SMEs Become Major Target for Cybersecurity Attacks

Hacker
Cyber attacks have become an expensive and frequent danger to businesses of all sizes. The cybersecurity attacks that usually make headlines are ones affecting large businesses, but it turns out that 62 percent of all cyber attacks target small and midsized businesses.

Small and midsized enterprises (SMEs) are not lucrative individually, but automation has made it possible to attack them by the thousands. Because various SMEs are affiliated with larger organizations and may have access to the data of these partners, hackers may also see SMEs as a gateway to larger corporate networks.

SMEs tend to be easier targets than large companies, because their budgets are usually smaller and don’t prioritize cybersecurity. However, the cost for victims to recover from a cyber attack has steadily increased each year, regardless of the size of the business. Cyber attacks are expensive due to lost productivity and recovery expenses, which can cost a brand millions in public relations consulting fees, customer outreach efforts, advertising campaigns and liability suits.

The staggering cost of a potential cyber attack makes network security and a technical risk assessment essential for a business to prepare for and recover from a security breach. As the digital age continues, cybersecurity grows more important.

Take time to identify any weaknesses in your business’s cybersecurity and create a plan for correcting them. For more information on how to prevent cyber attacks, read our post “Five Ways to Thwart a Cybersecurity Nightmare.” 

Limit Downtime This Hurricane Season

Floods from hurricane destroy roads and office buildingsWith hurricane season now in effect, several large storms are already causing major flooding in Houston, TX. An estimated $1.3 billion in damages is slowing or temporarily halting business operations for many companies in the area.

However, instead of suspending essential business activities, one company is making the most of the recent floods. Houston-based independent electricity provider AP Gas & Electric (APG&E) used the surge of downpours as an opportunity to test its preparedness for the more considerable storms that are likely to hit in the coming months. By sticking to its predetermined business continuity plan (BCP), APG&E is able to continue providing electricity to its customers, saving the company time and money that would have been lost had it closed down.

If your business is on the coast, follow APG&E’s lead and make sure you’re prepared to minimize downtime in the event of flooding, storm surges, extreme winds and even subsequent tornadoes this hurricane season. Here are a few suggestions to help you start your BCP.

Create a Plan That Addresses the Entire Business


There’s a common misconception that business continuity planning only affects the IT department. In fact, whether you create a business continuity plan (BCP) internally or choose to outsource it, your BCP should involve plans for getting critical processes and departments up and running again.

If you already have a BCP in place, third-party consultants can provide an objective view of your business and make suggestions for your BCP so that your plan is effective when interruptions occur.

Business continuity as a service (BCaaS) uses the expertise of professionals to develop and manage a specific plan tailored to your business’s needs. With a streamlined course of action, your business will be able to remain operational in the event of a disaster.

Prepare Alternate Workspaces


Whether there’s physical destruction to your building, or employees and customers are unable to travel, damages from disasters can hinder your ability to maintain normal business activities in your primary office space. If you need to relocate business operations, make sure you have access to an alternate workspace as soon as possible.

Fully equipped alternate workspaces like Mobile Recovery Centers (MRCs) can be made available within as little as 24-48 hours of a disaster declaration, while fixed-site Business Recovery Centers (BRCs) can be made available within as little as four hours of a declaration. Once the alternate location is set up, your company can begin to successfully restore business operations.

Back up and Recover Your Data


Having access to your data and applications is imperative when disaster strikes. A fully managed and monitored cloud recovery platform will protect your IT infrastructure. With secure data vaulting and recovery, your data will be recoverable on- or off-site within your recovery time objectives.

Hurricane season is upon us, so make sure you take the necessary steps to prepare your business before it’s too late.

To see how another business remained operational during hurricane season, check out this post.

[INFOGRAPHIC] Why Employees Are the Leading Cause of Data Breaches

Employee data breaches have become a major concern in today’s corporations. An astounding 60 percent of companies believe their employees are not knowledgeable about potential security risks. 

Learn more about the leading cause of data breaches by checking out this infographic by Experian.

Infographic depicting the causes of data breaches

Data breaches are here to stay. To learn more about the harm they cause, read this post.

How Do You Maintain Business Continuity When Your Business Is Part of a Crime Scene?

Police crime scene tape close up
In April 2015, Baltimore, MD erupted in chaos as protesters stormed the streets following the death of 25-year-old Freddie Gray. Rioters showed no scruples about damaging physical property, and a Small Business Administration survey later estimated the damages at $9 million.

But while many businesses weren’t equipped to handle the disruption, one local service provider was prepared. Rather than shutting its doors while waiting for the rioting to subside, the business simply relocated its operations to a building it owned outside of the hot zone. The building was already equipped with tables and chairs, and the business worked with a third-party business continuity and disaster recovery (BC/DR) vendor to have office equipment shipped in within 24 hours.

What would you do if your business experienced an interruption due to a civil unrest, a terrorist event, workplace violence or other kind of event that might make your own organization or city a crime scene? Follow the lead of the Baltimore service provider and take these precautions: 

  • Have physical space ready. It could be a building you own, a previously contracted third-party building or a mobile workspace.
  • Make sure you have access to backup equipment, whether it’s your own inventory stored off-site or equipment that you’ve precontracted from a BC/DR provider.
  • Make a plan of action and test it. Creating a plan of action and testing it helps your employees know what to do in the heat of the moment and helps you fine-tune the plan.

Unfortunately, you won’t receive prior notice when a crime occurs on your doorstep. But with some advance planning, you can relocate your operations and protect your business. 

To learn more about integrating workspace recovery and IT disaster recovery to maintain business continuity, read this post.

Three Unexpected Opportunities for Business Continuity ROI

ROI concept
“What’s the ROI on that?” is one of the most popular questions management asks when evaluating business programs and projects. When it comes to business continuity programs, the answer is often “Well, there’s not really any ROI unless you experience a disaster. It’s like insurance.”

Because of this perceived lack of immediate value, budgets often get diverted away from business continuity to other projects that produce more tangible results. In fact, 49 percent of businesses don’t even have a comprehensive business continuity and disaster recovery (BC/DR) plan, leaving their entire company at risk because of the lack of an obvious ROI.

But what you may not realize is that business continuity programs do produce ROI — and you don’t even have to experience a disaster to reap the benefits.

Identifying new opportunities begins with the business impact analysis (BIA), when you assess and prioritize critical business processes, employee roles and technology. As you take a closer look at the inner workings of your business, you’re likely to discover new opportunities for cost savings or even revenue generation. If you work with a consultant who can provide an objective BC/DR assessment, we can almost guarantee you’ll find areas for improvement within your company.

Here are just a few ways you could realize ROI from your business continuity program.

Phase out Outdated Processes


Do you have manual processes that can be automated? In an IDC Technology Spotlight, 33 percent of respondents said their workflows involve manually extracting content from paper documents. By automating outdated processes like these, you can have employees spend that time focusing on other activities that advance the business.

Shorten Approval and Revenue Cycles


Are there too many unnecessary people involved in approval processes, thus slowing down project and revenue cycles? During the BIA process, you’re forced to identify critical processes, as well as the people and resources that perform those processes. What many businesses realize during the BIA is that certain processes have unnecessary touchpoints. Simplifying these processes will make business continuity more efficient and cost-effective. On a day-to-day basis, you also have the potential to identify ways to shorten your approval times and revenue cycles.

Decrease Vendor Investments


How many vendors do you work with? In an Institute of Internal Auditors Research Foundation (IIARF) survey, 42 percent of respondents said they rely extensively on third-party providers. Of those who use third parties, 90 percent said they used technology vendors. In some cases, you can consolidate the products and services you receive and cut down on the number of vendors you work with. By bundling products, you can reduce the money spent and increase the value provided from those services. You would also decrease organizational risk, as the more vendors you work with, the more you open yourself up to security issues such as third-party data breaches.

As you can see, having a BC/DR plan in place isn’t just about being prepared for a disaster. An effective plan can help you make your processes more efficient, improve data security and save you money.

For more insight into the ROI of business continuity, check out the resources for the Business Continuity Institute’s Business Continuity Awareness Week 2016

[Webinar Recap] How to Get the C-Suite to Prioritize Cybersecurity

Webinar slide
One of the most important pieces of a successful breach response is senior executive involvement. Yet research by Ponemon Institute shows that only 45 percent of executives believe they’re accountable for the incident reporting process. In fact, they view breaches as part of the cost of doing business.

Convincing the C-suite to prioritize cybersecurity can sometimes feel like an uphill battle, which is why we spoke on that topic during our recent webinar with the Disaster Recovery Journal. During the session, Rentsys Senior Manager Brandon Tanner and Director of Network Services Scott Frieszell offered their top three tips for getting the C-suite on board with cybersecurity initiatives:

  1. Don’t start at the top.
  2. Emphasize the benefits to stakeholders in each department.
  3. Provide a picture of the total impact.
 To hear more, check out the webinar recording here

Four Ways to Keep Your ePHI From Becoming a Statistic

Doctor using a computer
Medical Provider Struck by Hackers!

Insurance Giant Suffers Massive Data Breach!

Millions of Patients Have Data Stolen!

It seems like there are new headlines about data breaches in the healthcare industry every month — if not more frequently. In the last few years, electronic protected health information (ePHI) has become the primary target for hackers, and it's easy to see why.

According to a recent report by Reuters, ePHI fetches 10 to 20 times more than credit card data on the black market. That's why organizations that handle healthcare data are prime targets for data breaches and theft. In fact, 28.5 percent of the entire U.S. population was affected by just two — Anthem and Premera — healthcare data breaches that were discovered in 2015.

Starting to feel a little overwhelmed? Don't worry. Here are five things you can do to keep your ePHI safe from prying eyes.

Encrypt Everything


In 2013, two laptops were stolen from a secure office at a hospital in California. The laptops contained ePHI such as financial information, health conditions and demographic information. Unfortunately, the data wasn't encrypted, so the hospital had to notify 729,000 individuals that their ePHI had been compromised. The hospital implemented policies and procedures to reduce risks to the patients' ePHI, but the damage was already done. Had the laptops been encrypted, the hospital could have protected the information.

A recent article by Health Data Management points out that it's easy to encrypt everything, since encryption tools are embedded in current operating systems and come with nearly every device. (If a device doesn't have built-in encryption functionality, that's a sign that it's outdated and shouldn't be used to handle ePHI in the first place. We talk about that more below.) Yes, encrypting all your data costs time and money, but it's a drop in the bucket when you compare it to the cost of recovering from a breach.

Know Who You're Working With


While keeping ePHI out of the hands of outside thieves is hard enough, you also need to be able to trust your employees and your vendor's employees with the sensitive information. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) maintains a "wall of shame" website listing major healthcare data breaches. Of the 1,472 breaches on the website, 309 (21 percent) involved a business associate. These associates were responsible for exposing 32.8 million records.

You should thoroughly vet your employees and vendors who have access to your ePHI to make sure they're not susceptible to using the information for personal gain. Routine audits can catch employees who are putting their noses where they don't belong.

Stop Using Outdated Devices


Encrypting ePHI and auditing employees' system usage can go a long way toward better controlling patient data, but the ability to do those things can be hampered by outdated technology. The healthcare industry is traditionally slow to adopt new technologies, and old communications methods and technology (such as pagers) are costing hospitals $8.3 billion per year.

Obsolete, poorly secured technology leads to vulnerabilities in your network. In fact, even one outdated system connected to the network could provide hackers with a back door. To monitor for threats, use a firewall service that includes intrusion detection and prevention, port scanning and protocol inspection, and perimeter anti-virus/malware blocking.

Don't Count on Obscurity


When healthcare giants like Anthem and Premera make headlines with massive data breaches, you might think you can get away with less-than-cutting-edge ePHI security by being a smaller provider. After all, hackers are only interested in big scores, right? Wrong. ePHI from a small physician's practice is just as valuable as ePHI from an insurance giant. According to a recent Health Data Management article, smaller providers represent a tantalizing target for hackers for one key reason: They're easy targets.

A lack of awareness about what the hackers are capable of and concerns about cost have kept many small healthcare providers from being properly equipped to handle sophisticated cyber attacks. Regardless of the size of your practice or company, you should always be aware of the threat of cyber attacks and keep your company prepared to fend off hackers. The cost of keeping your patients' ePHI secure pales in comparison to the consequences both you and your patients could face after a data breach.

To find out more about how to keep your data safe, read our post "Five Ways to Thwart a Cybersecurity Nightmare."