Whether or not you’ve seen the 1979 psychological horror film When A Stranger Calls, at some point you’ve likely heard this memorable line: “We've traced the call and it's coming from inside the house.” According to the 2017 Threat Monitoring, Detection & Response Report, inadvertent breaches prompted by internal users (employees, vendors, etc.) accounted for 61% of cyberattack incidents.
Phishing scams, spyware, ransomware and malware are the most common types of cyberattacks, and they all in one way or another require you to open the door for them to enter. What happens if you don’t open that door? They likely aren’t coming in!
Here’s what you need to know to ensure that you’re taking the necessary precautions to minimize your office’s vulnerability to attempted cyberattacks.
Be Prepared and Remain Vigilant
Thwarting possible cyber assailants is an ongoing process that demands education on the part of everyone in your office. It’s important to delegate the responsibility of staying up-to-date on current security threats to at least one member of your staff. This team member can then help others take the additional measures needed to protect your networks, data and systems. If you’re running a small practice, that responsibility may fall on you.
Regardless of who’s monitoring security for your practice, there are tons of sites and resources dedicated to cybersecurity news and best practices that can keep you in the know. Two of the many we follow are Krebs on Security and VirusTotal, the latter being a valuable resource for analyzing any files or URLs that arouse your suspicion.
Another important procedure you should implement is security training for your staff. We are at a point in the evolution of cyberattacks where the safest bet is to instill in your staff an instinctive skepticism toward unsolicited emails (and phone calls and texts). If you’re the recipient of an unsolicited communication (being prompted for sensitive information like usernames, passwords, credit card details, etc., or being asked to download a file or piece of software to your computer), you should refrain from providing any information or downloading anything until the individual responsible for security in your office has had an opportunity to review the situation. Keeping your office protected will require ongoing education, staff training and vigilance on the part of all.
Invest in Password Manager Software
This one’s a no-brainer. As much as we hear about password breaches and the need to come up with unique, complex passwords for each of our online accounts and systems, the statistics paint a grim picture of how most people actually manage their passwords, with more than 50% using “five or fewer passwords across their entire online life” and the five most popular passwords (in 2014) proving to be “123456, password, 12345, 12345678 and qwerty.” I won’t delve deeply into how password managers work (Consumer Reports has a quick primer here) other than to say that they make it very easy to guard against risky password management practices.
Does your staff manage login credentials across a wide range of cloud-based and local technologies? The answer is almost assuredly yes. To protect yourself against the human tendency to reuse the same password across multiple platforms, or to choose weak passwords because they are more memorable, your safest bet is to purchase password management software and mandate that your staff use it. It is inexpensive, and for those of you who use one password for everything (and many people do), it lets you carry on with that practice in a sense, as you only have to remember one password (for the password manager itself). Just make sure that one is going to be hard to crack!
If Your Office Is Attacked
Sometimes our best efforts still fall short. In this instance, your staff should be trained in how to proceed should they suspect the office has fallen victim to an attack. The timeframe from opening a compromised attachment to network infection is minimal; in fact, a 2016 report from Verizon found that in “93% of breaches, attackers take minutes or less to compromise systems”. It’s imperative that as soon as a problem is suspected or recognized you notify a professional, which may be the IT person in your office. You’ll need to disconnect from the network to cut off any internet access and prevent any data from leaving your system. Any passwords that may have been compromised should immediately be changed. You’ll also want to determine the risk posed by any information that may have left your system during the attack and proceed accordingly.
The above suggestions are simply first steps. Expert advice runs the gamut in terms of actions you’ll need to take following a breach, but a good starting point for your research might begin here.
Prepare Now, Rather Than When Under Duress
What you don’t want to do is begin formulating your plan for responding to an attack after the attack has occurred and stress levels are at a maximum. Develop your incident response policy now so your course of action is clear if/when you need to invoke it.
None of us want to have to spend our time dealing with these threats to our business, but it’s important to allocate time to plan for them when we can think clearly and unburdened by the need to rush. Make sure that you and your staff are educated about best practices for thwarting attacks, that you’ve developed a policy for dealing with attacks and that everyone is clear on what is expected should an attack occur. The time you spend preparing now could just end up being some of the most important hours you ever put into your business.