Security is Not Compliance – And Being Compliant is not a Guarantee that Your Data is Secure!

A mistake many organizations make is thinking that because they’re compliant, they are automatically secure. Sorry. Not so. You can be compliant and completely insecure, but there are three key steps to ensure you are actually secure. Most IT companies are only doing one or two of the three. You want to make sure they are checking ALL the boxes so if and/or when a breach occurs and you get audited, you are brilliantly prepared, and the damages are minimized. Here they are in order:

A Regular Third-Party Security Assessment with a Remediation Plan.
Hackers are constantly coming up with new ways in. Security tools that worked just two years ago are no longer sufficient today. If they aren’t having a third-party security assessment performed at least every quarter like clockwork, they are missing gaping holes that are actively being exploited by hackers. Problem is, this is where most businesses stop and don’t go on to steps 2 and 3 below.

Full and True IMPLEMENTATION of Your Plan.
Best-laid plans are worthless if not implemented. You can give a patient a treatment plan – but if they refuse to follow it, or skip steps and cherry-pick your advice, they cannot expect to get well.
In a world of marketing promises, how do you know your IT and security partner is delivering as promised? Please see the previous section of this report to know if they are truly implementing the plan. Further, we are offering a free, independent Security Assessment to audit your current IT company and tell you the truth about what they are (or aren’t) doing for you.
Same goes for security – your IT consultant should be giving you options, timelines and a weighing of pros and cons for choices you make about how to implement a plan to become compliant based on your risk tolerance, situation, budgets, resources, etc. A good IT company or consultant will guide you through this. But the most important aspect is to make absolutely certain that the IT team or company you put in charge to implement the remediation plan is actually doing it. Based on our personal experience, 90% of the companies selling outsourced IT services and support are NOT being diligent about the full and complete implementation of a security and compliance plan.

This is the part most IT companies and medical practices skip. Behind every security compliance measure is a documentation requirement. If you have a breach and subsequently get audited, you will be required to produce documentation of your security activities and policies. If you do not have those documents, your business will not be able to sustain a major attack or breach. If you do not have documented plans for how to address a ransomware attack, data breach, or disclosure and clear instructions on who needs to do what when, you are putting yourself and your business at risk of not surviving the consequences.

Over half of all home security systems and cameras are bought (or beefed up) by homeowners after a burglary or home invasion. Across the country, warnings of bad storms drive hordes of people to the store to stock up on water, food and other supplies – and anyone who hesitates or waits to hit the store AFTER work or WHEN they have the time often arrives to find the store shelves empty, and the remaining picked-over supplies at jacked-up prices.

We are strongly cautioning against any assumption that you are truly protected and prepared should a breach occur, or should you get reported for a violation. Fire prevention is infinitely cheaper, less stressful and more orderly than having to call the fire trucks and work the hose when your house is ablaze. Cancer is BEST treated when found EARLY and aggressively treated, not left to get worse until the point of no return. The time to have an in-depth, fresh look at the state of your security program is right now, with a friend who has your best interests in mind – NOT an insurance agent or an attorney – when there is no crisis happening, no auditors calling, no security breach occurring.
