People Are the Most Important Part of IT Security
Posted On: November 8th, 2016
Director, Change Healthcare Managed IT
The recent distributed denial of service (DDoS) attack that affected the operations of Amazon, Twitter, Netflix and others may not happen to your organization. But make no mistake: cyberthieves are after your organization’s data.
You often hear about credit card records being stolen, but the value of those records on the black market is tiny compared to a healthcare record, which is worth $355. That’s 50% more than the next most-valuable category, education records. With that much value, it’s well worth the effort of thieves to target smaller medical providers, such as home care organizations.
In 2015, more than 707 million data records were compromised, which is actually fewer than in 2014. But that’s still nearly two million records daily. A data breach can do more than expose your records—it also could result in steep federal fines, civil lawsuits, loss of business, loss of reputation and the cost of recovery.
Although you may think the weakest link is your IT data security, it may actually be your staff. One exposed password or one click on a malicious link can open your organization’s critical data to prying eyes.
Ransomware and phishing
Ransomware and phishing prey on human curiosity by placing malicious links into otherwise tempting emails or internet sites. You’ve no doubt seen those paid advertisements at the end of internet news articles with headlines such as “Six Celebrities You Didn’t Know Were Dead,” or “Fashion Tips You Can’t Afford to Ignore.” That’s known as click bait, and while those links themselves likely aren’t malicious on well-respected news sites, random clicking around can take you to dangerous places.
The same thing applies to email. The best-known example of phishing is the letter from Nigerian royalty requesting help transferring assets out of the country. Spear phishing is much more personalized, with your name on the email. It also could appear to be from FedEx, your bank or a shopping site such as Amazon.
Clicking on a malicious link can cause malware to be placed on your computer that can expose organizational records to theft or lock the information down in a ransomware attack. In the first three months of the year, $209 million was paid by organizations to release their own data, an eight-fold increase over what was paid over all of 2015.
What you can do
The fixes to many potential cyber attacks are simple and straightforward. The key is making every worker understand his/her role.
For IT professionals, that means ensuring that your organization has sufficient firewall protection against penetration attempts, as well as up-to-date malware protection. Administrative passwords shouldn’t be “password,” “admin123” or other simplistic phrases. They should be strong, changed frequently and never written down. Likewise, you should be aware of who has access to your systems, including vendors and contractors, as well as how various systems interact from a security/password standpoint.
Organizations should pay close attention to mobile devices such as laptops and smartphones. Not only should you have an accurate inventory of such devices, they should be encrypted, have device-level passwords and feature remote lock/wipe capabilities in cases of loss or theft. Additionally, operating systems and security patches must be kept current, and un-trusted apps should be blocked.
Users of electronic devices should always secure their devices, lock the screen when away and never allow unauthorized users to take control of the device. On the last point, think about the risk of allowing your children to use a work device. They aren’t as cautious as adults, and may be easily enticed to click on links they don’t realize could be malicious.
And to avoid phishing expeditions, be wary of clicking on notices from your bank, Netflix and other companies whose services you don’t use or are not expecting correspondence from. If you think it might be important, you should initiate contact using known good contact info instead of information from the email or text message.
The most difficult part about keeping your company information safe may be helping employees understand the critical role they play.