Protecting information technology systems is rapidly becoming a top concern for business owners, C-suite executives and boards of directors. Whether you run a small, mid-sized or large company, the size of your organization doesn’t affect your threat risk. One report of data breach incidents found that 61 percent of data breach victims in 2016 were businesses with fewer than 1,000 employees.
The prevalence of data breaches and information security breaches means that information security is no longer solely an IT concern. Boards of directors need to be involved and informed about their company’s information security risks so they can ensure their organization’s management and internal audit functions are adequately addressing them. Threats are evolving and becoming more complex, and so too should information security protocols. The following questions may provide boards of directors with a solid starting point for a cybersecurity check-in with their IT and management teams.
Do You Have an IT Security Strategy and Plan That Is Aligned with Your Highest Value Information?
Management and IT should regularly be evaluating the organization’s risk profile—its industry, the types of information the company collects and the systems in place to protect data. Ongoing cybersecurity risk assessments are critical because the risk environment changes. System updates could create gaps in information security, as was the case in the WannaCry incident. A solid risk assessment includes criteria for evaluating and categorizing cybersecurity risks and threats, criteria for assessing confidentiality, integrity and availability of information systems and private information, and how the organization will mitigate identified risks.
What Makes You Feel Confident in Your Security and Controls Over the Company's Data?
Unauthorized users have gone after a range of data types, including operational, financial, customer, personal and strategic information, such as intellectual property or trade secrets. Management and IT should be able to explain not only what controls are in place to protect the various data points, but also how management knows the controls are working. How often are internal controls reviewed? Have the controls ever been tested by a third party, such as through a penetration test or simulated attack?
Penetration tests and vulnerability assessments that cover wireless security, firewalls, VoIP systems and DMZ architecture can help expose areas of weakness within your current control environment before a real incident takes place.
Would Your Organization Be Able to Detect a Breach? How Often Does Management Review Incidents and Breaches, and When Was the Last One?
An organization’s internal controls, including log monitoring and network access controls, should be able to identify unusual activity that would indicate a breach may have occurred. Boards of directors should have a clear understanding of how often internal controls are reviewed and what the organization’s cybersecurity incident response plan includes. Affected parties should be notified, and management should review the underlying cause of the incident and put a recovery plan in place to minimize the risk of the same vulnerability being exploited again. If they are not already, boards of directors may want to request that they also be notified of significant cybersecurity incidents.
When Was the Last Time the Organization Had An IT Security Assessment Performed Against a Standard Framework?
There are several “best in show” frameworks available for cybersecurity plans, and the organization’s plan should reflect the scope and activities they include. The National Institute of Standards and Technology (NIST) has a framework that can be applied across all types of industries. The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus on a smaller number of actions with high pay-off results.
Some sectors have additional, unique requirements. Financial services organizations should be familiar with the Federal Financial Institutions Examination Council (FFIEC) recommendations, health care organizations have breach notification and other obligations under HIPAA, and retailers have the Payment Card Industry Data Security Standard (PCI DSS). If their framework has never been evaluated, organizations may want to undergo a voluntary Service Organization Control (SOC) Report for Cybersecurity, an assessment of how a cybersecurity program compares to a framework supported by the AICPA.
When Was the Last Time Key Suppliers and Partners Were Reviewed with Respect to Access to Data and Systems?
Third-party vendors can be a critical source of risk. Your organization should periodically review which outside parties have access to which systems, and the controls in place to protect that access.
Organizations also need to understand the cybersecurity risks posed by third-party vendors. While your organization may have robust controls over sensitive information, a third party’s controls may not be as well developed. Organizations should establish minimum cybersecurity practices for each vendor to meet and regularly evaluate their vendors to determine how well each one meets those requirements. They should also be part of the vendor’s notification chain should the vendor experience a breach or cybersecurity incident.
What Investments Are You Making to Improve Your Employees’ Understanding and Everyday Practice of Information Security?
Many training programs include information about cybersecurity policies as part of initial employee onboarding, but the topic is often not revisited after that point. Organizations should clearly communicate to their staff, on a regular basis, the information they need to know about their role in cybersecurity. Consider notifying employees about emerging threats, particularly ones that involve social engineering such as phishing emails.
If your organization works with a high volume of sensitive data, it may also want to conduct a simulated social engineering exercise to see how employees respond to a typical attack, such as a phishing email. Schedules should also be put in place for ongoing cybersecurity awareness training.
Boards of directors can play a critical role in the cybersecurity risk management process so long as they are informed about the steps their company is taking to protect its information. Having a detailed conversation with members of the IT team and also with company management can help ensure that there is an enterprise-wide approach being taken to mitigate information security threats. For more information about how to enhance your cybersecurity strategy, please contact us.
Ray Gandy is a Director and Leader of the IT Risk and Security Practice in New England. He can be reached at firstname.lastname@example.org or 617.671.0722.