Cybersecurity Isn’t Just IT’s Job Anymore — It’s a Team Sport…And the First Step Is Knowing Where Your Gaps Really Are
If your first instinct after a data breach is to look at your IT team and ask,
“How did this happen?”
you’re not alone — but that reaction is outdated.
Modern cybersecurity isn’t just about firewalls, passwords, or antivirus software. It’s about people — their behaviors, their decisions, and their daily habits.
In fact, the most serious vulnerabilities we typically find aren’t buried in complex code or systems. They live in plain sight — in everyday workflows.
A click on a phishing email.
A reused password.
An unencrypted file sent from a free email account.
Technology can only protect you so far. The rest comes down to culture — how every person in your organization understands, values, and practices cybersecurity.
Because in 2025, cybersecurity isn’t an IT initiative.
It’s a team sport — and knowing your gaps is how you build your roster.
The Problem: The “IT Department Only” Mindset
Many practices still treat cybersecurity as a job for the “tech people.” It’s seen as a technical challenge rather than a clinical or operational one.
But attackers don’t care about your org chart.
They care about entry points — and your biggest entry points aren’t your servers.
They’re your people.
Siloed Responsibility
When cybersecurity lives only in IT, everyone else disengages. Non-technical staff assume it’s “not their problem.”
That’s exactly why phishing succeeds — because attackers know humans are the easiest way in.
We regularly find organizations where clinical and admin staff have never received practical phishing awareness training — even though 91% of attacks start with email.
Reactive Instead of Proactive
Too many clinics only start caring about cybersecurity after an incident. The conversation becomes:
“How do we prevent this from happening again?”
instead of
“How do we build a system that prevents it from happening at all?”
We can identify high-risk behaviors before they turn into HIPAA violations — from unsecured file sharing to missing encryption on devices — and create a Plan of Action & Milestones (POAM) to fix them.
Over-Reliance on Tools
Security software can detect threats, but it can’t stop an employee from forwarding PHI through a personal @outlook.com or @gmail.com account.
We find it all the time — free, unsupported email accounts used for business communication or staff logins to things like practice management systems. It’s convenient and cheaper, sure, but also a direct HIPAA violation.
Why?
Because free email accounts:
Don’t offer a Business Associate Agreement (BAA)
Don’t encrypt emails by default
Don’t provide access logging or audit controls
That one cost-saving convenience shortcut can cost your practice up to $50,000 per violation ($2.5M annual cap) — and your reputation along with it.
Real-World Impact: People, Not Hackers, Cause Most Breaches
Over 80% of data breaches are caused by human error or social engineering — not by technical system failures.
And every single one of those errors is preventable with awareness, structure, and accountability.
Example 1: The Accidental Insider Threat
A billing coordinator receives a phishing email that looks like it’s from an insurer. She clicks, logs in, and hands over credentials. Within hours, attackers access patient data.
What we’d catch: No phishing simulation or staff awareness program in place; MFA not enforced; shared admin accounts with no monitoring.
Example 2: The Shared Password Shortcut
A small ABA practice uses one shared login for its scheduling software. An employee leaves — no one updates the password. Later, that old laptop is compromised, giving outsiders access to active client records. Or maybe the former employee is disgruntled and decides to sabotage your business because she remembers the password.
What we’d catch: Shared credentials, lack of password management, no credential audits, and unmonitored device access.
The Common Thread
In both cases, the technology worked.
The vulnerability was behavior — and lack of visibility and control.
That’s exactly what our Audit Readiness Assessment is designed to uncover before it becomes a reportable incident.
The Solution: Building a Cyber-Aware Culture (Starts with Knowing Your Baseline)
Creating a cyber-aware organization doesn’t require fear — it requires shared responsibility, clear communication, and leadership that models accountability.
But before you can train, align, or enforce… you have to measure.
That’s what our assessment does.
Here’s what we look for:
Free or unencrypted email systems (like @outlook.com, @gmail.com, @yahoo.com)
Missing or outdated MFA on devices and user accounts
Unmanaged or unencrypted laptops and tablets
Shadow IT — staff using unapproved apps or personal accounts
Weak access controls or shared logins
No incident response plan or escalation path
No HIPAA Security Risk Assessment (SRA) or POAM documentation
Outdated cyber insurance policies that wouldn’t pay out in a breach
These aren’t “nice to haves.” They’re the difference between Tier 1 compliance fines ($1,000/violation with $15,000 annual cap) and Tier 4 negligence ($50,000/violation with $2,500,000 annual cap).
Culture Change Through Collaboration
WOM Technology Management Group and ABA Impact are partnering with ProTask Solutions to bring affordable, enterprise-grade cybersecurity assessments to ABA practices — because protecting client data shouldn’t be a luxury line item.
The Audit Readiness Assessment helps you:
✅ Identify your top 20 risks across admin, technical, and physical safeguards
✅ Get a clear POAM roadmap (so you can show progress to auditors and payers)
✅ Simulate phishing, ransomware, and real-world threat scenarios
✅ Optimize the tools you already pay for in M365 or Google Workspace
✅ Receive a compliance summary you can actually understand and act on
Normally valued at $7,500, this complete assessment is available now for $497 through our partnership initiative.
Changing the Culture: From Fear to Empowerment
Cybersecurity doesn’t have to mean fear, audits, or endless policies. It can mean peace of mind — knowing your systems, staff, and data are secure and ready for anything.
The truth is simple:
Firewalls and encryption protect data.
Culture and visibility protect people.
Cybersecurity isn’t just IT’s job. It’s an organizational habit — a shared responsibility that starts with understanding your own risks.
If your email still ends in @outlook.com or @gmail.com, if your devices aren’t encrypted, or if you’ve never had a HIPAA Security Risk Assessment…or if you’re just not sure: your check engine light is on.
Don’t wait until something breaks.
Take action before it’s too late:
Culture change beats software upgrades every time — but it starts with clarity.
Get your Audit Readiness Assessment today and take the first step toward a secure, compliant, and resilient ABA practice.
👉 Schedule your $497 assessment here
WOM Technology Management Group x ABA Impact x ProTask Solutions
Helping ABA leaders protect what matters — people, data, and trust.
Contributed by: Josh Nelson