Getting comfortable with your company’s cybersecurity program is not just a matter of being able to answer questions like: “Does our organization have the right governance structure?” or “Is our company adequately staffed with the right people to address key risks?”
Rather, it’s being able to answer questions like: “Are we thinking about security the right way, and where is all this going?” and “How do I know we are doing okay in terms of cybersecurity, and what should I be seeing that will make me reasonably comfortable that we’re in good shape?”
The human immune system provides an apt analogy. When a germ breaches the body's natural barriers, the body mounts a three-step defense: sound the alarm, solve the problem, then recover and remember.
The effectiveness of a cybersecurity defense, like that of the immune system, depends on each component efficiently fulfilling its role. Here are three steps you should take to defend against attacks:
1. Sound the Alarm
In any security system, when the firm's boundaries are breached, an alarm should go off. The problem is that most accounting professionals do not know what their high-value assets are, what is connected to and communicating with them, or how someone would reach them. You must first understand the environment you are trying to protect before you can make your detection and response processes any better.
On a company network, as on a personal computer, the first visible symptom is often degraded performance or slow connections. These can result from denial-of-service (DoS) attacks, which flood servers and networks with more requests than they can handle. Bear in mind, however, that many intrusions, such as credential theft or data exfiltration, produce no symptom a user would notice, which is why the monitoring described below matters. Companies that are specifically targeted also receive emails that spoof the sender's display name or address so the message appears to come from a trusted colleague or vendor; these carry malicious attachments or links that an unsuspecting user could open, installing malware or handing over credentials.
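The spoofed-sender pattern described above is mechanically detectable. The following is an added example, not code from the original article: it parses raw email headers and flags a message whose From display name matches a known internal sender while the address does not, a Reply-To that diverts replies elsewhere, and attachments with risky extensions. The firm domain, the list of impersonated names, the extension list and the two sample messages are all constructed for illustration.

```python
"""Flag display-name spoofing and risky attachments in inbound mail.

Added example; the domains, sender list and sample messages below are
constructed assumptions, not data from the article.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: people attackers commonly impersonate and their real addresses.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example-firm.com",
    "accounts payable": "ap@example-firm.com",
}
# Assumed: attachment types that should never arrive unexpectedly.
RISKY_EXTENSIONS = {"exe", "js", "vbs", "scr", "hta", "bat", "cmd"}


def analyze_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display-name spoofing: the name says "Jane Doe", the address does not.
    name, addr = parseaddr(msg.get("From", ""))
    name_key = " ".join(name.lower().split())
    expected = KNOWN_SENDERS.get(name_key)
    if expected and addr.lower() != expected:
        findings.append(
            f"display-name spoof: '{name}' expected {expected}, got {addr}"
        )

    # 2. Reply-To pointing somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 3. Attachments with executable or script extensions.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {filename}")

    return findings


# Constructed sample: impersonates Jane Doe from an external address,
# redirects replies, and carries an executable "invoice".
SPOOFED = """From: Jane Doe <jane.doe@mail-lookalike.example>
Reply-To: payments@attacker.example
To: staff@example-firm.com
Subject: Urgent wire transfer
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please process the attached invoice today.
--b
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ...
--b--
"""

# Constructed sample: the real Jane Doe, plain text, no attachment.
LEGITIMATE = """From: Jane Doe <jane.doe@example-firm.com>
To: staff@example-firm.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, analyze_message(raw) or ["no findings"])
```

A check like this belongs at the mail gateway or in the SIEM, not on the user's desk; its value is that it fires before anyone has to notice a slow connection.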
Constant surveillance is critical, as are early warning indicators and multiple layers of defense. Your firm should already have developed, and be monitoring, internal metrics such as training effectiveness and staff skill levels, together with external signals such as third-party cybersecurity ratings and negative cybersecurity publicity. Furthermore, no single individual should have sole responsibility for managing these processes: a team is less likely to miss something that could mortally damage the corporation.
Many firms now outsource aspects of their IT infrastructure, and many teams believe their technology service provider(s) bear the responsibility for controlling their data. If that is what your team believes, you have a problem. Under the shared-responsibility model that cloud providers themselves publish, the provider secures the underlying infrastructure, but your organization remains responsible for its data, the identities that can reach it and how the service is configured, whether on-premises or in the cloud.
Senior management should require an independent cybersecurity review process on an annual basis, much as you would seek an annual physical exam from an expert physician. (This year, I would also check to see if the organization can cope with the new European GDPR data protection regulations and whether investments are being made in data management to harness the benefits of artificial intelligence.)
2. Solve the Problem
Corporations need to manage cybersecurity at the enterprise level and must continuously improve the ability of each element — line management, operations, internal audit, risk and compliance — to fulfill individual and organizational functions. Check to see that everyone is pulling in the same direction, sharing the same priorities and making appropriate trade-offs.
Discussions about cybersecurity management with the accountable corporate officer should be allotted regular and adequate time at meetings. Management should define what is appropriate behavior, as well as recognize and reward it.
3. Recover and Remember
An effective cyber risk management program includes careful planning, smart delegation and a system for monitoring compliance — all of which firm leaders should own. When things go wrong, whether in a major or minor way, the ability to identify and respond to a problem quickly will determine the company’s ultimate recovery. Your organization’s cyber resilience program should bring the areas of information security, business continuity and organizational resilience together. Remembering and learning from events are the final critical pieces of cybersecurity. Check to see that postmortems are conducted for each and every incident. Then, facilitate discussions of lessons learned and ways to cultivate best practices.
Directors and senior management should have their noses — not their fingers — on cybersecurity. They should feel comfortable with the answers they hear to the following questions:
Are we thinking about security the right way?
- What assets are most valuable?
- Do we have the right strategy regarding security?
- Do we have the right leadership?
- Where are we relative to best practices?
Where is this all going?
- What are our future risks/challenges?
- What externalities should we be monitoring?
- Do we have the right priorities? Are we building the talent and making the right investments/tradeoffs to meet the challenges?
How do I know we are okay?
- Do we have clarity/consistency across the organization?
- Are we measuring the right things the right way?
- Are we building the right culture?
- Do we have any holes in our immune system?
Most accounting professionals – especially those with non-technical backgrounds – may never feel entirely comfortable with cybersecurity. And maybe that’s a good thing. Perhaps it will stimulate additional due diligence, ultimately leading to further safeguards.
However, as long as the organization has a strong cyber-immune system, you can feel reasonably comfortable that your firm is thinking about cybersecurity in the right way and taking appropriate steps to protect the enterprise.
About David X. Martin
I am passionate about helping business leaders sleep better at night – by equipping them with critical cyber risk management tools that protect their enterprises while enhancing strategic business growth.
My career is grounded in managing risk – from cybersecurity to financial and operational risk. In addition to setting successful strategies as a senior executive at PwC, Citibank and AllianceBernstein, I also provide expert witness testimony in high level risk and cybersecurity cases, and work with government agencies.
I enjoy writing, speaking at conferences, and teaching, as well as serving on boards of directors. I published Risk and the Smart Investor (McGraw Hill, 2010) and The Nature of Risk (Amazon, 2012), and my articles for GARP, Institutional Investor and Oliver Wyman can be viewed through DavidXMartin.com.
I'm delighted to serve as a member of the Sanctions Subcommittee of the US Department of State's Advisory Committee on International Economic Policy and as a Special Counselor to the Center for Financial Stability on emerging risks.