Cybersecurity, data security, and data privacy continue to be hot topics for all market segments. Information security incidents put a lot at stake and can cause financial harm, brand and reputational damage, increased regulatory scrutiny and personal liability for business leaders, and of course, repercussions for customers, clients and others in the value chain.
Most cyberattacks are designed for financial gain—data for dollars. Personally identifiable information (PII), financial transaction data and account credentials are the focus of most hacking efforts, and the data suggests the trend will only increase.
Understand the Business Trends That Run Straight Into Data Security Risks
Enterprise risk management (ERM) professionals identify cybersecurity risks as one of the fastest growing concerns across all industries. There are several trends converging that are making information security more complex, and companies should be prepared for how trends may affect data security considerations.
Capital commitments are increasing and appear to be favoring non-traditional ventures. More funds are being pumped into global markets with an apparent preference for newer business models like data centers and health care facilities. This translates to significantly higher levels of data security and data privacy responsibilities for all parties in the value chain.
Technology investments in digitization, data modeling, artificial intelligence (AI), the Internet of Things (IoT) and virtual intelligence (VI) are increasing. Even buildings are becoming smarter, as companies look for ways to reduce their carbon impact and make their office spaces more eco-friendly. Data-driven usage and operational efficiencies help companies, consumers, and vendors reduce costs, but each new piece of technology comes with new considerations for information security.
Evolving Cyber Data Market
Cyber criminals’ tactics and strategies are developing rapidly. Prior data breaches (e.g., Equifax, Yahoo, Target) have fed the data aggregation and analytics traded on the Dark Web, which in turn power social engineering and sophisticated phishing scams. This information is readily available and sold to competitors, hackers, employees, former employees and others, along with easy-to-use applications and services for launching an attack against any company.
Use of Third-Party Suppliers & Outsourcing
Use of third-party suppliers (outsourcing) is increasing for data processing, data storage, data analysis and other data and processing services, as well as common business practices such as payroll production. Vendor-management practices need to include controls and processes associated with availability, security, privacy, confidentiality and processing integrity. These service providers include software as a service (SaaS), infrastructure as a service (IaaS), managed service providers, and other cloud-based solutions.
Understand What Information Security Threats Look Like
Most businesses handle personally identifiable and financially sensitive information, such as Social Security numbers, bank account information and credit and debit card numbers, at some level, whether it’s just for payroll purposes or as part of ongoing business activities. Sensitive information, in any form, can be used to defraud an organization and its customers.
Identifying the types of information that cyber criminals may target is the first step, but arguably more important is being able to recognize the methods cyber criminals use to access that information.
Business Email Compromise
A business email compromise (BEC) is a cyberattack that tricks a business into wiring money to a criminal’s bank account. The attackers do this by spoofing email addresses and sending fake messages that appear to come from a trusted business professional, such as the CEO or a company attorney. The FBI has found that billions of dollars in business losses can be attributed to BEC. One of the easiest and most effective ways to substantially reduce the risk of becoming the victim of a BEC scam is to implement a policy of never sending a wire based solely on an email. There should always be a way to verify the accuracy of the information in an email, such as talking to the sender in person or calling the person at a known phone number.
Ransomware
The WannaCry event in 2017 and, more recently, the cyberattack on the city of Baltimore both involved ransomware, a type of malware that makes the data on your device or network unavailable until you pay a ransom. This is very profitable for attackers, of course, and is becoming more and more popular. All it takes is one member of your team clicking on a link in an email, and all of your data could be locked. In addition to operational systems, ransomware can target any device that is connected to the internet, including smart locks, smart thermostats and smart lights.
Cloud Providers
Most businesses rely on electronic information and systems to run day-to-day operations. A cyberthief doesn’t have to hack into a company to get its data; they can instead target the company’s cloud provider. In most contracts with cloud-computing companies, the customer (your business) is not well protected in the case of a cyberattack.
Understand Where You Need to Go
We are long past assigning the safeguarding of this critical data solely to the information technology (IT) department. Company leadership has a key role to play in oversight and “tone at the top.” Action plans should touch on these areas:
Governance, Responsibility & Accountability
Governance, responsibility, and accountability begin with education. Companies need to understand where they are and where they need to go. Establishing an IT Risk & Security Steering Committee is key. This should include the company’s IT professionals, business leadership, and critical data stakeholders (department leads, operations managers, etc.). Periodic meetings on critical data protection, including key metrics and progress against a plan, should be the main focus of this group.
Action Plans & Risk Roadmaps
Your company should develop actionable priorities and a risk-remediation roadmap from a third-party assessment against a recognized security-controls framework (e.g., NIST CSF, CIS 20). Similar to the financial controls evaluation in a company’s annual audit, companies should evaluate and establish a baseline of where they stand relative to an industry-recognized security controls framework. This baseline helps establish priorities that may take several years to implement. The good news is that the highest risks are mitigated early, which sets the stage for continuous security advancement.
Security Mindset & Culture
Although easier said than done, companies need to change their security mindset and culture. Security is everyone’s responsibility. Enhance training and awareness, and use data-driven actions to improve the overall culture. Awareness is first, training is second, but an enduring security culture and lasting behavioral change is the goal. This includes all employees, suppliers, third-party providers, and even clients working together to ensure safety and security for all.
Skillsets & Talent
Improve the skillsets and talent (internally and externally) associated with strategic digitization and security plans. This includes employees, clients, leadership, the board and your partners. Continually assess and improve the positions that touch, protect and secure the company’s critical data and processes. Technology is changing rapidly, and the company and its investors should ensure that the right people, processes and technology are in place to protect the investment and clients.
Understand How to Get Started
While the topic and associated efforts may be overwhelming at times, companies need a step-by-step approach to mitigate these business risks. Cybersecurity comes down to understanding those risks and creating a plan to mitigate them.
Knowing where the data comes from and where it goes is critical to security. The first step a company should take is to conduct an independent assessment against an industry-accepted security controls framework (e.g., CIS 20, NIST CSF). This effort should include a prioritized roadmap and plan to be shared with the board of directors (typically the Audit and Risk Committee).
A data-driven response and action plan, aligned with and supported by business leaders and the board, will go a long way toward protecting a company’s and its clients’ data – and livelihood.
Unauthorized access to your data can lead to devastating financial, legal and reputational consequences. If you have questions or require additional information about cybersecurity, don’t hesitate to contact us.
Ray Gandy is a Director and Leader of the IT Risk and Security Practice at CBIZ & MHM New England. He can be reached at email@example.com or 617.761.0722.
© Copyright 2019 CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.