CYBERSECURITY: Is Your Business Ready?

Upload: accountingwhitepapers

Post on 18-Jan-2017


Cyber risk is just like any other corporate risk, and it must be managed from the top. An organization will spend time monitoring market conditions and will pay close attention to how its competitors are performing, but it is not monitoring the risk to its corporate data. A breach due to a cyber attack can cause irreversible damage to an organization’s reputation and business profitability, as well as other damages; yet, as is often the case, little time and money is dedicated to monitoring the threat.

Not too long ago, information assets like customer data would be stored in a paper file or on disk within the four walls of the data center. Protecting the information from unauthorized use was fairly simple. As technology has advanced, the price of storage has decreased and processing power has increased, and information is now stored in digital format. The more dependent we become on technology and the more we use the Internet to conduct our business, the more susceptible we are to cyber threats.

The increase in the frequency of cyberattacks on critical infrastructure prompted the White House to issue Executive Order 13636 in February 2013. President Obama declared that “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”

THE VALUE OF DATA

Hackers do not care who their target is. To them, it doesn’t matter if the company is small or large, a bank or a pizza shop. If they find an opportunity to breach your network and obtain sensitive information, they will do it. Quite often, executives in small and medium-sized businesses think that they are too small to be a target for these criminals, but that false sense of security can lead to a lot of trouble.

A study conducted by Symantec found that targeted attacks are growing against businesses with fewer than 250 employees. Small businesses are now the target of over 31 percent of attacks. The 2013 Norton Report found: “Cybercrime continues to be a growing global concern. Both the total global direct cost of cybercrime (US$113 billion; up from $110 billion) and the average cost per victim of cybercrime ($298; up from $197) increased this year.”

STATISTICS ARE GOOD

You might think: why would anyone want to steal my data? The answer is simple: if the data is valuable to you, it is valuable to those seeking it as well. This asset could be a business secret, personal information about your employees such as social security numbers, or banking information or credit card numbers that belong to your customers.

Remember, a hacker does not have to physically break into your brick-and-mortar office to steal this information. If the individual has a computer and an Internet connection, they can steal your valuable assets and sell them for a profit if you are not prepared with a cybersecurity prevention plan. Organized crime groups are serious players because of the potential financial gains they can obtain.

© 2014 SMART DEVINE; All rights reserved.

smartdevine.com 267-670-7300

As the frequency of cyberattacks increases, cybersecurity and the associated risk have become an important topic of discussion within boardrooms across corporate America. Cybersecurity is getting quite a bit of attention from regulators as they try to prescribe a minimum set of standards that organizations should follow to keep themselves secure. There are also plenty of headlines in the news about companies’ data being breached and stolen, which brings a lot of exposure to the risk involved with cybersecurity; therefore, in the event of litigation, directors and officers of a company cannot claim that they were unaware of the risk posed to their organization.

INTERNAL AND EXTERNAL THREATS ARE MORE COMMON

Cybersecurity threats do not come only from external sources. Close attention needs to be paid to the internal security posture as well. An employee can unknowingly bring in an infected USB memory stick and plug it into a computer attached to the corporate network. Once the malware gets onto the corporate computers, there is a chance of it gathering and transmitting valuable information to an outside source.

A disgruntled employee could pose a potential risk to corporate security. An employee can easily transfer data onto a USB drive and walk away without anyone knowing. There have been instances where employees set up their own wireless router for the convenience of working remotely, and these devices often have weak or default passwords, allowing hackers to easily gain access to the corporate network.

The weakest link in information security is employees, which is why proper training is critical. An organization needs to have the proper policies and procedures in place to bring awareness to security and help employees understand their role in keeping the company’s sensitive data safe.

Many organizations spend a lot of time and effort to be compliant with different regulations such as HIPAA or Gramm-Leach-Bliley, or industry standards like PCI, but overlook the point that being compliant and being secure are not synonymous. Just being compliant gives some executives a false sense of security that everything is fine, when that is not really the case.

CYBER RISK BEGINS WITH THE BOARD

A board’s responsibility is to govern an organization by establishing broad policies and objectives, assigning priorities, and ensuring the organization has the capacity to carry out these objectives. In today’s world, computer security has become a strategic issue. It is something that should directly concern the board. The board and the executive management are accountable and have a fiduciary obligation when it comes to protecting the company’s assets.

Directors should require a risk-based approach to security; in this case, the whole security posture will be defined based on the assessment that was done and the risks that were uncovered. An appropriate plan will be implemented based on the value of the assets that have to be protected. Remember, risk cannot be totally eliminated. The goal is to figure out the key risks that will affect your business and then come up with an appropriate plan to mitigate them. This is an ongoing process. Threats and vulnerabilities change; therefore, you have to constantly monitor your environment and make sure you are being proactive instead of reactive.

The board and the CEO should understand their company’s cybersecurity risk profile. They do not need to be experts in the field of cybersecurity. John Reed Stark, the former chief of the SEC’s Office of Internet Enforcement, said: “I do not believe it is realistic to expect board members to have anything but a high-level understanding of the nature of cyber threats and how they impact the corporation. Just as you need a good accounting firm to give you financial expertise, from the board’s perspective this field…requires you to tap into wherever you can find the necessary expertise and make sure your company is doing all it can to protect itself.”

A company should study what other companies faced with similar risks have done, and whether that will work for them. A review of the best practices recommended by experts in the area should also be done. These steps will allow the board to demonstrate that they indeed studied the options carefully and adopted what worked best.

NO MAGIC WAND

There are no clear-cut answers as to what the board should do when it comes to cybersecurity. Can the board simply trust its IT department and believe that everything is in place, or should it address this issue at every board meeting?

There is a cost involved in limiting risk and maintaining an offensive cybersecurity program. The return on investment is not very clear, and sometimes even a cost-benefit analysis may lead to a decision to sacrifice corporate security in favor of higher profits. But there is potentially a bigger cost if an organization does nothing to protect its digital assets.

The damage can be costly. The most obvious losses arise from recovering lost or destroyed data, notifying those whose information was lost or stolen, providing monitoring services for at least a year, the cost of forensic investigations and business interruption, as well as a public relations nightmare. Restoring your reputation after a damaging cybersecurity attack, and the financial impact of doing so, can be very significant to an organization. According to a study performed by the Ponemon Institute, the average annualized cost of cybercrime increased by 26% in 2013 compared to the previous year.

Most boards recognize the importance of effectively managing cybersecurity risks, but there is room to improve the process. A 2012 governance survey conducted by Carnegie Mellon CyLab found that “boards are not actively addressing cyber risk management.” Only 25 percent of those who responded review and approve top-level policies on privacy and information technology risk on a regular basis, while 41 percent rarely or never do so. These numbers show that boards are not being proactive when it comes to governance of cybersecurity risks.


The Board of Directors should clearly communicate to senior management the need to address cybersecurity issues by creating a culture that views cybersecurity as everyone’s responsibility. In the coming years, boards will have to answer the question of how they will manage cyber risk, including how threats will be assessed, mitigated, and monitored, and how much investment is enough to secure the business.

Finally, the question every board member needs to ask is: “Are we taking the necessary actions to protect our company’s information assets?” Each organization should assess its needs, how it conducts business, and the risks that may affect it. Despite increased awareness of threats, security is often adopted only after a data breach or security failure has taken place. Understanding the source of any threat and the likelihood of that threat exploiting a vulnerability in an organization is a critical step when building a cybersecurity strategy.

MONITORING THREATS POSED BY 3RD PARTY SERVICE PROVIDERS

As businesses evolve and start outsourcing services to vendors, proper due diligence becomes a critical part of the process to make sure that the service provider’s security practices and hiring policies meet the organization’s requirements. Continuous testing of implemented controls and reviewing the organization’s risk profile is very important. Without a good risk profile, it is difficult to build effective solutions. Today, most security expenditures are focused on some form of compliance and not on protecting critical business information.

Businesses will continue to become more dependent on systems. The impact of failure can be devastating to a business; therefore, having a business continuity plan is very important. A good plan will allow business activities to continue while business data and systems are recovered. It is important that an organization is able to recover from failure and continue to operate at a level expected by its stakeholders. This has to be demonstrated on a continuous basis.

5 IMPERATIVES FOR ANY COMPANY

To ensure that your organization is on the right track when it comes to a cybersecurity plan, begin with the following steps:

1. Develop a Cyber-Risk Profile – Identify the most critical assets that are key to your business objectives. Mitigate risks for those critical assets.

2. Understand the threats and vulnerabilities.

3. Have a framework in place that considers the threat and how it impacts your business. This approach should be constantly evolving, as new threats are always emerging. Make sure there is continuous monitoring in place that actually works.

4. Incident Response – Be prepared by planning, training, and exercising the scenarios. Make sure to have the capability to provide accurate and timely information to all stakeholders that are affected.

5. Does the company maintain adequate coverage for incidents?


Accounting | Tax | Advisory

Smart Devine provides a full range of accounting, advisory, tax and investigative forensic and litigation services to organizations across a variety of industries.

Smart Devine | 1600 Market Street | 32nd Floor | Philadelphia, PA 19103 | T 267-670-7300 | [email protected]

© 2014 SMART DEVINE; All rights reserved.

SMART DEVINE CAN HELP YOU

Anil Chacko is a Managing Director at Smart Devine’s Business Advisory Group. Anil has extensive experience as an IT Executive in the Financial Services and Insurance industries. His experience in these fields covers Project Planning, Delivery Team Management, Process Improvement, Conversion/Interfaces, Software Implementation, Software Selection, Custom Development, Chart of Accounts Design and Project Financial Management, IT Assessment, IT Security, IT Governance Risk and Compliance. For more information, please contact Anil Chacko at 267.670.7311 or [email protected]

Anil Chacko, MBA, CISM
Managing Director

SMART DEVINE OFFERS A FULL LINE OF SOLUTIONS INCLUDING:

ACCOUNTING & AUDIT
• Audit, Reviews & Compilation
• Accounting & Tax Due Diligence
• Accounting Outsourcing
• Agreed Upon Procedures
• Business Valuation
• Finance Process & Reporting Optimization
• Forecasts and Projections
• Forensic Accounting & Litigation Support
• Internal Control Study & Evaluation
• Personal Financial Statements
• Retirement Plan Audits & Prep
• Trust Accounting
• SEC Advisory Services
• Special Project Coordination & Support
• Technical Accounting Consulting
• Transaction Advisory Services

TAX
• Tax Return Compliance
• Accounting for Income Taxes
• ASC 740 (FAS 109) Tax Provision Services
• International Taxation
• IC-DISC
• Tax Planning and Advisory
• Tax Controversy
• Transfer Pricing
• Research and Development Tax Credit
• State and Local Taxation

BUSINESS ADVISORY
• Financial Advisory
• Management Consulting Services
• Technology Consulting Services
• Risk Advisory and IT Security

INSURANCE ADVISORY SERVICES
• Accounting
• Reviews
• Claims Services
• Underwriting/Premium
• Forensic Accounting

FORENSIC AND LITIGATION SERVICES
• Litigation Services
• Environmental Litigation
• Forensic Investigations
• Trustee & Monitoring Services
• Digital Forensics & eDiscovery