Armanino Blog

Simple Processes Can Strengthen Cybersecurity

by Jeremy Sucharski
January 31, 2017

Although data breaches at corporations like Target and Anthem dominate the headlines, big companies aren’t the only ones under attack. As the risk of a hack continues to rise, smaller organizations can protect their sensitive data by implementing some simple and inexpensive cybersecurity processes.

Small and mid-size companies are at risk
A 2016 Ponemon Institute survey of IT leaders at small and mid-sized businesses (up to 1000 employees) found that half of the companies had suffered a breach within the last 12 months. As the volume of available data continues to multiply, and data becomes increasingly connected, this threat will only keep growing.

Cybercrime is a huge and profitable enterprise, and most hackers have a purely financial motivation. They use malware to steal data and then sell it on the black market, where each stolen record may bring anywhere from a few cents to hundreds of dollars, depending on what it contains and how the buyer can use it. Hackers also use ransomware to encrypt data and then demand payment from their victim, typically in bitcoin, to decrypt it.

In most cases, breaches are crimes of opportunity, rather than targeted attacks on a specific company. The weak link in the security chain is usually a person. The most prevalent form of attack is the phishing scheme, which infects a system with malware or ransomware when the user unwittingly opens a malicious attachment or clicks a link in a legitimate-looking email.

For a hacked company, even a minor breach can carry a hefty price tag. According to Ponemon, the average cost of incident response and remediation is now $221 per compromised record. Some hourly expenses, such as legal fees, accrue regardless of the number of records that are affected. A breach can also damage a company’s reputation and value. In late 2016, Verizon was widely reported to be exploring a price cut or possible exit from its pending acquisition of Yahoo, after Yahoo disclosed two massive breaches that occurred back in 2013 and 2014.

Start with simple controls
(Figure: Elements of a Cybersecurity Program)

The good news is that there is a lot you can do to protect your data, without making large expenditures on technology. The 2012 Verizon Data Breach Investigations Report found that a whopping 97% of breaches were avoidable through simple or intermediate-level controls. You can greatly mitigate your risk, often within weeks, by implementing these basic cybersecurity steps:

  1. Assess your risks. These include vulnerabilities related to your industry, your people, your technology and your business partners. Vendor/supplier security is critical, so in addition to assessing your internal risks, you need to determine what data these outside parties can access, and what their controls and safeguards are.
  2. Classify your data. You need to know how sensitive various information is, so that you can prioritize your security efforts and apply your resources where they are needed most. Protecting your data also requires that you understand how it is flowing through your organization. For example, are you using the cloud to send proprietary information to a manufacturer?
  3. Implement controls. These are simply the processes that you put in place to mitigate risks. For example, you can implement email filters, hold data security training for your workforce, encrypt your laptops and require your vendors to have service organization control (SOC) audits.
  4. Verify the controls. Once your processes are in place, run periodic tests on select controls, to validate that they are working as intended.
  5. Create a breach preparedness plan, and test it. Treat cyber incidents the same way you do disaster recovery or business continuity. Have a plan for how you will evaluate the damage, and how you will communicate and manage it internally and externally. Then test and refine your plan, by regularly sitting down with key personnel to run through your response to various hypothetical scenarios.
  6. Consider cyber insurance. You may want to use insurance instruments to transfer your risk to a third party. (If your organization has a cybersecurity program, and you are knowledgeable about your risks, you’ll also be a stronger candidate when you apply for an insurance policy.)

As your business changes, your risks change, so you should reassess your situation annually. If you have an existing enterprise risk management (ERM) program, you can leverage it and fold in your cybersecurity processes.

Ongoing board involvement and oversight is also important to your cybersecurity efforts. Evaluate your board composition and update it, if necessary, to add someone with data security expertise, and redefine your board committees to include cybersecurity responsibilities. You also need to establish proper governance and board oversight of your cybersecurity processes and strategy.

Although there is no way to completely prevent a breach, a strong cybersecurity program can help you mitigate your risks and be better prepared to respond to an attack. As the old saying goes, an ounce of prevention is worth a pound of cure.
