By Nick Sabbatini, Audit Senior
In previous posts, Technology and Connectivity: You Are at Risk and Technology and Connectivity: The Most Likely Way That You Are at Risk of Being Breached by a Cyber-attack, it was suggested that everyone is at risk of experiencing a data breach and that human error is the weak point leading to the majority of breaches. This third and final installment provides some general advice on mitigating the risk of a potential data breach.
How can data be protected from the risk of a potential data breach?
The sad truth is that, regardless of cyber security measures and other security controls, the risk of a data breach can never be completely removed. It can, however, be managed. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers a framework that gives invaluable guidance in this area. The Framework is applicable to entities of all sizes and gives guidance on enterprise risk management, internal control, and fraud deterrence. This framework, updated in 2013, is the most widely used internal control framework in the US, and is also widely used around the world.
COSO’s framework consists of five components: Control Environment (standards set by senior management or the board of directors, if applicable), Risk Assessment (processes that identify and analyze risks, both internal and external), Control Activities (policies and procedures that mitigate identified risks), Information and Communication (internal and external communication of responsibilities and of the importance of controls), and Monitoring Activities (evaluations to determine whether the five components are present and functioning).
A company seeking a more secure operational environment should review the COSO framework and apply the guidance to address specific risks it has identified.
In relation to cyber security threats, most entities already apply at least some of the guidance offered by the COSO framework, whether they know it or not. For instance, many companies have identified cyber security needs, implemented security hardware and software, obtained cyber insurance coverage, or established a clear cyber security policy, or tone at the top, all of which are measures suggested by the guidance in the COSO framework. Although each of these processes is vital, individually and in aggregate they are fairly basic and are not enough to sufficiently mitigate cyber security risk. A more robust security environment should include additional measures, based on a more holistic approach, including assessment and/or monitoring of service providers, contractors, and other external parties that may have access to a system.
While the specific security measures and controls will differ for each entity, based upon specific risks identified, type of industry, data involved, and other unique factors, one general improvement is applicable across the board – widening the risk view.
Widening the risk view and grasping the bigger picture will allow for a complete analysis of risk and help to identify where additional security measures may be necessary.
This wider view is innately supported by the COSO framework, which defines an entity’s information system as “the set of activities, involving people, processes, data and/or technology, which enable the organization to obtain, generate, use and communicate transactions and information to maintain accountability and measure and review the entity’s performance or progress towards achievement of objectives.” Taking this definition into consideration, an entity’s risk view should clearly include all contractors, vendors, and others who are connected to an organization’s data system.
Not incorporating additional security measures related to external users is a massive miss, especially in light of the fact that these players are often key factors, if not the direct causes, of major data breaches. Some potential measures that can be used when addressing cyber security risks related to external parties are:
- establishing contracts that require endpoint protection,
- implementing enhanced authentication processes,
- ensuring access levels are appropriate for each user, and/or
- understanding the security and control measures in place at the external party.
While these are just a few of the potential measures that can be implemented, the bottom line is that there must be a wider risk view, one that considers external risks related to connected third parties, and appropriate mitigating controls must be put in place to address the risks identified. Simply requiring a username and password and relying on the firewall or basic network monitoring is not enough.
We are now standing on the edge of a vast interconnected technological horizon, promising unlimited potential for advancement. The infancy of computer-based technology and world-wide connectivity has long passed. In this ever-modernizing world, data breaches will increasingly pose a serious threat to sensitive data and finances, and reactionary measures are not enough.
In order to protect against cyber-attacks, it is imperative that companies, as well as individuals, take a pro-active approach to cyber security.
While we know that risks can never be fully overcome, widening one’s risk view and mitigating all aspects of potential risk, even those which may lie outside of direct operations, greatly reduces exposure and is vital to the integrity of data and a company’s life-blood. Ignoring these risks only serves to increase the likelihood that an incident will occur, leading to adverse media attention, the tarnishing of brand image, potential drop in customers, and significant monetary loss.
As we experience the benefits of technology and connectivity, enthralled by the many wonders brought to us by that electric glow of a digital screen, we must maintain an astute awareness of our surroundings or we may look up from our screens only to find ourselves alone, with our wallets empty (so to speak), struggling to make sense of what happened.