We know there’s a whole lot of information risk out there – the headlines tell us; letters from our credit card companies tell us – but the information about information risk management is far less accessible.
Make sure your employees know how important cyber security is and how a lack of data protection not only risks your customers’ critical information, but your employees’ careers and your company’s reputation as well.
Instead of deluging them with boring facts and stats, ask your employees these nine (and a half) information assurance questions to get their cognitive wheels spinning toward informed, actionable insight.
1. Did you know that just one lapse in information security has the potential to end your career?
Tie the dire consequences of security breaches to their personal lives. Make it real for them. A typical attitude goes something like, “I don’t care because it doesn’t affect me.” Make them care. If your organization is wiped out, they lose their jobs and, possibly, long-term professional credibility.
2. Did you know that if a computer in your organization is hacked, and that computer is then used to attack another organization, you may be held legally liable?
Not only could your organization be penalized for lacking proper data protection, but the employee whose device was compromised may also be held accountable. Perhaps the entry point was a Trojan they inadvertently (but imprudently) downloaded, and that infection is what led to the breach. That may leave them, along with your organization as a whole, exposed to serious penalties.
3. Did you know that if you were to give away company-related information to someone who doesn’t have a “need to know,” even unintentionally, you put your organization at risk of a serious attack?
“Need to know” means that the person asking for the information has a legitimate, job-related reason to have it. An example of a request that fails this test would be an employee in accounts receivable (AR) asking how many servers sit behind the customer database. That information has nothing to do with their financial duties, so it falls outside the scope of their job. If it leaks, you, along with that AR employee, may be held liable.
4. Did you know that a data breach occurs every 12 hours?
It’s scary, but it’s a reality. IT security breaches can happen to any organization: from startup to Fortune 500; from a major retail chain to that mom-and-pop shop down the street.
5. Did you know that the average cost of a data breach in the U.S. is $5.4 million?
That figure comes from research by the Ponemon Institute. If your organization has to come up with five million dollars, where is it going to come from? This is your company and your career, and a loss that size is likely to cripple both, and not just in the short run. This is long-term damage to professional credibility and reputation we’re talking about.
6. Did you know that one of the most common triggers of data security breaches is the disgruntled employee?
The disgruntled employee presents one of the most dangerous risks to your organization, and the disgruntled ex-employee is more dangerous still. Let’s say a resentful ex-employee decides to take his or her anger out on your company. If their accounts were never disabled, they may still hold valid credentials, or know yours, and by cunningly covering their tracks they could make it look like you were the source of the attack. The practical check is simple: revoke access the day someone leaves, and audit for accounts that outlived their owners.
7. Did you know that while smaller organizations make easier targets, larger organizations fall victim to “the comfort trap” that sets them up perfectly for a malicious cyber attack?
Once again, no organization is immune from a hacker’s diabolical intentions. You are never too small to be attacked: smaller organizations have smaller budgets, and therefore fewer resources to allocate to IT security, which is exactly what makes them easy targets. On the flip side, larger organizations often get too comfortable, “falling asleep at the wheel” because they think a larger budget gives them an invisibility cloak of data privacy. You may have more money to spend on IT, but relying on that fact is often riskier than having fewer resources.
8. Did you know that organizations that are proactive with IT security, and have vigilant non-technical employees on board with information risk management, have a significantly lower risk of getting hacked and/or suffering a serious data breach?
Human beings are the weakest links in cyber security, so proactive and vigilant employees have the power to counteract these vulnerabilities and get the ball rolling for stronger information security across your organization. This could mean a non-technical employee being alert enough not to let a stranger “tailgate” into your building behind them through a badge-controlled door. It sounds simple, but it’s the simple mistakes that often spark the most complex breaches.
9. Did you know that employee-related personal information from HR could be compromised during an attack?
It’s not just customer data privacy you have to worry about. Your employees’ information is at risk too. If a hacker gets his or her hands on HR files – all your employees’ personal information – the risk of identity theft skyrockets.
9.5. Did you know that if a hacker gets his or her hands on a large supply of this personal information – bank account details, credit card numbers, Social Security Numbers, etc. – they could sell it for a pretty penny on the black market for identity theft and credit card fraud?
HR files are a one-stop shop for hundreds or even thousands of records, and therefore present an attractive goldmine to hackers. Plus, cyber crime “shopping list” prices are falling. It’s becoming cheaper to buy stolen bank details and other personal information because there is a glut of it. It’s basic economics: greater supply means lower prices. As one reported example, a hacker may buy the username and password for a bank account holding $300,000 for only $300 in the underground market.
Remember, hackers gather pieces of information from anywhere they can find it. That one seemingly innocent question could open the vault to that last piece of crucial information, that last piece of the puzzle that presents them with everything they need to infiltrate your systems. Keep your employees informed, vigilant and proactive.
Ready to put your cyber security ahead of the hackers? Get on board with Enterprise Risk Management: data privacy training experts who will let you in on the latest and most malicious cyber threats out there, and who handle data security breach remediation if your customers’ information and your company’s good name are caught in the line of fire.
The information systems audit has evolved along with the computer, because the early days of computing were quite different from the virtual landscape of today.
The early days of computing told a simple story.
Business software applications were only really used for finance and accounting.
Numbers from paper statements and receipts were manually entered into the computer, which would then perform calculations and create reports.
Computers were audited using sampling techniques.
An auditor collected the original paper statements and receipts, manually performed the calculations used to create each report and compared the manual results to those generated by the computer.
Calculation errors were the biggest threat.
The audit findings were mainly confined to programming errors.
Today’s audits are in a whole new genre.
Computing ramps up in sophistication.
Auditors were finding fewer and fewer calculation mistakes, and more and more findings related to fraud and unauthorized access.
Cyber security steps into the spotlight.
The checks and balances that were put in place to maintain accuracy of calculations relied heavily on proper segregation of duties between programming, testing and deployment. This meant that even programming changes – the very changes that were cutting down on calculation errors – depended on cyber security controls.
An IT audit is more about information assurance than information accuracy.
Today’s information systems audit is pretty much synonymous with information security control testing.
Put surveillance in your customers’ stacks.
These days, the caliber of your customer data privacy is directly proportional to the success of your organization. Remember: It only takes one data breach to take down a business.
FIRST: GET THE STORY STRAIGHT
While IT audits need to be meticulous about the details, they must also be comprehensive: providing a panoramic, “bird’s eye” view of your entire organization.
Here’s how to think about (and go about) your information systems audit for premium data protection:
Each layer of the IT audit adds a different type of protection.
Administrative, logical, operational and physical security must all be tested. An “IT audit” that covers only one of these layers, typically the technical one, is superficial and insufficient, and that is exactly what is often passed off as IT auditing.
1. Performing the administrative security audit
It’s important to make sure the proper policies and procedures are in place to promote security. This part of the information systems audit is about digging deep into non-technical aspects of your organization: the exact procedures followed in all of your human processes.
2. Performing the logical security audit
This is where the IT audit goes beyond the pen test. A pen test shows whether the weaknesses it happens to find can be exploited; the logical security audit evaluates every control, reviews the actual configuration of each system against a defined baseline, and documents how it should be protected. That means manual review of the settings, not just an automated scan, because a scanner only reports what it was written to look for and cannot tell you that a directive is simply missing.
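As an added illustration of the configuration review described above (example code written for this article, not ERM’s audit program or anything from the original page), the following script parses a deliberately weak sshd_config, compares each directive against an assumed baseline, and turns the differences into findings a reviewer can document. The sample configuration and the baseline values are constructed for the example; the one real subtlety it encodes is that sshd uses the first value it sees for a keyword, so a duplicate “fix” added lower in the file changes nothing.

```python
"""Configuration review for a logical security audit (added example).

Parses an sshd_config-style file, compares directives against a
baseline, and emits findings. Baseline values are assumptions chosen
for illustration, not a published standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a weak sshd_config written for this example, not
# taken from any real host. Note the late duplicate of PermitRootLogin.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
PermitEmptyPasswords no
PermitRootLogin no   # too late: sshd keeps the FIRST value it saw
"""

# Assumed baseline: directive -> (expected value, comparator, severity).
# "eq": observed must equal expected; "max": observed integer must not
# exceed expected. A directive that is absent is a finding too, because
# the compiled-in default then applies (e.g. LogLevel defaults to INFO).
BASELINE: Dict[str, Tuple[str, str, str]] = {
    "PermitRootLogin": ("no", "eq", "high"),
    "PasswordAuthentication": ("no", "eq", "high"),
    "PermitEmptyPasswords": ("no", "eq", "high"),
    "MaxAuthTries": ("4", "max", "medium"),
    "X11Forwarding": ("no", "eq", "low"),
    "LogLevel": ("VERBOSE", "eq", "medium"),
}


@dataclass
class Finding:
    directive: str
    observed: Optional[str]   # None means the directive is not set at all
    expected: str
    severity: str


def parse_config(text: str) -> Dict[str, str]:
    """Return {keyword (lower-cased): value}.

    Mirrors sshd's rule that the first occurrence of a keyword wins;
    comments and blank lines are ignored. Keywords are case-insensitive.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)            # first value wins
    return config


def audit(config: Dict[str, str],
          baseline: Dict[str, Tuple[str, str, str]] = BASELINE) -> List[Finding]:
    """Compare a parsed config against the baseline; return the findings."""
    findings: List[Finding] = []
    for directive, (expected, mode, severity) in baseline.items():
        observed = config.get(directive.lower())
        if observed is None:
            findings.append(Finding(directive, None, expected, severity))
            continue
        if mode == "eq":
            bad = observed.lower() != expected.lower()
        else:  # "max"
            try:
                bad = int(observed) > int(expected)
            except ValueError:
                bad = True                       # unparseable value is a finding
        if bad:
            findings.append(Finding(directive, observed, expected, severity))
    return findings


def render(findings: List[Finding]) -> str:
    """Format findings the way they would be written into the audit report."""
    lines = []
    for f in findings:
        seen = "not set (default applies)" if f.observed is None else f.observed
        lines.append(f"[{f.severity.upper():6}] {f.directive}: observed {seen}, "
                     f"expected {f.expected}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(parse_config(SAMPLE_CONFIG))))
```

Running it reports PermitRootLogin, PasswordAuthentication, MaxAuthTries and X11Forwarding as set wrongly and LogLevel as absent, while PermitEmptyPasswords passes. The absent-directive case is the point a scanner that only greps for bad values misses, and the duplicate PermitRootLogin is the point an auditor who reads only the last line of the file misses.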
3. Performing the operations security audit
Identify the role of management at your organization, making sure your “security perspective” is right at the top. If the top’s not on board with proper security, that lackadaisical attitude is only going to snowball on the way down your organizational ladder.
4. Performing the physical audit
We’ve said it before, but we’ll say it again (and again): the weakest link in your information security is the human element. Think about it: if someone can simply walk through your doors, drop a few malicious CDs or USB drives where staff will find them, and leave, the best technical security in the world won’t do you any good.
5. Performing the SSAE 16 attestation audit
SSAE 16 reviews (the standard has since been superseded by SSAE 18, which serves the same purpose) add credibility to your organization. They make customers feel comfortable with your company. But more than that…
If you partner with third-party IT consultants to perform your attestation services, make sure they are part of a reputable firm known for its diligence and consistent success.
That third-party firm could lose its license if the attestation is not done correctly. Because the attesting firm has so much at stake when it signs off on someone else’s controls, such a review is worth its weight in gold.
6. Performing the binder audit
Banks are required to create several binders full of documentation so auditors can manually go through and highlight their findings.
Regulators like to see this type of dedication and organization when they come in for audits.
The binder audit makes a strong case for compliance because it’s particularly comprehensive, even for companies outside the banking industry.
Or just leave it up to the experts.
Many organizations completely outsource their information systems audit. This has four main benefits:
You make sure the job is done right.
Outsourcing the IT audit is often much cheaper than doing it internally.
You don’t need the high level of physical overhead when you outsource: You only need one person to oversee the operation (i.e., one point of contact between your organization and the IT consultants), so you don’t have to tie up your whole team.
You’re able to hold the outsourced department fully accountable.
REMEMBER: A TEAM IS ONLY AS GOOD AS ITS PLAYERS
And an audit is only as good as its audit program. Give your company the credibility, your customers the confidence and yourself the peace of mind that comes with knowing you’ve done everything possible to ensure proper data protection.
Are you confident in your information systems audit program? Contact an IT security expert at ERM about putting your customer data privacy on a pedestal of premium protection.