How practice owners and partners can reduce their cyber risks

Cyber security threats are continually evolving and reshaping the business landscape. Beyond affecting your business’ ability to operate, breaches can compromise intellectual property, employee, and customer information. They can also cause lasting legal and reputational damage to your practice.

As attacks continue to grow in frequency and sophistication, professional corporations are under attack. Small to mid-sized businesses are the number one target of cyber criminals. In fact, a 2017 Globe & Mail report revealed small businesses account for over 70 percent of data breaches. These numbers have almost certainly increased over the past five years and will undoubtedly rise even more as organizations continue to focus on meeting the demands of a post-pandemic world.

As a practice owner and / or partner, you play a pivotal role in setting the tone and stage for lasting cyber resilience. The four following recommendations underscore your power to shape key policies and governance measures and support a more proactive and comprehensive approach to cyber security.  

Beware the complacency trap

Cyber security is a moving target, with new risks and threats emerging all the time. The steps you’ve taken in the past are a great start, but you must constantly be vigilant and proactive in assessing and mitigating vulnerabilities — else find yourself caught flat footed.  

“Organizations, like people, are prone to follow the path of least resistance,” says Danny Timmins, MNP’s National Cyber Security Leader. “Practice owners will often invest heavily in fortifying their cyber defenses only to set the issue aside after they’ve received a clean bill of health.”

Often, the topic of cyber security doesn’t come up again until the practice experiences an attack or near miss, or there’s a highly publicized threat that hits close to home. Timmins says the price of complacency can be costly if that something happens to be a ransomware attack.

To avoid this trap, he recommends practices invest in cyber security and privacy assessments at least every year. The process is usually quite straightforward and rarely reveals the need for significant remediation unless the practice has undergone material change. At best, the practice will buy added peace of mind in knowing their priorities, policies, and controls are functioning properly and pointed in the right direction.

However, Timmins says if there’s an ideal time for an unexpected software vulnerability to arise or to uncover new risks not considered in the cyber security plan this would be it.

“These kinds of issues are ticking time bombs,” he warns. “It’s a tired expression, but in this case an ounce of prevention truly is worth a pound of cure.”

Take a whole business approach to cyber security

Another common mistake among practice owners and managers is relegating responsibility for cyber security to their internal or external information technology teams. This often stems from a misconception that hacking and malware are inherently technology problems best managed by technology specialists.

“We typically frame cyber security in terms of people, processes, and technology,” says Timmins. “Focusing all your resources on the technology without addressing people and processes is like installing high definition cameras around your house and leaving the doors and windows open when you’re not home.”

This, of course, should not minimize the crucial role IT plays in preventing and responding to cyber incidents, but emphasize everyone else’s. Anyone — from the receptionist to the managing partner — who has access to the business network is a potential gateway for a would-be hacker to exploit. Timmins says that’s where the people and process side of things come into play.

“The overwhelming majority of attacks boil down to human error. All it takes to compromise the network is someone clicking on a phishing link they shouldn’t have, plugging in a thumb drive they found laying on the floor, connecting their work device to an open network, or recycling a password that was compromised in an unrelated attack.”

Policy may not be as sleek and exciting as AI-powered threat detection, but Timmins says it’s a powerful tool for any practice owner or leader wanting the biggest return on their cyber security investment.

“Set clear guidelines. Educate employees on how to use technology responsibly. Explain clearly and frequently that cyber security is everyone’s responsibility and why it should be a top of mind consideration in everything they do in the course of their day to day,” says Timmins.

Welcome cyber perspective into the practice

Depending on the nature of your business, it’s likely you have specific skills and qualifications you look for in building your management team. A strong business acumen, legal expertise, finance and strategic experience, an extensive medical background perhaps. But given the importance of effective policy in mitigating cyber risks, now may be a good time to consider bringing cyber and technology expertise into your inner circle at least on a part time basis.

“A cyber expert can provide immense value in high level discussions, especially as more organizations are moving to the cloud and undergoing digital transformations,” says Timmins.

As with human error, third-party applications and vendors are another common risk area that leaves organizations vulnerable to a breach. Having someone on speed dial who knows what questions to ask of technology providers and advisors, and what pitfalls to look out for can help you avoid a costly and potentially fraught relationship.

“Some third-party risks are unavoidable and simply the nature of moving to the cloud,” says Timmins. “But you can only anticipate the risks you’re aware of — and that’s where a cyber advisor can help.”

Timmins says increased regulatory complexity is another area of concern where expertise can deliver significant value. The laws are changing rapidly and so are the penalties for noncompliance. So it’s imperative to have a knowledgeable person on hand to ensure policies and processes satisfy potentially several different jurisdictional requirements depending on where employees and clients live and work.

“Every organization also needs to operate on the premise they will be the target of an attack at some point,” says Timmins. “Some people will simply tell you what you want to hear. It’s altogether different  having an expert with skin in the game — someone who is invested in the business and your success.”

Expect the worst

It’s discomforting for many practice owners to learn their organization can do everything right and still become the victim of a cyber attack. The best technology, policies, and training can significantly reduce the likelihood of a breach, but there are no guarantees.

A momentary lapse by a team member, a yet undiscovered software vulnerability, or an extremely persistent hacker can all run roughshod around the very best cyber defenses. That’s why Timmins argues every organization should operate on the premise their systems will be compromised and to plan accordingly.

“How a practice responds to an attack is as important as how it goes about preventing one,” says Timmins. “That doesn’t just mean having incident response plan in place — but practicing it frequently in conditions that are as true to reality as possible.”

He adds that an effective cyber incident response plan will provide clear, stepwise instructions about:

• How to report a breach and to whom
• When to call a third-party advisor to contain and remediate the breach
• When to call legal counsel and public relations advisors
• How to document and report details to regulatory bodies
• How to communicate with employees and affected parties

By the time a breach occurs, each step in the process should be well understood and feel like second nature to those involved.  

Even prior to an incident though, Timmins says there are critical steps the practice should be taking to prepare. These include offline and offsite backups which would allow the business to restore at least parts of the network and maintain a continuity of operations — as well as purchasing breach insurance to offset the potential legal, business disruption, and recovery costs of an attack.

“Cyber risks are enterprise risks,” says Timmins. “Practice owners and partners need to set the tone for how to mitigate and manage this growing issue.”

After all, if they’re not willing to accept the worst, it’s hard to expect anyone else will.

Danny Timmins, CISSP, is MNP’s National Cyber Security Leader. To learn more about how you can protect your practice against the latest cyber threats, contact Danny at 905.247.3290 or [email protected]