I've been spending a big chunk of my time over the last few weeks talking to practices who are scared to death of the potential risks from cyber attacks and rightfully so, considering these days it's not a matter of if, but when.
Some of the classic responses I get when talking about security with clients range from a complete understanding of what they need to do to achieve their goals down to a completely opposite nonchalant attitude of "she'll be right"...
- Hackers aren't interested in our little practice…
BUT THEY ARE!
It's easier to compromise 1000 smaller businesses than it is to hit one big one; if only 10% of those pay a ransom of $10,000, that's a million dollars right there.
- Securing our network is too expensive...
It's not too expensive compared with the alternative. In the current landscape, especially after the Optus and Medibank Private breaches of 2022, we're going to see government agencies come down hard on businesses that are compromised and have been negligent in securing their networks.
- I don't need all this security mumbo jumbo!
You absolutely need this security mumbo jumbo.
- I have good backups, I'll be fine...
That's great, and good backups will get you back up and running after ransomware, but they do nothing about data that has already been copied out of your network. Do you want to be fined when you do have a data breach?
But let's look at it from a different angle because a fine is only money.
How do you recover from the reputational damage that is caused when you have to tell all your patients that their personal and medical data has been breached and possibly out on the dark web to be sold to the highest bidder?
Cost is a big factor in a lot of the decisions made about protection. Considering the reputational damage a breach can cause and the losses from downtime, it shouldn't be, provided you're investing in the right security "stack" to minimise your exposure in line with your goals.
So what should an ideal security stack look like?
Managed services
Managed services are the cornerstone of any good solution. They will usually include some form of support, anti-virus and patch management, along with proactive monitoring of your hardware to minimise downtime.
HOWEVER, not all managed service plans are created equal. An ideal plan includes more than just antivirus and patch management: it should be working to bring your practice up to an "Essential Eight" maturity level (the Australian Cyber Security Centre's baseline of eight mitigation strategies) and include things like ransomware protection, detection of the persistent footholds an attacker leaves behind to get back in, and a good quality cloud backup solution.
We often put our security stack on to the networks of new clients only to find them riddled with viruses, malware and RATs.
Next-Gen firewalls
Your firewall is the equivalent of building a massive brick wall on the internet connection to your practice. Now as effective as a brick wall is at stopping things, we come across the problem of also needing to let things through it.
So we decide to put a door in the brick wall. This allows things to go through it, but now we have the problem where things are coming through it unchecked, so like a nightclub, we need a bouncer.
Although I think most of us have had a good night ruined by a bouncer at a nightclub at some point, a good one will only let in people that aren't there to ruin the party and keep out the riff-raff.
A good Next-Gen firewall has a bouncer: it checks what is going through it against live cloud threat databases and also studies the behaviour of that traffic to see what it is actually trying to do, rather than only looking at which port it arrived on.
We recently had a discussion with a practice who pulled out one of the cheapest modems on the market and pointed to the part where it said "firewall".
Yes, it has a firewall function included, but it is only a basic brick wall with a door in it and no bouncer: a simple port filter that is basically ineffective against today's attacks, and this is what we come across every day. The firewall built into a modem supplied by your internet provider will not protect you against much of anything.
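To make the "bouncer" idea concrete, here is a small added example of the difference in behaviour (written for this article; it is not code from any firewall vendor, and the IP addresses, the reputation list and the traffic log are all constructed). A port-only filter lets anything on ports 80 and 443 walk straight in; the next-gen style check additionally looks the destination up in a reputation list standing in for a live cloud database, and watches for the tell-tale behaviour of malware "beaconing" home at regular intervals.

```python
"""Port-only packet filter vs. a next-gen style "bouncer". Constructed data, runs offline."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since the start of the (constructed) capture
    src: str         # internal workstation
    dst: str         # destination on the internet
    dport: int       # destination port
    bytes_out: int


ALLOWED_PORTS = {80, 443}          # the "door" in the brick wall: web traffic only
# Constructed stand-in for a vendor's live reputation feed (documentation address range).
BAD_HOSTS = {"203.0.113.7"}


def basic_firewall(flow: Flow) -> str:
    """A modem-style firewall: anything on an allowed port is let through unchecked."""
    return "allow" if flow.dport in ALLOWED_PORTS else "block:port"


class NgfwBouncer:
    """Port check, then reputation lookup, then a simple behavioural check."""

    def __init__(self, min_connections: int = 4, max_jitter: float = 2.0):
        self.seen = defaultdict(list)          # (src, dst) -> list of timestamps
        self.min_connections = min_connections
        self.max_jitter = max_jitter           # how regular the gaps must be to count as a beacon

    def check(self, flow: Flow) -> str:
        if flow.dport not in ALLOWED_PORTS:
            return "block:port"
        if flow.dst in BAD_HOSTS:              # known-bad host on an allowed port
            return "block:reputation"
        times = self.seen[(flow.src, flow.dst)]
        times.append(flow.ts)
        if len(times) >= self.min_connections:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= self.max_jitter:   # same host, clockwork intervals
                return "alert:beacon"
        return "allow"


# Constructed traffic log: normal browsing, one known-bad host, one beaconing workstation,
# and one outbound SSH attempt that even the basic filter stops.
FLOWS = [
    Flow(0, "10.0.0.12", "198.51.100.20", 443, 1200),
    Flow(5, "10.0.0.12", "203.0.113.7", 443, 800),
    Flow(10, "10.0.0.15", "198.51.100.9", 443, 500),
    Flow(70, "10.0.0.15", "198.51.100.9", 443, 500),
    Flow(130, "10.0.0.15", "198.51.100.9", 443, 500),
    Flow(190, "10.0.0.15", "198.51.100.9", 443, 500),
    Flow(200, "10.0.0.12", "198.51.100.20", 22, 300),
]


def compare(flows=FLOWS) -> dict:
    """Run the same flows through both filters and return each one's verdicts."""
    bouncer = NgfwBouncer()
    return {
        "basic": [basic_firewall(f) for f in flows],
        "ngfw": [bouncer.check(f) for f in flows],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The basic filter waves through the known-bad host and the beaconing workstation because both use port 443; only the outbound SSH connection is stopped. The bouncer blocks the known-bad host on reputation and raises an alert on the fourth clockwork connection to the same host. A real next-gen firewall does far more than this (TLS inspection, application identification, sandboxing of downloads), but the layering is the point: port filtering alone is the door with nobody standing at it.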
At Teamwork, we recommend Cisco Meraki firewalls as they're fully cloud managed and provide one of the best levels of security for your network.
In addition to this, they will actually alert you if something is not right, for example if your internet goes down or if you have a device on your network that is doing something odd.
Spam protection
Spam, and the phishing emails and malicious attachments that arrive with it, is one of the key attack vectors for any business, not just dental. By stopping the majority of spam before it reaches your network, you not only increase productivity but also plug one of the biggest security holes in your practice.
Spam protection is quite inexpensive these days, and using a third party such as Mailguard will give you not just industry-leading filtering but also insight into how much junk mail you're actually receiving, just by looking at their daily reports.
So what does it all cost to protect a five computer practice at this level?
Realistically, upfront, a good network firewall is around $2000-$3000 installed, with a three-year licence for all the bells and whistles.
As for the ongoing costs for the managed services and spam protection, the industry average should be around $500-$700 a month depending on the IT provider you use and the overall level of security and value they provide.
Whilst these three layers may not be the be-all and end-all of your security stack, they give you a solid foundation to raise the security of your network and significantly reduce your attack surface.
We believe practices should learn and understand what security they require and how it works for them.
Sunday, 8 September, 2024