Cybersecurity and Privacy – What You Need to Know (Part 3 of a Series)
March 21, 2014
By John Fodera, CPA and Jerry Ravi, CPA
Effective Risk Management Practices and Tools
In our last blog, we explored the various cybersecurity risks that could affect your organization. You will need to identify the risks that apply to your business and the specific mitigation strategy for each risk. The key benefit of performing this cybersecurity risk assessment is that it enables a business to prioritize its response, improve its risk mitigation activities, and allocate resources where they are needed most.
Who has Control Over and Access to the Data?
Effective risk management practices should be integral to all departments in an organization. Any department that has access to information or distributes information can contribute to risk. Meet with the key departments in your organization that have access to sensitive data, such as IT, finance, operations, and marketing. This will help a business understand its vulnerabilities across the functional areas of the organization. The objective is to gain an understanding of the data people have access to and the potential risk that data represents. Brainstorming the different ways information can be put at risk will help you develop an effective risk mitigation strategy and implement the proper security controls throughout the organization. Some organizations use a scale from 1 through 5 to rate the criticality of key data, with 5 representing the highest risk or the most sensitive data, so that more resources are allocated to risk mitigation activities for the highest-rated data.
Consider Impact – Severity – Mitigation
It may be natural to prioritize and focus on the risks that matter the most, but how do you determine which risks are most important? Begin by looking at the worst-case scenario and its impact on the organization. Then consider the likelihood of that risk occurring, given the current circumstances (i.e., existing internal controls) and both internal and external factors. Keep in mind that even if a risk is low, there should still be a risk mitigation plan in place for it.
Developing a Response Plan
If your company becomes the victim of a cybersecurity breach, what is your response plan and how are you going to allocate your resources? Having a written document will help guide your business toward proper mitigation and a timely response to breaches. It also demonstrates that you performed proper due diligence by having a risk management plan in place.
The media had varying opinions on the most recent Target cybersecurity breach. The main themes were:
- Was the response timely?
- What could they have done to avoid the breach?
- Why did it take a blogger to discover the breach and not the company?
- Was the response genuine to its customers or just a defensive move because they got caught?
Your plan should cover mitigation strategies, including what you are doing now and how you can improve in the future. It can be hard to determine how much mitigation is enough. Where does it end, and how far can you mitigate the risk? If absolute risk mitigation is impossible, can damages be minimized or contained?
The plan should also cover how to respond when a cybersecurity breach occurs. Business insurance may cover some of the financial burden, but it does not address reputational risk, which can be particularly damaging to a company.
The next blog in this series focuses on establishing a Written Information Security Program (WISP).
Need assistance with effective risk management techniques specific to your business? Contact EisnerAmper’s Consulting Services group.