When Ransomware Attacks - Be Prepared to Attack Back

Ransomware can be an unfamiliar term. But after 2020, more people have heard of  it than ever before. Dare we say it’s approaching household-word status due to high-profile incidents last year? Although IT security threats have always been part of online systems, bad actors are getting more creative and destructive, making them more impactful to organizations. These days, it doesn’t take experienced hackers long to shut down your systems and ruin your company’s reputation. But organizations are getting savvy and fighting back—often with the help of a good Managed Services Provider (MSP) at the heart of their defense.

Part of the problem is that remote software used by managed IT services and in-house IT managers has become a common “way in” for those who mean harm and believe you’ll pay to get your data back—even if your company’s data isn’t useful to anyone but you. As a result, it’s more important than ever to choose the right MSP. This article provides the background of these threats—and provides advice to help your organization “attack back”!

Ransomware Attacks are Rising — Traditional Antivirus isn’t Enough Anymore

According to a report from Harvard Business Review, ransomware attacks increased 150% in 2020 as compared to the previous year. And the amount paid to get data and network control back from the attackers has increased 300%!

 

Small to medium-sized companies are often the most vulnerable because they often depend on less-sophisticated or outdated MSPs and programs. Attackers know a loss of data could destroy your small company and you might pay a large ransom to keep it from happening. They may avoid larger companies that are more likely to have strong protections in place, with in-house professionals who keep a close eye on suspicious activity.

 

Prime Communications Inc.’s Solution Engineer, Justin Ekstein, urges every organization to take a fresh look at network security as soon as possible. He said, “At this point in the evolution of hacking and ransomware, there is no doubt what was good five years ago is no longer good. But the good news is you can fight technology with technology!”

In addition, Ekstein said, companies need to get serious about the human side of security. It’s no longer enough to install a firewall and let it run. “Automated programs help with early detection and auto responses, but human eyes should be on your network 24/7 to detect subtle suspicious activity before it becomes serious,” he explained.

IT threats have become more complicated due to the expansion of network technology—nearly every network now includes personal devices, freestanding applications, and automated connections that provide new “ways in.” Below are some of the highlights of the new nature of IT threats, followed by exciting new technologies and strategies you can use to overcome these issues:

Mobile Devices

Mobile devices with connections to your corporate network provide both a physical risk (when phones or tablets are lost or stolen) and a digital risk (through saved passwords and automated connections, among other things).

Old Antivirus Systems

Old antivirus systems focus on the software hackers are installing. They detect what they see as “a bad program” and then remove the program. However, by that time the damage may have already been done. Earlier detection is needed. MSPs that haven’t stayed up to date with their hardware, software and services expose your organization to the dangers of new threats.

Email Security Gaps

Email security gaps are more important than ever to understand and fix, because 90% of viruses and threats come through email daily. Although today’s email users have more experience than they used to and often can easily detect potential threats, it’s still not uncommon to mistake a bad email for a legitimate communication and click a link that suddenly exposes your entire organization.

Outdated Cloud Solutions

Outdated cloud solutions might be running on old systems that aren’t being backed up. It is surprising, Ekstein said, but even reputable MSPs may not be backing up your information. “Your cloud solution’s ability to deliver security depends on the vendor you’re working with. Some MSPs give you Microsoft solutions right out of the box, for example, which puts everything—email, documents, Sharepoint—on one drive. And they may be retaining your information for only 30 days after deletion, because that’s what the standard used to be.”

Old or Nonexistent Recovery Plans

Old or nonexistent disaster recovery plans leave gaps in your organization’s ability to respond, not only to ransomware attacks and other IT threats but to any disaster. Prime knows this first-hand from our own experience with a major flooding event at our headquarters in 2019. We had many systems in place that helped us recover, and we learned new strategies from our direct experience that we are now sharing with customers. Think about how quickly you’ll need your information back after a disaster and how the loss of data will affect your clients. Will your current plan make it possible to recover?

Untrained Personnel

Untrained personnel can make any threat worse, because, when your systems detect a threat, it’s imperative to act soon and do the right things. 

Tools to Outsmart Ransomware Thieves

Awareness of the issues listed above (and others) is the first step to “attacking back” against ransomware and other IT threats. However, you must take the next step to truly build a protective layer around your organization’s data and operations: you must take action. Here are tools you can put in place and actions you can take to attack back:

Layered Security

Layered Security includes a thoughtful, interwoven combination of hardware, software and human oversight of your systems. Ekstein said if any of these three layers is not present, your security strategy will not be effective. If your team doesn’t have the experience to analyze and implement the layers, look for an MSP that is a proven expert in this service.

Endpoint Protection, Detection and Response

Endpoint protection, detection and response are the calling cards of the latest antivirus software. These more powerful programs look at defined behaviors instead of just programs. They identify and analyze typical harmful behavior and distinguish it from harmless everyday actions, so you can detect potential threats earlier. 

Email Security

Email security can be addressed in several ways. Advanced security tools help identify and block new viruses and threats. Training in day-to-day email security is critical to help personnel see what threats look like. “You need to educate your staff at all levels and make their knowledge a part of your ‘security stack’,” said Ekstein.

24/7 In-Person Monitoring

24/7 in-person monitoring should be combined with AI to survey logs and check to see if any activity looks odd or cannot be ignored. Trained experts can make people in your organization aware of potential threats and help mitigate them before they become unmanageable. “AI saves a lot of time,” said Ekstein, “but it also makes decisions based only on data. You need human intervention to make smart decisions.” That may change someday when the technology is not so new, he points out, but we will still need humans to teach AI and show it what is good or bad.

Cloud Solution Agreement

Having a cloud solution agreement with terms and conditions will tell you exactly what you’re getting and what you’re paying for when it comes to backup. If you already have a solution, Ekstein said, check the fine print. If backup and essential services are not accounted for, consider changing vendors and solutions.

Preparedness

Preparedness is the name of the game when it comes to disaster recovery. Take time to write a custom disaster recovery plan and train personnel to respond to disasters appropriately. Ask us about Prime Communications’ safety training partner, Safe Passage Consulting.

Cyber Insurance

Cyber insurance improves your preparedness. Be sure you understand what your policy includes and how benefits will be delivered. It’s not a matter of if you’ll need it these days — it’s a matter of when something is going to happen to compromise your data. Insurance helps you overcome the fallout of your next digital disaster.

MSP Vetting and Selection

MSP vetting and selection is critical to any IT security plan. In fact, your provider can be the glue that holds your entire plan together. Choose a provider that is adaptable and flexible — knowledgeable in a wide variety of security concerns and capable of building a plan and providing tools that meet your unique needs. Don’t tie yourself down with a long-term contract, and make sure your vendor has the financial knowledge and experience to explain the difference between operational expense and capital expense. Your managed services and security expenses should be predictable, without unknown add-ons and surprises.

Meeting the Ransomware Threat Head-On

In today’s ransomware-persistent environment, it’s a requirement to be proactive. That means making sure you have all the tools in place to detect and respond to threats. If you aren’t sure how to bring the pieces together, lean on your MSP. The best providers supply you with a virtual chief information officer (vCIO) who can help you plan technology, think it through, identify what will most benefit your business, and give you a dedicated contact to consult regularly for guidance as a standard part of your plan.

 

Prime Communications Inc. is a corporate newcomer in this market and is excited to introduce the experts we have brought on board to help us provide the perfect MSP plan for our customers. MSP Director, Brandon Nyffeler, oversees all MSP operations and is joined by Ekstein, who provides expertise in network solution and safety.

 

With the experience and skill of these two new MSP principals, plus Prime’s proven technical expertise, services and personnel in digital security, integration and network management, we are excited to offer a depth of MSP service that’s hard to beat. 

“The good thing about the experience we bring to Prime,” Ekstein explained, “is that we’ve seen both the good and the bad over the course of our careers. We have come to Prime to put that knowledge into action for Prime customers, where we know we can do it better than anyone else.”

For more information about this exciting new offering from Prime Managed, call our office at 402-289-4126, or email managed@primecominc.com. Get ready to attack back!


Using Technology to Step Up Post-COVID Security: Prevention & Action

Law enforcement agencies have seen a sharp uptick in the number of mass shootings in recent years. According to a USA Today analysis, mass shootings surged with a 47% increase in 2020 over the previous year. This was happening before the pandemic, but part of it clearly seems to be due to COVID-19 and the psychological and logistical impacts of lockdowns, lost jobs and changing political landscapes.

 

COVID or no COVID, long gone are the days when you could see a horrible news story and believe it will never happen to you or your organization. You can’t just sit around and wait for it to happen. Especially if your organization is welcoming employees and customers back to physical venues after the pandemic.  This sudden new intensity is a perfect time to devote generous attention to security plans.

 

Modern technology and training reduce the likelihood of a violent event and reduce the potential impact. According to Prime Communications, Inc., COO and security expert, Jamie Bumgardner, the most effective defense you can offer your organization is the institution of a well-thought-out two-step approach: prevention and action. This includes assessing protocols, technology and training, as well as making sure your staff knows the correct actions to take, and when.

 

Many organizations have plans in place for these kinds of events, but both plans and technology are often outdated. In some cases, equipment has gone unused for a long time, has never been tested and no longer functions. In the most egregious cases, subpar disaster plans involve contacting someone who no longer works at the company!

 

Prime Communications partners with safety training firm, Safe Passage Consulting to assist organizations in upgrading security and developing comprehensive steps for effective safety plans. In this article, we outline the basics as a baseline to help you bring your own organization up to speed.

STEP 1: Preparation

The best thing you can do for your organization to effectively mitigate potentially violent events is to be prepared. This seems obvious, but it’s often taken for granted—and it’s not always true even if you believe you are prepared.

 

With proper, up-to-date technology and training, you may be able to prevent an attack from occurring in the first place. If the event itself cannot be prevented, updates will give everyone the best chance at survival, and that, of course, is the bottom line. “You can use technology and training as a force multiplier to keep people as safe as possible,” Bumgardner said.

Technology

Security technology experts work hard day after day, developing new ways to keep people safe and fine-tuning existing tech so it’s more efficient and reliable. If you are a security professional or company leader, it behooves you to also keep up with available technology to keep your people safe. The most heartbreaking part of any disaster is realizing too late you could have done more to save lives.

One example of recent technology advances is license plate readers. These have come a long way in function and reliability. A well-positioned camera can automatically check license plates of vehicles and cross reference them with databases of bad actors. If a vehicle belongs to a past offender or someone else who’s likely to cause trouble (e.g., a disgruntled former employee), you can be notified before they reach the building and potentially stop the problem there.

 

If the worst-case scenario happens and a shooting occurs, a gunshot detection system can quicky provide a wealth of information about the event. It can tell you where a weapon was fired, the direction the shooter was moving and even the caliber of the weapon. These systems are finely tuned to only register gunshots and won’t mistake a dropped pallet or other loud noise for a real emergency—even firing a blank won’t set them off.

 

Once you know a violent event is in process, a mass communication system can keep everyone informed of what’s happening, where it’s happening and what actions to take. You cannot only send messages to staff, but you also can equip phones with a panic button to notify security staff and law enforcement of threats. With the press of a button, a phone can turn into a video and audio recording device to capture and relay valuable information. This system can be useful in other dangerous situations such as earthquakes or fires.

Training

With mass shootings and other violent events occurring more frequently, most of us have at least idly considered what we would do in a dangerous situation. Whether your daydreams feature you heroically engaging an attacker in hand-to-hand combat or leaping out a window to a quick escape, people who are thrust into real situations rarely have the skills to execute these plans.

 

Furthermore, in a building with a large number of people present, even if each individual’s plan would work, everyone reacting to their own ideas at once creates chaos. What’s more, many organizations are still following outdated or inaccurate training, and it’s getting people hurt. To do everything you can to keep people safe, you need an up-to-date, standard, practiced plan that allows you to effectively communicate.

 

An integration team can help identify vulnerabilities in your plan (and in your technology), mitigate the problems, write a new plan, then train staff on equipment, protocols AND execution of the plan during a violent event.

 

Safe Passage’s Dustin Randall says the most effective aspect of training is often scenario practice. The team will train members of your staff, then put them into realistic situations to help them internalize what they have learned, increasing the odds that they’ll act appropriately when needed.

 

“It is often the debriefing that is the most valuable, when people look back on the scenario and realize what they could have done differently—and discuss the plan with colleagues,” Randall said.

Step 2: Action

To have the best chance at survival, it’s necessary to take action of some kind. Theodore Roosevelt said “In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.”

Once you’ve done everything you can ahead of time to give the people in your organization the best chance at preventing a violent event, you need to think about what everyone needs to do when an actual event occurs. According to Randall, staff should be trained to take these actions in this order:

1 - Accept the Inevitable

Some people, when caught in violent incidents, will do anything to deny what’s happening. They may hear a gunshot and immediately assume it’s a car backfiring or fireworks—even if they have the experience to know the difference. It’s important to acknowledge when a threat is real and respond appropriately. Good training makes it more likely staff will act in a way that saves lives.

2 - Run the Opposite Way

Many people freeze when faced with a threat they didn’t expect. But doing nothing is likely to get you hurt. Many existing plans tell staff to hide in a violent situation, but Randall explains that more people die if everyone hides instead of running. Remove yourself from the situation as fast as you can, find a safe place (hopefully, a pre-arranged meeting point) and contact police. Police responses have gotten much faster since active shooter situations have increased, but there’s no guarantee officers will immediately be able to find a shooter or obstruct the shooter’s path, so your priority is to leave.

3 - As a Last Resort, Fight

No one expects your staff to be heroes—fighting an attacker is a last, desperate option. Safe Passage training teaches you to stay calm and take actions that give you a chance to live. If you find yourself facing an attacker, they suggest first throwing something at the attacker to distract them and then run as they duck. If all other options are gone, grab the gun by the barrel and face it away from you. “Always remember, there are usually more of you than them. You can band together and pile on an attacker to subdue them,” Randall said.

Keep the Security Update Cycle Going - Indefinitely

The combined Prime/Safe Passage expert team suggests continually renewing these steps over time—whether during a pandemic, after an uptick in violence, or any time. Then you’ll know for certain you and your staff have done everything you can to make efficient use of the technology and training available. If, heaven forbid, you and your organization ever have to face a real situation, imagine how rewarding it will feel to know you’ve done everything you could do to reduce the odds of disaster.

Prime &​ Safe Passage ​Partnership​ Lifecycle​

For more information about our combined technology and training services, please contact Prime Communications at 402-289-4126 or sales@primecominc.com. We are happy to have a preliminary discussion with you about your security and training needs.


The Top 5 Genetec Solutions You Didn’t Know About

Crowds of people can be challenging to manage. Fortunately, today’s technology gives us increasingly sophisticated, efficient ways to achieve successful people management. The security industry continually seeks new solutions that make it easier, faster, economical and more effective for organizations ranging from complex retail distribution centers to smaller venues with precious occupants inside, such as hospitals, schools and daycare centers.

 

Genetec has made significant enhancements in the security industry introducing a broad range of advanced integrated security features that keep people safe, monitor security events and situations, aid investigations, and provide reports and legal documentation. At Prime Communications Inc., many of our customers have selected Genetec as their security system of choice, and we consistently receive positive feedback.

 

As technology rapidly develops we want to make sure everyone is aware of additional Genetec features they might not know about. These features make an already well-appointed security system even more effective, potentially saving extra time, money, stress and heartache. Prime helps deploy these systems and provides cloud-based services to make maintenance and operation easy and reliable.

 

In this article, we will share information about five Genetec add-ons that provide the additional security Genetec systems users need to take their tools to the next level. If you have questions about any of these tools, or about getting started with Genetec, please contact us.

Solution #1: Genetec Clearance™

Digital Evidence Management

With the proliferation of surveillance video from affordable security cameras, body cams and handheld devices comes a need to manage large amounts of video evidence. But what good is all this evidence if it takes too long or is too costly to share or receive it, which means it may not even get used?

 

Evidence can be missed due to the sheer amount of time and attention it takes to receive and review video. And with increasing amounts of evidence there is also an increased risk of evidence being mishandled—a risk exacerbated by the need to transfer files using USB drives or CDs. Mishandling can be the cause of lost court cases and criminals going free.

 

Genetec Clearance solves some of these problems by allowing easier, more secure transfer of evidence files—especially large files such as video footage. This capability facilitates collaboration between law enforcement agencies, security departments and the public and helps to close cases faster.

 

Because the program exists in the cloud, the exact same files can be accessed by all stakeholders—a great boon for organizations with multiple widespread locations. From the security department’s point of view, the ability to easily transfer files, share them, and keep them organized saves time, labor and money.

 

Any type of file can be uploaded using Clearance, and the faces of innocents can be redacted or unredacted. “The whole purpose of this tool is case management, and the program has many functions to aid that purpose for any organization in a customized way,” said Dustin Graybill, Senior Systems Engineer of Prime.

 

 

Solution #2: Genetec Mission Control™

Collaborative Decision Management

Mission Control Interface

In “the old days,” a security event involved verifying a situation in-person, walking to and locking every door listed on paper or in a computer, and placing separate calls to first responders, organization leaders and affected departments. This clunky process was time consuming and riddled with human error. In one fell swoop, Genetec ushered in a new era of organizational security with its new collaborative decision management tool, Mission Control.

 

This impressive system uses sensors, pre-loaded customized protocols, data collation, and map-style visualization to give security, facilities management, and operations professionals a stunning new level of situational intelligence. The system automates data collection and responses using Genetec security sensors, cameras and access technology.

 

“The capabilities of this system are broad, which means you can set up flexible responses to just about ANY situation,” states Graybill. Ultimately, he explained, by tailoring this tool to your own organizational needs you can save time, improve safety, protect goods, and allow consistent responses to incidents, among other benefits.

 

One of the key advantages of Mission Control may be the confidence it gives on-site responders, who have been known to make very human mistakes under stress. For responses that aren’t automated, the system can be set up to provide clear prescribed steps that are easy to follow, even under stress. Your integrator will work with you closely to set the system up and prepare your teams for any eventuality.

Solution #3: Genetec ClearID™

Physical Identity and Access Management

When people move through a commercial, education, entertainment or health care environment (or any venue with large numbers of people), it can be a challenge to ensure security and keep everyone moving efficiently and safely throughout zones or building(s). It’s time consuming to grant access, keep track of everyone, and change access when roles change.

 

ClearID is an easy-to-deploy cloud-based data system that is unified with Genetec’s Security Center Synergis™. The self-service physical identity and access management (PIAM) tool allows your staff to quickly and easily enforce security protocols and at the same time keep people moving efficiently.

 

“Let’s say you’re going to come visit me at my place of work,” Graybill said. “I can provide information to you by email, so you can self-print a badge at a kiosk when you get here. The badge automatically limits areas of building you can go to. It’s all the same controls you would perform manually but without the time, hassle and potential error.”

 

The program is especially useful, he said, for automatically changing employee access according to role changes. If you get promoted, you automatically gain access to new areas. If you are fired, you automatically lose all access. “Imagine the time savings if you have groups of people who need bulk access changes to a new building, for example,” Graybill explained.

 

Solution #4: Genetec AutoVu™

Automatic License Plate Recognition

Surveillance cameras revolutionized the security industry. Now, if you steal something from a store, your image is likely going to be captured and can be used to prosecute you – IF they find you. Genetec’s AutoVu automatic license plate recognition (APLR) tool completes the loop with solid evidence that helps capture wrongdoers in many different situations.

 

“Everyone wants to put cameras in if people are stealing things, but if you can’t follow them out and get their license plate number, the camera image won’t tell you who they are,” Graybill explained. “But if you put one APLR camera at a chokepoint, you’ll get hard evidence rather than just an obscured image of a face.” The system provides immediate notification, and the photos include environmental context to help security personnel and law enforcement better understand and document events.

 

AutoVu is used by law enforcement in both stationary and mobile installations for parking enforcement and to help identify perpetrators and solve abductions, find missing persons, and close other high-priority criminal cases. Schools have considered using the system to identify child predators or sex offenders who enter campus areas.

 

The technology also can be used to automate access management. “At the very least, it allows you to grant access to cars without anyone having to stick their arms out in the rain to swipe an access card,” Graybill said. “In more complex applications, such as in a large distribution center, the system can be used with access control software and gates to automatically grant access to trucks with specific goods that go to predefined zones in your compound.” This saves time, money and mistakes, he said.

 

According to Graybill, even casinos are using APLR to identify VIP guests who pull into parking areas, so staff can have the red carpet rolled out as soon as they reach the doors.

 

“This is one technology that’s very much like the fictional systems you see on television shows such as NCIS,” he said. “A lot of that imagined technology isn’t real yet, but this is, and it’s as reliable as you think it should be.”

Solution #5: Genetec Plan Manager™

Map-Based Command and Control

“In addition to improving security overall, this system can reduce labor, sometimes to the point of being able to eliminate a position,”

Dustin Graybill, Senior Systems Engineer, Prime Communications, Inc. Tweet

It’s much more effective to adapt security tools to your operation than the other way around. Plan Manager is a Genetec Security Center module that can be adapted to your operation in a very visual and intuitional manner, which can save time and give security professionals a better understanding of any situation. Plan Manager brings together data, images and notifications from many parts of the system. The result is faster, better responses to keep everyone and everything more secure.

 

In addition, Plan Manager allows your system to capture and save situational data to aid in investigations. “You can input floorplans, maps, Google Maps images, large site plans and every component of your system into this software to more easily and more comprehensively manage the entire system,” Graybill said. A traditional monitoring system puts images and notifications into tiled squares, which can be difficult to understand and act on.

 

The technology is helpful not only for security events, but for day-to-day monitoring. Graybill describes a Prime customer that has a facility with 100 doors—50 on each side of the building. Plan Manager allows staff to simply look at the map, instantly see the status of all doors in one image, identify open doors, and then send someone out to close them. The system is sophisticated enough to identify false alarms.

 

“In addition to improving security overall, this system can reduce labor, sometimes to the point of being able to eliminate a position,” Graybill said.

 

Unified Technology for Improved Security

One of the best things about these five Genetec system add-ons is the ease with which they can be implemented with the help of an experienced Genetec integrator such as Prime. We not only can set up and efficiently connect the hardware and software for you in stress-free, customized deployments, we also can provide various levels of monthly cloud-based monitoring and maintenance services as needed to aid your security staff freeing them to do more important things.

 

For information about any of these solutions—or to get started with a basic Genetec security system—contact Prime Communications

402-289-4126 or sales@primecominc.com.


Healthcare Cybersecurity Best Practices: Don’t Forget About the Physical Side of Digital Security

[checklist]

Like many other market sectors, the healthcare world was forced into cybersecurity adjustments and advancements by the COVID-19 pandemic. For example, it was suddenly not a good idea to use touchscreens and keypads to identify users and gain access. At a blinding speed in some cases, IT professionals have worked to deploy new solutions — some of which had been in process already or were being used in other industries and some were completely new.

 

With these technology advancements, it has become more important than ever to identify physical and digital/logical security weaknesses and be proactive about mitigating them to keep staff, patients and visitors (and their personal data) safe.

 

Evolving cybersecurity best practices are especially important in healthcare settings, because hospitals and other healthcare venues are technology-heavy, super-sensitive to privacy, and carry unique potential for harm when technology fails.

 

Jeff Broz, Prime Communications Inc. VP of Infrastructure Operations, pointed out that these concerns are particularly important in the growing world of the healthcare Internet of Things (HCIoT). “There is typically a well-established process for adding new devices to an enterprise network. The challenge is that the technology is changing so quickly, that keeping up is a daunting task for the IT security team.”

Healthcare cybersecurity: What could go wrong?

“When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

Jeff Broz, VP Infrastructure Operations, Prime Communications, Inc. Tweet

Some cybersecurity breaches are legendary in the healthcare world. For example, ransomware attacks and hacking through environmental controls. In a worst-case scenario, a nefarious actor can take down an entire network, locking users out or injecting viruses, causing gaps in patient monitoring and care.

Especially with some of the beefed-up collaboration technology being used through the pandemic to electronically replace in-person patient and family touchpoints, an increased number of potential breaches can deprive caregivers of access to vital information about their patients.

“It is pretty straightforward,” Broz said. “When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

This healthy fear of gaps in care have even led to an unhealthy avoidance of updating systems for some organizations. However, using legacy systems with only-partially-effective updates eventually results in more potential cybersecurity issues and — you guessed it — gaps in a hospital’s control over care. When word gets out about gaps in care, it can affect an institution’s ability to maintain its reputation and compete against institutions that allocate time and money to proper updates and upgrades.

Increased use of smart devices complicates cybersecurity, Broz pointed out, because they often do not include embedded security when they are acquired and implemented. This can lead to human error, from poor configuration to incomplete user protocols. It’s great to have devices such as smart pumps available to monitor distribution of pharmaceuticals, and many healthcare institutions have implemented them. However, do IT teams really understand the vulnerabilities that come along with such devices?

This matters in part because hackers are getting smarter. A number of breaches have occurred in recent years through laptops accessing environmental systems. IT and security staff now have a better understanding of how those breaches happened, but for a variety of reasons they don’t always take comprehensive steps to mitigate such possibilities in their own systems.

 

According to a Verizon data breach report, 59% of healthcare institution data breaches come from internal actors, whether intentional or unintentional. This often happens due to problems with un-segmented networks or missing security controls. In cases where damage is intentional, it can happen because credentials are too easy to steal, among other things.

Of course, if you oversee security or information technology in a healthcare institution, you have no doubt done your research and know all of this. If you are like many organizations, you have put cybersecurity protections in place and you are ready for the next attack. However, also like most healthcare institutions, you may have forgotten about or too-lightly addressed one particular area of cybersecurity: physical deployment and maintenance.

Broz puts in a nutshell just how critical physical security is to cybersecurity: “All of the sophisticated, deep cybersecurity protocols, software and processes you implement could be taken down in an instant if a bad actor gains access to a server closet through a door left ajar by third-party technician.”

Bones of an effective cybersecurity plan

Any institution’s cybersecurity plan includes a myriad of small security mitigations protecting the many parts of the system. However, without a well-thought-out, comprehensive structure to support full security coverage, all of those small solutions still could leave your organization vulnerable. Just as a building needs a framework to hold up the walls (the bones), a cybersecurity plan is the framework that holds up a system’s components.

An effective cybersecurity plan begins with assessment of every component in your system and every potential security breach scenario. Your assessment should include determination of physical ways bad actors could access systems (e.g., through unlocked doors), or where inadvertent actions could compromise the system (e.g., accidentally activating on/off switches). A comprehensive risk assessment should be created before any new components are purchased or programs are put in place.

The bones of your cybersecurity plan should follow emerging standards, including ever-changing best practices for encryption, data tracking, human error mitigation, awareness programs, and incentives for reporting phishing, for example. “Part of establishing digital security in a healthcare institution is knowing what the most current standards are and understanding how to follow them,” Broz advised. He said many institutions lean on third-party experts. However, if your team members are not already, they should get on the mailing lists of cybersecurity industry organizations, such as the Healthcare Information and Management Systems Society, Inc. (HIMSS), so they can receive timely updates and tips. Even with reminders from experts, Broz suggested many companies are forgetting about the physical side of digital security.

We’ve included a checklist of some of the most easily forgotten physical aspects of cybersecurity at the end of this article to help flesh out your cybersecurity plan. 

Overall, an effective cybersecurity plan must:

  • Include integrated digital and physical cybersecurity solutions pathways (“You can’t have one without the other,” Broz said.)
  • Take into account how your healthcare cybersecurity initiatives will affect profitability and other aspects of your institution, including efficiency, staffing and budgets
  • Identify unsupported legacy systems and realistically determine when the potential for ongoing vulnerabilities outweighs the costs of upgrading
  • Account for third-party devices that will be connected to your network by patients, families, employees and contractors — some exposure through third-party devices is intentional and some may be unintentional
  • Incorporate partnerships with trusted third-party service and equipment providers who know the specific business of healthcare cybersecurity
  • Prioritize to ensure that the most important, or most foundational, aspects of cybersecurity are managed first
  • Include an incident response plan, so your team knows exactly what to do when a breach happens
  • Outline built-in protocols for continual testing and updating your healthcare cybersecurity systems without any gaps in care
  • Integrate input, needs and concerns from other teams in the organization and align with high-level organizational goals and processes
  • Include detailed steps for continual training, information sharing across departments, and plan updating

Healthcare venues present unique, and oftentimes critical, potential cybersecurity issues. Most hospitals and other healthcare institutions hire experienced, educated inhouse information technology and security professionals who know how to create and carry out a plan. The key is to make sure your professional staff is given the time and resources for proper planning, implementation and management of cybersecurity — including ensuring comprehensive coverage, with no gaps, by addressing the physical side of digital security.

Physical Cybersecurity Plan Checklist

For more information about or assistance with both the digital and physical sides of your cybersecurity plan, contact Prime Communications Inc., 402-289-4126 or sales@primecominc.com.


Pivoting to Security-as-a-Service: A Proactive Response to the Impact on the Economy

The U.S. economy remains unsettled during COVID-19. While many businesses have reopened, a majority continue to operate in limited capacity, either due to reduced occupancy numbers, or because customers are not comfortable to fully return to their pre-COVID consumer habits.

The accompanying decline in revenues means many businesses may be proceeding with caution on spending. They may have shifted to a more conservative cash preservation mode in hopes that they will survive until a new normal is established.

While splash shields and social distancing floor markers are a start, when it comes to technology, companies now have to incorporate new communication tools. A major one being video conferencing, to support remote employees so they can continue to collaborate with colleagues and customers. Then there are additional security solutions being installed in businesses as employees come back to work like touchless entries and thermal imaging solutions to pre-screen employees and customers for elevated temperatures, one of the most common symptoms of COVID-19.

Whether the pandemic is modifying social and commercial interactions, and whether or not the economy is good or bad, the reality is a variety of technology solutions will always be critical tools organizations use to help them achieve success. That is why during these difficult times, it’s important to adapt to new ways to help clients preserve capital like monthly payment procurement options.

Prime Communications has adopted a model that gives users the flexibility to take on new technologies at a low cost and the ability to control their technology roadmap.

Prime pays particular attention to the how-to pay aspect of customers’ security solution design efforts. Buying equipment outright restricts cash flow and burdens the organization with hardware ownership until it’s depreciated enough to justify replacement. “Security as a service leads to much better use of capital,” said Jamie Baumgardner COO of Prime Communications. “Switching to this model with a trusted service provider allows you to invest capital into revenue-producing projects instead of wasting it on depreciating security equipment.”

Security-As-A-Service program alleviates the following concerns

1. Cash Preservation

COVID has forced organizations into a capital preservation mode. In fact, in a recent survey with top national retail chains, 89 percent stated that their 2020 and 2021 budgets have been greatly impacted. Most CAPEX budget plans for technology equipment essentially dried up overnight. Now, more organizations are noticing that under an OPEX model they have better control over their cash flow. With an as-a-service OPEX subscription solution, customers pay a low, convenient and predictable monthly payment that includes the total security solution, and support services.

 

2. Uncertainty in The Solutions Needed

The Security-As-A-Service model addresses the uncertainty within technology strategies. Most organizations have had to completely adapt their technology needs due to the unexpected changes this year. And many organizations are still uncertain about what they may need going forward. This flexible option allows them to adapt freely.

 

A Payment Model that Provides You with More Security, Less Worry

In a world where security risks change by the day, paying large sums of money just to own equipment that will be soon outdated can represent a huge risk. Security-as-a-service saves money, provides flexibility and keeps your defenses tight using a payment structure that has proven itself. For these reasons, this is the future of security.

To learn more about Prime Communication’s Security-as-a-Service program, contact us today. Let’s discuss your specific security technology needs.

 

1 2 3 6