Stay Ahead of HIPAA 2025: Essential Updates & How DataSure24 Supports Your Business

The Department of Health and Human Services (HHS) has announced sweeping changes to HIPAA regulations, transforming what were once flexible guidelines into concrete mandates. These HIPAA 2025 updates will reshape how healthcare organizations protect electronic protected health information (ePHI). For healthcare providers, medical billing companies, and their technology partners, these new mandatory requirements present both challenges and opportunities to strengthen their security posture. Understanding these changes now allows organizations to prepare effectively for what’s ahead.

Key HIPAA 2025 Updates You Need to Know

The new regulations introduce fundamental changes that every healthcare organization must understand and implement:

These changes mark a significant shift in HIPAA’s approach to security. Where organizations once had flexibility in how they met security objectives, the new regulations mandate specific security measures without exception. This uniform approach ensures all healthcare entities maintain consistent security standards.

The shift to mandatory requirements means organizations can no longer choose alternative security approaches or document why certain measures don’t apply to their situation. Every covered entity must implement the same security measures, creating a level playing field across the healthcare industry.

Enhanced Cybersecurity Requirements

HIPAA 2025 introduces specific cybersecurity mandates that will transform how organizations protect patient data:

These enhanced requirements recognize the evolving threat landscape facing healthcare organizations. The mandate for twice-yearly vulnerability scans ensures organizations identify and address security gaps regularly. Annual penetration testing provides validation that security measures work effectively against real-world attack scenarios. The anti-malware requirement extends to all systems handling ePHI, not just traditional computers. This comprehensive approach ensures protection across the entire technology infrastructure, from servers to workstations to mobile devices used in patient care.

Regular assessment requirements mean organizations must budget for ongoing security evaluations rather than treating them as one-time expenses. This shift from periodic to continuous security validation represents a fundamental change in how healthcare organizations must approach cybersecurity.

Strengthening Resilience & Incident Response

The new regulations emphasize organizational resilience through specific planning requirements:

These requirements acknowledge that incidents may occur despite preventive measures. Organizations must prepare for potential disruptions by developing comprehensive plans that address various scenarios. The emphasis on testing ensures plans work when needed most.

Business continuity planning under HIPAA 2025 requires more than just backing up data. Organizations must ensure they can maintain operations and protect patient information during and after incidents. This includes planning for system failures, natural disasters, and cyber attacks.

The requirement for regular updates recognizes that organizations change over time. New systems, processes, and threats mean yesterday’s plans may not work tomorrow. Regular reviews and updates ensure plans remain relevant and effective.

Important Dates & Next Steps

Healthcare organizations must pay attention to these key milestones in the HIPAA 2025 implementation timeline:

These dates represent important milestones in the regulatory process. The Tribal Consultation Meeting ensures tribal healthcare organizations have input into the final regulations. The public comment period allows all stakeholders to provide feedback on proposed rules. While the final rule and compliance deadline remain unannounced, organizations should begin preparation immediately. Waiting for final deadlines risks rushed implementation and potential non-compliance.

Practical Steps for Immediate Action

Healthcare organizations can’t afford to wait for final regulations before beginning preparation. Several steps can start immediately to ensure readiness for HIPAA 2025 requirements.

First, assess current security measures against known HIPAA 2025 requirements. Understanding where your organization stands today helps identify gaps that need addressing. This assessment should cover technical controls, policies, procedures, and staff training.

Second, begin budgeting for enhanced security measures. Twice-yearly vulnerability scanning and annual penetration testing represent new recurring expenses. Planning for these costs now prevents budget surprises later.

Third, evaluate your current security partnerships. HIPAA 2025’s requirements demand expertise in both healthcare and cybersecurity. Ensure your technology partners understand healthcare compliance requirements and can support your compliance journey.

Fourth, start developing or updating disaster recovery and business continuity plans. These documents take time to create properly and require input from multiple departments. Beginning now allows thoughtful development rather than rushed creation.

DataSure24: Your Partner in HIPAA Compliance

Ensure your healthcare clients are prepared for HIPAA 2025. Partner with DataSure24 for compliance-driven security solutions that address all new requirements. Our packaged services include everything needed for HIPAA 2025 compliance. Penetration and vulnerability testing services meet the new twice-yearly vulnerability scanning and annual penetration testing requirements. Our risk assessment and compliance audit services help identify and address gaps before they become compliance issues. Cyber threat protection and incident response services ensure organizations can detect and respond to security incidents effectively. Security awareness training helps create a culture of security throughout the organization. Our HIPAA Security Rule compliance expertise ensures all requirements are met properly.

DataSure24 understands both the technical and regulatory aspects of healthcare security. We work with healthcare organizations to implement practical solutions that meet compliance requirements while supporting patient care objectives.

Stay Ahead of HIPAA Changes

HIPAA 2025 represents significant changes in healthcare security requirements. The shift to mandatory security standards, enhanced cybersecurity requirements, and strengthened resilience planning will impact every healthcare organization. Success requires starting preparation now rather than waiting for final deadlines. Organizations that begin early will have time to implement changes properly, spread costs over time, and ensure staff are trained on new requirements.

The question isn’t whether these changes are coming—they are. The question is whether your organization will be ready when compliance becomes mandatory. Let us help you stay compliant, secure, and ahead of the curve. DataSure24 provides the expertise, services, and support needed to meet HIPAA 2025 requirements successfully. Contact DataSure24 today to build a compliant and secure future for your clients. Reach us at info@datasure24.com or call 716-600-3724 / 407-494-2885. Don’t wait until deadlines approach. Start your HIPAA 2025 compliance journey today with DataSure24 as your trusted partner.

Posted by Mark Musone

A Managed Security Service Provider’s Day on the Front Lines of the Cybersecurity Battlefield


Did you ever wonder what it’s like to work on the front lines of the cybersecurity battlefield … what the war room looks like … how battle cries and alarms are sounded … how troops are mobilized and dispatched to take on enemies at the gates and on the walls?

In my last post, I discussed the differences between Managed Service Providers (MSP) and a Managed Security Service Provider (MSSP). I hope that I’ve made a compelling case for why your company or organization may need both. In this post, I do a deeper dive to take you behind the scenes of a typical day in the life of an MSSP Cybersecurity Analyst to bring those differences to life in a vivid way.

Inside the Managed Security Service Provider Control Center … an Alarm Goes Off

Imagine, if you will, a team of contracted Tier 1 SOC Analysts sitting at their workstations, surrounded by monitors tracking internal and external movements within your IT network, when an alarm goes off that’s an indication of mischief. Immediately, the Analyst will log the alarm and use their training to assess the criticality of the alarm against a 15-step checklist to determine if a quick and aggressive response and remediation is warranted. To provide some perspective, DataSure24 sees about 150 alerts per day per Analyst over the entire scope of clients we are monitoring. Within 10 minutes, the alarm will be deemed either harmless or harmful, and if the latter, escalated immediately to our Tier 2 SOC Analyst. If it’s relatively harmless, the incident is still tracked but not treated with the same urgency.

Later that Morning at the Desk of the Tier 2 SOC Analyst

In an average month, we see about 18,000 alarms, and of those, about one out of every 100 gets escalated to a Tier 2 SOC Analyst. Within minutes, that Analyst will initiate a significantly deeper investigation, using our proprietary predictive algorithms, research, team discussions, and instinct to identify the exact nature of the intrusion and the best possible responses. Companies that use an MSSP will generally have a previously developed Cybersecurity Response and Remediation Plan, which is then put into play. That plan is executed coolly, professionally and swiftly by the Tier 2 SOC Analysts in conjunction with the client’s IT team. On average, once an alarm has been escalated to a Tier 2 Analyst, the time from assessment to response and remediation is less than an hour.

A Managed Security Service Provider’s Response to a Zero Day Attack

Three to five times a year, every company may experience a Zero Day Attack launched by hackers and cybercriminals. The term “zero-day” refers to a newly discovered software vulnerability. Because the developer has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released. So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that has just been exposed — and perhaps already exploited by hackers. Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users. But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That’s known as a zero-day attack.

If a zero-day attack is detected via monitoring by a Tier 1 Analyst, escalation takes on a sense of greater urgency and requires greater speed before what may be a small breach turns into a major headache, resource drain, financial loss, and reputation damage. While neither a Tier 1 nor a Tier 2 Analyst can patch the weakness, they can put a pre-determined Incident Response Plan into effect and work with the client’s IT team to isolate, protect or even shut down critical servers and other hardware. As you might imagine, it’s a bit more hectic and stressful both in our Mission Control room and at the client’s site when zero-day attacks occur, but teamwork and professionalism generally go a long way to short-circuit an attack of this type before a software patch is applied. The human element in place, always monitoring, can be the difference between a catastrophe and a ‘dodged a bullet’ scenario.

Later That Day, It’s Time to Catch Up on a Few Reports and Do a Vulnerability Scan or Two

A day in the life of a DataSure24 Tier 1 or 2 SOC analyst is a lot more than just sitting around, drinking coffee and waiting for an alarm to ping! They’re also preparing and delivering monthly reports to clients showcasing alarms caught and resolved, actions taken regarding elevated alarms and responses, zero-day attack incidents, and news or updates from the world of cybersecurity that merit a watchful eye.

There are also specialists hard at work doing contracted vulnerability scanning work, trying to identify and exploit security weaknesses, including phishing employees to determine their levels of awareness and compliance with company IT security policies. Generally, these network vulnerability scans reveal hundreds of vulnerabilities, most of which are easily resolved, but in some cases a significant vulnerability will be discovered or a trend indicating a security lapse identified. At that point, Network Vulnerability Analysts and other members of the MSSP team will develop a plan and identify resources that should be directed to executing remediation strategies, policies or actions.

Our team is always looking for ways to improve ourselves, from upgrading our technologies to continued and consistent training in our specialized environment. Staying globally aware of cybersecurity current events is a linchpin of our daily routine.

Meanwhile, On Your Calendar of Daily Activities

I hope that this brief overview of the life of a Cybersecurity Analyst provides the additional insight and guidance you need to make an investment in MSSP services happen. At a minimum, 24/7/365 cybersecurity monitoring has become a “must” and a necessary part of doing business.

Does your company have the right cybersecurity plan in place? Contact us for more information on how our customizable services may help protect your business.

Security Awareness Training—The Importance of Phishing Your Users


Whether your company has ten employees or one thousand, the risk of social engineering attacks is always relevant in today’s world. Users receive hundreds of spam emails per day, and although most of these emails are filtered out by current advanced filtering, some emails still slip through the cracks and are a large threat to your users. Some users click on all links or attachments found within emails. Others never click a link unless it is confirmed to be legitimate by the sender.

Phishing your users using custom phishing emails created by someone within your organization will make users more aware of what they are clicking on. Most users who click on a phishing link will never do it again. It’s better to have that one click be on an email your company created that will do no harm, than on an email that could cost your company thousands of dollars.

The risk associated with phishing emails has only increased due to the COVID-19 pandemic. IBM reported that between March and April of this year, they saw a 6,000% increase in spam attacks, and many of these attacks leveraged the current situation around the world involving the pandemic. Now it is more important than ever to make sure that your users will not fall for these types of scams. Creating your own tests that your users can learn from is one of the best ways to do so.

Source: USA Today

Posted by Connor Karek

Security Awareness Training—Training Your Users In Social Engineering


As a business, it’s your responsibility to provide training to your users that will aid them in completing their everyday tasks. In almost every industry, users will experience social engineering attacks while performing their duties. It is imperative that your users are trained in these attacks so that they do not fall victim to them and cause damage to your company. Here are some ways that you can train your users to aid them in recognizing these types of attacks:

Conduct In-House Phishing Attacks

There are many free or paid tools on the web that allow you to conduct phishing tests on your users. These tools provide valuable hands-on examples that your staff will have to interact with. They are great for seeing what your users may be susceptible to clicking on, or for showing you which users within your organization may require some additional training to make sure they understand these attacks and how to avoid them properly.

Conduct User Training (Webinar, policy reading, interactive training, etc.)

There is a large variety of information and training materials online that can be accessed for free and used to train your users. This training could be in a webinar format, an interactive training module that users must complete, or a simple reading that they must complete that goes through the dangers of social engineering attacks and what to look out for. Making sure your users are prepared is imperative when it comes to social engineering.

Posted by Connor Karek

Cybersecurity for Manufacturers—What is CMMC and What Should I Be Aware Of?


Manufacturers are under mounting scrutiny from both cybercriminals and regulators. Due to limited resources and budgets, manufacturers (especially small to medium sized) need cybersecurity guidance, solutions and training that are practical and cost-effective. Should a hacker manage to infiltrate a manufacturer’s systems and data, the cybercriminal has the potential to shut down operations and render them unable to fulfill client requests and contracted orders. This in turn leads to lost clients, lost revenue, and inability to pay employees. Not good.

The Department of Defense (DoD) recently announced that contractors who provide services and products in the Defense Industrial Base (DIB) will have to comply with the CMMC (Cybersecurity Maturity Model Certification). Lots of abbreviations – stay with us. There are 5 levels of the CMMC that have specific requirements and controls, mostly taken and modeled from the NIST SP 800-171 framework. The level that each manufacturer will have to comply with will depend on the types and size of the contracts that they are bidding on.

Key dates to be aware of for CMMC:

As the CMMC is still in its infancy in terms of rollout, a lot of the key dates and audit information are TBD (hence the large 5 year gap in rollout). The required controls have been released though, and it is only a matter of time until the DoD begins clamping down on the requirements in Requests for Proposals (RFPs).

Next steps to take? We are suggesting that if you are a defense contractor and believe you will have CMMC requirements to comply with, that you get ahead of the game. A good first step is to perform a self-assessment against the controls of the CMMC level you are required to comply with. The next step after completing a self-assessment is to contact an RPO (Registered Provider Organization) and perform a readiness assessment. This will get you in good shape security-wise, and let you know where the gaps currently are in terms of CMMC compliance. After meeting the criteria that the RPO states you need to fulfill to comply, you can contact a C3PAO (CMMC Third-Party Assessment Organization) for the audit and gain the certification. Unfortunately, the C3PAO cannot provide both a readiness assessment and an audit (and vice-versa for the RPO).

Please contact DataSure24 if you have any CMMC related questions.

Posted by Max Winterburn

Cybersecurity—Where to Start and How


Every business, no matter the type or size, needs cybersecurity right now. When it comes to cybersecurity, businesses should be taking a proactive approach rather than a reactive approach. You do not want to be questioning your business’s cybersecurity capabilities during a cyber incident. By having a strong cybersecurity program in place, you will not only be able to quickly and effectively respond to a cyber incident if one were to occur, but you will also mitigate many cyber risks and attacks prior to being the target of a cyber-attack. Here is what you and your business should know in order to create a quality cybersecurity program without needing to spend a large amount of money.

The first objective when building a cybersecurity program is to identify your sensitive data and where it resides. Whether it is your customer’s private information or your organization’s information, it is your responsibility to protect it. You should also determine your mission critical assets. These are assets that are critical to your business’s operations and, if the system were to be compromised, would cause irreparable loss to your business.

Once you have identified your organization’s sensitive data and core assets, you then want to focus on properly securing the data and core assets through the use of policies and technical controls. But now you might be wondering what steps to take to secure your sensitive data and core assets. Below are easy but effective steps you can take to protect your sensitive data and core assets right now:

Additionally, there are many cybersecurity frameworks that your organization can adopt to provide guidance for protecting your sensitive data and core assets. The framework that we recommend you check out is the National Institute of Standards and Technology (NIST) Special Publication 800-171 r2. This publication offers best practices for organizations in both the public and private sector. The publication also provides guidance on how to implement these best practices, so you can protect your information and organization.

Posted by Brendan Kenney

Department of Defense DFARS Interim Rule


On September 29th 2020, the Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) interim rule titled “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)”. The new rule was highly anticipated, as it was to address the new Cybersecurity Maturity Model Certification (CMMC) that was released earlier this year and discuss the DoD’s implementation of the CMMC in the Defense Industrial Base (DIB). The interim rule added the following contract clauses:

Many people were shocked to learn that the new DFARS interim rule also added two new cybersecurity contract clauses on top of the CMMC clause, which will affect new contracts starting November 30th, 2020. There has been a lot of talk about the new interim rule and its requirements, as well as misinformation about the new rule. We want to assure you, the new interim rule is not as scary as it sounds or as some people are making it out to be. With that being said, let’s take a closer look at the new interim rule. We will only be looking at the contract clauses 252.204-7019/7020 in this post. We will discuss the CMMC clause (252.204-7021) in a future post. If you want to learn more about the CMMC now, please check out this video where we introduce and explain the CMMC in detail: https://www.youtube.com/watch?v=1CKjn5ztXCs

New DFARS Requirements

The interim rule also added the following contract clauses: 252.204-7019 “Notice of NIST SP 800-171 DoD Assessment Requirements” and 252.204-7020 “NIST SP 800-171 DoD Assessment Requirements”. These two contract clauses went into effect starting November 30th, 2020, and unfortunately, there has been a lot of misinformation spread about these two clauses. Please read below for an in-depth overview of everything that you should be aware of regarding the two new DFARS clauses 252.204-7019 and 252.204-7020.

DFARS 252.204-7019 & DFARS 252.204-7020 Requirements:

Who This Applies to:

What is the Objective?

The reason for all of the above requirements is to eventually become CMMC certified for CMMC level 3 (the CMMC maturity level that handles CUI). The CMMC will be rolled out over the next few years until September 30th, 2025. All contracts are expected to require the CMMC after that date.

Our Suggestion

Example Scenarios:

Our hope is to help answer all of your questions regarding the new DFARS interim rule and the three clauses that have been added. We strongly recommend that you read the interim rule for yourself, which can be found here.

Posted by Brendan Kenney

Why You Need to Train Your Employees—What Is the Worst That Could Happen?


With email and other forms of telecommunication becoming more prominent than ever in the workplace, these forms of communication can leave holes in a company’s cyber security platform. Email addresses and public profiles can be hotspots of information that an attentive attacker can look to for gathering information and developing strategies to target the end user with attacks utilizing phishing, vishing, and other forms of social engineering. This leaves the everyday employee at the highest risk for these types of attacks. As a defense, proactive and continuous measures can help end users identify any emails that could be suspicious or malicious and help cybersecurity professionals identify these types of attacks and work to mitigate the damage caused.

Malicious attackers will target the end user with tactics such as social engineering, trying to act as someone they are not and looking to trick these users into either transferring funds to them or divulging confidential information such as usernames and passwords in order to gain access to the victims’ credentials. With this they can look to further exploit a business or system, gathering business documents and company data including names and private contact information. This can include customer data such as credit card or payment information, personal identification information and private contact information.

These types of attacks, if successful, can also lead to ransomware encrypting information on the business’s network and “holding it for ransom”. These can be extremely dangerous and costly if they propagate over a network. The methods of encrypting the data are often extremely hard to decrypt or figure out without paying for the key. Dealing with ransomware groups and providing payment will never guarantee that the ransomware group will provide the data or give the key even after the payment is made.

Now you may be asking what can be done to defend against these types of social engineering, phishing and more complex attacks? The simplest and easiest answer is to educate your employees. Continuous and ever-evolving training can teach end users to look out for key giveaways to these types of attacks. It is important to have end users that can identify scam or phishing communications as they are sent. Having users understand how to react when receiving one of these emails can save a company in the long run. An educated end user base can act as a strong preventative defense against social engineering-type attacks and give the team who handles such attacks a heads up that these types of attacks are being launched. This simple idea of continuous and consistent security awareness training can be far cheaper than reacting after an end user was phished.

Posted by Kyle Rauschelbach

Where To Begin If You Have No Security Training Program


In today’s day and age, many companies are realizing that security training is necessary for all employees. After all, the employees within an organization are the weakest link and are the easiest to exploit when looking for confidential information or when looking to do damage to a target company. Many companies do not know where to start when discussing security training for their employees. Most end up hiring outside help to assist in this process. But for those companies that cannot afford outside assistance on this issue, or for those that would like to keep this training in house, here are a few tips to get your Security Training Program started.

Provide Basic Security Awareness Training Sessions for Users

Most employees in the workplace are not aware of the threats that we face online every day. Most people will go through their work life clicking on all the links they receive in their inbox or submitting personal information in online forms on multiple occasions. This type of behavior is something we want to stop or limit in the workplace, and the first step to eliminating that behavior is educating your users on what to look out for. There is a plethora of online resources available such as whitepapers, free online lessons, and various articles across the internet where you can gain valuable information to pass on to your users. At some organizations, you may already have an Information Technology or Information Security staff member who has this knowledge and can pass it on to others. Take the time to schedule in-person or virtual meetings where your more knowledgeable staff members or leadership can teach your other staff members valuable tips and tricks and things to look out for online and in their inbox.

Test Your Users with Phishing Simulations

After educating your users you are going to want to test their knowledge and what they have learned in a real-world scenario. One of the best ways to do this is to create a Phishing Simulation for all your users. These simulations send emails that mimic emails they may receive in the workplace from potential attackers and test how they react to the email they receive. Will they open the email and click on a link, potentially giving an attacker access to their systems? Will they see the email, reflect on what they learned and ignore or delete it? These simulations are the best way to see what your employees will do in those tough situations. There are many online providers that can provide these tests for free if you sign up on their website. An example would be KnowBe4, who provides a free phishing test if you sign up on their website.

Ensure User Training Occurs Consistently

New threats emerge each and every day, and the types of threats that emerge are evolving at a rapid rate. Because of this, it is important that your users receive training on at least an annual basis. This training can be done using your own staff as mentioned in this post, or if after a year you believe you cannot consistently provide this training for your users, you may want to ask outside agencies for assistance.

DataSure24 offers Security Awareness Training for all business sizes and provides full management of the service itself via one of our Security Analysts. Learn more about our Security Awareness Training here.

Posted by Connor Karek
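The phishing-related posts above (phishing your users, training them in social engineering, the "key giveaways" an educated user base learns to spot, and the phishing simulations recommended here) describe what users should look for without spelling out the checks. The following is an added example, not DataSure24 code or output from KnowBe4 or any other tool named on the page: a small Python checker that applies four common giveaways to a message's headers (a display name that shows a different address than the real sender, a Reply-To that diverts replies to another domain, a sender domain that closely resembles the organization's own, and a failed SPF/DKIM/DMARC result recorded by the receiving gateway). The choice of indicators, the internal domain example.com, the scoring labels and both sample header sets are assumptions constructed for illustration; the same logic can feed the training material users see or run at the mail gateway to tag messages for the SOC.

```python
"""Score e-mail headers for common phishing giveaways (added example, not DataSure24 code)."""
import difflib
import re
from typing import Dict, List, Optional, Tuple

# Assumption: the organization's own mail domain(s). Constructed for this example.
INTERNAL_DOMAINS = {"example.com"}

_ANGLE = re.compile(r"^(.*?)<([^>]+)>\s*$")          # 'Display Name <addr>'
_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+)")    # an address embedded in free text


def split_header(value: str) -> Tuple[str, str]:
    """Split 'Name <addr>' into (name, addr); a bare address gives ('', addr)."""
    m = _ANGLE.match(value.strip())
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip().lower()
    return "", value.strip().lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def lookalike_of(domain: str, trusted: set, cutoff: float = 0.8) -> Optional[str]:
    """Trusted domain that `domain` closely resembles without being it, else None."""
    if not domain or domain in trusted:
        return None
    hits = difflib.get_close_matches(domain, sorted(trusted), n=1, cutoff=cutoff)
    return hits[0] if hits else None


def phishing_indicators(headers: Dict[str, str]) -> List[str]:
    """Return the giveaways found in one message's headers (empty list = none found)."""
    findings: List[str] = []
    from_name, from_addr = split_header(headers.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name carries an address whose domain differs from the real sender's.
    shown = _ADDR_IN_TEXT.search(from_name)
    if shown and shown.group(1).lower() != from_dom:
        findings.append(f"display name shows @{shown.group(1).lower()} but sender is {from_addr}")

    # 2. Reply-To sends replies to a domain other than the sender's.
    _, reply_addr = split_header(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"replies go to {reply_addr}, not the From domain {from_dom}")

    # 3. Sender domain is a near-miss of an internal domain (typo-squat style).
    target = lookalike_of(from_dom, INTERNAL_DOMAINS)
    if target:
        findings.append(f"sender domain {from_dom} resembles internal domain {target}")

    # 4. Authentication results stamped by the receiving gateway show a failure.
    auth = headers.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} check failed")
    return findings


def risk_label(headers: Dict[str, str]) -> str:
    """Coarse label for a report: 'clean', 'suspicious' (one giveaway) or 'likely phishing' (two or more)."""
    n = len(phishing_indicators(headers))
    return "clean" if n == 0 else "suspicious" if n == 1 else "likely phishing"


# Constructed sample headers for the demo (not real messages).
SPOOFED = {
    "From": '"ceo@example.com" <ceo@examp1e.com>',
    "Reply-To": "payments@mailbox-example.net",
    "Authentication-Results": "mx.example.com; spf=pass; dkim=none; dmarc=fail",
    "Subject": "Urgent wire transfer",
}
LEGIT = {
    "From": "IT Helpdesk <helpdesk@example.com>",
    "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "Subject": "Monthly security awareness tip",
}

if __name__ == "__main__":
    for label, hdrs in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", risk_label(hdrs))
        for line in phishing_indicators(hdrs):
            print("   ", line)
```

The lookalike check uses a plain similarity ratio, so it catches single-character substitutions like the constructed examp1e.com but will not flag a wholly unrelated domain; pair it with the authentication results, which the gateway adds after checking the sending domain's published SPF, DKIM and DMARC records, rather than relying on any single indicator.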

Four Proactive Measures to Prepare for a Cybersecurity Incident


Benjamin Franklin is often quoted as saying, "If you fail to plan, you are planning to fail." The same is true of an organization's data security program. An organization that is well prepared for a security incident, with a robust data security program in place, will not only reduce the likelihood of suffering a security incident but also significantly reduce the cost of one when it occurs. Below are four proactive measures your organization can take to prepare for a security incident and reduce its overall risk.

1. Develop an Incident Response Plan

An Incident Response Plan ("IRP") establishes the method and procedure for identifying, responding to, and reporting a security incident. An IRP sets forth, in writing, each key stakeholder's role in responding to an incident and ensures that every stakeholder is on the same page. An IRP should include the following:

2. Test the IRP with Tabletop Exercises

Once an organization's IRP is established, the organization should test it regularly. This testing can be done through tabletop exercises that simulate a security incident and exercise the IRP end to end. Following the tabletop exercise, the organization can adjust its IRP so that it is better equipped to respond to a real security incident effectively and efficiently.

The Ponemon Institute conducts one of the largest annual research studies on data security breaches and produces a yearly report on the cost of a data breach. Last year the Ponemon Institute reviewed over 500 breached organizations and found that the largest single cost saver for a business suffering a data breach was incident response preparedness. Specifically, organizations that had an incident response team and also regularly tested their IRP saved, on average, $295,267 in breach costs [i]. This savings underscores the importance of developing an IRP and regularly testing the plan with tabletop exercises.

3. Employee Training

An organization's security is only as strong as its weakest link, and that weakest link is often its employees if they are not trained in security best practices. Employees should be trained to help prevent a security incident through strong passwords and sound password management, and to identify and report phishing emails and malicious links. An organization should also train its employees to recognize a security incident and to report it to the proper stakeholders within the organization, which helps the organization address the incident efficiently. Employee training should be completed during onboarding and repeated yearly so that employees remain diligent in the day-to-day practices that keep the organization's systems secure.

4. Vulnerability Scanning and Pen Testing

One of the best ways to reduce the likelihood of a security incident is to test an organization's systems regularly, through both vulnerability scanning and penetration testing. Vulnerability scanning uses automated tools to examine an organization's systems for known security weaknesses, such as missing patches, outdated software, and insecure configurations, and produces a list of the vulnerabilities present. Penetration testing, also known as pen testing, takes a deeper dive: an ethical hacker attempts to gain access to the organization's systems by exploiting its vulnerabilities, which shows whether a weakness a scanner reports can actually be used by an attacker and how far that attacker could get. By analogy, if the organization were a house, vulnerability scanning would check whether the exterior doors are locked, while pen testing would go through an unlocked door and then check whether the doors to the rooms inside are locked too. It is recommended that an organization conduct vulnerability scanning at least twice a year and pen testing at least once a year.
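To make the distinction above concrete, here is a small version-based vulnerability check written for this page; it is an added example, not a tool from the article or from DataSure24. A production scanner collects service banners over the network and matches them against a vendor or NVD advisory feed; this version embeds a constructed inventory of five services and a constructed advisory table with hypothetical identifiers (ADV-0001 and so on) so that it runs offline, and the hostnames and banners are invented.

```python
"""Minimal version-based vulnerability check over a constructed service inventory.

Added example, not from the article. A real scanner gathers banners over the
network and consumes a vendor or NVD advisory feed; here both the inventory
and the advisory table are constructed inline so the logic runs offline.
Hostnames, banners and advisory identifiers are hypothetical.
"""
import re

# Constructed service inventory, as a banner-grabbing pass might record it.
INVENTORY = [
    {"host": "billing-web-01", "port": 443,  "banner": "Apache/2.4.49 (Unix)"},
    {"host": "billing-web-01", "port": 22,   "banner": "SSH-2.0-OpenSSH_8.9"},
    {"host": "ehr-db-01",      "port": 5432, "banner": "PostgreSQL 9.6.24"},
    {"host": "ehr-db-01",      "port": 22,   "banner": "SSH-2.0-OpenSSH_7.4"},
    {"host": "fax-gw-01",      "port": 21,   "banner": "vsFTPd 3.0.3"},
]

# Constructed advisory table (hypothetical IDs): product, first fixed version, severity.
ADVISORIES = [
    {"id": "ADV-0001", "product": "Apache",     "fixed_in": "2.4.51", "severity": "critical"},
    {"id": "ADV-0002", "product": "OpenSSH",    "fixed_in": "8.5",    "severity": "high"},
    {"id": "ADV-0003", "product": "PostgreSQL", "fixed_in": "11.0",   "severity": "high"},
]

# Product name followed by a separator and a dotted version number.
BANNER_RE = re.compile(r"(Apache|OpenSSH|PostgreSQL|vsFTPd)[/_ ](\d+(?:\.\d+)*)")

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings
    (a string comparison would wrongly rank '9.6' above '11.0')."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str):
    """Extract (product, version tuple) from a banner, or None if it is not recognised."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    return match.group(1), parse_version(match.group(2))


def scan(inventory, advisories):
    """Return one finding per service whose version predates the advisory's fix,
    ordered most severe first, then by host and port."""
    findings = []
    for service in inventory:
        parsed = parse_banner(service["banner"])
        if parsed is None:
            continue  # unknown product: no basis for a version comparison
        product, version = parsed
        for adv in advisories:
            if adv["product"] == product and version < parse_version(adv["fixed_in"]):
                findings.append({
                    "host": service["host"],
                    "port": service["port"],
                    "product": product,
                    "version": ".".join(map(str, version)),
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                    "severity": adv["severity"],
                })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']}:{f['port']} {f['product']} {f['version']}"
              f" -> upgrade to {f['fixed_in']} ({f['advisory']})")
```

Running it lists the three out-of-date services, most severe first. This is the scanner half of the house analogy: it reports which doors appear unlocked but never opens one. Two caveats a practitioner would add: banner-based version matching produces false positives where a distribution backports a fix without changing the advertised version (common with OpenSSH on enterprise Linux), and false negatives for anything that hides or rewrites its banner. A pen test, which actually attempts the exploit, is what confirms which findings are real.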
These preventive measures reduce the likelihood of a security incident because an organization can use the results of vulnerability scanning and pen testing to patch weaknesses and make system changes that further secure its systems. In addition, the Ponemon Institute "Cost of a Data Breach" study found that organizations that conduct vulnerability scans reduce the cost of a data breach by $172,817 [ii]. Therefore, in addition to helping prevent a security incident, vulnerability scans and pen testing reduce the cost of a security incident if and when one occurs.

In sum, take proactive measures to reduce the risk of a cybersecurity incident as well as the cost of an incident when it occurs. An Incident Response Plan, employee training, vulnerability scanning, and pen testing are a few proactive measures an organization can take to secure its systems and best prepare for a security incident. If you have questions on how this specifically relates to your organization, Greg Gaglione of Rupp Baase Pfalzgraf Cunningham can help. As is often the case in life, those who are proactive and prepare will perform the best. The same is true for an organization and its data security program.

DISCLAIMER: This article is for general information purposes only. The information in this article does not, and is not intended to, constitute legal advice. Contact a qualified attorney to obtain advice with respect to any specific issue or legal question. Attorney Advertising.

[i] Ponemon Inst., 2020 Cost of a Data Breach Study 42 (2020).
[ii] See id.

Does your company have the right cybersecurity plan in place? Contact us for more information on how our customizable services may help protect your business.

Posted by Greg Gaglione
