Cybersecurity
Cybersecurity is concerned with activities in cyber space, while information security also addresses risks that arise from computer systems that are physically isolated from other electronic systems and the protection of information stored in a format that is not accessible through electronic means, such as printed paper stored in filing cabinets (SOC for Cybersecurity). Unscrupulous actors can gain access to sensitive and private information by exploiting vulnerabilities including our altruistic desire to help others. Now is a good time to ensure you have proper protocols in place to protect against the compromise of sensitive and private information. Having a cyber security plan is a step in the right direction. A good cyber security plan includes, at a minimum, the following five steps:
- Identification: Identifying who has access to, and control of, business information is the first step in a good cybersecurity plan. Individuals that have access to, and control of, business information should have been vetted during the hiring process; that is, they should have been subjected to a background check that involved, at a minimum, assessing their experience and competence as it relates to the handling of sensitive and private information. Management however, is obligated to ensure that there are proper policies and procedures in place to guide the handling of sensitive and private information.
- Protection: The protection of sensitive and private information, albeit challenging, can be achieved through vigorous physical and logical access controls aimed at preventing or timely detecting and correcting compromise. Limiting employees’ and vendors’ access to the information that is required for them to perform their duties can aid in preventing the compromise of sensitive and private information. An employee or vendor should not have access to information they do not need to perform their duties. In addition, Management is obligated to ensure that there are proper policies and procedures in place, including continuous awareness training, to minimize the risk that outsiders can gain access to sensitive or private information through phishing and social engineering scams.
- Detection: Prevention is best and detection and correction is next best only if correction is aligned to the risk response time needed given the gravity of the breach. There is really no excuse for not having, or having but not updating, anti-virus, malware, and spyware programs on your system. Management is obligated to ensure that there is an assigned process owner for cyber-attack monitoring and response.
- Response: A risk assessment plan without a risk response plan is virtually useless. If sensitive or private information is compromised, it is important to have, at a minimum, a plan to prevent further breach. Management should ensure there are policies and procedures in place to ensure the proper response to incidents and breaches.
- Recovery: Backup and recovery should be performed as a normal business operation that occurs in real-time, daily, or at an interval that the company, its regulators, and its clients find reasonable. If your business is small you could use external hard drives to make these backups, but for a more convenient solution, or for larger businesses, cloud services are a good option for backup. If you choose to use cloud services, ensure that such service providers have proper security protocols in place and can provide evidence of such by; for example, a successful yearly SOC 1, SOC 2 and/or SOC for cybersecurity examination (System & Organization Controls).
Protecting sensitive and private information is important. A stark reminder that staying vigilant in protecting yours and your clients’ information, is the numerous scams that unscrupulous actors/hackers have been attempting and perpetrating during the recent storms. If you need guidance on best practices in protecting sensitive and private information, please contact the advisors at CompVisory today.
