Interview With Randy Steinle, CEO & Co-Founder at Cyber Trust Alliance

Shauli Zacks


In a recent interview with SafetyDetectives, Randy Steinle, CEO and Co-Founder of Cyber Trust Alliance, Inc., sheds light on the motivations behind the establishment of the organization. Stemming from a managed I.T. consulting firm, Cyber Trust Alliance evolved to address the compliance challenges faced by small and mid-sized healthcare organizations. Steinle emphasizes the importance of strategic partnerships for small businesses to achieve and maintain compliance, stressing the need for education and documentation in this process. Discussing cybersecurity risks, he identifies the human factor as a significant threat and advocates for comprehensive training to combat issues like phishing and ransomware.

Can you introduce yourself and tell me what motivated you to start Cyber Trust Alliance?

Cyber Trust Alliance was born out of a managed I.T. consulting firm that my partner and co-founder Chris Canada has run for the past 30+ years. I joined Chris 17 years ago to lead business development and build partnerships. In 2012, we partnered with the Texas Organization of Rural and Community Hospitals (TORCH) to assist their hospitals with achieving Meaningful Use. This included performing security risk assessments annually for the hospitals so they could qualify for incentive payments. While this program was very successful and we helped over 50 hospitals achieve this goal, we recognized a much bigger opportunity. As Meaningful Use program dollars ran out, we saw the “carrot” of incentive payments replaced by the “stick” of fines and penalties that applied to all healthcare organizations.

One key takeaway from our work with TORCH was discovering that there weren’t great options for small and mid-sized healthcare organizations when it came to compliance. There were TurboTax-type do-it-yourself programs, or you had high-end consulting firms that were too expensive for many of these organizations.

We set out to create a hybrid solution that uses humans to perform risk assessments, but with virtual, scalable technology solutions so it could be included in our affordable subscription model. We also needed humans to help coach our clients and walk the compliance journey with them. Finally, we needed a way to capture all that hard work, and we created our SaaS CEBA Compliance suite to document all the evidence, train people, provide policy and procedure templates and management, and a dashboard so people can see where they stand at a glance. What we’ve created is a perfect blend of these that provides high-end services but in an affordable subscription model.

What are some of your main services and features?

One of the big things that was important to us when we created CEBA was having a comprehensive solution, but we knew it had to be easy for people to learn and use it. Healthcare organizations are significantly understaffed right now, and folks are struggling to keep up with regulations and costs. The last thing they need is another high-cost, complicated solution.

In order to keep it simple, we created a solution that:

  • Provides a dashboard because it’s important for busy professionals to have meaningful information at a glance.
  • Has built-in training that meets regulatory requirements and prepares employees to better protect the information entrusted to an organization.
  • Includes templates for all required policies and procedures and a policy management module that’s designed to simplify that process.
  • Provides compliance coaches who meet with clients regularly to walk them through the process and make sure they are getting the most value from their time invested.
  • Offers virtual tele-assessment so we can perform risk assessments at a lower cost and with less interruption for our clients.

Clients who buy a subscription service don’t want to pay separately for required components, like risk assessments. Therefore, we wanted to make sure everything necessary was part of the package so our clients don’t have to worry about surprises when it comes to billing.

What are some strategies that you recommend for small businesses to achieve and maintain compliance?

I believe strategic partnerships are key to success for small businesses. I recently read an article about how that’s on the top of a lot of hospital leadership minds as we start the new year.

One of the misconceptions we come across often is “My IT firm handles compliance.” Then we talk to the IT firm, and they say, “We do?” There’s a need for some education and understanding about the importance of compliance with standards like HIPAA and who is responsible for what. Partnerships allow doctors and nurses to be doctors and nurses, utilizing the expertise of others to minimize cost and risk.

Another concern I have is that people are often working on compliance issues, but they don’t document their work. This documentation process is essential to demonstrating due diligence and as we like to say, “getting caught doing the right things”.

So, to summarize, I recommend partnering with people you trust and documenting all the work you are putting into compliance.

What are some of the key cyber security risks that businesses are facing today and how can they be mitigated?

I regularly remind business leaders that humans are still our number one threat. You can spend millions of dollars on the perfect network and cyber security tools, but if you’re not educating your people, you are still at great risk of a breach.

Educating people about phishing and ransomware is one of the first lines of defense that we recommend to everyone as it’s the #1 threat to healthcare organizations today.

Some other examples of key threats and strategies:

  • Make sure you train your staff.
  • Don’t use things like free email. It’s imperative in today’s business climate to be on a paid service that has built-in compliance and security components.
  • Patch your laptops and systems. People tend to ignore this and leave their machines unprotected.
  • Use multi-factor authentication (MFA) for validating the identity of users on your network and systems. This has quickly become a must-have, especially for cyber insurance policies. It is critical to be able to properly identify your users and make sure only the appropriate people are logging into your systems and accessing information. MFA is not overwhelmingly expensive, making the return on investment almost immediate.

What are some of the key stages involved in a standard pen testing process?

Penetration testing is a simulated attack on a company’s digital environment attempting to exploit vulnerabilities and “penetrate” the environment or assets.

Just as bad actors (aka hackers) do, the first step in the penetration testing process is to look for vulnerabilities. This involves running scans on the network, looking for things like missing or outdated patches, open ports, and misconfigurations, to name a few.

Next, any found vulnerabilities are sorted into risk categories, where risk is calculated by determining the likelihood of a vulnerability being exploited times the impact to the network if it is.

Step 3 involves attempting to exploit a representative sample of the highest-risk vulnerabilities. Through this process, pen testers are able to validate the vulnerability scan results, provide examples or proof of the system weaknesses, and recommend steps to remediate the vulnerability.

It is this last step that is most critical. Rather than merely delivering a list of potential issues, this final step provides a roadmap of the remediation work that is needed and the impact it can have on a client’s risk.

How do you see artificial intelligence and machine learning impacting compliance and security?

Artificial intelligence (AI) and machine learning have great potential; however, I believe they can be a “double-edged sword” for us.

Both have significantly improved cybersecurity tools over the past year, and we are just getting started.

However, hackers/bad actors also use AI and machine learning to create more credible looking attacks and “learn” where our weaknesses are.

Phishing scams in particular are getting more sophisticated and are no longer just badly written emails that come from a strange email address that is easy to spot.

I’m reserved on my position on AI and machine learning. I believe we have to use it carefully, but at the same time, I think we have to recognize how it can be used against us and tread carefully. It is imperative that our leaders determine how to regulate it and hold people accountable as we determine how best to harness the awesome potential for good.

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools.