Creating a Cybersecurity Awareness Culture in your Business by Paul M. Perry, CISM, CITP, CPA
Cyber-attacks are increasing in sophistication and magnitude of impact across all industries globally. According to a recent report issued by the U.S. Securities and Exchange Commission (SEC), the average cost of a cyber data breach is $7.5 Million and continues to rise year over year. The estimated aggregate amount that businesses will have lost to cyber-related crime by 2020 is $3 trillion. Protecting valuable information assets, including financial payment information, client information, personally identifiable information (PII), protected health information (PHI), and/or payment card information (PCI), should be a high priority for everyone who handles it. The recommendations below are geared toward the Company as a whole, but remember that the first line of defense for your organization (and the information assets it holds) is your employees, all of them. They need to be as diligent as the Company, which requires constant training and reminders about the lengths attackers will go to in order to carry out an incident or cyber-related event.
KEY CYBERSECURITY RECOMMENDATIONS FOR 2019
- Conduct Email Threat Assessments
Given the increasing number of cyber-attacks delivered through email systems, companies are increasingly conducting regularly scheduled email threat assessments, especially to detect malware that slipped past anti-virus software and firewalls and has so far gone unnoticed.
- Perform Network and Endpoint Threat Assessments
With the expansion of information systems, software applications, bring-your-own-device (BYOD) programs, and the Internet of Things (IoT), organizations must prioritize testing their networks and endpoints through threat assessments that use sophisticated Intrusion Detection Systems (IDS), reducing the vulnerabilities that cyber-attacks could exploit.
- Conduct Spear-Phishing Campaigns
Due to the significant increase in spear-phishing attacks (i.e., fake emails that appear to come from a reputable entity or a known individual), organizations should periodically test their employees' cyber awareness and susceptibility to such attacks by engaging certified ethical hackers to conduct social-engineering-based spear-phishing education and exercises.
- Perform Vulnerability Assessments and Penetration Testing
Most organizations either conduct internally, or hire an independent firm to perform, some form of vulnerability assessment using vulnerability scanning software, as well as penetration testing to discover external vulnerabilities that cyber-attacks could exploit. It is important to conduct these tests at least once a year, but twice a year or quarterly is better, given the constant evolution of cyber-attacks.
- Implement an Effective and Timely Software Patch Management Program
The most significant cyber data breaches of the past two years all resulted from organizations failing to implement an effective and timely patch management program for their Microsoft and Cisco software. This burden is smaller if you are using cloud-based systems that update and patch automatically.
- Establish a Cybersecurity Awareness/Education Program
The most cost-effective way to improve cybersecurity is to create a human firewall by providing quality cybersecurity education programs for all your employees, from the top of the company to the bottom. This should be an ongoing process: repetition is needed to get the education points across to your employees on a consistent basis.
- Conduct Cybersecurity Risk Assessments
It is important to independently verify that an organization’s cybersecurity policies, plans, and procedures are sufficient to adequately protect the organization’s digital assets and to ensure regulatory compliance with the applicable industry cybersecurity standards.
- Implement an Incident Response (IR) Program
It is critical that every organization has a well-thought-out and periodically tested IR program, which includes policies, plans, processes, procedures, standard forms, and periodic exercises and/or simulations.
- Ensure Continuous Monitoring, Detection, and Response (MDR)
Every organization should invest in a level of MDR services appropriate to the cyber threats it encounters or anticipates. The key is to detect intrusions rapidly so that they can be contained quickly and the malware eradicated, thereby reducing the negative impact on information systems and data assets.
- Invest in Business Continuity Planning/Disaster Recovery to Ensure Resilience
Given the high probability of a cyber data breach, it is essential to have a reliable and secure offline data backup system. This minimizes the impact on the organization’s operational performance and protects its most valuable digital assets from loss or damage caused by a cybersecurity breach.
Spending thousands of dollars on some or all of the key cybersecurity recommendations, including conducting email and network threat assessments, performing vulnerability assessments and penetration testing, implementing spear-phishing testing, and providing cybersecurity education programs, can reduce your cyber vulnerabilities and the impact of a data breach, saving you millions of dollars. Don’t be penny wise and pound foolish. Invest in cybersecurity for the benefit of your organization.
Paul M. Perry, CISM, CITP, CPA is a Member and Practice Leader for the Security, Risk and Controls Group of Warren Averett, LLC, the 33rd largest CPA and Advisory firm, based in Birmingham, Alabama. This group focuses on control-related projects, including SOC reports, IT Control Reviews, Risk Assessments and Internal Audit outsourcing.