Anxiety and concerns about cost – these are often the first thoughts that come to mind for board members considering cybersecurity. Despite these worries, a board must confront cybersecurity as part of its risk management responsibilities and make sure the organization has in place a reasonable approach to cybersecurity hygiene. Efforts associated with this critical topic should be part of every agenda given the outsized role cybersecurity plays in all facets of an organization, from market reputation, continuity of operations, strategic planning and more.
In a previous discussion of automation, we noted that technological advances must be accompanied by proper controls to protect data and core business functions. Now, we take a look at the specific responsibilities related to cybersecurity hygiene and all of the layers involved with it.
Cybersecurity hygiene refers to the conditions and practices that maintain your organization’s health and prevent attacks such as breaches or viruses. The tip of this spear is the IT department, which can help an organization save money by preventing costly data breaches. Management is responsible for ensuring that the IT Department is well-run and properly maintaining the IT environment. The board is responsible for making sure proper governance policies are established for the company’s risk profile, which includes risk identification, measurement, monitoring and control failure remediation tracking.
FIVE KEY LAYERS TO CYBERSECURITY DEFENSE
An effective cybersecurity approach has multiple layers; if one breaks down, another is in place ready to act. There are five key layers to cybersecurity defense – IT security frameworks, infrastructure security, knowledge, data security and vendor management – and maintaining all of them is key to good cybersecurity hygiene.
- IT security frameworks: This is where it all begins. A framework of IT policies, operational activities and procedures decrease your risk of cybersecurity issues. The scope and level of detail in a framework depends on an organization’s risk tolerance and its capacity to implement repeatable controls and procedures.
- Infrastructure security: Proper maintenance of servers, storage devices and perimeter control devices is a key part of good cybersecurity hygiene. Servers should be regularly patched with the most recent updates to protect against any new vulnerabilities. Be sure that team members responsible for the equipment have the necessary experience to address issues or keep outside vendors accountable for their part in the maintenance.
- Knowledge: Collective knowledge is a valuable IT asset. Social engineering relies on human error and is the most common way that organizations experience a breach. Conduct regular training and be sure to have consequences in place for any non-compliant employees or repeat offenders. Organizations collect data on everyone they come into contact with, so it’s crucial to have a strong data classification policy to capture and define what information is public and what is confidential. Treat data accordingly based on its classification.
- Data security: This refers to how team members access the applications needed to complete their tasks. It is the area with the most control failures because there is little consistency and documentation. IT departments must develop strong access management controls and manage essential applications through authorized updates to make sure everything is properly optimized and up-to-date.
- Vendor management: When third-party vendors perform IT tasks, they become part of an organization’s IT risk profile. A board needs to ensure that the organization has an established process for evaluating vendor security capabilities, continuity of service and financial stability. Conduct these evaluations not only when hiring a new vendor, but also on an ongoing basis.
RKL’s team of cybersecurity professionals can help board members embrace their risk management responsibilities and ensure their organization is well-protected from cyber threats. Contact RKL LLP to learn more.
Read More on RKL LLP's blog »
Read these blogs for more information about cybersecurity: