Have you done everything you could to manage the level of risk that you need to have?
On Feb 4th I said Risk Management failed us: http://oversitesentry.com/risk-management-does-not-work/
So how can I help you understand the new level of cyber risk today?
In the past it was good enough to run a firewall (which keeps out most hackers), run some anti-virus software, and not click on questionable sites. Those three measures covered 99% of all attacks coming at you on the Internet.
I am going to rehash this old line of thinking in list form:
1. A firewall will keep out most of the criminal hackers
2. Anti-virus software keeps your machine relatively safe
3. Your own common sense about where you go on the Internet
Why do I have to re-evaluate my cyber risk?
Are you certain that items 1, 2, and 3 are the only things to worry about (or, for that matter, not worry about)?
Does your firewall have all ports closed, or does it leave known ports open in a way that gives a criminal hacker a way in?
We know anti-virus software cannot keep up with all the malicious software on the Internet (Symantec and others say it can catch only 45% of virus threats at best, according to securitywatch.pcmag.com):
http://securitywatch.pcmag.com/security/323419-symantec-says-antivirus-is-dead-world-rolls-eyes
Quote from article:
“Relying solely on antivirus is a dead end—and it has been for at least 8 years now,” said Bogdan Dumitru, Chief Technology Officer at Bitdefender. “But that’s like saying that aspirin is dead because it’s not the cure for cancer, AIDS, and all of humanity’s other illnesses.” Dumitru says that AV is now just a part of security suites that offer more specialized tools to deal with modern, specialized threats.
Threats on the Internet are more sophisticated, and firewalls and anti-virus alone will not protect you from most attacks. There are trillions of scans going on; if you have a mistake in your infrastructure, it will be found. Why do you think it has gotten so much worse? It is obvious, as the headlines are getting more ominous.
But when evaluating cyber risk one needs to know: what am I defending? How much is it worth? What portion of my income should I budget for IT infrastructure?
I.e., if income or gross sales are $100,000, we can’t spend too much on IT anyway.
But if gross sales are $1mil, then what is the true value of the information we are storing?
How much money one is making year after year is only one aspect. How much the actual information is worth on the criminal hacker market (also known as the Darknet) is another. For example, we know that PII (personally identifiable information) is worth about $3-5 per record, while medical information may be worth $470 per record. The issue with medical information is that it is persistent: it does not vaporize the way a credit card number does when the card is replaced. So medical information has a high value on the hacker Darknet.
OK, I am going to attempt to make a different argument in the risk arena: what if your car were a Lamborghini with all your life savings in it? How many times would you actually drive it? If at all?
I think, unfortunately, that is the situation for most smaller medical offices.
Here it is:
Take a small doctor’s office with 2 doctors and 4 support staff. If each doctor sees 20 new patients a week, minus 2 weeks for vacations or other items, that is 20 * 2 * 50 = 2000 patients a year.
So let me ask you, doctor: how valuable is this database that you have?
Is it worth just the value of the computer and software? For tax liabilities, yes. But if you have 2000 patients (a small office, but I also want manageable numbers…) then the Darknet value is 2000 * $470 = $940,000.
So you can imagine, if this is a slightly larger office with 10000 records (old and new), then the Darknet value is $4.7mil.
I wonder if all doctors with a database of 10000 clients look at their database worth as ~$5mil.
Whatever your IT budget is, if your database is worth $5mil, what do you think you should spend to defend it? The answer is not “as little as possible”.
Here is a report from the NBC San Francisco Bay Area investigative reporter, who learned that medical records are sold in India and Costa Rica to unscrupulous companies that defraud Medicare: http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html
My post from Feb 16 discussing the value of a medical record: http://oversitesentry.com/improving-data-security-especially-medical/
And as mentioned in my previous blog post, we are living longer in general, so our medical data is worth a lot more than doctors think today.
My recommendation? Start investing in security products and expertise, and start developing methods to protect your medical data.
For example: http://oversitesentry.com/block-all-traffic-from-china-improves-your-defense/
Contact us to let us help you decide what to secure and how.
2 thoughts on “Is Your Cyber Risk Manageable?”