Dan Andrea is the director of information security for Kahn, Litwin, Renza & Co. Ltd., an accounting and business advisory firm based in Providence. Andrea will host a cybersecurity forum for nonprofits on Wednesday, April 26 at KLR’s office in Providence. For more information, visit www.kahnlitwin.com.
PBN: Have you seen corporate concerns about cybersecurity on the rise in the last year?
ANDREA: Corporate concerns are increasing as breaches increase in volume and in publicity. Ransomware events are on the increase and companies continue to struggle with paying the ransom or hoping that their backup and restore routines are sound. However, we have an increasing concern that there may be “cyber fatigue” setting in at the senior levels of organizations. This could result in a scaling back in their protection efforts or becoming lax in their awareness.
PBN: What sort of questions do companies need to be asking when it comes to developing a cybersecurity program?
ANDREA: We generally advise clients to incorporate the following themes (amongst others) when they develop their cyber program:
- Does our structure have the ability to address a cybersecurity event? Cybersecurity is an enterprise-wide endeavor and should involve all functional areas of the organization as part of the program.
- What is our approach to data protection? Do we have sufficient monitoring of our environment and have we built in redundancy as part of a layered protection scheme?
- What is our process for handling a cyber event? We advise our clients not to think of “if” an event will occur but rather “when.” Do we have an incident response plan that will address a cyber-enabled breach?
PBN: Is cybersecurity an issue best handled at the executive level in a corporation, or at a lower “front-line” level?
ANDREA: As indicated above, cybersecurity is an enterprise-wide responsibility. We recommend that it starts at the board or executive level, so that the entire organization realizes that cybersecurity has senior commitment, perhaps through a formal cyber committee. Day-to-day execution of the program can be delegated to less senior individuals across functional lines. However, this does not mean that the senior team does not stay engaged; indeed, cybersecurity updates should be part of regular senior management meetings.
PBN: How can social-engineering tests help secure a corporation against cyber attacks?
ANDREA: Social-engineering testing can be an invaluable tool as part of an organization’s overall security awareness training. It provides immediate feedback to senior management as to the success of its ability to communicate appropriate preventive measures to be taken by employees, who are often the weakest link in a company’s cybersecurity defense. The testing should be frequent and should not result in punitive measures against employees (unless there are habitual offenders). Results of the training should be published and training curricula revisited as appropriate.
PBN: How is the issue of cybersecurity different for a nonprofit?
ANDREA: Conceptually, cybersecurity defense should not vary between types of organizations. However, nonprofit entities face unique challenges such as:
- Potential limitation of resources (financial and personnel) that are available to construct an adequate cybersecurity program. Survey data indicates that “hackers” are more prone to go after smaller entities because of this general belief.
- Lack of knowledge, perhaps, at the board level regarding cybersecurity. This can result in less-than-adequate cybersecurity programs.
- Nonprofit organizations are more likely to accumulate large amounts of personal information (members, donors, etc.), which enhances their exposure to the “bad guys.”
- Reputational risk if a cybersecurity event occurs, which could result in debilitating consequences for nonprofit organizations.
Kaylen Auer is a PBN contributing writer.