Author: Stuart Crawford

Cybersecurity threats have shown no signs of slowing down, and small and mid-sized organizations are expected to be more heavily targeted going forward. Although splashy headlines about Fortune 500 companies suffering breaches may lead some business leaders to think that hackers are after big corporations, cybercriminals are just as likely to steal data or infect your system with ransomware.

It’s important to keep in mind that these nefarious people are nothing short of petty crooks, and they look for systems that can be breached at every level. That’s why it’s in every business’s best interest to have a high-caliber cybersecurity specialist in place.

If you own or operate a local small or mid-sized outfit, you may be mulling over the cost-to-benefit ratio of outsourcing your cybersecurity defenses. Consider these key reasons why outsourcing to a locally-based cybersecurity specialist makes sense.

Hiring A Talented, Full-Time Expert Proves Difficult

There is a school of thought in business that having your own team in place would be more beneficial than outsourcing. The arguments for that position include having control over work-hours, in-house supervision, and the ability to review performance. The clincher is often that decision-makers know the person managing the tasks.

This old school thinking is often tried-and-true when hiring for profit-driving positions. It’s difficult to imagine outsourcing a sales team or other critical positions, but cybersecurity is not necessarily an old school job. It remains highly unlikely that a small or mid-sized organization has a supervisor in place to train cybersecurity specialists like they would a salesperson or other full-time posts.

A cybersecurity expert has years of education and training under their belt. They also are tasked with keeping up-to-date on the latest hacker methodologies and tools. It’s just impractical to have an in-house professional stay abreast of the fast-changing threats and keep your systems secure. Even if your company invested heavily in a full-time cybersecurity specialist, in all likelihood, they would be wooed away by other opportunities resulting in turnover.

The difficulties associated with filling a cybersecurity position and keeping that person does not make good business sense. It’s far better to outsource the cyber defense work to a local company staffed by experts. Why pay for a full-time person with benefits when you can contract with a local expert?

Benefit From Real-Time Industry Intel

Along with keeping a stable expert to protect your systems, local cybersecurity outfits are tasked with keeping tabs on real-time cyber attack methods. Outsourcing your technology and data protection to a cybersecurity specialist allows small and mid-sized organizations to have a critical risk assessment performed by a consultant that has hands-on experience.

Cybersecurity experts offer business leaders an opportunity to protect and defend critical data and communications in ways that might not occur to even the best in-house IT staff member. Enhanced knowledge and training can help identify cracks in your cyber defenses, inconsistencies in the password or login protocols, and advise you about forward-thinking employee policies.

It is not uncommon for hackers to target employee email and devices as a way to infiltrate a company’s data and personnel files. Given the fact that the methods hackers use change quickly, it’s imperative to an organization’s survival that a vigilant line of cybersecurity defense remains in place. Working with a local company that specializes in cybersecurity brings expertise to the table many outfits might not be able to afford otherwise.

BYOD Is Becoming Commonplace

The line between employees using company devices and personal ones has increasingly been blurred. Millennials tend to be of a mind that their device is just as, if not more suitable for professional tasks. In many cases, that probably holds true.

This new era of “Bring Your Own Device” poses a more significant challenge to organizations that merely have team members on fixed in-house desktops. These days, valuable staff members prefer to use their own mobile device, laptop and work from home options. This emerging tech reality inherently increases potential entry points for cybercriminals. In the BYOD business world, cybersecurity requires employees to be more educated about protocols and have a working knowledge of how and why they are being implemented and routinely changed.

Hackers are not necessarily working night and day to skip off with a big criminal payday. They are more prone to identify outfits with poor or low-level defenses. While cybercrime profit can be gained by breaching a major corporation with a strong defense, it may be a lot easier and more lucrative to knock off small and mid-sized organizations that are ripe for the picking. Outsourcing to a specialist can prevent you from becoming the low hanging fruit.

Data Breaches And Lawsuits

Captains of industry often think of cybersecurity as a way to protect their trade secrets, critical data and avoid costly work stoppages. While all of those ideas have merit, there’s another level of cybersecurity that CEOs and other decision-makers do ordinarily understand. You could face civil litigation if a hacker breaches your system.

That idea seems incredibly counterintuitive. Why would you — the victim — be sued? The simple reality is that businesses use technology for company-to-company communications and file transfers on a regular basis. When one system suffers a breach, access to others in the network may become available to the cybercriminal.

Just as your organization is responsible for bringing a safe product to market or shoveling snow off your doorstep, you could be held liable for not adequately securing critical data and access. Along with your business reputation taking a significant hit, previous clients and associates may be looking to recoup their losses from you. Civil litigation can prove costly unless you have taken industry standard measures to protect your system.

Hire A Local Expert Cybersecurity Specialist

Cyber attacks are an ongoing reality of living and working in the technology era. Organizations of all sizes and sectors are routinely tested by hackers to see if their cybersecurity defenses can withstand an assault. Cybercriminals are not going away any time soon and unless you want to risk shuttering, it’s time to contract with a cybersecurity specialist to protect your vital business interests.

Advanced Data Governance (or ADG) is a tool from Microsoft. Available to be used within Office 365, this tool assists businesses in meeting compliance requirements and managing risk. Most of all, it helps organize the massive amounts of data that companies are now dealing with.

Each quarter, the data owned by a given business grows by exponential rates. Over time, organizations are met with the challenge of organizing this unstructured data. Moreover, they are challenged to be able to find pertinent data, retain sensitive and important data, and safely destroy or archive obsolete or otherwise useless data. These are the pain points that Advanced Data Governance aims to handle.

According to Microsoft, the goal of ADG is to help companies:

• Assess their current compliance status
• Protect their current and future data
• Respond to requests

Other goals include:

• Reducing costs across the board
• Maintaining business continuity

What is the Advanced Data Governance dashboard?

The dashboard of ADG is where most of the magic happens. Here, companies can clearly see a visualization of their data, along with helpful widgets, which explain key features about data status. This is useful as it can help companies decide what data or cross-sections of data to keep and which to discard.

How does ADG help companies meet compliance?

A particularly useful element of ADG is that cloud intelligence assists in recommending policies. All companies have their own rules and regulations to comply with. For EU businesses, for example, GDPR rules need to be observed. According to whatever rules and regulations a business must comply with, Advanced Data Governance is able to quickly filter through everything in order to detect the appropriate data. In doing so, any policies set up by the company can be applied to the pertinent data in one easy action.

Applying a given policy may mean retaining all data that meets that policy’s criteria, or it may mean automatic removal of a given set of data. When detecting data via a policy, any type of criteria can be used. Most of the time, keywords are used to search and sift through data; however, some companies may choose to use financial, healthcare, or PII related information to conduct searches.

An added feature of ADG is its ability to apply policies to all Microsoft Office 365 services, including Exchange, OneDrive, and SharePoint. This streamlines all enforcement of policies.

What are ADG labels and event tags?

Labels can be created and applied easily in ADG. Each label denotes specific data retention actions. For example, you may create a label that retains all employee record data for a select period of time. You can choose to apply these label policies to all Microsoft services or only to select services.

Event tags allow companies to start certain policies on specific dates as it’s not uncommon for policies to only need compliance during certain periods of time (during specific employment periods, mergers, events, and more).

How Can Advanced Data Governance Help Your Company?

Allow Microsoft’s Advanced Data Governance to help your company regulate and meet compliance, manage risk, improve data organization and understanding, operate more efficiently, and increase revenue. It’s an excellent tool for businesses who are noticing an upsurge in data volume and structural issues.

If you own or manage a company and are considering outsourcing your IT services, you’re on your way to markedly reduced expenditures and greatly improved cybersecurity and technology.

Still wondering about the benefits of outsourcing IT? Not sure how to go about hiring a managed IT service provider?

We’ve got you covered. Let’s start with what IT services are and why you need them.

What are IT services?

When it comes to virtually any type of business in the world, technology is a critical part of operations.

First, you must be online with a top-quality website and a consistent social media presence. Next, you need technology for your employees and daily operations: computers, printers, copiers, adequate data storage and backup, unique software programs, and more. Finally, everything must be protected with excellent cybersecurity.

All of these things encompass your business’s IT services or information technology services.

Why should you outsource IT?

Most businessmen and women start their businesses with the mind that they can do anything they set their mind to.

While this is an excellent mentality to have and provides the necessary motivation to start a booming business, it’s also important to know when to ask for help. Nowhere is this more pertinent than with information technology, or IT.

Unless you are specifically in the business of providing information technology yourself, this means you’ll have to have a strong team of IT specialists on your side.

In-house IT departments are generally only a viable option for expansive businesses who will have enough work for the IT staff to do on a daily basis. Therefore, the better solution for most companies is to hire a managed service provider or MSP.

These companies provide all different levels of IT support to their customers (businesses and organizations like yours). Their main goals are to make your life easier and to help your business grow and thrive.

What are the benefits of outsourcing IT?

1. You’ll have access to the best talent pool and technology.

Professional IT companies handle technology all day. All specialists working at MSPs are trained in their specific area of tech, and they stay updated on the latest in cybersecurity, technological hardware and software advances, updates to data cabling practices, and more. Moreover, whenever you need updated software or hardware, MSPs know the most effective and affordable options.

2. You can choose your level of service.

Most MSPs offer different tiers of service. You choose your level of service and pay a flat, monthly, quarterly, or yearly fee for them to provide whatever services are in that tier. Sometimes, businesses simply hire MSPs to be “on-call” when they need them. MSPs cater to you.

Because of this, you can basically pay for exactly what your business needs. If you own a large business and constantly need IT service assistance, choose a more hands-on level of service. If you only occasionally need help with an IT problem and generally just need someone to help you hook up new computers, networks, or equipment from time to time, choose a lower tier of service. You can also change levels of service, based on your changing needs.

3. You’ll reduce costs across the board.

MSPs only work when you need them, so you’re paying for what you need and not for downtime.

It can be expensive to hire, train, and consistently employ an in-house IT team. Moreover, in small and mid-sized businesses, these staff members generally have a lot of downtime. Hiring an MSP makes more fiscal sense in the long run, and you’ll undoubtedly get better service.

4. You won’t have to micro-manage an IT team.

MSPs take care of you; that’s their job. Unfortunately, in many cases involving an in-house IT department, it’s the manager or director who is taking care of the tech team and micro-managing their day-to-day tasks. This leaves little time to actually run the business.

The whole point of hiring an MSP is to lessen your workload and anxiety. You should be able to hand over the “tech reigns” to an MSP and let them keep your business in a continuous flow of utility, without hitch or interruption. This is what they’re trained to do without your involvement.

5. You’ll improve your compliance.

Meeting compliance is a major pain point in many industries. Government rules and other regulations are complicated and always changing. An MSP can take on this burden for you and set you up with the software you’ll need for perfect compliance and greatly improved risk management.

6. You can stop worrying about security risks.

A large part of an MSP’s role is to be aware of current cybersecurity threats. With many businesses and organizations, personal and private data is being stored. In the event of a security breach, this data could be stolen, destroyed, held for ransom, or otherwise tampered with.

If it is employee data, a breach like this could mean loss of faith in the company and even lawsuits. The same goes for loss of client and customer data — or patient data in the case of health care providers. In these situations, whole businesses can collapse.

Fortunately, cybersecurity is best handled by professional MSPs. These experts know the current strategies hackers are using to obtain login information and sensitive data. They will construct a thick barrier between you and any potential threats. Moreover, they’ll be monitoring your security 24/7, so if something does happen, they can nip it in the bud as soon as possible.

Should you simply manage IT yourself?

We don’t recommend that. Again, entrepreneurs and leaders in business are unique creatures in that they genuinely feel that they can accomplish anything they set their minds to. We’ve already covered why this is absolutely excellent for getting great business ideas, bringing them to fruition, and creating businesses that thrive and grow. But at certain times, it is critical that you release the mentality that you should handle it all.

As an owner or manager, you simply don’t have time, and your talents and abilities should be put to better use than managing IT. While we will assert time and again that information technology is absolutely essential to your business, it is crucial that you find the best-managed service provider to assist you in handling your IT. Do what you’re best at and leave the IT to MSPs.

How do you find an IT services company?

There are high-end, professional managed service providers all over the nation, so simply search for MSPs in your area. Many urban areas will have a long list of MSPs, but they’ll cover a big swath of rural towns in their service area. Once you find a few MSPs that you like the look of, set up appointments with each one to find an MSP that meets your unique needs.

When people go to their doctors, they assume their information is protected. They freely and willingly provide personal information, like social security numbers. Their primary concern is their health and so they literally trust their lives in the hands of medical professionals and providers. This assumption that patient data is protected may be derived from the assumption that medical facilities are all aligned and in compliance with Health Insurance Portability and Accountability (HIPAA). Everyone signs the HIPAA forms and so everyone assumes — even without thinking it — that they are protected and that the medical facility and/or medical providers are in compliance. Indeed, medical providers may believe they are in compliance and their patient data is protected until it happens: the data breach. Instantly, hundreds and thousands and even millions of patients’ information is compromised. Not to mention: the medical entity where the breach occurred may be held liable for it.

Breach of Patient Data Already Making Waves in 2019: The Example of Valley Hope Association

Just recently, a data breach was investigated and confirmed at Valley Hope Association. It’s a Kansas-based nonprofit organization that treats patients with drug and alcohol addictions. They have 16 facilities located in seven states:

1. Arizona
2. Colorado
3. Kansas
4. Missouri
5. Nebraska
6. Oklahoma
7. Texas.

Patients number in the thousands across these seven states. As of the last week of January 2019, the organization has been notifying these patients — former and current — that there was a data breach and their information may have been accessed.

It all started in October 2018. An employee’s email account had suspicious activity. The investigation commenced with this employee’s email account. On November 23, 2018, it was confirmed: a cybercriminal hacked into the employee’s email account, and from there, was able to access patient information. The information compromised includes:

• Social security numbers
• Dates of birth
• Financial account information
• Patient claim or billing information
• Driver’s license or state identification card numbers
• Health insurance
• Medical records
• Medications, and
• More.

These kinds of breaches are the beginning of identity theft. When it happens in medical facilities, it is all the more stressful because these are patients dealing with health issues. Identity theft is not a matter they want to deal with on top of their health issues. Following the breach, Valley Hope has taken two steps:

1. It has provided its patients with free credit monitoring and identity protection services; and
2. It has added additional security measures designed to secure patient data.

Unfortunately, the Valley Hope Association’s breach of patient data is not an isolated event. Many other medical facilities across the country have experienced data breaches. Examples of patient data breaches that occurred in 2018 include:

• Catawba Valley patient records were breached by three phishing hacks.
• Centers for Medicare & Medicaid Services (CMS) confirmed 75,000 people were affected by a data breach in the ACA portal.
• Minnesota Department of Human Services was the victim of two phishing attacks affecting 21,000 patient records.
• Fetal Diagnostic Institute in Hawaii was the victim of ransomware attacks resulting in data breaches of 40,800 patient records.
• Legacy Health, an Oregon-based health system, experienced phishing attacks that led to 38,000 patient record breaches.
• Augusta University Health confirmed in 2018 that 417,000 patient records had been breached.
• UnityPoint Health experienced two large data breaches in 2018, exposing 1.4 million patient accounts to hackers.
• LabCorp confirmed millions of records have been compromised and are at risk due to the hacking that forced a network shutdown.
• A Missouri-based Blue Spring Family Care facility was the victim of ransomware malware, which put 45,000 patient records at risk.
• Banner Health breach in Arizona compromised around 3.7 million patient records.

These are just a few of the many security breaches of patient data that occurred in 2018. As can be understood from these examples, healthcare is a lucrative target for hackers, and as technology advances, so do the hackers’ capabilities. That’s why it is imperative that medical facilities, providers, and professionals take steps to ensure their outsourced IT services providers offer all the latest technology to secure patient information.

What does HIPAA say about patient data protection, responsibility, and consequences?

The HIPAA Privacy Rule sets out to protect “individually identifiable health information” in the possession of a covered entity or its business association regardless if this health information is in electronic or paper form or transmitted orally. Covered entities include:

• Health plans
• Health care clearinghouses
• Health care providers “who electronically transmit any health information in connection with transactions for which the [U.S. Department of Health and Human Services (HHS)] has adopted standards.”

The individually identifiable health information is known as protected health information or PHI. According to HHS, PHI includes demographic information relating to:

• “an individual’s past, present, or future physical or mental health or condition
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”

Covered entities must take measures to protect PHI. Traditionally, a covered entity breached HIPAA regulations when PHI was accessed by an unauthorized person due to unsecured PHI. When this happens, the covered entity is responsible for a breach in HIPAA regulations. But this responsibility is not as straightforward when the breach is made by ransomware or other malware activity. If the covered entity is found to be in violation of HIPAA due to these data breaches, then heavy financial fines may be imposed along with other required corrective action. Depending on the size of the entity and the amount of the fine and other imposed penalties, a data breach could be detrimental not only to the patients whose information was compromised but to the survival and existence of the facility, provider, or professional.

What can medical facilities do to safeguard their patient data?

Medical facilities or any covered entity and their business associates have options when safeguarding their patient data. These options should be interpreted into a plan of action.

• First and foremost, these facilities must comply with HIPAA regulations.
• Second, they must comply with HIPAA regulations by ensuring they are using the most advanced technologies to safeguard patient data. New technologies develop on a regular basis. You should hire an IT team or outsource your IT needs to an IT services provider who regularly keeps up to date with advancements in technology and consistently implements the technology into their services. If you hire such a team, you can rest assured that data is being protected to the best of technologies’ capabilities.
• Third, covered entities and their business associates must thoroughly vet their IT Team and/or third-party IT services provider. There have been cases in 2018 where breaches were made by tech vendors and other third-party IT services providers, e.g., the case of MedCall Advisors in North Carolina.
• Fourth, policies and procedures should be in place to ensure that on an ongoing basis, best practices are honored to safeguard PHI. These policies and procedures should apply to all staff, employees, medical professionals, and the IT team — even if IT services are outsourced.

Ultimately the responsibility comes down to the party in possession of the patient data and covered by HIPAA regulations. Don’t let what happened to Valley Hope Association happen to you. Start the new year off right: make sure your PHI is secure and safe.

Ransomware. Ransomware. You have heard the word and know it involves a cyberattack. You assume from news reports that it only happens to large companies like Target, Equifax, and Marriott Hotels for example, and that cybercriminals will not want to bother with your small or medium-sized business (SMB). Unfortunately, that assumption is wrong.

The Federal Trade Commission (FTC) notes that ransomware is a major concern of small business owners across the country. Another report notes that since nearly 50 percent of SMBs have no employee security and awareness training, they are particularly vulnerable to cyberattacks, including ransomware.

The U.S. Department of Justice (DOJ) reports that since January 1, 2016, more than 4,000 ransomware attacks have occurred every single day. Business owners suffer the temporary or permanent loss of their proprietary information, disruption of their daily business operations, and the extreme expense of restoring files, if that is even possible. Their reputation in their community may also be damaged.

What is Ransomware?

Ransomware is a type of malware, a software program intended to damage computer files. It quietly invades your computer, encrypting as many files as it can locate on your local and network drives. The encryption is done by using a complex mathematical algorithm. When the encryption is complete, your files become unreadable unless you have the key to unlock them.

The only one with the key is the cybercriminal who demands you pay a ransom in order to regain access to your files. Your data has been kidnapped. A simple virus scan cannot undo the encryption. Your data is being held hostage by the cybercriminal.

In many cases, there is a time limit for payment. A count-down clock may even appear on your screen telling you that you must pay the ransom within a certain period of time or forever lose access to the files.

How Ransomware Gets into Your System

Ransomware enters your computer most often by a “phishing” approach. This happens when an innocent user receives an email that appears to be from a friend, co-worker, or reputable company. It includes an attachment. When the user clicks on the attachment, it is downloaded and, voila, ransomware invades that device and all other devices connected to the network.

Some websites have malware lurking in the background. It only takes one keystroke and the malicious software will now infect all the files it can access. The intent is to cause as much damage as possible to your network so that it shuts down and you can no longer access any of your files.

Should you Pay the Ransom?

The DOJ does not advise SMBs to pay the ransom. But, it does note that victims of ransomware have tough decisions to make when considering whether or not to pay. It recommends ransomware victims consider the following factors before paying the ransom:

• How to best protect employees, customers, and shareholders.
• Paying the ransom does not guarantee that the cybercriminal will provide the key to decryption.
• Some victims who paid the ransom and did get the decryption key were again targeted by other cybercrminals.

The DOJ encourages businesses who have been invaded by ransomware to report it to law enforcement. There is a chance that they can use legal tools, including working with international law enforcement, to locate the encrypted data.

How to Prevent Ransomware from Invading Your Network

The most important step of preventing ransomware from invading your network is education. Your employees need to understand how ransomware works, and they need to be constantly aware of the importance of not clicking on any attachment no matter how legitimate the sender appears to be. The attachment must first be scanned for malware.

Every file needs to be backed up so it is accessible off of the network so that if there is a ransomware attack, your business is not crippled beyond repair. If an attack is discovered on one device, immediately shut down all devices connected to the network.

Cybercriminals are getting smarter and learning how to circumvent cybersecurity that is installed to prevent the ransomware and other malware attacks. There are Managed Service Providers (MSPs) who can provide a robust cybersecurity system that can withstand the threats. They should also be able to ward off a threat before it can cause any harm.