In a meeting last fall, NSCA and Business Accelerator Defendify got together to brainstorm ideas and suggestions to share with integrators and manufacturers about achieving basic “cyber hygiene.”
The following list is a result of our brainstorming: simple, easy-to-follow best practices to minimize your cyber threats, protect employees and clients, and defend the integrity of your information.
- Conduct a cybersecurity technology audit (assess the existence and condition of spam filters, malware protection, etc.).
- Bring in an ethical hacker consultant for an assessment. Ethical hacking can include things like external and internal penetration testing.
- Make training on data integrity and proper email usage part of employee onboarding. It’s also a good idea to review this training at least annually, with monthly refreshers through things like newsletters, lunch-and-learns, videos, phishing simulations, and webinars to keep employees aware and vigilant.
- Conduct proper device audits so you know how many – and what type of – devices each employee has been given. This way, when an employee leaves, you’ll know what devices need to be returned.
- Create a zero-tolerance BYOD (bring your own device) or COPE (corporate-owned, personally enabled) policy for all web-enabled devices that come into or out of your building.
- Conduct internal process reviews every six months, and bring in an outside advisor annually. Conduct internal risk audits through a third-party assessment.
- Have at least one IT professional on staff who is educated on cybersecurity and follows NIST or UL 2900 practices. Third-party assessments can be conducted to make sure that processes and procedures follow NIST standards.
- Add cyber insurance to your insurance coverage.
- Read and evaluate all client contracts for liability stemming from breaches and possible business interruption damages caused by your engagement with their network.
- Don’t place too much trust in any one employee. Support them with outside expertise to verify internal practices. Create segregation of duties to protect the organization.
- Patch and update systems regularly – not just computers and servers, but IoT devices as well (security cameras, AV devices, etc.) – to limit network vulnerabilities.
- Find a source that will provide you with reliable, real-time threat notifications. If systems you use are breached, you’ll want to know right away.
- Have an incident response plan. If you experience a breach, or are hit with ransomware, have a plan and know what to do next to limit business disruption.
- Don’t forget about the physical side of cybersecurity. Control visitor access and limit physical access to networks.
To see just how far and wide data breaches span, take a look at this list maintained by the U.S. Department of Health and Human Services’ Office for Civil Rights. If a healthcare organization experiences a data breach of more than 500 records and the event is currently under investigation, it’s posted here.
By visiting the “archive” section of the site, you can read about resolved breach reports – and often get the story behind what happened and how the breach was discovered. Keep in mind that these are just the breaches being reported – and just within healthcare.
Want to learn more about improving your organization’s cybersecurity? Contact us!