If you made it through 2015 without a security issue, consider yourself lucky. All indications point to increasing threats, which means you should resolve to be even more vigilant in 2016 and to strengthen your security measures against both existing and new threats, including physical device protection, wetware avoidance, employee training, and more.
Here are our top 10 New Year’s resolution suggestions for infosec professionals.
1. Review Your Internal Threat Protocol.
While rogue nation-states, organized crime cartels, and other nefarious entities are the cyber villains everyone loves to hate, the most destructive and costly data security threats come from inside our organizations. According to PwC, 32 percent of companies said that inside sources of data theft are more costly and damaging than security incidents perpetrated by outsiders.
Identifying insider threats can be challenging, however, especially when companies rely on technical security controls alone. What’s needed is a holistic approach that addresses both the technical and non-technical detection points, including the human behavior side of the risk—psychological motivators, opportunities, and triggers.
2. Be Alert to Wetware Security Threats.
Wetware is likely “the security threat you’ve never heard of,” wrote Forbes contributor Adam Levin. The term plays on the fact that the human body is about 60 percent water, and is “used by hackers to describe a non-firmware, hardware, or software approach to getting the information they want to pilfer.”
Wetware intrusions occur when attackers use social engineering to exploit human weaknesses such as employees’ trust, predictable behavior, or failure to follow security protocols. Examples include opening a phishing email, deliberately taking an illegal action, and losing paper files that contain sensitive information. The key to avoiding these threats is education and vigilance. Train your staff to spot scams, avoid them, secure their devices, and follow basic security best practices.
3. Stay Alert to New Scams.
A particularly sophisticated email phishing scam attacked companies throughout 2015, resulting in more than $1.2 billion in damages. In October, the Federal Bureau of Investigation sent a second warning to U.S. businesses about the vicious Business E-mail Compromise (BEC) attack. “Despite a warning about these email scams (in February) … I have seen an increase in this activity,” stated FBI agent Scott Augenbaum.
To ensure that your company doesn’t become a victim of this email scam or others that may develop in 2016, stay informed and connected. To learn more about the BEC scam, common versions of the emails, suggestions for protecting your company from becoming a victim, and guidelines for filing an IC3 complaint, visit the FBI’s Internet Crime Complaint Center (IC3) website.
4. Don’t Forget Physical Device Security.
In February 2012, Emory Healthcare lost ten computer disks that were being stored in an empty office, putting 300,000 patients’ data at risk. Emory faced fines, a HIPAA breach violation, and a class action lawsuit. This loss of physical data is not an isolated incident. According to a Bitglass breach report, “68 percent of breaches since 2010 occurred because devices or files were lost or stolen, while only 23 percent were due to hacking.”
While not as sensational as external threats, physical data security threats come with the same high costs—regulatory penalties, lawsuits, and PR nightmares. In fact, the loss of sensitive data by any means is catastrophic for a company. As a result, a thorough security plan should include protection of physical devices and files, including paper documents.
5. Create or Review Your Breach Response Plan.
Despite the billions of dollars spent on security controls designed to keep cybercriminals out and prevent internal data breaches, the number and severity of data breaches increase every year. To mitigate the risks and meet the demands of consumers, regulators, and the press, companies must create a breach response plan—before a breach occurs.
“Even firms with mature security organizations and advanced security controls will experience breaches. Thus, every organization needs an incident response plan—a plan that it maps out in advance and tests regularly against the types of incidents most likely for the firm’s threat model,” stated Forrester Research.
6. Transform Your Security with Cloud-Based Tools.
As more businesses discover and utilize the full capabilities and potential of cloud services, their security models ultimately may be transformed, according to PwC. In fact, in 2015, over “59 percent of businesses that use cloud services report that doing so has improved their information security program.”
Cloud-based security can improve intelligence gathering and threat modeling, better block attacks, enhance collaboration and collective learning, reduce the lag time between detection and remediation, and create secure communications channels. Factor in potential cost reductions, and cloud-enabled security becomes all the more compelling.
7. Consider Joining a Collaborative ISAO in Your Industry.
In a world of unrelenting cyber attacks, early-warning notification and expert advice can mean the difference between business continuity and widespread business catastrophe. That’s why in February 2015 President Barack Obama signed an Executive Order to encourage sharing of cybersecurity threat information within the private sector and between the private sector and the government.
Among the recommendations of the order was the creation of Information Sharing and Analysis Organizations (ISAOs) to safely and effectively share information that could help companies better prevent and respond to cyber threats and vulnerabilities. “Rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone,” stated the White House.
8. Get Certified.
If you or members of your security team are not yet certified, resolve to make qualification a priority in the New Year. Verizon, which compiles an authoritative annual report on security breaches, recommends having IT security staff pass a course, such as GIAC Incident Handler, so that they will know how to properly respond to a breach. “A lot of organizations lack personnel on hand who know what to do in the event of a data breach,” says Bryan Sartin, director of Verizon’s Research Investigation Solution Knowledge (RISK) team. “They need to know how to freeze the environment, how to move toward incident containment, and how to maintain crime scene integrity.”
Security credentials range from the entry-level CompTIA Security+ to the gold standard (ISC)² Certified Information Systems Security Professional (CISSP). Other popular security certifications include those from GIAC, EC-Council, and ISACA.
9. Initiate Mandated Training.
Infosec pros have a responsibility to help employees understand that they’re part of a team fighting together against vulnerabilities and hacking. Every team member should feel not only valuable in this fight, but also well prepared to contribute to the security effort, and this requires mandated training. Most industries offer many options for this type of training.
For example, for healthcare security professionals, the official HCISPP training seminar is the most comprehensive, complete review of healthcare security and privacy concepts and industry best practices. It is also the only HCISPP training course endorsed by (ISC)². It includes interactive learning techniques, providing learners with relevant and timely content that will increase knowledge retention and transfer, and is led by (ISC)²-authorized instructors who specialize in healthcare security and privacy.
10. Consider Adopting NIST Standards.
Security pros do a lot to counter the never-ending security threats breathing down their necks, but they aren’t necessarily doing the right things to actually mitigate their risks. Despite it being a requirement of the HIPAA Security Rule, many healthcare companies have not yet adopted a defensible information security structure that contains the critical components. Clearly, businesses must raise their Information Risk Management (IRM) to levels that exceed the threats. This includes adopting a process focused on continuous improvement.
One of the most powerful information risk management (IRM) processes already exists to support this goal—the National Institute of Standards and Technology (NIST) Cybersecurity Framework. NIST gives organizations a proven security infrastructure, a continuous improvement framework, and critical guidance on managing information security, including understanding their assets, threats, vulnerabilities, and appropriate controls.
We hope you find these New Year’s resolutions beneficial in your battle to launch and sustain the most secure shield of defense in your company against every security threat you’ll face in 2016.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.