Looking at what we learned during three packed days at the XChange 2022 Conference, we have much to share. The XChange conferences help IT service providers, like Cumulus Global, explore emerging trends, challenges, products, and solutions. While we attend to improve our service offerings and business, many of the insights will benefit your business as well. This XChange of Ideas shares three emerging security trends.
1 Security is Not a Technology
Most small and midsize businesses see themselves as having security because they have some security technologies and systems in place. Security, however, is not a technology; security is an ecosystem that spans people, processes, and systems, as well as a lifecycle of prevention, response, and recovery. As important, we need to understand that managing our security
Most businesses still lack the basic set of security protections that span the security lifecycle. A solid security foundation should include advanced threat protection, next-gen endpoint protection, DNS security, web protection, multi-factor authentication, and encryption. A solid backup/recovery solution is also necessary; a business continuity solution is preferred.
With the dynamic nature of threats and cyber attacks, many businesses are at higher risk and should be deploying advanced security services. Advanced security services may include managed security incident detection and response (MDR) services, internal application whitelisting, segmentation, and other protections that can detect, halt, and contain the spread of an attack.
2 Cyber Insurance is Not Assurance
Cyber insurance is more than a good idea; it is a necessity for almost every business. But cyber insurance is not assurance that you can quickly recover from a cyber attack.
- Cyber insurance underwriters have you complete a questionnaire or audit about your cyber protections, policies, and procedures. When you submit a claim, most cyber insurers will ask you to demonstrate that the protections were in place, how they were functioning, and that you follow the policies and procedures noted in your application. If you cannot show that you do what you promise, expect your claim to be denied.
- Your cyber insurance underwriters may prevent you from starting your systems and data recovery. Recovery typically destroys evidence of the attack, its cause, and its method of propagation. You may be unable to restore your systems and data for days — or even weeks — while your insurer completes a forensics investigation.
Having the right protections in place, and being able to demonstrate compliance, is a clear expectation for resolving cyber insurance claims. A continuity solution that allows you to return to operation in parallel with a forensics investigation should be considered.
3 HIPAA is Not Just For Doctors
HIPAA is the regulatory cornerstone for protecting personal health information (PHI). These regulations control how we store, transmit, and share PHI — procedurally and technically. Compliance, however, is not just required of healthcare providers, insurers, and others with direct access to patient records. Businesses serving healthcare providers — those that sign a Business Associates Agreement — face compliance requirements as well.
HIPAA enforcement is expanding beyond Covered Entities to Business Associates, as is notable on the US Department of Health and Human Services Office for Civil Rights HIPAA “Wall of Shame”.