Cybersecurity has become a huge factor in everyday life. Anyone who uses computers, the internet, or credit cards – from individuals to big corporations – is in danger of having their information stolen every time they go online. For any US business, it is imperative to have someone watching and in charge of cybersecurity. The company should also have plans and training for employees to help prevent a breach of the defenses. For medical practices and hospitals, the same is true, but there is also the spectre of HIPAA violations lurking around every corner.
Why Would They Bother with You?
One reason that the small to medium business (SMB) may become a target of cyber threats is because they may not be taking the security steps that a larger business does. An article in Forbes shows this clearly:
“Do you think your small business is at risk of being hacked? An overwhelming 87% of small business owners don’t think so. But, your business might be at risk more than you realize. About half of small businesses experience a cyber attack.”
If a hacker is able to break into a business network, they have the immediate benefit of any financial information they find. And if this is an SMB in the medical field, they might gain access to the HIPAA data of patients that can then be used to create false identities and credit cards.
Additionally, that SMB may be part of the supply chain for a larger business – so now the hacker has a lever with which they might gain access to even richer pickings. The SMB does not want this to happen – the HIPAA Breach Notification Rule for over 500 patient records, “…requires covered entities to notify affected individuals, HHS, and … the media of a breach of unsecured PHI…” (17). Nobody wants to notify their customers and the media that they messed up thereby confirming that they cannot be trusted, to say nothing of giving Homeland Security even more reason to look over their shoulder.
Why the Big Companies Do It
There are large companies in the news, it seems like every other day, that have had hackers break into their systems and access the personal data of millions upon millions of their customers. Big names like Target and Anthem have violated the trust of their customers in this way. This type of exposure on the evening news is something we all want to avoid. As for those in the medical fields, the HIPAA Journal suggests that “if your organization has not implemented the appropriate safeguards to protect the health information of patients and plan members, now is the time to take action. Non-compliance carries a significant cost.” Their infographic (below) gives an idea of that cost.
The government fines you might incur, along with other incidental costs, come to an estimated $380 per breached record. The companies making breaking news are large, often with multi-million dollar cyber budgets, because the hackers get more inventive every day. A small company might wonder how to cope with this threat. Nevertheless, it must take planned steps immediately. Data shows that over half of the smaller businesses breached in this way actually go out of business within six months of the breach.
Here are some minimum steps that should be taken by businesses of any size to better defend against cyber attacks. This may not stop a persistent/creative hacker, but it will block out most and as an added bonus it will put you in compliance with some regulatory security requirements.
- Designate a person responsible for the cybersecurity of your network and make a plan for what happens in the event of an attack. Your employees must participate in this plan so they know what to do.
- Set up a system with regular resets of passwords that are sufficiently unique and complex to keep them from being easily guessed. If someone gets a password, it will be changed out from under them on the next 60- or 90-day required password update. In addition, encrypt any password storage, as plain text password lists are a major security threat.
- Security updates: automatically update all computers so that the latest patches are regularly applied to the systems, since many of the patches for operating systems and software are security related. Consider installing IT security software to manage your security updates and monitor for breaches.
- Your customer data really is your business. It should have a designated location that is accessible to those who need it and blocked from those who do not. This central location makes backup, security, and data consistency easier to control. For example, something that resides only on one laptop is gone forever if that laptop is destroyed or stolen.
- Unauthorized people should not have access to your company’s all-important data. It makes no sense to secure the computers and network with passwords and updates while loaning a laptop to someone that gives them full access to all this. This holds true even for trusted business partners, since the words of Benjamin Franklin still hold true, “Three can keep a secret, if two of them are dead.”
- Secure your Wi-Fi so that only employees can access it. If possible, individualize logins; if not, make the password hard to guess. And if you opt to give customers access to your Wi-Fi, it is recommended that you put them on a different network, thus preventing access to business files.
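The password item above says to encrypt password storage instead of keeping a plain text list, and to rotate passwords on a 60- or 90-day cycle. The standard way to protect a stored password is not reversible encryption but a salted, slow one-way hash, so that a stolen store does not hand the attacker the passwords themselves. The following is an added example written for this page, not code from the article or any product it mentions: it turns a constructed plain text list into salted PBKDF2 records, verifies a login without ever storing the password, rejects short or well-known passwords, and flags a record whose age has passed the rotation period. The iteration count, the 90-day period and the small list of disallowed passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values (illustrative, not from the article or any real product).
ROTATION_DAYS = 90          # the page's 60- or 90-day rotation cycle
PBKDF2_ITERATIONS = 600_000 # assumed work factor for PBKDF2-HMAC-SHA256
MIN_LENGTH = 12             # assumed minimum length
# Constructed list of passwords that are too common to accept.
DISALLOWED = {"password", "hunter2", "123456", "letmein", "welcome1"}

# Constructed example of what the page warns against: a plain text password list.
PLAINTEXT_LIST = {"alice": "Winter-Clinic-2024!", "bob": "Tr0ub4dor&3-Records"}


def is_acceptable(password):
    """Reject passwords that are short or on the disallowed list."""
    return len(password) >= MIN_LENGTH and password.lower() not in DISALLOWED


def make_record(password, now=None):
    """Return a storable record: random salt plus PBKDF2 hash, never the password."""
    if not is_acceptable(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)  # fresh salt per user so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "set_at": time.time() if now is None else now,  # when the password was set
    }


def verify(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def rotation_due(record, now=None):
    """True once the record is older than the rotation period."""
    now = time.time() if now is None else now
    return now - record["set_at"] >= ROTATION_DAYS * 86400


def build_store(plaintext, now=None):
    """Convert a plain text user:password mapping into hashed records."""
    return {user: make_record(pw, now) for user, pw in plaintext.items()}


if __name__ == "__main__":
    store = build_store(PLAINTEXT_LIST)
    for user, rec in store.items():
        print(user, "salt:", rec["salt"], "hash:", rec["hash"][:16] + "...")
    print("alice login ok:", verify(store["alice"], "Winter-Clinic-2024!"))
    print("alice wrong password:", verify(store["alice"], "hunter2"))
```

The records contain only a salt, a hash, the work factor and a timestamp, so the original passwords cannot be read back out of the store; the timestamp is what lets a login routine enforce the rotation policy the page describes.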
Don’t get caught leaderless and directionless in the face of a crisis that you know is coming. Make a plan and take action on cybersecurity. Your plan to protect your company and your customer data does not need to be grand or complicated, but you have to have one.