Cybersecurity incidents are a growing threat to all organizations, and that includes providers working in Long Term Services & Supports. In this brief article, we’ll first look at a few sobering statistics about the criminal industry behind the threat. Then we’ll outline some very effective measures you can take to defend yourself against these motivated, professional criminals.
Ready for the first statistic? You may want to sit down. It’s this:
Cybercrime is more profitable than the entire global illegal drug trade combined. Startling, right?
Profit from the illegal drug trade rakes in around $400 billion each year, whereas the total revenue generated by cybercriminals is about $1.5 trillion annually. Last year cybercriminals profited a total of around $1 billion from ransomware attacks alone. (Ransomware enables hackers to lock down a facility’s computer system — or increasingly the computer systems of entire city governments — and demand to be paid hefty ransoms in untraceable Bitcoin or other crypto-currencies.)
And that $1.5 trillion figure is only the profit. The danger to individuals and organizations is four times higher than that figure indicates, because the damages — including the extra costs of security, costs of notification, recovering from cyber-attacks, and the costs of entire businesses and organizations which perish after a cyber-attack — will top $6 trillion annually by 2021. Even more telling, 66% of businesses surveyed weren’t confident they could recover from a hacker attack.
More than 6,000 online dark web marketplaces sell over 45,000 off-the-shelf ransomware products and services. And these criminals give no quarter. They spare no one. Healthcare and related industries are the #1 target of hackers.
We can draw one overriding conclusion from this stunning statistical evidence of the risks. Data security is mission-critical.
Data security is mission-critical.
As you can see from the above statistics, data security is mission-critical for any organization, especially for Long Term Services & Supports providers, assisted living facilities, as well as organizations working in I/DD — all of whom are highly attractive targets for hackers.
The costs of network remediation, of notifying the individuals and organizations affected, and of any damages incurred by a resident (or individual) — especially if your organization was deemed negligent — can be stunning.
If you haven’t put a comprehensive security plan in place, you’re leaving your organization vulnerable. The potential for loss and damage is significant.
Technical defenses and human defenses are both required.
Although you can erect a stout wall of defense on your own (see the tips at the end of the article), the advice and help of computer security professionals are invaluable in creating an effective digital security system specific to your organization’s needs.
And yet even the best antivirus and firewall software can’t completely protect your data and systems. Most hacker attacks weaponize the very individuals the system is designed to serve. Every staff member, and every other individual who uses your system, must be educated and motivated to defend against hackers.
– 80% of hackers say “humans are the most responsible for security breaches.”
– 32% of hackers say privileged accounts are their number one way to hack systems.
Seizing such an account can be quite easy with a simple phishing attack. Phishing is a social or psychological attack used to steal login credentials. A phishing attack begins when the attacker, pretending to be a trusted person or entity, deceives the victim into opening and interacting with an email, instant message, or text message.
From there, the attack can continue as strictly psychological manipulation, deceiving the victim into handing over login credentials. Or the attack could proceed as strictly technical, once the victim clicks on a virus-tainted link or downloads a file containing a virus.
The ubiquity of mobile devices and the rise of the Internet of Things pose new challenges for defending your data.
In the early days of the Internet, all we had to defend were wired Ethernet connections. You may remember unplugging the Ethernet cable from the back of your computer when you weren’t using the Internet. Simple enough!
But Internet eons have passed since then, and devices in use on WiFi and Bluetooth networks have multiplied exponentially. Modern WiFi and Bluetooth encryption can almost always prevent unauthorized entry, but only if humans using the network follow basic security protocols. The use of password-protected WiFi on your system — including every router — should be verified.
The bigger risk is mobile devices, which — because they’re more numerous — offer many more targets, some of them outside the purview of your organization. How many of your staff, for example, access email or company websites or apps via their home computers or personal phones? Closing this vulnerability, and keeping it closed, requires specific and focused education for everyone using a phone to access the system — including email.
The Internet of Things Vastly Increases the Number of Vulnerable Targets for Attack.
While many directors are aware of the necessity of protecting computers and phones, the security risks of IoT (Internet of Things) devices are less well known. Consequently, their protection is often neglected.
By 2022, the number of IoT sensors and devices is expected to top 50 billion. Since these billions of IoT devices are connected to the internet, they can be hacked just like any other internet-connected device. They bring us a lot of benefits and convenience. But they also vastly increase the number of vulnerable targets for an attack on the entire system.
A compromised printer, for example, could easily give an attacker eyes on everything printed in an office.
As we’ve frequently seen in news coverage of these terrifying events, a compromised 2-way camera with a speaker for communicating with staff can result in real-time spying and even voice communication from the attacker.
The only defense is a thorough one: unique password protection for every device on your network. That’s a lot easier than it may seem, with the use of password manager software, covered in the section below.
Cover your bases with these highly effective defenses.
How can you protect your organization, residents, and staff from hackers?
1- Use up-to-date, secure routers and modems, with firewalls installed:
Older routers may have vulnerabilities or need patches that their outdated hardware can’t handle. A professional network security consultant can tell you whether your routers and modems are still up to the job.
2- Back up your data:
Outsmart the criminals who may try to lock you out of your important data. Keep backup copies both in the cloud and on an external hard drive. Then, if a ransomware virus locks your data down, you can wipe your computer or device and reinstall everything you need from backup. Backups don’t prevent ransomware attacks. But they can drastically lower the costs to you in data and in money. With iCM, all of your data is securely backed up with encryption in our system.
3- Use security software, and keep it updated at all times:
Consult with a security professional to decide on the best security software solution for your organization. Ensure that your system, including all of the computers and devices interacting with it, is protected with professional-grade security software.
Keep all software — not just security software — up to date. New vulnerabilities in end-user software, system software, and IoT software are constantly discovered by security professionals, who then communicate these holes in the defense to the developers. Responsible software developers issue security updates regularly. So make sure that your organization has a system in place to receive notification of these updates, and to implement them.
4- Ensure all users of your system are educated on safe practices
Systematic, adequate education of all users of your system may require an outside, specialized education company or professional — or not, depending on your specific situation.
At a minimum, your staff should know — and be reminded — to not respond to emails and text messages from unverified sources. They should also know to download attachments and applications only from trusted, verified sources.
Education of end-users is one of the most important components of an effective defense, since, as we’ve seen above, malware criminals often use social engineering to bypass even the strongest of technical defenses. They know that if they deceive one privileged user, they can exploit your entire network.
5- Only use secure networks, and implement a comprehensive VPN solution
Secure your own networks. And educate your end-users to avoid using public WiFi networks without a VPN (a virtual private network). The fact remains true to this day: many public WiFi networks are highly insecure, and cybercriminals can watch the internet usage of individuals using them. (Installing an organization-wide VPN, on all computers and all mobile devices, provides every individual in your organization with a secure connection to the internet even when connected via an unsecured WiFi network.)
6- Set New Passwords on Every IoT Device
IoT devices may ship with a password. Sounds good, but there’s a catch — astonishingly, it’s often a default password. In other words, it’s the same password on every device shipped. While this practice brings obvious efficiencies to buyers and sellers of these devices, it’s terribly unsafe. When every device of a given model ships with the same password, it’s easy for hackers to get into them. So it’s crucial to verify that every new IoT device is assigned a unique, strong password.
Also, evaluate the necessity of IoT devices. If they present too big a vulnerability for too little benefit, you may consider forgoing them in your organization, on a case-by-case basis.
7- Use a password manager
Passwords strong enough to keep hackers out require a certain length and complexity. What makes passwords impossible to guess also makes them difficult for most humans to memorize.
Unfortunately, without commitment and education from organizational leadership, that means most of us will create easy passwords we use in many other accounts. It’s just human nature.
That’s why a password manager may be a key part of your security plan. A password manager is a cloud-based application, strongly encrypted, which stores all your passwords in a single database, easy to access. It’s a two-edged sword of a solution, of course: you must protect that database. Consult with network security professionals to choose a password manager appropriate to your organization.
8- Create a response plan to use in the event of an attack
Working with a network security professional, or at least using careful research from trusted authoritative sources, create your response plan to use in the event of various kinds of cyber-attacks. Be sure that each plan is redundant and accessible to key staff members. Which is to say, be sure that it is printed out and stored, on paper, not on a computer which could be locked down as a result of a ransomware attack, and not on a storage device which could be compromised as soon as it’s connected to an infected network.
9- Consider insurance
To mitigate the financial damage and liability in the event of cyber intrusions and attacks, you may want to consult with your legal, security, and insurance professionals to determine whether purchasing a cyber-security policy is warranted in your case.
Long Term Services & Supports providers are as vulnerable as any organization to cybercrimes such as ransomware attacks, vandalism, and theft of funds, data, and identities. Cybercrime is a highly profitable illegal activity, easily eclipsing the profits even of the illegal drug trade. This financial motivation, together with nihilistic and educated criminals, makes for highly motivated and constant attacks on organizations and individuals connected to the Internet. Although the enemy is formidable, defending your organization is entirely doable, with a comprehensive system of defense put in place with the help of a cyber-security consultant and maintained by able and motivated leadership.
Sources: PBS Frontline; Bromium; Cybersecurity Ventures; Fortune Magazine; CSOonline; Thycotic; Juniper Research