Practice owners offer countless reasons to justify not investing more in cyber security. They’re too small. They don’t have any valuable information. They can’t afford rigorous cyber security measures — or they’ve already got a good firewall and antivirus software.
Unfortunately, current events keep proving them wrong. Cyber attacks are on the rise and increasingly target professional corporations that lack the manpower, knowledge or interest to protect their sensitive information.
Take the recent case of a Toronto dentist victimized by the infamous ‘Ryuk’ ransomware program. It locked him out of nearly every one of his computers and held his business up for a $165,000 ransom. A patient or staff member apparently clicked on a phishing link which downloaded the malicious software, setting off the unfortunate chain reaction of infection, encryption and demands for payment.
Thankfully, extensive backups are allowing him to get his practice up and running again. But he still faces the uphill battle of repairing his reputation, dealing with regulators and re-establishing control of his network.
You can prevent incidents like this from happening to you. But how?
Adopt a top-down approach to cyber security
The first question you need to ask yourself is, “who is responsible for cyber security in my practice?” When we pose this to business owners, they often say their IT team, IT contractor or firewall provider — which is always unsettling.
Unless you answered, “everyone in the organization,” you’re probably at greater risk than you realize. While cyber breaches might take place through computers, the consequences, and the opportunities for stopping them, go far beyond.
Your practice must embrace a culture of prevention, and that begins at the top. Everyone from senior leadership down needs to understand the risks, model best practices and demonstrate an unwavering commitment to protecting sensitive information.
Following are some principles you can implement to begin building a top-down cyber culture:
Cyber risk is enterprise risk
Cyber risk is at least as impactful to your business as market conditions, government regulations, or employee fraud. You need to approach it with the same sense of urgency and incorporate it within your ongoing enterprise risk planning and management.
Cyber risk requires cyber perspective
Invite a dedicated technology security professional to join your board, or at least sit in on meetings. Create a technology committee that meets regularly to discuss organizational priorities, ongoing trends, and vulnerabilities. Empower this team to make recommendations both on policy and on practical matters such as controls and opportunities to reduce your vulnerabilities.
Cyber risk management begins with policy
Create a culture of prevention. That means educating team members on how to identify and report suspicious behaviour, setting expectations for password and device management, and creating a culture where people feel comfortable raising concerns to management.
Cyber risks have legal implications
You need to thoroughly understand your legal liability and be prepared to defend your position in court in a worst-case scenario. The federal government implemented new mandatory reporting legislation in 2018 that compels organizations to disclose any breach that has the potential to result in a “real risk of significant harm.” Failing to do so could result in fines of up to $100,000 — and this is beyond the existing danger of reputational damage and potential civil action.
Cyber risks and attacks are always evolving
Be vigilant about emerging threats, techniques and incidents in your professional sector; but don’t let those distract you from what’s most important. Focus on achieving excellence in your cyber maturity program. Determine where you’re most vulnerable and what’s most important to your organization and protect those areas to the best of your ability — and get everyone in the organization on the same page.
Cyber risks are not all equal
You cannot protect yourself against every single cyber threat. Instead, you need to decide which risks you will avoid, which you will mitigate, which you can transfer through insurance, and which ones you’re willing to accept. Develop a business case and strategy for each and revisit these frequently to ensure they continue to align with your business goals.
Take steps to protect your business
Here’s the startling truth: If they’re willing to invest the time and effort, there’s really nothing that can stop a dedicated cyber criminal from breaching your systems. But you can make it extremely difficult and encourage a would-be attacker to look elsewhere for an easier payday.
Below are a handful of measures you can take to prioritize your risks and vulnerabilities, improve your habits and prepare your team for a worst-case scenario.
Put effective policies and procedures in place
Work with a cyber security consultant to create data management rules and best practices that align your business with appropriate laws in your jurisdiction. Provide training and communications for all team members, make cyber awareness a part of onboarding, and create a culture that emphasizes good technology hygiene.
Review your technology infrastructure
Understand the function, status, and limitations of your cyber security controls. Update your software frequently and replace outdated hardware. Also, familiarize yourself with how your firewalls, antivirus, and antimalware software work and how effective they will be against an attack.
Create an incident response plan (and test it)
Establish a series of actionable, repeatable and priority-ranked steps that enable your team to quickly identify a breach, communicate about it, contain it and prevent further damage. This plan will clearly outline individual responsibilities, as well as any third parties (e.g. cyber security consultant, legal counsel, public relations team, etc.) you need to contact and when. Practice this plan regularly to identify gaps and make the process second nature.
Penetration test your systems
Work with a cyber security consultant to proactively hack your own systems and hunt for vulnerabilities. This will help you understand where an attacker is most likely to strike, while allowing you to prioritize any holes and fill them as necessary.
Conduct a maturity threat assessment
Periodically review your controls — both policy and technology — along with your cyber security risk profile and other notable incidents in your industry. This will help you determine whether the measures you currently have in place are enough to protect against the most likely attacks or whether you need to adjust your approach.
Manage your third-party vendors
Create an inventory of all arm’s length organizations you currently work with. Review all contracts and policies to fully understand what guarantees they make about your data and how they will protect it if they experience a breach. If a vendor does not provide adequate protection, consider finding a new one, as you could be liable for their negligence.
Putting it all together
Most breaches are financially motivated crimes of opportunity. And that’s precisely why small businesses like professional practices are increasingly prime targets for hackers. Many owners lack the interest, the know-how, or the capital to invest in enterprise-level controls, and that opens a massive window of opportunity for an attack.
You can drastically improve your practice’s cyber security by shifting your focus from fancy technology to the time and leadership you can offer instead. Make cyber security everyone’s responsibility. Look toward implementing the right policies and procedures, being mindful of your risks and vulnerabilities, and gaining the insight of a trained security professional. And always assume an attack is likely to happen.
Your preparedness will make a cyber criminal think twice before targeting you. And even if they do, you’ll be in a far better position to stop them before they get their hands on your most precious information assets.
For more information or to learn how MNP can help protect your practice, contact Danny Timmins, CISSP, National Leader, Cyber Security, at 905.607.9777 or [email protected]