Could one Data Breach Kill your Company?
SecureState had performed several External and Internal Penetration Tests for a small healthcare company. While their very small external footprint limited the number of vulnerabilities there, we consistently broke into internal servers, quickly escalated privileges, and achieved domain compromises. Because of these obvious weaknesses, the company asked SecureState to perform an INFOSEC Assessment, to provide a view of the overall maturity of their security controls and associated security program.
The INFOSEC Assessment revealed that sizeable gaps existed around the company’s Organizational Security, Data Classification, Incident Response and several other areas. In particular, the two areas most deficient based on their impact to the organization were Application Security and Network Security. Overall, their information security program rated at the Initial or Ad Hoc level, and 14 out of 15 (93%) control areas assessed lacked the formality and definition necessary to reach the company’s desired level of security.
Perhaps it should not be surprising that a small company focused on growth had neglected security, or at least was unable to let it grow at the rate of the core business. However, consider the dire potential impact a lack of adequate controls could have if a threat actor chose to exploit these significant vulnerabilities. As the company’s Director of IT stated, “If the PHI our customers trust us with was compromised or altered, we would be out of business.”
Let that sink in. One hacker or malicious contractor could quickly (and fairly easily) undo everything positive the company had been working to grow. A public data breach would most likely lead other health organizations to pull their relationships. Customer distrust would send them elsewhere. Potential government fines would prove disastrous. Put in that context, a small investment in protecting customer PHI seems pretty wise.