
Budget-friendly ways to improve your cybersecurity


Budgets are tight for any organization, but especially so for smaller, rural ones. As a result, allocating money for cybersecurity can be a major hurdle to successfully protecting organizational assets and data. With this in mind, I wanted to discuss practices and strategies that cost little or nothing to implement but can have a big impact on the security posture of smaller healthcare organizations.

Inventory management

At the most basic level, inventory management entails tracking and accounting for all cyber-related resources at an organization, including people, technology (hardware and software) and administrative resources (contracts, compliance, licenses). Here are some good aspects of your organization to track diligently, and the importance of each:

  • People: Tracking people helps with access control and identity management, ensuring only those who have a need for access to organizational assets/data are permitted it.
  • Technology: From computers and servers to mobile devices and software licenses, tracking your organization’s technology supports vulnerability management, patch management and configuration management by informing the organization which resources fall under the purview of each security sub-process.
  • Administrative resources: Keeping track of contracts with vendors and compliance requirements can greatly improve the ability of an organization to perform strategic risk assessments and remain compliant with regulatory requirements.

The bottom line of this concept is that if we don’t know something is there, we cannot effectively protect it. Further, a strong inventory management program can turn many specific security processes from a major headache to a manageable routine, including vulnerability management, patch management, configuration management, incident response, access control/identity management, risk assessments and compliance.

With so much positive impact across the organization, no inventory management program is too small. Even with a spreadsheet for each trackable component mentioned above, organizations can make major strides toward improving their security.
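To show how far plain spreadsheets can go, here is an added example (not part of the original article) that cross-checks CSV exports of the people, account and device inventories to flag accounts and devices that need review. The column names, sample rows and the 30-day patch window are assumptions made up for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample spreadsheets (CSV exports); all names and values are made up.
PEOPLE_CSV = """name,role,status
a.lopez,nurse,active
b.chen,billing,active
c.ward,it-admin,departed
"""
ACCOUNTS_CSV = """account,owner,system
alopez,a.lopez,EHR
bchen,b.chen,billing-app
cward-adm,c.ward,domain-admin
frontdesk,,EHR
"""
DEVICES_CSV = """asset_tag,type,owner,last_patched
LT-001,laptop,a.lopez,2024-05-20
SRV-01,server,c.ward,2023-11-02
TAB-07,tablet,,2024-05-28
"""

def rows(text):
    """Parse one CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def accounts_to_review(people, accounts):
    """Accounts whose owner is blank, unknown, or no longer active."""
    active = {p["name"] for p in people if p["status"] == "active"}
    return [a["account"] for a in accounts if a["owner"] not in active]

def devices_to_review(people, devices, today, max_age_days=30):
    """Devices with no active owner or patched longer ago than the assumed window."""
    active = {p["name"] for p in people if p["status"] == "active"}
    findings = {}
    for d in devices:
        reasons = []
        if d["owner"] not in active:
            reasons.append("no active owner")
        age = (today - date.fromisoformat(d["last_patched"])).days
        if age > max_age_days:
            reasons.append(f"last patched {age} days ago")
        if reasons:
            findings[d["asset_tag"]] = reasons
    return findings

if __name__ == "__main__":
    people = rows(PEOPLE_CSV)
    print(accounts_to_review(people, rows(ACCOUNTS_CSV)))
    print(devices_to_review(people, rows(DEVICES_CSV), date(2024, 6, 1)))
```

The flagged items are exactly the ones the inventory makes visible: an admin account and a server still tied to a departed employee, a shared account with no owner, and an unassigned tablet.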

Password management

Creating a password management program is the second biggest improvement organizations can make to strengthen their security postures. Not only can a single stolen password bypass the most expensive cybersecurity tools and solutions, the vast majority of cyberattacks today start with stolen credentials. Many global cybersecurity reports estimate that more than 80% of breaches involve the use of stolen credentials, likely leading to the common saying, “hackers are no longer breaking in, they are logging in.”

Password management at the user level covers the secure creation, use and lifecycle of passwords. In other words, users must create strong (long/complex) and unique passwords at work, use them securely and regularly change them to prevent password attacks. All of this can be a huge burden on a user, which is likely the root of the issue with incidents of stolen credentials. Fortunately, many companies have created software called password managers that can relieve users of that burden. These applications can auto-generate extremely strong passwords for users and save them in the application. This means users no longer have to remember a separate password for each account they have. Instead, they only need to remember the master password to the password manager.

Security awareness culture

In the modern healthcare environment, every employee’s workflow is integrated into the cyber realm. As such, everyone has a role to play when it comes to security. However, employees cannot effectively play their part in security if they are not aware of key concepts related to security. A security-aware culture should be inclusive of concepts like:

  • Understanding that each employee has a role to play in security
  • Setting the security expectations that come with each employee’s role
  • Awareness of common security-related issues that each employee will face and strategies to deal with them
  • Knowing what resources are available to an employee if they have security-related concerns or questions

While creating a security culture is “free” in terms of the budget, shifting the culture of an organization takes a lot of time, effort and commitment. I believe this type of change can be a huge facilitator to success in other security-related endeavors and will always be worth the investment.

The first step to adopting a security-aware culture at an organization is one of the most straightforward – open commitment by organizational leadership that cybersecurity is a top priority and that everyone has a role to play. Afterwards, it’s hard for me to recommend an exact roadmap to adoption, as every organization is different. However, if an organization has personnel assigned to security/technology-related responsibilities, these individuals will be key stakeholders in creating a customized roadmap for adoption. Alternatively, for organizations with or without security specialists, there are several very good free resources dedicated to helping businesses create a security-aware culture. If you’d like to learn more about creating a better security culture, I have some excellent resources included in the appendix.

While organizations may feel pressure to spend more and more on cybersecurity, the reality is that no budget is bottomless. But with these strategies, an organization of any size can vastly improve the effectiveness of their security programs. For more ideas on how to improve your cybersecurity, check out my recent blog series on offensive cybersecurity. You can read the first installment here.

Appendix
