Fall 2015 Issue of Horizons

FEATURE | Protecting Your Company from Cyber Attacks

Consider the following questions to develop a clear snapshot of your company's sensitive information:

What Sensitive Information Exists in Our Company?
Do we have social security numbers, driver's license photos, credit information, or other personally identifiable information for our customers, employees, contractors or vendors? Do we have marketing, pricing or other information valuable to our competitors? What kind of customer information is covered by confidentiality agreements?

Where Does the Sensitive Information Exist?
Where do we store paper documents, scanned documents, electronic files, email and application data? Are we using cloud service applications to store data outside our environment?

Who Has Access to Our Data?
Who in our organization has the ability to log in and access the data? Once logged in, are there rules that restrict each user to only the access that is needed? Do we have any partners, suppliers, or other vendors in our systems with access to our data? Do we use segregation of duties to limit and detect fraudulent activity?

How is Our Data Protected?
Is our data encrypted as it is transmitted between our internal environment and outside recipients? Is our data encrypted when stored? Do we have appropriate authentication methods in place? How do users get provisioned for access?

How is Our Technology Protected?
Do we have adequate perimeter controls to detect and prevent attacks against our IT systems? Do we have adequate internal controls to detect and prevent attacks from within our environment? Is our technology physically protected to prevent tampering? Do we have disaster recovery and continuity plans in place?

How Will We Know?
Unfortunately, in today's world it is not "if" but rather "when" we will become a victim. How will we know if and when a security event or breach has occurred? Do we have enough security intelligence to inform us when something abnormal is occurring, so it can be investigated, contained and eradicated?

Once you have the snapshot, you can develop plans, processes and designs to protect the information.

Limit Your Exposure
A good next step is to review your vendor contracts with your legal advisor to ensure you are limiting your exposure in case of a data breach, and to obtain security assurance reports (Service Organization Control, SOC 2) from the vendors. It is critical to review your vendor contracts and SOC 2 reports for the same issues, especially for vendors providing data center, cloud and software services and IT specialist services. Include other outside suppliers with access to your internal systems. Talk with your industry peers about what they have learned and which systems they are implementing, and assign responsibility within your own organization. Regularly review your company's cyber liability insurance coverage to determine whether the coverage is appropriate. Determine what risks you are willing to take on at your company. A board and management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

page 18 | horizons Fall 2015
