Most Important Cybersecurity Measures for Small DSOs
Large corporations invest millions of dollars in state of the art cybersecurity controls. While the average DSO can't invest that much, what are the most important cyber policies that any group can put in place?
Dallin Kaufman
12/10/2024
3 min read
Introduction
Large corporations invest millions of dollars in state-of-the-art cybersecurity controls. The list of tools, software, and policies that can be implemented is endless: firewalls, an EDR, a SIEM, an IDS and IPS, penetration tests, and emergency response plans, just to name a few. The average DSO can look at this list and honestly ask if all of these measures are really necessary for them. While I might get a couple of dirty looks for suggesting this, the TLDR is that no, that's probably not all necessary for your business. However, it's more nuanced than a simple yes/no. To understand why, we first need to tackle the nature of risk.
Nature of Risk
It's not possible for any organization to be 100% protected against cyber attacks, and this means that every company carries some level of cyber risk. Not all risks are created equal; some are significantly worse than others. We measure risk using the following formula:
Severity = Likelihood x Impact
This means that for each risk that could potentially impact your company, we have to consider both how likely it is and how much damage it would do before deciding whether it's relevant to us and whether we need to guard against it. So how do we determine which risks are most likely? It all starts with understanding the attacker mindset.
Attacker Mindset
Not all attackers are created equal. Some groups are sponsored by foreign governments and have vast amounts of resources and training at their disposal. Other attackers are nothing more than a 14-year-old kid with a YouTube video and a laptop. If a government-sponsored actor decides to hack your company, there's nothing you can do to stop them. These are the people that infiltrate companies like Google and Microsoft, that gain access to telecom infrastructure and social media platforms. These people don't care about you! I hate to say it, but you can't pay them enough to be worth their time, so they'll spend their money and talent on the bigger fish.
There is an economy to cybercrime: the more skilled the hacker, the bigger the target they're after. The only people going after small companies either don't have a sophisticated skill set or are trying to hack thousands of companies at once and only care about "low-hanging fruit" vulnerabilities. So while you should NEVER just ignore cybersecurity, you can get away with fewer controls than the larger corporations.
Top Three Cybersecurity Measures
Implementing the following three things in your DSO, while not comprehensive, will deter the vast majority of attackers operating at your level, or will allow you to quickly recover from an attack:
Implement 2FA everywhere you can
Train your employees on phishing
Take backups, and test them
Backups
Your patient data is irreplaceable. If an attacker steals and encrypts this data, your office can't function until you have it back. Take daily backups, and store them with a trusted third-party vendor so that they can't be compromised in the same attack that hits your office. While this doesn't prevent attackers from sharing patient data they've stolen, it can get your practice back to making money as fast as possible after a compromise.
Backups can be notoriously finicky, so after you start taking backups, test them regularly! Make sure that you can restore your patient data on a test system, and if you can't, find out why.
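An automated restore test of the kind this section recommends, as an added example that is not code from the original post. It assumes (not stated in the post) that each backup is a .tar.gz archive with a sidecar SHA-256 manifest, and it builds a small constructed sample so it runs offline.

```python
"""Automated backup restore test (added example, not code from the original post).
Assumed, not in the post: a backup is a .tar.gz archive plus a sidecar '<archive>.sha256'
manifest ('<hexdigest>  <relative path>' per line); the sample data is constructed."""
import hashlib, os, tarfile, tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive_path):
    """Archive every file under src_dir and write the sidecar SHA-256 manifest."""
    with tarfile.open(archive_path, "w:gz") as tar, open(archive_path + ".sha256", "w") as m:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                m.write(f"{sha256_of(full)}  {rel}\n")
                tar.add(full, arcname=rel)

def restore_test(archive_path):
    """Restore into a scratch dir; return (ok, problems), ok only if every file matches."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # The 'data' filter (Python 3.12+) refuses path-traversal entries.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **opts)
            manifest = open(archive_path + ".sha256").read()
        except Exception as e:  # any failure to restore is a failed test
            return False, [f"restore failed: {e}"]
        for line in manifest.splitlines():
            digest, rel = line.split("  ", 1)
            path = os.path.join(scratch, rel)
            if not os.path.isfile(path):
                problems.append(f"missing: {rel}")
            elif sha256_of(path) != digest:
                problems.append(f"corrupt: {rel}")
    return not problems, problems

def demo():
    """Constructed sample: a sound backup passes, a truncated copy fails."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "practice", "charts"); os.makedirs(src)
        open(os.path.join(src, "chart001.txt"), "w").write("constructed chart")
        good, bad = os.path.join(d, "good.tar.gz"), os.path.join(d, "bad.tar.gz")
        make_backup(os.path.join(d, "practice"), good)
        open(bad, "wb").write(open(good, "rb").read()[:40])  # damaged copy
        return restore_test(good)[0], restore_test(bad)[0]
```

Run `demo()` on a schedule against the latest archive pulled back from the backup vendor; a result other than `(True, False)` for the real archive and a known-bad one means the restore path needs attention before you need it for real.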
2FA
2FA is a second layer of security on top of a normal username and password. Passwords are getting easier to steal and easier to crack; the simplest way to guard against this is to enforce 2FA on every software system you possibly can. While it's not always convenient to pull out your phone and get a code, it makes a big difference.
Phishing
Phishing is the #1 attack vector that hackers use to get inside corporate networks. It always involves a fake email, text, phone call, or other communication designed to get you to click on a link, give up your password, or release company data. All employees need to be trained on the danger of phishing and how to spot these malicious messages.
Conclusion
Cybersecurity doesn't have to break the bank! By assessing the risks your company faces, prioritizing the most likely ones, and then implementing the most critical controls, you can get your DSO in top shape.
About the Author
Hey y'all it's Dallin ;) I've been working in IT for DSOs since I turned 17. I'm currently studying Cybersecurity at Brigham Young University. Talk to me about DSOs, cybersecurity, fantasy nerd stuff, or anything involving getting up in the mountains!