Managing Cyber Risks in Turbulent Times

Managing cyber risks in today's digital environment was already challenging enough ...

... but now amidst a once-in-a-century event, it’s straining our ability to keep systems and data secure. Individuals with malicious intent are taking advantage of the current chaos to launch attacks and break down defenses already weakened by a myriad of impacts.

Hitting the pause button on security initiatives and technical audits could lead to catastrophic security breaches jeopardizing critical business processes. Keeping this in mind, we have identified 10 steps your organization should be taking right now.

Update your Policies and Procedures – Policies and procedures provide guidance for ensuring that the right things are done in the right order. They provide “guardrails” for less experienced personnel and help ensure consistency and repeatability in the proper execution of controls. Your policies and procedures need to cover acceptable use and steps for protecting corporate data when working from home.
Perform a Control Rationalization Review – Controls require periodic review to ensure they remain relevant and serve their intended purpose. In times of dramatic change, new risks will emerge. As organizations seek to reengineer business processes to respond to the changing business landscape, controls need to keep pace. Accordingly, they require reevaluation.
Automate Control Design and Testing – With staffing shortages, organizations should investigate automating both controls and the testing of those controls. Automated controls tend to have lower failure rates, making them preferable for their effectiveness and ease of testing. Automation may be achieved using Robotic Process Automation or various scripting tools and other methods.
Increase Security Awareness Training – Security awareness training is always a best practice, but even more so in the current environment. Training should include typical modes of attack. It should be customized to different groups, as IT staff will require different training than those in the business units. Awareness training should also include best practices for securing the home environment against cyber-attack.
Implement Data Loss Prevention (DLP) – DLP is an important preventive tool for protecting information that may otherwise be subject to copying. It should be leveraged in combination with data classification so that PII and other confidential information is protected commiserate with its sensitivity and value to the organization.
Cross-train Key Staff – It is important to avoid having a single point of failure. For cross-training critical staff positions, give consideration to having a diverse staff when it comes to who may be in Covid-19 at-risk groups. Formally document procedures to avoid having to rely exclusively on institutional knowledge, and leverage SMEs in related areas with procedures serving as a useful training tool.
Expand Security Assessments – Quarterly may not be frequent enough for vulnerability assessments. Too much can change. Leaving parts of your IT infrastructure out-of-scope means the most vulnerable areas go untested, as legacy systems are an easy target. In the case of Pen Testing, ensure that the scope is not overly limited. Also, testing employees with simulated Phishing and Social Engineering attacks reinforces their security awareness training.
Assess Vendor Cyber Risk – Review the applicability and timing of previous assessments. Where warranted, perform a cyber risk assessment to identify which vendors present the most significant risks. From this, develop a roadmap for establishing cyber resilience for key vendors, and implement a triaged program of periodic vendor assessments to ensure continued compliance.
Inject Agility Into Your Technical Audits – Annual audit plans should become more dynamic. Shorter more concise audits are better than huge audits that are obsolete by the time they are issued. Make audit execution more iterative in nature, using time-boxed sections known as sprints. Strive for greater collaboration in defining key risks, as auditees often have a better understanding of which risks are most important.
Assess Cyber Risk in 3 Dimensions – Cyber risk assessments performed in 2019 are most likely out-of-date. Many assessments are also missing a critical component, which is velocity. Likelihood and magnitude are important criteria, but in turbulent times, velocity is a necessary 3^rd dimension of measurement. It measures the speed at which risks are changing, the speed of onset and offset, and the amount of time needed to adapt and react to change.

Together, these 10 steps will help your organization weather the storm, keep a challenging situation from becoming disastrous, and withstand these attacks while keeping essential services running.

Stephen Head, CPA
Director, IT Risk Advisory Services
+1 704 953 6688
stephen.head@jeffersonwells.com

About the Author
Stephen has broad-based experience in cyber risk, regulatory compliance, IT governance and aligning controls with multiple standards and frameworks. He is the author of the internationally recognized Internal Auditing Manual and Practical IT Auditing, both published by Thomson Reuters, and has served as International Chair of ISACA's Standards Board. Stephen is a CPA, CISSP, CISM, CDPSE, CMA, CFE, CISA, CGEIT, CRISC, CBCP, MCSE, CHP, CHSS, CITP, CGMA, CPCU, and holds an MBA from Wake Forest University.

We welcome the opportunity to discuss your needs in this area and share our thought leadership to help your team. www.jeffersonwells.com

Managing cyber risks in today's digital environment was already challenging enough ... ... but now amidst a once-in-a-century event, it’s straining our ability to keep systems and data secure. Individuals with malicious intent are taking advantage of the current chaos to launch attacks and break down defenses already weakened by a myriad of impacts. Hitting the pause button on security initiatives and technical audits could lead to catastrophic security breaches jeopardizing critical business processes. Keeping this in mind, we have identified 10 steps your organization should be taking right now. Update your Policies and Procedures – Policies and procedures provide guidance for ensuring that the right things are done in the right order. They provide “guardrails” for less experienced personnel and help ensure consistency and repeatability in the proper execution of controls. Your policies and procedures need to cover acceptable use and steps for protecting corporate data when working from home. Perform a Control Rationalization Review – Controls require periodic review to ensure they remain relevant and serve their intended purpose. In times of dramatic change, new risks will emerge. As organizations seek to reengineer business processes to respond to the changing business landscape, controls need to keep pace. Accordingly, they require reevaluation. Automate Control Design and Testing – With staffing shortages, organizations should investigate automating both controls and the testing of those controls. Automated controls tend to have lower failure rates, making them preferable for their effectiveness and ease of testing. Automation may be achieved using Robotic Process Automation or various scripting tools and other methods. Increase Security Awareness Training – Security awareness training is always a best practice, but even more so in the current environment. Training should include typical modes of attack. It should be customized to different groups, as IT staff will require different training than those in the business units. Awareness training should also include best practices for securing the home environment against cyber-attack. Implement Data Loss Prevention (DLP) – DLP is an important preventive tool for protecting information that may otherwise be subject to copying. It should be leveraged in combination with data classification so that PII and other confidential information is protected commiserate with its sensitivity and value to the organization. Cross-train Key Staff – It is important to avoid having a single point of failure. For cross-training critical staff positions, give consideration to having a diverse staff when it comes to who may be in Covid-19 at-risk groups. Formally document procedures to avoid having to rely exclusively on institutional knowledge, and leverage SMEs in related areas with procedures serving as a useful training tool. Expand Security Assessments – Quarterly may not be frequent enough for vulnerability assessments. Too much can change. Leaving parts of your IT infrastructure out-of-scope means the most vulnerable areas go untested, as legacy systems are an easy target. In the case of Pen Testing, ensure that the scope is not overly limited. Also, testing employees with simulated Phishing and Social Engineering attacks reinforces their security awareness training. Assess Vendor Cyber Risk – Review the applicability and timing of previous assessments. Where warranted, perform a cyber risk assessment to identify which vendors present the most significant risks. From this, develop a roadmap for establishing cyber resilience for key vendors, and implement a triaged program of periodic vendor assessments to ensure continued compliance. Inject Agility Into Your Technical Audits – Annual audit plans should become more dynamic. Shorter more concise audits are better than huge audits that are obsolete by the time they are issued. Make audit execution more iterative in nature, using time-boxed sections known as sprints. Strive for greater collaboration in defining key risks, as auditees often have a better understanding of which risks are most important. Assess Cyber Risk in 3 Dimensions – Cyber risk assessments performed in 2019 are most likely out-of-date. Many assessments are also missing a critical component, which is velocity. Likelihood and magnitude are important criteria, but in turbulent times, velocity is a necessary 3rd dimension of measurement. It measures the speed at which risks are changing, the speed of onset and offset, and the amount of time needed to adapt and react to change. Together, these 10 steps will help your organization weather the storm, keep a challenging situation from becoming disastrous, and withstand these attacks while keeping essential services running. Stephen Head, CPA Director, IT Risk Advisory Services +1 704 953 6688 stephen.head@jeffersonwells.com About the Author Stephen has broad-based experience in cyber risk, regulatory compliance, IT governance and aligning controls with multiple standards and frameworks. He is the author of the internationally recognized Internal Auditing Manual and Practical IT Auditing, both published by Thomson Reuters, and has served as International Chair of ISACA's Standards Board. Stephen is a CPA, CISSP, CISM, CDPSE, CMA, CFE, CISA, CGEIT, CRISC, CBCP, MCSE, CHP, CHSS, CITP, CGMA, CPCU, and holds an MBA from Wake Forest University. We welcome the opportunity to discuss your needs in this area and share our thought leadership to help your team. www.jeffersonwells.com