
Mastering Cybersecurity: Comprehensive Insights for Company Owners 

Welcome to the Bits and Bytes CEO Insights video series, a valuable source of knowledge where industry leaders Mark Schilling, Chris Olson, and Greg Bibeau come together to share in-depth strategies for fortifying your company’s cybersecurity. In this extended discussion, we will explore crucial aspects ranging from foundational practices to advanced measures, offering you a complete guide to navigating the ever-evolving landscape of digital security.

Foundational Security Measures: Building a Solid Base

At the core of any robust cybersecurity strategy lies a foundation of good login hygiene. Mark Schilling, founder and CEO of Schilling IT Managed Services, based out of Valparaiso, Indiana, emphasizes the significance of cultivating this practice. He stresses the need for unique passwords, advocating for the use of password management tools to ensure their effectiveness. In the digital age, where password reuse is a common pitfall, he further recommends the widespread adoption of Multi-Factor Authentication (MFA). To demystify this crucial security layer, Schilling provides clarity on what MFA entails, making it accessible for business owners to implement across their systems.

Adding to this perspective, Chris Olson, IT director of Catalyst IT Managed Services in Sioux Falls, South Dakota, brings attention to role-based access controls. In an era where remote work is increasingly prevalent, understanding and assigning access based on job roles becomes paramount. Olson emphasizes that the principle of least privilege should guide these decisions, ensuring that individuals have access only to the information necessary for their specific roles. As a foundational measure, this practice significantly reduces the attack surface, making it more challenging for unauthorized entities to compromise sensitive data.

Greg Bibeau, founder and CEO of Terminal B in Austin, Texas, introduces an often-overlooked aspect—asset control. The inventory of devices within a business is a cornerstone of security. Maintaining a comprehensive record of all devices connected to the network ensures that potential vulnerabilities are minimized. Bibeau advocates for a proactive approach, urging businesses to routinely update this inventory to reflect changes in their digital ecosystem accurately.

Role of Penetration Testing: Elevating Security Practices

Moving beyond foundational measures, the experts delve into the realm of advanced security considerations, with a spotlight on the role of penetration testing. Mark Schilling suggests a collaborative approach by engaging external firms to conduct security assessments. This external perspective brings a fresh set of eyes to the organization’s security infrastructure, often uncovering vulnerabilities that may be overlooked internally. Schilling underscores the value of these periodic tests, emphasizing that security is not a one-time effort but an ongoing process.

Chris Olson further differentiates between vulnerability testing and penetration testing, shedding light on their distinct purposes. While vulnerability testing focuses on identifying weaknesses in a system, penetration testing takes it a step further by simulating real-world cyberattacks. The proactive nature of continuous vulnerability assessments, as advocated by Olson, becomes evident in preventing security weaknesses from being exploited. By integrating these practices into the cybersecurity strategy, businesses can stay ahead of potential threats and continuously improve their defenses.

Employee Training and Awareness: The Human Element of Cybersecurity

Greg Bibeau brings forward a critical but sometimes underestimated aspect—employee training. In a landscape where technology evolves rapidly, Bibeau highlights that even the most advanced tools cannot guarantee security if employees are not adequately trained. Basic training on safe computer usage becomes essential, instilling a culture of security within the organization. Beyond the basics, ongoing security awareness training is crucial to keep employees informed about evolving threats and risky behaviors.

Advanced Antivirus vs. EDR: Navigating the Modern Security Landscape

As the discussion progresses, the focus shifts to the evolution of antivirus solutions. Chris Olson clarifies the distinction between traditional antivirus and the newer Endpoint Detection and Response (EDR) solutions. While antivirus primarily relies on a dictionary check for known threats, EDR introduces a more sophisticated approach. By incorporating behavioral analysis and response mechanisms based on predefined playbooks, EDR enhances the organization’s ability to detect and respond to emerging threats effectively.

Incident Response: Strategies When the Unthinkable Happens

The experts unanimously agree on the critical nature of the initial response when confronted with a cybersecurity incident. Prompt communication with both the managed service provider (MSP) and the insurance company is emphasized. Chris stresses the importance of cybersecurity insurance as a fundamental necessity. This insurance covers a spectrum of aspects, from negotiating during a ransomware attack to addressing business interruption and even reputational damage.

Data Protection: Safeguarding Your Digital Assets

A central theme in the conversation is data protection, with a specific focus on the crucial role of backups. Greg underscores the importance of investing in additional backup products for critical data, including emails, OneDrive, and SharePoint. While Microsoft 365 infrastructure is well-backed up, individual emails may not be. Therefore, adopting the “321 methodology” becomes essential—maintaining three copies of data on two separate media types, with one copy stored offsite. This approach, coupled with regular testing of backups, ensures that businesses can rely on their backup systems when urgently needed.
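The 3-2-1 check described above (three copies, two media types, one offsite, plus regular restore tests) can be run against a backup inventory. This Python example is added here and is not from the video or from Terminal B; the inventory fields, dataset and site names, the 90-day test window, and the choice to count the production copy as one of the three are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_TEST_AGE = timedelta(days=90)  # assumption: "regular testing" means quarterly


@dataclass(frozen=True)
class DataCopy:
    dataset: str                      # what is protected
    role: str                         # "production" or "backup"
    media: str                        # e.g. "disk", "nas", "cloud-saas", "cloud-object"
    site: str                         # where the copy physically or logically lives
    last_restore_test: Optional[date] = None   # None means never restore-tested


def check_321(inventory, dataset, today):
    """Return a list of 3-2-1 findings for one dataset (empty list = compliant)."""
    copies = [c for c in inventory if c.dataset == dataset]
    backups = [c for c in copies if c.role == "backup"]
    prod_sites = {c.site for c in copies if c.role == "production"}
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type, need 2")
    # "Offsite" is relative to where production lives: for cloud-hosted mail,
    # a second copy inside the same tenant is not offsite.
    if not any(c.site not in prod_sites for c in backups):
        findings.append("no backup stored away from the production site")
    if not any(c.last_restore_test is not None
               and today - c.last_restore_test <= MAX_TEST_AGE for c in backups):
        findings.append("no backup restore-tested in the last 90 days")
    return findings


def report(inventory, today):
    """Findings for every dataset in the inventory, keyed by dataset name."""
    return {d: check_321(inventory, d, today)
            for d in sorted({c.dataset for c in inventory})}


# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 15)
INVENTORY = [
    DataCopy("file-shares", "production", "disk", "austin-office"),
    DataCopy("file-shares", "backup", "nas", "austin-office", date(2024, 5, 20)),
    DataCopy("file-shares", "backup", "cloud-object", "cloud-region-a", date(2024, 6, 1)),
    # Mailboxes with only the provider's own copy.
    DataCopy("m365-mailboxes", "production", "cloud-saas", "m365-tenant"),
    # SharePoint with a same-tenant copy and a stale third-party backup.
    DataCopy("sharepoint", "production", "cloud-saas", "m365-tenant"),
    DataCopy("sharepoint", "backup", "cloud-saas", "m365-tenant"),
    DataCopy("sharepoint", "backup", "cloud-object", "third-party-cloud", date(2023, 11, 1)),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, TODAY).items():
        print(name, "OK" if not findings else findings)
```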

Staying Informed: A Proactive Approach to Cybersecurity

To stay informed about emerging threats, the experts recommend leveraging the resources provided by the Cybersecurity and Infrastructure Security Agency (CISA). This federal agency oversees cybersecurity and offers valuable insights into evolving threats and vulnerabilities. Subscribing to CISA’s alert feeds provides businesses with regular updates, allowing them to stay ahead of potential risks.

In addition to governmental resources, the experts suggest following reputable cybersecurity professionals on platforms like LinkedIn. Mark recommends Wes Spencer, known for his effective communication of cybersecurity concepts without overwhelming technicalities. This approach enables both technical and non-technical audiences to understand and stay informed about cybersecurity trends.

Navigating the Complex Landscape of Cybersecurity

In conclusion, this insightful conversation with cybersecurity experts provides a comprehensive guide for company owners looking to enhance their security posture. From foundational practices to advanced strategies, the importance of continuous improvement and adaptation is evident. Cyber threats are dynamic, and as businesses evolve, so should their cybersecurity measures. Implementing a holistic and proactive approach ensures that your digital assets remain safeguarded in the face of evolving challenges.

Stay tuned for more valuable insights from industry experts on the Bits and Bytes CEO Insights webinar series, guiding you through the intricate path of navigating the complex landscape of cybersecurity.

Experts from this video:

  Greg Bibeau, Terminal B in Austin, Texas

  Chris Olson, Catalyst IT Managed Services in Sioux Falls, South Dakota

  Mark Schilling, Schilling IT Managed Services, based out of Valparaiso, Indiana

 

Benefits Of Cybersecurity

What Is Cybersecurity and Why Is It Important?

64% of companies have experienced some form of web-based attack. 51% of companies have experienced a denial of service attack. And 62% of companies have experienced some form of phishing or social engineering attack. 

The statistics go on. If you’re thinking that your business doesn’t need cybersecurity, you’re wrong. You could end up in trouble very soon if you don’t hire cybersecurity professionals. 

Are you still not convinced? If so, read on! This article will tell you all about the benefits of cybersecurity. 

What Is Cybersecurity? 

Cyberattacks can plunge businesses like mid-market healthcare companies into chaos. The people who create these attacks can steal business data, shut down technology, and more.

Cybersecurity primarily involves protecting internet-connected systems such as data, software, and hardware from these threats. Professionals can help businesses create a strong cybersecurity strategy that can provide a high level of protection. 

Some cybersecurity professionals can also help businesses create a post-cyberattack plan. This can help the business recover its data and continue its business.

What Is Internet Security? 

Internet security includes managing internet-associated risks. All of a business’s web apps, browsers, sites, etc. need protection. 

You may have heard people refer to internet security and cyber security interchangeably. In reality, they shouldn’t be doing this. Not all cybersecurity services involve online security.

However, most of the threats that a business will deal with will come over the internet. So any cybersecurity expert your company hires should mostly deal with internet security. 

Types of Cyber Attacks 

So what types of threats is your, say, commercial construction firm up against? Below, you’ll find some of the ways in which malicious individuals can attack your business’s network. 

Malicious Websites 

Many internet sites can infect a business’s network. If an employee accesses such a malicious site, the network can become flooded with malware. This can cause system malfunctions and/or steal data. 

In addition, certain malicious individuals can access illegal or inappropriate content with a company’s system. This can harm a business’s reputation. 

Credential Stealing 

Cybercriminals can collect user credentials. This includes passwords, usernames, etc. These criminals can then use this information to access corporate systems. 

How can cybercriminals get these credentials? They may create phishing sites or organize data breaches. In other situations, they can easily guess weak and reused passwords.

Phishing 

Phishing is a method that cybercriminals use to gather user data. They will send emails to targets that appear to be from trusted companies. Usually, these emails will ask the recipients to give them certain types of data. 

If the recipient trusts the email, they will give up their data. This can give cybercriminals access to bank accounts, data networks, etc. 

Malware 

The term “malware” is short for malicious software. This is software that cybercriminals create for evil purposes. They may try to send the malware to the network itself or trick someone else into downloading it. 

Once a piece of malware is in a computer system, it can cause problems in several ways. It may hijack the system, steal or encrypt data, cause system malfunctions, and/or hurt a system in other ways. 

Loss of Data 

Companies don’t just lose data through cyberattacks alone. In many cases, employees may accidentally leak data themselves. They may divulge it to an outsider or save sensitive data on unsecured personal accounts. 

Why Is Security Important?

So why should a business like a pharma firm protect itself from these kinds of threats? You can find some reasons for this in the sections below. 

Prevent Business Disruptions 

Are you looking to increase productivity at your company? If so, you don’t want your business to suffer cyberattacks. A cyberattack could disrupt your business’s operations.

Protect Employees and Customers 

The personal data of employees and customers can get leaked in a cyberattack. If this happens, your employees and customers will trust you less, and both may end up leaving your business.

Prevent a Damaged Reputation 

As mentioned earlier, cybercriminals can use your network to access illegal and morally questionable content. They can also access and leak questionable data from your network. This can ruin your business’s reputation and cause you to lose business. 

Protect Your Company Finances 

Cybercriminals may be able to access the bank account where your company stores its financial assets. If they do this, they could drain your company of funds. 

Comply With Regulations 

Some industries have regulations in place that require businesses to have a certain amount of data security. If you allow a breach to happen, your company may have to pay hefty fines and deal with other penalties. 

The Benefits of Cybersecurity Services 

As you can see, good cybersecurity can help your business stay safe in several ways. But you may be thinking that you don’t need cybersecurity professionals. You may believe that your business can create a cyber security plan on its own. 

DIY cybersecurity plans are possible, but experts do not recommend them. All the cybersecurity tips you can find online cannot match a cybersecurity team’s level of experience. Here are some ways that these professionals can help you. 

  • Can easily identify the nature of cybersecurity threats 
  • Can quickly resolve any problems caused by cyberattacks 
  • Can provide small businesses with the same services as large ones
  • Can teach employees how to deal with cybersecurity threats
  • Can tell you all about the regulations your business needs to follow 
  • Can recommend the best cybersecurity tools and procedures 
  • Can cost less than an in-house IT and/or cybersecurity team. 

Try Our Cybersecurity Services 

Now that you know the benefits of cybersecurity services, you should see why your company needs them. Hopefully, you will soon be off to find the best possible services. This should keep your company nice and safe. 

And if you’re a technology decision-maker in Texas, you don’t need to look any further than our cybersecurity services. We will train your staff and create an impenetrable cybersecurity plan. We’ll also make sure that it complies with all the demanding standards.

Schedule your discovery session by filling out the form on this page.

AGCO Cyber Attack

AGCO Ransomware Attack: What Is It and How Do You Protect Yourself From It?

On May 5, 2022, the agricultural manufacturing giant, AGCO, was hit by a ransomware attack that halted its operations. This cyber attack resulted in data exfiltration, financial losses, and operational disruption. Luckily, due to AGCO working outside of retail, no consumers lost their data in the attack.

The AGCO ransomware attack is just one of the countless cyber attacks that target businesses in the USA. San Antonio and Austin, TX, are thriving business hubs, and if you’re based here, you need to take steps to protect your data.

If you manage your business operations in-house, a lack of resources could leave you vulnerable to a cyber attack.

How could you defend against the AGCO cyber attack? What exactly is AGCO ransomware? How can you keep your data safe?

This AGCO guide will help you. Read on and let’s get started!

How Does an AGCO Ransomware Attack Work?

We know what happened in the AGCO ransomware attack, or at least, we know the end result: damage to a major corporation. Entire cities are targets: The city of Oakland entered a state of emergency in February 2023 after a ransomware attack plagued its IT systems.

Ransomware is one of the most damaging forms of malware. Let’s see how it sinks its teeth into your data.

Ransomware works by getting into your system files, encrypting sensitive data, and then threatening to delete it unless you pay the hacker a financial ransom. For big businesses, the ransom to get the data back can be 7 figures or more, and there’s no guarantee the hacker will keep their word.

Most businesses use encryption to protect their data, and consumer computers often come with whole-disk encryption software pre-installed. When the decryption key is personal to you, no one else can read your data. Ransomware poses such a huge threat because the hacker holds this key.

AES-256 encryption uses a 256-bit key to encrypt your data. It is a form of symmetric encryption which uses the same key to encrypt and decrypt the data. In a brute force attack, with no knowledge of the victim, AES-256 is almost impossible to crack, taking multiple years even for a supercomputer.

So, you see the dilemma you face if AGCO ransomware gets hold of your data. You need to protect yourself, and one of the best ways is with managed IT services with specialized training in cyber security.

The benefits of investing in ransomware protection far outweigh the costs. Damage to your business reputation, loss of consumer data, and financial costs can be hard to recover from.

How to Protect Yourself From an AGCO Ransomware Attack

Managed IT services can protect you from ransomware in a number of ways. These are some of the basic strategies you can implement, but there are new techniques arising every day to match the evolving cyber threats. Without assistance, it can be time-consuming to keep track of them all.

Data Backup, Recovery, and Cloud Services

Cloud services, like Azure Cloud, make it harder for attackers to reach your data. They also protect your data from physical theft of equipment, like hard drives, while making it easier for your team to collaborate. Cloud backup lets you recover your data, even if the hacker decides to delete it.

Managed service providers keep track of your backups for you. When you’re busy with your business, it can be easy to forget to make backups at regular intervals. Miss one, and you could lose something essential.

Even though cloud services give you a remote backup, offline backups still have their place too! They can be stolen, but without them, you rely on your cloud service entirely – plus you can disconnect them if you detect a breach. Use a mix of physical and cloud backups to ensure you can access your data even if the worst happens.

Team Cybersecurity Training

Training your team in cybersecurity is one of the best ways to protect yourself. Human error accounts for the majority of data breaches – all you need to do is download the wrong email attachment – so team training is vital. Plan for an AGCO cyber attack the same way you plan for any business threat.

That said, training an in-house team dedicated to cybersecurity often costs you more than teaming up with a managed services provider. They have experts in cybersecurity ready to help you, and they can help train your other team members too. This combination frees up your resources and saves on your total expenses while offering you optimal protection.

Remote Management and Monitoring (RMM)

RMM enables your managed services provider to help you from anywhere. They can schedule manual updates and backups, mitigating security threats and keeping you updated. Your cybersecurity experts can patch holes in your security and perform regular analysis to find any additional gaps.

Endpoint Detection and Response (EDR) Services

AGCO ransomware fails to hurt you if it fails to reach your files. Having up-to-date firewall and antivirus systems helps to keep you safe, but you need to keep regular updates scheduled to stay ahead of ransomware as it evolves. Your managed services provider will take care of this for you.

EDR can be complex to implement in complicated business infrastructures. Without special training, you may leave gaps in your protection, and as we all know, antivirus software can affect your computer performance – this is multiplied in an interconnected network, and you need things to run fast to stay efficient.

Upgrade Security for Your Business

An AGCO ransomware attack can devastate businesses of all sizes, and as we’ve seen, even city departments can fall victim to ransomware. The right managed services provider can give you peace of mind.

Terminal B can keep your sensitive data out of the wrong hands. We offer managed services packages tailored to your needs. We have helped businesses in San Antonio and Austin, TX, keep their data safe for over 15 years.

We offer cybersecurity management, Azure Cloud, Azure Virtual Desktop, support, and consultancy services. We specialize in the construction, healthcare, hi-tech commerce, and pharmaceutical sectors.

Ready to tighten your cybersecurity? Book your strategy session today!

Data Loss Prevention: Internal and External Threats

In 1985, CIA officer Aldrich Ames didn’t spend his summer at the park or at the movies. He spent his summer meeting with Russian diplomats and KGB officers in Russia, offering up classified U.S. information about technical operations and personnel.

Until his arrest in 1994, Aldrich Ames continued to volunteer information to Russian officials. Due to his easy access to both information and diplomats as a CIA officer, this was easy money for Aldrich – to the tune of $4.6 million.

In addition to traditional spies and double agents like Aldrich Ames, today’s organizations face a barrage of new threats brought on by the digital age. In this interview, Terminal B Service Manager Alan Stephenson explains that data loss prevention can include many disciplines, from cryptography to legal compliance to data archiving rules.

Tasked with overcoming both internal and external threats, data loss prevention has never been more important, but it has also never been more accessible. Locally-owned cloud service providers like Terminal B can give your company more control than ever over the security of your data, providing security and peace of mind.

What Is Data Loss Prevention?

Data can be deleted, overwritten, shared, copied, and misused – Alan explains that data loss prevention is an extra layer of security in the form of a set of procedures that identify, monitor, and protect your company’s sensitive data.

It includes everything from your company’s shredding policies to your cloud backup service. This combination of digital tools and company policy helps to keep sensitive data out of the wrong hands. Data loss prevention (or DLP) is synonymous with a DLP solution, which is the software companies use to identify, monitor, and protect sensitive data.

Since your company has to protect against a wide range of threats, data loss prevention looks different in different contexts.

Data in Use

Data is “in use” when it’s in a non-persistent digital state. That means that somebody is accessing, reading, processing, updating, or erasing data within the system. Data in use is at risk from both malicious and accidental threats, such as accidental overwriting or deletion.

Data in Motion

To get data from point A to B, you have to set it in motion. When this data is in transit, it is vulnerable to attacks, especially if you are moving it outside of the business’s firewall (for example, sending a contract to an external vendor).

Data at Rest

When data is not in use or in motion, it is in storage. This “at rest” data may be stored on a physical computer or in a cloud-based storage solution. While data at rest is less vulnerable than data in motion, it’s an appealing target for malicious actors because of its volume and value.

Internal Data Loss Threats

Alan explains that while most data loss threats come from external actors, sometimes the call is coming from inside the house – internal actors (either well-intended or malicious) can also cause data breaches.

Accidental

Most of your employees and colleagues are likely to be well-intentioned. However, not following the right procedures (or not knowing the right procedures to follow) can leave your company vulnerable and exposed to the threat of data loss.

While much of data loss prevention focuses on malicious attacks, simple errors like deleting or overwriting data can also be costly. The first example Alan gives is an employee accidentally emailing unencrypted data to the wrong recipient—this kind of innocent mistake can have serious consequences, so businesses must have the right safeguards in place.

One such safeguard is Terminal B’s ability to flag unusual ingoing and outgoing emails, giving users a short window of time to turn back the clock and unsend an accidental email.

Businesses should implement and enforce data policies that restrict access to sensitive documents (users should be able to access only the documents they need to perform their job), prevent users from copying documents onto unencrypted devices, and monitor for unusual email or network activity.

Malicious

In much the same way as malicious external actors, malicious internal actors pose a significant risk to your data security. Internal actors like disgruntled former or current employees and independent contractors are uniquely dangerous because they have access to more data and can do more damage than most external actors.

Methods of stopping malicious internal threats include preventing emails between business and personal accounts, restricting access to copying or moving documents, and layering access to the “crown jewels” of the company – top-priority data like recipes, source code, or financial accounts that internal actors may feel motivated to target.
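The email controls described above (catching sensitive data sent outside the company by mistake, and preventing mail from business to personal accounts) can be expressed as an outbound mail policy. This Python example is added here and is not Terminal B’s product or code; the company domain, the personal-webmail list, the block/hold/allow actions, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"                             # assumption
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption, not exhaustive

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return masked card numbers (last four digits only) found in text."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def evaluate(raw_message):
    """Return (action, reasons) for one outbound plain-text message."""
    msg = message_from_string(raw_message)
    # Header recipients only; a real gateway would use the SMTP envelope (covers Bcc).
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    domains = {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}
    body = "" if msg.is_multipart() else msg.get_payload()  # attachments out of scope
    cards = find_cards(f"{msg.get('Subject', '')}\n{body}")

    reasons = []
    personal = sorted(domains & PERSONAL_MAIL)
    external = sorted(domains - PERSONAL_MAIL - {COMPANY_DOMAIN})
    if personal:
        reasons.append(f"recipient at personal mail domain: {', '.join(personal)}")
    if cards and (personal or external):
        reasons.append(f"card number leaving the company: {', '.join(cards)}")
    if personal:
        return "block", reasons     # business-to-personal mail is not delivered
    if reasons:
        return "hold", reasons      # held for review before release
    return "allow", reasons


# Constructed sample messages; 4111 1111 1111 1111 is a widely used test number.
SAMPLES = {
    "vendor_with_card": "From: pat@example.com\nTo: billing@supplier.example\n"
                        "Subject: Payment details\n\n"
                        "Please charge card 4111 1111 1111 1111, thanks.\n",
    "personal_forward": "From: pat@example.com\nTo: pat.home@gmail.com\n"
                        "Subject: Fwd: price list\n\nQ3 price list below.\n",
    "vendor_invoice":   "From: pat@example.com\nTo: billing@supplier.example\n"
                        "Subject: Overdue\n\nInvoice 1234 5678 9012 3456 is overdue.\n",
    "internal_card":    "From: pat@example.com\nTo: alice@example.com\n"
                        "Subject: Refund\n\nRefund to 4111-1111-1111-1111 please.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

The Luhn check is what keeps the 16-digit invoice number from being treated as card data; without it, a digits-only pattern holds far too much legitimate mail.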

Another important precaution is credential maintenance. Making sure that employees use secure credentials and that former employees and contractors no longer have access to private information is a key component of data loss prevention.

External Data Loss Threats

The most common data loss threat comes from malicious external actors. These malignant forces use various techniques to steal, modify, or corrupt your data – and today’s businesses need to be familiar with these threats.

Hacking

While “hacking” evokes images of frantic tech geniuses in dark rooms, the reality is more mundane – and costlier.

Methods today’s hackers use range from the very simple (like guessing someone’s password) to the more complex (like escalation of privilege or man-in-the-middle attacks). Hackers have many ways to gain access to protected information, and your company needs up-to-date data loss prevention solutions to combat these evolving tactics.

Alan suggests several strategies to mitigate the risk of unauthorized access, such as geo-fencing, multi-factor authentication, blocking vulnerable connections, and implementing data rules.

Phishing

A phishing attack impersonates a legitimate request for information (often by pretending to be an established company or even a specific individual) to trick users into providing confidential information. Phishing is one type of social engineering that costs companies millions of dollars each year.

“Spear-phishing” (or “targeted phishing”) is a phishing campaign that targets specific individuals, while “whale-fishing” or “whaling” exclusively targets top executives.

After gaining access, phishers may simply sit and wait—rather than “killing the golden goose,” Alan explains that phishers can infiltrate organizations for the long term, passing through fraudulent account numbers and poaching financial information over a period of weeks, months, or even years.

To prevent phishing, Alan recommends simulated phishing testing and ongoing monitoring to retroactively secure vulnerabilities.

Malware

One common type of malicious threat is malware – software that a hacker may attach to a system or that a phisher may trick users into installing.

Malware comes in many varieties, such as:

  • Ransomware – Locks down a system until the owner pays a ransom
  • Keyloggers – Stores a complete record of every keystroke on a device
  • Trojan horse – Can do everything from disabling your firewall to locking your entire system.

Physical Theft

While it may seem mundane, physical theft of unencrypted laptops and hard drives (or even post-it notes with credentials written on them) is a significant driver of data loss.

A data loss prevention solution can’t stop burglars from breaking into your office, but it can guide where and how you store sensitive information.

Consequences of a Data Loss: What’s at Stake?

Data is one of your most valuable assets, and a data breach can be costly. Lost business, damaged reputation, and regulatory fines are all significant losses to your company. This makes data loss prevention a top priority for every industry.

Compliance

Depending on your industry, geography, and the size of your company, different regulations may apply to your organization, but some major regulations you should be aware of are:

  • HIPAA. The Health Insurance Portability and Accountability Act regulates how healthcare and healthcare insurance companies must disclose (or not disclose) private information.
  • PCI DSS. The Payment Card Industry Data Security Standard sets rules for how businesses must process, store, and transmit credit card information.
  • CCPA and CPRA. The California Consumer Privacy Act allows California residents to request all the data any company of a certain size collects about them – even if the company is not located in California. The California Privacy Rights Act expands on the CCPA to add more options for consumers to opt out of data collection.
  • SOX. The Sarbanes-Oxley Act of 2002 dictates what kind of information public companies must record and store and how they must disclose that information.

Alan draws attention to an important reason companies use data loss prevention: having a written policy for compliance is important, but when employees diverge from the policy, a technological safeguard is an extra layer of security.

Reputation

Data breaches cause reputational damage to 46% of companies – 60% of which are likely to go out of business from reputational damage. Once your stakeholders lose trust in your organization, earning that trust back is an uphill battle.

Financial Loss

Data breaches are too costly to ignore, and they get costlier every year. A data breach in 2022 costs nearly 3x as much as a data breach in 2006. The financial risks of a data breach include regulatory fines and settlements, ransoms paid to hackers, the cost to replace stolen or deleted documents, and the cost of losing business due to reputational damage.

Following a 2015 data breach, Anthem learned how expensive falling out of compliance can be, to the tune of $16 million in HIPAA settlement costs. While $16 million is a significant outlay, it’s far from the most expensive data breach, as the cost of high-profile breaches like Equifax’s 2017 breach or Epsilon’s 2011 breach could be in the billions.

Data Loss Prevention Through Terminal B

Is your data secure? Do you know that it’s secure?

Data loss prevention has historically been expensive, with only the biggest companies able to afford high-functioning security. Today, Terminal B makes cybersecurity simple and accessible to a wide range of businesses. As one of the only locally owned managed service providers, we can bring you the best of both worlds: worry-free service from experienced professionals paired with a level of personal attention that larger firms can’t provide.

You shouldn’t have to be a DLP expert to stay secure. Rest assured that you are secure and compliant by trusting Terminal B’s worry-free IT ecosystem.

Don’t leave your security up to guesswork, and don’t leave yourself vulnerable to data breaches. Terminal B is one of only a handful of Microsoft Gold Cloud Service Providers in the country: with this level of experience and expertise at your disposal, let our experience be your competitive advantage.

Ready to experience what it’s like to have technology you can trust? Contact us today to learn more.

Practical Things Everyone Needs to Know About HIPAA Compliance

A Little Free Library is an innovative way to promote education, bring a community together, and share with others.

The concept is simple: A steward sets up a public bookcase and invites anybody to take or borrow a book for free, or to contribute books of their own. There’s no shopkeeper, no librarian, no guard – Little Free Libraries run on the honor system.

While most neighborhoods gladly welcome a Little Free Library, they aren’t without risk. Occasionally, a rogue “patron” cleans out the entire library, selling the charitable contributions for profit at a local bookstore. To checkmate this threat, some Little Free Libraries started stamping books and asking local bookstores not to buy books with their unique stamp.

The honor system works up to a point, but once the violations become pernicious, communities have to create specific rules. For health information, the stakes are high, and the rules are important. The Health Insurance Portability and Accountability Act (HIPAA) sets the rules for how covered entities record, store, and share protected health information – replacing the “honor system” that healthcare companies had used previously.

HIPAA compliance is important for many reasons:

  • Protects patients’ privacy
  • Protects organizations from hefty fines and settlements
  • Promotes trust among consumers and organizations

In this video, Cyber Trust Alliance CEO and co-founder Randy Steinle shares some practical things about HIPAA compliance that are important for everyone to know.

What Is HIPAA and What Does It Protect?

For most of the 20th century, there was no federal law protecting the privacy of health information. Some states had their own laws, but most institutions were free to establish their data security policies.

That changed in 1996 when then-president Bill Clinton signed HIPAA into law.

As this video from Compliancy Group – a HIPAA compliance solution – explains, HIPAA establishes federal rules that covered healthcare entities must follow to protect the privacy of sensitive patient information. Lawmakers have amended HIPAA several times – recently with the Final Omnibus Rule of 2013, which clarified some gray areas and updated terminology to reflect current technology.

Covered Entities

This video explains the four types of entities HIPAA covers under the law:

  • Healthcare providers – such as hospitals, clinics, and private practices of any size
  • Health plans – including government-, employer-, and church-sponsored plans
  • Healthcare clearinghouses – which are essentially the middleman between healthcare providers and health plans
  • Business associates – like data analysts who provide a service for a covered entity

While all of these entities fall under HIPAA regulation, Randy says that 84% of organizations are falling short in their compliance practices.

Protected Health Information

Compliancy Group describes covered information under HIPAA as Protected Health Information (PHI). HIPAA recognizes 18 PHI identifiers:

  • Names
  • Geographical subdivisions smaller than a state (such as city, county, or street address)
  • All dates related to an individual (birth date, admission date, etc.)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • VINs or license plate numbers
  • Device serial numbers
  • URLs
  • IP addresses
  • Biometric identifiers (fingerprint, voice prints, etc.)
  • Full face photographs
  • Any other unique identifying number, characteristic, or code

Patient Rights Under HIPAA

The most fundamental right patients have under HIPAA is that covered institutions may not disclose the patient’s protected health information to unauthorized entities. There are five rules within HIPAA:

  • Privacy Rule – governs how covered entities use and disclose PHI
  • Transactions and Code Sets Rule – creates national standards for transactions and identifiers
  • Security Rule – protects PHI when it’s stored digitally (which the rule calls “electronic protected health information” or “e-PHI”)
  • Unique Identifiers Rule – requires providers, plans, and clearinghouses to use a National Provider Identifier (NPI)
  • Enforcement Rule – sets fines and penalties for HIPAA violations

Within these rules, patients have some unique rights under HIPAA.

Right to Access Health Information

While HIPAA doesn’t permit covered entities to disclose PHI, they are not only allowed but are required to disclose PHI to the patient themselves at their request. HIPAA gives patients the right to access their own health information, including protected health information.

In this interview, Randy explains that this right to access healthcare records has led to a dramatic increase in government scrutiny in recent years.

Right to Release Records

A patient may want their family to have access to their health records, or they might want to keep family out of their records. Under HIPAA, patients have the right to release records but also the right to restrict records.

Right to Modify Records

When the patient accesses their own health information, they have the right to make legitimate corrections to the record. There’s a caveat to this right: Their corrections must be accurate. HIPAA does not permit patients to simply erase or fabricate their own records, but they can request changes to inaccurate information.

Right to Access Disclosure History

There are exceptions to the privacy rule – for example, hospitals may disclose certain information to the patient’s own health insurance provider, to law enforcement under certain circumstances, or certain kinds of information to public health data analysts. While HIPAA allows certain exceptions, patients have the right to see the history of how covered entities have disclosed their information.

Common Causes of HIPAA Breaches

HIPAA breaches are serious violations of privacy and carry heavy fines, but breaches do inevitably occur. In fact, Randy explains that over 50 million records are compromised each year. While there is no single strategy, understanding the common causes of HIPAA breaches can help you take a proactive approach to compliance.

Organizations like Compliancy Group help organizations stay compliant by creating HIPAA programs and assigning dedicated compliance coaches, but there are steps your organization must take on its own:

Training

On the surface, HIPAA is straightforward: Don’t share PHI. In practice, however, the various types of data, various types of entities, and exceptions can make HIPAA compliance a complicated task.

Consider an example: Jane Doe is 15 years old and suffers from anxiety. After a counseling session, her parents ask the healthcare provider how her treatment is going. Is the counselor allowed to share Jane’s information with her parents?

The answer depends on the state. While HIPAA generally authorizes parents to access their minor dependent’s records, many states make exceptions for certain types of sexual, substance abuse, or mental health information for adolescents.

This is just one example of the nuances of HIPAA. Because there are so many potential complications, HIPAA training should be comprehensive and ongoing. Randy shares that at a minimum, federal law requires entities to train their staff on HIPAA at least once a year. Many HIPAA breaches come from well-intentioned employees who simply didn’t know better.

In this interview, Terminal B’s David Reimherr points out that training isn’t just necessary to get a good insurance rate – it’s necessary to get an insurance policy at all. Training is the most important investment you can make in your HIPAA compliance.

Mishandling

In a busy workplace, it’s easy for a healthcare worker to accidentally leave a file on a counter, walk away from an unlocked computer, or talk to a colleague within earshot of others. These are all examples of simple data mishandling that can lead to breaches in HIPAA compliance.

Technology has helped to mitigate data mishandling as tools, like keycard access to computers, layered security for sensitive documents, and digital documentation, have lessened the risk of mishandling physical documents. However, user error (even among well-trained workers) is still an unsolved risk element for covered entities.

As Randy points out, many organizations fall short because they try to replace IT tools with DIY solutions that don’t address the whole picture of security and compliance. While training goes a long way toward HIPAA compliance, organizations should be mindful of other tools they can use to stay safe and compliant.

Carelessness

“Did you hear that a famous actor was at my hospital?” “How’s your dad recovering from his accident? I saw him on my last shift.” “My mom said she was fine, but I looked up her chart, and she needs treatment.”

These are all seemingly mundane yet serious examples of careless gossip that is not HIPAA compliant. Looking up records for a patient you are not treating (such as a celebrity or even a family member) and discussing patients with others (even if the patients are public figures or relatives) are serious HIPAA violations.

Malignant Data Breaches

While the other examples of HIPAA breaches have boiled down to human error, malignant data breaches are intentional.

On the black market, payment card information (such as a credit card number) is only the second most valuable type of data. The most valuable? Healthcare records.

Healthcare records are over 45 times as valuable as a credit card number on the black market. This makes healthcare data a lucrative target for bad actors like hackers and thieves.

This is where data loss prevention solutions can help covered entities like healthcare providers and health plans. As technology moves forward in leaps and bounds, hackers are constantly finding new ways to circumvent security, and organizations must be proactive about addressing these vulnerabilities.

Data loss prevention solutions help to identify, monitor, and protect sensitive information like PHI, and these solutions can put your organization on a level playing field by taking advantage of the same advances in technology that malicious actors are using.
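A minimal sketch of the "identify" step of data loss prevention, added here as an example and not taken from the article or any DLP product: it scans free text for several of the 18 PHI identifiers listed earlier that have a recognizable shape, then redacts them. The sample note, the MRN format and every function name are constructed assumptions. Names and other unstructured identifiers need dictionary or named-entity techniques that patterns alone cannot provide, which is why "Jane Doe" survives redaction here.

```python
import ipaddress
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str    # which PHI identifier category matched
    value: str   # the matched text
    start: int   # offset in the scanned text


# Patterns for identifiers with a predictable shape. The MRN format
# ("MRN" followed by 6-10 digits) is an assumption; real formats vary by provider.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "URL": re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:!?)]"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{6,10}\b"),
}


def _valid(kind: str, value: str) -> bool:
    """Second-stage check to cut false positives (e.g. 300.1.2.3 is not an IP)."""
    if kind == "IPV4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return False
    return True


def scan(text: str) -> list:
    """Return every pattern-detectable PHI identifier, ordered by position."""
    findings = [
        Finding(kind, m.group(), m.start())
        for kind, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
        if _valid(kind, m.group())
    ]
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with a [KIND] tag, skipping overlapping matches."""
    out, cursor = [], 0
    for f in scan(text):
        if f.start < cursor:      # already covered by an earlier finding
            continue
        out.append(text[cursor:f.start])
        out.append(f"[{f.kind}]")
        cursor = f.start + len(f.value)
    out.append(text[cursor:])
    return "".join(out)


# Constructed sample note; no real patient data.
NOTE = (
    "Patient Jane Doe (MRN 00482913), DOB 03/14/1961, SSN 123-45-6789. "
    "Call 512-555-0142 or email jane.doe@example.com. "
    "Portal login from 203.0.113.7 at https://portal.example.org/records/48213."
)

if __name__ == "__main__":
    for finding in scan(NOTE):
        print(f"{finding.kind:6} {finding.value}")
    print(redact(NOTE))
```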

Exceptions to HIPAA

As this guide has alluded to, there are some exceptions to HIPAA that covered entities need to know about. These permitted uses and disclosures help clarify what types of use HIPAA permits and doesn’t permit.

  • Disclosure to the individual. Not only are individuals allowed to know their own healthcare information, but they also have the right to request and receive it.
  • Treatment, payment, and healthcare operations. Imagine that you are hospitalized for several days. Every 12 hours or so, nurses and doctors change shifts. Should each new nurse start with zero information? HIPAA permits covered entities to disclose PHI both internally and externally when it’s necessary for treatment, payment, or healthcare operations. This includes sharing PHI internally among clinicians, as well as externally to collect payment through your health plan.
  • Opportunity to agree or object to the disclosure of PHI. Patients have the right to control the disclosure of their own PHI. Non-permitted entities, on the other hand, have the right to request this information from patients directly as long as the patient has the opportunity to agree or object.
  • Incident to an otherwise permitted use and disclosure.
  • Limited dataset for research, public health, or healthcare operations. Entities can use certain types of data (usually aggregated/non-identifiable) for legitimate research, public health, or healthcare operations.
  • Public interest and benefit activities, such as when required by law, when it’s needed for identification or donation for a deceased patient, or in the event of a serious threat to safety.

Stay Compliant with Terminal B

Compliance is not a luxury – it’s a necessity: Not only to protect yourself from the fees and penalties for noncompliance but also to protect consumer privacy. Randy suggests starting with online templates but points out that for most companies, that isn’t enough. To stay compliant, you need the help of dedicated IT professionals.

While there’s no easy button to staying compliant, Terminal B is here to help. By helping take the guesswork and stress out of HIPAA compliance, Terminal B can help you wherever you are on your IT journey.

HIPAA is complex and high-stakes, but with the right team of experienced professionals on your side, HIPAA doesn’t have to be stressful. At Terminal B, our experience is your competitive advantage.

To learn how Terminal B can help you stay compliant and productive, contact us today.


Randy is the CEO and Co-Founder of Cyber Trust Alliance. A 30-year technology veteran, Steinle has led multi-million dollar organizations in higher education, manufacturing, IT services and healthcare. He is passionate about providing affordable and achievable solutions for underserved markets in the healthcare space. In his spare time, Steinle manages the global partnership between Microsoft and the International Association of Microsoft Channel Partners (IAMCP) serving over 5,000 partners globally. He’s married to Beth, a Professor and Sr. Associate Dean at the University of Texas in Austin and the proud father of 4 grown children.

4 Critical Concepts for Security and Productivity

In the digital animation anthology Love, Death & Robots, one memorable episode tells the story of a couple who finds a miniature civilization growing in an old freezer.

The tiny citizens go from ice age to stone age to iron age in a matter of minutes, evolving from prehistoric to futuristic before the viewer’s eyes. Before the couple even has time to process the fact that a microscopic world is blooming in their kitchen, generations of miniature humans pass in the blink of an eye, planning and mounting an attack on their “giant” onlookers.

Today, security and productivity can feel just as disorienting – new generations of security threats evolve before companies have even acknowledged their predecessors, leaving businesses scrambling to catch up with each new evolution.

Thankfully, modern businesses don’t have to leave security and productivity up to chance. Terminal B is paving the way for new generations of cybersecurity tools to address new generations of cybersecurity threats.

In this interview with Terminal B founder and CEO Greg Bibeau, he shares four critical concepts for security and productivity. Mastering these concepts can’t protect you from tiny universes in your freezer, but it can help keep you safer from cybersecurity threats like malware, hackers, and phishers.

1. Remote Management and Monitoring (RMM)

RMM, PSA, MSP, EDR… IT loves a good abbreviation. In the case of RMM, this abbreviation stands for “Remote Management and Monitoring,” and it encompasses a wide range of capabilities, ranging from compiling performance data to remote desktop access.

For security and productivity, the essential function that Greg highlights is RMM’s ability to remotely implement software updates and reconfigurations. There are two alternatives to using RMM to keep software up to date:

  • Manual updates. Performing manual updates requires a human user to physically update the software of every machine. While this may be feasible for very small or very low-tech organizations, it doesn’t take long for this to scale out of control. The more systems your IT environment contains, the less workable manual updates are.
  • Default update settings. For organizations with limited budgets, Greg recommends using the default update settings of your devices. This is less performant than RMM but has certain advantages over manual updates. The advantage of using default settings is that it saves the labor of manual updates, but the disadvantage is that a scheduled update can interrupt and even break your key processes – a side effect of default settings that RMM can sidestep.

While manual updates and default update settings can help mitigate some security risks, RMM has several important advantages. The most important advantage is that RMM can vet and schedule updates. This means that IT service providers can use RMM to implement security patches as soon as they’re available, vet a patch before implementing it, or schedule an update for a convenient time that won’t interrupt a key process.

The downside of RMM software is simply the cost, but with a wide variety of RMM tools available to businesses, most organizations will be able to find a solution that fits their budget.

2. Dual-Factor Authentication

In military operations, the two-person concept is a control method that splits responsibility and control between two individuals. For example, a single person cannot launch a nuclear warhead (accidentally OR maliciously) because a second person with their own unique key has to jointly operate the launch. That means that a malicious actor can’t simply steal the key or passcode since both operators have to be present.

In cybersecurity and IT, dual-factor authentication performs a similar function: If a password becomes compromised, dual-factor authentication prevents the malicious actor from accessing your accounts with a single device or piece of information.

Instead, Greg explains that dual-factor authentication requires two components: something you have and something you know.

  • Something you have can be a fob, keycard, mobile device, or biometric data, like fingerprint or faceprint.
  • Something you know can be a password, passcode, or security question.

For example, imagine that you’ve secured your account with your mobile device and password. If somebody gains access to your password (through a brute-force guess, malware like a keylogger, or a phishing attempt), they won’t be able to access your account without your mobile device. If a malicious actor steals your mobile device, they won’t be able to access your accounts without your password.

Dual-factor authentication multiplies the security of your account by creating a second barrier to entry.
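The two-factor check described above, as an added example that is not part of the original article: a login succeeds only when the password (something you know) and a time-based one-time code from the user's phone (something you have) both verify. The account, salt, shared secret and function names are constructed for illustration; the code generator follows the standard TOTP algorithm (RFC 6238) used by common authenticator apps.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real deployment generates a random salt and
# a random per-user TOTP secret at enrollment.
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"  # shared with the authenticator app
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: store only a slow, salted hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Something you have: the code the device shows for this 30-second window."""
    return hotp(secret, unix_time // step)


ACCOUNTS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
    }
}


def verify_login(user: str, password: str, code: str, unix_time: int) -> bool:
    """Grant access only when BOTH factors verify."""
    account = ACCOUNTS.get(user)
    if account is None:
        return False
    knows = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"]
    )
    # Accept the previous, current and next window to tolerate clock drift.
    has = any(
        hmac.compare_digest(
            totp(account["totp_secret"], unix_time + drift).encode(), code.encode()
        )
        for drift in (-30, 0, 30)
        if unix_time + drift >= 0
    )
    return knows and has


if __name__ == "__main__":
    now = 59  # fixed clock so the demo is reproducible
    good_code = totp(DEMO_TOTP_SECRET, now)
    print("both factors:      ", verify_login("alice", "correct horse battery staple", good_code, now))
    print("stolen code only:  ", verify_login("alice", "guessed-password", good_code, now))
    print("stolen password only:", verify_login("alice", "correct horse battery staple", "000000", now))
```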

In the past, dual-factor authentication was optional, but Greg shares that in today’s security climate, it’s no longer an option – it’s an essential. Dual-factor authentication is a bare minimum standard for businesses to keep their data safe, but the good news for companies is that you can implement dual-factor authentication for free on major platforms like Microsoft and Google.

3. Training

Since the 1960s, business software has steadily increased in volume and complexity. Today, employees face an unprecedented breadth of business software. To reconcile with this newfound diversity of technology, businesses should engage in comprehensive and ongoing training across all levels of their organization.

Not only is training beneficial for productivity and security, but many insurance providers require proof of training before they’ll underwrite your company’s cyber liability policy.

In this interview, Greg says that the #1 priority of your training program should be security proficiency. While technological tools can go a long way toward preventing security breaches, no technology can completely mitigate the risks posed by social engineering and human error. When employees are proficient in security concepts, they’re more likely to recognize phishing attempts, follow appropriate password controls, and avoid risky behavior.

While the main goal of training should be security proficiency, an added benefit of ongoing training is that it develops expertise. When you make on-demand training available to your employees, you encourage continued development and produce knowledge experts in your field. In addition to on-demand and scheduled training, you should also implement ongoing testing, including simulated phishing attacks and formal evaluations.

Both accidental and malicious employee activity can result in security breaches, but your employees aren’t your only vulnerability – many organizations require their upstream vendors to participate in ongoing training as well.

4. Endpoint Detection and Response (EDR)

Before the mid-2010s, anti-virus software was a key component of most businesses’ and individuals’ security systems. In the last decade, endpoint detection and response (EDR) has gradually replaced anti-virus software as the next generation of security tools.

Endpoint detection and response monitors computing devices that are part of an interconnected network. Each of these computing devices (standard devices like laptops, desktops, and mobile devices along with IoT devices and workstations) is an endpoint. Since these endpoints are the point of entry for legitimate users to access your network, they’re also an attractive target for illegitimate users.

Anti-virus software was the best solution for businesses at one point in time, but EDR has surpassed anti-virus software as the standard best tool for network protection. Anti-virus software’s limitation is that it can only check for a known list of threats, and as Greg explains, by the time the software recognizes new threats, malicious actors may have already exploited the vulnerability. Anti-virus software is reactive rather than proactive.

As opposed to anti-virus software, EDR doesn’t just monitor for a limited list of known threats, it monitors for a wider variety of anomalies, which ultimately keeps your company safer and more productive.
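The difference between checking a known-threat list and monitoring for anomalies, as an added illustration that is not from the article or any EDR product: the signature check only flags files whose hash is already on the list, while the behavioral check flags process launches that are rare in the fleet's own history. All hosts, hashes, process names and the threshold are constructed, and real EDR tools use far richer telemetry than parent/child process pairs.

```python
from collections import Counter

# Everything below is constructed sample data for this example.
KNOWN_BAD_HASHES = {"hash-known-bad-001", "hash-known-bad-002"}  # the "known list"

# History of normal process launches on the fleet, as (parent, child) pairs.
HISTORY = (
    [("explorer.exe", "winword.exe")] * 400
    + [("explorer.exe", "chrome.exe")] * 900
    + [("outlook.exe", "winword.exe")] * 150
    + [("services.exe", "svchost.exe")] * 2000
    + [("explorer.exe", "powershell.exe")] * 40  # admins open shells by hand
)

# Process launches observed today.
TODAY = [
    {"host": "pc-01", "parent": "explorer.exe", "child": "chrome.exe",
     "file_hash": "hash-chrome"},
    {"host": "pc-02", "parent": "explorer.exe", "child": "invoice.exe",
     "file_hash": "hash-known-bad-001"},
    # A legitimate binary with a clean hash, launched from an unusual parent.
    {"host": "pc-03", "parent": "winword.exe", "child": "powershell.exe",
     "file_hash": "hash-powershell"},
    # The same binary launched the way admins normally launch it.
    {"host": "pc-04", "parent": "explorer.exe", "child": "powershell.exe",
     "file_hash": "hash-powershell"},
]


def signature_alerts(events):
    """Anti-virus style: flag only files whose hash is on the known-bad list."""
    return [e["host"] for e in events if e["file_hash"] in KNOWN_BAD_HASHES]


def build_baseline(history):
    """Count how often each parent -> child launch occurred in the past."""
    return Counter(history)


def anomaly_alerts(events, baseline, min_seen=10):
    """Behavioral style: flag launches seen fewer than min_seen times before."""
    alerts = []
    for e in events:
        seen = baseline[(e["parent"], e["child"])]
        if seen < min_seen:
            reason = f'{e["parent"]} -> {e["child"]} seen {seen}x in baseline'
            alerts.append((e["host"], reason))
    return alerts


def triage(events, history):
    """Compare what each approach catches on the same events."""
    baseline = build_baseline(history)
    sig = set(signature_alerts(events))
    anom = {host for host, _ in anomaly_alerts(events, baseline)}
    return {
        "caught_by_both": sorted(sig & anom),
        "signature_only": sorted(sig - anom),
        "anomaly_only": sorted(anom - sig),
    }


if __name__ == "__main__":
    for host, reason in anomaly_alerts(TODAY, build_baseline(HISTORY)):
        print(f"{host}: {reason}")
    print(triage(TODAY, HISTORY))
```

The pc-03 event is the case the signature list misses: nothing about the file is known to be bad, only the context in which it ran.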

The downside to EDR is that the added security comes at a price, making it potentially cost-prohibitive for smaller businesses. A Security Operations Center (SOC) monitors the best EDR solutions around the clock, which keeps you secure and productive in the middle of the workday and the middle of the night. With 24/7 monitoring, malicious entities are less likely to get the drop on you, allowing you to maintain a high level of security even while you’re away.

Steps to Implement Critical Security and Productivity Concepts

Are you excited to start increasing your security and productivity, but not sure how to start implementing these four crucial concepts?

Greg shared the ideal order you should follow:

  1. Start with dual-factor authentication on as many platforms as possible. Since many platforms allow you to implement dual-factor authentication for no additional cost, this added protection is a no-brainer. In today’s security climate, this safeguard isn’t a luxury, it’s the bare minimum.
  2. Your next priority should be training. Training solutions vary by price, and you should consider requiring ongoing training not only for your own employees but also for the vendors you work with. Most insurance companies require training as a condition for underwriting a cyber liability insurance policy.
  3. Remote Management and Monitoring (RMM) should be your next priority. This service keeps your devices up to date with the most current security patches without requiring physical maintenance or breaking any of your key processes. While RMM comes at a cost, it’s well worth it to keep your devices up to date.
  4. Finally, Endpoint Detection and Response (EDR) is an essential component of cybersecurity that replaces anti-virus software by monitoring for unusual activity in network endpoints, such as desktops and mobile devices. This solution is your fourth priority because of its higher cost, but companies should invest in EDR as soon as it’s feasible.

Stay Secure and Productive with Terminal B

What’s the next step for you? Get help from the cybersecurity experts at Terminal B. Greg and his team of experts have been helping companies stay secure, compliant, and productive for over 15 years, which is why we’re one of the only Microsoft Direct Gold Cloud Service Providers in the United States.

As a locally owned managed service provider since 2004, let our experience be your competitive advantage.

To experience a worry-free IT ecosystem, schedule a discovery session to learn how we can help.

What The Best Managed IT Service Providers Know About Security

These days it’s essential for any good managed IT service provider to have security as a top priority in their business. Companies will simply not want to work with a service provider that cannot adequately protect business-critical data, and provide assurance that their company data is safe from cyberattack. What Managed Service Providers (MSPs) know about security is that it is essential for business growth. That means the best security practices must be in place right from the beginning, so that they can grow right along with the company.

What MSPs know about security

A managed IT service provider also knows that protecting data is the first obligation in cybersecurity, so detecting any system vulnerabilities becomes paramount. Since the threats themselves are external, they cannot be controlled in any way – but the steps taken to prevent threats from actually being carried out can be managed. Therefore, service providers know they must implement several layers of security, in order to protect their clients’ business data, so their own services will be in demand. The security layers called for include training employees, management policies, security procedures, and such technical controls as firewalls, passwords, anti-virus software, multi-factor authentication, and data authorization.

Security service providers also know the best security practices available at any given time. This can be a tricky thing to manage, because those practices must be constantly updated and changed, in accordance with new methods and approaches used by cyber criminals to penetrate networks. Here is how an MSP will implement top-notch security practices, based on their knowledge and experience with cybercriminals:

Firewall – since the Internet is the primary access point to all stored data on the cloud, a solid firewall must be set up to block intrusions.

Dynamic firewall rules – these must be implemented, so that it’s not necessary to update firewall rules with every new threat.

Protect wireless access points – employees use these to connect to Wi-Fi, so they must be protected through authorization and encryption.

SD-WAN – allows for high availability of data for situations like VoIP and Microsoft Teams.

Servers and workstations – since these are network endpoints, they must have comprehensive security controls in place.

Virus detectors – must be running continuously, and must include all known threats.

Backups – to be prepared for inevitable data breaches, data backups must be maintained off-site so that corrupted or encrypted data is not lost.

Putting what they know into practice

Knowing the best practices to implement for security is the foundation for services provided by an MSP to all clients. All the security controls described above must be in place in order to properly protect client data. All data gathered from these controls can then be logged into a central repository, where the service provider will receive instant notifications about any suspicious activity. Because client data is constantly being monitored, any risk to clients is significantly reduced, while security is being increased.

Contact us

If you’re in the market for a new managed IT service provider, we urge you to contact us at your earliest convenience. We make a point of maintaining a staff of the best and most knowledgeable security experts, so they can use their knowledge to help protect your valuable data assets. We use what we know about security and cybercrime to prevent intrusions and breaches, so that you can sleep easier at night, with the knowledge that your business-critical data is safe from exploitation by cybercriminals.

5 Top Threats Cyber Security Services Defend Against

By the year 2025, it is expected that it will cost a total of $10.25 trillion to continue the battle against cyber crime. Given the fact that this is representative of the largest wealth transfer in human history, there isn’t much doubt about the size of the problem, nor about the need for everyone to do their part. While humans themselves have historically been the weakest links in preventing cyber crime (consider phishing and identity scams), cyber security services can contribute a great deal to defending corporate data. In this article, we’ll consider the five biggest cyber security threats out there today, and how cyber security services help to prevent them from happening to your business.

Cloud security threats

There are literally tons of opportunities for leaks to take place with so much data traveling between companies and various business partners. A tremendous amount of data passes between cloud providers and business organizations, and that gives cyber criminals their chance to hijack this data for their own purposes. With so many businesses now having moved to the cloud, it has become fertile ground for concentrated attacks by criminal-minded individuals. About 50% of all businesses are now on the cloud, so even more organizations will be positioned there in the future – which means there will be greater opportunity for cyber criminals.

Mobile security threats

Even though mobile computing hasn’t been around all that long, it hasn’t taken cyber criminals long to figure out vulnerable points and carry out attacks against them. In fact, since mobile devices have become so popular, they have become a particular point of interest to cyber criminals, simply because there are so many of them. There are app-based threats, web-based attacks, network attacks, and even physical threats against devices that don’t use PIN numbers or biometric security features.

Social engineering attacks

Social engineering attacks have grown even more prevalent in the last couple of years, because more workers are signing on to work machines from home, where fewer protections are in place. These types of attacks are often the most successful because they usually involve tricking a human into providing passwords or other critical company data, and they all seem very safe and legitimate. Some of the most common ploys have criminals posing as company executives, and asking for specific company data, or using email attachments to unleash viruses into a company network.

Ransomware

The basic premise of ransomware involves a breach of the company network, and unleashing a virus that encrypts business data, thereby rendering it unusable. The cyber attacker will then ask for a sum of money in return for the data, and many companies simply have no recourse but to pay the ransom and hopefully get their data back. These kinds of attacks are growing exponentially, since Ransomware as a Service (RaaS) has now become popular. Kits can be purchased that will unleash ransomware on various companies, so the would-be cybercriminal can simply turn it loose on an unsuspecting business public.

Remote work threats

Working from home increased significantly during the height of the COVID-19 pandemic, and most remote workers have continued in that setup even after COVID has begun declining. This fact has not been lost on cyber criminals, who are doing their best to exploit the relatively weaker security computing environment. For instance, there are unsafe Wi-Fi networks, email and phishing scams, unencrypted file-sharing, and workers will often use personal devices for work. Most personal devices lack the security protection necessary to safeguard business data, and this provides an opening for cyber criminals to carry out attacks.

Ready to protect your work environment with Cyber Security Services?

Contact us today to learn more about optimizing your defenses.

Managed Cybersecurity

5 Ways Managed Cybersecurity Will Make Life Easier

The importance of keeping your software and systems updated with the latest patches really can’t be overstated, since it limits exposure to cyberattacks and helps to keep your business-critical data safe from hijacking or corruption. You should make the best use of all the security features that your apps have built in, as well as the other security measures your company has in place for combatting cyberattacks.

However, all that may not be enough to discourage all possible cyberattacks, since today's computing environment is commonly a hybrid one that includes both local and remote applications that make use of the cloud. The more IT gets stretched out to support remote workforces, the more exposed it is to risks. To make your life easier, you should seriously consider availing yourself of the services of a managed cybersecurity provider.

  1. Regular updates and patches

If you’re still doing this in-house, it can get to be a real chore, keeping up with all the latest patches and updates issued for your software and hardware. Yet, if you don’t apply them all promptly, you’ll be exposed to a number of cybersecurity threats, all of which could be thwarted by faithful updating of your patches. A services provider will handle all this for you, so you can focus on running your business.

  2. Don’t need those skillsets in-house

When you have a managed cybersecurity provider, you won’t need to have those same skills in-house, and that means you won’t have to pay someone a hefty salary for doing the work right on the premises. Security professionals are getting more expensive all the time because they are in such high demand, and for what you’d have to pay a pro, you can easily arrange for managed services with a reputable provider.

  3. Experts in the field

Because it’s their business to stay on top of all issues related to cybersecurity, managed services providers tend to be aware of all the latest threats, as well as all the latest software and hardware designed to thwart them. They know about things that your company probably would not be privy to, so you can get better protection from a service provider.

  4. 24/7 service

Your company probably doesn’t have anyone in-house who is dedicated to cybersecurity around the clock, but a managed services provider does. That gives you the best possible protection, and it even covers times when your entire staff might be in bed, dreaming of a world with no cybersecurity threats.

  5. Better communications

When you have a managed services provider, they make a point of contacting you about even the slightest threat to your network and business assets. Many of these communications might be overlooked if they were managed in-house, but a services provider will pass them along to you, so you know they are being vigilant and doing their jobs.

Contact us to learn more about our managed cybersecurity services

The never-ending area of cybersecurity can be a huge headache for any company, but it’s one that just can’t be overlooked. If you lack the personnel in-house to implement strong security measures, contact us so we can help you close any vulnerabilities, and make your business-critical data safe from attack.

What Every Business Owner Should Know About Cyber Security Services in San Antonio

No matter what type of business you operate, there are some things about Cyber Security Services in San Antonio that you need to be aware of, because an unexpected cyberattack might literally put you out of business. Larger companies have more resources and are usually able to bounce back after an attack, but a study conducted by Experian showed that 60% of all small businesses suffering a cyberattack were obliged to shut their doors within six months. If you don’t want that to happen to your company, take to heart the nuggets described below.

79% of small businesses have no response plan for cyberattacks

If your business falls within this category, there’s a good chance that you’ll also fall into the category described above, i.e. being among those 60% of all businesses that are forced to shut down after an attack. Cyberattacks can be devastating for any business, and particularly so for small businesses which lack the resources of larger corporations.

For example, if a small business were forced to pay a ransom for hijacked data, the ransom will be in the thousands of dollars, and that alone could be enough to bankrupt the company. But that’s not the only damage that a business will suffer from an attack. You will also suffer a loss of reputation, because everyone will know that your network was vulnerable to an attack. That means other businesses will be much less likely to do business with you, and you could lose customers for the same reason very quickly.

You must notify customers of any security breach

Many states have passed legislation requiring businesses to notify all individuals who may have had their data compromised in some kind of security breach. The cost of delivering these notifications amounts to more than $130 per person, so even if you only had one thousand customers affected, the cost of notifying them will soar to $130,000 in total. This is another way that small businesses can easily go under after suffering an attack.

When your business bank account is hacked

You might think that your bank account is protected by the Federal Deposit Insurance Corporation (FDIC), and that your business accounts are secure. That simply is not the case. The FDIC only has responsibility for personal accounts, so they don’t cover business bank accounts at all. It’s also fairly unlikely that you’ll be protected from financial damage by your general liability insurance. So if your business bank account is hacked, whatever money you had in that account is likely to be gone forever.

Hackers are targeting small businesses more and more

Most of the cyber-attack headlines involve major corporations, simply because it’s bigger news. However, the truth is that hackers are very enthusiastic about targeting small businesses because there are so many of them, and they can add up to a larger payday than attacking a big corporation. Small businesses are also excellent targets because they have much to lose, and don’t often have good cyber security services in place. It’s fairly easy for a hacker to steal customer data and sell it on the black market. So if you thought you were immune from attack because hackers are ignoring small businesses, you can discard this notion immediately.

Educate and train your employees

Even if you have good cyber security services in place, it’s very possible that your system could be breached as a result of human error. For example, all it would take is an employee opening up an email that has malware attached to it, and a hacker could have instant access to your network. It’s extremely important to educate your staff about how to protect data, and about the importance of using proper procedures. When they’ve been trained to recognize the signs of a breach, employees will be much less likely to fall into that trap. Even after they have been trained, it will be necessary to conduct periodic refreshers, so the significance sinks in, and so they have daily awareness.

You can protect your company from the devastating impact of a cyber attack with cyber security services in San Antonio. For more information, click here to schedule a consultation with Terminal B.
