Understanding Your Business Data: 4 Questions You Should Ask

The world is swimming in data! Even the smallest companies, after many years of networking and cloud use, can be harboring millions of megabytes of information — records, backups, past projects, website metrics and network use. It’s hard to get our heads around it. Our use of data has become so sophisticated that universities now offer degrees in data management.

The analysis and use of data to make business-driven decisions is often referred to as “business intelligence.” This discipline includes initiatives such as reporting, analytics, user dashboards, event processing and data mining, as well as business performance management through disciplines such as benchmarking and data set comparison. If you own or manage a small or medium-size business, keeping all that data safe and applying proper business intelligence practices to it can be a serious challenge.

But if you do figure out how to manage it well, there are gems of information and wisdom in your data that can help your business thrive, stay as competitive as possible and improve efficiencies.

The question is — how do you get to all that data? How do you keep it safe? And how do you determine how to best use it? A managed services provider (MSP) can help you establish a thorough business intelligence plan and manage it for you as an extension of your staff. Many small and medium-sized businesses have some difficulty calculating ROI for this service—it seems cheaper to do it yourself. Some already have a provider and believe their data is being managed expertly, but the systems and processes the provider is using are outdated or incomplete. It comes down to this: understanding the questions you should be asking about your data. This article outlines the top 4 questions you need to ask your Managed IT Provider.

The 4 questions you need to ask:

1. Where is our data?

Most enterprises still aren’t aware of all the individual devices that contain data belonging to the business. It can be difficult to gain a clear grasp on how data moves from your on-site network to personal cell phones and computers, laptops taken out of the building, vendor networks and cloud folders. Prime Communications’ VP of Information Technology, Dave McCollough, explained, “If you don’t know where your data is or whether it is going ‘out in the wild,’ it could leave your sensitive information exposed to bad actors, and if it gets into the wrong hands, it could be costly.”

On the positive side, understanding where your data is and how to use it to your best advantage can give your organization a competitive edge. What data about your customers do you have sitting in the depths of your system that could be used to make your next marketing campaign more successful? How can you access the metrics for your business, from profitability to client loyalty?

Many small and medium-size businesses don’t have the expertise — or the time — to thoroughly catalog all their data and understand links to all devices. “It’s not cost-effective for a CEO to spend days managing data folders, even if they do have the knowledge,” McCollough said. “But the truth is, most CEOs and others who are given authority over data in small and medium-size businesses don’t really have the expertise to manage it well.” He explained that hiring a knowledgeable expert in-house can be too expensive for many smaller businesses—and those that do must then depend only on the skillset and experience of that one person.

Ask your MSP to write a clear data map showing all devices, all potential links, and how data moves through all of it. In addition, they should provide you with a plan for ongoing monitoring and management of all devices and depositories that could potentially be linked to your system.

2. Who can access our data?

It’s one thing to know where your data resides and quite another to understand exactly how hackers can get to it — or, when your team needs the data, how they might find it difficult to get. Successfully managing business intelligence requires both (1) protecting data from bad actors and (2) making it easy for you and your team to get to it and make decisions based on what’s in all your data depositories.

First, from a security standpoint, users are the weakest link in the chain, but technology offers many ways to control access. Multifactor authentication, for example, has become extremely important. Many business owners don’t realize how common it is for passwords that have been set by individuals to end up on the dark web, where they can be used by hackers. Justin Ekstein, Prime Communications’ Solution Engineer, explains: “With multifactor authentication, even if a password is leaked, the perpetrator won’t have your cellphone, which makes it much more difficult to get to your data.” 

Second, when it’s time for your team to access data, do they know how to get there? Creating a logical and easy-to-navigate data hierarchy, perhaps through a well-thought-out user dashboard, makes it easier for everyone in-house to get to the data they need and ensures nothing useful sits unused for years. Your data repositories should be periodically updated and cleaned out.

Ask your managed services provider to review and update your data hierarchy. Once your data is set up where it can be easily and safely accessed by your team, your MSP should be willing and able to provide thorough training, including security simulations.

3. How can we ensure our data is secure?

This is a topic unto itself, and we will address it more fully in an additional article about security and managed services providers. For now, think generally about how your data is secured. At the very least, you probably know you should have an antivirus system in place. However, according to Ekstein, many small and medium businesses are not aware that traditional antivirus programs often are useless now because they are outdated — or the hardware they are used on is outdated.

This is even more important at this time in history because of the proliferation of remote workers. Proper security of business data requires establishing regular best-of-class patching services and regularly updating software. You need to know how remote workers are connecting and how they are using the data. “Not knowing amounts to leaving the security of your system up to chance,” Ekstein said. “At the very least, when remote workers connect to your network, they might be bringing in some kind of sludge along with them inadvertently.”

Many companies still have basic antivirus programs that are based on definitions of viruses they’ve seen before and software packages that might be vulnerable. “In the last couple of years, there are so many new threats, and they are all so different,” Ekstein said. “You have to have a solution that has the ability to look at behaviors instead of whether it’s a good software package.” This type of security software is called Endpoint Detection and Response (EDR).

Part of having a well-appointed IT security system is determining whether you have robust backups to completely recover your system after a hack or even a physical disaster. “Just because you have backups, doesn’t mean they’re working,” Ekstein said. “They need to be regularly tested, and keep in mind that not all cloud services are backed up equally or are not easily restorable.” Don’t be fooled by the idea that your data is not important to anyone else and therefore a hacker wouldn’t be able to use it to make any money. If a hacker uses ransomware to lock down information that’s valuable to your organization, you could find yourself in a position where you must pay tens of thousands of dollars to retrieve your entire company history. The loss of customer information, for example, could damage your organization’s reputation.

Ask your MSP to identify specific programs being used to keep your network safe and then explain to you exactly how it all fits together. To keep your network safe going forward, require your MSP to draft a plan for continual monitoring and disaster recovery. In addition to establishing a chain of command to make decisions about security, you should define actions you trust your MSP to take on your behalf immediately. “A disaster recovery plan needs to be a living document,” McCollough pointed out. “Don’t just write it and let it sit — test it on a regular basis.”

4. What's in it for you?

Small and medium businesses are known for their impressive resourcefulness and the ability of employees to wear many hats, learn new things and take on challenging roles. In fact, many small and medium businesses have seemingly achieved the impossible through sheer will! But these days a company’s data is too important to learn on the fly.

It’s easy to believe meticulous monitoring of your network is not that important. After all, you may tell yourself, you’ve been okay up to now, haven’t you? You may not have experienced a negative event yet, but the general consensus is that it is just a matter of time for any organization. You may already have a process in place for making data and business intelligence decisions, but if data is not your specialty you likely have gaps in your system that could cause devastating problems. Also, you have other things to do — how can you keep up with everything you need to know in the fast-moving world of data management and security?

Perhaps you already have an MSP that monitors your system. That’s a great first step, but don’t let it be a “set it and forget it” process. Learn enough about it to ask intelligent questions. Does your provider include training, data mapping and regular proactive reporting as part of its regular services? Is your MSP equipped to help you create a data access plan and easy-to-use hierarchy, so you can use your data to its best advantage? Don’t think of your MSP service as only “security services”—there is much more value to be tapped.

Ask your MSP to document exactly what you are getting from them. They should not only provide software, hardware and monitoring. They should help you strategize, then set everything up and administer it on a continual basis, helping you look at your data clearly and make good decisions. Backups should be checked daily. Security breaches should be continually ferreted out and fixed using the latest hardware and software, including training and testing your team. No useful data should linger unnecessarily in the depths of your network!

Benefits of Working with a Data-Intelligence-Equipped MSP

When was your data last backed up and reorganized? Is your antivirus updated? Many companies don’t address these issues until a disaster turns their attention forcefully to the inner workings of their business intelligence systems. But the exposure of data can cause irreparable harm to a company’s financial stability – and even its reputation if sensitive data such as customer information is lost.

“The best time to examine your data, business intelligence tools and potential exposures is before something bad happens,” McCollough said. “Every company should create a roadmap of its technology for the next three to five years.” If it can’t be done thoroughly in-house, using knowledge of the latest technology both for hacking and fighting against hacking, then you may want to reach out to an agile, professional MSP such as Prime Communications.

Both Ekstein and McCollough are members of a comprehensive new Prime MSP division. They bring decades of experience with them in a wide variety of managed services issues and solutions. Prime customers look to them as Chief Information Officers or Chief Security Officers on call. Working with an outside MSP team can be even better than hiring someone in-house; you get the benefit of a highly experienced team at a reasonable cost, as well as access to the best hardware and software—and the combined metrics of years’ worth of multiple customers’ experiences with data and business intelligence.

“All of the services discussed in this article, and more, are in our toolbox for Prime Managed clients,” Ekstein said. “We look at your specific situation and tailor a plan to your needs—we don’t just offer what is easiest for us to do.” Other Prime divisions support the MSP division with complementary targeted services in structured cabling and DAS installations, physical security solutions, and network solutions. When you hire Prime, you get the benefit of a full team of professionals with specialties in many different network, security, and communications disciplines.

For more information about Prime Managed and a free initial meeting to discuss your data and business intelligence needs, call 402-289-4126 or email managed@primecominc.com.


Healthcare Cybersecurity Best Practices: Don’t Forget About the Physical Side of Digital Security

Like many other market sectors, the healthcare world was forced into cybersecurity adjustments and advancements by the COVID-19 pandemic. For example, it was suddenly not a good idea to use touchscreens and keypads to identify users and gain access. At a blinding speed in some cases, IT professionals have worked to deploy new solutions — some of which had been in process already or were being used in other industries, and some of which were completely new.

With these technology advancements, it has become more important than ever to identify physical and digital/logical security weaknesses and be proactive about mitigating them to keep staff, patients and visitors (and their personal data) safe.

Evolving cybersecurity best practices are especially important in healthcare settings, because hospitals and other healthcare venues are technology-heavy, super-sensitive to privacy, and carry unique potential for harm when technology fails.

Jeff Broz, Prime Communications Inc. VP of Infrastructure Operations, pointed out that these concerns are particularly important in the growing world of the healthcare Internet of Things (HCIoT). “There is typically a well-established process for adding new devices to an enterprise network. The challenge is that the technology is changing so quickly that keeping up is a daunting task for the IT security team.”

Healthcare cybersecurity: What could go wrong?

Some cybersecurity breaches are legendary in the healthcare world, for example ransomware attacks and hacking through environmental controls. In a worst-case scenario, a nefarious actor can take down an entire network, locking users out or injecting viruses, causing gaps in patient monitoring and care.

Especially with some of the beefed-up collaboration technology being used through the pandemic to electronically replace in-person patient and family touchpoints, an increased number of potential breaches can deprive caregivers of access to vital information about their patients.

“It is pretty straightforward,” Broz said. “When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

This healthy fear of gaps in care has even led to an unhealthy avoidance of updating systems for some organizations. However, using legacy systems with only partially effective updates eventually results in more potential cybersecurity issues and — you guessed it — gaps in a hospital’s control over care. When word gets out about gaps in care, it can affect an institution’s ability to maintain its reputation and compete against institutions that allocate time and money to proper updates and upgrades.

Increased use of smart devices complicates cybersecurity, Broz pointed out, because they often do not include embedded security when they are acquired and implemented. This can lead to human error, from poor configuration to incomplete user protocols. It’s great to have devices such as smart pumps available to monitor distribution of pharmaceuticals, and many healthcare institutions have implemented them. However, do IT teams really understand the vulnerabilities that come along with such devices?

This matters in part because hackers are getting smarter. A number of breaches have occurred in recent years through laptops accessing environmental systems. IT and security staff now have a better understanding of how those breaches happened, but for a variety of reasons they don’t always take comprehensive steps to mitigate such possibilities in their own systems.

According to a Verizon data breach report, 59% of healthcare institution data breaches come from internal actors, whether intentional or unintentional. This often happens due to problems with un-segmented networks or missing security controls. In cases where damage is intentional, it can happen because credentials are too easy to steal, among other things.

Of course, if you oversee security or information technology in a healthcare institution, you have no doubt done your research and know all of this. If you are like many organizations, you have put cybersecurity protections in place and you are ready for the next attack. However, also like most healthcare institutions, you may have forgotten about or too-lightly addressed one particular area of cybersecurity: physical deployment and maintenance.

Broz puts in a nutshell just how critical physical security is to cybersecurity: “All of the sophisticated, deep cybersecurity protocols, software and processes you implement could be taken down in an instant if a bad actor gains access to a server closet through a door left ajar by a third-party technician.”

Bones of an effective cybersecurity plan

Any institution’s cybersecurity plan includes a myriad of small security mitigations protecting the many parts of the system. However, without a well-thought-out, comprehensive structure to support full security coverage, all of those small solutions still could leave your organization vulnerable. Just as a building needs a framework to hold up the walls (the bones), a cybersecurity plan is the framework that holds up a system’s components.

An effective cybersecurity plan begins with assessment of every component in your system and every potential security breach scenario. Your assessment should include determination of physical ways bad actors could access systems (e.g., through unlocked doors), or where inadvertent actions could compromise the system (e.g., accidentally activating on/off switches). A comprehensive risk assessment should be created before any new components are purchased or programs are put in place.

The bones of your cybersecurity plan should follow emerging standards, including ever-changing best practices for encryption, data tracking, human error mitigation, awareness programs, and incentives for reporting phishing, for example. “Part of establishing digital security in a healthcare institution is knowing what the most current standards are and understanding how to follow them,” Broz advised. He said many institutions lean on third-party experts. However, if your team members are not already, they should get on the mailing lists of cybersecurity industry organizations, such as the Healthcare Information and Management Systems Society, Inc. (HIMSS), so they can receive timely updates and tips. Even with reminders from experts, Broz suggested many companies are forgetting about the physical side of digital security.

We’ve included a checklist of some of the most easily forgotten physical aspects of cybersecurity at the end of this article to help flesh out your cybersecurity plan. 

Overall, an effective cybersecurity plan must:

  • Include integrated digital and physical cybersecurity solutions pathways (“You can’t have one without the other,” Broz said.)
  • Take into account how your healthcare cybersecurity initiatives will affect profitability and other aspects of your institution, including efficiency, staffing and budgets
  • Identify unsupported legacy systems and realistically determine when the potential for ongoing vulnerabilities outweighs the costs of upgrading
  • Account for third-party devices that will be connected to your network by patients, families, employees and contractors — some exposure through third-party devices is intentional and some may be unintentional
  • Incorporate partnerships with trusted third-party service and equipment providers who know the specific business of healthcare cybersecurity
  • Prioritize to ensure that the most important, or most foundational, aspects of cybersecurity are managed first
  • Include an incident response plan, so your team knows exactly what to do when a breach happens
  • Outline built-in protocols for continual testing and updating your healthcare cybersecurity systems without any gaps in care
  • Integrate input, needs and concerns from other teams in the organization and align with high-level organizational goals and processes
  • Include detailed steps for continual training, information sharing across departments, and plan updating

Healthcare venues present unique, and oftentimes critical, potential cybersecurity issues. Most hospitals and other healthcare institutions hire experienced, educated in-house information technology and security professionals who know how to create and carry out a plan. The key is to make sure your professional staff is given the time and resources for proper planning, implementation and management of cybersecurity — including ensuring comprehensive coverage, with no gaps, by addressing the physical side of digital security.

Physical Cybersecurity Plan Checklist

For more information about or assistance with both the digital and physical sides of your cybersecurity plan, contact Prime Communications Inc., 402-289-4126 or sales@primecominc.com.