ability to request non-security updates. When a product moves to the extended support stage, security updates are still provided but no new features or design changes are available, and not all products are covered.

After the end of extended support, security updates greatly decrease. According to Microsoft, “the Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates for a maximum of three years after the product’s End of Extended Support date.” Who determines what is critical and important? Microsoft of course. It would have to be a huge security breach, such as WannaCry, to justify the amount of money it would take to push out an update.

Image from Windows end of XP Support[3]

What’s the risk?

If you are running an antiquated system on your home computer, that is a risk to your security and your personal information. Not smart, but not a worldwide catastrophe. However, having one device on your work network running an old system could be devastating.

Though Windows created security updates to counter WannaCry, it is still active on over 145,000 devices worldwide according to a survey by Armis[4]. If even one device on your network is infected, it creates a gateway for hackers to breach your security.

Armis discovered that within the past 6 months, 60% of organization in the manufacturing industry and 40% in the healthcare industry experienced at least one WannaCry attack. Why? Because they tend to have older technology which makes them an easy target.

Percentage of old Windows OS versions by industry type (Retail, Technology, Healthcare, Manufacturing)4

What’s the cost?

It is estimated that the global effort to counter the original WannaCry attack in 2017 cost around $4 billion, including $325 million paid out in ransoms. The combined efforts to stop the attacks created the false sense of security that WannaCry is no longer a threat. This is just not true.

In the same way that tech companies develop better, faster and more efficient software, the criminals do too. Hackers do not stay docile. If one means to infiltrate your system fails, they look for a different back door. Having the most up to date software means that Windows is fighting those battles for you. Keeping an unsupported operating system is the same as lowering the drawbridge to the attacking army.

According to IBM’s Cost of a Breach Report 2019, the average cost of a breach in the United States is $8.2 million. With the average size of a breach being 25,575 records, that equates to $242 per record. Lost business was the biggest contributor to this total cost, with the average business losing $1.42 million[5]. It is hard to recover from the lack of trust a customer feels when their information was stolen on your watch.

Next steps

Where do you go from here? Even with these numbers, you may be asking yourself, can we really afford to find and update every device that is out of date? The bigger question is, can your business survive the cost of a breach if you don’t?

Start with our Cyber Quick Check to see what your cybersecurity score is. Our Security Risk Assessment includes multiple scans that pinpoint weak areas that are most vulnerable, including a full inventory of what is on your network. Don’t let your records be held ransom. Fight back with the right security.  If you’re still running Windows XP, Windows 7 or Windows Vista start an upgrade program today.  Replace your computers that have the oldest versions of Windows with new computers with the latest version of Windows as you can afford it.

Check your cyber score at here

[1] https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

[2] https://support.microsoft.com/en-us/help/14085

[3] https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-xp-support

[4] https://armis.com/wannacry/

[5] IBM Security and Ponemon Institute. Cost of a Data Breach Report 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL

In January 2019, Spiceworks surveyed 600 IT and security decision makers over a wide variety of companies, all with one thing in common: their use of third-party vendors or Business Associates (BAs). Their findings should have everyone looking more closely at their BAs. Some of the key findings were:

• 90% of companies with third-party policies review them annually
• 81% consider their policies effective
• 44% of the companies experienced “a significant, business altering data breach caused by a vendor”
• 15% of breached companies were notified by the vendor of the breach

These statistics are startling, highlighting the chasm between the BA risk management process and the reality of vendor incident response. The most disturbing findings came after the breach. Almost 70% of the breached companies made no change to their obviously faulty risk policies and procedures, with only half of them discontinuing the vendor relationship! The negative, business altering consequences include a combination of increased operational cost and complexity, disrupted operations, financial loss and reputational damage. Reason would move to making changes, but many don’t know where to start.

Evaluate Your Vendors

Companies need to take decisive steps with their business associates to protect their customers’ data. At a minimum, a “trust by verify” approach is required, while many companies are moving to a “zero trust” model. Some options include:

• Contractually obligate vendors to security and privacy practices
• Review your vendors’ security and privacy policies and procedures including their risk management plan
• Require security risk assessments be performed annually
• Conduct a joint risk management review focusing on data exchange and management, prior to enabling the BA access to your data
• Request historical review and references

Security should be a joint effort

It is essential to keep an inventory of all third-parties who can access and share your data, but that is not enough. This study found over two thirds of the companies were not confident that their vendors notify them when sharing data with other subcontractors. Properly vetting your BAs may increase the trust relationship, but additional steps should be taken.

• Coordinate responsibilities between both parties
• Require and review breach notification protocol
• Require insurance and other forms of indemnification
• Maintain regular communication of security expectations and execution

The need for vendors and BAs will always be present in our ever changing, collaborative world. Take the steps necessary to protect your company, your clients and your vendors.

Reference

Nearly half of firms suffer data breach at hands of vendors. Mark Sangster. 6 March 2019. https://www.esentire.com/blog/nearly-half-of-firms-suffer-data-breach-at-hands-of-vendors/

Have you ever received an email from a trusted company saying that your account needs maintenance? The only problem, you don’t have an account with that company. So why are they sending you an email? Most likely, it’s scammers using a popular technique called brand impersonation.

Brand impersonation has become so popular that 83% of all spear phishing attacks use this tactic. A scammer sends a very legitimate looking email, complete with logo and, what appears to be, legitimate email address. The goal is to get you to give up credentials or click on a malicious link. Some links take you to, again, what looks like a real website asking you to enter your login information to “fix” your account. These websites are actually hosted by the cybercriminal, and once you enter in your data, they have it. Nearly 1 in 5 attacks involve the impersonation of a financial institution, in order to gain access to your login, account numbers and other personal information. The highest impersonated company though is Microsoft, being used for 32% of known attacks.[1] If the cybercriminal can gain access to your email, they can monitor it without you knowing. Then they can learn details about you, send password resets from you valuable accounts and capture the email to login.

What to look for 

• Misspellings or questionable domain name in sender’s email
• Misspellings or questionable domain name in any of the hyperlinks
• Vague description of the “issue” with your account
• If you click a link, check the web address it sends you to
• Is this normal practice for the company to communicate with you?

Best practices to protect yourself

• Make sure the information presented in the email actually matches your use of that product. (i.e. if you receive an email about an iTunes purchase, but haven’t made any purchases)
• If you want to check your account, do not follow links in the email. Go to the company’s website directly to log in
• When in doubt, call the company to ask about your account
• Send the fake email to the legitimate company. Many companies invest in the protection of their customers and will investigate brand impersonations.
• If you do make a mistake and type in your user id and password to an impersonating web site, immediately go to your real account and change the password.

[1] SPEAR PHISHING: TOP THREATS AND TRENDS • US 1.0 • Copyright 2019 Barracuda Networks, Inc. • barracuda.com

Email spoofs and phishing have greatly evolved in the last few years, with criminals upping their game to trick you. Instead of casting a wide net, criminals are utilizing Spear Phishing, a highly personalized attack. Attackers research their targets and craft a carefully designed message impersonating a seemingly trustworthy person or company. According to Beazley’s 2019 Breach Briefing, business email compromise increased 133% with financial institutions, healthcare and education being the top targets. While it only accounts for 6% of all spear phishing attacks, it has proven very lucrative for criminals.

Business email compromise (BEC) occurs when a cybercriminal uses a compromised email account or spoofs a legitimate email address to trick an employee into transferring money or sensitive data. The financial industry is the highest targeted due to their easy access to funds. An employee gets an email from a “senior executive” requesting a wire transfer, giving this attack its nickname of CEO fraud. Attackers use a sense of urgency in their emails to encourage quick action by the receiver without investigation. The FBI reports a loss of $12.5 billion since 2013 due to BEC.

Criminals must do their research to pull off a BEC attach successfully. They must learn names of employees, hierarchy of the company and who controls the funds. Then, using a spoofed or compromised attack, they send an email requesting a wire transfer with a fraudulent account number or sensitive data with financial information. These tend to not have any links or malicious attachments so they are hard to detect through email security. An email may look similar to this:

                     From: Jane Johnson <jane.johnson@conp.com>

To: Michael Blake <michael.blake@corp.com>

Subject: Request

Hey Michael,

Are you in the office? I need to process a bank transfer for me.

Give me a quick reply when you can get it done.

Regards,

Jane Johnson

CEO, Corp Corporation

Cell: 408-292-2020

On first glance it looks legitimate and has a sense of urgency. On closer inspection, you see the sender is using a spoof account of @conp.com instead of @corp.com. If this money is sent, it’s almost impossible to get back. This criminal did his research.

Hard to Defend

•  Targeted attacks that are not mass produced, so they aren’t flagged as spam

• Emails come from reputable email services (gmail.com is used for 1 in 3 attacks)

• No malicious links or attachments

• Domain and display name spoofing make convincing impersonations

• Compromised accounts used to send requests are even harder to trace

• Social engineering tactics such as brevity, urgency, personalization and pressure increase chances of success

Steps to Protect your business

• Enable multi-factor authentication for remote access to systems and apps

• Implement regular anti-fraud training for your employees

• Establish a process for employees who travel and need to request funds. Do not document the process in the network.

• Limit the employees who have the authority to submit or approve wire transfers

• Verify any vendor requests to change account details with verbal confirmation

• Utilize artificial intelligence technology that recognizes when an account has been compromised

Health IT has come a long way since the HITECH Act was introduced almost 10 years ago. Technology availability and accessibility has also increased dramatically in that time frame. While better connectivity has revolutionized healthcare, it has also opened the door to cyber risks.

Testimony before the Texas Health Services Authority Board at the Texas State Capitol on Friday, October 4 reinforced recent headlines that cybersecurity is a persistent problem; one that will require greater resources at all levels of healthcare and healthcare governance. Representatives from the Texas Attorney General’s Office, the Texas Medical Board, Texas Medical Liability Trust, University of Texas, and Cynergistek[1], along with Third Rock CEO, Robert Felps, took turns presenting data and observations on the “current state of cybersecurity and privacy in Texas healthcare” from their professional perspectives. Though some gains have been made in recent years, key points across the presentations made clear that Texas healthcare organizations – and the supporting governing bodies – still have work to do to safeguard patient data.  Here are the key takeaways:

1. Available data indicate that Texas healthcare organizations remain extremely vulnerable to cyber threats.

• In 2017, TMLT received reports of 600 data privacy and security incidents, or breaches. There have only been 103 incidents so far in 2018 (Jan-Sept), but that’s still an average of 11.4 incidents/month.
• Mac MacMillan, CEO of Cynergistek, reported that his firm is notified of at least one security incident a day by one of their 1500 hospital clients, which includes 70 academic medical centers.

2. Both formal and informal reports indicate that healthcare organizations have an incomplete approach to cybersecurity and HIPAA compliance.

• In 2016, the OCR Random Audit Program evaluated 63 Covered Entities. Of the audited organizations, 13 had not attempted to perform a Security Risk Assessment (SRA). Of the 50 organizations that had completed an SRA, none satisfied the OCR’s requirements.
• MacMillan also reported that fewer than half of Cynergistek’s client organizations meet the NIST requirements for cybersecurity; a situation he attributed to a lack of both human and financial resources.

3. Too many healthcare organizations are financially unprepared for a cyber event.

• 70% of healthcare organizations report having no cyber insurance.
• The combination of legal fees, penalties, increased administrative costs, and loss of business resulting from an information security incident can potentially put a healthcare organization out of business.

4. There is a significant shortage of adequately-trained cybersecurity personnel.

• According to MacMillan, there are currently about 780,000 cybersecurity employees and approximately 350,000+ cybersecurity job vacancies. By 2021, labor experts are predicting 3.5 million cybersecurity job vacancies.
• When he visits a client hospital and asks “Who’s taking care of ‘x’ cybersecurity technology?” he is often referred to an IT employee with no cybersecurity experience.

5. Enforcement responsibility for healthcare data privacy and security is distributed across multiple state agencies, resulting in incomplete data and inconsistent enforcement.

• At the state level, responsibility for enforcing HIPAA and HB300 falls to the Texas Medical Board, Texas Board of Nursing, Dept of Health Services (DHS), Office of the Attorney General and others.
• Agencies report aggregate numbers to the Office of the Attorney General of complaints received and of incidents resulting in disciplinary action. However, specific cases are only referred to the Attorney General’s Office when the Agency believes an incident warrants civil or criminal penalties that only the AG’s office can impose.

6. Information security incidents negatively impact patients – both directly and indirectly.

• Healthcare records are worth substantially more on the black market than credit card or even social security numbers, making healthcare records a prime target for cyber criminals.
• A security incident resulting in identity theft can take years, and thousands of dollars, for an affected patient to correct.
• A ransomware attack can bring care delivery to a standstill, freezing infusion pumps and other medical devices, putting patients at risk.

Are you cyber confident?  Can you afford no action?  Third Rock makes it simple and affordable.

Protect your patients, protect your practice, protect yourself

[1] A cyber security consulting firm, https://cynergistek.com/

[2] Texas Medical Liability Trust, the largest medical provider in the state, https://tmlt.org/tmlt