06.05.2018 | Client Alert
Cybersecurity breaches permeate the news. For large businesses, with sizable budgets, it is easier to fund the essential protection. However, the need is no less urgent, yet far more challenging, for smaller businesses.
Business owners and executives are frequently asking for insights on how to enhance cybersecurity efficiently and economically. To answer this burning question, the following provides ten control practices businesses should consider implementing to effectively manage cybersecurity and other significant information technology risks:
- Firewall Administration. It is essential for every enterprise and their respective network administrators to maintain well-functioning firewalls. Firewalls are important elements in layered security for every IT network. Only traffic controlled by the firewall rules, as set by network administrators, should be allowed through firewalls. Effective firewallsrequire periodic review to ensure proper configuration for scanning, logging and reporting traffic flowing in and out of a company’s network and blocking unauthorized external attempts to access the network.Always probing and evolving, cyber criminals look to exploit firewall vulnerabilities in an attempt to attack networks. Every month, multiple patches are released by software companies to address new vulnerabilities. It is most critical to apply the relevant security patches to ensure effective firewall operation.
- Intrusion Prevention and Detection. Risk management models with multiple layers of defense provide a cohesive and coordinated approach to cybersecurity and assurance. In case firewalls fail, organizations are recommended to have the next lines of defense prepared – Intrusion Prevention (IPS) and Intrusion Detection (IDS) systems. IPS monitors networks and systems for malicious activities. Contrary to firewalls which permit or block traffic in accordance with port and protocol rules, IPS monitor the contents of data looking for traffic anomalies. IDS monitor networks and systems for malicious activities that possibly may have already breached the system. If detected, the activity or violation is reported to a network administrator.
- Incident Response Planning. It is essential for a company to be prepared to respond immediately, before it is attacked. As such, each organization should have a formally documented and management-approved Cyber Incident Response Plan. The plan should be periodically tested to ensure it is fully operational and should include:The definition of a material breach;
a. Immediate steps to be taken by employees and IT personnel if a breach is suspected;
b. Clearly identified individuals who are responsible for containing the intrusion, mitigating the harm, and collecting and preserving vital information that will help determine the nature and scope of the damage and the potential source of the threat; and
c. Specific criteria to help determine the circumstances under which law enforcement and other relevant government entities should be notified.
- Business Continuity and Disaster Recovery Planning. No one can predict when the next disaster or business disruption will happen. It is not a question of if, but when. Preparing for the inevitable by developing a Business Continuity Plan (BCP) is an easy way for companies to help reduce disruption to operations. The BCP should be formally documented, approved by management, and periodically updated and tested (at a minimum on an annual basis.) Each plan should include a business impact analysis, recovery time objectives (RTOs), and defined primary and alternative recovery sites. Employees should be trained and understand their individual roles and responsibilities, and be ready to implement them if the need arises.
- Vulnerability Assessment. How vulnerable is your network?If a business owner or company management is unable to answer that question, it is recommended to obtain an independent assessment with penetration testing conducted to determine if networks are properly configured for prevention and detection of security breaches. In the absence of a periodic certification, it is difficult to conclude whether a system and/or network are properly configured against security breaches and cyberattacks.
- Multi-factor Authentication. In today’s flexible work environment, teleworking is very common. It is critical to have a secure connection between employees and an organization’s network. Because multi-factor authentication security requires multiple means of identification at login, it is widely recognized as the most secure software authentication method for verifying access to data and applications. Multi-factor authentication can be achieved using the Three-Factor Authentication:a. Something one knows – a password or PIN;
b. Something one has – a token or smart card (two-factor authentication); and
c. Something a person is – biometrics, such as a fingerprint.
Multi-factor authentication ensures that a user is who he or she claims to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.
- Password Policies. Many cyberattacks involve stolen or conjectured passwords. Passwords are only strong defense mechanisms if properly managed. Effective passwords should:a. Contain a complex combination of at least 3 upper and/or lowercase letters, punctuation, symbols and numerals;
b. Be a minimum of 8 characters in length;
c. Require fixed intervals when passwords must be changed; and
d. Not be able to be re-used.
In addition, initial passwords set by IT network administrators should be changed by users upon first login. All users should have unique usernames and passwords, which should only be known to them for maintaining accountability and minimizing the risk of unauthorized entry.
- Outside Service Provider Risk Management. When a portion or an entire IT operation is outsourced to a third or fourth party service provider, the risks associated with the function still remain with the business. For specific control practices on how to effectively manage outside service provider risks, see our article, “The Risky Business of using Outside Service Providers.”
- Cybersecurity Training. Trainingemployees on cybersecurity matters is crucial to maintaining a good cyber-safe environment. Specific policies and practices should be communicated and reiterated to all staff. The best tools and technologies are ineffective unless employees understand their roles and responsibilities. IT should send emails periodically to warn against potential IT-related security threats. By keeping employees up to date on emerging threats, a company can reduce the likelihood that an employee will be fooled into accessing a website or downloading a file that may have a negative impact on the company’s network. It is also beneficial to encourage staff to speak up when they see suspicious emails or files that may pose a threat to the organization.
- Change Management Policies and Controls. Organizations should have well documented Change Management Policies that provide specific steps covering infrastructure or product changes—including requests for a change, approval, design of the change, implementation, roll-out in a test environment, system integration and user acceptance testing and roll-out to production. These policies and controls are critical for organizations that develop software in-house. For these companies, specific care should be taken in the segregation of duties between the programmer making the change and the administrator moving the change to production.
If you have questions about the best approach to effectively manage your cybersecurity and other significant IT related risks, or would like to discuss having an Information Technology General Controls Assessment performed, contact Alexander Moshinsky, Director, Operational Advisory and Risk Management at Berdon LLP. 212.331.7488 | AMoshinsky@BERDONLLP.com
Berdon LLP, New York Accountants