Information technology and digital risks come with the territory in the modern business environment. To protect your business from cybersecurity threats and data breaches, management and IT need to be on the same page with the particular risks the organization faces and have a plan in place to mitigate those risks.
Throughout the 7 Steps to Strengthening Cybersecurity series, we have explored the areas of information security vulnerabilities and best practices for monitoring and addressing information security incidents. Management and IT should review the key areas of vulnerability and assess how well their organization is prepared to mitigate those vulnerabilities.
IT and management should be on the same page when it comes to implementing and acting on a cybersecurity plan, but many times that's not the case. To ensure your organization is adequately protected, management and IT need a routine monitoring plan in place and regular communication about the following topics.
An inventory should be kept of all cybersecurity-related policies, including the IT security, incident response, change management, vendor management and mobile device policies. The policies should be reviewed at least annually so that management and IT understand how they function, whether they are actually being followed and how they could be improved. They should be distributed to all employees at least annually, for example as part of annual security awareness training, and employees should acknowledge that they have read them.
The human element is one of the most common ways unauthorized users gain access to sensitive data. Organizations should hold information security training at least annually to ensure all employees, including temps, contractors and new hires, understand the role they play in preventing and reporting security incidents. Training should cover social engineering risks (phishing emails, phone pretexting, etc.) and the safe handling of removable media and mobile devices. Information security policies should also be readily accessible to employees.
Annual Permissions Review
There should be an annual review of user IDs and permissions in key software applications, badge access systems and physical key issuance, performed by IT and reviewed by management, to confirm that only authorized people retain access. The review should pay particular attention to accounts of departed employees and contractors, privileges that have accumulated as users changed roles, and dormant accounts. It should also cover third-party logical access to your systems and third-party physical access to the building (cleaning crews, outsourced IT, etc.).
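As an added example (not from the original article), the following Python script sketches how IT could prepare the review described above: it joins account exports from a key application and the badge system against a combined HR and vendor roster and flags the entries a reviewer must decide on: orphaned accounts, terminated people who still have access, third parties whose engagement has ended, admin roles outside the approved departments, and dormant accounts. All names, systems, departments and dates are constructed for illustration.

```python
# Added example, not from the original article: an annual access-review
# reconciliation. Accounts exported from key systems are joined against an
# HR/vendor roster and exceptions are listed for management sign-off.
# All records below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    user_id: str
    system: str                 # e.g. "erp" (application) or "badge" (door access)
    role: str                   # e.g. "user" or "admin"
    last_used: Optional[date]   # last login or badge swipe; None if never used


@dataclass
class Person:
    user_id: str
    status: str                 # "active" or "terminated"
    department: str
    third_party: bool           # contractor, vendor, cleaning crew, outsourced IT
    engagement_end: Optional[date]  # contract end date for third parties


Finding = Tuple[str, str, str]  # (user_id, system, reason)


def review_access(accounts: List[Account], roster: List[Person], review_date: date,
                  admin_departments: Dict[str, Set[str]],
                  dormant_days: int = 90) -> List[Finding]:
    """Return every account/condition pair that needs a reviewer's decision."""
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for a in accounts:
        p = people.get(a.user_id)
        if p is None:
            # Nobody on the HR or vendor roster owns this ID: classic orphan.
            findings.append((a.user_id, a.system, "orphaned: not on HR or vendor roster"))
            continue
        if p.status == "terminated":
            findings.append((a.user_id, a.system, "terminated person still has access"))
        if p.third_party and p.engagement_end is not None and p.engagement_end < review_date:
            findings.append((a.user_id, a.system, "third-party engagement ended"))
        if a.role == "admin" and p.department not in admin_departments.get(a.system, set()):
            findings.append((a.user_id, a.system, "admin role outside approved departments"))
        if a.last_used is None or (review_date - a.last_used).days > dormant_days:
            findings.append((a.user_id, a.system, "dormant account"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by reason for the management summary."""
    counts: Dict[str, int] = {}
    for _, _, reason in findings:
        key = reason.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample data (hypothetical people, systems and dates).
REVIEW_DATE = date(2017, 4, 18)
ROSTER = [
    Person("alice",   "active",     "Finance",  False, None),
    Person("bob",     "terminated", "Finance",  False, None),
    Person("carol",   "active",     "IT",       False, None),
    Person("dave",    "active",     "Sales",    False, None),
    Person("erin",    "active",     "Finance",  False, None),
    Person("cleanco", "active",     "Vendor",   True,  date(2017, 1, 31)),  # cleaning crew
]
ACCOUNTS = [
    Account("alice",   "erp",   "user",  date(2017, 4, 10)),
    Account("bob",     "erp",   "user",  date(2017, 4, 12)),   # terminated, yet logging in
    Account("carol",   "erp",   "admin", date(2017, 4, 15)),
    Account("dave",    "erp",   "admin", date(2017, 4, 14)),   # admin outside IT
    Account("erin",    "erp",   "user",  date(2016, 12, 1)),   # no login for 138 days
    Account("ghost",   "erp",   "user",  date(2017, 4, 1)),    # not on any roster
    Account("cleanco", "badge", "user",  date(2017, 4, 17)),   # contract ended Jan 31
]
# Only these departments may hold admin rights on each system (assumed policy).
ADMIN_DEPARTMENTS = {"erp": {"IT"}, "badge": {"Facilities"}}


def run_review() -> List[Finding]:
    return review_access(ACCOUNTS, ROSTER, REVIEW_DATE, ADMIN_DEPARTMENTS)


if __name__ == "__main__":
    for uid, system, reason in run_review():
        print(f"{system:6} {uid:10} {reason}")
    print(summarize(run_review()))
```

In practice the account lists come from each system's export and the roster from HR and the vendor management file; the value of the exercise is that management signs off on each finding, not just that the script runs. Accounts that survive with no finding still need an owner to confirm the access is required.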
For third parties, your organization should request and review the vendor's Service Organization Control (SOC) 1 or SOC 2 Type II report. A SOC 1 report covers the vendor's controls that are relevant to your financial reporting; a SOC 2 report covers controls over security, availability, processing integrity, confidentiality and privacy. A Type II report tests whether those controls operated effectively over a period of time, whereas a Type I report only describes them at a point in time. Reviewing the report lets IT and management identify shortcomings in the vendor's protection of your data: check that the report period covers the time you relied on the vendor, read any exceptions noted by the auditor, and note any subservice organizations carved out of the report's scope. The report also lists complementary user entity controls, which are the controls the vendor assumes its customers have in place; the vendor's control objectives are only fully met when your organization implements them.
Evaluate Your Breach Notification Plan
It is always best to be prepared for the worst case when it comes to information security. Management and IT should understand how a suspected breach is reported and escalated internally, the steps involved in containing it, and how and when it is communicated to affected individuals, relevant third-party providers and vendors, and regulators. Review the state notification laws that apply to your organization carefully: statutes differ in how they define a reportable breach and the personal information it covers, who must be notified (affected residents and, in many states, the state attorney general), the notification deadline and the permitted method of notification. An organization with customers in several states may be subject to several of these laws at once.
Conduct IT Testing
Once IT and management have cybersecurity policies and procedures in place, it is advisable to test the controls periodically. A mock run-through of the disaster recovery / business continuity plans also helps ensure that recovery procedures work as expected, so that if something does happen the business is disrupted for as short a window as possible.
Simulated phishing emails, malware infections or breaches are also useful, not only for testing how the company puts its incident response protocols into action but also for observing whether logical controls and other security measures hold up during a realistic event.
Social engineering tests and external/internal network penetration tests should be considered if your organization has not conducted them before. A simulated phishing campaign, for example, shows whether employees recognize attempts to manipulate them by email into giving away credentials or sensitive data, and which employees need further training. Penetration testing identifies exploitable weaknesses in firewalls, externally exposed systems, the internal network and the surrounding IT control environment, and shows where processes need to be improved to close those gaps. Agree the scope, timing and rules of engagement in writing before any test begins, and treat the results as a prioritized remediation list rather than a pass/fail grade.
It is advisable to use a third-party independent firm to conduct the testing to uncover unknown shortcomings that may not be obvious to internal IT management. Third parties can review existing policies and procedures, perform testing and make recommendations to mitigate risks based on their findings.
For More Information
If you have specific comments, questions or concerns about your organization's cybersecurity or are interested in a third-party independent security assessment, please contact us.
Seven Ways to Strengthen Your Cybersecurity
- Monitor the Human Element
- Secure the Small Things
- What We Can Learn from Other Incidents
- Know Your State Notification Laws
- Questions to Ask About Third-Party Providers
- Logical Security
- What Management Should Know About the IT Environment
Published on April 18, 2017
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.