Published on February 2nd, 2023

Ethics & Compliance: Let’s Talk About Cybersecurity



Over the past few months, the OIG shorts series has focused on
structuring and implementing a comprehensive and effective ethics
and compliance program. Often this requires a mindset shift
from a check-the-box mentality to a holistic approach in which
everyone understands they have an important role to play. Nowhere is this
more apropos than in cybersecurity, which includes developing
a data security strategy and maintaining an effective incident
response plan.

This post focuses on the importance of developing and
implementing practical Information Security policies and procedures
within your organization as well as the ethical and legal
obligations you have to protect your organization's sensitive
data. Our next post will cover the vital role cyber incident
response planning plays – not only in the aftermath of a
cyber-attack, but in preventing many such attacks.

The security of your organization's information systems and
the data stored within them is an essential component of virtually every
aspect of your business. Your data needs to be trustworthy (integrity),
readily available when the business needs it (availability), and
accessible only to authorized users (confidentiality). Depending on the
type(s) of data you hold (e.g., personal information of employees,
customer information, trade secrets, credit card information, sensitive
government data, protected health information, export-controlled
information, and/or company proprietary information), you will be subject
to minimum security requirements through regulations and contractual
obligations, but you should also adopt additional practices based on
your specific risk profile.

Consider that when critical systems or data are compromised,
interrupted, or destroyed, there will likely be financial and reputational
consequences for your organization, such as:

  • Compromised or Altered Data – Theft of trade secrets
    could cause you to lose business to your competitors. Exposure of
    customer information could result in loss of trust and
    business.
  • System Downtime – When a system fails to perform its
    primary function, customers may be unable to place orders and
    employees may be unable to do their jobs or communicate.
  • Legal Consequences – If data is exposed or stolen from
    one of your databases, you can incur fines and other legal costs
    for failing to comply with data protection requirements such as
    HIPAA.

Unfortunately, many organizations still base their security
plans on generic minimum requirements rather than on a risk assessment
tailored to their company. To be successful in today's business
environment, the simple reality is this: you are in the Information
Technology risk management business.

Understanding the specific risks to your organization is
essential to developing appropriate security measures. Before you
spend substantial budget or time implementing a solution to reduce
risk, you should feel confident in your answers to the following
questions:


  • What are your organization's critical assets –
    specifically data – which if exposed would have a major
    impact on your business operations?
  • What are the top five business processes that utilize or
    require this information?
  • What threats could affect the ability of those business
    functions to operate?
  • What is the risk you are actually attempting to reduce?
  • Is this risk really the highest priority security risk for your
    organization?
  • Are existing controls sufficiently mitigating this risk?
  • Are new risk mitigation strategies cost-effective options?

Once you know what you need to protect, you can begin developing
defensive strategies.

Protecting your organization from cyber threats, both
from within and without, demands a great deal of your IT
staff's time and resources. But, as most organizations now
understand, good data security is the responsibility of everyone in
the company. It only takes one careless employee leaving sensitive
data unprotected, where it can end up in the wrong hands, to
create an obligation for you to investigate, potentially report,
and suffer the consequences associated with a data breach. Thus, a
robust training program that ideally includes drills and tabletop
exercises can go a long way toward minimizing the risk of human
error.

In 2022, BlackFog, which tracks publicly reported ransomware
attacks, reported a 29% increase in such attacks over 2021 and a
34% increase over 2020. Perhaps more concerning, 2022 also brought
the first instance of a national government being successfully
targeted by ransomware criminals. Beginning in the spring, Costa
Rica's government networks became infected with a strain of
ransomware that led to a series of cascading infections throughout
the country. The interruptions to critical services caused by these
attacks ultimately led Costa Rica to declare a state of emergency.

As many companies have found out the hard way, compliance does
not necessarily mean you have achieved security. Laws and
regulations in this space generally lag behind technology: they are
written in response to yesterday's incidents rather than tomorrow's
threats. Thus, in addition to compliance, you must assess your own
risk and the best methods to protect yourself from current cyber
threats. Most organizations understand it is no longer a matter of
"if" but "when" they will be subject to a cyber-attack. Good
awareness of information security obligations and best practices
throughout the organization, driven by attention to cybersecurity in
the C-suite and an emphasis on training, will reduce the likelihood
of an incident and help mitigate the negative consequences that can
hamper your reputation and ability to do business effectively.

The second installment in our cybersecurity series will take a
look at the role that developing and practicing a robust Incident
Response Plan plays in not only preparing for a cyber incident, but
in fostering a positive Information Security culture within your
organization.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
