Cybersecurity, at its core, is about protecting what’s valuable to you as an organization.
For some, that might mean protecting valuable customer data—credit card information, Social Security numbers, or patient health care records. For technology companies, it’s also about protecting intellectual property. This includes source code, designs, products, or future product strategies. Collectively, that intellectual property defines the value of a tech company, and that value is usually sitting on a server as an easy target to be hacked.
For many organizations, it’s no longer a question of whether a network will be compromised but when a network will be compromised. Almost 50% of all companies experienced at least one security incident during a 12-month period, according to a 2017 survey by the Ponemon Institute. If that isn’t an impressive enough figure, then consider this: The average data breach costs a company $3.9 million.
That’s a frightening perspective with a huge cost attached to it—and things aren’t going to get better anytime soon.
Accountability
High-profile enterprise hacking leads to the painful loss of precious data, customer confidence, and hundreds of millions of dollars in legal fees, notification costs, and technology remediation. It’s no wonder C-level executives are now paying more attention to their organizations’ vulnerabilities when it comes to cybersecurity.
Other individuals also demand results:
• Investors and boards of directors are increasingly holding senior management accountable for cybersecurity.
• Customers and partners demand adequate cybersecurity controls are in place before conducting business.
• US states, regulators, and regulatory bodies are legally mandating cybersecurity compliance.
Influencing Factors
Emerging Technology
The rapid proliferation of new technology, including a wide array of mobile devices and cloud-based solutions, means that hackers now have many more entry points to attack.
Universal Vulnerability
Additional vigilance is required for larger companies because of their access to valuable information and pervasive technologies, which makes them a natural target. This doesn’t let the small guy off the hook, though. If there are rumblings that a start-up has the next killer app in development, for example, they’re vulnerable to attack.
International Threats
Economic espionage, or cyberespionage, isn’t limited to borders. It isn’t uncommon for overseas companies to target entities releasing products with high potential for profit and revenue. While the act itself isn’t necessarily something new, there are now organized and contracted teams leading the attack.
Social Engineering Attacks
Even with stronger security defenses, organizations are still at a disadvantage in the fight against hackers. Why? Because cyberattacks are increasingly aimed at individuals rather than systems—and the human factor is much harder to manage. People, however, are also the first line of defense with proper training.
Assessing Your Vulnerabilities
Risk Assessment and Analysis
There are many ways to infiltrate a company. Often, a company’s biggest weakness is not knowing how exposed it is to a cyberattack. An IT security risk assessment and analysis can help identify and assess the holes in your operation—a good first step toward protecting your organization.
A risk assessment can help answer several key questions:
• What systems are most at risk?
• Who has access to the most significant organizational data?
• How was mission-critical data acquired?
• What vital data is being processed, and how?
• What essential data is being stored, and how?
• What valuable data is being transmitted, and how?
• Where is crucial data being transmitted?
A cybersecurity risk assessment and analysis needs to be conducted annually and should focus on internal cybersecurity controls each year as well.
Penetration Testing
In addition to conducting a cybersecurity risk assessment and analysis and focusing on internal cybersecurity controls, prudent cybersecurity management also requires penetration testing.
Penetration testing allows highly skilled and experienced security consultants to identify vulnerabilities by invading your systems from a cyberattacker’s perspective. Put another way, penetration testing is “ethical” hacking.
Third-Party Due Diligence
If you use cloud-based or third-party hosting services or other services that help manage an aspect of your technology environment, such as firewall management or data backup, then you should ascertain the protections and security measures the vendor has in place to protect client data.
Audits: Attestation Reports on Controls
A company should request and review a System and Organization Controls (SOC) examination report, also known as SSAE 18. Alternatively, utilize an ISO 27001 audit by an independent and objective firm that specializes in technology audits before entering into an agreement with the service provider and giving them access to your sensitive data. In addition, the contract between your organization and the service provider should include language that allows you to conduct audits of their hosting environment.
Cybersecurity is a bit like playing cat and mouse. The risk of a breach will always be present, but staying one step ahead and being aware of evolving cybersecurity threats will go a long way toward enhancing your organization’s security. If you’d like to learn more, download the Moss AdamsCybersecurity Guide.
More on our authors:
Mark Edwards has been solving corporate cybersecurity problems since 2001. His experience covers a range of industry groups, regulations (GDPR, PCI, HIPAA, CFS, etc.), and frameworks, including NIST, ISO, HITRUST CSF, and COBIT. He can be reached at (858) 627-5530 or mark.edwards@mossadams.com.
Joan Taylor has provided internal control services since 2004. She specializes in risk management and assessment as well as compliance services across many industries. She also manages audits under the requirements of Sarbanes-Oxley (SOX) Section 404. She can be reached at (949) 221-4086 or joan.taylor@mossadams.com.
Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.
