5 IT Resolutions Your Practice Should Actually Keep in 2017
Happy New Year. 2016 was... a lot, from a cybersecurity perspective. Yahoo lost 3 billion accounts. Ransomware hit hospitals. The NSA's own hacking tools got stolen. The internet went down because someone hacked a bunch of security cameras.
So let's start 2017 with some practical resolutions. Not the ambitious-but-unrealistic kind that get abandoned by February. The achievable kind that actually make a difference.
1. Schedule Monthly Backup Tests
We've said this before, but it bears repeating because almost nobody does it: test your backup restores monthly. Put it on the calendar. The first Tuesday of every month, restore one file from backup and verify it's complete and usable. That's it. Fifteen minutes, once a month.
If January's test reveals that your backup hasn't been running since October (this happens more than you'd think), you'll catch it before it matters instead of discovering it during a ransomware attack.
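As an added example (not from the original post), a small Python script that performs the monthly check described above: it flags a backup set that has not been written to recently, restores one file, and compares its SHA-256 hash with the live original. The directory layout, file names and the two-day freshness threshold are assumptions for illustration.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 2  # assumption: nightly backup job; tune to your schedule

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_age_days(backup_dir, now=None):
    """Days since the newest file under backup_dir was written; None if empty."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime for p in Path(backup_dir).rglob("*") if p.is_file()]
    return (now - max(mtimes)) / 86400 if mtimes else None

def restore_test(source_file, backup_dir, restore_dir):
    """The monthly check: is the backup fresh, and does one restored file match?"""
    age = backup_age_days(backup_dir)
    fresh = age is not None and age <= MAX_BACKUP_AGE_DAYS
    backup_copy = Path(backup_dir) / Path(source_file).name
    matches = False
    if backup_copy.is_file():
        restored = Path(restore_dir) / Path(source_file).name
        shutil.copy2(backup_copy, restored)  # the restore step itself
        matches = sha256_of(restored) == sha256_of(source_file)  # complete and usable?
    return {"backup_age_days": age, "backup_fresh": fresh,
            "restore_matches": matches, "passed": fresh and matches}

def demo(stale_days=0, corrupt=False):
    """Constructed scenario: one live file, its backup copy, an empty restore area."""
    root = Path(tempfile.mkdtemp())
    live, backup, restore = root / "live", root / "backup", root / "restore"
    for d in (live, backup, restore):
        d.mkdir()
    src = live / "schedule.csv"
    src.write_bytes(b"date,room\n2017-01-03,constructed sample\n")
    copy = backup / "schedule.csv"
    copy.write_bytes(b"date,room\n" if corrupt else src.read_bytes())
    if stale_days:  # simulate a backup job that silently stopped months ago
        old = time.time() - stale_days * 86400
        os.utime(copy, (old, old))
    return restore_test(src, backup, restore)
```

Running `demo(stale_days=90)` reproduces the "hasn't been running since October" case: the restore still succeeds, but the freshness check fails, which is exactly the signal the calendar reminder is meant to surface.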
2. Implement a Password Manager by March
Give yourself a deadline. By March 31st, your practice should have a business password manager deployed, all shared passwords eliminated, and unique credentials generated for every account. This is the single highest-impact security improvement most practices can make, and it costs less than your monthly office supply order.
Our recommendations: 1Password Business or LastPass Teams for small practices. Both are well-designed, both support two-factor authentication, and both make it easy to manage shared access to practice accounts without actually sharing passwords.
3. Do One Phishing Simulation Per Quarter
Send a simulated phishing email to your team every three months. Track who clicks. Don't shame anyone. Use it as a learning opportunity. Over the course of the year, your team's click rate will drop dramatically.
Services like KnowBe4, Proofpoint Security Awareness, and Cofense offer affordable phishing simulation platforms. Some include training content that you can assign to people who clicked. The investment is minimal; the protection is significant.
4. Review Vendor Access Quarterly
Every three months, review who has access to your systems: IT vendors, billing companies, PMS support, telecom providers. Verify that their access is still necessary, that their credentials are current, and that you have signed BAAs where required.
This is also a good time to review internal access. Has someone's role changed? Did someone leave? Are there dormant accounts that should be disabled? Access control isn't a set-it-and-forget-it exercise.
5. Get Cyber Liability Insurance by February
If you don't already have it, get quotes in January and have a policy in place by February. Cyber liability insurance is one of those things that feels unnecessary until the moment you desperately need it. After the year we just had, there's no excuse for operating without it.
Most small practice policies cost between $500 and $2,000 per year. That covers breach notification, forensic investigation, legal fees, and business interruption. Compare that to the average breach cost of $355 per compromised record, and the math speaks for itself.
The Theme for 2017
If 2016 was the year of the breach, let's make 2017 the year of preparation. The threats aren't going away. They're going to keep evolving. But the practices that are prepared, with tested backups, trained teams, and a plan for when things go wrong, are the ones that survive.
Five resolutions. All achievable. All affordable. Pick one and start today.
Here's to a safer 2017.