In most online business today, cyber risk is a concern, but if you operate in health or IT, and don’t treat data and regulation with the respect it deserves, you could lose your practice.
How can you avoid that?
The volume and complexity of data being captured by mid-sized businesses in healthcare and IT is growing exponentially. For example, a recent report by LDV Capital found that recent advances in visual sensors, computer vision and compute power will cause an explosion of patient data within MRIs, dental x-rays and more.
Additionally, more small businesses than ever before are acting on and storing data in cloud-based solutions. A 2013 survey by the National Small Business Association showed that more than 70 percent of respondents felt it was “very important” to keep up with changing technology trends. At the same time, many mid-sized IT firms have faced data breaches in the cloud, which may be considered a breach of contract, leading to client turnover and a loss of industry trust.
How can auditors within SMEs in health and IT verify their organizations are protected in a world of such copious amounts of digital data and constant threats?
Methodology to merge tech and processes
A robust cybersecurity program should, of course, incorporate technology, but that technology will only properly function with good best practices toward compliance. The best program focuses on people, process and technology as a whole. Security is a process, not a product.
Here I will outline a methodology to operationalize cybersecurity audits, the only way to ensure the processes and policies that protect your business are actually being followed.
Begin by identifying information assets by speaking with Ops. Front-line managers and process owners know the most about how risks and incidents materialize at an operational level. Start here and have them speak to how policies are operationalized, and where existing mitigation activities leave the company vulnerable on a day-to-day basis.
Next, address your industry-specific regulatory requirements. Protecting the privacy of consumer financial information is a given whether you are in the health or IT service industry, and noncompliance with GLBA can lead to fines or increased audit and regulatory oversight. In healthcare, HIPAA compliance controls protect your patients’ data. You can read more on HIPAA compliance via our helpful blog post here.
Learn the lexicon around an appropriate cybersecurity program. There are countless solutions that offer endpoint security at a cost that SMEs can afford. There are fewer offerings in the realm of what my company Zeguro offers, which is a cyber safety platform and insurance offering. The point is, in order to properly evaluate and get started with an offering, it helps to have the vocabulary and basic knowledge around the most common types of security threats. Zeguro recently put together a free-to-download eBook that is a great primer: Cyber Safety 101.
Don’t forget the “what if” scenarios
Finally, as part of your internal audit, quantify what downtime (or worse, data breach lawsuits) could cost your business, based on industry-specific case studies. If you decide to look for a cyber risk policy to protect you, review any potential coverage for Business Interruption and Extortion. When seeking a cyber insurance policy, ensure that the language incorporates interruption coverage for a computer attack, data re-creation, loss of business (including contingent loss of business), crisis management, and cyber extortion.
A cyber attack doesn’t just take information; it can destroy it. For example, a ransomware attack encrypts all your information, including operating systems, turning your devices into really expensive paperweights. If you can’t access customer data, you can’t meet customer needs. The longer it takes you to recover and recreate your databases, the more money you lose.
Follow the steps above, and take cyber risk policy insurance seriously after your internal audit, to continue countless successful years with either your IT or healthcare practice.
About Dan Smith
Dan is President and Co-founder of Zeguro, a cybersecurity company focused on small and mid-size enterprises. Based in San Francisco, Zeguro is changing the way SMEs approach cybersecurity through its Virtual Cybersecurity Officer platform, combining risk assessment, mitigation, and insurance. A third-generation entrepreneur, Dan worked on many sides of the information security challenge before founding Zeguro.
In his native Australia, Dan’s security engineering and architecture experience with government and corporate entities led to co-founding a number of companies there in the security and services space. Upon moving to the United States, he applied that experience to security and infrastructure management at First Republic Bank and a number of high-tech companies.