Hackers in the News
When large, brand-name companies like Target, Anthem and Home Depot are breached by hackers, they make front-page news and incur significant reputational losses. The amount of money that hacked companies spend to repair their reputation in the marketplace is staggering, which is why this is a topic of discussion on most Board agendas. Every day, hackers become faster and more sophisticated at exploiting newly-identified vulnerabilities in security architectures. These are not the hackers of the past, teenagers fishing around for information from a computer in their basement. They are highly educated and technically savvy individuals who hack into companies for the purpose of stealing information that can be resold on the “black market.” These breaches may also take the form of attacks from nation-states that seek to acquire industrial, military, or other confidential or classified information. What about your company? How prepared is your IT security plan to prevent such a breach?
What Factors Add to Hacking Risk?
FGMK continues to see higher risk profiles for companies that seek faster and better ways to integrate their business operations with their customers and their business partners. The more access such companies provide to these external constituents, the higher the risk that they will experience an IT security breach. In addition, giving access to customers and business partners brings with it the risk that a breach at a customer or business partner can “cross over” and compromise an organization’s security controls. Such risks are in addition to risks arising from internal threats within an organization, primarily from employees who misuse their access to the IT security environment, or whose access can be exploited by “phishing” attacks, or by “social engineering,” whereby hackers attempt to gain access to confidential user credentials through fraudulent phone calls or e-mails. In some cases, disgruntled employees may use their access to post confidential information and data on public sites in order to embarrass or damage their employer.
Who Wants to Know?
With all of the above in mind, it’s no surprise that Board members want to know what their company is doing to protect itself from IT security breaches, while regulators are becoming more aggressive in their approach to reviewing IT security preparedness. Other interested parties include a company’s external and internal auditors, who regularly raise questions on this topic in order to assess the strength of a company’s risk control procedures. All of this scrutiny requires that management develop an action plan to address IT security risks and deploy limited resources in the best way possible.
How Do You Protect Your Company?
Where do you start? A good first step is to perform an “asset inventory” of the company’s IT environment. The company must generate a complete asset inventory, along with a network diagram and a data map, in order to secure the various tangible and intangible IT assets and develop an understanding of its IT security risks. Next, policies and procedures must be developed and maintained, governing access to the company’s IT security environment, as well as the processes for updating systems with the latest available software releases. Third, periodic assessments should be performed to ensure that the processes and controls that have been documented are actually being applied in practice. These assessments can include “penetration testing” and similar vulnerability assessments. Finally, a robust vendor management program is required to ensure that the risks of connecting to external parties (including customers and business partners) are addressed. While it may not be possible to completely eliminate the risk of a breach, given limited time and resources, an effective action plan combined with constant vigilance can significantly reduce the risk of an expensive breach.
If you have any questions about cybersecurity, please contact the author of this article, Bill Harrington, at (312) 818-4314 or firstname.lastname@example.org.
FGMK is a leading professional services firm providing assurance, tax and advisory services to privately held businesses, global public companies, entrepreneurs, high-net-worth individuals and not-for-profit organizations. FGMK is among the largest accounting firms in Chicago and one of the top ranked accounting firms in the United States. For more than 40 years, FGMK has recommended strategies that give our clients a competitive edge. Our value proposition is to offer clients a hands-on operating model, with our most senior professionals actively involved in client service delivery.