How to Achieve and Sustain Secure Agility

GettyImages-532034284The long-term success if a business depends on its agility – the ability to sense and adapt to changes within the industry in order to stay competitive. The same can be said for your IT operation, but it’s not as daunting as it sounds.

Start at the bottom—and at the top

An agile enterprise requires agile, user-centered, comprehensive, integrated security. If security at your enterprise isn’t already all of those things, start making it all of those things.

For most of you, that effort can and should begin with patching your key applications, operating systems, client systems, and servers more consistently and regularly than you are now. As you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

As you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

Secure agility can be built from the ground up, but the will and commitment to become and remain securely agile must come from enterprise leadership. That means executives, IT, security, and business unit leaders must be visibly and demonstrably behind security- and agility-enhancing initiatives.

Walk the talk

Declared commitments to secure agility must extend beyond platitudes and media quotes. Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise. This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.

Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise.

This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.

Build it in

Every process and control upon which your enterprise’s competitiveness depends must incorporate security- and agility-enhancing elements.

This means those processes and controls must be driven by and measured against your enterprise’s performance requirements and goals. They must also incorporate specific features for integration with and support of efforts to achieve and sustain user-centered security.

Controls and processes that do not include these characteristics will likely contribute little to your organization’s agility, and might even impede it. (This means all controls and processes must be reviewed and tested regularly and designed to be easily modified or retired as changes demand.)

Show your work

It’s not enough to preach the gospel of secure agility. It’s not even enough to achieve a sustainable level of secure agility. For your efforts to have maximum business value, you must show and tell all of your most important stakeholders the details of those efforts and their effects. This means that consolidated, integrated, timely, business-driven reporting of all things related to security and agility should be a critical element of your secure agility efforts.

Be securely agile everywhere

Pursuit of secure agility may begin in one or more departments or business units, but for maximum business benefit, it must be pervasive.

For many enterprises, the best way to make this happen is to start with IT. IT powers most of the services that run an enterprise’s business and is already focused on (if not preoccupied with) security. Secure agility initiatives that prove successful within IT can therefore likely be incorporated into the delivery and management of other business services.

This means that a single, integrated, process-driven platform for service management and security management can be a powerful enabler of enterprise agility.

Secure agility is an operational and competitive requirement for every successful enterprise. By taking concrete steps toward inculcating a culture that is focused on user-centered security and enterprise agility, you can accelerate your enterprise’s journey to true, sustainable, secure agility.

If you choose or are forced to remain focused on reactive firefighting as an operational approach to security, neither secure agility nor your career are likely to advance much further at your enterprise.

Moving to a proactive, holistic approach to user-centered security and enterprise agility, however, will have salutary effects on your enterprise and your career.


Reshaping Your Enterprise With Agility, Resilience, and Trust

GettyImages-537708180It is critical to understand that success in establishing and cultivating ART-fulness (agility, resilience, trust) at your enterprise—like success in establishing and cultivating comprehensive security—is largely an outreach-driven effort.

Both require consistently high levels of internal marketing, sales, and evangelism.

These requirements may constitute the bulk of your challenges as you seek to establish, grow, and promote both ART-fulness and security at your enterprise.

Fortunately, there are some straightforward steps you can take to tame these challenges, steps based on some fundamental, consistently successful marketing and outreach techniques.

How to Make Your Enterprise More Secure and More ART-ful

  • Engage

Security and ART-fulness are things you simply cannot achieve and do not even want to attempt without lots of help and support. Identify the influencers, leaders, and stakeholders who matter most to your efforts. Then, make sure their voices are heard and matter, and make sure that they know these things are true.

  • Inform

Once you’ve identified those who matter most, get and stay in touch with them. Tell them what you’re doing and why. Tell them how their support is contributing to your efforts and why those contributions matter. Regular, non-disruptive, nonintrusive communications, perhaps via a short e-mail newsletter, a dedicated internal Web site or portal, or both, can be low-effort, high-impact tools here.

  • Persuade

Use the activities and information with which you engage and inform your constituents to persuade them that comprehensive security and ART-fulness are essential to your enterprise’s success. Find and share supporting external examples of secure, ARTful enterprises.

Identify and tout credible data that underscores the business value of security and ARTfulness—and the costs and risks of not having enough of either. Free, simple, Web content monitoring tools such as Google Alerts can make finding such points of persuasion easier.

Also, when you and your colleagues successfully improve security, agility, resilience, and/or trustworthiness within your enterprise, promote these successes to as many stakeholders and influencers as possible. Nothing persuades like success.

  • Invite

This is one of the most critical and frequently overlooked elements of successful outreach. Every communication should include a call to action—an invitation to do something to continue the conversation. Ask your constituents for their opinions and suggestions wherever possible.

Hold events such as webinars and Tweet chats, and invite constituents to participate. Solicit success stories or even “epic fails” related to security, ART-fulness, or both, and share these with attribution. Welcome input and feedback, and incorporate these explicitly into your enterprise’s journey to greater security and ART-fulness. This is one of the most effective ways to turn the disinterested and skeptical into observers, stakeholders, and advocates.

An enterprise that is optimally secure and ART-ful is one that is well positioned for sustained success, whatever its primary business. But neither optimal security nor ART-fulness ever just happens. Each requires careful, consistent nurturing and support from a committed community of advocates.


Trust Us, the Cornerstone to Business Is ‘Trust’

GettyImages-77188102Let’s cut to the chase. There are likely no circumstances under which you would choose to do business with any person or entity you could not trust.

It is equally likely that every client (internal and external), partner, and prospect of your enterprise thinks and feels exactly the same way.

Trustworthiness is therefore at least as critical to your enterprise’s success as agility or resilience.

To quote perhaps the world’s best-known investor and businessperson, Warren Buffett, “Trust is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.”

This is especially true for companies that sell products or services, which is just about all companies.

Trust and the Bottom Line

Stephen M.R. Covey is the author of the book The Speed of Trust: The One Thing That Changes Everything. He is also the son of Stephen R. Covey, who wrote the worldwide bestseller The 7 Habits of Highly Effective People, and CEO of the Covey Leadership Center. A central element of Stephen M.R. Covey’s thesis is that deals get closed faster and are more successful when those involved share high levels of trust.

Specifically, Covey argues that success in business requires a winning competitive strategy, and superb organizational execution—and that distrust is an enemy of both. He adds that while high trust levels won’t necessarily make a poor strategy effective, even the best strategy can be derailed by a lack of trust.

The bottom line? Edelman, the world’s largest PR firm, surveyed some 33,000 people worldwide for its 2015 Edelman Trust Barometer. Of those respondents, 63 percent said they simply refuse to buy anything from those they don’t trust. Further, 80 of those respondents said that they will buy only from those they trust.

Zig Ziglar, one of the best known and widely read sales professionals in the world, once said, “If people like you, they will listen to you. But if they trust you, they’ll do business with you.”.

How to Achieve and Sustain Trustworthiness

  • Know where you are. Bite the bullet, and ask your most important constituent groups (privately, of course) questions that help you assess how much they trust your team or company. At minimum, ask if they’d do business with your team or company again, if they’d recommend your team or company to peers, and why or why not.
  • Fix what’s broken. Use those questions and answers to identify any unsatisfied constituents, find out why they’re unsatisfied, and fix it. Every unsatisfied constituent is a detriment to trustworthiness, and you should assume that your constituents talk with each other.
  • Cultivate advocacy. Use those questions and answers to identify your happiest, most trusting clients and partners, then ask them to let you make them stars. That is, ask for their permission and cooperation to showcase them in your outreach efforts. Then, make it as easy as possible for them to be featured in the success stories, presentations, interviews, and other content you produce with their cooperation and support.
  • Show your work. It’s one thing to claim to be trustworthy. It’s another to be able to demonstrate and document trustworthiness credibly and on demand to any and all stakeholders—from customers, partners, and prospects to auditors and regulators. This is a major, long-term, continuing effort. And everything you do to make and keep your organization’s IT infrastructure comprehensively, demonstrably secure greatly aids these efforts. Comprehensive, proactive, user-centered security is a firm foundation for managing governance, operational transparency, and reporting. All of these, in turn, enhance your organization’s ability to both claim and credibly demonstrate trustworthiness.

Make the goal of trustworthiness a significant part of every plan, strategy, and process that governs your business, especially those focused on IT security, since the security of your IT infrastructure has direct and profound effects on your organization’s ability to be trusted. Include your internal and external clients and partners in this effort wherever practical. It may be the single most significant thing you can do to minimize time to success and maximize the number and value of constituent relationships, for your constituents, your team, and your enterprise.


Shavlik is Your Single Solution to Creating an ART-ful Enterprise

GettyImages-519491604While tools alone will not guarantee comprehensive, effective, user-centered security, the right tools can enable and accelerate your progress toward that goal.

Shavlik offers a number of tools that can support your efforts to maximize your organization’s IT security.

Shavlik Protect

When the majority of vulnerabilities come from third-party applications, patching operating systems isn’t enough protection for your organization.

Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments. It automates patching of not only Microsoft Windows and Office software but also third-party applications from hundreds of vendors, including Adobe, Google, and Oracle.

Shavlik Protect can be configured to deliver agentless or agent-based patch management, and can patch both online and offline virtual machines, including templates and the hypervisor itself. It can even take snapshots prior to patch deployment, so you have a rollback option if something goes wrong. Other capabilities include a library of ITScripts (pre-created PowerShell scripts) that can be customized easily to automate scores of IT maintenance tasks, on demand or on a regular schedule.

Shavlik Protect is also intuitive and easy to configure and use. For many users, Shavlik Protect can be deployed and begin delivering value in as little as 30 minutes.

Shavlik Empower: Heterogeneous Patching in the Cloud

This cloud-based solution delivers patch management for and asset intelligence about Windows and Mac OS X devices. Empower sentinels scan for devices across your environment, then leverage Microsoft Active Directory to extract and map significant intelligence about your organization’s IT assets. Empower then deploys agents that enable comprehensive, flexible patching of Windows and Mac OS X systems, wherever they are.

A browser-based interface enables administrators to view and manage the information collected by Empower sentinels and agents from almost any Web-connected device. Empower can be deployed independently, or as an add-on for Shavlik Protect, Shavlik’s patch management automation solution for datacenter servers, client workstations, and virtual environments.

Fully automate Windows patching, with the flexibility to define policies that lets you filter what you patch by severity, vendor, product family, or product version. Employ the same workflows to manage Mac OS X patching (with some slight differences in filtering options). Minimize user disruption with flexible scheduling and reboot control. Create a firm, flexible foundation for pervasive, effective, transparent security at your enterprise with Shavlik Empower.

Shavlik Patch for Microsoft System Center

For organizations that already know and use Microsoft System Center Configuration Manager (SCCM), Shavlik Patch is an ideal add-on for enabling SCCM to patch third-party applications. Shavlik Patch delivers updates for more than 1,500 application versions from an easyto-use plug-in that snaps right into the SCCM console. Shavlik Patch enhances security and extends the value of Microsoft SCCM investments, with no additional infrastructure or expertise required.

Secure Mobile Email by LetMobile

LetMobile also supports comprehensive, configurable data loss prevention (DLP) filtering rules for both inbound and outbound traffic based on device, user, location, network and time. LetMobile also integrates with any incumbent corporate DLP systems to inherit existing rules and policies. It’s the best of all worlds for a “bring your own device” (“BYOD”) or “company owned, personally enabled” (“COPE”) environment, since it provides robust data security without interfering in any way with personal use of the mobile device.

The Shavlik Team: Your Expert Security Partners

The Shavlik website features authoritative, timely blog posts, as well as white papers, forums and security alerts. The site is an ideal go-to resource for your ongoing security education and promotion efforts.


5 Secrets to Achieving and Sustaining Resilience

GettyImages-608512524There is one thing you must do – and keep doing – to start down the path toward true enterprise resilience: Patch everything. All the time. Starting now.

To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are a few reasons:

According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years.”

Gartner analyst Anton Chuvakin addressed this grave security concern in one of his blog posts.

“Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today—and struggle mightily,” he observed. “In the darkest woods of IT, patching third party applications on a desktop remains a significant challenge for many organizations.”

By the way, the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST) states that some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.

Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers, and user devices are patched and updated consistently and in a timely fashion. Then begin the following actions:

  1. Plan – To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” DR/BC, or otherwise, the goals of your plan should be the same—maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.
  2. Analyze – Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.
  3. Engage – To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such marketing and sales efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.
  4. Update – Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly and for regular review of all relevant policies, plans, processes, and procedures.

No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.

Begin by patching everything, all the time, starting now. Then, assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need and deserve.


Surviving the Storm With Agility and Resilience

Data warping into safe box - 3D Rendering“The oak fought the wind and was broken, the willow bent when it must and survived.” – Robert Jordan, The Fires of Heaven

Many businesses are suffering the same fate as the oak mentioned in Robert Jordan’s quote. It’s Jordan’s willow that is standing the test of time thanks to its agility and resilience.

Business resilience

As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject.

Discussions surrounding resiliency tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery and even more than business continuity.

True enterprise resilience is a strategic focus on maintaining operational integrity and restoring it as quickly and completely as possible after any disruption—planned or unplanned, minor or catastrophic.


ISACA (formerly the Information Systems Audit and Control Association) is a membership organization that provides certifications, information, and guidance focused on auditing controls for computer systems.

Volume 3 of the 2009 ISACA Journal features an article by information security expert John P. Pironti called “Key Considerations for Business Resiliency.” That article provides both a comprehensive definition and a significant caveat for those pursuing business resilience (or resiliency).

“Business resiliency is the maturation and amalgamation of the individual processes of crisis management, incident response, business continuance and disaster recovery into one succinct set of processes and capabilities that work collectively, instead of independently.

This combination allows organizations to have minimal disruption in the event of a business-impacting incident that affects the entire organization, instead of focusing on incidents that involve specific information infrastructure areas.

“When evaluating these capabilities, it is important to understand that they are only as effective as the proactive planning and considerations that go into their development. Too often, planning accounts for only the most obvious considerations and does not incorporate crucial and essential considerations that have a greater effect on the business.”

Resilience defines the bottom line

As the ISACA quote above states, resilience includes multiple other elements beyond DR/BC. Despite the inclusion of BC in the description and intent of most DR/BC plans, these tend to focus on DR and IT.

True resilience, however, focuses more on the needs of and effects upon the business.

The goal of true resilience is to enable the business to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

A specific focus area for resilience plans and strategies is the availability of essential IT and business services. Small-seeming differences can mean a lot.

For example, the difference between 99 percent availability and 99.9 percent availability is the difference between just more than 10 minutes and 1.68 hours of downtime every week. Most IT service level agreements (SLAs) focus on availability levels of 99.99 percent, or “four nines,” and 99.999 percent, or “five nines.”

These differences merely hint at the range of options available to those seeking to balance availability with cost, since higher availability almost always requires higher investment in infrastructure. IT decision makers are often significantly challenged by the need to associate costs with availability levels in ways meaningful to their business colleagues.

This challenge is a primary driver behind the growth of enhanced reporting and “chargeback” and “showback” features in IT infrastructure and service management offerings.

However, these can only improve the presentation of relevant information. They do nothing to make the underlying infrastructures and the services they enable more available, resilient, or robust. Such features can and should be included in resilience strategies and solutions, but they cannot and should not stand alone.


The One Thing Leading Businesses All Have in Common

GettyImages-513642194Agility is more than simple, reactive adaptability. It’s even more than what’s usually covered by the discipline known as “change management.” (An aside: to succeed with change management, it is often necessary to… change management.)

So, what exactly is agility?

In August 2014, The Center for Effective Organizations (CEO) at the University of Southern California (USC) published its first book, The Agility Factor: Building Adaptable Organizations for Superior Performance. The Center has conducted its Organization Agility Research Program for more than a decade and studied more than 230 companies as part of the research that led to the book.

The authors found that “consistently high performers possess a capability to change their resources and processes repeatedly.” Such enterprises also “have the strategies, structures, resources, processes, and routines that allow them to both sense and adapt to environmental threats and opportunities as well as intentionally execute on strategic initiatives.”

This comparatively broad and proactive view of agility requires an equally agile IT infrastructure—and to be truly, reliably agile, that infrastructure must be secure.

Agility’s bottom-line benefits

Security obviously matters to those focused on agility, but why should those who focus on security care about agility?

In 2006, organizational effectiveness experts Edward Lawler and Christopher Worley wrote the book Built to Change: How to Achieve Sustained Organizational Effectiveness. According to Lawler and Worley, between 1973 and 1983, 35 percent of the top 20 Fortune 1000 companies were new to that list. That percentage of new top-20 companies grew to 45 percent between 1983 and 1993, and to 60 percent between 1993 and 2003.

Many, if not most, of the companies displaced by newcomers to the Fortune 1000 top-20 list not only fell to lower positions but ceased to exist entirely. Why? Because they were not sufficiently agile. So agility can be seen as a type of job security for security teams and their colleagues across the enterprise.

Agility also has more direct and positive effects on an enterprise’s bottom line, as a separate USC CEO study revealed. For that research, the Center evaluated the financial performance of more than 240 large firms across 17 industries and 30 years. “In every industry we studied, there were two or three ‘outperformers’: companies that achieved above average industry…performance more than 80 percent of the time.

When we compared our survey and interview data with the performance data, we observed a strong relationship between a company’s basic approach to management and its long-term profitability patterns. When markets and technologies changed rapidly and unpredictably—as they did in every industry over these 30 years—the outperformers had the capability to anticipate and respond to events, solve problems, and implement change better than thrashers. They successfully adapted. They were agile.”


User-Centered Security Is a Fine A.R.T.

Cyber Security

While every enterprise is different, there are three fundamental characteristics common to all successful modern enterprises. The successful modern enterprise is:

  • Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.
  • Resilient – able to avoid threats, disasters, and disruptions and to recover rapidly and seamlessly from those that cannot be avoided.
  • Trustworthy – able to credibly demonstrate and document operational transparency in ways that create and justify high levels of trust among all stakeholders.

It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.

User-centered security is a focus on what users use to do their jobs—applications, information, devices, and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important, you can also protect users from being conduits into the enterprise for malware and other threats, all while keeping critical enterprise resources safe.

How to Achieve User-Centered Security

User-centered security is not only desirable, it’s achievable. The Australian Signals Directorate (analogous to the National Security Agency (NSA) in the United States) estimates that up to 85 percent of targeted attacks on IT environments are preventable by taking four simple steps:

  • Application whitelisting
  • Timely application patching
  • Timely operating system patching
  • Restricting administrative privileges to users who really need them

Unfortunately, such protections are like smarter eating and exercise habits. Most of us know what would be best for us to do, but we don’t always do it.

Take patching, for example. In an April 2015 alert, the US Computer Emergency Readiness Team (USCERT) identified the Top 30 Targeted High Risk Vulnerabilities. The newest dates from 2014, the oldest from 2006. That means there are patches designed to remediate all 30 vulnerabilities, but many enterprises have not yet installed those patches, for whatever reasons.

Agility, resilience, and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, beginning with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes, and services that make agility, resilience, and trustworthiness possible.

To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation.

Of course, none of these strengths can be achieved or sustained by processes or technologies alone. As with almost everything else a successful enterprise does, effective security and ART-fulness are achieved and sustained by people. Specifically, you and your people in concert with colleagues from across your enterprise. Evolution into a secure and ART-ful enterprise requires leaders, evangelists, champions, and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience, and trustworthiness— possible.


A Three-Pronged Approach to Thwarting Healthcare Data Breaches

A 3d render of a large connected network of security padlocks. Online digital security conceptAging software, shared access, and the growing popularity of mobile devices has made the healthcare industry an easy target for hackers.

According to Healthcare Informatics, data breaches at health institutions represent 21 percent of global cyberattacks in the first half of 2015, exposing the personal information of millions of customers. Hackers are selling that data for hundreds of thousands of dollars.

To enhance security significantly, healthcare organizations can and should harness two strategies. One is comprehensive operating system and software application patching. The other is securing access to personal health information, personally identifiable information, and other business-critical information, for fixed-location and mobile users, devices, and applications. Both are relatively simple to implement and unlikely to generate user resistance.

Patch Management

Most breaches start with malware infection and most malware infections exploit vulnerabilities in unpatched software. Comprehensive patching of operating systems and software applications is, therefore, essential for maximum security and for compliance with relevant laws, regulations, and business requirements. This is especially important in environments that include old and shared systems running many different types and versions of operating systems and software.

Many organizations have spent years perfecting their server operating system and Microsoft software patching strategy, using essential tools such as Microsoft System Center Configuration Manager (SCCM). However, hackers seeking softer targets now focus their efforts on vulnerabilities in common, less-widely protected, third-party applications and browser add-ins, such as Adobe Acrobat Reader and Flash Player, Google Chrome, Mozilla Firefox, and Oracle Java.

According to the Center for Strategic and International Studies, 75 percent of attacks use publicly known vulnerabilities in commercial software. The 2016 Verizon Data Breach Investigations Report says that the top 10 vulnerabilities are responsible for 85 percent of all successful breaches and that eight of those are 13 or more years old. Attacks aimed at these and other vulnerabilities can be easily and consistently thwarted by regular patching.

Tools such as Microsoft SCCM excel at automated operating system patching. However, their abilities to patch third-party applications are insufficient.

Secure Information Access

Healthcare organizations looking to support mobile device use among doctors and other healthcare staff should start with a strategy that focuses on comprehensive, consistent protection of information. To be of maximum effectiveness and value, such a strategy must provide protection from threats whether users’ devices are “at rest” or “in motion.”

By far, the most widely used application is email. An effective data protection strategy must therefore be equally effective at guarding against malware hidden in email attachments and in other file types, whether those are being accessed by users of mobile or fixed-location devices. That strategy must also provide effective protection against threats from rogue applications.

The Shavlik Solution

Shavlik offers three essential tools for implementing a comprehensive software patching and information protection strategy:

  1. Shavlik Patch for Microsoft System Center integrates tightly with Microsoft SCCM to extend its patch vulnerability detection and deployment to third-party applications. Using SCCM’s own patch delivery mechanism, Shavlik Patch monitors and patches hundreds of popular, third-party applications, including those of Adobe, Apple, Google, Java, and Firefox. The intuitive Shavlik Patch SCCM console plug-in eliminates the manual steps required to define and load patch information into SCCM.
  2. For organizations that aren’t using SCCM or that lack an existing tool for server patching, Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments.
  3. Advanced Endpoint Protection from BUFFERZONE, a Shavlik partner, provides effective, transparent protection of authorized applications and critical information from a wide variety of threats. This solution uses virtual containers to isolate entire application environments, including memory, files, registries, and network access. Malware, whether known or new, is restricted to the boundaries of the virtual container, never actually reaching the user’s system or the rest of the network. The BUFFERZONE solution can even defeat infections by ransomware or removable storage devices. Its protections provide a strong complement to Shavlik’s patch management offerings

Where hackers are concerned, the worldwide healthcare industry is a prime target, but healthcare organizations can take steps today to ensure that they are protected. A security strategy that encompasses automated, comprehensive application and operating system security patching and secure information and application access can be implemented quickly and cost-effectively. Such a strategy can provide comprehensive protection from both known and emerging threats and attacks.


The Black Market for Medical Records and What It’s Costing Hospitals

Cybercriminals have discovered how profitable it is to steal and sell personal healthcare information. Now hospitals and medical centers are warding off more cyber-attacks as hackers look to pad their bank accounts.

89% suffered data breaches between 2014-2016

Between 2014 and 2016, 89 percent of healthcare organizations experienced some kind of data breach, according to a study conducted by the Ponemon Institute. The study found 45-percent of those organizations were hit five or more times in that same time period.

A majority of breaches, 68 percent to be exact, can be traced back to lost or stolen devices with access to sensitive data, this according to a Forbes article on the recent trend in attacks on the healthcare industry.

112 million records compromised, selling for $10 to $500 per record

In the first half of 2015, the healthcare industry suffered more than 20 percent of global data breaches in which 84.4 million records were compromised. By the end of that same year, 112 million records had been accessed in a total of 253 breaches, according to Forbes.

So what’s the payout? On the black market of stolen data, sensitive patient information is worth anywhere from $10 to $500 per record, compared to credit card numbers which only sell for about a dollar.

While hackers make money, these attacks are proving to be costly for medical providers. In December of 2014, Anchorage Community Mental Health Services agreed to pay a $150,000 fine for violating HIPAA laws as a result of a data breach.

Hackers are also using stolen information to make fraudulent Medicare claims and pocket the cash. The feds lose roughly $60 billion to Medicare fraud annually.

99.9% of exploited vulnerabilities were compromised more than a year after a patch

With aging software running equipment used by techs, nurses and doctors – plus, the growing popularity of being able to access critical medical data on mobile devices, the time is now for health providers to reinforce their IT defenses.

Don’t let the hackers win!

Shavlik solutions offer superior protection for data centers, endpoints, and mobile devices. A security strategy that encompasses automated, comprehensive application and operating system security patching and secure information and application access can be implemented quickly and cost-effectively. Such a strategy can provide comprehensive protection from both known and emerging threats and attacks.