News

Smart Tech Investment: Meaningful Cyber Security

 

gridface

The past year has been a study in many an uncomfortable lesson, spurring necessary conversations on everything from mental health to gender equality. Every vulnerability of modern business was exploited in one fell swoop, each of them a known risk and each of them exacerbated by circumstance. Of course, some of those exploitation points were more immediately obvious than others. For years, experts have warned that cyber security is among the largest threats to companies and public institutions, but many firms were unprepared for the toll of remote work on this issue’s overburdened camel’s back.

In 2020, the number of firms targeted in cyberattacks rose from 38% to 43% with many experiencing more than one, according to the latest cyber readiness report by Hiscox. Of course, when a problem comes knocking, the obvious solution for many is to throw money at it, assuming it is there for the throwing. The same report reflects this strategy, at least, with spending on cyber security increasing an average of 63% overall. Not surprising, considering just how much firms had to contend with:

“Three-in-ten targeted firms (31%) had to deal with a (non-ransomware) virus infection, 28% with payment diversion fraud arising from business email compromise and 27% with a DDoS attack (see Fig. 3). German, French and US firms were most likely to suffer these outcomes. A remarkable 39% of US firms had to deal with IT resource misuse – such as hosting malware or having the infrastructure hijacked to mine cryptocurrency – compared with just 25% overall1.”

Budgeting for cyber security is but one piece of the overall picture, however. People play the most important role. According to CNBC, employees were cited as the leading cause of security breaches in 2018. In that report, over half of small businesses stated they had no policy for remote workers in terms of cyber security practices2. In a new report from the American Society of Employers, a survey of 1,200 U.S. employees revealed that while 59% had received training in cyber security, 69% of those failed a test on the subject3.

This people problem extends all the way up the chain, a fact that many larger companies are beginning to recognize following the recent attacks on major corporations SolarWinds Corp. and Microsoft. Many boards are now considering their need for members with cyber security expertise, Bloomberg Law reports. While some boards are calling for the addition of cyber experts, others are posing the argument that it would be better for all board members to have greater understanding of their company’s security profile. Moreover, Directors are recognizing the cascading impact of security breaches and their ability to affect hundreds of interconnected businesses at once. The need for tech savvy directors is an obvious one, and many are considering certification programs to boost their cyber security understanding4.

Taken all at once, from the team on the floor to the executives in the c-suite, this illustrates the need for meaningful action. No business is too small or too big for cybercriminals. Whether you think your company is a big target or not, it is a target, and you and your employees are its greatest vulnerability.

According to Forbes, endpoint management and endpoint security are the foundation of the next generation of security. To promote a culture of security, companies should consider the following strategies5:

Secure data and devices. Phishing scams and botnets are the most significant threats to organizations due to the number of devices outside the perimeter (office). These devices are vulnerable to increasingly sophisticated threats.

Security is everyone’s job. It always has been, but those companies not yet working toward better training for employees will find themselves shouldering more risk and potentially greater losses the longer it takes to adopt some form of awareness training.

Real-time monitoring of endpoint performance and configuration management. Consult with your IT experts on the tools available for scanning devices to detect compliance, vulnerabilities, anomalies, and necessary maintenance. Consider a configuration management database to provide a single source of truth to track and manage all facets of the network.

Stay on top of updates and patches. Endpoints that are not up to date pose significant security risk to organizations. Adopting a security platform, a single interface, that can locate, control, and manage all endpoint assets is an essential step to ensuring all devices are current and have network visibility.

Manage privacy and data risk. According to Forbes, 75% of firewalls are mismanaged, 80% of endpoint devices are barely protected, if at all, 35% of those devices use weak or default passwords and more than 60% of remote employees use their corporate credentials for personal e-commerce and online accounts5.

MICPA members can take a deep dive into how to apply their knowledge of effective cyber security risk management programs to analyze a client's program and conduct a readiness assessment with this course and other cyber security courses available now in the MICPA CPE store.


References

  1. “Hiscox Cyber Readiness Report 2021.” Hiscox Group. 2021. Accessed on 19 Apr. 2021.
  2. Reinicke, Carmen. “The Biggest Cyber security Risk to US Businesses…CNBC. 21 Jun. 2018. Accessed 19 Apr. 2021.
  3. Nezich, Heather. “Employees Lack Basic Cyber security Training.American Society of Employers. 13 Apr. 2021. Accessed on 19 Apr. 2021.
  4. Holland, Jake & Andrea Vittorio. “Rippling Cyberattacks Force Corporate…Bloomberg Law. 15 Apr. 2021. Accessed on 19 Apr. 2021.
  5. Wilder, Christopher R., et al. “IT & Security Operations Teams Must…Forbes. 15 Apr. 2021. Accessed on 19 Apr. 2021.

Source: MICPA

 Back to List

2884d1c7-9dc3-4aa7-9dee-9cf053584add