Jackie Lee
Cyberattacks are increasing in sophistication and magnitude of impact across all industries globally. According to a recent report issued by the U.S. Securities and Exchange Commission (SEC), the average cost of a cyber data breach is $7.5 million and continues to rise year over year.
While all organizations are potential targets of cyberattacks, the industries that possess the most valuable data are the biggest targets, including financial services, healthcare (including non-profit organizations), government, automotive, manufacturing and retail.
All organizations possess valuable information assets, which may include intellectual property, financial payment information, client information, supply chain partners’ information, personally identifiable information (PII), protected health information (PHI), and/or payment card information (PCI).
Cybersecurity attacks are becoming more common every day, and yet many organizations think these attacks won’t happen to them. The increase in attacks shows that any organization can be a target, and having proper IT security in place is only one of many preventive measures that should be taken. Here we explore some of the cybersecurity best practices your organization should consider for 2019.
Conduct email threat assessments
Given the increasing number of cyberattacks via email systems, companies are increasingly looking to conduct periodic email threat assessments, especially to detect malware that got past their anti-virus software and firewalls and has so far gone undetected.
Perform network and endpoint threat assessments
With the expansion of information systems, software applications, bring-your-own-device (BYOD) policies, and the Internet of Things (IoT), organizations are increasingly testing their networks and endpoints via threat assessments using sophisticated Intrusion Detection Systems (IDS) to reduce potential vulnerabilities to cyberattacks.
Conduct spear-phishing campaigns
Due to the significant increase in spear-phishing attacks (where fraudulent emails appearing to be from a supervisor are sent to employees to get them to reveal confidential information or provide bank account information), organizations should periodically test their employees’ cyber-awareness and susceptibility to such attacks by engaging certified ethical hackers who can conduct social-engineering-based spear-phishing exercises. IT security firms can provide additional training to employees on what to look out for when receiving this type of email.
Perform vulnerability assessments and penetration testing
Most organizations either conduct internally or hire an independent firm to perform some form of vulnerability assessment, using automated scanning software, and penetration testing to discover potential external vulnerabilities to cyberattacks. It is important to conduct these tests at least once a year, but twice a year or quarterly is better given the constant evolution of cyberattacks.
Implement an effective and timely software patch management program
The most significant cyber data breaches in the past two years all resulted from organizations failing to patch Microsoft and Cisco software in an effective and timely manner.
Establish a cybersecurity awareness/education program
The most cost-effective means of improving cybersecurity is to create a human firewall by providing quality cybersecurity educational programs for all of your employees, from the top of the company to the bottom.
This education should be mandatory for all employees with any access to electronic data, including email.
Conduct cybersecurity risk assessments
It is important to independently verify that an organization’s cybersecurity policies, plans and procedures are sufficient to protect the organization’s digital assets and to ensure regulatory compliance with the appropriate industry cybersecurity standards.
Implement an incident response (IR) program
It is critical that every organization has a well-thought-out and periodically tested incident response (IR) program, including policies, a plan, processes, procedures, standard forms, and periodic exercises and/or simulations.
Ensure continuous monitoring, detection and response (MDR)
Every organization should invest in an appropriate level of MDR services based upon the cyber threats it encounters or anticipates. The key is to rapidly detect intrusions so that malware can be quickly contained and eradicated, reducing the negative impact upon information systems and data assets.
Invest in business continuity planning/disaster recovery to ensure resilience
Given the high probability of a cyber data breach, it is essential to have a reliable and secure offline data backup system to ensure minimal impact to the organization’s operational performance and to protect its most valuable digital assets from loss or damage.
—————
Jackie Lee, CPA, is a partner with Mengel, Metzger, Barr & Co. LLP. She may be reached at Jlee@mmb-co.com.