Jarrett Kolthoff | December 9th, 2018

Business Journal Ask the Expert Column

When it comes to warding off cyber criminals, cyber terrorists and hackers, the old adage that “Practice makes perfect” is completely and totally wrong. For the cyber world, the adage is more complicated: “Perfect practice and perfect practices make perfect . . . or at least give you the greatest chances of survival.” Because, if what you’re doing is incorrect from the start, no matter how much you plan, no matter how protected you think you are, you’re doomed. End of story.

What’s the single most important thing we can do as an organization to minimize the risk of cyberattack?

Most businesses and organizations are so consumed with getting compliant and putting procedures and protocols in place that they ignore the single biggest problem with their cyber security program, outside of people: infrastructure. Much of the mechanical controls industry and, terrifyingly, the healthcare industry operates on outdated applications and operating systems, such as Windows XP, developed before the era of sophisticated cyberattacks. These systems are unsupported and cannot be updated with vulnerability and bug fixes. That means, if you use these platforms, you’ve just painted a huge target on your back. How huge of a target, you ask? CNBC reports that almost 40% of controls and critical infrastructure faced a cyberattack at some point in the second half of 2017. That’s for only 6 months, not the entire year! If you’re using Windows XP or any other unsupported platform or application, upgrade now. To raise the stakes for the healthcare industry: if you’re knowingly using outdated systems vulnerable to attack, and one is subsequently breached, resulting in patient death, could you be the target of malpractice litigation as a result of gross negligence?

Our Cybersecurity Systems And Protocols Exceed Industry Compliance Standards – Isn’t That Enough?

In most cases, meeting compliance standards means little more than doing the bare minimum. At SpearTip, we always say compliance breeds complacency. Once you think you’re safe, you’re going to relax, and that’s the moment you will get breached. We stress bringing in a third party for tabletop exercises and also for an unannounced, controlled cyberattack or cyber hunting exercise using legal hackers or cyber operatives. The exercises should be real-time attacks, testing protocols and uncovering unknown intrusions for your Board, Executive Team, Management, IT and Operations personnel. There’s no better way to determine your preparedness than facing a worthy adversary. When you’re under attack, you’ll immediately discover your vulnerabilities and weaknesses, giving you the opportunity to correct any problems.

What can our IT team do to better protect devices that use the Internet of Things (IOT)?

For people unfamiliar with the term, the Internet of Things (IOT) consists of devices and controls that use the internet to communicate and/or function. This includes cloud services, which means your IT Department just became overwhelmed. According to the World Economic Forum, with the rapid expansion of cloud computing, the IOT is experiencing virtually uncontrolled growth, surging from 8.7 billion devices last year to an estimated 20.4 billion by 2020. Considering the vast array of devices using IOT technology and the cloud infrastructure, the level of vulnerabilities to your systems is virtually impossible for an internal team to keep up with within budget. It sounds self-serving, but you need third party resources to protect anything dealing with the IOT. There’s simply no way you can employ and pay enough qualified people to stay current on the number of threats you now face. With more and more financials, proprietary data, trade secrets and even core software systems accessed through the cloud, your device exposure opens the door to malicious threats in a fashion that was incomprehensible 12-18 months ago.

To summarize: when looking at your platform, scrap the Model T for the most advanced hybrid you can afford, perfectly plan and perfectly practice your security plans repeatedly, and bring in outside help, because cybersecurity is no longer a function you can manage alone. You need as many diverse minds with individual areas of expertise as you can find. Hiring that level of talent would be physically impossible and fiscally unimaginable. So bring in an “all-star team” to work with you, rather than for you. Preparedness no longer follows traditional models. and forgiving.