Assess Your IT Security to Create a Competitive Advantage

by Kevin Villanueva, Senior Manager, IT Auditing & Consulting Practice

In today’s increasingly complex technology and security landscape, data breaches and hacking attempts no longer impact just a few unlucky organizations.

The pace of innovation, coupled with the rise of the Internet of Things and rapid adoption of connected devices, has increased the risk for network vulnerabilities, making every organization susceptible to attacks. Examples range from a Los Angeles–based health care system that had its electronic medical records held hostage to a breach of customer credit card information at a major national retailer.

This new reality not only impacts chief information officers and IT-team operations but can also have a significant impact on an organization’s bottom line, making IT security a new mandate for CFOs. In fact, the Governance of Cybersecurity: 2015 Report revealed a sizeable uptick in the attention executives and boards are paying to cybersecurity risk management.

What has become clear to today’s executives is that they can no longer afford to gamble and wait when it comes to IT security. CFOs and fellow C-suite executives must view cyberthreats holistically, as a broader enterprise risk, and undertake regular IT security assessments—a comprehensive review of administrative, technical, and physical security. These assessments review whether the necessary safeguards and protocols are in place to protect not only the organization but also its employees, customers, and partners in the event of a data breach.

Once considered a necessary evil, assessments are now a necessary differentiator for any organization seeking a competitive advantage in an increasingly complex business environment.

Building a Competitive Advantage

Across industries, third-party verification of network security has become significant to the procurement process, and businesses can lose out on potential work if they don’t have the proper assessments in place. Many organizations have stringent security requirements any time personal or sensitive information needs to be exchanged or shared across organizations, which is often a key part of the request-for-proposal process. 

This is especially true for industries with strong compliance regimes, such as the Health Insurance Portability and Accountability Act in health care or the Payment Card Industry Security Council’s standards for all companies that process, store, or transmit payment card information.

In other industries that operate critical infrastructure—such as ports, transportation, and water utilities, where a cybersecurity framework isn’t currently mandated—taking initiative to implement the necessary safeguards can provide a strategic advantage. Adopting a cybersecurity framework, such as one from the National Institute of Standards and Technology, could aid in business pursuits: Doing so notifies potential customers and business partners that the company has strong security controls in place and stands apart from the competition.

Removing the Blinders

Many companies focus solely on external threats and network breaches, but this narrow focus can blind organizations to equally serious internal threats. Companies must evaluate and install protocols for potential threats stemming from anyone who has access to the network, such as employees, vendors, temporary workers, or consultants. Physical security threats, such as malicious individuals gaining access to sensitive network hardware in the building—or to laptops, tablets, phones, and other devices that may leave the organization’s four walls—must be accounted for as well.

Even the best-secured companies are vulnerable to a data breach, and it’s important to have an incident response plan in place that outlines how the organization will respond in the event of a possible threat. Too many companies uncover the need for response planning only once a breach has occurred.

Undergoing an Assessment

In an IT security assessment, auditors work with an organization to identify network vulnerabilities and develop security policies and procedures based on industry best practices.

The assessment examines key areas of the network, including architecture, network perimeter protection, server and workstation management, and other operational aspects of the IT environment. Ultimately, the assessment enables organizations to implement changes that strengthen the entire company, from critical data confidentiality, integrity, and availability to employee safety.

The first step in an IT security assessment is hosting the auditing team on-site. An on-site visit enables auditors to view the company in its native space and understand how employees interact with sensitive data and operate on a day-to-day basis. This allows auditors to identify potential threats and risks to the data and recommend possible improvements in policy and protocol. Prior to this visit, companies should expect to receive a documentation list, including requests for copies of network diagrams, existing policies, and screenshots of system settings.

During the assessment, organizations should anticipate examinations of many areas of their network and system settings, which can include:

  • Network architecture
  • Firewalls
  • Intrusion prevention and detection systems
  • Server environment
  • Workstation setup
  • Anti-malware and data-leakage protection
  • Access controls, including use of encryption
  • Wireless network security
  • Data backup, restoration, and disaster recovery plans
  • Incident response procedures
  • IT policies and procedures
  • Security awareness
  • Compliance
  • Physical security and environmental controls
  • Penetration testing

Refreshing the Assessment

It’s short-sighted to assume going through the motions of an IT security assessment is enough. Too many organizations don’t establish a regular cadence for assessments, opting instead to undergo an assessment only once a threat is detected or prompted by the all-too-frequent news stories of data breaches and hacking attempts.

At a minimum, organizations should plan for an annual assessment, but they should also consider undergoing an assessment when changes to the IT environment impact network and system protections. This helps avoid potentially serious issues and vulnerabilities down the road. The infographic below shows changes to a company’s IT environment that would warrant an IT security assessment.

Today, nearly all business and financial operations are driven by technology, making IT systems central to an organization’s sustainability and bottom line. As the rapid pace of innovation continues, businesses—and upper management in particular—need to acknowledge the significant risks cybersecurity issues can pose and take the necessary precautions to mitigate potential harm to their organizations’ overall security and health. The current reactive mindset must change to a more proactive one, ensuring a company, and by extension, its employees, customers, and partners, remain protected.

We Can Help

To learn more about IT security assessments or what your organization can do to strengthen its security posture, contact your Moss Adams professional.

Kevin Villanueva has been in the information technology field since 1997. His areas of practice include IT security assessments, penetration testing, PCI Data Security Standard assessments, HIPAA compliance auditing, and strategic technology planning. He can be reached at (206) 302-6542 or

The material appearing in this communication is for informational purposes only and should not be construed as legal, accounting, or tax advice or opinion provided by Moss Adams LLP. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Moss Adams LLP assumes no obligation to provide notification of changes in tax laws or other factors that could affect the information provided. The material appearing in this presentation is for informational purposes only and is not legal, accounting, tax, or investment advice, as an endorsement of any party or any investment party or any investment product or service, or as an offer to buy or sell any investment product or service. Past performance may not be indicative of future results. Different types of investments involve varying degrees of risk, and there can be no assurance that the future performance of any specific investment, investment strategy, or product (including the investments and/or investment strategies recommended or undertaken by Moss Adams Wealth Advisors LLC), or any non-investment related content, made reference to directly or indirectly in this newsletter will be profitable, equal any corresponding indicated historical performance level(s), be suitable for your portfolio or individual situation, or prove successful. All opinions expressed are those of Moss Adams Wealth Advisors LLC. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including but not limited to, an accountant-client relationship or advisor-client relationship. 
Although these materials may have been prepared by professionals, the user should not substitute these materials for professional services and should seek advice from an independent advisor before acting on any information, as the views and solutions described may not be suitable for all investors.

© 2017 Moss Adams LLP