
The following article was published in the Veterinary Ireland Journal, October 2022, Volume 12, Number 10.

 

Following on from last month’s article on Cyber Crime and Ransomware, guest contributor Joe McGivern, CEO of supportIT, provides some practical advice on improving cyber security in veterinary practices, educating staff on awareness and utilising cybersecurity tools to protect systems, data, and the ability to work.


An increasing reliance on technology, especially arising from the lockdowns and home working of the Covid-19 pandemic, has made all businesses and organisations more vulnerable to many forms of Cybercrime. With employees working away from the main place of business, the danger of system breaches has become an increasing concern for everyone.

Hackers have become increasingly sophisticated in recent years and even more so during the pandemic. We are seeing an increase in the number of attempted attacks, especially those designed to target people who are working from home, or at a distance from the office, where there might be security vulnerabilities. Breaches, regardless of the severity, can be disruptive, costly, and damaging to a business’ reputation.

The recent HSE cyber-attack is a stark example of the implications if such a breach happens in your organisation, and veterinary practices are no different, holding information relevant not only to the identities of their owner clients, but also critical clinical information relating to the animals under their care.

In light of the current cyber environment, supportIT has put together some information to help organisations put procedures and tools in place to address cyber security issues.

Create a more Security-Aware Organisational Culture


Security awareness is a large part of the human side of prevention. Often, people are the weakest link – 70% of Not-For-Profit users report a lack of security awareness in their organisations. The best way to mitigate this risk is to ensure staff are aware of the latest threats through Security Awareness Training, both at induction for new employees, and as refreshers for existing staff.

Security Awareness Training should outline the security measures the veterinary practice has in place and explain their importance. Often users don’t like waiting for machine updates or using two-factor authentication, but if they understand why these measures are in use, they are more likely to build them into their own IT practices.

There are many security awareness training videos that can be used for this purpose (check out Webroot on the BrightTalk Channel). Build one or two of those into your HR inductions, or ongoing refresher training, to highlight the importance of good security practices.

Defined Reporting Processes

Have a defined process for reporting potential scams. Highlighting attempted email scams shows staff what to look out for, and the process for reporting spam should be communicated to all users. Many of our clients request an alert when a potential spam issue is logged so that they can monitor the types of threats that are coming into the business and use that information for educational purposes. Some of the most important basic procedures include:

  • If a user received a potential scam email and didn’t click on anything within the email, they should still report it to their IT provider
  • If a user has clicked on anything within the email, such as a link or a PDF, they should immediately unplug their machine from the network and log the issue with their IT provider
  • If the user is working away from the office, from home or in the field, they should still report the issue immediately because the virus could potentially infect the network the next time the machine is in the office
  • Those managing the practice’s finances and payments systems should also have a strict process for validating bank details. These should be verified by phone before bank details are changed on the system

Update Contracts and HR Policies

Introduce a non-compliance clause into your HR documentation so that staff know the implications of not adhering to good IT security.

We are also advising companies to put policies in place for work devices that are in use in the home, or, quite literally in the veterinary context, out in the field. These should exclusively be used by the employee, not friends or family. We are also advising clients to have a ‘Bring your own device’ policy; devices that staff are intending to use should have strong anti-virus software installed and be updated to ensure the latest security patching is in place.

Organisations should also have an internal “Security Champion,” particularly those without an IT provider. This Champion should share security trends and threats with management and colleagues to ensure that good security practices are followed.

Strong Group Policy & Password Settings

As a managed service provider, we put particular emphasis on strong group policy settings: forced password changes, minimum password length, screen locks and software installation restrictions can all be activated centrally and pushed out to every machine for enhanced security.

Strong password policies should also apply to third-party applications being used in the business, like CRM applications and finance applications – discourage sharing passwords and create logins for each individual user for audit trail purposes.

Use Virtual Private Networks (VPN)

A VPN is needed if you are planning for those working away from the veterinary practice to connect into the practice network, particularly if sensitive information is being made available. Ensure your practice has enough licences in place to allow all your remote workers to access the network, and reinforce it with the SSL security protocol and multi-factor authentication.

Ensure you have adequate Anti-Virus solutions in place

The best products are paid solutions with proven detection rates. Make sure that you include phones, tablets, and especially laptops. One such product is Webroot, an award-winning solution with high detection rates that isn’t too heavy on the machine. Webroot Anti-Virus has built-in ransomware protection, while Webroot Security Awareness Training offers simulated phishing attempts to highlight potential scams.

Two Factor/Multi-factor Enablement

Most business applications now support multi-factor or two-factor authentication, and veterinary practices should ensure that this is enabled across all applications. This can usually be activated within the application itself and is best practice to ensure your application is secure, particularly if you store personally identifiable or financial data.

Data Loss Protection (DLP)

For those organisations that have more stringent compliance regulations, an added layer of protection called Data Loss Protection (DLP) is available. DLP is a built-in feature of Office 365 and can be activated through the Office 365 management console or through Google.

Additional Security Tools

There is a myriad of free-to-use and paid-for cybersecurity tools available to help protect your organisation:

  • End-Point Protection Tools – If your organisation has end-point protection in place through its IT provider, additional add-ons for ransomware protection can be enabled
  • Advanced Email Security – Google and Office 365 have built-in advanced email protection tools that can be enabled
  • Enable Encryption – If a laptop with encryption enabled falls into the wrong hands, your data is protected

If it happens, deal with it correctly

The reputational damage resulting from a data breach can be devastating for a business. Research has shown that customers will stop doing business with organisations that have been breached, which is why it is so important to take the steps above to mitigate this possibility. However, in our experience, if it does happen, confidence can be restored if customers know that you have taken the proper steps by notifying them and the Data Protection Commissioner (DPC) of the breach, and then put policies and procedures in place to ensure it doesn’t happen again.

 

supportIT provides straightforward Cyber Security advice and related services. If you have concerns or need advice about Cybercrime, please talk to us today to get a detailed security audit for your veterinary practice – visit www.supportit.ie or contact our staff at enquire@supportit.ie / 01-902-2112.

 
