Continued advancements of firewalls, intrusion detection devices and security monitoring software offer organizations across a host of industries new levels of security against cyber-attacks. At the same time, these measures and other steps taken by Information Technology (IT) professionals cannot eliminate every threat from hackers, scam artists and even employees intent on obtaining, sharing or selling data for their financial gain. Additionally, IT security measures can’t always prevent an employee’s unintended exposure of non-public or proprietary data.
In today’s environment, investments in the latest security hardware, software and services can create a false sense of protection for organizations. The reality is that all organizations have some level of exposure to potential cyber threats. The quality and depth of the measures that are in place and the comprehensiveness of an organization’s strategy to mitigate and respond to cyber events are two of the main considerations for an effective cyber security plan.
According to a Verizon Data Breach Investigations Report, approximately 87 percent of all breaches could have been avoided by implementing simple or intermediate internal controls. Verizon has further noted this vital observation regarding IT security: “Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don’t do).”
Responding to the Cyber Threat Revolution
As cyber threats continue to evolve, it’s not a question of if some type of breach will happen. The more relevant questions have become when will it happen and what form will the breach take. To be clear, this is not an IT-only issue. IT security and internal controls have become an important company-wide concern. Internal controls are the responsibility of everyone in an organization. Given the ever-present danger of the threats that exist, it’s short-sighted for any organization to place the entire burden of IT security on IT departments – particularly those that are already stretched to the limit in relation to manpower and resources.
The IT resources of a small or mid-sized company are typically limited when compared to today’s cyber threats and the damage those threats can inflict. The reactive pressure of daily demands on an in-house IT department can divert resources away from the proactive work of managing security and cyber threats. For many organizations, the trend in recent years has moved toward leaner IT staffing, as companies have sought savings by keeping the number of full-time employees to a minimum and using specialists where needed. As a result, companies are relying more on third-party vendors to assist with security; however, this does not necessarily reduce overall risk.
Organizational Challenges & Real-Life Scenarios
At the small- and mid-sized business level, IT security is often overseen by the owner, CFO or CEO. Some organizations will even choose to outsource their IT security oversight. Generally speaking, owners and company management are not well-versed in the technical aspects of IT security. The trap of believing that a third-party resource has the security needs sufficiently covered awaits every senior executive who engages or oversees the work of external IT resources (vendors or contractors). The simple reality is that no group of external resources or team of employees can totally eliminate cyber threats, and the false sense of security senior executives can hold regarding cyber criminals or other bad actors accessing their systems can be as dangerous as the threats themselves.
Furthermore, within the realm of closely held businesses, the range of needs is vast. A business with corporate office operations, a core staff and locations spread across multiple states has different needs from a sole practitioner working out of a home office, but the latter’s needs are no less important. In-house IT staffing at small- or mid-sized companies typically ranges from one to four full-time employees. These professionals are usually assigned to oversee the operation of the network, handle any issues with the email server and work with the printers on site. Along with other daily IT maintenance and support tasks, they may be called upon to support certain applications, especially those that are critical to the daily operations of the business.
Within small- and mid-sized business settings, the owner and company management are ultimately placing a great deal of trust in their IT people and vendors. Oftentimes, those who are overseeing the IT activities of their companies don’t know which questions to ask in regard to IT security. Unless they hold expertise in the intricacies of systems operations, most executives will have difficulty challenging their IT teams on points related to the security of their data and systems.
Consider Scenario No. 1: A phishing email is sent to a small company. The phishing email appears to come from the CEO, directing the Controller to make a sizable payment of funds, typically via a wire transfer. Because the company lacks proper security protocols, the money is disbursed into the account of the hacker. Phishing scams along these lines are both commonplace and effective in breaking through the minimal procedural security measures set up by small- and mid-sized businesses. In many cases, it takes an event like a phishing email and/or a breach that leads to a financial loss before the leadership at many organizations realizes that it can indeed “happen to them.” From that point forward, IT security and internal controls become a priority. According to a Verizon study on data security, phishing scams are the easiest and most frequent initial point of entry “into” an organization.
Questions to Consider in Evaluating the Quality of Data Security & Internal Controls
Assessing the quality of an organization’s data security and internal controls requires an in-depth analysis. There are myriad questions to be considered, including the following:
- Does your company or organization have a current cyber security program? If so, when was the last time any of the following were performed:
  - A cyber security risk assessment?
  - An internal network vulnerability assessment?
  - An external network vulnerability assessment?
  - A penetration test (exploiting vulnerabilities identified during the network assessment)?
  - A remote social engineering (spear phishing) assessment?
- When was the last time your company had an independent assessment of your IT environment?
- Do you know if your organization has solid IT controls in place to maintain a secure environment?
- Do you have any concerns related to your Information Technology or Information Security?
- Has your IT organization experienced a lot of turnover, or do you have any concerns related to the knowledge level of your IT team?
- Has your company had (or are there plans to have) any new financial systems implemented during the current fiscal year? Have you significantly changed the program logic to any of your key financial systems?
- Are you planning, or have you recently completed, an acquisition or do you expect to significantly expand your business acquisitions?
- Is your company experiencing significant business growth?
- Is your company planning to go public or is it being positioned to sell within the next two years?
We Can Help
At Elliott Davis Decosimo, our professionals have the right kind of expertise with financial, operational, and IT controls to evaluate the overall cyber security risks of an organization and assess the most significant needs going forward. Our approach is based on taking a defined set of controls and applying those standards to our clients’ infrastructure. Our process is initially facilitated through inquiries with management and review of policies, procedures, and other related documentation. Our process may also include verification procedures to evaluate the operating effectiveness of those controls. Not only does our firm’s report highlight risk areas and potential vulnerabilities, but organizations can use this analysis to help prioritize dollars spent in an upcoming budget year, including the addition of training for employees on cyber security threats and regulatory requirements. To learn more about what our firm has to offer in the area of internal controls and data security, contact your Elliott Davis Decosimo advisor or Bonnie Bastow.