Are You Playing With Cyber Fire?
By Joel White, CPA, CGMA, CISA, CIA, CFE, Senior Director – Internal Audit, Risk & Compliance, Association of International Certified Professional Accountants
Lost revenue. Fewer customers. Potential lawsuits. You know the risks associated with a cyberattack. But has your organization done everything it can to help prevent one? Here are four signs that you might be playing with fire when it comes to cybersecurity.
1. You don’t have a formalized plan.
Having a general concept about how you will protect data isn’t enough. You need a documented, structured plan that has been fully vetted. Start by making sure you can answer these questions:
• What information is most important to protect and why? What are the most common threat vectors for the assets that your organization has?
• Which departments and divisions within your organization need to be involved in developing the plan?
• What training would most benefit employees in helping them understand the role they play in your cybersecurity plan?
• Are you considering a trusted framework (e.g., NIST, ISO’s 27001, AICPA’s Cybersecurity Framework) for developing your plan? If so, which one did you choose and why?
• Can you communicate your efforts to your board and other key stakeholders? Cybersecurity risk management is complex. Being able to share a plan that is transparent and readily digestible is key to instilling trust, prioritizing your next move, and keeping management and the board informed of risks the organization is susceptible to. It also goes a long way in having budget discussions.
2. You assume everything is working.
Care and feeding is one of the most important aspects of preventing a cybersecurity breach. Service providers have lapses, known vulnerabilities are missed, and the latest and greatest security tools become obsolete in the face of new risks. Constantly evaluate and update your cyber activities, and their associated risk, to make sure you are maintaining your core responsibilities and doing everything possible to prevent a breach. In addition to an annual penetration test, consider engaging an independent auditor to evaluate your cybersecurity program via a SOC 2 report (for service organizations) or SOC for Cybersecurity report (for businesses, not-for-profits, and all other organizations).
3. You don’t play well with others.
If you still think of cybersecurity as just an IT problem, you’re missing a huge opportunity to strengthen your program organically. Cybersecurity is a business risk, and it should be treated as such. Build a team that leverages strengths from across the organization. For example, your IT team understands your technological capabilities, your internal audit team is knowledgeable in risk assessment, and your HR team can help organize meaningful training around IT security risks (e.g., phishing, passwords, data protection). Bring these and other teams together to make sure your cyber plan is comprehensive.
4. You have already given up.
It’s not a matter of if you get hacked, but when – right? Data appears to support this saying. According to the Better Business Bureau, over one-third of businesses have lost money in a cyberattack in the last year. However, this isn’t an excuse to let your guard down. After all, more than half of all breaches are still due to the failure to patch known vulnerabilities. While you may feel you don’t have adequate resources, there are often plenty of opportunities to make significant strides in your cyber defenses by using the tools and relationships that you already have.
A strong cybersecurity risk management program will prevent attacks from taking place, detect attacks sooner, help you respond to and recover from attacks more quickly, and go a long way in describing what exactly it is that you do. While the job can range from mundane operational chores to implementing the latest and greatest technology solution, it’s important to be able to take a step back and make sure there’s a method to the madness.