May 18, 2017
Cybersecurity Made Simple: Start With Your People and Processes
Posted by Jeremy Sucharski
The WannaCry ransomware attack that began on May 12th locked up at least 200,000 machines and wreaked havoc across the globe. While the U.S. fortunately escaped major impact from this particular cyberattack, many businesses and nonprofits are fearful that similar attacks could soon disrupt their operations.
Cybersecurity can seem overwhelming when you first start to consider it, but creating a data security program is much less complicated than you may think. In a nutshell, it is about making fundamentally simple organizational changes in three areas (people, processes and technology) by assessing your risks, then defining and implementing controls to address them.
There is a widespread misconception about those three areas, however. Many businesses make the mistake of assuming that digital security is all about finding a technology solution, when in reality, your cybersecurity efforts should start with your processes and people. Implementing sophisticated technology is generally one of the last steps you should take. It can cost hundreds of thousands of dollars, and you may go down that path and find that it makes no sense for your business.
On the other hand, you can identify and address your people and process weaknesses, which is where most of your digital risk resides, and define cybersecurity controls for a relatively low level of investment. Here is a simple overview of the steps to take.
Assess your risks
To assess your risk from a cyber perspective, you first need to choose an information security framework. This provides an objective measure that defines what you should be doing and allows you to compare that against what you are doing.
The frameworks we focus on are the International Organization for Standardization (ISO) 27000 series of standards and the National Institute of Standards and Technology (NIST) Special Publication 800-53. The two overlap substantially, and you can use whichever is better suited to your needs. ISO may be better for some global companies, for example, because it is an international standard, while NIST is widely used by U.S. businesses because the SEC has pointed to it as a suggested framework.
Whichever you use, a framework is a great starting point to benchmark yourself. You can determine which parts of the standards apply to you, based on your organization, and see how your processes stack up against what you should have in place.
For example, let's say you are a nonprofit organization and all of your data is in the cloud: you are using Intacct for accounting, Blackbaud for fundraising, and so on. Since you do not have physical security risks around things like servers, you can largely set aside those areas of the framework. But on people-related issues (do you have a cybersecurity training program, how frequent is it, how often do you update your team on emerging threats, and so on) you may realize that you are not doing anything, which elevates those risks.
Define your processes
After you’ve identified your risks, based on your framework, you need to define and implement controls. This can also seem overwhelming, but it’s really just about defining your processes.
If your risk assessment reveals that you have no program for people security, for example, you first have to consider what your processes will be, before you implement any controls. What is the best way to address the need for employee training? Do you build your own program, or do you outsource it? And what will the program look like?
You define what you want to do and how that process is going to operate. For instance, for step one of your program, you may take everyone through the training and benchmark the entire company. Then going forward, new hires will do the program as part of onboarding, and everyone in the company will retake the training once a year.
From there, the controls are simply the pieces of the process that mitigate risk on an ongoing basis. An example would be testing everyone at the end of their security awareness training to make sure they absorbed the information. This produces auditable evidence, and someone independent of the process can review the results. If you have 100 people in the company, but the test shows that only 20% successfully learned the material, you know you need to go back and identify changes that improve the process so that people retain more. For example, an online self-service format may work better than the in-person classroom training you are currently using.
Keep evaluating your controls
Finally, it’s important to note that controls are not a one-and-done thing. You have to verify that they are working, and you should be continually evaluating, refining and improving your processes, based on your control feedback.
So how often should you review your controls? The frequency depends on the relative risk: higher-risk controls need to be looked at more often. But as a general rule of thumb, if you are not evaluating all of your controls at least once a year, you are not getting value for the time and money spent on your cybersecurity program. You are doing all the implementation and all the building, but you are not reaping the benefit of confirming that your controls are actually protecting your organization.
Contact Armanino and our Cybersecurity Services team to learn more about building a cybersecurity program to protect your business.
Jeremy has over twelve years of experience delivering internal audit and consultative services to clients in a variety of industries. Jeremy manages teams and works closely with clients to analyze risks associated with information systems and business processes, implement controls and test those controls for operational effectiveness. He has extensive experience in developing and executing detailed audit plans to test the effectiveness of systematic and manual information system and business process controls. Furthermore, Jeremy is the leader of the firm's GRC practice. Jeremy is a member of the Information Systems Audit and Control Association (ISACA) and has a B.A. in Business Administration, MIS Concentration, from California State Polytechnic University, San Luis Obispo.