In today’s increasingly complex technology and security landscape, data breaches and hacking attempts no longer impact just a few unlucky organizations.
The pace of innovation, coupled with the rise of the Internet of Things and rapid adoption of connected devices, has increased the risk of network vulnerabilities, making every organization susceptible to attacks. Examples range from a Los Angeles–based health care system that had its electronic medical records held hostage to a breach of customer credit card information at a major national retailer.
This new reality not only impacts chief information officers and IT-team operations but can also have a significant impact on an organization’s bottom line, making IT security a new mandate for CFOs. In fact, the Governance of Cybersecurity: 2015 Report revealed a sizeable uptick in the attention executives and boards are paying to cybersecurity risk management.
What has become clear to today’s executives is that they can no longer afford to gamble and wait when it comes to IT security. CFOs and fellow C-suite executives must view cyberthreats holistically, as a broader enterprise risk, and undertake regular IT security assessments—a comprehensive review of administrative, technical, and physical security. These assessments review whether the necessary safeguards and protocols are in place to protect not only the organization but also its employees, customers, and partners in the event of a data breach.
Once considered a necessary evil, assessments are now a necessary differentiator for any organization seeking a competitive advantage in an increasingly complex business environment.
Building a Competitive Advantage
Across industries, third-party verification of network security has become significant to the procurement process, and businesses can lose out on potential work if they don’t have the proper assessments in place. Many organizations have stringent security requirements any time personal or sensitive information needs to be exchanged or shared across organizations, which is often a key part of the request-for-proposal process.
This is especially true for industries with strong compliance regimes, such as the Health Insurance Portability and Accountability Act in health care or the Payment Card Industry Security Council’s standards for all companies that process, store, or transmit payment card information.
In other industries that operate critical infrastructure—such as ports, transportation, and water utilities, where a cybersecurity framework isn’t currently mandated—taking the initiative to implement the necessary safeguards can provide a strategic advantage. Adopting a cybersecurity framework, such as one from the National Institute of Standards and Technology, could aid in business pursuits: Doing so signals to potential customers and business partners that the company has strong security controls in place and sets it apart from the competition.
Removing the Blinders
Many companies focus solely on external threats and network breaches, but this narrow focus can blind organizations to equally serious internal threats. Companies must evaluate and establish protocols for potential threats stemming from anyone who has access to the network, such as employees, vendors, temporary workers, or consultants. Physical security threats, such as malicious individuals gaining access to sensitive network hardware in the building—or to laptops, tablets, phones, and other devices that may leave the organization’s four walls—must be accounted for as well.
Even the best-secured companies are vulnerable to a data breach, and it’s important to have an incident response plan in place that outlines how the organization will respond in the event of a possible threat. Too many companies uncover the need for response planning only once a breach has occurred.
Undergoing an Assessment
In an IT security assessment, auditors work with an organization to identify network vulnerabilities and develop security policies and procedures based on industry best practices.
The assessment examines key areas of the network, including architecture, network perimeter protection, server and workstation management, and other operational aspects of the IT environment. Ultimately, the assessment enables organizations to implement changes that strengthen the entire company, from critical data confidentiality, integrity, and availability to employee safety.
The first step in an IT security assessment is hosting the auditing team on-site. An on-site visit enables auditors to view the company in its native space and understand how employees interact with sensitive data and operate on a day-to-day basis. This allows auditors to identify potential threats and risks to the data and recommend possible improvements in policy and protocol. Prior to this visit, companies should expect to receive a documentation list, including requests for copies of network diagrams, existing policies, and screenshots of system settings.
During the assessment, organizations should anticipate examinations of many areas of their network and system settings, which can include:
- Network architecture
- Intrusion prevention and detection systems
- Server environment
- Workstation setup
- Anti-malware and data-leakage protection
- Access controls, including use of encryption
- Wireless network security
- Data backup and restoration and disaster recovery plans
- Incident response procedures
- IT policies and procedures
- Security awareness
- Physical security and environmental controls
- Penetration testing
Refreshing the Assessment
It’s short-sighted to assume going through the motions of an IT security assessment is enough. Too many organizations don’t establish a regular cadence for assessments, opting instead to undergo an assessment only once a threat is detected or prompted by the all-too-frequent news stories of data breaches and hacking attempts.
At a minimum, organizations should plan for an annual assessment, but they should also consider undergoing an assessment when changes to the IT environment impact network and system protections. This helps avoid potentially serious issues and vulnerabilities down the road. The infographic below shows changes to a company’s IT environment that would warrant an IT security assessment.
Today, nearly all business and financial operations are driven by technology, making IT systems central to an organization’s sustainability and bottom line. As the rapid pace of innovation continues, businesses—and upper management in particular—need to acknowledge the significant risks cybersecurity issues can pose and take the necessary precautions to mitigate potential harm to their organizations’ overall security and health. The current reactive mindset must change to a more proactive one, ensuring a company, and by extension, its employees, customers, and partners, remain protected.
We Can Help
To learn more about IT security assessments or what your organization can do to strengthen its security posture, contact your Moss Adams professional.