With the increasing number of security and data breaches being identified, cybersecurity has gained global and local attention. Increased emphasis and scrutiny from regulators, including the Federal Financial Institutions Examination Council (FFIEC), will bring cybersecurity awareness to the forefront of annual audits and of reviews of everyday risk management practices.
Cybersecurity has been defined by the National Institute of Standards and Technology (NIST) as the process of protecting information by preventing, detecting, and responding to attacks. These attacks, better known as cyberattacks, target networks, infrastructure, systems, and similar assets using various malicious acts that usually manipulate, destroy, or steal specific data or systems. The types, frequency, and costs of these incidents, including the resulting security/data breaches, are increasing at an astounding rate. In addition, companies that fall victim to a cyberattack that results in a breach may also be violating security laws and regulations and feel the financial, legal, and reputational impact.
The following are seven items that will help your organization be more cybersecurity aware, and also ensure that the necessary controls are in place for regulatory reviews:
- Ensure that a strategic plan is in place that both addresses cybersecurity and aligns with your organization’s IT and Business Strategic Plans.
- Have multiple techniques to identify and monitor cyber threats to your organization and your industry sector (e.g., associations, tools, newsletters, alerts).
- Include cybersecurity information as a way to influence the risk assessment process.
- Continuously manage third party relationships to ensure that these third parties are also identifying, modifying, and mitigating their risk exposures.
- Implement a Computer Security Incident Response Plan (CSIRP) to respond to a cyberattack and test this plan regularly with participation from critical internal and external stakeholders.
- Supply reports and analysis on cyberattacks and risks to upper management and/or the Board.
- Prepare reports supplied to management, committees, and the Board that include timely and meaningful information with metrics on the organization’s vulnerabilities and potential business impacts from cyber risks.
As cyberattacks become more frequent and sophisticated, your organization’s security practices and safeguards also need to be increased and strengthened. These defenses and best practices are no longer solely an IT department issue; they now require buy-in from business units, upper management, and Board members alike. Being prepared in today’s environment is crucial, as the question is not ‘if’ but ‘when’ an incident or attack will occur.
How can FoxPointe help?
- Information Technology General Control Assessments and Audits
- Security Awareness Training
- Risk Assessments (HIPAA, E-Commerce, IT)
- Incident Response, Business Continuity, and Disaster Recovery Planning
- Vulnerability and Penetration Testing
- Payment Card Industry Data Security Standard (PCI DSS) Assessments and Compliance
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, a consultant client relationship.