Data breaches affect all organizations, from small not-for-profit organizations to large commercial retailers. Hackers do not discriminate. Should your organization fall victim to a cyber attack, the results could be devastating. The average cost of a data breach in 2014 was $3.5 million. Furthermore, threats to cybersecurity appear to be increasing both in quantity and in severity. Data breaches doubled from 2012 to 2013 and from 2013 to 2014, the average cost of data breaches went up by more than 15 percent.
Not-for-profit organizations oftentimes do not invest in information security because of limited resources, which leaves them particularly vulnerable to cybersecurity threats. Their IT systems and security measures may be outdated, and many do not have a cyberprotection strategy that extends beyond a few basic policies and procedures.
Most organizations also tend to focus on securing the perimeter of their digital assets—locking doors and equipment up, etc., and do less monitoring of key access points. Smartphones, websites, laptops, networks and vendor access points need protection from unauthorized access and disruption. Cybercriminals frequently use these sources as points of entry into your organization, which could have devastating financial, legal and reputational consequences. Personnel are often a weak point as well—55% of incidences in 2014 are attributed to insider (employee) misuse of organization systems, information resources and other applications. Approaching cybersecurity as a function of your internal controls can help protect the confidentiality, integrity and availability or your organization’s key information. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s 2013 internal controls framework provides a good foundation for mitigating cybersecurity risks. A cyber incident or data breach will cause you to examine your control environment, control activities, intrusion detection methods and incident response procedures. If you have cyber risk management incorporated into your internal controls, your organization can be much more efficient in responding to and recovering from a security incident.
Everyone in your organization plays a role in minimizing cybersecurity risk, and it’s up to your organization’s management and cybersecurity team to communicate what that entails.
Misplaced or stolen electronic devices rank as a primary cause of data loss. Recommended practices for how to treat company equipment could reduce the number of these incidents within your organization. For example, you might want to require employees to take home or lock up any electronic devices at the end of the workday.
Your staff should also be on guard for suspicious emails or other unusual requests for information, as they might be cybersecurity threats in disguise. Hackers can gain access to your organization’s networks through programs that trace the key strokes on your computer or through malware inserted into your system via vulnerabilities in your control environment.
A cyber risk assessment helps prioritize your approach to cybersecurity. The first step is to consider your organization’s unique risk profile. Your industry and the kinds of information your organization collects are key predictors of which areas of your operations will be most at risk. Healthcare institutions, for example, face the most significant risk from having their medical records as the target for compromise.
Consider the value of the information your organization collects, both for the hacker and for your organization. On average, healthcare records involved in a data breach cost companies $316 per record. Compromised financial information cost companies $236 per record. Value doesn’t exclusively mean records’ monetary price, either. Information that if compromised would have a significant effect on your operations should command a larger share of your security resources.
Part of the risk assessment might include an information technology assessment. This multifaceted approach to your policies and procedures for protecting technology information helps identify the areas of vulnerability and risk. A network security assessment can identify vulnerabilities in your external and internal networks; evaluate firewall, intrusion prevention, and network access control systems and policies; and assess wireless networks to provide you a clearer picture of where your risks may lie. Network penetration testing should also be included in your information technology assessment, as this can give you a sense of whether vulnerabilities could be exploited and how easily security incidents can be detected in your current operating environment. Testing can also give you an idea of the potential magnitude of impact a cybersecurity breach would have on your organization.
Internal controls are essential to the effective operation of all organizations. They are the activities or procedures designed to provide reasonable assurance to management that operations are “going according to plan.” Without adequate internal controls, management has little assurance that its goals and objectives will be achieved. Properly designed and functioning controls reduce the likelihood that significant errors or fraud will occur and remain undetected. Internal controls help ensure that departments are performing as expected.
Control activities are the policies and procedures designed by management to protect the organization’s objectives and goals from internal or external risks. Some common and important cyber risk control activities are logical security, change management, management of mobile devices and wireless network access, performing and protecting data backups, and monitoring third party providers and cloud services.
Logical security controls help make sure that only authorized individuals can access your systems and that one person does not have too much power or influence over your organization’s applications, data, or IT environment. Consider segregating duties on your cyber risk team. Frequent password changes, limiting the system administrator function, and logging and/or reviewing system administrator changes made in the financial accounting systems are recommended logical security practices.
Change management controls can regulate system updates and other modifications that go into production. Your organization should implement procedures that notify management of changes and allow management to approve any modifications prior to the work being done. Then, your organization should test the changes using someone other than the developer. If satisfied that the modification works appropriately, there should be an approval process before the change goes into the production environment.
Mobile devices and wireless networks need controls to protect them from unauthorized access. Best practices include encrypting mobile devices and removable media, issuing unique user IDs and complex passwords and automatically wiping devices that are lost or stolen. The remote wiping of devices is especially important because, as mentioned earlier, missing devices are the most common source of organizational data loss.
Controls should also be in place to protect your data backups. Your organization needs to know what is backed up and where it is being stored, be it a data center, third party provider or cloud provider. Back-up controls to consider include real-time notification and resolution of back-up failures, off-site back-up and replication and periodic restores. Annual or semi-annual service organization control audits can help your organization manage your third party service providers. If no service organization control audit reports are available, then be sure your back-up controls include periodic visits to the third party provider or cloud provider offices and hosted data centers. You should also request and review monthly or quarterly provider reports that detail the significant events that took place, the people who accessed the third party provider or cloud provider site and planned outages by the third party or cloud provider.
Whenever you are working with a third-party service provider, you also need to make sure your organization is knowledgeable and involved in the provider’s disaster recovery plan. If an unplanned outage affects a provider, your organization should be prepared for the potential effect that would have on its operations.
The risk environment continues to change and evolve, and so too, should your cyber risk management strategy. Organizations should regularly evaluate the effectiveness of their current strategy and that of any third parties that administer their information technology security. They should then present findings to key stakeholders for consideration. Periodic cyber risk assessments should be part of your monitoring activities as well so that you can see how your systems are holding up to internal and external risks in your operating environment. Planned changes, such as adding a new third party service provider or moving office locations are also good times to revisit and update your cyber risk strategy. If you have any questions or comments, please contact us here.
Christopher Roach is CBIZ’s national information technology lead and a managing director with CBIZ Risk and Advisory Services. He can be reached at firstname.lastname@example.org or 713-871-1118.