Effective Internal Audit Procedures Strengthen Your Cybersecurity
This is a message to all of you internal auditors -- there are bad guys around every corner. They’ll steal your delicious turkey sandwich from the breakroom fridge, won’t hesitate to bust into your car and walk off with your airbags and, even worse, black hat their way into vital corporate systems and get their grubby hands on sensitive information. That, as they say, is no bueno for companies doing everything they can to develop and maintain a competitive advantage in a crowded, sometimes contentious marketplace.
So why is Embark addressing you, our internal auditing friends, rather than IT with this latest salvo? Simply put, in this binary-driven world filled with digital malcontents constantly looking to wreak havoc, cybersecurity should be yet another component of your audit process. In fact, take this missive as a call to arms, internal auditors -- while you are not on the frontlines of cybersecurity, you do play a pivotal role in keeping your organizations out of harm’s way.
A Phalanx on the Digital Front
Before we launch into a slew of extremely beneficial best practices, let’s first take a step back and make sure we’re all on the same page. In this context, we’re defining cybersecurity as business functions and digital tools used to protect networks, computers, programs, and data from damage or unauthorized access.
Yes, that’s a mouthful but, given the consequences involved, cybersecurity must be incorporated into the systems and procedures you analyze over the course of an internal audit. In other words, that definition should be taken to heart to fully understand the scope of the problem, the role you play as a component of a strong cybersecurity posture, and the tools you utilize to protect your environments.
Granted, no one expects you to deploy advanced anti-hacker tactics during your next audit but, quite honestly, that isn’t why you play such a pivotal part in the cybersecurity equation to begin with. Instead, it’s your acute awareness of your organization, its systems and processes that make you such a valuable weapon against binary beasts that go bump in the night.
In fact, it’s the following roles, your diligent stare, and authentic desire to do right by your organization that inherently put you in a position of importance in the ongoing battle for cybersecurity in an insecure environment:
- Protection: It’s a complicated security world. As an internal auditor, you’re charged with testing and reviewing everything from bring-your-own-device (BYOD) policies to the security protocols in third-party contracts. Your efforts mix with effective IT governance to protect your organization as well as its data, customers, and employees.
- Detection: Advanced data analytics and associated technologies are quickly becoming a routine part of an auditor’s toolbox. Use such tools as a means of closely monitoring systems for even a hint of data security going sideways.
- Response: When security teams only include protection and detection in their cybersecurity program, incident response (IR) often becomes a one-off solution or doesn’t occur at all. When organizations treat IR separately, they inevitably introduce an additional gap or delay that consequently extends a threat actor’s window of opportunity to steal critical data. As an auditor, it’s imperative to ensure every aspect of a cybersecurity program is taken into consideration to provide the best defense possible.
- Continuity: Prepare for the worst and then take measures to prevent it from ever happening. Internal auditors, alongside security managers, must ensure an organization has an adequate business continuity and disaster recovery (BC/DR) plan in place that accounts for all foreseeable risk scenarios to safeguard operations in the event of a cyber attack. The key to a successful BC/DR plan is to build relationships and trust across the business and amongst teams, so that if systems go down everyone knows the plan and can execute it, and mitigate issues, as quickly as possible.
- Communications: Crisis communications play a pivotal role in mitigating the effects of a cyber attack relative to a company’s customers, shareholders, and brand reputation. Auditors can greatly assist in developing communication strategies and providing assurance checks of a communication plan’s effectiveness and immediacy.
- Improvement: Given an auditor’s wide-ranging perspective of a company’s operations and systems, they can contribute unique insights into the ongoing effectiveness of an overarching security strategy, making sure it evolves over time and continuously improves.
Open Auditing Eyes, Full Financial Hearts, Can’t Lose
As discussed, internal auditors possess a singularly comprehensive view of an organization’s overall well-being. Like every other aspect of a thorough audit, a careful examination of a company’s security protocols requires open eyes and the underlying desire to keep the organization free from the potentially devastating effects of a cyber attack. Along with vigilance and a meticulous approach, keep these factors in mind to gain the most benefit from your next audit:
Risk Is In the Eye of the Beholder
Don’t waste your limited time and resources on threats and vulnerabilities that aren’t in fact risks to your organization’s data and systems. Avoid prioritizing compliance over risk, only acting upon those threats and security gaps that pose a substantive risk to an information asset when exploited. Don’t needlessly dilute your efforts.
People Will Always Be the Most Effective Defense
In an industry inundated with a constant stream of technological security marvels -- firewalls, encryption, anti-malware suites, amongst many others -- it’s easy to lose sight of a company’s most powerful line of defense. Emphasize investment in your people, increasing security awareness within your team on an ongoing basis. As useful as innovation can be at helping your company in the fight, a workforce continually educated on the ever-evolving cybersecurity landscape will always be your most formidable ally. Your people are the moat around the castle and must be treated as such.
Assemble and Maintain a Gameplan
Historically, if you were to ask most chief financial officers (CFOs) about cybersecurity, they would respond with a quick “sorry, not my department.” However, the cost of a data breach lands squarely on the balance sheet, so CFOs should be well aware of cybersecurity risks and what an incident can cost. In the event of an active, real threat to your digital assets, an effective BC/DR plan must be in place to mitigate both the damage and the consequences. As the internal auditor, you must determine whether crisis management protocols and your company’s communication plan can adequately enable business continuity if a breach occurs. Likewise, the organization must implement the proper tools to continually monitor for and detect intrusions and, thus, maintain a vigilant digital eye against data breaches.
Develop Agile, Scalable Security Strategies
Methods of attack change by the day, always staying a step ahead of common knowledge. Simply put, today’s most effective security solutions are likely to be severely outdated in the very near future if they don’t evolve in lockstep with the threats. Because of this, small and midsized businesses (SMBs), which run with significantly less budget and fewer resources than enterprises, often turn to security-as-a-service (SECaaS) vendors. These third-party providers can help optimize a business’s cybersecurity resources, reducing excessive spend on tools and staff talent while keeping the latest threats at bay. Internal auditors must gauge whether security strategies and solutions are both sufficiently agile and scalable to keep up with an extraordinarily dynamic risk environment.
A Cautionary Tale
To demonstrate the absolute need for a sound, evolving set of security protocols, you don’t have to search further than news headlines for a sobering cautionary tale. Not so long ago, JPMorgan Chase, the nation’s largest bank and global financial titan, fell prey to the black hats of the world, absorbing the repercussions for years afterward while standing on already shaky customer confidence ground.
Although initial estimates of the 2014 cyber attack stated the hackers compromised roughly 1 million accounts, the actual numbers dwarfed those early figures from the bank. All told, over 76 million household accounts and 7 million business accounts were compromised in the attack, placing it amongst the most extensive cyber intrusions ever.
Perhaps even more foreboding, the thieves were able to swipe a list of the many applications and programs that ran on the bank’s systems which, unfortunately, the hackers could use to map out system vulnerabilities. Those vulnerabilities could very well provide entry points back into the system, even years after the initial attack, meaning the hackers could possibly regain access after JPMorgan had repaired all of the known security vulnerabilities. Once again, that is no bueno.
This is also a prime example of how meeting compliance regulations does not mean a business is secure. That misperception gives business leaders, compliance and security professionals, and internal auditors a false sense of security after they’ve ticked all the checkboxes at the end of a laborious regulatory compliance endeavor. Considering that compliance is only meant to set a minimum bar for security, it shouldn’t be a company’s ultimate goal.
Embark Can Help Protect Your Organization
As overwhelming as some of this might appear, there is quite a bit of good news still to be found. Internal auditors are in no way on their own when it comes to fighting the good cybersecurity fight. In fact, Embark can provide you with a wide variety of assistance as you construct and maintain an effective security strategy. Specifically, Embark can roll up its expert sleeves and help by:
- Performing a readiness assessment
- Assisting in developing a description of program details
- Strengthening your cybersecurity posture
- Identifying ERT (Emergency Response Team) vendors to fit with your specific needs and goals
- Making recommendations for program management process
When considering cybersecurity vendors, you can be up and protected in two minutes or less with our partner Armor, a born-in-the-cloud security-as-a-service provider. Armor Security means simplicity. Simplicity means bringing speed, scalability, and stability to your cloud security so you can focus on building and growing your business across the cloud. Their solutions extend your security capabilities by delivering 24/7 access to military-grade security expertise and integrated global threat intelligence gathered from over 1,200 client environments, powered by Spartan, the industry’s first threat prevention and response platform for cloud workloads and hybrid IT.
Your organization isn’t helpless to the sinister whims of the bad guys. Take these best practices as gospel, implement sound procedures within your process, and help keep your company safe in a patently unsafe environment. And as always, Embark is here to guide you along the way.