Cybersecurity for Small and Medium-Sized Businesses
June 25, 2019
Andrew Kroninger, Total HIPAA’s Director of Customer Success, recently interviewed Erik Kangas, founder and CEO of LuxSci. LuxSci provides email encryption, web hosting, forms, and secure sending services for HIPAA compliant entities. The two discussed cybersecurity for small and medium-sized businesses and the hidden cost of cyber attacks.
Erik provides helpful tips for small and medium-sized business owners who wish to keep their companies safe. You can listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read our summary below.
Biggest Cybersecurity Challenges for Small and Medium-Sized Businesses
It is no surprise that small and medium-sized business face unique cybersecurity challenges. In order to overcome these obstacles, business owners and managers must first understand the specific problems they face. In this interview, Erik outlines several factors that make small and medium-sized businesses particularly vulnerable.
Lack of Oversight
In a small business setting, each employee is responsible for a significant percentage of the company’s output. Therefore, everyone is so wrapped up in their own projects that they tend to push (what they consider) “non-urgent” matters, like cybersecurity, aside. (Of course, we disagree with this idea that cybersecurity is a non-urgent matter.) Erik calls this the “wild west mentality.” Employees are spread thin and do not have the bandwidth to think about the minutiae of cybersecurity.
Additionally, small and medium-sized businesses rarely have an in-house IT department or a sizable number of employees who understand cybersecurity. How can they adequately monitor their systems and cybersecurity programs if no one fully understands how they work?
Likelihood of Personal Device Usage
Small businesses tend to have more flexible scheduling; employees may work from home or take their work out of the office. This generally less regimented approach results in more employees using personal devices at work. There is often a lack of policies surrounding personal device usage, like a BYOD (Bring Your Own Device) Agreement.
Any laptops, computers, mobile phones, or tablets that employees that access the company network must be protected like all other in-office equipment. For example, failing to install adequate firewalls on a single employee’s laptop opens the company up to a myriad of possible attacks.
Lack of Time
Again, small and medium-sized businesses have limited time and resources. They tend to skimp on employee training. This may seem like it has little to do with cybersecurity, but employees play a large role in your company’s safety. Many cybersecurity attacks, especially those related to email, can be prevented by employee diligence.
Typically, if a small or medium-sized business needs a new security-related service, they use google to find an option that fits their price range. Then, they install it and forget about it, assuming the program will manage itself and protect the business from all cybersecurity-related threats. However, this is not enough – programs need to be maintained. The “set it and forget it” mentality creates dangerous vulnerabilities. Not to mention, having the correct software is only one piece of the puzzle.
Common Attacks on Small and Medium-Sized Businesses
Social Engineering Attacks
Social engineering attacks rely on human interaction to extract information that should not be released. This type of attack can wreak havoc on small and medium-sized businesses. Phishing and spoofing are the two most common social engineering attacks. Both cause many HIPAA breaches and incidents of theft each year.
Phishing is a type of scam in which hackers contact a target, usually by email, posing as a reputable website or trusted entity. (90% of phishing attacks come through email.) By assuming this false identity, they lure individuals into revealing sensitive information, like login credentials or banking and credit card details. For example, a phishing email may appear to come from a user’s employer and ask for their username and password to the company website. The user provides the information and grants the hacker access to the company’s systems.
Hackers also use a method called spoofing. In this case, the attacker sends an official-looking message, usually an email, to a target that contains a link. Clicking on this link installs malware on the recipient’s device.
Though these attacks pose a serious threat to small and medium-sized businesses, they can be prevented with adequate training. Teach employees how to recognize these malicious emails.
Hackers install malware on devices remotely, often through email. There are always new innovations in harmful software like drive-by malware. This is a type of attack that installs malware onto a user’s device without them having to click on a malicious link. Again, employee training and using a secure email service can filter out, or at least highlight these dangerous messages.
Hidden Cost of Cyber Attacks
Cyber attacks send shockwaves through small and medium-sized businesses. There are numerous hidden costs, especially if your company handles PHI (Protected Health Information) and a cyber attack causes a breach.
First, an organization has to clean up the mess, or rather, patch the leak. The problem must be solved as quickly as possible. Therefore, a small business will likely have to hire a compliance or cybersecurity expert to help with the cleanup. They will likely pay premium prices and rush fees because this must be done immediately. Not to mention, all other business matters must be put on hold.
The business may incur legal fees or fines. The bad publicity from the incident may lead to a loss of business or trust from clients, employees, and business associates.
Covered Entities (organizations required to comply with HIPAA) must notify individuals whose information was exposed in a breach. If the breach impacts more than 500 individuals, the Covered Entity must notify HHS, and potentially their State Attorney General’s office, immediately. Breaches affecting less than 500 people should be reported to HHS within 60 days of the end of the calendar year in which they occurred. After a breach, cyber insurance costs will skyrocket, if the company is able to get it at all.
In 2017, the average cost of a breach for a medium-sized business was $2 million, and it has only gone up since. If companies spent just 10% of that cost proper cybersecurity measures, it is likely that breaches could be prevented altogether, or at least seriously mitigated.
The old adage, “an ounce of prevention is worth a pound of cure” perfectly describes small and medium-sized businesses’ relationship with cybersecurity.
What Can Small and Medium-Sized Businesses Do to Stay Safe?
Rely on Experts
The best thing small and medium-sized businesses can do to stay safe is to work with an expert. Outsource the complex, difficult-to-understand tasks to an IT expert or Managed Service Provider. A comprehensive approach to cybersecurity involves working through every little detail; if you do not feel equipped to do this, hire help.
Many small and medium-sized business owners complain about the cost of taking proper cybersecurity measures. Think about it like paying for parking; putting $2 in the meter is worth protecting yourself from a $50 ticket, or worse – getting your car towed! The upfront cost may seem steep, but small and medium-sized businesses simply cannot afford the risk of doing nothing, or doing cybersecurity poorly.
Complete a Risk Assessment
Companies should perform a thorough Risk Assessment. HIPAA requires Covered Entities to perform a Risk Assessment, but any company benefits from this exercise. A Risk Assessment evaluates all possible vulnerabilities and establishes a blueprint for the creation of Privacy and Security Policies and Procedures.
Risk Assessments also help companies understand which actions they can reasonably address on their own and which they should outsource to experts. We recommend you review your Risk Assessment annually and perform one from scratch every 2-3 years, or when you’ve had any major changes in your systems. For example, getting new servers, upgrading to new operating systems, and using new software for collecting or storing PHI all warrant a new Risk Assessment.
Backup and archive everything. We recommend following the 3-2-1 rule: keep three copies of your data on two different storage platforms, one of which is offsite. Hackers coerce business owners into paying large sums of money to release their data/end a ransomware attack. We always ask our clients: how long you can live without your data? Many businesses would be devastated to lose even a week of material. Additionally, Covered Entities must retain PHI for a minimum of six years (if not longer, depending on state requirements), so secure storage is a must.
Using a free version of an email service may be tempting, but doing so puts your company at risk. Paid email services offer cybersecurity features, like filtering and warning labels that protect users from spam, malware, and phishing threats. This removes a great deal of risk. Even though employees should be trained to recognize and report these malicious email attacks, preventing them from interacting with these types of messages altogether is ideal. Additionally, if you send or receive any PHI via email, you must use email encryption. This is one of the many services LuxSci offers.
In conclusion, cybersecurity for small and medium-sized businesses is not as daunting as it seems if you ask for help. Why not hand things over the experts, for the sake of your business? You can find a full list of LuxSci’s offerings here and a list of TotalHIPAA’s offerings here. Again, the old adage “an ounce of prevention is worth a pound of cure” perfectly describes small and medium-sized businesses’ relationship with cybersecurity. Don’t wait for a disaster to occur; protect your business today.
January 6, 2020
HIPAA breaches involving fewer than 500 individuals, which occurred during 2019, must be reported to the US Department of Health and Human Services (HHS) by Saturday, February 29, 2020. Reporting… Read More ›Read More