<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>cybersecurity Archives - Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/tag/cybersecurity/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Thu, 26 Mar 2020 19:31:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>cybersecurity Archives - Third Rock</title>
	<link>https://thirdrock.com/blog/tag/cybersecurity/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>Cyber Protection as Your Business Deals with Social Distancing</title>
		<link>https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Tue, 10 Mar 2020 12:00:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Pandemic]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8918</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/">Cyber Protection as Your Business Deals with Social Distancing</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Cyber Safety Tips for Businesses When Employees Work from Home</h2>
<p>With the threat of the Coronavirus, many companies are allowing or requiring employees to work from home. If your company deals with protected information such as healthcare, financial, consumer or personal data, you should have policies and procedures in place to protect that data within your normal work environment. However, having your workforce suddenly need to access this information from home may not be normal. Systems may be overloaded, sensitive information may be distributed in ways you never anticipated, and lines of communication may be disrupted. Do your policies and procedures cover a situation like a pandemic? Here are 6 tips to best protect your business and your clients.</p>
<h3>Train Your Employees</h3>
<p>We are not talking about the standard, boring once-a-year videos people half-heartedly watch so they can print off a certificate proving they did it. Your employees <u>must</u> know the key elements of cyber safety and be regularly reminded of them. If nothing else, make sure they know these 3 things.</p>
<ol>
<li><u>Anticipate phishing and spear phishing attacks</u>. Word will travel fast that everyone is working from home. Hackers will recognize you are vulnerable and try to take advantage of it. Tell your workforce to anticipate phishing and spear phishing attacks that will attempt to take advantage of pandemic fears. Give visual examples, have your IT staff on high alert searching for phishing attempts, and contact employees immediately when one gets through your firewall.</li>
<li><u>Do not access sensitive information on unauthorized devices</u>. The biggest culprit: cell phones. Have policies about what devices they are allowed to use to remotely access information and make sure they know. Never store sensitive information unencrypted on a portable device.</li>
<li><u>Do not access sensitive information on unsecure networks</u>. Like working from Starbucks because they have free WiFi? That may be fine for personal use, but not when you’re accessing sensitive information. Public WiFi makes it easy for a hacker to infiltrate your computer, stealing the information you accessed.</li>
</ol>
<h3>Determine Critical Processes and Access Control</h3>
<p>This is a key component to any Pandemic plan. Who is authorized to access sensitive information, and how do you ensure they can actually access sensitive information in a highly distributed environment? Minimize your exposure by controlling access to data. Not everyone working from home needs access to sensitive information. Make sure you lock down access to only essential employees. Follow through by monitoring who is accessing data, what they are accessing and why.</p>
<h3>Multifactor Authentication</h3>
<p>For those employees who need to access sensitive information, require multifactor authentication every time they remotely access a private server. This is an easy step to implement that can have a big impact on keeping cyber criminals out. Explain to your employees why two-factor authentication is an important safety capability.</p>
<h3>Network Access Control</h3>
<p>While you should train your employees not to access sensitive information on unsecure networks (see tip #1), you can also implement access controls that actually block a user who does not meet a certain level of security. You should implement a Virtual Private Network (VPN), which provides higher security for workers whose home and/or public internet connections are not secure. It’s fairly easy and inexpensive to implement. For more information on VPNs, <a href="https://www.techradar.com/vpn/best-vpn">click here</a>.</p>
<h3>Encrypt Data</h3>
<p>If information is stored locally on a device, make sure it is encrypted. Portable devices that contain sensitive information are often stolen. The simple step of encryption protects your clients’ information and protects you from hefty breach costs and fines.</p>
<h3>Provide Company Devices</h3>
<p>Laptops and cell phones should always be running the most up-to-date version of an operating system available (e.g. Windows 10 vs Windows 8). They should also have up-to-date firewall protections and antivirus software. If employees are permitted to use personal devices, it is difficult to ensure these protections stay up to date. Providing company devices that are properly configured and regularly updated helps strengthen the barrier against cyber criminals.</p>
<p>Protection doesn’t have to be complicated, but it does have to be intentional. Simple steps taken by the company and the employees can go a long way. While we want to stay physically safe through this wave of the Coronavirus, let’s make sure we stay cyber safe too.</p>
<p> Concerned if you have the right precautions and planning in place? Contact Third Rock at info@thirdrock.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8918</post-id>	</item>
		<item>
		<title>Travel Cyber Safe</title>
		<link>https://thirdrock.com/blog/2019/11/26/travel-cyber-safe/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Tue, 26 Nov 2019 15:21:23 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[juice jacking]]></category>
		<category><![CDATA[travel]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8689</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/11/26/travel-cyber-safe/">Travel Cyber Safe</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">
<p>The holidays get busy. Traveling is stressful and we aren’t always as vigilant as we should be. In today’s world of data breaches, identity theft and cybercrime, there are many things we know to be cautious about. You wouldn’t give away your credit card number or let a stranger have access to your driver’s license. But are you cyber safe with your phone? We have become so dependent on our phones to store sensitive and private data that we sometimes forget we need to protect them too.</p>
<h2>Let’s take a look at a scenario that could happen to any of us:</h2>
<p><em style="font-size: 14px;">The morning was a rush and you made it to the airport on time, thankfully. After getting through security, there is a little time to breathe. You grab some coffee, check your phone and realize you forgot to charge it. Ugh. Your phone needs to be charged to last the whole flight and still have juice when you land. You notice a charging station near your gate. There are even cords already plugged in, so you don’t have to dig yours out of your mess of a bag. Score!</em></p>
<p>You may not be as lucky as you feel. Cyber criminals are taking advantage of how dependent we are on our devices and their need to be charged. This new scam, known as “juice jacking”, takes advantage of your connection to your phone.</p>
<p><strong style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">How does it work?</strong></p>
<p><span style="font-size: 14px;">Phone cords are designed for 2-way communication. Data can come in, but data also goes out. This can be seen every time you attach an iPhone to your computer and iTunes wants to download your data. Convenient when you want it, but bad when the criminals want it. Criminals download malware into the charging station, or physically alter the charging station by installing a cable connected to a virus-laden device, and wait until you connect. They then have access to everything on your phone. What do you keep saved?</span></p>
<ul>
<li>Passwords?</li>
<li>Credit card information?</li>
<li>Communications?</li>
<li>Photos?</li>
</ul>
<p><span style="font-size: 14px;">Depending on the malware, they could download your data or install malware on your phone that will continue to monitor your usage. They might even lock you out of your phone completely. The biggest concern: you may never know. A week later you’re seeing fraudulent charges on an account and trying to figure out what happened. This is very similar to the card skimmers installed at gas stations.</span></p>
<p><strong style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">What can you do?</strong></p>
<p><span style="font-size: 14px;">Thankfully there are easy ways to avoid this scam.</span></p>
<ul>
<li>Use your own AC adapter and cord</li>
<li>Plug into a wall outlet, not a charging station</li>
<li>Use a “charge only” cord at a charging station</li>
<li>Use personal car chargers</li>
<li>Use a portable charger</li>
</ul>
<p> <strong style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">Be cyber safe this holiday season</strong></p>
<p>Physical security is important and easy to remember. We see our wallet; we protect our wallet. This holiday season, let’s also remember our cyber safety.</p>
<hr class="wp-block-separator" />
</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8689</post-id>	</item>
		<item>
		<title>Prevention is Cheaper than Correction</title>
		<link>https://thirdrock.com/blog/2019/11/22/prevention-is-cheaper-than-correction/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 22 Nov 2019 15:00:59 +0000</pubDate>
				<category><![CDATA[In the News]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA Security]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8681</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/11/22/prevention-is-cheaper-than-correction/">Prevention is Cheaper than Correction</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>The healthcare industry led the nation in regulations for information security. In an effort to protect private health information (PHI), healthcare organizations are required to protect patient data against <em>any reasonably anticipated threats or hazards</em>. You are required to perform risk assessments, but knowing your risk is not enough. Steps must be taken to fix issues and prevent data loss. Most other industries and states are joining the bandwagon with regulations of their own. The basics are the same: do your due diligence to protect data or face the consequences.</p>
<h2><em>The Breach</em></h2>
<p>The University of Rochester Medical Center (URMC) recently agreed to a $3,000,000 settlement with the Office of Civil Rights (OCR). URMC reported data loss in 2013 when an unencrypted flash drive was lost. They again reported a breach when a personal laptop with unencrypted ePHI was stolen from a treatment facility. The fine may seem steep when you think that only 43 patients’ data was on the stolen laptop. The bigger issue, however, was the lack of progress in breach prevention from the first to the second incident.</p>
<p><em style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">The Cost</em></p>
<p><span style="font-size: 14px;">Beyond the fine to the OCR, breaches can cost a company much more. According to the IBM Security Cost of a Data Breach Report 2019, healthcare is the industry with the highest average cost at $6.45 million, not including fines. Lost business was the largest contributing factor to this total, accounting for 36% of the total cost. Other factors include detection and reporting, notification of affected parties and post-breach cleanup.</span></p>
<p> <em style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">Corrective Action</em></p>
<p><span style="font-size: 14px;">The list of requirements mandated by the OCR looks very similar to the actions that are expected to prevent a breach in the first place.</span></p>
<ul>
<li>Conduct a Risk Analysis</li>
<li>Implement a Risk Management Plan</li>
<li>Implement customized Policies and Procedures</li>
<li>Train your staff</li>
<li>Create and maintain a body of compliance evidence</li>
</ul>
<h2><em>Prevention is always cheaper</em></h2>
<p><span style="font-size: 14px;">URMC is facing a guaranteed loss of $3,000,000 plus other expenses in breach clean up, notification and potential loss of business. The cost of our cyber risk management from assessment, reporting and remediation starts at $699/year for a small organization. Our automated tool, CyberCompass™, puts you in charge of your cyber risk, cybersecurity and compliance. Addressing all the requirements listed above, we also save you 70% of the typical cost, time and effort. An easy to use dashboard prioritizes your corrective actions, allowing you to work through them at your own pace. With built in regulations for most industries, start your move toward Cyber Confidence® today.</span></p>
<p> <span style="font-size: 14px;">Contact Us for more details or visit thirdrock.cybercompass.co</span></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8681</post-id>	</item>
		<item>
		<title>IT Responsibly: Defend your Territory</title>
		<link>https://thirdrock.com/blog/2019/10/18/it-responsibly-defend-your-territory/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 18 Oct 2019 14:00:28 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[CyberAware]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[passwords]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8628</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/10/18/it-responsibly-defend-your-territory/">IT Responsibly: Defend your Territory</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>In the days of old, people built giant walls to defend their land. It was easy to see the invading army approach. Pull up the drawbridge, light the arrows and defend your city. Today, the walls are digital and the invaders are invisible, and often robots, sneaking in the back door or under the radar, pretending to be someone we trust or attacking out of nowhere. So how do we defend our territory in a modern technology age?</p>
<h2><strong><em>Ditch the passwords</em></strong></h2>
<p>Passwords are the first line of defense in protecting your private information. The problem with passwords though is that if you make them strong, they can be hard to remember. And if you follow the sound advice to not use the same password on any site, you may think you have to remember 30 plus long, hard to remember passwords! To this I give you 2 suggestions:</p>
<ol>
<li>Get a password manager – Don’t trust Google to save your passwords. (see previous blog) A password manager is a vault to place all those hard to remember passwords in a secure location. Read Consumer Advocate’s top ten choices in their article <a href="https://www.consumersadvocate.org/password-manager/a/best-password-manager?pd=true&amp;keyword=password%20manager%20reviews&amp;bca_campaignid=333237838&amp;bca_adgroupid=1217159630398009&amp;bca_matchtype=e&amp;bca_network=o&amp;bca_device=c&amp;msclkid=d7d70723a82d13ab59d85abdb5de1bb0&amp;utm_source=bing&amp;utm_medium=cpc&amp;utm_campaign=zh%20Password%20Manager&amp;utm_term=password%20manager%20reviews&amp;utm_content=Password%20Manager%20Reviews" target="_blank" rel="noopener noreferrer">here</a></li>
<li>Use passphrases – Instead of hard-to-remember letter, number and character combinations, use a full phrase as your password. Pick something you can remember and modify it so that you have a unique phrase for each site. For example, “BobandSusan’sbankaccount!”</li>
</ol>
<h2><strong><em>Multi-factor Authentication</em></strong></h2>
<p>Requiring 2 forms of verification is becoming a popular and simple way to secure data. Here’s an example one of my money accounts uses. I’m asked for the email, username, or phone number associated with my account. Once entered, I am then asked for a code that will be emailed or texted. This is very easy for me as a user. I don’t have another password to remember, the messages come through quickly and I can access my account. While it’s easy for me, it’s harder for a hacker. Someone would have to be able to access my phone or email to be able to access the original account.</p>
<h2><strong><em>Recognize Imposters</em></strong></h2>
<p>A popular way for hackers to gain access to your data is called spoofing. They send an email from what appears to be a legitimate company claiming something to try and get you to give over your information. Your account has been compromised: type in your password. You’ve won a gift card: type in your password. You have been locked out: type in your password. We’ve seen suspicious activity: type in your password. You get the idea. Hackers use the logo of a trusted company to put you at ease, but when you click on the link it sends you to a spam site that is gathering your data, not resolving an issue. Here are things to look for:</p>
<ul>
<li>Is this normal behavior for the company in question? If not, don’t trust the link.</li>
<li>Check the email address against valid emails you have received from the company</li>
<li>Look at the link. If you click to a sign in page, check the website address. If you aren’t on the company’s main sign in page, do not put in any information.</li>
<li>When in doubt, go to your account. If you want to check activity, type in the website address you know and sign in that way. Most companies will post the notifications inside your account so you can verify.</li>
</ul></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8628</post-id>	</item>
		<item>
		<title>IT Responsibly: Check your settings</title>
		<link>https://thirdrock.com/blog/2019/10/11/it-responsibly-check-your-settings/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 11 Oct 2019 13:41:58 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[CyberAware]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[NCSAM]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8530</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/10/11/it-responsibly-check-your-settings/">IT Responsibly: Check your settings</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Have you recently purchased a new device? Smart phone, laptop, tablet or even a smart watch? Maybe you just downloaded the latest update to your computer or smart phone. Do you know what it did? Too many times we take for granted the base features technology and updates provide without checking the privacy settings. Always check that the settings represent what is best for you, not what is best for the company.</p>
<h2><strong>Location, Location, Location</strong></h2>
<p>Location services are very helpful. Let’s face it, who pulls out a paper map anymore when your navigation can tell you exactly how to get somewhere? However, your location does not need to be tracked at all times, so you should check the settings on all of your devices. Most apps have the option to only track while in use. When in doubt, it’s better to turn off location tracking until you find you need it. Phones are not the only devices that track location. Be sure to check settings on your laptop, tablets and smart watches.</p>
<p style="padding-left: 30px;"><em>“Checking in” on social media? Publicly announcing your location on a social media platform could potentially be dangerous. You are letting would-be thieves and criminals know you are away from home, or informing an unwanted person how to find you.</em></p>
<h2><strong>Just Click “No”</strong></h2>
<p>Having your passwords saved is extremely convenient, especially if you follow the rule to have different passwords for every site. Google/Chrome wants to automatically save all of these passwords for you, which seems very nice of them. The issue is that this is not actually secure, especially if you use public WiFi. A hacker could easily write a script to steal the saved data on your computer.</p>
<p style="padding-left: 30px;"><em>Do you do a lot of online shopping? When your browser asks to save your credit card information, be sure to choose “never”. If a hacker can get your passwords, they can also steal your credit card information.</em></p>
<h2><strong>Public WiFi</strong></h2>
<p>Do you deal with sensitive data for work, bank online or simply enjoy online shopping? Accessing private accounts with private data on public WiFi puts you at extreme risk. It only takes one person with the know-how and malicious intent on the same WiFi to remotely access the information on your computer. Save sensitive work for private networks.</p>
<p style="padding-left: 30px;"><em>If you are a business owner, be sure to have separate WiFi networks for guests, non-sensitive data and sensitive data. Limit access to the network for sensitive data to those who need access.</em></p>
<p style="padding-left: 30px;"><span style="color: #0000ff;"><em>PRO TIP: Consider using one computer to “surf” the web and one computer to ONLY access sensitive data web sites such as banking, financial services, stock trading, healthcare and insurance.</em></span></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8530</post-id>	</item>
		<item>
		<title>Security starts with knowing your weaknesses</title>
		<link>https://thirdrock.com/blog/2019/03/26/security-starts-with-knowing-your-weaknesses/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Tue, 26 Mar 2019 14:00:58 +0000</pubDate>
				<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5914</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/03/26/security-starts-with-knowing-your-weaknesses/">Security starts with knowing your weaknesses</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>One of the biggest challenges in data and information security is knowing your threat level. IBM Security recently released its 2018 X-Force Threat Intelligence Index. They monitor daily security events in 130 countries throughout the year for a comprehensive understanding of trends in cyber threats.</p>
<p>One of the most prominent ways organizations were found to be inadvertently open to attacks was due to improper configuration of cloud services. Misconfigured cloud servers accounted for 43% of more than 2.7 billion compromised records. This is an increase of 20% over recorded incidents in 2017.  According to the survey, “misconfiguration is now the single-biggest risk to cloud security, with 62% of surveyed IT and security professionals noting it as a problem”. While most of these breaches appear to be the result of inadvertent actions, it is possible for an insider to maliciously expose data and hide it as an accident.</p>
<p>No matter the style of attack, financial gain is almost always the motivation. Over the past few years, ransomware became a popular choice for cyber criminals. In 2018, however, we actually see a decrease in the use of ransomware by 45%. Why? Because cryptojacking is proving far more lucrative for criminals, and thus increased in use by 450%! Without needing any hardware of their own, a cyber criminal can install a cryptocurrency miner virtually undetected. Once installed, not only is the criminal gaining valuable coin at the owner’s expense, but they are also opening the door for other kinds of breaches.</p>
<p><img data-recalc-dims="1" fetchpriority="high" decoding="async" class="aligncenter size-medium wp-image-5909" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692-300x115.png?resize=410%2C157&#038;ssl=1" alt="" width="410" height="157" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692.png?resize=300%2C115&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692.png?resize=768%2C294&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692.png?w=777&amp;ssl=1 777w" sizes="(max-width: 410px) 100vw, 410px" /></p>
<p>The number of recorded vulnerabilities has exponentially increased in the last 3 years. This is due to the “ever-expanding attack surface as new players such as IoT devices, and other smart technologies enter the fray.” The attack surface refers to the set of entry points through which a cyber criminal can infiltrate an organization. Finance and Insurance registered as the highest targeted industry, because its access to Personally Identifiable Information (PII) links directly to bank account and credit card data that can be monetized quickly. Professional services, such as legal, CPAs and consulting, is the third most targeted industry with the second highest likelihood of a breach. Valuable customer data combined with limited security budgets and staff makes it “as vulnerable as it is lucrative”.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5910" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916-300x205.png?resize=404%2C276&#038;ssl=1" alt="" width="404" height="276" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916.png?resize=300%2C205&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916.png?resize=768%2C524&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916.png?w=844&amp;ssl=1 844w" sizes="(max-width: 404px) 100vw, 404px" /></p>
<p>With all of this seemingly troubling news, you may be asking: what can we do to protect ourselves? As IBM states, we must “make security an integral part of culture and overall structure”. This is done by changing your threat landscape to reduce your risk of exposure. And that starts with knowing your risks. Our Cyber Quick Check is the first step to understanding your risk, and takes less than 5 minutes. Based on your Cyber score, discover the recommended next steps. With dedicated action on your part and the use of our automated cyber risk management system, CyberCompass™, we can increase your protection to 80% in only 90 days. The threats are real, but protection is available. Don’t wait in the dark any longer. Protect yourself and your business from threats today.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/03/26/security-starts-with-knowing-your-weaknesses/">Security starts with knowing your weaknesses</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5914</post-id>	</item>
		<item>
		<title>The Current State of Privacy and Cybersecurity in Texas Healthcare Organizations</title>
		<link>https://thirdrock.com/blog/2018/10/11/the-current-state-of-privacy-and-cybersecurity-in-texas-healthcare-organizations/</link>
		
		<dc:creator><![CDATA[Robert Felps]]></dc:creator>
		<pubDate>Thu, 11 Oct 2018 15:00:21 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[Patient Information Privacy]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5855</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/10/11/the-current-state-of-privacy-and-cybersecurity-in-texas-healthcare-organizations/">The Current State of Privacy and Cybersecurity in Texas Healthcare Organizations</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-full wp-image-5856" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/IHIT_Avatar18-200.jpg?resize=200%2C200&#038;ssl=1" alt="" width="200" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/IHIT_Avatar18-200.jpg?w=200&amp;ssl=1 200w, https://i0.wp.com/thirdrock.com/wp-content/uploads/IHIT_Avatar18-200.jpg?resize=150%2C150&amp;ssl=1 150w" sizes="(max-width: 200px) 100vw, 200px" /></p>
<p>&nbsp;</p>
<p>Health IT has come a long way since the HITECH Act was introduced almost 10 years ago. Technology availability and accessibility have also increased dramatically in that time frame. While better connectivity has revolutionized healthcare, it has also opened the door to cyber risks.</p>
<p>Testimony before the Texas Health Services Authority Board at the Texas State Capitol on Friday, October 4 reinforced recent headlines that cybersecurity is a persistent problem; one that will require greater resources at all levels of healthcare and healthcare governance. Representatives from the Texas Attorney General’s Office, the Texas Medical Board, Texas Medical Liability Trust, University of Texas, and Cynergistek<a href="#_ftn1" name="_ftnref1">[1]</a>, along with Third Rock CEO, Robert Felps, took turns presenting data and observations on the “current state of cybersecurity and privacy in Texas healthcare” from their professional perspectives. Though some gains have been made in recent years, key points across the presentations made clear that Texas healthcare organizations – and the supporting governing bodies – still have work to do to safeguard patient data.  Here are the key takeaways:</p>
<p>&nbsp;</p>
<ol>
<li><strong>Available data indicate that Texas healthcare organizations remain extremely vulnerable to cyber threats. </strong></li>
</ol>
<ul>
<li>In 2017, TMLT received reports of 600 data privacy and security incidents, or breaches. There have only been 103 incidents so far in 2018 (Jan-Sept), but that’s still an average of 11.4 incidents/month.</li>
<li>Mac MacMillan, CEO of Cynergistek, reported that his firm is notified of at least one security incident a day by one of their 1500 hospital clients, which includes 70 academic medical centers.</li>
</ul>
<p>&nbsp;</p>
<ol start="2">
<li><strong>Both formal and informal reports indicate that healthcare organizations have an incomplete approach to cybersecurity and HIPAA compliance.</strong></li>
</ol>
<ul>
<li>In 2016, the OCR Random Audit Program evaluated 63 Covered Entities. Of the audited organizations, 13 had not attempted to perform a Security Risk Assessment (SRA). Of the 50 organizations that had completed an SRA, <u>none</u> satisfied the OCR’s requirements.</li>
<li>MacMillan also reported that fewer than half of Cynergistek&#8217;s client organizations meet the NIST requirements for cybersecurity; a situation he attributed to a lack of both human and financial resources.</li>
</ul>
<p>&nbsp;</p>
<ol start="3">
<li><strong>Too many healthcare organizations are financially unprepared for a cyber event. </strong></li>
</ol>
<ul>
<li>70% of healthcare organizations report having <em><u>no cyber insurance</u><strong>.</strong></em></li>
<li>The combination of legal fees, penalties, increased administrative costs, and loss of business resulting from an information security incident can potentially put a healthcare organization out of business.</li>
</ul>
<p><strong> </strong></p>
<ol start="4">
<li><strong>There is a significant shortage of adequately-trained cybersecurity personnel. </strong></li>
</ol>
<ul>
<li>According to MacMillan, there are currently about 780,000 cybersecurity employees and approximately 350,000+ cybersecurity job vacancies. By 2021, labor experts are predicting 3.5 <em>million</em> cybersecurity job vacancies.</li>
<li>When he visits a client hospital and asks &#8220;Who&#8217;s taking care of ‘x’ cybersecurity technology?&#8221; he is often referred to an IT employee with no cybersecurity experience.</li>
</ul>
<p>&nbsp;</p>
<ol start="5">
<li><strong>Enforcement responsibility for healthcare data privacy and security is distributed across multiple state agencies, resulting in incomplete data and inconsistent enforcement.</strong></li>
</ol>
<ul>
<li>At the state level, responsibility for enforcing HIPAA and HB300 falls to the Texas Medical Board, Texas Board of Nursing, Dept of Health Services (DHS), Office of the Attorney General and others.</li>
<li>Agencies report aggregate numbers to the Office of the Attorney General of complaints received and of incidents resulting in disciplinary action. However, specific cases are only referred to the Attorney General’s Office when the Agency believes an incident warrants civil or criminal penalties that only the AG’s office can impose.</li>
</ul>
<p>&nbsp;</p>
<ol start="6">
<li><strong>Information security incidents negatively impact patients – both directly and indirectly.</strong></li>
</ol>
<ul>
<li>Healthcare records are worth substantially more on the black market than credit card or even social security numbers, making healthcare records a prime target for cyber criminals.</li>
<li>A security incident resulting in identity theft can take years, and thousands of dollars, for an affected patient to correct.</li>
<li>A ransomware attack can bring care delivery to a standstill, freezing infusion pumps and other medical devices, putting patients at risk.</li>
</ul>
<p>&nbsp;</p>
<h4 style="text-align: center;">Are you cyber confident?  Can you afford no action?  Third Rock makes it simple and affordable.</h4>
<p style="text-align: center;"><strong>Protect your patients, protect your practice, protect yourself</strong></p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> A cyber security consulting firm, <a href="https://cynergistek.com/">https://cynergistek.com/</a></p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> Texas Medical Liability Trust, the largest medical provider in the state, <a href="https://tmlt.org/tmlt">https://tmlt.org/tmlt</a></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/10/11/the-current-state-of-privacy-and-cybersecurity-in-texas-healthcare-organizations/">The Current State of Privacy and Cybersecurity in Texas Healthcare Organizations</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5855</post-id>	</item>
		<item>
		<title>Meet Hayden</title>
		<link>https://thirdrock.com/blog/2018/08/24/meet-hayden/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Fri, 24 Aug 2018 16:00:11 +0000</pubDate>
				<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[patient health information]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5815</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/08/24/meet-hayden/">Meet Hayden</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_7 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>&nbsp;</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5816" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=300%2C200&#038;ssl=1" alt="" width="300" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=1024%2C683&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p><span style="margin: 0px; line-height: 107%; font-family: 'Calibri',sans-serif; font-size: 11pt;"><span style="color: #000000;">Meet Hayden. He was born at 7:23 am on May 3. He started breathing too soon and swallowed liquid which caused him to struggle to breath.  Within an hour of being born, he was taken to the NICU. For 2 days he received amazing care from the doctors and nurses. He was discharged, happy and healthy, ready to take on the world. His future is bright and open to all possibilities.  Or is it? While the hospital protected his body, are they protecting his personal information? Can someone steal his identity, potentially jeopardizing his future? Children are a common target of identity theft because there is a false belief they are too young to have any “valuable” credentials.  What are you doing to make sure the Hayden&#8217;s in your hospital are protected? Be cyber confident so your patients (and their parents) can be confident in you.</span></span></p>
<p style="text-align: center;"><strong>Protect your Patients. Protect your Organization. Protect Yourself.</strong>™</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/08/24/meet-hayden/">Meet Hayden</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5815</post-id>	</item>
		<item>
		<title>Are you Safe?</title>
		<link>https://thirdrock.com/blog/2018/08/17/are-you-safe/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 17 Aug 2018 15:07:28 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[personal safety]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5811</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/08/17/are-you-safe/">Are you Safe?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_8 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5813" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/safety2.png?resize=300%2C172&#038;ssl=1" alt="" width="300" height="172" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/safety2.png?resize=300%2C172&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/safety2.png?w=609&amp;ssl=1 609w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>Safety. Such an important word with so many different connotations. We ask safety questions constantly. Is my family safe? Will my house be safe? Is this a safe neighborhood? Are our schools safe? Many technologies are designed specifically to pacify our desire to feel safe.  We can track our child&#8217;s cellphone. We buy alarms for our homes and doorbells with cameras. Schools install cameras and specially locking doors to protect the children.  But one area most people neglect is cyber safety. Why?  Because it is such an abstract issue.  I check the locks on my doors each night before I go to bed.  I can <em>see and confirm</em> they are locked. None of my physical senses will tell me if my PC is being hacked, until it’s too late and the ransomware notice covers the screen.  As an executive, are you doing what it takes to keep your clients safe? Is their information secure within your care? Do you even know where to start looking? Take this short quiz to see if you are on the right path. We can help you answer &#8220;Yes&#8221; to all of your security questions.</p>
<p style="text-align: center;"><strong>Protect your Patients. Protect your Organization. Protect Yourself.</strong>™</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/08/17/are-you-safe/">Are you Safe?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5811</post-id>	</item>
		<item>
		<title>BYOD – Do You Know What’s on Your Network?</title>
		<link>https://thirdrock.com/blog/2018/05/20/byod-do-you-know-whats-on-your-network/</link>
		
		<dc:creator><![CDATA[Mike Moran]]></dc:creator>
		<pubDate>Sun, 20 May 2018 19:18:45 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[Bring Your Own Device]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[network discovery scan]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5623</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/20/byod-do-you-know-whats-on-your-network/">BYOD – Do You Know What’s on Your Network?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_9 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><img data-recalc-dims="1" loading="lazy" decoding="async" class="wp-image-5632 size-medium alignleft" style="margin-top: 10px; margin-right: 10px; margin-bottom: 5px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_10348_01642.jpg?resize=300%2C200&#038;ssl=1" alt="BYOD | Bring Your Own Device | Cyber Risk Management" width="300" height="200" /></p>
<p>Is your company allowing employees to <em><strong>bring their own devices</strong></em> and use them to log onto the corporate network? If so, do you know what is happening on your network as well as how many devices are on your network?</p>
<p>Recently, I ran a network discovery at a company and found some interesting things. First, I ran the discovery during the &#8220;off hours,&#8221; meaning there should have been no one in the facility and only the automation and security systems operating.  Instead, the scan showed 70 computers, instruments, and printers running on the network.</p>
<p>Next, I ran the same scan during business hours &#8211; full production and full staff &#8211; resulting in 120 devices being found on the network.  What were the additional devices?  Some of the devices were corporate workstations which get turned off overnight, and the remainder of the ‘new’ devices were <strong><em>personal cell phones.</em></strong></p>
<p>Now, depending on how your networks are configured, that might not be a problem. In a properly segmented network, company-owned devices would have their own segment, and employees&#8217; personal cell phones, laptops, and tablets would be on one or more additional segments. In this case, however, the staff members&#8217; devices were also on the production network, introducing significant risk for the organization. Phones are susceptible to all the same types of malware and viruses as computers. Yet, phones and tablets are much less likely to be running anti-anything (e.g., anti-virus, -malware, or -spyware).</p>
<p>Additionally, a lot of cell phones support tethering, which would allow the user to exfiltrate data via the cell phone to another computer, server, or cloud repository without the company being able to detect it.  This would be done by connecting the device to the internal network and then tethering the device to the external network.  Once connected, data can flow in both directions: good data (company confidential data) going out and bad data (viruses, malware, spyware) coming in.  Or worse yet, someone else could establish a presence, which would allow them to attack other companies while disguised as your company or establish a server from which they transmit spam and porn from your network.</p>
<p>The lesson to learn is that things are never as easy or as secure as you think they are. Be diligent about policies, processes, and knowing <em><strong>what</strong></em> should be flowing <em><strong>where</strong></em> on your network.</p>
<p>If you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  <a href="mailto:info@thirdrock.com">info@thirdrock.com</a></p>
<h3 style="text-align: center;"><strong>Building a Cyber Confident</strong>℠<strong> World</strong></h3></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/05/20/byod-do-you-know-whats-on-your-network/">BYOD – Do You Know What’s on Your Network?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5623</post-id>	</item>
	</channel>
</rss>
