Cybersecurity Is Critical for all Organizations – Large and Small

Steve Ursillo, Jr., Christopher Arnold | November 4, 2019

Introduction

In today’s computerized world, new risks emerge every hour of every day. Connecting to the Internet opens up the possibility of a hacker targeting your organization. Cybercrime is becoming big business and cyber risk a focus of organizations and governments globally. Monetary and reputational risks are high if organizations don’t have an appropriate cybersecurity plan.

A ‘Cyber Security Breaches Survey 2018’ revealed that over four in ten (43%) businesses and two in ten (19%) charities in the UK suffered a cyberattack. The survey found that 38% of small businesses had spent nothing at all to protect themselves from cybersecurity threats. A separate survey also found that a third of UK small businesses are risking their online safety by operating at or below the “security poverty line”. The most frequent types of cyber-criminal activity were sending fraudulent e-mails and impersonating organizations online. Malicious e-mails were also found to be the most common type of cyberattack in the Internet Security and Threat Report. The consequences of cyber-crime are costly: the total average cost of a data breach in 2019 is $3.92 million, according to research conducted by the Ponemon Institute.

What is Cybersecurity? 

Cybersecurity is making sure your organization’s data is safe from attacks by both internal and external bad actors. It can encompass a body of technologies, processes, structures, and practices used to protect networks, computers, programs, and data from unauthorized access or damage. The goal of any cybersecurity strategy is to ensure confidentiality, data integrity, and availability.

There are several primary means by which cybersecurity issues can affect (or even destroy) an organization and its reputation. There is the risk that a hacker might obtain sensitive information such as bank account or credit cards details. There are open markets for such information on the “dark web”. If others access such sensitive information, the organization might find its banking or credit card facilities withdrawn or in breach of privacy laws. Each month high-profile security breaches impacting individual data are reported globally.

A second but related issue is that when a hacker obtains sensitive information about the organization, it may find its reputation ruined. Few small organizations can survive the damage to their reputation that such lost data might cause. The damage to reputation and goodwill might be more crippling than the actual data loss itself. Loss of customer data may result in legal or regulatory action against the organization. A third party might file a suit against an organization because they have themselves incurred a loss. Organizations might also be subject to significant penalties and/or legal action arising from breaches of the privacy laws in many jurisdictions.

The most recent and alarming aspect of cybersecurity that causes considerable problems for organizations is ransomware. As early as 2012, ransomware campaigns were reported to have adopted commercially focused business models. In many cases, a piece of malware is disguised and embedded within another type of document, only waiting to be executed by the target user. Upon execution, the malware may encrypt the organization’s data with a secret 2,048-bit encryption key or communicate with a centralized command and control server to await instructions from the adversary. Once infected, the organization’s data continues to be inaccessible as the malware encrypts the data using the attacker’s encryption key. Once all accessible data is encrypted, including in many instances the backup data and systems, the organization will be instructed on how to pay a ransom within days, or the adversary will remove the encryption key and the data will be lost. Literally, the adversary holds the data to ransom; hence, ransomware. The encryption key is sufficiently strong that cracking the key instead of paying the ransom is uneconomic: some estimate that an average desktop computer would take five quadrillion years to decrypt the data without the key. In some cases, the target organization can hope that some researchers may have discovered a way to decrypt the data based on a design flaw. Otherwise, the organization will have to look to restore the systems and data from a safe backup or consider paying the ransom. Keep in mind that even data restoration does not eliminate the risk that the ransomware will be re-enabled or return, given the compromised integrity of the environment.

Cybersecurity Governance

A cybersecurity governance and risk management program should be established which is appropriate for the size of the organization. Cybersecurity risk needs to be considered as a significant business risk by the owners and directors. This should be at the same level as compliance, operational, financial and reputational risks with suitable measurement criteria and results monitored and managed.

There are voluntary frameworks which can be used to consider the risk assessment and related best practices. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework includes five concurrent and continuous functions:

  1. Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.
  2. Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
  3. Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  5. Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Protection from Malicious Software and External Attack

New threats continue to emerge and each organization needs to be sure it is equipped to deal with a dynamic threat landscape. The following are some of the more critical system utilities and solutions used to help mitigate these malicious attacks:

  • Firewalls are software (and also hardware) designed to protect the system from attack from people accessing the organization’s systems via both internal and external communication links.
  • Malware/spyware and web proxy protection solutions protect the system from software code that may be from pop-up windows or have more insidious intent, such as logging usernames and passwords for fraudulent purposes.
  • Anti-spam software protects email inboxes from being clogged by unwanted broadcasted email.
  • Anti-phishing software protects users visiting websites that are designed to trap user information that can then be used for fraudulent purposes.

All are mandatory for any well-managed system utilizing a defence-in-depth strategy. The cost of an attack can be significant, involving loss of data, fraud, and the cost of rebuilding systems, and should be analysed against the cost to defend against such threats.

It is recommended to use a well-known, reputable supplier. Some companies purport to supply these utilities but in fact the utilities themselves can be malicious software. Be cautious about using free software or software from an unknown vendor. Generally, it is best to use the utilities recommended by the business’s systems integration (technical support) organization, as they will be responsible for its installation, configuration, and maintenance.

Maintenance of these applications is critical. New malicious software emerges every day. Most software vendors provide at least a daily automatic update to their databases to ensure that the system continues to be effectively protected. Ensuring that these updates are correctly implemented is essential.

Hardware Maintenance Plans

Maintenance contracts should be maintained with hardware suppliers so that hardware failures can be quickly rectified. These contracts should specify the service levels that the supplier will meet in the event of failure. Critical hardware such as servers, switches, and backup technologies require prompt attention. Many contracts specify four-hour response for failure of these components. Other, less critical hardware such as individual workstations can have longer response times.

Some organizations, particularly in remote areas, purchase some critical components that have a higher potential to fail, such as power supplies, as spare parts that can quickly replace a failed component. Organizations that rely on maintenance contracts should ensure that the support company maintains an adequate supply of spare components to meet the organization’s service level commitments.

The quality of the organization’s external IT support company is critical in ensuring the systems are correctly implemented and supported. Issues that need to be considered in selecting an appropriate company include:

  • Their knowledge and experience with the organization’s hardware and operating system configuration.
  • Their knowledge and experience with the organization’s application software.
  • Certifications held with major hardware and software companies, which provide assurance as to the competency of the people in the organization.
  • The number of people within the company who have the required knowledge to support the system—this is critical as a reliance on a single individual can result in significant delays and cost should that individual be unavailable for any reason.
  • Their ability to provide support services remotely to enable rapid response to issues at a reasonable cost.
  • Proper due diligence and vendor risk management to ensure that the third party is providing the services based on the organization’s expectations.

People and Documentation

Every organization should establish a plan to mitigate the risk of key people being unavailable in the event of a system failure. Keep a list of contact details for backup technicians. Document the configuration of hardware and software applications and keep this up to date so that a new technician can quickly rebuild the system.

Policies and Procedures

Proper IT governance procedures within an organization are critical. Implement a formal risk assessment process and develop policies to ensure that systems are not misused and ensure that applicable policies are continually reviewed and updated to reflect the most current risks. This includes developing incident response policies and procedures to properly respond to, account for and help mitigate the cost of a potential breach.

Ongoing education for all employees on technology risks should form part of the organization’s risk management framework, with potential security breaches being mitigated as a result of education and policies being promulgated to all levels of staff. Policies should include but are not limited to:

  • User Account Management: rules and policies for all levels of users; procedures to ensure the timely discovery of security incidents; protection of IT systems and confidential data from unauthorized users.
  • Data Management: establishing effective procedures to manage the repositories, data backup and recovery, and proper disposal of media. Effective data management helps ensure the quality, timeliness, and availability of business data.
  • IT Security and Risk Management: a process that maintains the integrity of information and protection of IT assets. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures.

Individual jurisdictions are likely to have enacted legislation that may require particular policies, or issues within a particular policy, to be addressed. Common policies are listed below and cover system use, e-mail use, internet use and remote access.

System Use Policy

A system use policy generally outlines the rules by which the organization’s IT systems can be used. Example elements to be considered in this policy include:

  • Mandatory use of passwords on all systems, such as phones and tablets, including the need for passwords to be changed regularly and a prohibition of providing passwords to other team members or third parties.
  • Prohibition of copying organization data and removing the data from the office without approval.
  • The encryption of memory/USB sticks.
  • The physical security of equipment.
  • Use of the system during business hours.
  • Rules for the private use of the system, if allowed, outside office hours.
  • Multifactor authentication - using more than one method of authentication from independent categories of credentials to verify the user’s identity for login.

Email Use Policy

Example elements to be considered in an e-mail use policy include:

  • Prohibiting the use of personal email accounts for business matters.
  • Prohibiting opening email attachments from unknown sources (as they may contain malicious software).
  • Prohibiting accessing email accounts of other individuals.
  • Prohibiting sharing email account passwords.
  • Prohibiting excessive personal use of the organization’s email.
  • Notification that the organization will monitor email.

Internet Use Policy

Example elements to be considered in an internet use policy include:

  • Limiting Internet use to business purposes.
  • Notification of the ability of the organization to track Internet usage.
  • Prohibiting access to sites that are offensive to a person’s gender, sexuality, religion, nationality, or politics.
  • Ensuring that downloads occur only from a safe and reputable website.
  • Prohibiting downloading executable (program) files as they may contain malicious software, and also prohibiting downloading pirated music, movies, or software.
  • Prohibiting providing the user’s business email address in order to limit the likelihood of spam.
  • Consequences of violation.

Remote Access Policy

Example elements to be considered in a remote access policy include:

  • Approvals required for external access.
  • Reimbursement of external access costs.
  • Security procedures (including disclosure of passwords, third-party use of system, disconnection from other networks while accessing the organization’s systems, use of firewalls and installation of appropriate software to protect the remote system from malicious attack and multifactor authentication).
  • Physical security of organization-supplied equipment such as laptops.
  • Reporting of any possible breach of security, unauthorized access, or disclosure of the organization’s data.
  • Agreement that the organization can monitor the activities of the external user to identify unusual patterns of usage or other activities that may appear suspicious.
  • Consequences of noncompliance.

Insurance

Adequate insurance should cover the cost of replacing damaged infrastructure as well as the labor costs to investigate the incident, rebuild systems and restore data. Consider also insurance for productivity loss resulting from a major system failure or catastrophic event.

Steve Ursillo, Jr.

Partner, Risk Assurance & Advisory and National Leader: Information Assurance & Cybersecurity, Cherry Bekaert LLP

Steve is a Partner in Cherry Bekaert's Risk Assurance & Advisory Services (RAAS) group and serves as the National Leader for the Information Assurance & Cybersecurity practice. He specializes in technology risk management, internal control over financial reporting, information system security, privacy, cyber fraud, cybersecurity governance, IT assurance and IT advisory services. With more than 20 years of experience, Steve provides a variety of IT audit and security services for his clients across multiple industries. Steve holds several professional designations that are relevant to his experience and the firm’s practice, consisting of the following: CPA, CIA, CGMA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC, CEH and CCSFP.

Christopher Arnold

Head of SME/SMP and Research, IFAC

Christopher Arnold is the head of SME/SMP and Research at IFAC. He was previously an Audit Manager for Deloitte and qualified as an accountant in a mid-tier accountancy practice in London (now called PKF-Littlejohn). Christopher started his career as a Small Business Policy Adviser at the Association of Chartered Certified Accountants (ACCA).
