Cyber Safety Tips for Businesses When Employees Work from Home

With the threat of the Coronavirus, many companies are allowing or requiring employees to work from home. If your company deals with protected information such as healthcare, financial, consumer or personal, you should have policies and procedures in place to protect that data within your normal work environment. However, having your work force suddenly need to access this information from home may not be normal. Systems may be overloaded, sensitive information distributed in a way that you never anticipated and lines of communication disrupted. Do your policies and procedures cover such a situation, like a pandemic? Here are 6 tips to best protect your business and your clients.

Train Your Employees

We are not talking about the once a year standard, boring videos people half heartedly watch so they can print off a certificate proving they did it. Your employees must know key elements of cyber safety that they are regularly reminded of. If nothing else, make sure they know these 3 things.

1. Anticipate phishing and spear phishing attacks. Word will travel fast that everyone is working from home. Hackers will recognize you are vulnerable and try to take advantage of it. Tell your workforce to anticipate phishing and spear phishing attacks that will attempt to take advantage of pandemic fears. Give visual examples, have your IT on high alert searching for phishing attempts and contact employees immediately when one gets through your firewall.
2. Do not access sensitive information on unauthorized devices. The biggest culprit: cell phones. Have policies about what devices they are allowed to use to remotely access information and make sure they know. Never store sensitive information unencrypted on a portable device.
3. Do not access sensitive information on unsecure networks. Like working from Starbucks because they have free WiFi? That may be fine for personal use, but not when you’re accessing sensitive information. Public WiFi makes it easy for a hacker to infiltrate your computer, stealing the information you accessed.

Determine Critical Processes and Access Control

This is a key component to any Pandemic plan. Who is authorized to access sensitive information, and how do you ensure they can actually access sensitive information in a highly distributed environment? Minimize your exposure by controlling access to data. Not everyone working from home needs access to sensitive information. Make sure you lock down access to only essential employees. Follow through by monitoring who is accessing data, what they are accessing and why.

Multifactor Authentication

For those employees who need to access sensitive information, require multifactor authentication every time they remotely access a private server. This is an easy step to implement that can have a big impact on keeping cyber criminals out.  Explain to your employees why the two-factor authentication is an important safety capability.

Network Access Control

While you should train your employees not to access sensitive information on unsecure networks (see tip #1), you can implement access controls that actually block a user if they do not meet a certain level of security. You should implement a Virtual Private Network (VPN) which provides higher security for your workers using their home and/or public internet that are not secure.   It’s fairly easy and inexpensive to implement. For more information on VPNs, click here.

Encrypt Data

If information is stored locally on a device, make sure it is encrypted. Portable devices are often stolen that contain sensitive information. A simple step of encryption protects your clients’ information and protects you from hefty breach costs and fines.

Provide Company Devices

Laptops and cell phones should always be running the most up to date version of an operating system available (i.e. Windows 10 vs Windows 8). They should also have up to date firewall protections and antivirus software. If employees are permitted to use personal devices, it is difficult to ensure these protections stay up to date. Providing company devices that are properly configured and regularly updated help strengthen the barrier against cyber criminals.

Protection doesn’t have to be complicated, but it does have to be intentional. Simple steps taken by the company and the employees can go a long way. While we want to stay physically safe through this wave of the Coronavirus, let’s make sure we stay cyber safe too.

 Concerned if you have the right precautions and planning in place? Contact Third Rock at info@thirdrock.

 

Meet Hayden. He was born at 7:23 am on May 3. He started breathing too soon and swallowed liquid which caused him to struggle to breath.  Within an hour of being born, he was taken to the NICU. For 2 days he received amazing care from the doctors and nurses. He was discharged, happy and healthy, ready to take on the world. His future is bright and open to all possibilities.  Or is it? While the hospital protected his body, are they protecting his personal information? Can someone steal his identity, potentially jeopardizing his future? Children are a common target of identity theft because there is a false belief they are too young to have any “valuable” credentials.  What are you doing to make sure the Hayden’s in your hospital are protected? Be cyber confident so your patients (and their parents) can be confident in you.

Protect your Patients. Protect your Organization. Protect Yourself.™

As a board member or executive of a hospital, have you ever wondered exactly what responsibility you have, if any, for security? Not just the physical security of the people who come to the hospital for care, but the protection of their information long after treatment has been given. Are you doing everything in your power to keep patients “cyber safe”?

Third Rock is excited to be a sponsor of this year’s Healthcare Governance Conference.  Come visit us at table 15 to find out exactly what questions you should be asking about the state of your cyber security.  We can help you assess your current level of risk and create a personalized plan to get you where you need to be. Because the worst questions are the ones that are never asked.

Protect your Patients. Protect your Organization. Protect Yourself.™

Boost your Cyber Confidence!

Get some tips and inspiration when Third Rock’s Julie Rennecker, Robert Felps, and Mike Moran present Healthcare: Transforming an Industry from Cyber Victim to Cyber Confident at the ISSA Austin Chapter meeting tomorrow, March 20.

The 2017 Global Information Security Workforce Study (GISWS) released in February 2017 forecast a shortage of 1.8 million cybersecurity workers by 2020, while a study by Cybersecurity Ventures estimates “3.5 million unfilled cybersecurity jobs” by 2021. While the projected magnitude of the shortfall varies from one study to the next, government experts, consultants, and pundits alike are unanimous in predicting that the current shortage of qualified cybersecurity workers will only get worse for the foreseeable future, a situation Steve Morgan has called “the greatest cyber risk of all.”

There is less agreement about why the shortage exists and, therefore, how to fix it.  The traditional school of thought is that educational institutions haven’t prepared enough graduates to meet the growing need. The implied solution from this perspective is to increase educational capacity by creating new programs and increasing enrollments in all programs through better marketing and outreach efforts. Outspoken critics of this perspective, however, say that cybersecurity is not an entry-level position and that graduates of cybersecurity programs lack the technical depth required to be effective.

These critics offer an alternative perspective – cybersecurity professionals are not trained in the classroom but must be developed on the job after gaining expertise in IT operations. So rather than casting about externally for cybersecurity talent that isn’t available, IT managers should be looking within their own ranks for people who could be trained in security. For instance, in a 2015 Computerworld column, “The myth of the cybersecurity skills shortage,” Ira Winkler wrote, “The best security practitioners have experience in the technology and processes that they are supposed to secure…If you have no experience as a system administrator, you cannot maintain the security of a system.” He goes on to say that most of his work as a security professional has been to shore up poorly designed, poorly configured, and poorly maintained systems, which requires IT knowledge, rather than using hacking knowledge he gained in his training. But this perspective also has critics.

A third point of view is that IT managers who only look for security professionals with IT/computer science credentials are creating the shortage through their own myopia. In a Harvard Business Review article, Marc van Zadelhoff, General Manager of IBM Security, describes IBM’s approach of creating “new collar” jobs. They look for people with “unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks” – characteristics that can’t be taught – and then train them in the necessary technical skills through on-the-job programs, vocational and community college courses, and industry certification programs, such as those offered by (ISC)². Supporting this view is the finding in the Global Information Security Workforce Study that 87% of current cybersecurity workers began their career in another field, some in other IT roles but many in non-IT fields.

So what’s the answer?

Like most difficult organizational problems, there is no single cause and, therefore, no single solution. Addressing the cybersecurity personnel shortage will require focused and creative efforts on the part of educators, managers, trade associations, and employees alike.

• Educators need to work closely with industry to identify the needed knowledge and skills to integrate into existing curricula or to serve as the basis for new programs.
• Managers, meanwhile, with support from HR and other training resources, may need to create their own internal on-the-job training programs for existing personnel, creating opportunities for lateral moves into security positions.
• Managers may also need to cast a wider net for potential security talent as IBM has done, looking for people with the necessary character and an eagerness to learn outside the IT ranks.
• Trade associations, such as ISSA and (ISC)², can pool resources to raise awareness of high school, college, and midcareer professionals of available cybersecurity career options and the paths available for acquiring the needed knowledge and skills.
• Workers already in cybersecurity positions will need to adapt to their role as teacher/mentor to those moving into security positions, respecting those with non-IT backgrounds as possibly bringing in fresh perspectives.

Finally, even if there were an excess of cybersecurity pros, they cannot safeguard an organization alone. All workers, managers, and executives, from the front desk and loading dock up to the C-suite must come to recognize that cybersecurity is now a part of everyone’s job! More on this in the weeks to come.

Is a personnel shortage putting your organization at risk? Contact us for a third-party Security Risk Assessment to find out: 512.310.0020 or info@thirdrock.com.

If you don’t read about cybersecurity and stolen data everyday then you probably don’t read much news.  But, if you scan the news headlines once in a while you’re aware of the following:

• 2014 – The Year of the Cyber Breach
• 2015 – The Year of the Healthcare Cyber Breach
• 2016 – The Year of the Cyber Attack (it’s common news)
• 2017 – The Year of Ransomware

So, what will 2018 be dubbed?  2018 – The Year of the Meltdown?  Wait, what meltdown?  Or the Year of the Spectre?  Is that a ghost or something else?  Well unfortunately, two major hardware vulnerabilities have been discovered in almost all computer processors (CPUs).

What’s the Problem?

Meltdown and Spectre are hardware vulnerabilities in most modern computer processors (CPUs).  These critical flaws in the processor designs allow applications (computer software programs) to steal data from other applications running on the same processor.  Normally applications are blocked from reading data from other applications unless they have been given “permissions.”  But Meltdown and Spectre are hardware design flaws that allow this to happen.  A malicious software program (malware) can read data from another legitimate application without providing appropriate permissions.  This data may include your emails, passwords from browsers or password managers, instant messengers, EMRs, EHRs, practice management systems, billing systems, credit card processing systems, the list goes on and on.

What to do?

There’s not much to do about the hardware flaw, it will take years for all the hardware to be replaced with new computers. However, it is important to have your IT department or support firm apply the patches as they become available.  It is also very important to ask all of your cloud providers to confirm that they have applied the patches to all of their affected hardware.

Linux and Windows patches are already available. Chromebooks updated to Chrome OS 63 are protected.

Android devices running the latest security update, are already protected, which includes the Google phones. Other vendor’s updates are expected to be delivered soon. Users of other devices will have to wait for the updates to be pushed out by third-party manufacturers, including Samsung, Huawei and OnePlus.  So, know which devices still need to be updated and watch for the patches to become available and apply them as soon as you can.

What’s the Impact?

The potential impact is stolen protected or sensitive data; a data breach.  But, even if you install the patches and prevent a breach there is the possibility the patches will degrade your computer CPU performance.  On new CPUs (computers) the performance degradation may only be 5% based on what the experts are predicting.  But on CPUs older than five years, experts are predicting much worse performance.  Unfortunately, we’ll have to wait and see.

More Info?

For more details on Meltdown and Spectre visit the Meltdown Attack site at https://meltdownattack.com/

We are into the Holiday Season and Cyber Scrooges – cyber criminals – are alive and well!  Breaches seem to be a daily occurrence.  In the area where I live, they even recommend paying for gas with cash and don’t use a credit card at the pump due to card skimmers.  So, I’m out holiday shopping and I’m lucky if I have two dollars in my wallet.  That means I have to stop at a cash machine to pay for gas.  Wait, that cash machine could have a card skimmer attached to it!  I guess I have to go into the bank to get cash as well!  Bah humbug!

So, here’s some helpful advice to make you and your family a little cyber-safer during the Holiday Season.

1. Avoid using a debit card! A debit card provides direct access to your bank account.  Most banks will return the funds if a theft occurs, but generally you have to detect it and report it.  It may take time and effort to get the refund.  Use a credit card and review all the charges before paying the bill.  I use a credit card to buy gas!
2. Regularly review your bank accounts for unknown transactions, say twice a week. Set up alerts so you are notified when large withdrawals are made.
3. Set up two-factor authentication to access your bank account. This means your bank will text you a code as the final step to log into your bank account.  It is a small pain, but the protection it provides is well worth the effort!
4. Keep your antivirus software up to date and use strong passwords.  These are absolutely necessary if your device is connected to the Internet.
5. Finally, use caution when cyber-shopping. We just had a record setting Cyber Monday. The Internet allows us to shop anywhere with ease.  Search engines can provide a wide range of “stores” that are selling the toy your son or daughter must find under the tree Christmas morning.  The problem is you can’t easily tell if the seller is an honest business or a guy on his computer in the basement scamming people.  Bad businesses can buy “likes” and positive reviews for a few dollars to make themselves appear legitimate.  Here are a few cyber-shopping tips:

• Don’t chase the lowest price. Shop with known and trusted companies.  If something is too good to be true, it isn’t and it can cost you a lot!  Companies that have the lowest price may not be investing in safeguards to protect your personal information.
• Watch out for limited time offers. You click on a link for the item you want, and low and behold it is on sale at a ridiculous price for the next 90 seconds! Stop! It is designed to prevent you from fully reviewing the product and seller.  It’s not worth the risk.  There will be a legitimate “Black Friday” deal in a day or so!
• Watch out for websites spelled close to well-established businesses. They can be common misspellings or have extensions on their names.  Hover your mouse over the link and read the URL.  If it reads differently than what you expect, don’t click on the link.
• Don’t fall for free gifts via email. These are phishing emails designed to enable viruses to be loaded on to your computer to steal your personal data.
• Never give out more information than is necessary. If a site asks you for your social security number or driver’s license number, etc., stop and decide if you need to provide additional personal data.

We here at Third Rock wish you and your family a very wonderful Holiday Season and a Happy New Year!