1. Train employees in cybersecurity awareness.
The most important step to take in protecting your practice’s data is training your employees so they know how to identify and avoid threats and, if a system is infected, how to respond. At the end of the day, your employees are your first and last defense. A well-trained, security-conscious user can prevent the introduction of most threats onto your network.
2. Create a password management policy.
Such policies should govern password history, age and complexity, and how often passwords must be updated. Users should be required to change their password every 60 days. Their passwords should also be sufficiently complex that they cannot easily be guessed.
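The three controls named above (complexity, history, and a 60-day maximum age) are easy to state in policy and easy to get wrong in enforcement, so here is an added example, written for this page and not taken from the article, of how a password-change request would be evaluated against them. The 60-day age is the article's figure; the minimum length, the number of classes required, the history depth and the demo salt are assumptions, and the PBKDF2 hashing stands in for whatever storage the practice's directory actually uses.

```python
"""Password policy checks: complexity, history, and 60-day maximum age.

Added example, not from the original article. MAX_AGE_DAYS comes from the
article; the other thresholds are assumptions. PBKDF2 with a fixed salt is
used only so the history comparison runs stand-alone; a real directory
stores per-user random salts and its own hash format.
"""
import hashlib
import hmac
import string
from datetime import date, timedelta

MAX_AGE_DAYS = 60      # from the article: rotate every 60 days
MIN_LENGTH = 12        # assumption
MIN_CLASSES = 3        # assumption: lower/upper/digit/punctuation classes required
HISTORY_DEPTH = 5      # assumption: the last 5 passwords may not be reused
SALT = b"demo-salt"    # constructed; never reuse one salt across users in practice


def hash_password(pw: str) -> bytes:
    """Derive a comparison hash for the password-history list."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), SALT, 100_000)


def complexity_problems(pw: str) -> list:
    """Return a list of human-readable complexity failures (empty if OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(
            f"needs at least {MIN_CLASSES} of: lower, upper, digit, punctuation")
    return problems


def reuses_history(pw: str, history: list) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH hashes."""
    candidate = hash_password(pw)
    # Constant-time comparison avoids leaking how far a match progressed.
    return any(hmac.compare_digest(candidate, old) for old in history[-HISTORY_DEPTH:])


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days remaining before the 60-day age limit; negative once expired."""
    return (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days


def evaluate_change(new_pw: str, history: list, last_changed: date, today: date) -> dict:
    """Evaluate a password-change request against all three policy rules."""
    problems = complexity_problems(new_pw)
    if reuses_history(new_pw, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return {
        "accepted": not problems,
        "problems": problems,
        "days_until_expiry": days_until_expiry(last_changed, today),
    }


if __name__ == "__main__":
    # Constructed scenario: one previous password on file, changed 1 Jan 2024.
    on_file = [hash_password("OldPassw0rd!")]
    print(evaluate_change("Winter-Clinic-2024!", on_file, date(2024, 1, 1), date(2024, 2, 15)))
    print(evaluate_change("OldPassw0rd!", on_file, date(2024, 1, 1), date(2024, 3, 10)))
```

The age check is deliberately separate from the change check: the first tells the user (or a reminder job) when the 60 days run out, while the second decides whether the replacement is acceptable. Reporting every failure at once, rather than stopping at the first, keeps users from cycling through several rejected attempts.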
3. Implement proper auditing of systems.
Use auditing solutions that can track and alert you to unexpected log-ins, attached peripherals (USB devices), employee downloads and other system changes that could indicate a threat to your practice’s data.
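To make the "track and alert" requirement concrete, here is an added example (written for this page, not a tool the article describes) that reviews a small set of constructed audit-log lines and raises alerts for two of the events named above: successful log-ins that are unexpected (an account outside the approved list, or a log-in outside business hours) and removable-device attachments. The log format, the host and account names, and the business-hours window are all constructed assumptions; a real deployment would read Windows Security or syslog events instead.

```python
"""Audit-log review: flag unexpected log-ins and USB attachments.

Added example, not from the original article. The log line format, the
approved-account list, the hostnames and the business-hours window are
constructed for the demonstration.
"""
import re
from datetime import datetime, time

KNOWN_ACCOUNTS = {"dr.lee", "nurse.kim", "frontdesk"}   # constructed approved list
BUSINESS_HOURS = (time(7, 0), time(19, 0))             # assumption: 07:00-19:00

# Constructed format: "<ISO timestamp> <host> <EVENT> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LOGIN|USB_ATTACH) (?P<detail>.*)$"
)

# Constructed sample log: two normal log-ins, one after hours, one by an
# unlisted account, and one USB device attached to an exam-room workstation.
SAMPLE_LOG = """\
2024-03-04T08:15:02 ws-reception LOGIN user=frontdesk result=success
2024-03-04T23:41:10 srv-ehr LOGIN user=dr.lee result=success
2024-03-04T09:02:44 ws-exam2 LOGIN user=contractor7 result=success
2024-03-04T10:30:00 ws-exam2 USB_ATTACH vendor=0x0781 product=0x5567 user=nurse.kim
2024-03-04T11:00:00 srv-ehr LOGIN user=dr.lee result=success
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than silently trusted
    fields = dict(kv.split("=", 1) for kv in m["detail"].split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "event": m["event"],
        **fields,
    }


def outside_business_hours(ts: datetime) -> bool:
    """True if the timestamp falls outside the configured working window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(log_text: str) -> list:
    """Return a list of alert dicts for the events the policy cares about."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        base = {"when": rec["ts"].isoformat(), "host": rec["host"], "user": rec.get("user")}
        if rec["event"] == "LOGIN" and rec.get("result") == "success":
            if rec.get("user") not in KNOWN_ACCOUNTS:
                alerts.append({**base, "reason": "login by account not in the approved list"})
            if outside_business_hours(rec["ts"]):
                alerts.append({**base, "reason": "successful login outside business hours"})
        elif rec["event"] == "USB_ATTACH":
            alerts.append({**base, "reason": "removable device attached"})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to a real auditing setup: every removable-device attachment is reported regardless of who did it, because the article treats peripherals as a signal in their own right, and a log-in can trigger more than one alert (unknown account and after hours are checked independently) so that a reviewer sees every reason, not just the first.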
4. Develop access control policies.
Users should only be able to access the information they need. Access controls should always be set with the least permissions possible to allow your employee to do his or her job – a “need-to-know” basis. Access control policies also extend to physical access. You must ensure only authorized employees are able to physically access and change your most important systems, such as servers.
5. Patch and update all devices.
All workstations, servers and other IT-related systems must be patched and updated on a regular basis. Software developers are constantly releasing updates to patch security holes. While often overlooked, those updates must be applied regularly to protect your practice’s data.
6. Properly configure your firewall.
A firewall that prevents users from accessing sites unrelated to their work can significantly decrease the threat of malware-laden downloads. The expertise of a managed services provider can help in this area and those above.