• What you should do after a spear phishing attack

    by Veriato | Oct 03, 2018

We all know information security is complicated and multi-faceted. You have plans to defend against countless types of attacks and threats, but the risk is still there. Spear phishing is a common threat, and your organization should have a plan for how to respond in the event of this type of attack.

    What is spear phishing?

    Spear phishing is an individually targeted email attack with the intent of gaining access to personal or sensitive information. Often, the spear phisher will send an email from a seemingly trusted website or from someone you think is in your contacts list. For example, a popular spear phishing scheme involves posing as a bank and asking for your bank account information for verification, or a coworker asking for access to certain online documents.

    Immediate steps after an attack

    Spear phishing has become extremely sophisticated, and even educated employees can be susceptible. If you realize you’ve been attacked, report the incident immediately. Your IT team will be able to isolate the damage and help you protect your identity. Additionally, they will be able to spread the word so other employees don’t fall for the same scheme.

    You should immediately increase your online personal security. Change your passwords to any accounts involved in the attack and enable multifactor authentication – for example password and security code via text. Call any companies involved, like your bank or credit card company if the personal information stolen was financial.

    From an IT perspective, you should immediately blacklist the sender(s) to stop them from targeting your organization again from the same address. You should also search systems for unauthorized or suspicious traffic to make sure the spear phisher didn’t steal any network user identifications and is now able to access your organization’s data.

    Educate and move forward

Spear phishing is very common and the likelihood it happens to someone in your organization is unfortunately high. If there is an attack, use the experience as an example to educate your employees. Although attacks are increasingly sophisticated, educating your employees on spear phishing and how to detect attacks can still go a long way toward protecting your organization.

    Remind your employees that they should always read an email that’s asking them to do something involving personal information two or three times to make sure they have a grasp on the content. And, if it seems even remotely suspicious, they should call the institution the sender is claiming to represent to confirm the email request. While proper education won’t protect from every spear phishing attack, it can go a long way in keeping sensitive information confidential.

Spear phishing is a real concern to both individuals and organizations. If you are targeted, follow these steps to minimize damage and protect both your employees’ and your company’s information.

  • How to Protect Against a Ransomware Attack

    by Veriato | Sep 26, 2018

    In 2017, ransomware attacks increased by 90 percent, making it the most prevalent variety of malware. Every organization should be thinking about ransomware protection and detection – because proper security is always more prudent than the costs of a ransom or lost time and data.

    Ransomware is changing and evolving – and so are network security offerings. Here are a few things you need to know to protect your business against a ransomware attack.

    What does ransomware look like in 2018?

    Raising awareness of the risk of clicking suspicious email links has helped curb ransomware attacks, but hackers are getting more creative with their attack methods. Their code is getting more complicated and less predictable. Here are a few ways ransomware has evolved:

    • Slow + Random Encryption

Ransomware creators have slowed and/or randomized the encryption process so that it doesn’t follow the typical patterns that anti-malware software is designed to notice.

    • PDF + JPEG files

    Although malicious links sent via email are still the most popular way to send ransomware, some creators have sent infected PDFs, documents or images that launch a script when opened.

    • Fewer code mistakes

    Ransomware authors are getting better at their craft, which means researchers can’t use their mistakes to determine the decryption keys.

    • Complicated code

    Some ransomware attacks can launch multiple encryption processes to speed up the entire attack. We are also seeing more polymorphic code that changes throughout the attack to prevent decryption.

    How to protect your data from ransomware

    Since ransomware captures your data, your first security step should be implementing a backup and recovery plan. Schedule regular test backups to lessen the impact of a data breach and help in the recovery process. You’ll also want to keep critical backups off your network in case your network itself gets attacked by ransomware.

Modern businesses create a massive amount of data, so creating a reliable backup is difficult – unless you turn to cloud storage. The cloud is a low-cost and simple option to store your large critical backups. When set up correctly, you can alleviate the privacy concerns often associated with the cloud. Set up your data storage with object stores, but make sure to block cloud service providers (CSPs) from accessing that data. Creating the backup and storing it – all while the data is encrypted – will help keep your data secure.

A critical component of your data security plan is ransomware protection software. Systems like Veriato RansomSafe detect ransomware attacks, shut them down, and recover your files. RansomSafe installs and configures in less than 10 minutes, saving your business time and money. It’s continuously updated so it immediately detects attacks and creates a current backup before any data is encrypted. In the first 3 months of 2016 alone, ransomware attack costs were $209 million. The right security software can protect you from attacks, and minimize your recovery time to help keep you efficient.

    Other considerations

    Besides implementing a solid data security plan, there are a couple other things you can do to protect your business from ransomware attacks.

    Employee education

    Though email is no longer the only way hackers launch ransomware attacks, it is still the most common method. Make sure your employees know not to click on suspicious links or attachments from senders that seem suspicious or that they don’t recognize. Showing examples and explaining why this caution is necessary can help your employees feel responsible and engaged in security measures.

    Have your emergency contacts ready

    Ransomware attacks are prevalent and the chances that you’ll be targeted are unfortunately high. Know how to quickly engage your business’s security software partners. Have instructions for network users ready to go. That way if you are attacked, you can immediately react and minimize damage.

    Ransomware attacks should be a concern for every business. To protect your data, set up a solid data security plan that involves encrypted cloud storage and quality ransomware protection software. Educate your employees and be aware of threat possibilities. Ransomware creators are getting smarter about their attacks. It’s time for you to get smarter about your defense.

  • 2 Big Steps to Keep Electronic Health Records Secure

    by Veriato | Sep 19, 2018

    Many industries have sweepingly digitized their documentation in the name of efficiency – substantial efficiency. The healthcare industry created the electronic health record (EHR) in the name of efficiency as well (among other benefits). But EHRs are far from universal in the medical space. While some hospitals and practices are simply slow to adopt modern practices, the greatest barrier to the universal adoption of electronic health records is privacy and security.

As noted in a Journal of Medical Systems article, Security Techniques for the Electronic Health Records, “With the advancement of technology, the emergence of advanced cyber threats has escalated, which hinders the privacy and security of health information systems such as EHRs.”

But healthcare organizations can’t run from digitization forever. Nor can they ensure information security with paper documentation. Stakeholders in this industry must focus on implementing data security measures – like those in any other industry.

    3 Staples of Data Security

    Not every organization uses the same exact security techniques. Business structures are different. Data needs vary. And of course, budgets are not made equal. Yet, there are three pillars of security that every organization must lean on to keep confidential information confidential.

    1. Administrative Security
  A high-level measure, administrative safeguards revolve mostly around people – employing a Chief Information Security Officer, conducting risk analyses, and developing contingency, business continuity and disaster recovery plans.
    2. Physical Security
      As its name suggests, physical safeguards include access controls such as RFID badges, workstation security, and assigned security responsibilities to members of your organization.
    3. Technical Security
      Digital records require digital protections, of which there are many techniques – access control, entity authentication, data encryption, firewalls, and audit trails, to name a select few.

    Each of these categories deserves your attention, but if there are only specific techniques you can learn about this second, let it be firewalls and cryptography.

    2 Essential Measures of EHR Security

    Healthcare organizations’ most commonly-implemented data security measure is firewalls. There are many kinds of internal and external firewalls of course, but they’ve categorically helped organizations secure their networks and the data that’s stored within them.

A packet filtering firewall sifts through your internal electronic feeds and prevents external feeds from penetrating your network. Similarly, a stateful inspection firewall filters your feeds; but it can also dynamically correlate incoming feeds with previously filtered feeds to verify their security. An application-level gateway firewall grants user access to external network connections only after scanning each IP webpage for threats. Lastly, a Network Address Translator hides your intranet IP address from external users, creating a barrier between your intranet and local area network.
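To make the difference between packet filtering and stateful inspection concrete, here is an added Go example (not code from the original post or from Veriato) that simulates both filters over a constructed three-packet sequence: a workstation opens an HTTPS connection, the server replies, and an unrelated host probes the same ephemeral port. The Packet, StatelessFilter and StatefulFilter types are hypothetical and written for this illustration; the addresses come from documentation ranges.

```go
package main

import "fmt"

// Packet is a constructed, simplified view of a packet crossing the firewall:
// the addresses and ports plus the direction of travel.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Inbound          bool // true when the packet arrives from the external network
}

// flowKey identifies a connection from the internal host's point of view.
type flowKey struct {
	InternalIP, ExternalIP     string
	InternalPort, ExternalPort int
}

// Filter is anything that can pass or drop a packet.
type Filter interface{ Allow(Packet) bool }

// StatelessFilter judges each packet on its own: outbound traffic passes, and
// inbound traffic passes only to ports on a static allow-list.
type StatelessFilter struct {
	InboundAllowedPorts map[int]bool
}

func (f StatelessFilter) Allow(p Packet) bool {
	if !p.Inbound {
		return true
	}
	return f.InboundAllowedPorts[p.DstPort]
}

// StatefulFilter also remembers the outbound flows it has passed, so an inbound
// packet is admitted when it is the reply to one of them, even though its
// destination (an ephemeral port) is not on the allow-list.
type StatefulFilter struct {
	InboundAllowedPorts map[int]bool
	established         map[flowKey]bool
}

func NewStatefulFilter(allowed map[int]bool) *StatefulFilter {
	return &StatefulFilter{InboundAllowedPorts: allowed, established: map[flowKey]bool{}}
}

func (f *StatefulFilter) Allow(p Packet) bool {
	if !p.Inbound {
		// Record the outbound flow so its reply can be correlated later.
		f.established[flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}] = true
		return true
	}
	if f.InboundAllowedPorts[p.DstPort] {
		return true
	}
	// A reply swaps the tuple: the internal host is now the destination.
	return f.established[flowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}]
}

// Sample is a constructed sequence: a workstation opens an HTTPS connection,
// the server replies, then an unrelated external host probes the same
// ephemeral port.
var Sample = []Packet{
	{SrcIP: "10.0.0.7", DstIP: "203.0.113.5", SrcPort: 51000, DstPort: 443, Inbound: false},
	{SrcIP: "203.0.113.5", DstIP: "10.0.0.7", SrcPort: 443, DstPort: 51000, Inbound: true},
	{SrcIP: "198.51.100.9", DstIP: "10.0.0.7", SrcPort: 443, DstPort: 51000, Inbound: true},
}

// Decisions returns one pass/drop verdict per packet, in order.
func Decisions(f Filter, pkts []Packet) []bool {
	out := make([]bool, len(pkts))
	for i, p := range pkts {
		out[i] = f.Allow(p)
	}
	return out
}

func main() {
	allowed := map[int]bool{443: true} // only a public web front-end is exposed
	fmt.Println("stateless:", Decisions(StatelessFilter{InboundAllowedPorts: allowed}, Sample)) // [true false false]
	fmt.Println("stateful: ", Decisions(NewStatefulFilter(allowed), Sample))                     // [true true false]
}
```

The stateless filter has to choose between blocking legitimate replies (as here, where the server's answer to port 51000 is dropped) and opening every high port to the outside; the stateful filter admits the reply because it was correlated with the outbound request, and still drops the unsolicited probe from the third host.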

Cryptography has also been instrumental to safeguarding electronic health records and systems. Especially during exchanges of such data, encryption ensures that health information is unrecognizable while in transit. Only users with the decryption key are able to unlock and read the data. In addition, the process of exchanging confidential information should be recorded whenever encryption is enabled or disabled, to track data access.
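The paragraph above bundles two controls: authenticated encryption of the record, and an audit trail of every encrypt and decrypt attempt. The following added Go example (not code from the original post or from Veriato) shows both with AES-256-GCM from the standard library. The Vault type, the audit-entry layout, the demo key and the patient record are all constructed for this illustration; a real deployment would draw the key from a key management service rather than a constant.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records who did what to which record and whether it succeeded;
// one is appended on every encrypt and decrypt attempt, failures included.
type AuditEntry struct {
	When     time.Time
	User     string
	RecordID string
	Action   string // "encrypt" or "decrypt"
	OK       bool
}

// Vault wraps a single AES-GCM key and keeps the audit trail alongside it.
type Vault struct {
	aead  cipher.AEAD
	Audit []AuditEntry
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one record. The record ID is bound in as associated data, so a
// ciphertext cannot be silently moved onto another patient's record.
func (v *Vault) Seal(user, recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		v.log(user, recordID, "encrypt", false)
		return nil, err
	}
	// The nonce is prefixed to the output so Open can recover it.
	ct := v.aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	v.log(user, recordID, "encrypt", true)
	return ct, nil
}

// Open decrypts and authenticates. A wrong key, a tampered byte or a mismatched
// record ID all fail, and the failed attempt is still logged.
func (v *Vault) Open(user, recordID string, ct []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(ct) < ns {
		v.log(user, recordID, "decrypt", false)
		return nil, errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID))
	v.log(user, recordID, "decrypt", err == nil)
	return pt, err
}

func (v *Vault) log(user, recordID, action string, ok bool) {
	v.Audit = append(v.Audit, AuditEntry{time.Now(), user, recordID, action, ok})
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	ct, _ := v.Seal("dr.lee", "MRN-0001", []byte("Dx: hypertension"))
	fmt.Printf("ciphertext: %x\n", ct)
	pt, err := v.Open("dr.lee", "MRN-0001", ct)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = v.Open("intruder", "MRN-0002", ct) // ciphertext swapped onto another record
	fmt.Println("swapped record:", err)
	for _, e := range v.Audit {
		fmt.Printf("%s %s %s %s ok=%v\n", e.When.Format(time.RFC3339), e.User, e.Action, e.RecordID, e.OK)
	}
}
```

Because GCM authenticates as well as encrypts, a reader without the key gets an error rather than garbage, and the audit log shows the failed attempt next to the successful ones; that is what lets a reviewer later trace who touched which record.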

    Though these are just two data security tactics, they are critical steps to take. Start here, assess your current level of security in these areas, and act before it’s too late.

    Read the Veriato blog to learn more about health data security.

  • The CA Consumer Privacy Act | What Businesses Need to Know

    by Veriato | Sep 12, 2018

    What All Businesses Need to Know about Data Security Compliance with the California Consumer Privacy Act

    This summer, California passed groundbreaking privacy rights legislation through the California Consumer Privacy Act. The law takes effect January 1, 2020 but companies need to have data tracking systems in place by the beginning of 2019. Even if your business is not located in California, you may be liable - so here’s everything you need to know to get your data security compliant.

What is the California Consumer Privacy Act?

California law AB 375 is legislation passed in June 2018 by the California State Legislature that grants unprecedented personal data privacy rights to California consumers. These five rights are now guaranteed by law:

    • The right of Californians to know what personal information is being collected about them
    • The right of Californians to know whether their personal information is sold or disclosed and to whom
    • The right of Californians to say no to the sale of personal information
    • The right of Californians to access their personal information
    • The right of Californians to equal service and price, even if they exercise their privacy rights

    Compliance is required for all companies who receive personal data from California residents if they – or their parent company or a subsidiary – exceed any of three thresholds:

    1. Annual gross revenues of $25 million

    2. Obtains personal information of 50,000 or more California residents, households or devices annually, or

3. 50 percent or more of its annual revenue comes from selling consumers’ personal information

    Like the EU’s General Data Protection Regulation that went into effect this spring, the Consumer Privacy Act has far-reaching effects on global business, data security trends and society’s opinions on privacy.

    Data Security Compliance

    Businesses are required to have “reasonable security procedures and practices,” or face penalties. With the law, consumers hold businesses directly accountable for non-compliance. They can register a complaint of privacy rights violation and companies then have a 30-day window to resolve the issue or face a fine of $7,500 per record.

    AB 375 also holds businesses responsible for protecting the personal data they collect. If unauthorized access to personal data occurs, the organization will face penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

    Unauthorized data access can stem from a breach, theft, or “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Besides transparency about the use of consumers’ personal data, businesses are required to protect that data with a quality information security plan.

    Though the law does not detail specific security requirements, companies would be wise to protect personal information to both maintain privacy and protect themselves from penalties.

    What kind of data is protected?

    The CCPA protects personal information, and it defines that more broadly than any legislation has before. Since you need to make sure your data security package is compliant, here’s a rundown of the types of data you are now required to secure:

    • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
    • Characteristics of protected classifications under California or federal law
    • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
    • Biometric information
    • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
    • Geolocation data
    • Audio, electronic, visual, thermal, olfactory, or similar information
    • Professional or employment-related information
    • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
    • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

    Data Security Tools

As described by AB 375, data threats can come in many forms – and you need to be prepared to protect against all of them.

    Veriato provides a suite of tools to defend your organization from hackers, insider threats, unconscious bias and other data security risks. See how Veriato can protect your consumers’ data and help you manage compliance with the California Consumer Privacy Act.

  • How Employee Monitoring Keeps Clinical Trial Data Secure

    by Patrick Knight | Aug 15, 2018

    Clinical trials are a crucial step in developing new life sciences products such as drugs and medical devices. All tests – whether with large or small groups of people – require medical and personal information from patients upfront, and then proceed to collect data throughout the process. Ultimately, research companies are responsible for large sets of sensitive data and securing that information should be a top priority.

    Why does clinical trial data need to be protected?

    To begin with, there are legal requirements for medical data security. All clinical trials require medical histories and personal information from everyone in the study. To protect participants from medical fraud, clinical trial groups are legally obligated to secure this sensitive information. HIPAA and the FDA’s Code of Federal Regulations, as well as other regulations require the protection of sensitive medical records. Your group can be fined for violating these rules.

    From a PR perspective, strong data protection policies can protect your reputation. Potential participants are more likely to take part in a study if your organization is respected and shows a commitment to privacy. Additionally, it is in your business’s best interest to secure clinical trial data to protect your competitive advantage. If a competitor obtains your data, they may be able to use it to put a new drug or medical device on the market first, with less research cost on their end.

    Risks to clinical trial data

    Personal medical histories are highly sought after by hackers looking to turn a profit; medical data is considered to be ten times more valuable than credit card information. With personal medical information, criminals can forge IDs and documents, illegally acquire drugs, and collect on fraudulent insurance claims.

    Many clinical trial organizations rely on 3rd party services to provide materials, financial support, or data analytics. By increasing the number of people who can access clinical trial data, the insider threat risk goes up. The majority of data breaches are actually caused by insiders – either with malicious intent or by mistake. By widening the umbrella of possible insider threats through the involvement of 3rd party services, the need for data security multiplies.

Malicious insiders look for ways to use company data for personal gain or to harm the organization. They may attempt to steal clinical trial records and sell them to a competitor or take them along for future career advancement. They may also attempt to use the data to embarrass the company in some way. Accidental information security breaches can happen by employees opening an email with malware or not correctly following security protocol (such as leaving an Electronic Healthcare Record open on a monitor).

    Clinical trial data security tools

    The Society for Clinical Data Management has published a popular whitepaper Good Clinical Data Management Practices that your organization should review and discuss ways to implement. In addition, you should be in compliance with all data security laws and regulations.

    To further secure clinical trial data, consider deploying employee monitoring software. With this tool, you can track user activity to make sure only approved employees are accessing sensitive information, and that their behavior is normal for the task. For example, employee monitoring software can detect actions such as downloading data sets and storing them on an external drive, which could signal theft. With so much on the line – fines, reputation, sales, participant safety – and so many insider threats, employee monitoring software is an effective and efficient way to make sure your data is being handled appropriately and securely.

  • Cyber Incident Reporting Compliance for Federal Contractors

    by Patrick Knight | Aug 08, 2018

    We recently discussed data security requirements for federal contractors and now we are doing a deeper dive into one of the trickier compliance factors: reporting cyber incidents.

    What is a cyber incident?

    Federal contractors use and have access to sensitive government data, and as such it is their duty to manage that information responsibly. Data security protocol has changed in the last year to more tightly protect those materials. Federal contractors are now required to rapidly report cyber incidents to the Department of Defense.

    The DoD defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” Even if the actual government data wasn’t attacked, any breach to a covered contractor information system must be reported so the DoD can assess risk to the information.

    Reporting requirements

    If you experience a cyber incident as defined above, federal regulation mandates you to report it “rapidly” – defined as within 72 hours of discovery of the breach. Additionally, you need to “conduct a review for evidence of covered defense information,” such as identifying compromised computers, servers, and accounts, as well as identifying exactly which data was breached.

    For federal contractors, a network compromise is defined as “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.” You are required to file a report even if there is only evidence to suggest an attack might have happened. Those attacks can come through an insider to your organization or an outside hacker, whether with malicious intent or through error.

    Cyber Incident Prevention + Response

    With the complexity of this industry, it is almost inevitable that contractors will experience a cyber incident at some point. Investing in data security tools and creating a response plan are vital elements to any contractor’s business plan. With sensitive data, it is your responsibility to monitor that information for evidence of network attack.

    Monitoring software, such as technology created by Veriato, tracks user activity to make sure your data isn’t being accessed by someone who shouldn’t have it, or in a suspicious way. If any behavior is flagged, you can access a factual, comprehensive look at the incident to understand what happened, and prevent future breaches. Additionally, you’ll have a robust report for the DoD, which will build your reputation and prevent negative effects.

Investing in monitoring software as part of your security plan will improve your data protection and help with cyber incident reporting compliance, because you’ll have a better situation assessment within the 72-hour time period.

  • Data Security Requirements for Federal Contractors

    by Patrick Knight | Aug 03, 2018

    Approaching data security requirements for federal contractors

    Federal contractors are private entities that fulfill governmental needs. As such, they are trusted with sensitive, private federal information which makes them obvious targets for cyber attacks. The government has recently ramped up data security requirements for federal contractors, demanding more software, hardware and accountability from them.

    Recent changes in data security requirements for federal contractors

    Data security requirements for federal contractors are complicated and stringent. The Security and Privacy Controls document for federal IT is 462 pages long with 109 specific security requirements – and that’s not to mention various supplementary compliance publications. Beginning in 2018, contractors are expected to be compliant with new regulations laid out in NIST 800-171. You should have legal counsel and security experts to help you manage compliance, but here’s an overview of a few of the government’s recent data protection requirements:

• Insider threat detection: The National Institute of Standards and Technology requires federal contractors to implement an insider threat program. It’s a given that employees pose a serious risk to federal information, so contractors are required to provide training on identifying and reporting insider threats. They can also deploy software to detect and assess insider risk to decrease their security risk level.
    • Encrypt high level data sets: Until recently, many contractors didn’t have an effective classification system for their information. The new regulations require organizations to do a risk assessment across their data and provide proof of encryption for risk-prone data.
    • Report cyber incidents: Organizations working on behalf of the government are required to rapidly report all cyber incidents directly to the Department of Defense. The account includes a detailed cyber incident report, the malicious software, and any media the DoD requests. Reports are required for any attacks on the system – not just the contract data – to help the DoD gauge overall risk to its information.
    • Access control policy: Contractors are also required to implement an access control policy. Users should be restricted from accessing sensitive data unless it directly relates to their job. Employers should set up alerts to be notified if those access controls are violated, and immediately investigate.
    • Monitor users: Contractors are now being required to implement employee monitoring software to detect security risks. Approved software identifies suspicious user activity and detects unauthorized access. The technology can initiate undetected screen recording to capture a full picture of a suspicious incident. The software can also deploy multi-factor authentication and data encryption to boost security. Employee monitoring software can detect risk early on and alert management to intervene; it can even automatically shut down access and computer systems to prevent an attack.
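The access control item above asks for two things: a policy that restricts each user to the data their job requires, and an alert whenever that policy is violated. The following added Go example (not code from the original post or from Veriato) turns that into a check that parses constructed access-log lines, compares each against a role-to-data-class policy, and returns one alert per violation. The log format, the roles, the data class names and the users are all invented for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy maps each role to the data classes that role's job requires.
type Policy map[string]map[string]bool

// AccessEvent is one parsed line of a data-access log.
type AccessEvent struct {
	Time, User, Role, DataClass, Action string
}

// Alert is raised for each event that falls outside the policy.
type Alert struct {
	Event  AccessEvent
	Reason string
}

// ParseLine reads the constructed log format used below:
//   <RFC3339 time> user=<id> role=<role> class=<data class> action=<verb>
func ParseLine(line string) (AccessEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	e := AccessEvent{Time: fields[0]}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return AccessEvent{}, fmt.Errorf("malformed field %q in %q", kv, line)
		}
		switch k {
		case "user":
			e.User = v
		case "role":
			e.Role = v
		case "class":
			e.DataClass = v
		case "action":
			e.Action = v
		default:
			return AccessEvent{}, fmt.Errorf("unknown field %q in %q", k, line)
		}
	}
	return e, nil
}

// Scan parses every line and returns the events that violate the policy.
// A role the policy never defined is alerted as well: it has no job-related
// reason to touch anything, so silence would be the wrong default.
func Scan(policy Policy, lines []string) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		allowed, known := policy[e.Role]
		switch {
		case !known:
			alerts = append(alerts, Alert{e, "role not defined in access policy"})
		case !allowed[e.DataClass]:
			alerts = append(alerts, Alert{e, "data class not permitted for role"})
		}
	}
	return alerts, nil
}

// SamplePolicy and SampleLog are constructed for the demonstration.
var SamplePolicy = Policy{
	"analyst":       {"CUI": true, "PUBLIC": true},
	"hr-contractor": {"PAYROLL": true, "PUBLIC": true},
}

var SampleLog = []string{
	"2018-08-03T10:15:02Z user=asmith role=analyst class=CUI action=read",
	"2018-08-03T10:16:40Z user=asmith role=analyst class=PAYROLL action=read",
	"2018-08-03T10:20:11Z user=bjones role=hr-contractor class=PAYROLL action=export",
	"2018-08-03T10:21:05Z user=cwu role=intern class=CUI action=read",
}

func main() {
	alerts, err := Scan(SamplePolicy, SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s user=%s role=%s class=%s: %s\n",
			a.Event.Time, a.Event.User, a.Event.Role, a.Event.DataClass, a.Reason)
	}
}
```

Run over the sample log this raises two alerts: the analyst reading PAYROLL data outside their role, and the undefined "intern" role reading CUI. Malformed lines stop the scan with an error rather than being skipped, so a gap in the log cannot pass unnoticed as "no violations".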

    Veriato provides government-compliant monitoring software that can help you meet requirements and create a secure workforce.

    Growing threats to data security

As technology advances so do the threats to it. More complex information systems can be more secure – but they also provide more risk points that insider threats and hackers can try to exploit. More government contracts and contractors widen the risk even further. As the Internet of Things is embraced by contractors, those attack points multiply. Phones, tablets, watches and speakers can all become sources of risk to sensitive government information. Additionally, escalating global conflicts mean more parties are interested in harming the government or the citizens whose data is in the custody of contractors.

    The Department of Defense and National Institute of Standards and Technology are constantly assessing risk of information through federal contractors. As technology becomes more intricate, contractors can expect more regulations and requirements to roll out when it comes to information security compliance.

    Assessing Risk

    The latest government regulations help contractors understand how to identify the risks posed to sensitive information. These organizations are held to a high security standard to protect not only the government, but also the citizens. Data security should be more than checking boxes every so often; it should be a way of operating a business. If federal contractors approach data security from a position of mitigating and managing risk, compliance will most likely follow.

  • How Technology Protects Against Wrongful Termination Claims

    by Dominique Cultrera | Jul 05, 2018

    Using technology to protect your company from wrongful termination claims

    What is wrongful termination?

    Wrongful termination is a situation in which an employee is let go for illegal reasons or if the organization violates company policy during the firing. Most employment agreements are at-will, meaning the organization doesn’t need a specific reason to let an employee go. However, there are protected cases in which termination is unlawful. Discrimination on the basis of race, nationality, gender, age, or religion is grounds for a wrongful termination suit.

    How technology can help

    Employee monitoring software can provide data to defend against wrongful termination claims. When an employee is terminated for cause, employee monitoring software may help serve as proof of the reason for termination. For example, it can track time spent on applications to demonstrate lack of effort or low productivity. Having data to back up a reason can keep a highly emotional situation more objective and less personal.

    Data collected by employee monitoring software not only supports cases for termination, but can also detect them. The software alerts you when employee activity becomes suspicious or dangerous. At that point you can conduct an investigation, and correct the behavior or terminate the employee. Employee monitoring software provides concrete evidence for a termination, versus speculation or opinion.

    After an employee is terminated, employee monitoring software can help protect your organization’s proprietary information. Many employees take intellectual property with them when they leave – whether because they feel ownership of the information or because they have hostile plans (such as damaging the company or using it to further their careers elsewhere). Employee monitoring software monitors what data an employee accesses and what he or she does with it. It lets you know if they store the information on a cloud server or external drive. You can then confront the employee and regain control of the data.

    Due Diligence

    • Keep records: The best way to prevent wrongful termination claims is to be an attentive manager throughout the employment. Keep records of employees’ performance – but make sure that documentation is standard for all employees. If your organization’s record keeping is selective, it could raise a wrongful termination claim for discrimination.
    • Check up with employees: Establish the practice of frequent meetings with employees – maybe even more than the annual review – to get an idea of their feelings about the workplace. These meetings may provide a way for employees to bring up any discrimination or harassment they might be facing. The organization can take steps to fix the problem, and those steps may serve as defense should a harassment or discrimination claim arise. Additionally, if the employee doesn’t bring up any such issues, the organization can use this lack of evidence for protection against wrongful termination claims.
    • Monitor data records: Make sure your employee monitoring software controls are configured appropriately. Though you don’t want to handle that data too much (to maintain as much privacy as possible), it is important to have a review process in place. Updating permissions and reviewing any flagged behavior will help you stay in the know when it comes to your employees. By regularly reviewing data records, you can manage your workforce and protect your network.

    Though most employment is at-will, all organizations can take steps to protect against wrongful termination claims. Employee monitoring software helps defend and prevent those claims, as well as protect corporate data. Take advantage of technology to help keep your work environment safe and secure.

  • Data Security Considerations for Your Work From Home Policy

    by Patrick Knight | Jul 03, 2018

    Incorporating data security in your work from home policy

    Work from home policies have soared in popularity among both employees and employers for a variety of reasons. Your task as an organization is finding a way to provide that benefit to your employees without compromising your data security.

    What’s the problem with working from home?

    There are many benefits to working from home – including some big ones like employee morale and productivity. In addition, employees generally appreciate the improved work/life balance and employers like that it removes distractions and conserves office resources.

    Unfortunately, working from home can pose some serious security risks that must be considered in your organization’s work from home policy. In a modern workforce, the Internet of Things (IoT) is growing in popularity. These internet-enabled devices that collect and act upon data create a massive liability when it comes to data security. While smartphones, tablets, laptops, wireless headphones and smart speakers can make jobs easier, they also amplify the network attack surface. More devices mean more security risks.

    Remote access also raises the issue of unsecured networks. If employees are using unsecured networks to access corporate data, they put that information at risk. Additionally, when employees work from home, organizations have no control over the physical security of the devices. In a less formal setting – like at home vs. in the office – people are more likely to observe a lower level of security precautions. They may leave their computers unattended, or leave desk drawers unlocked. These simple behaviors create a security risk – even if your employees don’t realize it.

    Data security measures and considerations for your work from home policy

    • Configure Devices: If you provide hardware to your employees, it’s probably already set up on the security front. But if your employees are using any of their personal devices to access work information, consider establishing security standards and requiring IT to configure all personal devices to your security expectations as part of your work from home policy.
    • Set up a VPN: This is a key step to a successful work from home policy. A Virtual Private Network lets your employees access your secure network remotely – and keeps hackers out thanks to authentication requirements. Make sure to configure access permissions and encrypt data. It’s probably also a good idea to require the use of a VPN while accessing sensitive data rather than allowing offline access.
    • Approve applications: Make a list of approved applications your employees are allowed to use for collaboration and saving data. Communicate that list to them as part of your work from home policy.
    • Set up physical security policies: Some examples of protecting devices are requiring a password, instituting two-factor authentication, and requiring an auto-lock feature.
    • Educate employees: Explain both your work from home data security policy as well as the reasoning and considerations behind it. If employees understand the risk, they are more likely to comply with best security practices. Reiterate that working from home is a privilege – but it can’t be offered at the expense of information security.
    • Implement employee monitoring software: Even the most security-educated employees can inadvertently put data at risk. Insider threats are the number one cause of cyber attacks in business. Employee monitoring software as a part of your work from home policy will catalog activity, prevent and detect threats, and help you respond to risks as quickly and efficiently as possible. Tracking user activity via remote access allows you to offer the benefits of working from home with the knowledge that your security risks are constantly being managed.

    Offering remote work benefits can help attract and retain employees. Keep that perk working for everyone by building data security into your work from home policy.

  • The Severity of Cyber security Threats

    by Veriato | May 09, 2018

    Across every major news outlet, the topics of cyber security threats and data privacy are impossible to miss. From multinational companies being relieved of millions of credit card numbers, to foreign hacking, to the selling of user data via social media, digital security is clearly more important than ever. Threats are being realized by vulnerable organizations large and small. The fallout of these breaches has also been widespread and includes everything from lasting negative impact on stock prices to loss of customers and even complete loss of consumer trust. The threat of external hacking is high, but organizations would be remiss not to make efforts to detect cyber security threats from insiders as well.

    Carelessness, negligence, or compromised credentials from inside an organization make up more than half of security threats when compared to malicious intent. In fact, the most common culprit, by far, of data breaches is accidental exposure by employees. Cyber security threat experts note that what’s known as “phishing” has become the largest vulnerability when it comes to an organization's digital security. Phishing attacks trick employees into sharing sensitive company information and can lead to catastrophic damages.

    Fallout, detection & prevention

    But how does one detect a cyber security threat from an insider exactly? It’s not an easy process — in fact, simply relying on human detection and intervention is archaic in today’s digital world. It’s far too easy for an employee to move information from an organization’s network to USB drives, cloud storage, or their own personal devices. It’s also possible that an employee simply forgot to log out, or logged into an unsecured network, or took any of a multitude of other seemingly innocuous actions that could bring an entire organization to its knees.

    In recent cases, organizations that have knowingly failed to take preventative action against cyber security threats have found themselves in severe legal trouble, leading to a multitude of damages, both financial and reputational.

    Luckily there are tools available to assist in the detection, some smart enough to preemptively identify higher threat risks before they become a problem. When searching, make sure to look for a security tool that offers actionable intelligence into the activities and behaviors of users. As more and more information finds itself in a digital format, it's imperative to find the right software to detect and prevent insider threats.

  • Best practices for securing your data when terminating an employee

    by Veriato | May 02, 2018

    When and where to start

    Best practices for securing your data when terminating an employee actually start with the initial onboarding process. Every established organization looking to scale should consult legal counsel after first having drafted an employee handbook. Once created, every employee should be provided an employee handbook outlining the acceptable use policy related to any and all corporate IT resources. It is also imperative (and often overlooked) to have the employee handbook updated periodically as technology and employee responsibilities advance.

    Establishing and tracking risk within each department is also a key factor in setting up best practices for data & intellectual property (IP) security within the context of employee conduct in our digital world — this framework also proves itself useful if and when it comes time for terminating an employee. Each position within the company should have an assigned insider threat risk level, with a sufficient amount of activity monitoring within reason. Certain job categories require more active review than others, and it’s up to the organization to determine its own best practices for data & IP security based on information sensitivity.

    What to watch out for

    While the act of securing your data when terminating an employee may seem fairly straightforward, challenges do exist. For example, some companies still operate with an Employment At Will policy. Essentially, Employment At Will refers to the employee’s right to terminate his or her own employment relationship with the organization at any time and for any reason that he or she sees fit. This also means, however, that the organization has the right to terminate the employment of any employee at any time for any lawful reason. The employment relationship between the organization and its employees is At Will (the exception being employment covered by a contract). Regardless of reasons for departure, employers often find themselves with limited time to thoroughly secure valuable data and intellectual property.

    Whether an employee resigns, or employment is terminated for cause, Human Resources should be notified and a thorough exit interview should be conducted as soon as possible. Share feedback with employees to ensure you are on the same page so the employee will not be surprised. An organization does not want the employee feeling that they have been discriminated against or terminated without valid reason — this could lead to retaliatory actions by the employee and could potentially put your IP at risk.

    Emotional awareness during the exit interview process is key. Be mindful of cues that could signal larger issues within the company. An employee openly discussing their unhappiness with management or company policies can indicate a potential insider threat. Many employees have a sense of entitlement to company IP they helped to create, and recent surveys show as much as 42% of employees have taken an employer’s corporate information when switching jobs — proving just how important securing your data when terminating an employee truly is.

    Keeping your house in order

    It’s easier than ever for employees to move IP from a network to USB drives, cloud storage, or their own personal devices. Be exceedingly clear that employees are expected to return and destroy any copies of the organization’s intellectual property they may still have. Regardless of what gave rise to the employee’s departure, activity monitoring is a vital component of securing your data when terminating an employee to ensure the safeguarding of corporate intellectual property.


    Deployment of activity monitoring allows an organization to review digital goings on for as long as necessary. If an employee tenders resignation, deploying an active and intelligent monitoring tool allows for the collecting and archiving of digital activity. These tools can also help to analyze the digital activity. Additionally, consideration should be given to monitoring those associated with the departing employee for a period of time, recording their activity for potential insider threat.

    In the event that legal proceedings are necessary, properly recorded, organized, and cataloged digital evidence can help an attorney build a strong case. More than three quarters of cases that contain comprehensive digital evidence are settled faster and with far better results.

  • Employee Monitoring Ethics | Ethically Monitoring Employees

    by Larry Thompson - President, Veriato | Apr 19, 2018

    All employers want to create a workplace where employees feel safe, valued, and trusted. We know that work satisfaction breeds life satisfaction, and generates more productivity and engagement among employees.

    As leaders, we naturally question the ethicality of any system involving data and privacy, because we want to make sure our workforce feels protected and trusted. When it comes to employee monitoring, the practice can sound much more sinister than it actually is.

    Ethical vs. Legal

    First of all, ethicality is different from legality. Each state and country has different monitoring and privacy laws and regulations, which need to be observed. Talk with your legal team about considerations to keep in mind when it comes to instituting an information security policy.

    Right vs. Responsibility

    Organizations have a right to protect their data – and a right to use appropriate measures to do so. Beyond that, organizations have a responsibility to their employees, shareholders, and customers to keep that information secure. A secure system means employee information, customer records and data, and proprietary information are all safeguarded from threats. Additionally, this security protects an organization’s reputation and bottom line. To effectively provide a sufficient level of security, some level of employee monitoring is necessary in this digital day and age.

    Employee Monitoring Best Practices

    Monitoring employees should be done with clear parameters and accountability to maximize privacy. We suggest the following best practices for employee monitoring:

    • Transparency: Tell your employees they’re being monitored. Make it clear that what happens on corporate assets, including devices and networks, is subject to monitoring.
    • Keep it professional: Only monitor corporate data. Don’t monitor personal material such as social media or online banking access.
    • Minimize exposure: Don’t make data collected from monitoring widely available. Restrict that access to only those who need to review it.
    • Monitor broadly: Don’t single any person out. Monitor your whole employee base to make sure you cover all possible threats and avoid any discrimination or favoritism.
    • Use behavioral analytics: Behavioral analytics software takes human subjectivity out of the monitoring. It monitors and collects data and determines if there is a potential threat. If so, the technology alerts the security personnel that a review of information may be necessary. With this protocol, people are in contact with that data as little as possible, and only when it’s necessary for security reasons, which maximizes privacy.

    Employee monitoring is an effective way to protect your organization’s important data, which is a huge benefit to your employees. By following these suggested best practices, your organization can experience greater information security, ethically.

  • The Benefits of Starting A User Activity Monitoring System

    by Veriato | Apr 18, 2018

    Benefits of User Activity Monitoring

    If you’re on the fence about starting a user activity monitoring system across devices or networks, you’re probably wondering if it’s worth the investment, or if you should just be more trusting of your employees. After all, you don’t want them to feel like they’re being micro-managed or taint their opinion of management.

    The truth is, effective employee monitoring, or user activity monitoring (UAM), improves productivity and network security, provides an understanding of user behavior, allows for accurate billing, and brings issues to light.

    Make workers more productive

    Deploying UAM software can boost employee performance. Just knowing they are being monitored can positively affect your employees’ online activity. Maybe they’re not intentionally wasting time on non-work-related internet searches, and just being aware that someone can see their activity will make them think twice about their browsing activity.

    Additionally, it allows leadership to get an accurate picture of processes and make suggestions for improvement. UAM provides concrete data on user activity, rather than subjective opinion, to help with effective decision-making.

    Mitigate insider threats

    A strong firewall and secure network can keep hackers out – but what if they’re already in? UAM can help you detect insider threats to your sensitive data. The average organization experiences 4 insider leaks each year, costing $16.3 million annually – which is 12 times more than the cost of external attacks.

    With so much interaction (people, devices, systems) with sensitive data, your users are a huge liability. Though 87 percent of insider leaks are unintentional, such as clicking on a malware link or attaching the wrong file, the threat remains. User activity monitoring allows organizations to catch dangerous activity before a leak, or at least in time to minimize the damage.

    Establish a behavior baseline

    Nobody is completely productive 100% of the time at work. People take breaks, and most have some non-work matters to deal with occasionally during the workday. User activity monitoring lets employers establish a baseline of user behavior so they know what is reasonable to expect when it comes to their employees’ internet usage.

    With a baseline, leaders can approach those who are abusing internet usage and work to find a fix. On an individual basis, if a certain user’s behavior changes drastically, this could be a warning sign and UAM software can alert IT to investigate further.

    Plus, understanding what your employees do online helps you better understand them. You can communicate expectations, and even partner with HR to make sure benefits packages are in line with things that are important to workers.

    Accurate billing

    If you know conclusively where your employees’ time is being spent, you can bill your clients with improved accuracy. If a client questions the invoice, organizations will have data from a UAM system to support the bill. This ensures both parties are getting fair treatment – your organization isn’t accidentally under-billing, and the client is confident the charge is valid. It also protects your reputation and your bottom line.

    Spotlight issues

    Our research shows that user activity monitoring software can reveal serious problems within your organization. 20% of users surveyed said the UAM software they deployed revealed sexual harassment issues among employees, and 5% said drug abuse issues were brought to light. In these situations, monitoring actually protects employees, because an organization can quickly address the dangerous issues. Some issues may never surface to HR, but with user activity monitoring, the problems can be quickly resolved.

    Additionally, 11% of surveyed organizations said user activity monitoring made them aware of underutilized software. Knowledge like this can lead to a change in employee education to focus on program basics, or can lead to adjustments in software spending to help the bottom line.

    Boost your business

    With so much freedom network access brings and so much sensitive data at stake, employee monitoring is becoming a necessity for the modern business. You can protect your assets, improve your business, and understand your employees better by investing in user activity monitoring software.

  • GDPR Mandates Immediate Data Breach Reporting

    by Veriato | Apr 12, 2018

    GDPR Article 33: 72 Hours Is Not a Lot of Time

    According to the EU General Data Protection Regulation (GDPR) which goes into full effect May 2018, “...as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours…”. Failure to do so may result in severe financial penalty — not to mention potential damage to reputation. GDPR mandates that notification must be given when a breach is likely to “result in a risk for the rights and freedoms of individuals”. This means immediate data breach reporting to the proper authorities for any chance of a personal data breach within the allotted 72-hour time frame.

    Prepared for Immediate Data Breach Reporting?

    These new regulations apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. Time is of the essence when it comes to reporting any misuse or breach of personal data security.

    With the ever increasing speed of technology, it’s more important than ever to properly and swiftly identify and mitigate the risk of any data breach. Organisations must become adept in identifying the potential risk of a breach, detecting the actual breaches, and defining the nature of the breach, as well as providing activity detail should a breach occur. Discover how the right technology can help with breach detection, potential breach activity, as well as provide the activity detail your organization needs to stay GDPR compliant.

  • General Data Protection Regulation Compliance Objectives

    by Veriato | Apr 09, 2018

    May 25th 2018 is coming fast. Do you have the audit detail necessary to meet General Data Protection Regulation compliance objectives?

    The EU General Data Protection Regulation (GDPR) is the most significant regulation regarding data privacy in over 20 years. Starting May of 2018 the new GDPR will be fully in effect and General Data Protection Regulation compliance will be strictly enforced for the good of all EU citizens. At its core, General Data Protection Regulation compliance is simply about protecting the personal data of EU citizens that is necessary and appropriate to collect.

    Currently, EU privacy laws apply to organizations located within the EU, but with the GDPR they will now also apply to organizations located outside the EU. This is possibly the largest and most radical change when compared to the previous privacy regulations. All rules concerning General Data Protection Regulation compliance will now extend to organisations offering goods or services to, or monitoring the behaviour of, EU data subjects – meaning that the regulation applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Additionally, non-EU businesses processing the data of EU citizens may have to appoint a representative in the EU.

    Under the new GDPR rules, organisations in breach of General Data Protection Regulation compliance can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). It is important to note that these rules apply to not only controllers but to processors as well. This means that 'clouds' or cloud-based organisations are not exempt from GDPR rules or enforcement. Each Member State will have the same effective powers, including powers of investigation, corrective powers and sanctions, as well as advisory powers, particularly in cases involving complaints from citizens, and under Member State law, will also have the power to bring any and all GDPR infringements to the attention of the judicial authorities and engage in legal proceedings.

    How to Generate General Data Protection Regulation Compliance

    The right monitoring software should easily keep organizations of all sizes compliant with GDPR rules and obligations. It’s important to ensure safeguards are in place, demonstrate in real time that access to data is appropriate, and provide context should a breach occur.

    Learn more about the new changes and the best technology to ensure General Data Protection Regulation compliance

  • The Growth of AI and Employee Monitoring In the Workplace

    by Mike Tierney | Apr 03, 2018

    Recently the Economist published two articles that discussed the increasing use of AI and employee monitoring in the workplace. 

    Veriato is pleased that we were referenced in both of these articles.  We feel they did a good job of presenting a balanced view of the benefits both AI and employee monitoring offer, as well as the potential downsides if they are not implemented and used wisely. 

    In the case of AI, there is a great deal of hype at present, which can lead some to give in to the temptation to rush a deployment.  Organizations should be very clear about their goals for any technology and be deliberate in ensuring that they are aligning its power to those goals. 

    In the article published on 28 March, the author gives some great examples of how employing AI can enhance organizational capabilities in areas of hiring, productivity, worker safety, and management (yes, even management is getting AI’ed – it isn’t just the proverbial little guy). 

    A key takeaway from all this is to remember that we are dealing with people.  Humans have bad days, make mistakes, and sometimes complain.  But, without a doubt, it is people that make great organizations great.  We must keep the human element involved in interpreting data produced by AI, and in determining how to act on it. 

    In the case of employee monitoring software, a more established technology, organizations should be transparent with their people about what data is being collected or generated and how it is used. Their benefits include increased productivity through improved investigations and the prevention of both insider and external theft of company assets.  Here again, the goal should dictate how the technology is utilized. 

    Transparency does not mean employers need to disclose exact methods. But going beyond the letter of the law and communicating intention is simply a best practice.  Once again, we are talking about people. 

    We should not seek to replace human decision making when it comes to employment offers, worker assessments, investigations, and the like.  We can and should seek to present additional sources of information to enable better human decision making.  In the same article referenced above, the author correctly points to Veriato as a firm that can capture, report, and alert on all activity occurring on an employee’s computer.  We have been providing benefits to organizations through this capability for 20 years, in more than 100 countries around the world.  And we consistently work to ensure our tools provide mechanisms to protect privacy, despite the seeming continuity our customers experience.  The author suggests that as voice-enabled speakers become more commonplace, employee monitoring could extend to listen in on conversations occurring in the workplace.  It is possible that some company may try and go down that path.  Veriato won’t.  And I believe that any organization that does move in this direction is in for some deservedly uncomfortable legal discussions. 


  • Internet of Things security practices for your business

    by Patrick Knight | Mar 22, 2018

    Wearables, smart speakers, remote security systems, connected cars, inventory trackers, smart headphones: these are just a handful of the connected devices in modern workplaces. The Internet of Things (IoT), or internet-enabled devices that collect and act upon data, is becoming more popular with ever-increasing applications. Far beyond a smart coffee pot that automatically gets the brew going to start the workday, the Internet of Things is changing business security and vulnerability in a big way.

    So, what’s the problem?

    IoT improves productivity, enables employees to work more effectively from home… and causes serious security concerns. Gartner projects there will be 20.4 billion IoT devices in use by 2020. With so many connected devices, the network attack surface is much larger and harder to secure.

    Smart devices are designed to connect immediately, and were built with ease of use, not security, as the priority. When employees utilize smart devices via company networks or connect devices storing company data to other networks, that information is at risk. There’s not much regulation demanding security of IoT devices, and companies have a hard time establishing their own protocols fast enough to keep up with the adoption of connected tech.

    What can I do about it?

    First, you need to prioritize the establishment of some device security guidelines. If employees haven’t cleared all their devices they use for work with IT, start there. Then, determine which security measures you will require, and help your employees set them up across all devices. Make sure your employees know who owns the data on their tech. Set up standards for downloading and storing information. For example, you may want to restrict access to sensitive information by preventing offline access or only allowing access while connected to the secure corporate network.

    You also need to restrict permissions by user and by device. Determine who should be able to access which information and who should be able to manipulate it – and from which devices. Then set up network parameters accordingly.

    With so many access points across so many devices and networks, relying on your human capital to implement security measures is just not sufficient. As IoT expands, the need for security software increases. Investing in a security program(s) to monitor user activity and devices vastly improves a company’s cybersecurity. Businesses can rely on such software to enforce company network regulations, detect suspicious activity, and discover IT weak spots. Doing so will allow businesses to take full advantage of the possibilities that come with IoT without compromising data security.

  • 5 employee cyber security training questions you need to ask

    by Patrick Knight | Mar 15, 2018

    Chances are your organization already addresses cyber security to some extent in new employee onboarding. Whether that’s traditional training videos on cyber security that employees watch on their own time, presentations by IT, or brochures, most employees know that their companies have cyber security protocol and best practices. But how many of your employees actually know what the protocol and practices are?

    In 2016, the average cost of a data breach was $3.62 million. And according to a study by the Ponemon Institute, careless workers are the leading cause of data breaches in small and medium-sized businesses. If you want to improve your business’s cyber security, it’s time to get serious about employee education and cyber security training. You can start by asking these questions about your employees’ training:

    1. Is your information relevant?
      Everyone should be familiar with the basics of cyber security, but not all employees need a complete cyber security education. HR professionals, for example, generally have access to sensitive data such as social security numbers and bank numbers, so they will need special training on how to safely handle that information. But for a new marketing team member who can’t even access those SSNs, that security training wouldn’t be applicable. Tailoring your cyber security education to specific jobs will help your employees stay engaged throughout the training – and hopefully remember and implement what was covered.
    2. Is your information understandable?
      The cyber security world is chock-full of jargon. To the average employee the words “Ransomware,” “DDoS,” “patch” and “worm” just don’t have any context when it comes to their job. Not only will they not understand you if you launch into cyber-speak, they might feel unintelligent and just tune you out. Speak their language, not yours. A Forbes article also suggests keeping your cyber security training short; try a few quick 10-minute sessions instead of an hour-long training. If you break the training up, it will be easier to digest and remember.
    3. Have you told them WHAT TO DO with this information?
      The basics of cyber security are great, but make sure you are sharing how to implement the security measures. Do you want employees to go change their passwords? Tell them some good rules of thumb for creating strong ones. Do you want everyone to update software? Tell them about auto-updates and show them how they can set it up. Giving employees action items turns cyber security from an abstract idea into a goal they can work to achieve.
    4. Do your employees understand why it’s important?
      You know how costly security breaches can be. You know the consequences of employee negligence. So tell your employees. If they see how simple steps to improve their security can affect business operations, they’re more likely to take those steps. All of us are more likely to do something if we understand why we are supposed to be doing it. It won’t bring about 100% compliance, but it will help your employees understand that you aren’t making demands just to complicate their lives – you’re asking for help in making a real difference in the business.
    5. Have you covered the basics?
      Everybody could use a refresher on the fundamental rules of cyber security. Even if a few employees do roll their eyes, chances are some of them have been using the same password for years – so they really should be hearing it again. In an interview with Fortune, the CEO of the Computing Technology Industry Association said, “Behavior changes really only happen through repetition, follow-up, and emphasis. It takes a long time to instill new habits.”

    If we want to mitigate our employees’ risk, then we need to get serious about how we educate them about information security. If we honestly evaluate our cyber security training methods, we could probably all make some improvements. And that could make a real difference.

  • Why Zero Trust Is Not As Bad As It Sounds

    by Patrick Knight | Mar 01, 2018

    What is Zero Trust?
    “Zero Trust” refers to a network security strategy that calls for every access request – whether it originates inside or outside the corporate network – to be authenticated and authorized before access is granted. Zero Trust means organizations never implicitly trust anyone with their sensitive data, and being on the internal network is not, by itself, a reason to trust a user. Instead of relying on a single blanket network perimeter, Zero Trust networks implement a series of micro-perimeters around data so only users with an explicit grant for a given data store can reach it.

    In practice this is least privilege: users are given the minimum access they need to do their job and no more. Zero Trust also means logging all traffic, internal and external, so that suspicious activity and weak points can be spotted after the fact.

    Why are companies adopting Zero Trust?
    Security breaches are getting more common and more expensive – despite increased security budgets. Zero Trust is more than a software platform; it’s an attitude about users and data. Rather than trusting internal network users and focusing on external hackers, organizations are wising up to the reality of malicious insiders and the need to play it safe by protecting information from all users.

    Security strategies are becoming an important part of the business conversation, and new measures and attitudes are being introduced. In an interview with CSO, Chase Cunningham of Forrester, the firm that coined the term “Zero Trust,” says that many companies are undergoing a digital transformation. As you move to the cloud, “there’s where you start your Zero Trust journey.”

    Zero Trust isn’t as harsh as it sounds
    The Zero Trust strategy isn’t saying, “no user is safe, ever.” Obviously companies can’t function with that mindset. Rather, it means that when it comes to sensitive data, people should have to prove they are authorized to see it before they’re granted access.

    60% of network attacks are by insiders – three-quarters of which are done with malicious intent. If the majority of network attacks are done by people who are traditionally trusted network users, why not start putting some restrictions on their access? That’s all Zero Trust says to do. It prioritizes privacy by making sure sensitive data is only accessed on a need-to-know basis.
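    The access model the article describes – deny by default, explicit per-resource grants, no implicit trust for internal users, and a log of every decision that can be reviewed for suspicious activity – is small enough to show in code. The following is an added illustration written for this page, not Veriato’s product or any particular Zero Trust framework; the grants, users, resources and the “more than two denied resources” review threshold are all constructed for the example.

```python
"""Added example: deny-by-default authorization with an audit trail.
Everything here (users, resources, grants, thresholds) is constructed
for illustration; it is not code from the original article."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Grants = Dict[Tuple[str, str], Set[str]]

# Constructed policy: explicit grants only. Anything not listed is denied,
# no matter where the request comes from.
GRANTS: Grants = {
    ("alice@example.com", "hr/payroll"): {"read"},
    ("alice@example.com", "hr/ssn-vault"): {"read"},
    ("bob@example.com", "marketing/campaigns"): {"read", "write"},
}


@dataclass
class Request:
    principal: str
    resource: str
    action: str
    authenticated: bool          # valid credentials presented (e.g. password plus MFA)?
    on_corporate_network: bool   # recorded for the audit trail, never used to decide


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)


def authorize(req: Request, grants: Grants, log: AuditLog) -> bool:
    """Allow only an authenticated principal with an explicit grant for this
    exact resource and action. Network location is logged but does not
    influence the decision, so an insider without a grant is treated exactly
    like an outsider. Every decision, allow or deny, is written to the log."""
    if not req.authenticated:
        decision, reason = False, "not authenticated"
    elif req.action in grants.get((req.principal, req.resource), set()):
        decision, reason = True, "explicit grant"
    else:
        decision, reason = False, "no grant for this resource/action"
    log.entries.append({
        "principal": req.principal,
        "resource": req.resource,
        "action": req.action,
        "internal": req.on_corporate_network,
        "allowed": decision,
        "reason": reason,
    })
    return decision


def principals_probing(log: AuditLog, threshold: int = 2) -> List[str]:
    """Review the audit trail for one simple warning sign: an authenticated
    principal denied on more than `threshold` distinct resources. A user who
    mistypes one path does not trip this; someone sweeping for data they hold
    no grant to does. The threshold value is an assumption for the example."""
    denied: Dict[str, Set[str]] = {}
    for e in log.entries:
        if not e["allowed"] and e["reason"] != "not authenticated":
            denied.setdefault(e["principal"], set()).add(e["resource"])
    return sorted(p for p, rs in denied.items() if len(rs) > threshold)


def run_demo() -> Tuple[List[bool], List[str]]:
    """Constructed traffic: Alice doing her job, Bob (a trusted internal user)
    sweeping HR data he has no grant to, and an unauthenticated outsider."""
    log = AuditLog()
    traffic = [
        Request("alice@example.com", "hr/payroll", "read", True, True),
        Request("alice@example.com", "hr/payroll", "write", True, True),  # read-only grant
        Request("bob@example.com", "marketing/campaigns", "write", True, True),
        Request("bob@example.com", "hr/payroll", "read", True, True),     # internal, but no grant
        Request("bob@example.com", "hr/ssn-vault", "read", True, True),
        Request("bob@example.com", "finance/ledger", "read", True, True),
        Request("mallory@example.net", "hr/ssn-vault", "read", False, False),
    ]
    decisions = [authorize(r, GRANTS, log) for r in traffic]
    return decisions, principals_probing(log)


if __name__ == "__main__":
    decisions, suspects = run_demo()
    print("decisions:", decisions)
    print("principals to review:", suspects)
```

    Two things to notice when running it: Bob’s requests are denied even though he is authenticated and on the internal network, because the policy has no grant for him on those resources, and the audit review surfaces him precisely because every denial was logged rather than silently dropped. Mallory’s unauthenticated attempt is denied before any grant is consulted.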

  • 4 reasons why cyber security deserves a larger chunk of your hospital organization’s budget

    by Veriato | Feb 22, 2018

    In the medical community, the patient is paramount. There are countless methods employed to treat people and protect their health. But when it comes to their patients’ safety, most hospitals need a higher dosage of cyber security.

    Currently, health organizations are allocating less than half of what other industries budget for information security. This is no longer sufficient for a field with such high-value assets, and many factors play into the need for increased cyber security in the medical arena.

    1. Evolving healthcare technologies: Just in the last decade, health records have gone from mostly paper to totally electronic – and the digitization is continuing. Now employees access patient data via mobile devices and remote networks. Data sharing and cloud storage are necessities. Additionally, many medical devices themselves are now internet-enabled and some providers are embracing wearable tech for patients. Precision medicine, an emerging approach that customizes treatment based on patient-specific factors, also relies on the Internet of Things, and generates more sensitive data. As digital treatments, methods, and devices become more widespread, the opportunities for cyber attacks also increase. The AHA suggests that organizations put a scalable security plan in place now that can grow and adapt with the changing landscape.
    2. Increase in threats: With more online data, come more cyber threats. In 2015, around 100 million health care records were stolen. In 2016, organizations experienced on average one cyber attack per month. The value of EHRs has increased on the black market, enticing more cyber criminals. Organized crime rings target information systems to steal and sell specific information (social security numbers, billing info) or entire EHRs. Political groups and hacktivists seek to expose high-profile patient data to embarrass or discredit their enemies. Nation-state attackers try to seize groups of EHRs for mass exploitation of people. Even your own employees are security risks – from malicious insiders to those uneducated about cyber security best practices. The threats to patient data are diverse, dangerous, and escalating.
    3. Costly consequences: The Ponemon Institute reports that the average cost of a data breach for healthcare organizations is estimated to be more than $2.2 million. In another study, 37% of respondents reported a DDoS (distributed denial of service) attack that disrupted operations about every four months, totaling an average of $1.32 million in damage per year. In addition to large monetary losses, data breaches hurt organizations’ reputations, which can have ripple effects in business. Intellectual property such as research findings and clinical trial information can also be stolen and sold, negating years of work and monetary investment.
    4. Physical risk: A medical facility exists to help people heal. Even though cyber attacks are online, they can cause physical harm. In a Ponemon Institute study, 46% of respondents said their organization experienced an APT network attack that forced it to halt services. This shutdown can seriously impact the treatment of patients. Additionally, ransomware attacks are on the rise, in which attackers encrypt files and systems so they are inaccessible until the organization pays a ransom, usually in Bitcoin because it is harder to trace than a bank transfer. In the meantime, health care records can’t be accessed, meaning treatment may be delayed – resulting in health consequences or even death (and lawsuits). In this day and age, protecting patients means protecting your network. As Theresa Meadows, CIO of Cook Children’s Hospital, said in an interview for NPR: "The last thing anybody wants to happen in their organization is have all their heart monitors disabled or all of their IV pumps that provide medication to a patient disabled."

    Hospital organizations always put the patient first. An important – and undervalued – way to do that is to give cyber security the priority it deserves.