The Growing Threat of Cybersecurity Attacks
Cybersecurity attacks are not only becoming more frequent, but more sophisticated. Hardly a week goes by without an organization falling victim to a new malware or ransomware cyberattack. These attacks can plague organizations with financial loss, reputational damage, and regulatory fines. Because of this, organizations must ask the question, “do we have the capabilities to withstand, recover from, and adapt to new threats?”
In their 2024 data breach investigations report, Verizon identified 10,626 confirmed data breaches, nearly double the number from the previous year. Ransomware or extortion was involved in 70% of financially motivated incidents, and the median loss of an attack was found to be $46,000. The report also found that more than 50% included a non-malicious human element, emphasizing the need for security awareness training. This article focuses on high-level strategies for medical professional liability (MPL) companies to combat cyber threats through effective cyber resilience.
Building a Cyber Resilience Strategy
Cyber resilience should be at the top of every organization’s information technology (IT) strategic plan. To shift from a reactive mindset to proactive preparation, create a strong cyber strategy that starts with an effective risk management process.
An organization needs to first identify which systems are supporting business processes and what kind of sensitive data resides in those environments. Vulnerabilities and threats can then be identified, as well as the likelihood of each threat exploiting a vulnerability and the potential impact on the organization.
Ensuring Robust Backup and Recovery Procedures
Diversify Data Storage
The ability to quickly recover data and systems in the event of an attack should be part of the risk assessment process. Robust backup and recovery procedures should be implemented. Some strategies include:
- Cloud adoption: A common way to diversify data storage; cloud computing provides scalability and faster recovery through a range of recovery options.
- Geographic redundancy: Cloud services often offer data storage in different geographic locations to mitigate the risk of primary backup or data source corruption.
- Other storage options: Network-attached storage (NAS), block storage, and storage area networks (SAN).
- Air-gapped backups: Backups isolated from the network, so that the data is not reachable by threat actors.
Align Business Continuity and IT Objectives
Successful resiliency is achieved not just through diversification of data storage, but also through the alignment of business continuity plan requirements with the IT department's objectives. In the event of a disruption, an organization needs to know how quickly critical systems can be brought back, in order of importance. It also needs to determine the acceptable data loss for each department and application.
As such, a business continuity plan and incident response plan should be developed, maintained, and tested annually to identify areas for improvement and minimize the impact of disruptions. Roles and responsibilities should be defined so that personnel know what is expected of them during a disruption. Several regulations and standards require a business continuity plan and incident response plan to be in place and tested regularly. For example, the November 2023 revision to 23 NYCRR Part 500 from the New York Department of Financial Services requires the development, maintenance, and testing of business continuity plans, disaster recovery plans, and incident response plans in sections 500.16(a) and 500.16(b).
Testing Business Continuity and Disaster Recovery Plans
Understanding Recovery Time Objectives and Recovery Point Objectives
Two crucial metrics used in disaster recovery plans and business continuity plans include:
- Recovery time objective: The maximum acceptable time to restore a network or application.
- Recovery point objective: The maximum tolerable data loss, measured as the time between the last recoverable backup and the disruption.
The recovery time objective and recovery point objective are agreed between the business and IT based on business requirements and the capabilities of the IT team. Using them, organizations can prioritize systems for recovery and select appropriate data storage solutions. Organizations can then verify both objectives in disaster recovery tests, which evaluate whether backups can be restored within the targets and whether the restored data is intact.
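To make that verification concrete, here is an added Python example (not from the article) that checks the results of a disaster recovery test against each system's recovery time objective and recovery point objective and lists the systems in recovery-priority order; the system names, tiers and timings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Objective:
    name: str
    tier: int          # 1 = most critical; sets the recovery order
    rto: timedelta     # recovery time objective
    rpo: timedelta     # recovery point objective
@dataclass
class TestResult:
    name: str
    disruption_at: datetime   # when the simulated outage started
    last_backup_at: datetime  # newest backup that could be restored
    restored_at: datetime     # when the system was verified working
    integrity_ok: bool        # restored data passed its integrity checks
def evaluate(objectives, results):
    """Return one finding per system, most critical tier first."""
    by_name = {r.name: r for r in results}
    report = []
    for obj in sorted(objectives, key=lambda o: o.tier):
        r = by_name.get(obj.name)
        problems = []
        if r is None:
            problems.append("no recovery test on record")
        else:
            actual_rto = r.restored_at - r.disruption_at    # outage to verified restore
            actual_rpo = r.disruption_at - r.last_backup_at  # data window lost since last backup
            if actual_rto > obj.rto:
                problems.append(f"RTO missed: {actual_rto} > {obj.rto}")
            if actual_rpo > obj.rpo:
                problems.append(f"RPO missed: {actual_rpo} > {obj.rpo}")
            if not r.integrity_ok:
                problems.append("restored data failed integrity check")
        report.append({"system": obj.name, "tier": obj.tier, "problems": problems})
    return report

# Constructed sample data: hypothetical systems, tiers and timings.
T0 = datetime(2024, 6, 1, 2, 0)  # start of the simulated disruption
OBJECTIVES = [
    Objective("claims", 1, timedelta(hours=4), timedelta(hours=1)),
    Objective("policy-admin", 2, timedelta(hours=24), timedelta(hours=4)),
    Objective("file-share", 3, timedelta(hours=48), timedelta(hours=24)),
    Objective("email", 3, timedelta(hours=8), timedelta(hours=2)),  # never tested
]
RESULTS = [
    TestResult("claims", T0, T0 - timedelta(minutes=50), T0 + timedelta(hours=6), True),
    TestResult("policy-admin", T0, T0 - timedelta(hours=3), T0 + timedelta(hours=5), True),
    TestResult("file-share", T0, T0 - timedelta(hours=20), T0 + timedelta(hours=10), False),
]
```

Running `evaluate(OBJECTIVES, RESULTS)` after each simulation or parallel test turns every missed objective, failed integrity check, or untested system into a gap to close before the next test cycle.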
Common Types of Disaster Recovery Plan and Business Continuity Plan Tests
As mentioned above, the disaster recovery plan and the business continuity plan should be tested annually. Six of the most common types of tests are as follows:
- Plan review: This is the most basic type of test where gaps are identified through a thorough review of the documented plan.
- Tabletop exercise: A simulated exercise is held with key personnel to discuss and walk through a hypothetical scenario.
- Walkthrough test: A physical walkthrough of the plan is conducted, including the steps taken to access backup systems and data.
- Simulation test: A specific disaster scenario is chosen to partially or fully activate the disaster recovery plan and evaluate its effectiveness.
- Parallel test: The recovery environment is brought online alongside the production environment to test the effectiveness of the disaster recovery plan.
- Full interruption test: This is the most comprehensive and disruptive test. The production environment is fully shut down and all operations are failed over to the recovery environment. This provides the closest simulation to a disruption.
By regularly testing the disaster recovery plan and the business continuity plan, organizations can ensure they are well-prepared to handle any disruption, minimize downtime, protect critical assets, and maintain business continuity.
The Role of Security Awareness Training
Addressing the Human Element
Learning from past incidents and adapting security measures to address new and evolving threats is a key component of an effective cyber resilience strategy. This involves security awareness training; employees are an organization’s greatest asset and often the weakest link in cybersecurity. Without proper training, they are more likely to fall victim to phishing scams, click on malicious links, or use weak passwords, all of which make an organization vulnerable to attacks.
Increasingly sophisticated bad actors are using creative ways to breach cybersecurity controls. These methods include schemes specific to the MPL industry, such as posing as defense attorneys or other known vendors and sending corrupted links, posing as policyholders to access confidential information, and posing as claimants and plaintiffs in efforts to steal valid outgoing payments. Having a well-developed cybersecurity training program as part of the cyber resiliency strategy can help mitigate these risks. Consistent training that adapts to the current threat landscape should be pushed out to all employees, temps, and contractors.
Building a Strong Foundation for Cyber Resilience
As threats evolve and the frequency of attacks continues to increase, cyber resilience is critical. By taking a proactive and comprehensive approach, MPL insurers can ensure business continuity in the face of advanced and continuously maturing threats, while creating a competitive edge that attracts new clients seeking strong data protection.