Have You Kept Up with Your Security Audits? You Need To, Especially Now!

When a business undergoes a security audit, its IT security is evaluated to make sure that it has the proper protections in place against the various threats that could strike. Now more than ever, it is important for any organization to be confident in its preparedness. Let’s discuss the importance of assessing your own organization’s security with audits, and how doing so benefits you.

What Does a Security Audit Entail?

A security audit is intended to determine how effectively your business’ security is doing its job. Covering hardware specifications, your infrastructure as a whole, your network policies, the software you’re using, even how your employees behave, a good security audit will give you a complete picture of the protections and safeguards you have in place.

The reason for doing this is simple: it allows you to identify (and, in theory, mitigate) any shortcomings in your current security infrastructure. Once your audit has been completed, you should essentially have a checklist of detected vulnerabilities to attend to. Whether “attending to” them means decommissioning, consolidating, adding to, or reconfiguring the systems involved will depend on the challenges you encounter.

Of course, considering how quickly technology can develop (particularly that which pertains to the business environment), these audits should be performed on a fairly regular basis. Even changes to your processes or the odd software update could easily expose you to new, unforeseen vulnerabilities.

In any case, documentation will be your greatest ally throughout this process. Any audit that is completed properly will generate an extensive list of discoveries, evaluations, and suggested next steps pertaining to your business’ security. These outlines should be detailed and particular, going so far as to identify specific departments within your organization if need be. Perhaps, due to the nature of the information they interact with, your HR department needs to have more cybersecurity protecting it specifically. Whatever your situation, your audit should give you a clear path to follow moving forward.

What You Might Discover During Your Audit

A brief disclaimer seems appropriate here: this is FAR from a comprehensive list. There are hundreds of issues that an audit could potentially catch, but in our experience, these are the most common discoveries:

  • Poor password hygiene
  • Data retention/backup policies not getting followed
  • Granting permissions to users who don’t need them
  • Misconfigured or outdated security software
  • Inconsistent access control levels on folders on the network
  • Non-compliant, unauthorized software installed on workstations
  • Sensitive data being stored incorrectly
  • Undocumented, outdated, or untested incident response plans
  • Insufficient (or non-existent) activity auditing

Again, there are hundreds more possibilities, so be prepared.
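Several of the findings above (permissions granted to users who don’t need them, inconsistent access control levels on network folders, poor password hygiene) can be surfaced mechanically from a directory and file-share snapshot. The script below is an added example, not part of the original article or any NuTech tooling: the users, role-to-permission mapping, folder ACLs and password-change dates are constructed for the demonstration, and the checks it runs are assumptions about what a simple audit would look for.

```python
"""Audit a constructed snapshot of users and shared-folder ACLs for common findings.

All data below is invented for the example; nothing comes from a real environment.
"""
from datetime import date

# Role -> the permissions that role legitimately needs (constructed mapping).
ROLE_NEEDS = {
    "hr":      {"hr_share:read", "hr_share:write"},
    "finance": {"finance_share:read", "finance_share:write"},
    "staff":   {"public_share:read"},
}

# Constructed directory snapshot: role, granted permissions, last password change.
USERS = [
    {"name": "alice", "role": "hr",
     "granted": {"hr_share:read", "hr_share:write"}, "pw_changed": date(2020, 1, 15)},
    {"name": "bob",   "role": "staff",
     "granted": {"public_share:read", "finance_share:write"}, "pw_changed": date(2018, 3, 2)},
    {"name": "carol", "role": "finance",
     "granted": {"finance_share:read", "finance_share:write"}, "pw_changed": date(2019, 12, 1)},
]

# Constructed folder ACLs: path -> {principal: level}. Levels are ordered read < write < full.
LEVEL = {"read": 1, "write": 2, "full": 3}
FOLDERS = {
    "/srv/hr_share":          {"hr": "write"},
    "/srv/hr_share/reviews":  {"hr": "write", "Everyone": "read"},  # broader than its parent
    "/srv/finance_share":     {"finance": "write"},
}


def excess_permissions(users, role_needs):
    """Flag every permission a user holds that their role does not require."""
    findings = []
    for u in users:
        extra = u["granted"] - role_needs.get(u["role"], set())
        for perm in sorted(extra):
            findings.append(("excess_permission", u["name"], perm))
    return findings


def stale_passwords(users, today, max_age_days=90):
    """Flag passwords older than the policy maximum (90 days assumed here)."""
    findings = []
    for u in users:
        age = (today - u["pw_changed"]).days
        if age > max_age_days:
            findings.append(("stale_password", u["name"], f"{age} days old"))
    return findings


def inconsistent_acls(folders, level=LEVEL):
    """Flag subfolders that grant a principal more than the parent folder does."""
    findings = []
    for path, acl in folders.items():
        parent = path.rsplit("/", 1)[0]
        if parent not in folders:
            continue  # top-level share: nothing to compare against
        parent_acl = folders[parent]
        for principal, lvl in acl.items():
            parent_lvl = parent_acl.get(principal)
            if parent_lvl is None or level[lvl] > level[parent_lvl]:
                findings.append(("acl_broader_than_parent", path,
                                 f"{principal}:{lvl} (parent: {parent_lvl or 'no access'})"))
    return findings


def run_audit(users=USERS, folders=FOLDERS, today=date(2020, 4, 1)):
    """Run all checks and return a flat list of (category, subject, detail) findings."""
    return (excess_permissions(users, ROLE_NEEDS)
            + stale_passwords(users, today)
            + inconsistent_acls(folders))


if __name__ == "__main__":
    for category, subject, detail in run_audit():
        print(f"{category:25} {subject:25} {detail}")
```

Each finding names the category, the user or folder concerned and a one-line detail, which is the shape of checklist the article says a completed audit should hand you. Real environments would feed this from the directory and file server exports rather than literals, but the checks themselves do not change.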

Compliance Requirements

There are many standards that different industries and governing bodies have set for businesses to uphold, under threat of fines and other penalties if any shortcomings are discovered. Therefore, in order to meet these compliance standards, it is mandatory to run audits based around the ones that apply to your operations. These may include:

  • SOC 2 type I
  • SOC 2 type II
  • ISO 27001
  • GDPR (General Data Protection Regulation)
  • SOX (Sarbanes-Oxley Act)
  • HIPAA
  • PCI-DSS
  • FINRA
  • FISMA

Again, this is not a comprehensive list, so make sure you are aware of any compliance regulations that you are expected to abide by.

NuTech Services is always here to help you make sure that your IT is properly managed and maintained—including the security and compliance standards that apply to it. To find out more about what we can do to help your business with its IT and cybersecurity, schedule a consultation with us at 810.230.9455.

You’d Be Surprised How Insecure Some Healthcare Providers Are

The healthcare industry is in a difficult position. Despite the utility that connected devices present to medical providers, the BlueKeep vulnerability makes it seem as though connected devices aren’t a wise solution for many to use… and there’s nobody these organizations can blame but themselves.

What is BlueKeep?

BlueKeep is a vulnerability that was first discovered in May 2019, and was patched in short order to prevent it from becoming another situation like EternalBlue. EternalBlue was the exploit that allowed WannaCry to have such a considerable impact, especially on healthcare providers in the UK. Despite this precedent, however, many hospitals neglected to apply the necessary patches, and that isn’t even the worst part.

The worst part is that the three systems that BlueKeep impacts (Windows 7, Windows Server 2008, and Windows Server 2008 R2) share one thing in common: they have all passed their end-of-life date, and therefore no longer receive security updates.

This makes the situation a two-fold disaster: not only have patches been released to mitigate BlueKeep, but the systems affected by it should not be in use anyway.

Of course, it only gets worse, and paints an unfortunate portrait of medical IT. A reported 22 percent of BlueKeep-vulnerable devices remain unpatched. Worse, 45 percent of connected medical devices remain vulnerable, making things like x-ray machines, anesthesia machines, and other care-driven technology a risk to use.

Are you concerned about your organization’s technology?

Lean on the IT experts at NuTech Services for assistance. We can help any organization ensure that their technology won’t put their operations or their patrons in harm’s way. Learn more about what we can do by calling us at 810.230.9455.

Tip of the Week: Do You Know How to Protect Medical Data?

Businesses that work with medical data are in a tricky situation, as the slightest security issue could put the data they store at considerable risk. If you’re not careful, you could be putting your business at risk. With the compliance issues that have to be regarded, the security of any medical data you store on your infrastructure has to be made a priority. How can you minimize the risk of storing this data without compromising your business’ effectiveness?

Compliance regulations, like the Health Insurance Portability and Accountability Act (HIPAA), will make things a bit more difficult for your business. However, your business shouldn’t be hit too hard if you’re being mindful of the regulations while planning how you store medical records and other sensitive information. Here are some tips to help you keep your business as secure as possible.

Encryption is Key

The strange thing about HIPAA is that it doesn’t necessarily require your business to have data encryption implemented. Considering how much it helps in the event of a data breach, it’s ludicrous to think that it’s not required at all. Encryption essentially scrambles data so that the matching encryption key is needed to read it. This makes any stolen data practically useless, as military-grade encryption is incredibly tough for the average hacker to crack.

Implement Comprehensive Security Solutions

More often than not, it’s better to stop attacks before they reach your infrastructure than to respond to them afterward. You can do this by implementing a Unified Threat Management solution, which includes a firewall, antivirus, content filter, and spam protection to minimize the security threats to your company at all times. These preventative measures don’t guarantee immunity to threats and hackers, but they significantly reduce the chances that you’ll suffer from them.

Limit Access Based on User Roles

The more users have access to certain data, the more threats can potentially reach that data. Think about it this way: if you have 10 computers on your network, any one of them could be used to infiltrate it. However, it’s unlikely that all 10 users also need the same privileges to access important data. You can keep specific data safe by limiting the number of users who have access to it.
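One way to put role-based limits on medical records into practice, and at the same time produce the activity audit trail that the security-audit article lists as a common gap, is a deny-by-default permission check in front of the record store. The code below is an added example and not the article’s or any product’s own implementation; the role names, permission strings, user accounts and record identifiers are constructed for illustration.

```python
"""Role-based access to patient records: deny by default, log every decision.

Roles, permissions, users and record IDs below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> permission mapping. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "physician":    {"record:read", "record:write"},
    "billing":      {"record:read_billing"},   # billing fields only, no clinical notes
    "receptionist": set(),                     # books appointments; no record access
}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class AuditLog:
    """In-memory activity log; a real deployment would ship this to a SIEM."""
    entries: list = field(default_factory=list)

    def record(self, user, action, resource, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "result": "ALLOW" if allowed else "DENY",
        })


class PermissionDenied(Exception):
    pass


class RecordStore:
    def __init__(self, audit):
        self.audit = audit
        self._records = {}  # record_id -> {"notes": [...], "billing": {...}}

    def _authorize(self, user, perm, record_id):
        """Allow only if one of the user's roles carries the permission; log either way."""
        allowed = any(perm in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
        self.audit.record(user.name, perm, record_id, allowed)
        if not allowed:
            raise PermissionDenied(f"{user.name} lacks {perm} on {record_id}")

    def write(self, user, record_id, note):
        self._authorize(user, "record:write", record_id)
        rec = self._records.setdefault(record_id, {"notes": [], "billing": {}})
        rec["notes"].append(note)

    def read(self, user, record_id):
        self._authorize(user, "record:read", record_id)
        return self._records[record_id]["notes"]

    def read_billing(self, user, record_id):
        # Billing staff see only the billing fields, never the clinical notes.
        self._authorize(user, "record:read_billing", record_id)
        return self._records[record_id]["billing"]


def demo():
    """Exercise the store with a physician and a receptionist; return the outcomes."""
    audit = AuditLog()
    store = RecordStore(audit)
    physician = User("dr_lee", {"physician"})
    clerk = User("pat", {"receptionist"})

    store.write(physician, "MRN-0001", "Follow-up in 2 weeks")
    outcomes = {"physician_read": store.read(physician, "MRN-0001")}
    try:
        store.read(clerk, "MRN-0001")
        outcomes["receptionist_read"] = "allowed"
    except PermissionDenied:
        outcomes["receptionist_read"] = "denied"
    outcomes["denials_logged"] = sum(e["result"] == "DENY" for e in audit.entries)
    outcomes["events_logged"] = len(audit.entries)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the check consults a role table rather than per-user flags, removing a user’s access is a matter of changing their role, and the audit log records denied attempts as well as successful ones, which is what an auditor looking for “insufficient activity auditing” will ask to see.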

Does your business utilize medical records or other sensitive information? Your company could be at risk of being fined due to compliance regulations. To find out how your business fares regarding data compliance, reach out to NuTech Services at 810.230.9455. We can work with you to ensure that you’re being as proactive as you need to be to ensure your data is secure.