After the WannaCry ransomware attacks, healthcare organizations everywhere are taking another look at their cybersecurity defenses. But as the saying goes, the best defense is often a good offense: alongside keeping security patches up to date and protecting specifically against ransomware, organizations should take the opportunity to learn from those who have already been breached.
But where should healthcare organizations start? Where do technology deployments and best practices meet? This is where Sadik Al-Abdulla, director of security solutions at CDW, can help.
Al-Abdulla has performed security assessments for numerous clients: penetration tests in which he assessed an organization’s security posture by attempting to break into its network. Each time, he gained full control of their networks. “I’d like to think that I’m good,” says Al-Abdulla, “but I am not the world’s best.”
The industry average success rate for a good “red team” of penetration testers is 95 percent, he explains. “So if talented hackers go after a company, they will get access.”
CDW’s security team has conducted more than 4,000 assessments for organizations of every size across all industries, and the team’s members have learned valuable lessons from their experiences — primarily, that most breaches are caused by user behavior. Employees click phishing links, create weak passwords and use the same credentials for multiple accounts, while IT personnel don’t always have a disciplined program for patching and updating hardware and software.
Hackers exploit user vulnerabilities in two ways: first to gain initial access, and then to expand that access so they can reach their final objectives, whether that’s stealing money, sensitive data, account credentials or intellectual property.
The success rate of hackers necessitates a fundamental shift in how organizations think about security, says Al-Abdulla. Rather than focusing solely on avoiding breaches altogether – an approach that leaves an organization completely vulnerable when an attacker is successful at breaking through perimeter defenses – IT teams should build networks that can adapt to security incidents.
“It’s not only about preventing access, because sooner or later, attackers will get in,” he says. “What happens next is what’s important. Are they detected and contained, or are they able to then go transfer millions of dollars out of your electronic account?”
Karen Scarfone, principal of Scarfone Cybersecurity, agrees. Keeping intruders out is important, but organizations should also have plans in place to minimize damage in case of a breach. “I’ve spoken to some people who are almost giving up on prevention, and that’s a dangerous approach,” she says. “You need a balance.”
Hackers are most successful when they have the element of surprise on their side, so becoming familiar with emerging threats can help organizations stave off disaster.
One of the most popular exploits employed by cyberattackers is ransomware, malware that encrypts enterprise data and demands payment from its victims to get it back. “There’s more ransomware today than there was six months ago, because it still works,” says Al-Abdulla. “It’s a profit center.”
Unfortunately, victims keep paying ransoms, which enables attackers to enhance their arsenals. “It’s going to get more insidious,” says Craig Williams, senior technical leader and manager of outreach at Cisco Systems’ Talos Security Intelligence and Research Group.
The best defense against ransomware is to conduct regular backups — and to practice restoring data from those backups to ensure that they work as anticipated, Williams advises. Not opening unexpected attachments can also help, as can disabling unused browser plug-ins, a common source of malware infections. Williams suggests users review their plug-ins once a month and uninstall any they don’t use.
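The restore practice Williams recommends is easy to state and often skipped. As an added illustration written for this page (not code from CDW, Cisco Talos or the people quoted), the following POSIX shell script backs up a constructed sample directory, restores the archive into a scratch location, compares the restored tree with the original, and then shows that a truncated archive fails the same check. The sample file names, the paths and the 512-byte truncation used to simulate a damaged backup are assumptions for the example; it relies only on standard tar, diff, mktemp and head.

```shell
#!/bin/sh
# Backup-and-restore drill (example for this article, not vendor code).
# Assumption: POSIX sh with tar, diff, mktemp and head available.
set -u

# make_sample_data DIR: create a small, constructed directory tree that
# stands in for the data an organization would want to protect.
make_sample_data() {
    dir=$1
    mkdir -p "$dir/records" "$dir/config"
    printf 'record-id,visit-date\n1001,2017-05-12\n1002,2017-05-13\n' \
        > "$dir/records/visits.csv"
    printf 'db_host=localhost\ndb_port=5432\n' > "$dir/config/app.conf"
    # A larger file so the archive spans several tar blocks.
    i=0
    while [ "$i" -lt 400 ]; do
        printf 'block %d of constructed binary payload\n' "$i"
        i=$((i + 1))
    done > "$dir/records/image.bin"
}

# backup_dir SRC ARCHIVE: write a tar archive of SRC to ARCHIVE.
backup_dir() {
    src=$1
    archive=$2
    tar -cf "$archive" -C "$src" .
}

# verify_restore SRC ARCHIVE: the actual drill. Restore ARCHIVE into a fresh
# scratch directory and compare it file by file with SRC. Returns 0 only if
# the archive extracts cleanly AND every file matches the original.
verify_restore() {
    src=$1
    archive=$2
    scratch=$(mktemp -d) || return 1
    status=0
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        status=1                      # archive unreadable or truncated
    elif ! diff -r -q "$src" "$scratch" >/dev/null 2>&1; then
        status=1                      # extracted, but contents differ
    fi
    rm -rf "$scratch"
    return "$status"
}

# run_drill: exercise a good backup and a deliberately damaged one.
# Prints "good=<0|1> corrupt=<0|1>" where 0 means verify_restore passed.
# A healthy process yields good=0 (restore works) and corrupt=1 (the damaged
# archive is caught before anyone relies on it).
run_drill() {
    work=$(mktemp -d)
    make_sample_data "$work/data"
    backup_dir "$work/data" "$work/backup.tar"

    if verify_restore "$work/data" "$work/backup.tar"; then good=0; else good=1; fi

    # Simulate a damaged backup by keeping only the first 512-byte tar block;
    # restoring from it must NOT pass verification.
    head -c 512 "$work/backup.tar" > "$work/damaged.tar"
    if verify_restore "$work/data" "$work/damaged.tar"; then corrupt=0; else corrupt=1; fi

    rm -rf "$work"
    echo "good=$good corrupt=$corrupt"
}

run_drill
```

Run unattended, the same three functions can be pointed at a real source tree and last night's archive; a result other than a clean restore is the signal to fix the backup job before a ransomware incident makes it urgent.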
Mobile technologies and Internet of Things projects represent another growing vulnerability. Networks host so many devices that IT departments struggle to manage them all. One of the best ways for organizations to minimize the damage from security incidents is to detect breaches quickly, so it may make sense to outsource monitoring to a vendor that can provide 24/7 coverage, says Scarfone.
Organizations invest a great deal of time and energy into building walls around their networks to keep out intruders. “But once that first crack occurs, in most cases for most companies, hackers have almost free rein,” says Al-Abdulla. “Starting to prioritize differently and to think about building more resiliency into the inside of the network is critical to containing and limiting the damage.”
One strategy is for security programs to focus on users just as they do on technology and processes. Training users to create stronger passwords and to recognize phishing scams is just as critical as firewalls and intrusion prevention systems. This training should be followed by audits to assess how well users have learned their lessons. “Don’t just teach them,” says Al-Abdulla. “Follow up and see if they’re using what you taught them.”
Organizations should also pay attention to what happens before, during and after a breach, he adds. They can take steps to prevent attacks, but if hackers get in, organizations should have plans to detect and contain them during the attack and remediate afterward.
For instance, organizations can segment their networks to make it harder for intruders to escalate their privileges. They can establish backup plans that enable them to restore data in case of a ransomware attack. Organizations can also conduct drills to practice containing a breach and resuming operations quickly.
“Those kinds of things are tremendously valuable, because sooner or later someone is going to click that one link,” says Al-Abdulla. “If you put the work in now, the impact to the business when it happens will be much less.”