" cybersecurity Archives - Page 3 of 4 - LuxSci

Posts Tagged ‘cybersecurity’

5 Ways to Prevent Human Impacts on Your Cybersecurity Program

Tuesday, October 12th, 2021

There are multiple ways that humans impact cybersecurity and can put data at risk. From being tricked by phishing emails to choosing easily guessed passwords, insider fraud and mistakenly classifying the security level of emails and other content, the actions of your employees can make your data vulnerable.

While the impact of human errors can’t be eliminated entirely, there are steps that can be taken to minimize the effects humans can have on your cybersecurity. Five of these steps are detailed below.

prevent human effects on cybersecurity

1. Adopt an “Opt-out” approach to encryption

At LuxSci, our philosophy is to limit risk by taking basic security choices out of employee hands. Instead of relying on employees to encrypt emails with sensitive contents, we automatically encrypt every message by default. This makes it more difficult for an employee to carelessly send out sensitive emails without the proper safeguards.

Conversely, when taking an opt-in approach to cybersecurity, employees are responsible for remembering to encrypt each email before sending. Anytime an employee forgets to take this step, it represents a potential security breach with all the liability that entails. Adopting an opt-out approach to encryption reduces this risk significantly. While many companies use opt-in processes because of their convenience, they introduce a high degree of risk. LuxSci’s SecureLine encryption technology enables a new generation of email encryption that features both flexibility and security.

2. Implement strict email filtering and network firewalls

Are you familiar with the aphorism “an ounce of prevention is worth a pound of cure”? By taking steps to prevent malicious threats from reaching your systems and networks, your employees will not have to spend their time trying to figure out what is a threat.

Email filtering

Phishing is one of the greatest threats to cybersecurity. Rather than relying strictly on human judgement with regard to which emails to open, using a sender policy system that filters or flags suspicious incoming emails can appreciably improve cybersecurity. Don’t count on your busy employees to know when an email is suspicious. Instead, use email filtering to keep those emails from even entering their inboxes.

Network firewalls

Firewalls help prevent attackers from gaining easy access to your network. They prevent suspicious connections or messages from connecting to the network or reaching their intended destination. By serving as a first line of defense, a firewall plays a major part in shielding your network from cyberattacks. By preventing external threats from accessing your applications, you don’t need to count on your employees to recognize when something isn’t right.

3. Prevent human impacts on cybersecurity by training staff

Almost every modern workplace relies on internet-connected devices to get work done. However, just training staff to use your technology effectively is not enough. With cyberattacks growing in frequency, keeping your staff aware of the latest cybersecurity threats is essential to protect your business. With data breaches, denial-of-service (DoS), and ransomware attacks accounting for tremendous financial losses, failing to prepare your staff for the danger these attacks pose to your IT operations can be costly.

Your employees can prevent security breaches if they are properly trained in the latest cybersecurity best practices. Some complex security breaches can evade even the best automated security measures. If your staff knows what to look for, they can play a crucial role in augmenting your existing security measures.

In addition, hackers often target employees as their first access point for gaining entry to a network. As a result, restricting cybersecurity training to just the IT department can leave your employees vulnerable to social engineering, phishing emails, and other exploits used by hackers to dupe them.

A cybersecurity training program can help reduce risks by familiarizing employees with the tricks used by hackers to gain access to their accounts. As part of the training program, it’s important to test employees on core concepts to ensure the message is retained.

4. Enforce strong password and access control policies

To reduce the risk of security breaches, a robust password protection program is necessary. One of the key elements is enforcing password complexity. Simple passwords are vulnerable to brute force hacking, enabling hackers to easily access employee accounts.

Requiring staff to use unique, complex passwords makes it much harder for hackers to gain access to an account. A complex password can include multiple types of characters (numbers, letters, capitalization, special characters) and minimum character lengths. Learn more about creating secure passwords in our blog archives.

Multi-factor authentication (MFA) is another key element of a robust security policy. By requiring more than a single action to access an account, you can drastically cut down on security breaches due to lost or stolen passwords. Given that compromised passwords are a significant cause of security breaches, using MFA is a powerful tool for bolstering network security.

In addition, setting up time-based access controls for your sensitive systems can prevent bad actors from gaining unauthorized access. For example, if you have an employee who works a 9am-5pm shift, you can prevent her from accessing the system from 6pm-8am. That way if a bad actor did get her credentials, they would be unable to login when she was offline. This could prevent someone from taking over your systems overnight.

5. Adopt the Zero Trust security stance

What is Zero Trust Architecture? Essentially, it is a policy for guarding against cyberattacks by assuming that every aspect of a network is subject to attack. This includes potential insider threats from employees or attackers who have infiltrated your network. This contrasts with other security approaches that assume that traffic within a network’s security perimeter can automatically be trusted. Instead, Zero Trust Architecture minimizes the security perimeter as much as possible to reduce the chance of a security breach and evaluates the credentials and actions of users at all levels of access to identify any actors inside the network who may pose a threat.

By providing a more granular level of threat detection and limiting access within the network, a Zero Trust security approach is more rigorous than existing security models focused primarily on perimeter security.

ZTA improves security without imposing unduly burdensome requirements. It gives users access to just the minimum level of data and services needed to fulfill their role. This can help stop insider threats from employees. If a lower-level employee with little access to sensitive data has their credentials compromised, it is less threatening to the organization’s data security. The attacker will not be able to penetrate other parts of the network without additional identity verification.

Limiting human impacts on your cybersecurity to decrease risk

Humans can amplify cybersecurity risks in many ways. Between careless mistakes and intentional sabotage, there are a number of things that employees can do to expose your company to cybersecurity risks. The steps listed above comprise a comprehensive set of measures you can take to minimize negative human impacts on cybersecurity. In conjunction with a robust security solution, these measures can significantly enhance your cybersecurity defenses.

Secure your organization by contacting us to find out how to get onboard with LuxSci.

What Is Zero Trust Architecture?

Tuesday, June 22nd, 2021

In light of the increasingly sophisticated attacks against the US public and private sectors, the Biden Administration announced a push toward Zero Trust Architecture, amid other cybersecurity reforms.

The White House order was issued on May 12, and it included a host of measures aimed at improving the country’s resilience against cyberthreats. The announcement contained plans to remove barriers that block the sharing of threat information, as well as actions to modernize the Federal Government cybersecurity environment.

A key part of the order was a requirement for each agency head to develop a plan for Zero Trust Architecture implementation within 60 days of the announcement. This plan must incorporate the migration steps set out in the National Institute of Standards and Technology’s (NIST) guidelines. The White House order also stipulates that migrations to cloud technology “shall also adopt Zero Trust Architecture, as practicable.”

This announcement is likely to have major implications in the cybersecurity world. With the federal government moving to adopt Zero Trust Architecture, it’s likely that other industries will soon follow suit. It’s worth asking what this framework is and what it means in the context of your own security stance.

what is zero trust architecture

What Is Zero Trust Architecture?

Simply put, Zero Trust Architecture is a security model that assumes no place is safe from cyberthreats, even an organization’s own network. Let’s explain it by contrasting Zero Trust Architecture with other security models.

Under other designs, an organization’s network has a perimeter, and the entities inside it are considered secure. It’s much like the terminal at an airport. Once you have gone through the security checkpoint, you are presumed free from any weaponry that could endanger others or the facility. After going through the security, you can enter the food court, the gift shops, or the bathroom without having to verify your identity or go through a metal detector.

Under this type of security model, systems can communicate with each other within the network relatively freely. Users are deemed safe and given special privileges, because they are on the “secure” side of the firewall.

In contrast, Zero Trust Architecture accepts that bad actors may be inside the perimeter of the “secure” network. Recognizing this possibility, the Zero Trust security model involves making the secure perimeter as small as possible to minimize the potential for compromise. It also takes steps to continually evaluate actors that are inside the network for possible threats.

Overall, the goal of Zero Trust Architecture is to protect devices and data from malicious actors. It improves on other security models by enforcing more granular access controls, which helps limit the potential for unauthorized access.

Trust Zones

In Zero Trust Architecture, a trust zone is an area where those granted access are also granted access to other parts of the network. Returning to our airport analogy, everywhere beyond the security gates is a shared trust zone where you can move relatively freely.

When you go to board your plane, you must go through another security checkpoint into a smaller trust zone. The smaller a trust zone is, the less data and access to assets that it has. This helps to limit the potential damage that a bad actor can cause.

If a bad actor gained access to the terminal, they could harm everyone within the secure perimeter of the terminal. If the bad actor only had access to the plane, the potential harm would be much more limited (the analogy breaks down a little here, because someone with access to a plane would also have had access to the terminal, but you get the picture).

The Core Tenets of Zero Trust Architecture

In order to build a more secure environment while still offering usable services, Zero Trust Architecture focuses on:

  • Authorization: Only granting users access to the minimum level of data and services that are required to fulfill their role.
  • Authentication: Verifying the identity of authorized users through logins, keys, certificates, multi-factor authentication and other measures. This helps to protect from unauthorized access.
  • Limited trust zones: Making trust zones as small as possible to reduce potential impacts if compromised.
  • Availability: The above security measures are critical, but they need to be designed in a way that maintains availability. A service is useless if it is incredibly secure, but unavailable much of the time.
  • Minimized delays: The vetting processes are important, but authentication should be implemented in a way that doesn’t slow down access.

LuxSci and Zero Trust Alignment

LuxSci has long aligned its services with Zero Trust principles. Our Zero Trust-aligned features include:

  • Dedicated servers with virtualized sandboxing and dynamic per-customer micro-segmentation. We put each dedicated customer in its own trust zone.
  • Dynamic network and user access monitoring that can block suspected threats.
  • Granular access controls for users and systems that access customer data.
  • Encrypted email.

The Biden Administration’s push toward Zero Trust Architecture shows just how critical it is for protection in the current environment. Secure your organization by contacting us now to find out how it can get onboard with LuxSci’s Zero Trust-aligned services.

30th National HIPAA Summit Recap

Tuesday, March 30th, 2021

Last week, the LuxSci team attended the Virtual 30th National HIPAA Summit. The conference featured government and industry leaders who led sessions on updates to HIPAA rules, ongoing threats to cybersecurity, the impacts of remote work, and many other topics.

We can’t touch on every session that took place over the four days of the conference, but some of the most interesting updates came from the Office of Civil Rights (OCR) at Department of Health and Human Services. OCR is responsible for enforcing HIPAA, so as you would expect their sessions were of high interest to anyone responsible for compliance.

OCR UPDATES

At the start of the pandemic, OCR adopted enforcement discretion to allow health care organizations to quickly transition to virtual health care and remote work without fear of penalties. In January, OCR announced that enforcement discretion would also apply to Covid-19 vaccine scheduling. OCR will not impose penalties on those acting in “good faith” to create online or web-based scheduling applications for Covid-19 vaccine appointments. Nevertheless, this does not mean that covered entities are off the hook when it comes to HIPAA. It is recommended that they implement “reasonable safeguards” to protect PHI.

The Office of Civil Rights has also continued to penalize organizations for right of access violations. When most people think of HIPAA, they think of protecting private information through strict security policies. However, HIPAA stands for the Health Insurance Portability and Accountability Act. Portability means that patients have a right to access and transmit their information to other insurance or health care providers as they see fit. In recent years, OCR has increasingly penalized organizations for failing to respond to patient information requests in a timely manner. It is important for health care organizations to have secure offsite back-ups of patient information to prevent enforcement actions. It is challenging to find the right balance of security and patient access, but it is so important!

CYBERSECURITY THREATS     

Unsurprisingly, Covid-19 exposed organizations to new security risks as employees rapidly transitioned to remote work. Although the pandemic changed practically every aspect of our lives, phishing and ransomware remained two of the biggest security threats to health care providers. At the outset of the pandemic, many ransomware hackers voluntarily stopped targeting hospitals systems in a show of solidarity. However, the respite was temporary. As the value of health care data on the black market has continued to rise, ransomware attacks have surged.

Phishing also remains a primary attack vector for intruders. OCR reported that in the first two months of 2021, hacking/IT accounted for 71% of large health care breaches. According to OCR, most large breaches have occurred via email (39%) or network servers (32%). Phishing attacks increased so much over the last year that one conference speaker noted his organization considered turning off external emails. Though it is true that the only way to completely avoid hackers is to disable your systems, it is an unrealistic option for most businesses. To combat phishing, organizations need to train staff and have technology controls in place to prevent human error. If you have the right email filtering in place, you can prevent phishing emails from even reaching your employees’ inboxes.

REMOTE WORK- LEARNING FROM THE PANDEMIC

Shifting to remote work in early 2020 left organizations scrambling to create security policies and protect patient information. Not only did providers need to worry about preventing telehealth conversations from being overheard by their families, but they also needed to be conscious of a wide array of security issues including:

  • Securing their physical workspace and devices
  • Preventing data loss
  • Protecting notes from patient conversations
  • Using secure network connections
  • Letting children or partners use work devices

The number of security risks that remote work introduced were almost immeasurable. Organizations needed to act quickly to create new policies to protect patient data, while maintaining excellent standards of patient care. Time and time again, health care organizations that lacked basic cyber hygiene like unique logins, complex passwords, and device usage policies were the most at risk of a cyberattack or breach.

One year later, organizations are continuing to adapt their policies as much of the workforce remains remote. Many presenters expect at least some of their workforce to remain remote once the pandemic ends. Some organizations were surprised to discover the benefits of having a remote workforce. Rural hospitals are better able to attract talent when remote work is an option. Patients also benefitted from increased access to health care when telehealth was an option.

The HIPAA Summit was a wonderful reminder that if you don’t have procedures and policies in place to protect your patient data and communications, it’s only a matter of time before a breach occurs. Did you attend the HIPAA Summit? We would love to learn more about your challenges with Covid-19 and secure patient communications.

What Is Smishing And How Can You Avoid It?

Tuesday, March 9th, 2021

You are probably familiar with smishing, even if you aren’t quite sure what it’s called or the underlying details. We’ve all received strange SMS messages along the lines of:

  • We’ve noticed suspicious activity on your account. Visit scamsiteabc.com/kkjdkjh if you did not make any recent purchases.
  • Congratulations! You’ve won a $500 Best Buy gift card. Click the link to redeem your prize scamsitexyz.com/ljhkjsfds

Of course, both of these messages are really just scams. They are a type of phishing conducted over SMS, hence the name Smishing. These smishing messages can look real—that’s the point. They are designed to trick the recipients into thinking that they are legitimate. They lead the recipients through a number of steps that ultimately result in them handing over sensitive details, such as their login details or banking information.

smishing title card

How Does Smishing Work?

Scammers collect a bunch of phone numbers and send out smishing messages in bulk to unwitting victims. These messages often appear to come from respected organizations, such as the recipient’s bank, or a major retailer. The exact details of the messages vary, but they generally try to elicit a quick response before the recipient has a chance to question it.

Common examples include offering prizes that may excite recipients or a warning that someone has attacked their account. The message prompts the recipient to take some immediate action. These actions can include:

  • Clicking a link – This is probably the most common example. These links will take you to a website that looks legitimate, but the details will be slightly wrong. For example, instead of the real URL, yourbank.com, the scam site may actually be yourbamk.com. At a glance it looks the same, but the scam site has no relation to your bank.
  • Contact an email address – Much like in the above example, the address can seem real, but it may have subtle differences, such as customerservice@yourbamk.com, instead of customerservice@yourbank.com.
  • Call a phone number – The number will not actually belong to the company, but a scammer impersonating the organization’s call center.

When these messages succeed and trick the recipients into taking the next step, they will be funneled deeper along in the attack. The recipient may be pushed to download malware onto their device, which can end up spying on them and stealing their sensitive information.

The other main tactic is to manipulate recipients into handing over their login details or banking information. One technique is to fake a security breach and have users re-enter their password on a fake login page. Just like that, scammers can take control of your account.

Other tactics include asking the recipient to update their account details, or to confirm their security questions and answers. This can ultimately give attackers the information they need to take control of the account.

Smishing is used to directly target individuals, or as an attack vector for penetrating deeper into an organization. If a smishing attack fools an employee, it can give these scammers access to the company’s systems. From this foothold, they can escalate their privileges until they reach their ultimate goal. This could be stealing valuable data or even accessing the company’s finances.

How Can You Avoid Smishing?

Individuals can avoid smishing by always being skeptical of text messages that ask them to visit a link, to email someone, or to call a number. They should use caution if they do not know the sender, or if the message sounds too good to be true.

Recipients should always double check the URLs, email addresses, and phone numbers to make sure that they belong to the company. You can check your prior correspondence with the company, or do a web search of the details alongside the company name to confirm. Compare the details in the smishing message against the official ones from the company, making sure to look closely for misspellings.

You can also check potential phishing sites against this database to see if it has already been reported. If you can confirm it is a smishing message, all you have to do is ignore it to stay safe. Do not even click the link, because it could infect your device. If you aren’t sure, contact the company via its official channels to check whether or not it is a scam.

Many companies have a blanket policy that they will never contact you by text asking you to update your account. If this is the case and you receive such a message, you can easily disregard it as a scam.

How Can You Defend Your Customers From Smishing?

If your company would like to be able to send URLs in its text messages without also opening the door to scammers, you can use a service like LuxSci’s SecureText. You can alert your customers that the only text messages you send will take them to the SecureText portal. As long as they check that the URL for the portal is correct, they will be safe to click the link. They can disregard any other messages purporting to be from your organization, because these will be scams.

From the SecureText portal, the recipient can enter their details to gain access to the message. The protective features of LuxSci’s SecureText allow organizations to send sensitive information via SMS, all in a HIPAA-compliant manner. With SecureText and a proper warning strategy, you can help protect your recipients from being tricked by smishing scams that seem to come from your organization.

Remote Work & Its Cybersecurity Implications

Tuesday, June 4th, 2019

Remote work has become a hot topic in recent years, with the rise of digital nomads as well as those who just want to sleep in, skip traffic and avoid their bosses. The increased flexibility can be great for workers, while organizations can save on office costs and even boost employee morale.

Despite the potential benefits, remote work can complicate an organization’s cybersecurity. Instead of having everything centrally controlled in the office, businesses with remote workers also have to account for people accessing their resources in other locations over potentially insecure connections and equipment.

It’s not an insurmountable problem, and all it requires is some basic analysis, planning and policy, as well as a few simple security tools.

What Kind of Data Does the Employee Need to Access?

Before you dive into the technology requirements and write up a detailed policy framework, it’s important to perform an analysis to see what kind of access remote employees will need in the course of their work, and to determine whether they process any data that needs to be protected.

Some employees may not require any access to company systems and don’t need to deal with sensitive data. Others may need to log in to company tools and databases, while certain remote workers may need to deal with sensitive business data or ePHI. Each of these situations will require a different approach to maintain an appropriate security level within your organization.

Low-risk Employees

If it’s just a graphic designer updating your flyers or a similar type of low-risk work, you probably don’t need to worry too much. The graphic designer could directly email the drafts to hackers and it wouldn’t have any serious ramifications for your company (unless the hackers have some kind of absurd hatred for spam and target your business in an over-the-top revenge plot).

For employees that don’t access company systems or its data, you really don’t need to take any major security precautions. If the employees only deal with information that you could post on a billboard without repercussions, there’s no real point in developing special systems.

The only policy that you would need in place is to ensure that the rest of your employees keep their communications on a strict need-to-know basis with remote employees. While these remote workers don’t need any sensitive information in the course of their work, it’s important to prevent any gossipers from divulging company secrets.  It’s also important to segregate their computer systems from those of sensitive employees if and when they happen to be in the same location, so as to avoid the spread of malware.

If your organization already has secure systems in place, it may be worthwhile to use them with remote employees that fall into this category. It could prevent such rare slip ups at a low cost, since the infrastructure is already available.

Employees that Access Company Resources, Sensitive Data or ePHI

If remote workers need to access company systems, sensitive data or ePHI in the course of their work, then your organization will need to take a number of precautions to secure itself and the data.

Again, you first need to analyze what the employees actually need and come up with policies and technologies that allow them to safely use it, without opening up any doors to unauthorized parties.

This policy should include rudimentary security processes like enforcing strong passwords and requiring two-factor authentication.

Access Control

Follow the principle of least privilege and only allow employees to access what they strictly need in order to accomplish their tasks. Opening up all of your company’s systems and its data to employees only adds unnecessary risk.

Over time, an employee’s access needs may change. If this occurs, simply adjust their privileges as necessary, whether this involves increasing or decreasing them.

Secure Employee Devices

Ideally, companies should be supplying the devices that their employees use so that they have strict control over them. These devices should have full-disk encryption with remote wipe capabilities, firewalls and antivirus software at a minimum. Your organization should also have strict rules about what employees can and cannot use company devices for.

VPN Access

VPNs offer one of the best ways to safely allow remote access to company resources. They fully encrypt the pathway between an employee’s device and the company server, preventing outside access.

Monitor Your Remote Workers

As part of your organization’s overall security policy, it should be monitoring and taking logs whenever employees access company resources. Not only does this deter employees from acting inappropriately, but it also makes it much easier to find the culprit if the company has been breached.

Obviously, this policy should be extended to remote workers who access company systems and data, as well as internal employees.

Encrypt Everything

Sensitive data needs to be encrypted whenever it is being collected, processed, transmitted or stored. LuxSci offers a range of services that can help your organization keep this data safe, from our secure forms and hosting, to our HIPAA-compliant email.

Encrypting all of your organization’s sensitive data is a crucial part of keeping it safe when dealing with remote employees. Between this and the steps mentioned above, you can offer your employees the freedom of working from anywhere without putting your organization at risk.