We are constantly reading about Cybersecurity issues in the news. As a sports fan, one of the more interesting stories occurred back in May, when the Milwaukee Bucks of the NBA were victims of a security breach. To give a brief recap, this incident occurred when an unknown party using a fake email address impersonated the team’s president, requested player’s W-2 information (which contains names, addresses, social security numbers, salaries, and birth dates), and an employee unknowingly responded with all the requested information. Stories like this prove that these issues do happen in the real world- big companies and small alike, and we must do all we can in order to prevent their occurrence.
Here are eight tips for improving your company’s cybersecurity:
1. Have a training/awareness session with all employees to ensure no stone is left unturned. Even with all the best controls in place, all it takes is one employee to compromise your company. Explain to them the dangers of phishing and the importance of keeping data secure. Don’t just send out an email and think you’ve done your part. Basic polices should be established such as strong passwords, frequently changing passwords, Internet use guidelines, always locking computers when away, and most importantly how to responsibly maintain customer information and other sensitive information.
2. Phish your employees to test how they’d respond in a mock scenario. It sounds ridiculous, but what better way to obtain a barometer of how your employees would respond? You can create a fake email similar to that of the top official of your company – so instead of firstname.lastname@example.org, you can create email@example.com and send an email as him, requesting key information. An ideal response to this would be spotting the change in email address, but other proper responses should be to call the person and confirm the email. Another way would be to quiz them with real and phished websites, email addresses and links to see if they can identify the differences.
3. Cyber liability insurance can cover costs incurred due to a data breach caused by a malicious cyber security attack. Some of the expenses covered include the costs to notify affected customers who may have had personal information exposed, and a forensic investigation to determine where the breach occurred. Most businesses have insurance to cover the loss or damage of computers, but the information on those computers is likely just as valuable.
4. Back up your data with secured cloud based storage platform (not like Dropbox). These are also a safe way to exchange sensitive information. Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.
5. Keep your firewall and anti-virus up to date, and secure your network. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router. If employees work from home, ensure that their home system(s) are protected by a firewall. Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
6. Mobile devices are a very convenient way of allowing ourselves to continue working while away from our computers. However, security on a mobile device is often taken for granted, and left exposed to hackers. Data on mobile devices should be encrypted and only those devices that support encryption should be used. Without intruding in your employees’ private space, monitor work related applications on your employees’ phones. Also, there should be a way to remotely wipe the devices clean if they are lost or stolen.
7. Hire a cyber security consultant. They can provide an initial risk assessment of your company’s security and surrounding controls, which will expose weaknesses. They can perform tests to determine whether products, applications, and networks, are sufficiently resistant to cyber security threats. They can also assist with preventing attacks and creating a security breach response plan (see below).
8. If a security breach were to occur, what would you do? Developing a security breach policy that will provide guidance in the unfortunate occurrence of a breach. There should be a way for management to notify individuals whose sensitive information may have been stolen. There should be a thorough investigation of the events leading up to and following the discovery of the breach. Legal counsel may need to be contacted to determine whether law enforcement and/or regulatory agencies need to get involved.
Shari Diamond, CIA
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.