Categories
Articles Executive Recruiting

Myths in Recruiting – Part 2 of Make Better Hiring Decisions

Myth #3: HR Orientation includes all the On-boarding Needed for New Hire Success

Many companies spend hundreds of thousands of dollars on complex onboarding plans that all too often require an unrealistic commitment of time and effort from several busy individuals. One of the foremost myths in recruiting is that these “one-size-fits-all” plans ever actually work. The truth is that they are rarely successful. All companies include orientation, but orientation is not actual on-boarding.

Retained executive search consultants are experts in this area, as our reputation depends on new hire retention. An on-boarding plan must be simple and easy and require a minimum amount of time. As the executive recruiter has already defined the team profile and discovered how the new hire’s skills and behavioral traits will impact the team he/she will work within, it is a matter of producing two documents.

Good On-boarding Plans are Not Myths in Recruiting

The Personal Action Plan, used by the new hire right from the start, is based on conversations between the new hire and his/her immediate supervisor. After that consultation, the new hire has an action plan that not only meets the objectives of the role he/she was hired into but also provides for self-development that allows career growth, utilizes the new hire’s strengths, and works on his/her weaknesses. A second document, the Mentoring and Coaching Plan, is used by the actual Hiring Manager. It is designed for that new hire, not as a “one-size-fits-all” plan.

What is the result of orientation that uses an expensive, all-encompassing on-boarding plan? A waste of valuable time with little to show for it. The result of a retained executive search firm’s personalized on-boarding plan? A streamlined, efficient process that results in fast assimilation, quick productivity, and longer retention.

Myth #4: HR and/or Hiring Managers Should Always Make the Offer

Another of the myths in recruiting is that HR makes the offer because that is part of their job function. Often, we see a hiring manager or HR extend an offer to a candidate who would have helped the manager’s company and career enormously – only to receive a turn down. In many instances, the offer fails to emphasize the specific elements of the opportunity which are of greatest interest to the candidate and fails to address his/her aspirations and goals. These quality performers are not actively looking and may need to be “sold.”

It is so frustrating to watch human resources and hiring managers think that THEIRS is the ideal company, opportunity, and offer and that passive candidates should be 100% sold on the opportunity. The fact is that HR often lowballs the offer or insists on being the sole negotiator. I’ve got news for you – great candidates don’t believe you, they are not going to work for you, and really it is rather insulting to them.

After all, they are considering working for the actual hiring manager. While there are various reasons why good candidates are open to making a change, the fact is that virtually none would be comfortable sharing those concerns with an internal recruiter. It is extremely frustrating when an executive recruiter must come in to save the day after a turn down. It’s gotten to the point that at NextGen we simply will not accept a loss and insist in our contract that we make the offer and close.

Professional recruiters have great expertise in developing in-depth individual relationships with the candidates they present. As part of their service, professional recruiters will identify the candidate’s primary motivators for making a move. By advising the client on the compensation plan in the offer and by making the offer verbally, acting as the go-between, they reduce or eliminate turn downs and assure the manager of securing the best talent available.

Who Makes the Employment Offer – Myths in Recruiting

While companies do experience turn downs, retained executive recruiters rarely do. We know what it will take to get the offer signed, and when a candidate appears unreasonable, retained search firms have the experience and skill set to pull the offer when needed and to win the candidate over by addressing their concerns.

In the final part of this series, we’ll look at the biggest of the myths in recruiting: that executive search, and specifically retained search fees, are too expensive. In that article, we lay out why recruitment fees based on performance and delivery by the search firm, on the hire, and on the success of a hire that meets or exceeds the objectives of the role are far more cost effective than any other means, with the rare exception of a great referral.

Affordability of Retained Search Fees – Make Better Hiring Decisions – Part 3

In the first and second articles of this three-part series, we discussed the differences between, and the utilization of, HR, internal recruiters and executive search firms. In particular, Part 1 reviewed unearthing and vetting passive candidates, while Part 2 looked at onboarding and negotiating offers. To conclude, we discuss how retained executive search actually provides affordability of retained search fees.

Myth #5: Retained Executive Search is too Expensive.

Retained executive recruiters report that many of the companies that can most benefit from their services employ internal recruiters. This may lead to the belief that utilizing retained search firms when internal recruiters or HR people are employed is not cost effective.  A simple cost analysis will show otherwise. Consider the combined cost of salaries and benefits of HR personnel and internal “recruiters”, as well as the time that HR people spend doing non-productive interviews with unqualified candidates. These direct and indirect costs are substantially higher than paying out a one-time fee for an executive recruiter’s services.

Executive recruiters eliminate the time and expense required by a firm to find, hire and train a new internal “recruiter”. And any truly successful in-house recruiter will soon leave his salaried position to become a successful external executive search consultant.  Additionally, your chances of securing a long-term contributor are much better if an experienced executive search consultant is involved. Studies have shown that a bad hire costs companies three times more than an employee’s annual salary.

Many times, HR or internal recruiters will give the same search to several contingency search firms, in the hope that multiplying the quantity of resumes and applicants will result in something that sticks to the wall. What they fail to realize is that, since the companies have no skin in the game, contingency recruiters research and send the same candidate resumes to every one of your competitors at the same time. After all, they only receive a fee if a candidate they present is hired. At the same time, the job posting is duplicated across the Internet on job boards and in emails, making it seem as if there may be an issue with the quality of the opportunity and/or the company.

Retained search firms never use job boards. They unearth the best candidates, vet and assess them, and deliver a shortlist of 2 to 4 finalists to consider. A retained executive search firm’s work isn’t done once a candidate has been placed successfully. The guarantee covering the candidate is often one year; at NextGen we offer a 24- to 36-month replacement guarantee – far exceeding the probationary period. Seasoned recruiters make a point of periodically checking in with candidates they have placed and will share any concerns with the hiring manager. This is invaluable information and directly contributes to a long-term successful employee, longer retention, and a highly productive staff.

Success Based Recruitment Affordability of Retained Executive Search Fees

Finally, many retained executive search firms have gone to a performance-based (or rather success-based) fee structure. While the initial deposit can range from 1/4 to 1/3 of the fee depending on the role, the second invoice usually occurs once the shortlisted candidates are delivered and scheduled for in-person interviews.

The final invoice occurs upon hiring one of those candidates. For senior executive-level succession bench roles, the final invoice can occur up to one year later, dependent upon the new executive meeting their MBOs.

It’s a win-win for the company, and a good retained search firm will not look at it as a gamble with money but rather as confidence in the placement they have made.

Internal recruiting can be a good solution for filling lower- to mid-level non-critical positions. Internal recruiters can screen the candidates that apply via the company portal and can provide hiring managers with candidates for lower-end roles. However, for critical and key roles, it is an excellent and necessary business decision to utilize the services of a highly skilled retained executive search firm, especially one that has expertise in your industry and knows your market.

Final Analysis on the Affordability of Retained Executive Search Fees

The cost of a bad hire is often 2 to 3 times the salary paid, and it doesn’t stop there. It’s not just the loss of time and the need to hire a replacement, but other aspects of failure that occur:

  1. Loss of momentum in a product or service launch into the marketplace, which occurs with bad hires in R&D, product management, marketing, sales, and sales engineering
  2. Failure to meet customer needs and reduce customer acquisition costs when the wrong software, hardware, or R&D engineers are hired
  3. Failure to properly implement a strategy when a functional leader role is a bad hire
  4. Failure to meet maximum goals for an M&A or IPO when the wrong CFO or SVP is hired
  5. Failure to meet sales targets and expand market share when the wrong CMO or VP Sales is hired
  6. Failure to meet stockholder and investor ROI when a bad CPO, CDO, or CEO is hired

Whether it is a key sales, engineering, operations, functional leadership, or senior executive role, a quality retained executive search firm actually SAVES you money in the long run and brings forth a shortlist of candidates that can meet, and most often exceed, the objectives of the role. Therefore the affordability of retained search fees is evident: they pay off in the long run.

Make Better Hiring Decisions Amid Myths in Recruiting – Part 1

Executive hiring managers depend on the quality of their people to achieve goals and implement strategy. A better understanding of the skills and capabilities of executive recruiters can enable any hiring manager to make better hiring decisions, and thereby enhance their own career!

Some executives are aware of, and take full advantage of, the best possible means of identifying and selecting top quality candidates for critical staff openings. However, many do not. Frequently, this stems from myths regarding the merits of utilizing the services provided by topflight retained executive search firms. With a better understanding of these realities, hiring managers will dramatically improve their ability to secure the most qualified candidates in a timely manner.

In the first part of this series, we’ll explore the myths behind sourcing exceptional talent, the differences between the screening and assessment methods used by internal HR and talent acquisition groups and those used by experts in retained executive search, the pros and cons of behavioral testing, and how all of these impact the ability to make better hiring decisions.

Making Better Hiring Decisions Starts with Finding the Right Talent

Myth #1: Companies Often Unearth the Same Talent that Executive Recruiters Do

With the rise in popularity among HR and internal talent acquisition of online job boards, job aggregators, and networking platforms, many companies mistakenly believe that these sources contain the same talent that can be found through retained executive search firms. This belief couldn’t be further from the truth. Good executive recruiters don’t post ads on job boards to find qualified applicants. Instead, they focus on specific industries and even specialize by types of positions within those industries. The benefits of doing so are enormous. It allows them to invest tremendous time and energy forging relationships with high-performing candidates within these niche markets, learning the types of positions in-demand people would see as advancing their careers.

Professionals who genuinely excel have neither the time nor the desire to peruse online job ads or to respond to the dozens of email inquiries sent by internal recruiting staff. It is only when an executive search consultant personally approaches them that the best people take the step of becoming available to discuss an opportunity.

Retained executive search consultants invest countless hours establishing unique connections and building relationships with key performers. These connections allow access to talent pools built over many years…and which are available through no other sources.

This, along with the ability of these search consultants to carefully screen and evaluate the best candidates, is what allows them to bring the strongest talent to the table – those “A players” at any level who produce 8 to 10 times more than the next level of “B players”. Instead, companies continue to rely on job boards, career sites, and networking platforms that will never find the outstanding quality of talent that retained executive recruiters can provide.

Myth #2: Internal Staff can Access and Vet Candidates as well as an Executive Search Firm

While this belief is prevalent within many companies, a thoughtful analysis will prove the opposite. Retained executive recruiters make a living by finding talent that companies cannot find on their own. While in-house resources may be effective for lower-level and even some middle-level roles, retained search firms are not limited to C-level searches; when it comes to functional leadership or key critical roles, it makes sense for hiring managers to give themselves every opportunity to interview the very best candidates and make better hiring decisions.

Internal recruiters typically spend their time vetting applicants who apply or can be found through online portals. Think about it – in the less-than-4% unemployment world we live in, the best candidates are simply not found that way. Retained search firms focus on finding superior candidates who are successful in their present situation and can show similar expertise, accomplishments, and skills relevant to the role you need to fill. This very different methodology results in a very different level of candidate.

A Solid Assessment Method Enables You to Make Better Hiring Decisions

Moreover, retained search firms look at many other factors, such as discovery and validation of candidates’ industry relationships – with internal customers, as well as suppliers and external customers. In addition, seasoned executive recruiters do not focus on “corporate culture”. The reason is simple: each team that a candidate will be hired into is unique.

Therefore, using psychometrics to discover and measure these team members as stakeholders of the role allows the executive recruiter to measure values and motivations, real and situational communication skills, as well as traits in conflict resolution, problem solving, and decision making. This Team Profile allows executive recruiters to then conduct behavioral interviews and scientific testing of potential candidates to make sure they are not only a role fit but a team fit as well.

Finally, the ability to call proven performers at direct competitors to discuss career options is a significant factor in what sets external professional recruiters apart from internal recruiters or HR people. Having the ability to reach out to these peak performers offers hiring managers access to highly sought-after candidates they would never see otherwise, in order to make better hiring decisions.

In Part 2, we will discuss HR orientation, including onboarding processes that do and do not work, as well as the pros and cons of having human resources and/or hiring managers make employment offers.


Engaging a Retained Search Firm for Multiple Key Staffing Needs is Best Option

The truth of the matter when engaging a retained search firm for multiple key staffing needs is that they produce far better candidates, have much deeper relationships in the industry they are working in, and have a search process that in the end delivers candidates who can meet or exceed the objectives of the role they are hired into.

Many companies’ HR and Talent Acquisition groups think more short term than long term when it comes to staffing critical roles. The long-term strategy most often used is a combination of career site branding, job boards and job aggregators, LinkedIn talent solutions, and multiple contingency search firms, to help build a large database of potential candidates.

What they miss is that for critical roles that must be filled with quality new hires, this long-term strategy rarely works. Even though using RPOs and contingency search firms will result in the most resumes, it is pure folly to believe that quality is the main driver produced by those outsourced means. Therefore, engaging a retained search firm is the best of all options when outside recruitment help is needed.

Engaging a Retained Search Firm

Let’s look at the recognized statistics in the global workforce. The majority of all workers – approximately 55% – are “C players”. They are literally just bodies taking up space.

They show up on time and can perform assigned tasks in roles such as software or QA engineer, customer service, inside sales, operations, manufacturing and production. But the reality is that they don’t develop intellectual property or design anything new; they are not problem solvers, entrepreneurial or creative, and contribute virtually nothing to increasing market share or improving P&L ratios. In addition, many “C players” are just not good employees. Often a lack of upwardly mobile skills, education, and more equates to a lack of motivation beyond a repetitive paycheck.

Next are the “B players”, who make up roughly 35% of the workforce, have real education and skills, and contribute to developing IP, producing revenues, or some other vital contribution. However, the cream of the crop is the approximately 14% of the workforce known as “A players”. From janitor to CEO, every type of role has its “A players”. What is so great about hiring them? Leadership IQ and SHRM have developed studies and surveys that demonstrate that “A players” produce 8 to 10 TIMES MORE than even “B players”.

Reasons for Engaging a Retained Search Firm

With over 30 years of experience in the executive search business, we have rarely seen contingency search firms or RPOs deliver “A players”, and they have no consistency in delivering “B players” for clients to consider. How do we know this?

  • In a less-than-5% unemployment environment, most exceptional professionals are happy where they are now in terms of their role, their employer, and compensation. If they were to become passive candidates and look to make a change, whether from a desire for new challenges or for relocation, they would simply network and reach out to hiring managers in their industry directly. They rarely look at job postings and have no need to post their resume to a job board. They will not fill out an online application on any company career web site. They are bombarded with emails, InMails, and calls every day from corporate recruiters and contingency search firms who, generally speaking, fail to understand that these professionals will likely only speak or reply to an actual executive hiring manager or a retained executive search consultant with a solid reputation among industry Boards of Directors and CXOs.
  • Contingency and RPO firms rely heavily on job postings and job aggregators. But many of those applicants are the unemployable, the unemployed, or “C players”.
  • In large contingency search firms the recruiters are graded on the number of send-outs (resumes that need to be sent daily to meet a quota). And RPOs have a LOT of clients. Ask yourself, as a client, how much of a priority are you to a recruiter working on 12 to 25 searches at a time? What type of quality and search process would you expect?

I’m not knocking contingency recruiters. I used to be one before I changed to retained almost 20 years ago. Why did I make that move? One, I realized that to really have clients as a priority and deliver a superior service, I personally could only work on 3 to 4 searches at a time. To do more than that means both the client and my reputation suffer. Two, by using a very sound search process, I knew the methodology would unearth those “A players” so I could assess and deliver proof that the shortlisted candidates I presented could meet or exceed the expectations and objectives the role and client required of the new hire.

As for cost and benefit analysis, the benefits of using retained search are overwhelming, while the costs are not much different from contingency search fees.

  1. When looking to engage a retained search firm, you are assured that the vetting and development processes are superior, as you usually receive only 3-4 shortlisted candidates for each role.
  2. Retained search provides detailed interviews and assessments, including current/prior KPIs, depth of industry relationships, and accomplishments relevant to the new role.
  3. Team fit analysis and Target Candidate Profile – by conducting brief online surveys of the stakeholders for each role (the team the role will work within and key internal customers), a team profile allows the recruiter to use behavioral analysis and assessment to determine how the potential candidate will fit in and affect team dynamics. One-way behavioral testing of candidates never works, as it has nothing to measure against.
  4. Much longer retention of new hires from retained search firms. For instance, 94% of our placements are still working for that client after 4.5 years.
  5. Superior replacement guarantee – most contingency firms offer a 30- to 90-day refund or replacement. Retained search firms often offer 6 to 12 months. We believe in our process so much that we offer a 24- to 36-month replacement guarantee depending on the assignment.
  6. Success-based search fees – this is relatively new for retained search firms, but a practice we have used for the last 5 years. With most large retained search firms, you pay 100% of the fee regardless of whether the outcome was successful. Other search firms, like NextGen Global Executive Search, are performance based: after the initial deposit, the remainder of the fees are paid based on deliverables, including the hire.
  7. Flat fees – this is also a relatively new concept. It arose out of the obvious conflict of interest associated with compensation-based search fees: if the recruiter negotiated a higher compensation that was agreed to by both client and candidate, the search fee increased. While some retained search firms use the same fee for every search on a flat-fee basis, at NextGen we realized we are being paid for our work. Therefore the basis of the flat fee is appropriate to each role, depending on factors such as limitations on relocation, the actual candidate pool size, and the number of hours expected in research, search strategy, recruiting, and delivery.

For instance, we have clients in the Bay Area, NYC and Boston who, funny as it sounds, believe that few candidates worthy of consideration exist outside their geography, as they often think of themselves as the center of the technology universe. Additionally, for some roles the overall candidate pool is small, such as AI architects and power electronics design engineers.

Engaging a Retained Search Firm for filling multiple roles

As retained search firms are like good lawyers and executive management consultants, we ask for a deposit. This means the client is a priority, as they have “skin in the game”, knowing the search firm has a track record of longer retention and of producing exceptional new hires. So, the overall flat search fees mean that engaging a retained search firm is clearly the best choice.


Ditching Recruiting Firms Contingency, RPOs, and Old-Fashioned Retained Search

Why are more and more forward-thinking employers ditching recruiting firms that produce, to put it bluntly, crap? Most firms that have spent the time to really investigate the search marketplace have learned that contingency, RPO, and traditional retained search firms need to be ditched in favor of 21st-century success-based recruitment.

In a 3.5% unemployment environment, most Hiring Managers know that the undisciplined, inexperienced, and average “C players” are predominant on job boards. In addition, with job aggregators, job openings get overexposure to the point that the company suffers in public relations and branding. The same goes for RPOs and contingency search firms – the more they re-post the same job posting, the worse the candidates revealed.

Ditching Recruiting Firms that Fail to Produce

You have certain objectives you want a new hire to meet; for most C-level executive roles there is no cookie-cutter template to be applied to the position. Your target market is passive candidates, those who would never read job postings that have been picked over by every Tom, Dick and Harry; they simply are not actively looking. What interests passive candidates? A new challenge, a different product or service portfolio, location, company size, and more. A typical job posting showcasing responsibilities and requirements is a road map with no enthusiasm. It is in reality a robotic drone of words strung together that entices only the unemployed or average active job seeker.

Even the traditional retained search model, which does produce much better candidates, is going by the wayside. More and more companies are ditching recruiting firms that use traditional retained search models.

While employers understand the deposit to initiate a search, they expect results. Most traditional retained firms have a 90-day to 6-month replacement guarantee, but they collect all the fees within 90 days regardless of outcome.

The new paradigm, which NextGen Global Executive Search has used for a decade, is that a search should be success based with regard to the recruitment fees. Also known as a performance-based search, after the deposit (which is a very reasonable percentage of the overall cost) the second invoice is due upon acceptance of the shortlist, when in-person interviews are scheduled. The final invoice is due upon the hire being completed.

Ditching Recruiting Firms with Compensation Based Fees

In addition, success-based search fees should be a flat fee and not based on compensation. The reason is simple: compensation-based fees can increase the overall recruitment fee during offer negotiations, which is an inherent conflict of interest. As stated earlier, the third and final invoice occurs on the hire and is backed by a 24- to 36-month replacement guarantee.

The end result is that both the employer and recruiter have skin in the game, and the employer is confident that the majority of the fee is based on the recruiting firm meeting the objectives and delivering a solid new hire. To read further on why companies are ditching recruiting firms, and for comparisons between contingency, RPO, traditional retained search, and success-based retained search, download the PDF.

Categories
Articles Candidate Assessments

Why Two-Way Behavioral Assessments are Key to a Great Hire

Why do an increasing number of astute Hiring Managers want behavioral assessments?  The end goal is to make the RIGHT HIRE to achieve quick ASSIMILATION, faster PRODUCTIVITY, and longer RETENTION.  Behavioral assessment (sometimes referred to as “Psychometric Testing”) has become increasingly recognized as a valuable source of information when making hiring decisions.

There is a wealth of data to demonstrate that using behavioral assessments in conjunction with sound, responsible recruitment methods reduces employee turnover, and it’s quickly becoming standard practice for many employers and recruiters.

When used strictly one-sided, where only applicants/candidates are tested, the results are vague and often misinterpreted. In addition, when compared to a one-size-fits-all “corporate culture”, the results don’t help in determining whether the candidate is really a good fit for the team he/she will work within AND what effects they will have on team dynamics. The one-sided test isn’t worth the additional time and expense.

When, in the current economic climate, are behavioral assessments REALLY an essential part of assessing potential candidates? When testing a candidate, what are you measuring the results against?

Just in case you’re unfamiliar with behavioral assessment, although the process varies from company to company, it usually involves a questionnaire that asks the candidate about their opinions, preferences and priorities.  Behavioral reports can include information such as preferred working environment, how they respond to tight deadlines, preferred management style, approach to selling, and much more.

Behavioral Assessments Key to a Great Hire

Define the Role using Team Behavioral Assessments

Figuring out exactly the kind of candidate you’re looking for and creating a job description to match can be a time-consuming headache. But a simple job survey of the direct stakeholders to the role you are recruiting for, lasting around 12-14 minutes, will produce detailed analysis on how those stakeholders view the role and a composite team analysis on these FOUR POINTS:

 

Save TIME by Conducting Fewer Interviews

A resume or LinkedIn profile tells you whether a person has some of the qualifications and job history, but usually it’s impossible to tell whether a person has the right attitude and accomplishments until you interview them. Behavioral assessments, on the other hand, can provide you with that information in a fair and objective fashion.

So if, for example, you have 3 to 4 candidates that look great on paper, TWO-WAY behavioral assessments can help you reduce that shortlist to a more manageable number, and leave you with a much more efficient interview process.

An often-overlooked feature of behavioral assessment is its ability to tell you the training and management styles to use to get the best results from your new employee. Getting your recruit up to speed quickly and making them feel comfortable in the role with fast productivity is not only a time saver but it also reduces the expenses incurred through downtime.

Two-Way Behavioral Assessments Reduce Employee Turnover

We’ve already mentioned the fact that behavioral assessments reduce employee turnover, but have you ever stopped to consider just how expensive and time consuming it can be to replace a bad hire? Aside from the fact that you have to spend time and money repeating the recruitment process all over again, you also have to repeat the expense of onboarding and assimilation for the eventual replacement.

Although prices vary quite a bit, the average cost of behavioral assessments is often far less than employers imagine. And any one of the above four points would more than justify the additional, modest investment. But put these four elements together and you have a potential saving of time and money that represents thousands of dollars, especially when reducing employee turnover is taken into consideration.

Categories
Articles Cyber Security

Healthcare Cyber Attacks to Medical Devices, EMR Apps, and Cloud

Embracing next technology healthcare without adequate preparation will only open new risk avenues and threat vectors for healthcare cyber attacks.  Technology is perceived as a solution to address operational inefficiencies within the healthcare industry and to expand the reach of high quality healthcare services to remote regions. But the risks are mounting.

Vulnerable Devices for Critical Medical Practices

The proliferation of smart technologies will reach across the healthcare industry in the coming years. Digital devices such as connected pacemakers and insulin pumps are already in wide use, and the next generation of smart devices will cover a variety of critical cardiovascular, respiratory, and neurological practices. These devices are not immune to sophisticated attacks, however. Under the control of a malicious actor, a vulnerable smart medical device can harm the patient it was meant to keep stable.

Cloud Vulnerabilities for Healthcare Cyber Attacks

Cloud connectivity is critical to accessing patient information anywhere, any time, and that promise is driving the transition to the cloud for healthcare institutions. Protected health information (PHI) is then stored in off-site data centers outside the direct control of the healthcare provider that remains legally responsible for its privacy and security. Any vulnerability in the provider’s own network or in the cloud environment is an open invitation for attackers to compromise sensitive patient information.

IoT Networking

Unlike cloud vendors, which are subject to stringent compliance regulations, patients themselves are rarely in a position to secure IoT-connected medical devices at home. A malware-infected dialysis machine could take part in a DDoS attack intended to bring down the entire network infrastructure of a hospital. Because IoT devices come from multiple vendors, are built through different processes and use different technologies, it is not currently possible to maintain a consistent standard and control over IoT device security against healthcare cyber attacks.

Next Technology Healthcare Cyber Attacks to Mobile Apps

Healthcare providers adopting telemedicine practices using smartphone health apps may not realize or control the personally identifiable information shared with third-party advertisers. These apps run on mobile platforms vulnerable to security threats, especially when the OS is not updated to apply the latest available security patches.

Considering the general lack of security awareness among patients, who run outdated app and OS versions and fall prey to mundane social engineering ploys, the industry has a long way to go before mobile apps can be considered a secure channel with effective defenses against healthcare cyber attacks.

Do you think the next technology healthcare industry is ready to take a deep dive into cyber security adoption without adequate preparation and fixing loopholes that exist within the technology itself?

Recruiting expertise in medical devices and electronic health records

Need an executive search consultant with deep knowledge and contacts in the medical field?  NextGen has identified and recruited key personnel ranging from principal / chief engineers in software development, systems design, and embedded wireless to directors and VPs in sales, business development, and technology to president of business unit for medical device manufacturers, electronic health records developers, clinical integration, and bio medical research and development.

Categories
Articles Cyber Security

Proactive Ransomware Mitigation Strategy for EMR

Ransomware is distributed through social engineering ploys via email, malicious links and malvertising, among other techniques. A proactive ransomware mitigation strategy for EMR is needed because once a user falls prey to one of these human exploits, the ransomware is downloaded to the victim’s computer and the malicious process begins.

The malware typically contacts its operator’s command-and-control server to fetch or register a public encryption key, then uses that key (usually to protect a locally generated symmetric key) to encrypt mission-critical data on the host and on any network shares it can reach.

Targeted data typically includes PDF, JPG and Microsoft Office file types. Built-in recovery aids such as shadow copies and recovery-mode boot options are commonly disabled or deleted first. Encrypted files are renamed with a new extension so they can no longer be found by their original names, and a ransom note then demands payment in Bitcoin or another digital currency. Some families also lock the login screen and other basic functions until the payment is processed.

Why a Proactive Ransomware Mitigation Strategy for EMR Matters

Despite widespread security awareness, phishing schemes and drive-by downloads remain among the most effective techniques for delivering ransomware payloads onto target computers. A proactive ransomware mitigation strategy therefore starts with systematic corporate security training programs that prevent ransomware payloads from reaching your EHR systems in the first place.

Employ expert social pen-testers to phish your own staff. Emulate real-world exploits but do no real harm to your organization or employees. Establish gamification-based reward programs to encourage consistent adoption of security best practices. And yes, prior executive approval will be required to prevent awkward situations.

Secondly, host the phishing-simulation infrastructure (landing pages, credential-capture forms, tracking links) on a separate, isolated environment so that no real PHI is collected or exposed by the exercise. This strategy builds the most effective line of defense against ransomware: the human firewall.

Advanced phishing attacks are known to bypass the default spam filtering built into email clients. Another part of a proactive ransomware mitigation strategy for EMR is to establish stronger filtering at the mail gateway: blacklisting and whitelisting of sender addresses and IP addresses, and real-time blackhole lists maintained by third-party security providers. Use content-based filters to block the malicious content most relevant to your organization.

Email authentication standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) can stop phishing emails that forge your own domains from reaching your workforce; note that they do not stop mail from attacker-registered lookalike domains, which pass their own SPF and DKIM checks. Establish strong administrative and access controls to prevent unauthorized and unintended downloads of executable files via email or the Web, since even legitimate websites can be compromised to deliver ransomware as downloadable content.
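To make the SPF, DKIM and DMARC point concrete, the following is an added example (not the article’s own code) of the alignment check a receiving mail gateway performs under DMARC. A real receiver fetches the sender domain’s DMARC record from DNS and computes the SPF and DKIM results itself; here the gateway’s Authentication-Results header and the DMARC record are constructed strings so the script runs offline. The organizational-domain logic is simplified (last two labels rather than the Public Suffix List) and the sp= subdomain policy is ignored; the domain names are made up for the example.

```python
"""
Added example: minimal DMARC alignment evaluation of the kind a mail gateway
performs. Inputs are constructed; real receivers use DNS and full parsers.
"""
import re
from dataclasses import dataclass


@dataclass
class DmarcVerdict:
    spf_aligned: bool
    dkim_aligned: bool
    policy: str
    disposition: str      # "deliver", "quarantine" or "reject"


# Matches "spf=pass smtp.mailfrom=<domain>" and "dkim=pass header.d=<domain>" clauses.
_AUTH_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=(?:[^@\s;]*@)?([\w.\-]+)"
)


def org_domain(domain):
    """Simplified organizational domain: keep the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(record):
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'dmarc1', 'p': 'reject', 'aspf': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def parse_auth_results(header):
    """Collect (result, domain) pairs for every spf= and dkim= clause."""
    results = {"spf": [], "dkim": []}
    for method, result, domain in _AUTH_RE.findall(header):
        results[method].append((result.lower(), domain.lower()))
    return results


def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') accepts a shared org domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_header, auth_results_header, dmarc_record):
    """DMARC passes if either SPF or DKIM passed AND aligns with the From: domain."""
    from_domain = re.search(r"@([\w.\-]+)", from_header).group(1).lower()
    tags = parse_dmarc_record(dmarc_record)
    results = parse_auth_results(auth_results_header)
    spf_ok = any(r == "pass" and aligned(d, from_domain, tags.get("aspf", "r"))
                 for r, d in results["spf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in results["dkim"])
    policy = tags.get("p", "none")
    if spf_ok or dkim_ok:
        disposition = "deliver"
    elif policy in ("reject", "quarantine"):
        disposition = policy
    else:
        disposition = "deliver"           # p=none: monitor only, no enforcement
    return DmarcVerdict(spf_ok, dkim_ok, policy, disposition)


# Constructed inputs (not real domains or real headers).
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-example.com"

# 1. Legitimate mail: DKIM signed by the From domain, SPF on a bounce subdomain.
LEGIT_FROM = "Billing <billing@hospital-example.com>"
LEGIT_AR = ("mx.example.org; spf=pass smtp.mailfrom=bounce.hospital-example.com; "
            "dkim=pass header.d=hospital-example.com header.s=sel1")

# 2. Exact-domain spoof from the attacker's server: SPF passes for the attacker's
#    own bounce domain but does not align, and there is no DKIM signature.
SPOOF_FROM = "IT Helpdesk <helpdesk@hospital-example.com>"
SPOOF_AR = "mx.example.org; spf=pass smtp.mailfrom=attacker-mail.example; dkim=none"

# 3. Lookalike domain (rn instead of m): the attacker controls it, so everything
#    aligns with the attacker's own record and DMARC cannot help.
LOOKALIKE_FROM = "IT Helpdesk <helpdesk@hospital-exarnple.com>"
LOOKALIKE_AR = ("mx.example.org; spf=pass smtp.mailfrom=hospital-exarnple.com; "
                "dkim=pass header.d=hospital-exarnple.com header.s=k1")
LOOKALIKE_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    cases = [("legitimate", LEGIT_FROM, LEGIT_AR, DMARC_RECORD),
             ("exact-domain spoof", SPOOF_FROM, SPOOF_AR, DMARC_RECORD),
             ("lookalike domain", LOOKALIKE_FROM, LOOKALIKE_AR, LOOKALIKE_DMARC)]
    for label, frm, ar, rec in cases:
        v = evaluate_dmarc(frm, ar, rec)
        print(f"{label}: spf_aligned={v.spf_aligned} dkim_aligned={v.dkim_aligned} "
              f"p={v.policy} -> {v.disposition}")
```

The third case is the caveat practitioners run into: DMARC only protects domains you publish a policy for, so a lookalike domain registered by the attacker sails through, and user training plus lookalike-domain monitoring still has to cover that gap.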

Strict least-privilege controls, granting each user only the rights their job requires, reduce the proportion of the workforce who can inadvertently facilitate ransomware delivery to the corporate IT network. This approach helps prevent anomalous and unauthorized downloads, installations, data transfers, edits and encryption from taking place.

Furthermore, streamline the updating, patching and validation processes for every tool used in the EHR systems. Many ransomware attacks exploit known vulnerabilities that remain unpatched. Standardizing the mass rollout of updates across all systems is a time-consuming and cumbersome process when the operating systems and software are installed on local hard drives.

Organizations that maintain such systems can take months and sometimes years to evaluate, authorize and install updates individually on each computer. On the other hand, organizations that deliver the desktop OS and electronic health records solutions from virtualized and cloud-based environments can automate and streamline the process of software updates.

Although these measures drastically reduce the chances of successful malware delivery to your systems, your organization should also be prepared to stop a ransomware infection from executing once it has arrived. For instance, another proactive ransomware mitigation strategy is to restrict which users may install software and to block execution of files with commonly abused extensions (for example .exe, .js, .scr and .hta) from user-writable locations such as download and temporary folders.

If an installation is critical, the process should be flagged and transferred to a sandbox environment for detailed security assessment. Unauthorized changes to medical devices, files and data sharing should be blocked to prevent potential ransomware processes from executing.

Proactive Ransomware Mitigation Strategy for EMR Advanced Security

Deploy advanced security solutions that detect anomalous processes, raise the alarm and isolate compromised systems from the network to prevent the malware from spreading. Maintain an efficient backup and recovery system that captures data continuously and can restore mission-critical data in a matter of minutes when required. Consider differential backup techniques that preserve only the changes made since the last full backup. Real-time replication alone is not enough, however: a sync job will faithfully copy the encrypted files over the good ones, so keep versioned or offline (immutable) copies that an infected host cannot modify, and test restores regularly.

The minds behind ransomware attacks intend to hold this data hostage so that victims are left with no option but to pay. If you can recover the data by alternate means within an acceptable time frame, the ransomware attack is rendered useless and you can bring in security and IT experts to clean up the infected systems.
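As an added example (not the article’s own code) of the differential backup and anomaly detection described above, the script below takes a full-backup snapshot of a directory, then on each differential pass copies only files whose hash changed. Before overwriting a good copy it runs a simple ransomware sanity check: a new or changed file whose bytes have near-maximal entropy and whose extension is not one the EMR normally produces is held back and reported instead of copied, and deletions are reported rather than propagated. The directory layout, the expected-extension list and the entropy threshold are assumptions for the example; `run_demo` builds a constructed scenario in a temporary directory.

```python
"""
Added example: differential backup pass with a ransomware sanity check.
Layout, thresholds and the sample files are constructed for the example.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5          # bits per byte; encrypted data sits close to 8.0 (assumed cutoff)
EXPECTED_EXT = {".pdf", ".docx", ".xlsx", ".jpg", ".txt", ".hl7"}   # assumed EMR file types


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def diff_snapshots(base, current):
    """Classify paths as added, deleted or modified between two snapshots."""
    return {
        "added": sorted(p for p in current if p not in base),
        "deleted": sorted(p for p in base if p not in current),
        "modified": sorted(p for p in current if p in base and current[p] != base[p]),
    }


def looks_encrypted(path):
    """High-entropy content under an unexpected extension is treated as a ransomware sign."""
    with open(path, "rb") as f:
        sample = f.read(4096)
    ext = os.path.splitext(path)[1].lower()
    return shannon_entropy(sample) > ENTROPY_THRESHOLD and ext not in EXPECTED_EXT


def differential_backup(src, dst, base):
    """Copy changed and new files into dst; hold back suspicious ones; never delete in dst."""
    changes = diff_snapshots(base, snapshot(src))
    copied, quarantined = [], []
    for rel in changes["added"] + changes["modified"]:
        full = os.path.join(src, rel)
        if looks_encrypted(full):
            quarantined.append(rel)          # alert; the last good copy in dst stays intact
            continue
        target = os.path.join(dst, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(full, target)
        copied.append(rel)
    return {"copied": copied, "quarantined": quarantined, "deleted": changes["deleted"]}


def run_demo():
    """Constructed scenario: full backup, a benign edit, then a simulated ransomware replace."""
    work = tempfile.mkdtemp(prefix="emr_demo_")
    src, dst = os.path.join(work, "src"), os.path.join(work, "bak")
    try:
        os.makedirs(os.path.join(src, "records"))
        with open(os.path.join(src, "records", "patient_001.txt"), "w") as f:
            f.write("MSH|^~\\&|EMR|HOSP|constructed HL7 sample\n" * 50)
        with open(os.path.join(src, "records", "intake.txt"), "w") as f:
            f.write("intake form v1\n" * 50)
        base = snapshot(src)
        shutil.copytree(src, dst)                      # the full backup
        with open(os.path.join(src, "records", "intake.txt"), "a") as f:
            f.write("addendum\n")                      # benign edit: should be copied
        victim = os.path.join(src, "records", "patient_001.txt")
        os.remove(victim)                              # simulated ransomware: original gone,
        with open(victim + ".locked", "wb") as f:      # random bytes under a new extension
            f.write(os.urandom(4096))
        report = differential_backup(src, dst, base)
        report["good_copy_intact"] = os.path.exists(os.path.join(dst, "records", "patient_001.txt"))
        return report
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The entropy check is deliberately paired with the extension check because legitimately compressed formats such as JPEG are also high-entropy; a family that keeps the original extension would slip past this heuristic, which is why the held-back list is an alert to investigate, not the whole defense.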

Finally, a sound proactive ransomware mitigation strategy for EMR is to coordinate with your security solutions providers and federal agencies to report possible ransomware attacks – they may already have relevant information and could be able to crack down on the perpetrators with the additional reporting, thereby preventing future attacks from the same sources.

Need help recruiting Cyber Security Professionals for HL7 or EMR Development?

NextGen Executive Search has successfully recruited and placed software developers, analysts, firewall and firmware designers, sales, and product management for clinical integration and healthcare patient records management vendors, including medical device manufacturers, for over 20 years.


Categories
Articles Cyber Security

Mobile Threat Exploits Are You Prepared to Defend Against Malicious Apps?

When we think of cyber threats to endpoints, what typically comes to mind is the need to protect our PCs and laptops. More businesses are now extending their security tooling and user policies to cover mobile threat exploits as well.

But it’s unquestionable now that mobile phones are just as likely (if not more likely) to be targeted by cyber criminals. There are a few reasons for that.  The first reason that mobiles are now a legitimate target is the sheer number of them. It’s estimated that there will be over 6 billion smartphones in use by the year 2020. That’s around 70% of the world’s population using a smartphone in 3 years’ time.

Modern smartphones are small computers. Their processing power, functionality, and the way we’ve integrated them into our lives make them a treasure trove of valuable information and easy prey for attackers using mobile threat exploits. IoT botnets further increase the exposure of cloud-based data and mobile devices. Many people today use their mobile phones for online banking and as a payment method in store. Cybercriminals follow the money and are putting resources into targeting mobiles: last year, security vendor ESET reported a form of Android malware that overlaid a fake version of online banking login screens to steal credentials.

Exposing Vulnerabilities of Mobile Threat Exploits

Like any operating system, there is a continual process of discovering vulnerabilities and attempting to patch them before hackers can take advantage.

This can be complicated on the Android OS. Android is open source, allowing stakeholders to modify and redistribute it to fit their needs.

This means that when a vulnerability is fixed at the source, the fix still has to be adopted by each handset manufacturer and, often, each mobile operator before it reaches the user, so the problem is not always resolved on the device.

Mobile Threat Exploits 2018

The most famous example of this is the Stagefright vulnerability, a set of flaws in libstagefright, the Android code library responsible for media playback. A specially crafted video sent by MMS could trigger the bug before the user opened the message, so the attack could succeed without any interaction. The vulnerability was reported to affect around 95% of Android devices in use at the time, which made patching a nightmare. Although there had been previous serious Android vulnerabilities such as FakeID, TowelRoot, and PingPong, this was the first exploit of this scale that could succeed without any user input.

No OS is Safe

Typically, most mobile attacks target Android devices. But iOS is not bulletproof either. XcodeGhost was a trojanized copy of Xcode, Apple’s development environment for creating apps. Developers who built their apps with the rogue version unwittingly shipped them to the App Store with the malware in tow.

Mobile Threat Exploits Protection Starts with Education

So clearly we need a robust plan in place to protect mobile devices from mobile threat exploits. But how do we go about this? The first thing to consider is user education. When using a laptop, most people know not to open attachments from unknown sources, but mobile users are not always as careful. Educate them to apply the same caution on mobiles: download apps only from trusted sources, and grant each application only the minimum permissions it needs to perform its task.
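The permission point is easier to enforce when it is checked mechanically. The following is an added example (not from the original article) of a static audit of an Android app’s AndroidManifest.xml of the kind run before an app is approved for managed devices: it lists the dangerous (runtime-prompted) permissions the app requests, flags the ones a stated app purpose does not justify, and checks a few manifest settings that weaken the app. The sample manifest, the app categories, and the table of permissions each category may legitimately need are all assumptions constructed for the example; the permission names themselves are real Android permission strings.

```python
"""
Added example: static AndroidManifest.xml permission audit.
The manifest and the per-purpose allow-list below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android "dangerous" permissions (the ones that prompt the user at runtime).
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed policy: which dangerous permissions each app category may legitimately need.
ALLOWED_FOR_PURPOSE = {
    "flashlight": set(),
    "telehealth": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"},
}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(component):
    """The main launcher activity is legitimately exported; skip it."""
    return any(attr(cat, "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def audit_manifest(xml_text, purpose):
    root = ET.fromstring(xml_text)
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    dangerous = requested & DANGEROUS
    allowed = ALLOWED_FOR_PURPOSE.get(purpose, set())
    findings = {
        "package": root.get("package"),
        "dangerous_requested": sorted(dangerous),
        "excessive": sorted(dangerous - allowed),
        "config_issues": [],
        "exported_unprotected": [],
    }
    app = root.find("application")
    if app is not None:
        for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
            if attr(app, flag) == "true":
                findings["config_issues"].append(f"{flag}=true")
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.iter(tag):
                if is_launcher(comp):
                    continue
                exported = attr(comp, "exported")
                # A component with an intent-filter defaults to exported on older API levels.
                implicitly_exported = exported is None and comp.find("intent-filter") is not None
                if (exported == "true" or implicitly_exported) and attr(comp, "permission") is None:
                    findings["exported_unprotected"].append(f"{tag}:{attr(comp, 'name')}")
    return findings


# Constructed manifest: a "flashlight" app asking for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="BrightLight" android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST, "flashlight").items():
        print(f"{key}: {value}")
```

Run against the same manifest with purpose "telehealth", CAMERA drops off the excessive list while READ_SMS and READ_CONTACTS remain, which is the point: "minimum permissions" is only checkable relative to what the app is for, so the allow-list has to be maintained per app category rather than as one global list.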

Management is Not Security

Your company likely already has an Enterprise Mobility Management (EMM) solution in place. This is useful for managing a fleet of mobiles and preventing opportunistic crime, for example by enforcing passcodes. But EMM is not sufficient against more advanced threats, and most suites lack the functionality to detect, analyze and respond to cyber attacks. For this reason, it is important to supplement your EMM with a Mobile Threat Defense (MTD) product. MTD has far greater threat-detection capability for mobile threat exploits and can help detect man-in-the-middle attacks, identify non-compliant or malicious apps, and spot jailbroken or rooted devices. This level of security matters because of the amount of corporate data that can now typically be accessed from a mobile device.

User-Based Access Controls

A cloud-based Identity as a Service (IDaaS) solution can also increase security. The benefits to a business are two-fold. For the user, all corporate systems can be accessed via single sign-on (SSO), which eliminates the need to remember multiple login credentials, and the sign-on is typically multifactor, which is more secure than a static password. IDaaS also allows users to be granted access rights automatically based on their role: employees get the tools they need to do their job and no more. This means that when a mobile device is compromised through a mobile threat exploit, the amount of information the attacker can reach is limited.

Effective Patching

As mentioned, patching mobile devices is not always straightforward, particularly in Android ecosystems, where a fix from Google has to pass through the handset manufacturer and often the mobile operator before it reaches the device. The situation has improved since Stagefright. Even given these difficulties, it is important to have a process for keeping your operating systems up to date, and this should be easy to enforce in your EMM solution.

Ultimately, we don’t need statistics to tell us that mobiles are here to stay in the business world; we see evidence of this every day. Mobiles are now integral to huge chunks of our working lives, and because of this the threat from attackers will continue to grow.

What steps are you taking to ensure that mobiles aren’t an easy attack vector into your business?  And do you feel that your users are as educated on mobile threat exploits as they are about conventional PC-based malware?


Categories
Articles Cyber Security

Healthcare Is Unprepared for Cyber Attacks and here’s why…

Healthcare is unprepared for cyber attacks, and with the cybercrime threat landscape for medical devices and electronic health records evolving at an unprecedented rate, this lack of preparation does not bode well. Historically, financially motivated and state-sponsored cyber criminals were best served by victimizing financial institutions, power infrastructure and the business sector.

The sheer wealth of profitable consumer information stored within the servers and IT networks powering these industry segments have attracted cyber attack interests for decades. At the same time, these industries are investing vast resources to strengthen their security posture. Cyber criminals pursuing easier targets are aiming for the healthcare industry instead, where a similarly vast deluge of sensitive personally identifiable information powers increasingly digitized healthcare services from less-secure network infrastructure.

Inherent Loopholes as Healthcare Is Unprepared for Cyber Attacks

Healthcare institutions excel at medical practice but are inherently prone to security attacks. Even if only a limited number of successful attacks were publicly reported in 2017, make no mistake that healthcare is unprepared for cyber attacks and the threat is very real, and here’s why. The future of healthcare is the paperless medical practice. Digital patient information stored on network-connected servers is a recipe for disaster unless strong defensive capabilities are in place to ward off sophisticated attacks. And that is precisely the problem: the healthcare industry is woefully unprepared for the security consequences of technology adoption.

While the government and the industry is pushing to embrace Electronic Health Record (EHR) systems, the same attention is not given to invest in strong security solutions, technologies, and processes across the widening industry of healthcare institutions, hospitals, surgery centers and EMR/EHR management providers.

Equating Compliance to Security: Regulatory authorities around the world enforce strict laws to ensure the security of digital health records and the electronic systems used in healthcare. However, these laws are designed to establish and maintain a minimum standard of security capabilities and practices, while the actual risks can be far worse and more varied. This is a large part of why healthcare is unprepared for cyber attacks: maintaining compliance with standards such as HIPAA does not translate into strong security capabilities.

Lack of Security Awareness: A significant proportion of spear-phishing and ransomware attacks, some of them life-threatening, are designed to exploit the human element. Careless clicks on malicious links by an unsuspecting healthcare workforce cost millions of dollars in damages. Given the simple root causes of these costly attacks, inadequate workforce education and training on securing digitized records and new healthcare technologies is clearly prevalent in the industry.

Lack of Resources: Many healthcare institutions do not operate on an IT security budget comparable to that of financial and business organizations. A recent study conducted by the Ponemon Institute found that healthcare organizations rate their ability to defend against cyber attacks at a meager 4.9 out of 10.

Outsourcing May Alleviate Healthcare Industry Unprepared for Cyber Attacks

Healthcare institutions concentrate on excelling at the services they offer and tend to outsource critical healthcare IT operations. These IT service providers are HIPAA business associates subject to the same strict regulations, but healthcare organizations often cannot accurately assess the risk posed by their business associates or verify the security of the Protected Health Information (PHI) shared with them.