CYBERSECURITY

By Michael Drawbaugh

In this day and age, security must be paramount, or you will end up being sorry. This article addresses several key elements in ensuring you and your team offer a modern and safe business in which your data and information about your valued clientele are secure and safeguarded with the utmost care.

What exactly is Cybersecurity?

Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. It is more commonly known as information technology (IT) security. Cybersecurity measures are designed to combat threats against networked systems and applications, whether those threats originate from inside or outside of an organization.

In short, it is the age-old process of protecting a company’s assets—now digital—to ensure that you can mitigate risk and protect yourself from any significant event or disaster including modern cyberattacks such as phishing and ransomware.

Why is this important to my clinic?

Everyone plays a role in cybersecurity, especially you. As a human resource to the organization, you are a key element in the overall success and failure of the business, including the protection of data. Cybersecurity has been, and will continue to be, a critical issue. As technology becomes more complex, more advanced, and more user-friendly, it becomes more vulnerable. We can blame that on a few factors, but one such factor is the human element. Humans are the weakest link in any structure, and that is no secret.

Four Reasons Why Humans Are the Weakest Link

There are four primary reasons why humans are the weakest link in the security chain:

1. Humans are trusting by nature and want to believe the best in people. We are more likely to fall for scams and social engineering attacks. Scammers and attackers know this, and they exploit our trust to get what they want.

2. We are creatures of habit and often do not like to change our routines. This makes it easy for attackers to target known weak points. For example, an attacker may know that you always check your email first thing in the morning. They could send you a phishing email at that time, counting on you to click on a link or attachment before you have had a chance to think about it.

3. We are often too busy to pay attention to detail, leading to us making mistakes that hackers can manipulate.

4. We can be emotional creatures, which clouds our judgment and makes us more vulnerable to social engineering attacks. We may let our guard down when we’re emotionally invested in something, which makes us susceptible to scams and other fraudulent activity.

No matter how strong your technical defenses (such as firewalls and intrusion detection systems) are, they can always be circumvented by a determined attacker if he or she can find a way to trick or coerce a member of your staff into giving them access.

Humans are fallible and make mistakes. Mistakes in cybersecurity can have disastrous consequences, as we have seen with high-profile data breaches in recent years.

Humans are also the easiest target for cybercriminals. We can be socially engineered into clicking on malicious links or opening attachments that contain malware, a tactic commonly referred to as phishing. Once our systems are infected, detecting and removing destructive software can be challenging. This is the primary reason for having a highly reputable endpoint security solution, commonly referred to as Anti-Virus and Anti-Malware, running on all your devices.

How best to protect your data

First, you should get the best-of-breed security services you can afford. But at the end of the day, the only true way of protecting your data is through BACKUP. Back up your data regularly. Daily! Enough said.

If you back up to a flash drive or other physical hard drive, please disconnect that drive from your computer after the backup. Store it in a secure location. If you leave your backup on a hard drive that stays connected to your computer, that hard drive will be compromised if your computer is compromised, which makes the backup irrelevant at that point.

Now flash drives are a great short-term solution, but be aware that they are prone to damage and failure. This is not the best way to protect your data, although something is better than nothing.

Store the flash drive in a different location than the computer, keeping in mind that in the event of a disaster, you want your backup and computer in two completely different locations so that one of them will likely be accessible. Back up your files to a secure cloud location that is a trusted source and meets most (if not all) industry certifications.

Use business-grade services such as Microsoft 365 applications and cloud storage, as these solutions encrypt data both in transit and at rest. Encrypting data means that the data is converted into a cipher or code that prevents unauthorized access to it. Encrypting data in transit means that the data is encrypted as it is being sent from one location to another, including the uploading of the file to the cloud. Encrypting data at rest means that data is securely encrypted while it is not being actively used.

Backing up your data regularly is the only way to ensure that you do not lose valuable data due to a ransomware attack, and it keeps the institute from having to pay the ransom in an attempt to get the data back.

What about passwords?

The old notion is to frequently change your password to help suppress the window of opportunity in which criminals could break into your environment. However, as described above, this actually makes it easier to crack passwords because humans (aka “weak links”) started using patterns, such as adding 1, 2 and 3 at the end of the password each time it was required to change. Studies have shown this makes passwords easier to hack.

A new method has come about and is being led by many premier industry vendors including Microsoft. That is, passwords don’t have to change so long as they are extremely complex and hard to hack using so-called dictionary attacks and other computer-aided attacks. Using a passphrase or combination of words to form a 14-18 character “password” is becoming the new norm. Passwords such as BackingPackers#254 are becoming very commonplace, and frankly just as easy to remember. They are also extremely difficult to crack using even the most advanced hacking tools.

In addition, many devices are now also offering alternative authentication systems including PINs and biometrics, something that is specific to that device and that device only.

But the ultimate form of account protection is to implement Multi-Factor Authentication or MFA (sometimes also referred to as 2 Factor Authentication or 2FA). MFA is the act of protecting sign-ins with a username and password through a 3rd form of authentication. This is usually a notification on a smart device, a code sent via text (SMS) message, or sometimes even automated phone calls depending upon the selected MFA service and services available to the end user. With MFA enabled, even with your password, hackers can get no further without authorizing access into the account. This is a highly secure practice, one that is becoming mandatory on most platforms including Microsoft 365.

One Final Thought

Do not be stingy! Free can be very tempting, but “buyer beware.” When dealing with cybersecurity, this needs to be reviewed and approached from the perspective that you are investing in your business. It is all too easy to use the free solution that Cousin Bob told you about at the last family picnic. Nonsense! Work with a reputable, seasoned IT professional or firm that can help guide you through the overall process of safeguarding your business and treat it with the attention it deserves. Further, each scenario can dictate different solutions, so there is no single solution that fits every business’s needs.

About the Author: Michael A. Drawbaugh is the owner and senior-level consultant for MAD Technology Solutions, LLC, a full-service IT consultancy working in the greater Harrisburg/Hershey metro area and beyond. Key services include providing seasoned, senior-level IT resources to small business owners and small business managers to ensure they are effectively using technology to meet their own business goals and objectives. They are also a Microsoft Cloud Solution Provider focusing on the Microsoft 365 platform. Michael is a Microsoft Certified Professional and Small Business Specialist.
