April 18, 2017
Information technology and digital risks come with the territory in the modern business environment. To protect your business from cybersecurity threats and data breaches, management and IT need to be on the same page with the particular risks the organization faces and have a plan in place to mitigate those risks.
Throughout the 7 Steps to Strengthening Cybersecurity series, we have explored common areas of information security vulnerability and best practices for monitoring and responding to information security incidents. Management and IT should review those key areas of vulnerability and assess how well the organization is prepared to mitigate them.
In practice, however, IT and management are often not aligned on implementing and acting on a cybersecurity plan. To ensure the organization is adequately protected, management and IT need a routine monitoring plan in place and regular communication about the following topics.
Policy Inventory and Review
An inventory should be kept of all cybersecurity-related policies, including IT security, incident response, change management, vendor management and mobile device policies. The policies should be reviewed annually so that management and IT understand how they function, whether they are actually being followed and how they could be improved. The policies should be distributed to all employees at least annually, either directly or as part of annual security awareness training.
Security Awareness Training
The human element is one of the most common ways unauthorized users gain access to sensitive data. Organizations should conduct information security training annually to ensure all employees, including temps, contractors and new hires, understand the role they play in preventing and reporting security incidents. Training should cover social engineering risks (phishing emails, phone pretexting, etc.) and the handling of removable media and mobile devices. Information security policies should also be readily accessible to employees.
Annual Permissions Review
There should be an annual review of user IDs and permissions in key software applications, badge access systems and physical key access. IT should perform the review and management should sign off on it, confirming that only currently authorized people retain access and that accounts of departed employees, expired contractors and unused service accounts are removed. The review should also cover third-party logical access to your systems and third-party physical access to the building (such as cleaning crews, outsourced IT, etc.).
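The review described above is easiest to do consistently when the application's user export is reconciled against the HR roster and the vendor contract list by script rather than by eye. The following is an added example, not code from the original article: it takes constructed sample data (a small HR roster, a contractor list with contract end dates, and an application user export with privilege level and last login), and flags terminated employees whose accounts still exist, contractors whose contracts have ended, orphan accounts with no owner in either list, admin rights held outside the departments approved for them, and dormant accounts. The data formats, the 90-day dormancy threshold and the approved-department rule are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# --- Constructed sample data (not from any real system) ---

# HR roster: user id -> (department, still employed?)
HR_ROSTER = {
    "asmith": ("finance", True),
    "bjones": ("it", True),
    "cwu":    ("sales", False),   # terminated; account should already be gone
}

# Third-party accounts -> contract end date (assumed format)
CONTRACTORS = {
    "cleanco1":  date(2017, 3, 31),   # cleaning crew badge, contract ended
    "msp-admin": date(2017, 12, 31),  # outsourced IT, still under contract
}

# Export from a key application: (user id, privilege level, last login)
APP_USERS = [
    ("asmith",     "user",  date(2017, 4, 10)),
    ("bjones",     "admin", date(2017, 4, 17)),
    ("cwu",        "user",  date(2017, 2, 1)),
    ("msp-admin",  "admin", date(2017, 4, 15)),
    ("cleanco1",   "user",  date(2017, 3, 20)),
    ("svc_legacy", "admin", date(2016, 9, 1)),  # no owner in HR or vendor lists
]

# Departments allowed to hold admin rights in this application (assumption)
ADMIN_DEPARTMENTS = {"it"}
# Accounts with no login for this long are flagged for follow-up (assumption)
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def review_access(app_users, hr_roster, contractors, admin_departments, today):
    """Reconcile an application's user list against HR and vendor records.

    Returns one Finding per problem; an account can produce more than one
    (for example an orphan that is also dormant).
    """
    findings = []
    for user, priv, last_login in app_users:
        hr_record = hr_roster.get(user)
        contract_end = contractors.get(user)

        if hr_record is not None and hr_record[1]:
            # Active employee: check that privilege matches an approved department
            dept = hr_record[0]
            if priv == "admin" and dept not in admin_departments:
                findings.append(Finding(user, "admin rights outside approved department"))
        elif hr_record is not None:
            # Known to HR but no longer employed: offboarding missed this account
            findings.append(Finding(user, "terminated employee; account not removed"))
        elif contract_end is not None:
            # Third party: access must end with the contract
            if contract_end < today:
                findings.append(Finding(user, "contract ended; access should be revoked"))
        else:
            # Nobody owns this account: classic orphan / forgotten service account
            findings.append(Finding(user, "no active owner in HR or vendor records (orphan)"))

        if today - last_login > DORMANT_AFTER:
            findings.append(Finding(user, f"dormant: no login in {DORMANT_AFTER.days} days"))
    return findings


if __name__ == "__main__":
    # Review as of the article date; management signs off on this list.
    for f in review_access(APP_USERS, HR_ROSTER, CONTRACTORS, ADMIN_DEPARTMENTS, date(2017, 4, 18)):
        print(f"{f.user:12} {f.issue}")
```

The same reconciliation applies to badge-access and physical-key exports: substitute the badge system's user list for `APP_USERS` and the findings become the list of badges and keys to collect. The value of keeping the rule set in code is that management reviews a short exception list each year instead of a full user dump.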
For third parties, your organization should request and review the vendor's Service Organization Control (SOC) 1 or SOC 2 Type II report. A SOC 1 report covers controls relevant to your financial reporting; a SOC 2 report covers controls over security, availability, processing integrity, confidentiality and privacy; and a Type II report tests whether those controls operated effectively over a period, not merely whether they were designed at a point in time. Reviewing the report, including any exceptions the auditor noted, helps IT and management identify shortcomings in the vendor's protection of your data. The report also lists complementary user entity controls: controls that the customer is expected to have in place on its own side (for example, managing which of its staff hold vendor accounts) for the vendor's controls to be fully effective. IT and management should confirm that each of these is actually implemented.
Evaluate Your Breach Notification Plan
It is always best to be prepared for the worst-case scenario when it comes to information security. Management and IT should understand how a suspected breach is reported and escalated internally, the steps involved in containing it, and how and when it is communicated to affected individuals, regulators and the relevant third-party providers and vendors. Breach notification laws differ from state to state: many statutes have their own definition of a reportable incident, their own deadlines, and their own requirements for the content and method of notification, so review the laws of every state in which you hold residents' data, not just your own.
Conduct IT Testing
Once IT and management have the policies and procedures around cybersecurity in place, they should test the controls periodically. A mock run-through of the disaster recovery and business continuity plans confirms that recovery procedures work as expected before a real event, which keeps any disruption to the business as short as possible.
Simulated phishing emails, malware infections or breach scenarios (tabletop exercises) are also useful, not only for testing how the company puts its information security procedures into action, but also for seeing how well logical controls and other security measures hold up during a realistic event.
Social engineering and external and internal network penetration testing should be considered if your organization has not conducted these types of tests before. A simulated email phishing campaign, for example, shows whether employees recognize how criminals use email to manipulate users into giving away credentials or sensitive data. Penetration testing identifies gaps in the firewalls and the wider IT control environment, and which processes need to change to close them.
It is advisable to use an independent third-party firm to conduct the testing, since it will uncover shortcomings that are not obvious to internal IT staff. Third parties can review existing policies and procedures, perform the testing and recommend specific steps to mitigate the risks they find.
For More Information
If you have specific comments, questions or concerns about your organization's cybersecurity or are interested in a third-party independent security assessment, please contact us.
Previous Issues of the 7 Ways to Strengthen Cybersecurity