The Equifax breach generated headlines because it was huge – exposing the personal information of roughly 145 million Americans – and because it forced the retirement of the company's chairman and CEO. You might think your company is an unlikely cyberattack target because it isn't a corporate giant. Not so. Sixty-one percent of the breach victims studied in the latest Verizon Data Breach Investigations Report (covering 2016) were businesses with fewer than 1,000 employees.
The growing frequency of data breaches and other information security incidents means that information security is no longer solely an information technology concern; it is a management and board-level responsibility.
Here are some questions to answer to begin to evaluate your cybersecurity preparedness.
Do you have a security strategy robust enough to protect your high-value information?
Management and IT should regularly evaluate your organization's risk profile – your industry, the types of information you collect and store, and the systems and controls in place to protect that data. Cybersecurity risk assessments must be ongoing rather than one-time exercises, because both the threat landscape and your own systems keep changing.
What gives you confidence in your data security?
Attackers have gone after a wide range of data types: operational, financial, customer, personal and strategic information, such as intellectual property or trade secrets. What controls are in place to protect each of these data sets, and how do you know they are actually working? How often are internal controls reviewed? Have the controls ever been tested by an independent third party, for example through a penetration test or a simulated attack?
Would your organization be able to detect a breach?
Your internal controls – including the collection and monitoring of system logs and the review of who is accessing your network – should let you detect a breach promptly rather than learn about it from a customer, a vendor or law enforcement. Once an incident is detected, all affected parties must be notified in accordance with your legal and contractual obligations, and management should determine the root cause of the incident and put a recovery plan in place to minimize the risk of a repeat attack.
When was the last time your organization had a security assessment against a standard framework?
The National Institute of Standards and Technology publishes a Cybersecurity Framework that can be applied to organizations of all types and sizes. The Center for Internet Security's Critical Security Controls (the CIS Controls) are a prioritized set of recommended actions for cyber defense that provide specific and actionable ways to stop today's most frequent and dangerous attacks.
Some industries have additional requirements. Financial-services organizations should be familiar with the Federal Financial Institutions Examination Council's guidance, health care organizations have breach notification and other obligations under the 1996 federal Health Insurance Portability and Accountability Act (HIPAA), and retailers and anyone else that handles card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS).
When was the last time you reviewed the data-security risks posed by your vendors and partners?
Your organization should periodically review which outside parties have access to your systems and data, what level of access each has, and the controls in place to protect that access.
Establish minimum cybersecurity requirements for each vendor, write them into your contracts, and regularly evaluate how well each vendor meets them. You should also be part of your vendors' notification chain so that you hear promptly if they experience a breach or other cybersecurity incident that could affect your data.
What investments are you making in your employees’ cybersecurity practices?
Many new-hire orientation programs include information about cybersecurity policies, but then the subject is never revisited. Your company should communicate clearly and regularly to all employees what they need to know about their role in cybersecurity – for example, how to recognize and report phishing attempts, how to handle sensitive data, and whom to contact when something looks wrong.
Ray Gandy is a director and leader of CBIZ Tofias’ IT risk and security practice in New England, with offices in Providence and Boston.