
IT and cybersecurity are not the same – Ep 325

October 8, 2021

By  Donna Grindle

IT and cybersecurity services are not the same. If you are in the market to purchase managed services or security services from an IT firm, you’ll want to listen to this podcast to understand how they are different, why they are different and why you need to understand those differences to better protect your organization from cyber attacks.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


IT and cybersecurity are not the same

Gary Salman, CEO of Black Talon Security, is filling in for Donna as co-host so that Donna can actually take a vacation. This is a new concept we are testing out after 6 years of juggling recording days to make up for when one of us couldn’t make our normal Friday morning podcast recording date.

Another reminder that this podcast is like a box of chocolates….

[01:51] Doctors and owners of practices are more concerned than ever as to whether they are protected from cyber threats. They see in the news where more and more companies are reporting being attacked and even though their IT folks say they are protected, they still wonder if they really are.

Years ago you could purchase an off-the-shelf anti-virus solution, install it on your computer and that was enough protection. That is not the case anymore. Having only an anti-virus solution on the PCs today is like relying on the lock in the door knob of the front door of your house, with all your valuables inside, and no deadbolt, no security system or anything else, and thinking that is enough to protect you from a break-in. The door is locked, but how confident are you that a thief can’t easily break into your home?

[04:57] There is a lot of misunderstanding and miscommunication around the idea that one piece of software or hardware is going to “ransomware proof” a network. It’s still a challenge in the industry: vendors overpromise that technology alone will protect your business from a ransomware attack or other malicious attack. It’s an ongoing balancing act between technology, software protections and training.

[07:07] The services that MSPs and cybersecurity firms provide are different. There is some overlap of services but both play a critical role in protecting infrastructure.

MSPs typically deliver firewall protection, an anti-virus solution, a secure email/hosted email solution, backup solutions and things like that very well. We’ve said before, you aren’t really paying for a backup solution. You are paying for a recovery solution. A backup is no good if you can’t recover the data successfully and use it. So, it is key for any organization to understand their backup and recovery process and work with their MSP to confirm that data is recoverable and how long it would take to actually recover it, no matter what type of incident you are facing.

[15:44] Today, everyone talks about having cloud backups of their data. But those backups can sometimes be damaged or hacked or erased too. Remember in the old days when you backed up a server and all its data to an external hard drive and then locked it away in a fireproof safe? It wasn’t connected to the network or the internet. It was a physical device that had all of the pertinent data and was not accessible by anyone until you connected it to a network. That is what you call air gapping. If it isn’t connected to the network or internet, it can’t be corrupted in a cyber attack.

Not to mention that restoring data saved in a cloud backup could take days or weeks depending on how much data has to be restored, what kind of data you are restoring (text vs images or video) and how fast your internet connection is. But the other issue is that during a cyber attack your data could have been stolen by the hackers, so that’s a different issue altogether.

Businesses and practices really need to be hardening their security, not just relying strictly on backups.

[21:31] Air gapping is a great solution for a secondary backup of your data, but there are risks to doing that too. Air-gapped backups require you to rely on humans to perform tasks and potentially carry devices around. So, every organization should do a risk analysis of its backup solutions. #1: backup media should always be encrypted in case it is lost or stolen.

There is more to security than just tools to protect you from cyber threats. That’s where the split is between what MSPs do and what cybersecurity companies can do. Cybersecurity firms have highly trained staff that can do assessments and work with companies to help them understand the risks they face and how to mitigate them.

[25:31] Not only should companies have a separate line item for an IT budget, but they should also have one for cybersecurity. They are not the same thing, but many organizations lump them together in their budgets. It’s the cost of doing business. If you want to operate in the digital world right now, if you want to be connected and you’re not investing in good MSP services and good cyber security services, ultimately, you’re going to fail.

[27:58] If you don’t know where your risks are, it’s very difficult to protect the organization. That’s where a security risk analysis or assessment comes in. Every organization should do an SRA and engage a third-party, independent cybersecurity firm to do one. An SRA will look very different depending on the size of your organization, the number of staff and workstations, and the complexity of the organization and its network. But doing one will help you understand where your vulnerabilities lie and how best to mitigate them, whether it’s with technology, training, process changes or a combination of all three.

An SRA with vulnerability management and external pen testing is a must for smaller organizations. It should be something you do on a routine basis as your vulnerabilities may change, especially if you are introducing new equipment or making staff changes or even vendor changes.

[39:57] You have to budget for both IT and cybersecurity protections. You cannot run a healthcare organization and not have security in place, because the cost of a breach is insane. It is estimated that 40% of businesses, including healthcare, won’t be able to get cyber insurance coverage in 2022 to 2023, especially if they have an existing claim. You have to invest in security. You have to think long term with this stuff.

For smaller organizations, say 20 computers or so in your environment, a budget of about $7,000 a year should be dedicated to cybersecurity, which includes vulnerability assessments, pen testing, cybersecurity awareness training for staff, etc. For MSP services, you should be budgeting around the same amount, depending on how the MSP services are structured.

So, to sum this all up, you should be looking for an MSP that will provide services like:

  • Firewall solution
  • Backup and recovery services
  • Secure email / hosted email

And then on the other side of the spectrum, start looking for cyber firms that are going to provide some more advanced services like:

  • Vulnerability management against your firewall
  • Vulnerability management against all of your devices on the inside of your network
  • Training (which could be provided by either an MSP or a cyber firm)
  • Some type of extended detection and response solution (AI technology that helps identify the fingerprints of an attack)
  • Security Risk Analysis (most important)

There is no cookie-cutter solution to protecting your organization from cyber attacks or any other environmental or human threats. Every business needs to do a security risk analysis and work with a third-party cyber firm to understand where it has risks, how to address those threats and what types of technologies might be able to help mitigate those risks.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
