DATA INSECURITY: How Secure Are Your Company Files?


Last month, one of Sacred Heart Health Systems’ third-party vendors for billing operations was hacked. According to the News Herald article, “Hackers used a phishing attack to gain access to the email account of an employee of the billing vendor. They were able to access [some 14,000] patients’ names, dates of service, dates of birth, diagnoses and procedures, total charges, and physicians’ names. About 40 patients also had their Social Security numbers compromised.”

You’ve probably seen something “phishy” in your own inbox, emails that look legit from a trusted source – a bank or credit card processor, for example, or even a friend – asking for inappropriate data or enticing you to click on an interesting link. So what should you do to protect your data, your company, and your customers?

I. Back Up Your Data Regularly

Do you have a solid, reliable backup plan in place?  Have you tested your ability to recover your data?  If you answered no to either question, then you are guilty of making the biggest and most common mistake when it comes to protecting your data.  There are many approaches and strategies to backing up your data, and even more tools that you can purchase.

The driving question is “How much downtime can my business survive if I suffer a loss of data or systems?”  Every situation and every business is different.  If you are an accountant and the date is April 14th, you might not be able to suffer even a half-day of downtime.  Consider the risks that you are facing:  fire, theft, hardware malfunction, user error, malicious hacks, disgruntled employees, and more – the list is long.  Each risk poses its own requirement on your backup system.  Your situation will determine your strategy and guide you in the processes you create and the tools that you purchase.  Oh, and by the way, if you don’t test your recovery processes while you still have your data intact, then you haven’t really backed up your data.  There will come a time when you will need to recover your data from a critical loss, and that is not the time to discover that your backup is faulty.
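The paragraph above makes one point that is easy to nod at and hard to act on: a backup you have never restored is not a backup. The script below is an added example, not code from the original article; it rehearses a recovery end to end on constructed sample files (a small ledger, a client database, a note) in a scratch directory: hash the live files, back them up to a tar archive, restore the archive somewhere else, and compare what came back against what you started with. The second call shows the kind of silent failure the drill is meant to catch: an exclusion rule that quietly drops the most important file. Everything here (file names, the exclusion rule, the archive format) is an assumption made for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root):
    """Return {relative_path: sha256 hex digest} for every file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def create_backup(src_dir, archive_path, exclude_suffixes=()):
    """Write a gzip-compressed tar of src_dir and return the manifest of hashes
    taken from the LIVE data. The manifest deliberately ignores the exclusion
    rule: the drill must compare against what the business actually had."""
    src_dir = Path(src_dir)
    manifest = file_hashes(src_dir)

    def skip_excluded(info):
        # Returning None drops the entry; this models a misconfigured exclusion.
        return None if info.name.endswith(tuple(exclude_suffixes)) else info

    with tarfile.open(str(archive_path), "w:gz") as tar:
        for child in sorted(src_dir.iterdir()):
            tar.add(str(child), arcname=child.name, filter=skip_excluded)
    return manifest


def restore_backup(archive_path, dest_dir):
    """Extract the archive into dest_dir, using the safe 'data' filter where
    this Python version provides it (blocks absolute paths and path traversal)."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(str(dest_dir), filter="data")
        else:
            tar.extractall(str(dest_dir))


def verify_restore(manifest, restored_dir):
    """Compare restored files against the manifest; return a list of problems.
    An empty list means the restore reproduced the live data exactly."""
    actual = file_hashes(restored_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def build_sample_data(root):
    """Constructed sample business data for the drill (not real records)."""
    root = Path(root)
    (root / "ledger").mkdir(parents=True)
    (root / "ledger" / "2015-q1.csv").write_text("date,amount\n2015-01-05,120.00\n")
    (root / "clients.db").write_bytes(os.urandom(4096))
    (root / "notes.txt").write_text("call vendor about invoice\n")


def rehearse_recovery(exclude_suffixes=()):
    """Full recovery drill in a temporary directory: back up, restore to a
    separate location, verify. Returns the list of problems found."""
    with tempfile.TemporaryDirectory() as work:
        live = Path(work) / "live"
        restored = Path(work) / "restored"
        archive = Path(work) / "backup.tar.gz"
        build_sample_data(live)
        manifest = create_backup(live, archive, exclude_suffixes)
        restore_backup(archive, restored)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean drill:", rehearse_recovery() or "OK, restore matches live data")
    # A backup job that excludes '*.db' looks healthy until you try to restore.
    print("drill with '.db' excluded:", rehearse_recovery(exclude_suffixes=(".db",)))
```

The verification compares against hashes of the live data, not against the archive's own listing, because an archive can only ever confirm that it contains what the backup job chose to put in it. Run the drill on a schedule, against a restore target that is not your production directory, and treat any non-empty result as a backup failure.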

II. Make a Clean Start

The surest way to know that your computers are not infected is to start from scratch with a clean installation of a fresh operating system from a known good source.  This step may seem challenging when you consider all the software that has to be re-installed and all the configuration settings that have to be applied for a fresh computer, but it is well worth it.

While there are techniques that cybersecurity professionals use to detect and analyze hacked computer systems, they take skills beyond the average computer user, and it can be expensive to hire a cybersecurity professional.  Instead, bite the bullet, back up your data, and rebuild your systems from scratch.  If you operate several servers or workstations in your business, then you can create a single secure image that is installed on all your computers. The more workstations you operate, the more cost-effective this becomes.  If your system is hacked, you are going to have to do this anyway.

III. Implement the Top 4 Cybersecurity Controls

Now that we have a clean system and our data is protected, how do we protect ourselves from all the hackers and malicious attacks that we all face?  The Council on Cybersecurity has found that 85% of cyberattack techniques can be prevented by implementing four basic security controls for your system:

  1. Application Whitelisting: Allow only approved software to run on your systems.  Establish the software that you authorize for your business, and don’t let anything else be installed on your systems.

  2. Application Patching: Keep your application software up-to-date.  When new vulnerabilities are discovered, the bad guys are quick to take advantage.  Application vendors offer updates to protect against these vulnerabilities. Updating in a timely manner will prevent the vulnerability from being exploited on your system.

  3. Operating System Patching: Operating systems can and should be configured for automatic updating.  Check your systems to ensure that you are applying updates automatically.  For critical server systems, it is important to test updates before they are applied.

  4. Minimize Administrative Privileges: Don’t use your system’s administrator account. Create a standard, non-privileged user for your day-to-day use.  This single step is probably the most important measure that you can take to keep malware from being installed on your system.
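The four controls above are only useful if someone checks that they are actually in place on every machine. The script below is an added example, not code from the original article or from the Council on Cybersecurity; it turns the four controls into an automated audit over a constructed inventory of two workstations (hostnames, software names, versions, dates, and group memberships are all made up for the demonstration). Each host is checked for unapproved software, applications behind the vendor's current release, stale or disabled operating-system updates, and a day-to-day user who sits in the administrators group. It also shows one pitfall that bites home-grown patch checks: comparing version strings as text, so that "1.9" looks newer than "1.10".

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class HostSnapshot:
    """What an inventory agent would report for one workstation (constructed)."""
    hostname: str
    installed: dict          # software name -> installed version string
    os_last_patched: date    # date the OS last applied updates
    os_auto_update: bool     # automatic OS updating enabled?
    daily_user: str          # account used for day-to-day work
    admin_members: set       # members of the local administrators group


def version_key(text):
    """Turn '16.0.4' into (16, 0, 4) so versions compare numerically.
    Non-numeric fragments such as '4b' are reduced to their digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_host(snap, approved, vendor_current, today, max_patch_age_days=30):
    """Evaluate the four controls for one host; return a list of findings."""
    findings = []

    # 1. Application whitelisting: anything installed that is not approved.
    for name in sorted(snap.installed):
        if name not in approved:
            findings.append(f"whitelisting: '{name}' is installed but not approved")

    # 2. Application patching: installed version behind the vendor's current one.
    for name, ver in sorted(snap.installed.items()):
        current = vendor_current.get(name)
        if current and version_key(ver) < version_key(current):
            findings.append(f"app-patching: '{name}' {ver} is behind release {current}")

    # 3. Operating-system patching: auto-update on, and updates not stale.
    if not snap.os_auto_update:
        findings.append("os-patching: automatic updates are disabled")
    age_days = (today - snap.os_last_patched).days
    if age_days > max_patch_age_days:
        findings.append(f"os-patching: last update {age_days} days ago "
                        f"(limit {max_patch_age_days})")

    # 4. Minimize administrative privileges: daily account must not be an admin.
    if snap.daily_user in snap.admin_members:
        findings.append(f"least-privilege: daily user '{snap.daily_user}' "
                        "is in the administrators group")
    return findings


# Constructed policy data: what the business has approved, and the versions
# each vendor currently ships (in practice, fed from your own records).
APPROVED = {"office-suite", "accounting", "browser"}
VENDOR_CURRENT = {"office-suite": "16.0.4", "accounting": "2015.2", "browser": "44.0"}

# Constructed inventory for two machines.
FLEET = [
    HostSnapshot("front-desk",
                 {"office-suite": "16.0.2", "accounting": "2015.2", "coupon-toolbar": "3.1"},
                 date(2015, 2, 10), False, "front-desk-user",
                 {"Administrator", "front-desk-user"}),
    HostSnapshot("back-office",
                 {"office-suite": "16.0.4", "accounting": "2015.2"},
                 date(2015, 4, 20), True, "bookkeeper", {"Administrator"}),
]


def audit_fleet(fleet=FLEET, today=date(2015, 5, 1)):
    """Audit every host; return {hostname: [findings]}."""
    return {h.hostname: audit_host(h, APPROVED, VENDOR_CURRENT, today) for h in fleet}


if __name__ == "__main__":
    for host, findings in audit_fleet().items():
        print(f"{host}: {'compliant' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

In real use the snapshots come from whatever inventory tool you already have; the value is in the comparison, and in running it regularly so a toolbar installed by a user or an account quietly added to the administrators group shows up the next morning rather than in a breach notification.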

Don’t let your business become the next headline or the latest statistic.  It is your responsibility to protect your customers and your business.  Take control starting with these fundamental steps, then you can get a good night’s sleep and focus on what you do best – GROWING YOUR BUSINESS.

Russell Mace, CEO