SIDEBAR
»
S
I
D
E
B
A
R
«
SMB Cyber Security Training & Policies
Sep 5th, 2019 by Admin

Acquiring secure IT services to promote cybersecurity is a good step to ensure your company is protected from malicious forces. Professionals who provide secure IT services will be there to guide you and your workforce in keeping all endpoints and networks worry-free. However, the effort to make sure cybersecurity is maintained should not rest solely on secure IT services providers. It is the end-users who should be even more careful, as it is they who roam company networks and use online resources. Companies can lose a lot with employee negligence, but such errors can be avoided. Through well-planned cybersecurity training, awareness and vigilance does not rest solely on secure IT services providers.


Secure IT Services: Cyber Security Training


Building a culture of cybersecurity is integral to make sure that the entire workforce is calibrated when it comes to cybersecurity knowledge. While training may include how to use company resources and provided secure IT services, it can also dig deep with cybersecurity basics like how employees can be safe at home as well, and how they can promote a secure lifestyle in and outside of work. Professionals who handle secure IT services can take the lead in these trainings, with some collaboration with company leaders.


Secure IT Services: Constant Follow-Ups


What transpires in one training session can immediately be applied, as time goes by, these tidbits of cybersecurity knowledge may fade. Companies may fail in instilling a habit of cybersecurity mindedness within the workforce without adequate follow-up. Sessions that aim to remind the workforce of cybersecurity basics need not be actual sessions. These can be in the form of email newsletters, company-wide memos, even short instructions sent to team and department leaders to disseminate to their members. Efforts to follow-up need not come from your hired secure IT services providers. Strategic ways to look after the workforce can be effective, albeit simple.


Secure IT Services: Personal yet Professional


A noteworthy way to make cybersecurity impactful is to bring it to a personal level, yet connect it to how it affects one’s professional matters. Negligence in keeping one’s personal gadgets secure may end up bringing viruses and malware to the office. This is a common occurrence for those who use company gadgets for personal affairs e.g. using the office computer to open social media accounts, or using company internet for personal affairs, like booking flights or online shopping. Chances are, these “bad habits” can ultimate affect one’s personal online life, and also their work-related online resources, such as cloud storage and company email accounts. This lack of awareness can be noticed in age gaps, as more senior employees seem to be less adept in practicing cybersecurity measures than younger professionals. Secure IT services providers can be tapped in approaching this age gap, and also in emphasizing in general that personal bad habits can bite one back when brought in the office. Your personal cybersecurity errors may come back as a company-wide problem, and there’s no greater shame in knowing you included many people in a singular error.


Secure IT Services: Encourage Error Reporting


Through training, secure IT services professionals can emphasize the need to be proactive and vigilant. Slight cybersecurity threats can balloon into major threats, and the enterprise workforce must be pushed to speak up even at the slightest suspicion. There is a bit of shame when one has to admit that they may be the cause for a certain virus or malware to penetrate company networks, but rather than seeing the trouble snowball, nipping it in the bud through professional honesty is the better act. Incident report forms may also be created to promote anonymity when there are specific instances to be reported. Training must make sure that professional honesty and vigilance is part of the cybersecurity culture that is upheld. Company leaders and secure IT services providers must work together to put this habit front and center.

Secure IT Services: Cyber Security Policies


Now that an internal knowledge and awareness of cybersecurity has been instilled, external forces to encourage maintenance of a cyber-secure workforce, alongside reprimanding bad habits and negligence, are compulsory. Policies can be executed to keep cybersecurity as robust as possible. You may work with secure IT services providers to help you in coming up with policies, or in writing down details of suggested policies below:


Secure IT Services: Acceptable Use Policy


Put a strict, discernible line between websites, apps, and other internet-related resources that allowed or not in the office. Some social media sites may appear more personal than professional in terms of use, or the office can agree on what browser to use so that configurations are uniform for all computers. Identifying which websites or apps to use limits gateways for hacker or malware to enter.


Secure IT Services: Confidential Data Policy

Ultimately identify what kind of information stays in the office, and nowhere else. Company secrets and industry processes that took years to perfect must not reach competitors in any way. This specific policy will make sure that company data are kept where they should be kept, and will not reach areas vulnerable to cybersecurity threats.


Secure IT Services: Email Policy


Controlling as well what kind of email service providers will help in maintaining company data. While not all businesses are able to come up with a private email domain, executing email laws will uphold cybersecurity standards.


Secure IT Services: BYOD/Telecommuting Policy


There is merit in the Bring-Your-Own-Device (BYOD) scheme, as it promotes employees to use gadgets there are more accustomed to in promoting work efficiency and mobility. However, a policy to govern security measures for these gadgets will support this request to use one’s own laptop or tablet to meet workload deadlines. Secure IT services providers may come up with ways to give access to antivirus program installations or do routinary scanning of gadgets that aren’t company-owned.


Secure IT Services: Wireless Network and Guest Access Policy


Non-company personnel will come in once in a while, such as industry partners or potential clients. Assigning which internet connections they are limited to is a valid way of promoting the company’s cybersecurity. Another way would be to come up with temporary connections that only function during a specific period. Some companies opt for this when they host events within company premises.


Secure IT Services: Exiting Staff Procedures


Employees come and go, but your company’s human resources team must work with your IT team or your IT provider to cut a former employee’s “IT trail”, such as deactivating company email accounts and making sure personal gadgets are banned from connecting to company networks. These processes should be part of clearance whenever an individual severs their professional relationships with the company.


Protecting your enterprise’s cybersecurity sounds like a tall order, but the repercussions of being lax are massive. A proactive approach should be in place, and it should come from company leaders and administrators.


Contact us to learn more about our Secure IT Services for your business!

What Does Your IT Team Need to Know About HIPAA Compliance?
Nov 30th, 2015 by aperio

(Part 4 in our series on IT Compliance Concerns.)

In Part 3 of our series, we discussed how the HIPAA Act was created in an effort to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. In this post, we will focus some of the concerns faced by your IT team with regard to HIPAA compliance.

What are some of the Information Technology concerns for HIPAA compliance?
The main issue faced by IT with regard to HIPAA is keeping Protected Health Information (PHI) secure. The HIPAA Security Rule covers what is expected of companies with regard to maintaining the security of PHI in electronic form, but does not state the way that entities must go about providing this protection. Instead, it states the factors that should be considered for security measures. These factors include an entity’s size and capabilities, its information technology infrastructure, costs of security measures, and the chance and magnitude of anticipated risks to the security of PHI.

The Security Rule does specifically require that security measures include: measures to maintain the confidentiality, integrity, and availability of all electronic PHI an entity creates, handles, or transmits; measures to identify and protect against threats to the security or integrity of PHI that can be reasonably anticipated; measures to protect against uses or disclosures of electronic PHI that are prohibited by HIPAA; and efforts to ensure that employees comply with HIPAA requirements.

Some of the areas affected by these security needs include:
●    Data encryption.
●    Email encryption.
●    Multi-factor authentication (a system of security that requires multiple methods of authentication from different categories of credentials in order to identify a user for login purposes or for other transactions).
●    Compliance training.
●    Social engineering awareness. (You can read about social engineering in our blog post, “Technology Alone Is Not Enough for Security”.)

Another point to consider is that any company that allows the uses of mobile devices for business (particularly hospices, which do much of their work in patients’ homes), will need to be aware of and have solutions for mobile devices’ known security issues. As an example, consider the $50,000 penalty paid by the non-profit Hospice of North Idaho. In this case, an unencrypted company laptop was stolen, which contained electronic PHI for 441 patients. The investigation found that the company had not conducted adequate risk analysis.
Additional Concerns for HIPAA Regulations for the Use of PHI
Additionally under HIPAA, certain uses of PHI may be curtailed or prohibited. For instance, HIPAA prohibits the use or disclosure of PHI for marketing to individuals without obtaining an authorization, with only some exceptions. HIPAA also prohibits the receipt of direct or indirect remuneration in exchange for PHI. It also has rules for when PHI can and cannot be used for further research.

Coming soon: Part 5 in our series on IT Compliance Concerns, “Your Company and PCI DSS Compliance.”

Additional HIPAA resources:
●    National Hospice and Palliative Care Organization’s Compliance Tip Sheet.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team
●    Part 3: Making Sure Your Business is HIPAA Compliant

SIDEBAR
»
S
I
D
E
B
A
R
«
»  Substance:WordPress   »  Style:Ahren Ahimsa