Fall 2015 Issue of Horizons

FEATURE | Protecting Your Company from Cyber Attacks

Users & Endpoints

Understanding how information moves into, through and out of your business is essential to assessing security vulnerabilities. Identify any sensitive information that personnel or third parties have (or could have) access to via your systems. Companies should limit the information they collect and retain, to prevent needless storage of data and reduce the risk of unauthorized access to it. Further, companies should protect the information they do maintain by assessing risks and implementing protections in key areas: physical security, electronic security, employee training and oversight of service providers. Companies should also properly dispose of information that they no longer need. Finally, have a plan in place to respond to security incidents and data breaches should they occur; that plan should be closely aligned with your continuity plan.

Mobile Computing Security

Employees’ use of their personal devices (Bring Your Own Device, or BYOD) represents a huge potential threat to your company, and it is often accompanied by international travel, which exposes your systems to further security risk. With the explosion of social media use and international travel, it is essential to decide whether or not you will allow personal mobile devices on your network. Cyber criminals, locally and internationally, are increasingly targeting mobile devices; seemingly innocuous activities such as downloading a video or installing a new app could represent a serious threat. Clearly document which devices may be used, as well as how and when they may be used. Set similar protocols for USB drives, tablets and other hardware that may be connected to your environment. (See the Controls Assessment sidebar on page 19 for more information.)

Applications

Limit access to your software applications on a “need-to-know” basis, sometimes referred to as “least privilege.” Set up access rights for sensitive applications that distinguish read from write access and enforce segregation of duties. Enable audit trails to monitor who has been on your system, when it was accessed and what changes were made. Require strong passwords and consider using multi-factor authentication, particularly where remote access into the environment is involved. Regularly review contracts to understand the risk associated with the ongoing use of each application. Require Service Organization Controls (SOC) reports from all cloud providers and understand how your data will be handled in their environment. Encrypt all data “in motion,” and assess risk to determine whether encryption should also be applied to data “at rest.”

Vendor Management

Securing information does not focus only on your own organization. Establish a process to identify, risk-rank, screen and monitor vendors who use, process or otherwise access your information. Requesting Service Organization Controls 2 (SOC 2) reports and other security compliance information is a good first step.

page 20 | horizons Fall 2015