Unfortunately, malicious insiders aren’t your enterprise’s only threat – you should also be concerned about third-party software vendors and their employees. About a quarter of all reportable HIPAA breaches involved business associates, many of whom are vendors.
Healthcare and financial enterprises are required by regulations to exercise due diligence in hiring and overseeing vendors. Even organizations that are not subject to such regulations can benefit from reviewing vendor security and overhauling privacy practices.
Some healthcare security consultants recommend a three-pronged approach to vendor security. Even if healthcare isn’t your industry, we can all benefit from employing these tactics:
ISACA, an international professional association focused on IT Governance, offers a handy vendor security audit checklist. As always, WEI’s security team is also ready to help strengthen your cybersecurity strategy.
While most enterprises have malware detection software on servers and laptops, and protect the network perimeter with firewalls and intrusion systems, many do not take the same type of care with mobile devices, networked Internet of Things devices, and other devices such as printers and routers.
Wireless and Bluetooth-enabled devices can allow hackers to create a backdoor into a network’s security infrastructure. For instance, in 2013, the U.S. Department of Homeland Security issued a warning about 300 medical devices such as ventilators and laboratory equipment that relied on hard-coded passwords, which are passwords that are embedded in firmware as code and can’t be changed without changing the software code. In fact, this is a common problem in many applications and devices, such as printers. According to Naked Security, “Printers are a generally overlooked bit of network infrastructure, despite the fact that modern, networked printers have many of the same attributes as regular desktop systems, and might store thousands of pages of confidential document images. In recent years, printer vendors like HP have been forced to rush patches to users after critical vulnerabilities were discovered in firmware run by their printers.”
In addition to maintaining an inventory of servers and laptops, it’s a smart move to maintain an inventory of all other devices that interact with your network and to check regularly whether the manufacturer has issued any new firmware or software to fix security issues. For instance, sometimes a device manufacturer will release a firmware update that corrects a hard-coded secret, so the problem can be fixed simply by applying that update. If such a solution is not available, enterprises would be wise to limit network access to vulnerable devices.
Mobile security defenses should be fortified as well. Malware and virus protection is now available for all popular mobile platforms through a platform’s app store. Products include Bitdefender Mobile Security, F-Secure Mobile Security, Lookout, McAfee Mobile Security and Norton Mobile Security.
Before investing in software and/or hardware security solutions, consider starting a dialogue with an IT solutions provider that has knowledge of and experience with these enterprise security solutions. The right IT solutions partner will take the time to fully understand your IT environment and organizational goals in order to recommend the right solutions to meet your business needs. These days, enterprise security is an all-hands effort that requires collaboration across departments to identify security risks and opportunities.
To better understand the new and trending enterprise security threats, read our white paper, Effectively Managing Cybersecurity: Top 5 Enterprise Threats.