As the ease of doing business has increased, so has the risk for a breach. According to an FBI report, cyber complaints and losses over the last five years have reached 2.76 million complaints and $18.7 billion in losses.1 Ransomware-related breaches alone increased by 13% (more than the past five years combined) and were responsible for nearly 50% of all system intrusion incidents. However, 82% of the breaches reported still involved the use of stolen credentials, phishing, misuse, and human errors,2 proving that we are still the weakest link.
So, the question now is, are you prepared for a cyberattack? Here are five actions you can take to help mitigate your organization’s cyber risk:
1. Know Your Inventory
Understanding what you have and how it’s used to process data is key. An inventory assessment should be completed to account for physical IT assets, such as servers, routers, firewalls, switches, workstations, printers, etc., as well as software. Identifying which information is most critical to protect can help your organization classify the systems and databases that support this more sensitive data. It also can help your organization prioritize these systems and better invest in the security budget. Common levels of data classification are:
- Confidential, e.g., proprietary, financial, personnel files
- Restricted, e.g., supplier contracts
- Internal, e.g., organization memos
- Public, e.g., press releases
2. Educate Your Team
Technology isn’t a substitute for employee, board, executive, and vendor education. As part of the information security and cybersecurity awareness program that should be performed with employees each year, management should educate employees on proper usage of technology assets and systems. This is usually completed through onboarding and the annual acknowledgment of the organization’s security and acceptable use policies. Your organization also should provide periodic news alerts and evaluate employee understanding in regard to phishing emails. Employee understanding could be validated using phishing simulations, training courses, and acknowledgments to internal communications.
3. Limit Access
The principle of least privilege is crucial when it comes to both virtual and physical access. Organizations should control administrative privileges and limit access to only those functions an individual needs to perform job tasks. Don’t forget to maintain good physical security as well; make sure guests, service delivery personnel, and vendors are properly vetted and escorted when in sensitive facility areas.
4. Plan, Prevent, & Prepare
Consider implementing controls to help mitigate the potential risk caused by your fellow workers, such as locking laptops when they’re away from their workstations and filtering out suspicious emails addressed to employees. Another security measure includes developing a cyber incident response program with a policy that’s communicated across the organization.
Fortunately, plenty of guidance is available to assist with this work, including the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide (NIST SP 800-61) that outlines the four key phases of any incident response effort:
- Preparation: Organizations should build out their incident response programs before disaster strikes, putting policies, procedures, and technologies in place to facilitate an effective response.
- Detection and Analysis: The faster a cybersecurity team can identify an incident taking place, the faster it can swing into action to reduce the impact of a breach.
- Containment, Eradication, and Recovery: The incident response team’s top priority is to contain the damage, limiting the scope of an incident. Once that’s done, they can move on to eradicate the effects of the incident and recover normal operations.
- Post-Incident Activity: After each incident, the team should gather to review lessons learned and improve the organization’s processes before the next incident response plan activation.
Organizations should structure their own incident response programs around this guidance to strengthen the collective experience of the cybersecurity community.
5. Establish Backups
Implement a regularly scheduled backup program that meets your organization’s needs and records retention requirements. It’s recommended that your backups are stored at a different location and are completely segmented from the network (air-gapped) to provide better security.
There are benefits to using cloud-based backups, such as storage cost, accessibility, improved recovery, and continuous syncing of files. In addition, cloud-based backups could improve mitigation and/or recovery against ransomware attacks. Also, remember to back up not just the data but the applications as well.
IT Risk & Compliance professionals at Forvis Mazars are dedicated to helping public sector entities assess their cybersecurity risks, improve their cybersecurity protections, and respond to a breach.
If you have any questions or need assistance, reach out to a professional at Forvis Mazars or submit the Contact Us form below.
Read more articles from Forvis Mazars' 2022 Tax Guide here.