Original content provided by BDO Canada
Whether you are preparing your technology business for the next stage or overwhelmed by the current challenges you face, our professionals can help. Tech Talks is a monthly series of practical articles designed to answer commonly asked questions.
With recent cyberattacks (Equifax being a notable example) and the resulting high-profile data breaches that accompanied them, technology companies must consider their cybersecurity program and compliance requirements as a crucial part of their workflow processes. As part of the review process, a compliance audit should be considered to validate whether your established cybersecurity program is working properly.
Here are 5 essential components of an effective cybersecurity strategy:
1. Policies, communication, and user awareness: Policies are the foundation of any effective cybersecurity program. They confirm managements’ commitment to information security and define the approach that will be used in many of the controls. Policies are only useful if your staff are aware of them. They must be communicated to the people that need them. According to Verizon’s 2016 Data Breach Investigations Report, 70 percent of breaches are caused by employees within the business. Additionally, user awareness can be heightened with enhanced cybersecurity training and up-to-date, threat-specific training such as ransomware and phishing awareness training.
2. Security intelligence and risk management: This can be the most technical component of a cybersecurity program and can involve the deployment and monitoring of sophisticated SOC or SIEM programs. Not all companies have the budget or expertise to operate a complex system.
3. Identity and access management: One of the most underrated controls is the need for effective user identity and access management (IAM). Many large organizations have implemented IAM software systems to manage this function because of the large numbers of users they manage. Larger organizations are even implementing the next evolution in user behavior analytics in order to be alerted to non-standard or out-of-policy behavior. Small businesses might not have the need or budget for an IAM system, but they still have the requirement to establish an effective IAM program using internal polices and workflow.
4. Change management: Change is necessary but should not disrupt business, and compliance should not impact how business support functions. IT needs to make changes with full visibility into their implications for the business, and govern these processes in a way that minimizes their impact. This means establishing change management controls and developing and implementing the processes that meet those controls.
5. Incident monitoring and response: According to Verizon’s 2016 Data Breach Investigations Report, attackers are able to compromise an organization in minutes in 93 percent of cases. Although it is necessary to install technical controls to continue to protect against intrusions, it is also necessary to establish an incident response plan to ensure that you know what to do when you are compromised.
Depending on the maturity and completeness of your cybersecurity program, BDO can offer assistance at all stages of the process. We can help with the identification and definition of your security controls and provide recommendations for controls improvement. If you have a well-established cybersecurity program, our typical audit would involve assessing and monitoring controls to provide a continuous compliance position.
Organizations can achieve trust and transparency by obtaining independent controls assurance. SOC for Cybersecurity delivers this crucial cybersecurity risk assessment with a framework that uses common reporting language. It is based on other standard security frameworks, such as NIST or ISO’s 27001.
Contact us today for a preliminary assessment of your business requirements. For additional questions or further information on this topic, contact Sam Khoury or your local BDO office.