By Kristin Shoe
What if a trusted third party could help your company identify specific vulnerabilities before the hackers do? Cyberattack stories abound, from large corporations like Target and Equifax to various small businesses across Alabama, and the productivity and revenue loss continues to be catastrophic. However, a comprehensive penetration test, ideally performed by an outside cybersecurity expert who is unfamiliar with your network and uninvolved with its design, will often highlight weaknesses in your company’s network and its defenses. During such an exercise, various tools and software are deployed that seek out deficiencies better found by you than a hacker.
Consider a couple pen testing success stories from two well-known companies:
Penetration testing conducted at the Mayo Clinic identified outdated operating systems on crucial medical equipment and devices. Furthermore, the testing discovered staff with weak and overused passwords. Mayo acted quickly to update its systems and enforce a strict password policy, thereby strengthening its protection significantly.
Walmart’s testing found unpatched software in use, weaknesses in its Point of Sale system, and poor password hygiene. Walmart immediately patched and updated its POS system to protect customer payments and implemented employee training and password policies.
While the Mayo Clinic and Walmart are large corporations, penetration testing offers benefits to healthcare providers at every size. In fact, for many cybersecurity insurance policies and certain compliance frameworks, annual (or even more frequent) third-party penetration testing is a requirement. Healthcare providers and certain adjacent industries often have certain legal requirements to perform penetration testing at least annually. Discovering open ports, weak user credentials, unpatched applications, and other potentially devastating fissures in your practice’s network allows your team to repair and resolve these problems before the hackers find them. While you may need to dedicate some time and resources to fixing these problems, the cost is minimal when compared to that of an actual breach that takes your entire practice out of operation for weeks or even months.
Consider the cost of assuming your network is protected. For example:
Alabama’s own Norwood Clinic announced in late 2021 that a cyberattack had exposed the records of roughly 228,000 patients. A $2.3 million settlement was reached in January. This settlement doesn’t include the cost of cleaning up the actual breach itself or the downtime in productivity for the clinic.
In 2019, an extensive ransomware attack hit Tuscaloosa’s DCH Medical Center, extending to Northport and Fayette centers as well. A social engineering scheme focused on employees, convincing them to click on attachments via email, thus releasing malware and shutting their entire network down. Hospital services and functions were partially paused for 10 days until a decryption key was purchased from the attackers at an undisclosed cost. A lawsuit from a group of patients is ongoing.
When your eight-year old tells you he’s done his homework, do you believe him or do you double check that it’s complete? If your mechanic changes your oil, does he assume he’s put the cap back on or is it part of his protocol to inspect that before he’s done? Do you go to bed believing your doors are probably locked for the night or do you make sure they’re secure? Your company’s network must be given the same thorough consideration. Protecting your business’s most valuable assets means that alerts must be managed, patches updated, and security gaps remedied. If not, you are at a significantly higher risk of attack.
Kristin Shoe is the Director of Marketing at SIP Oasis an IT services company based in Birmingham. She can be reached at (205) 623-1223.
