Be prepared and be strategic.
October is cyber security awareness month. Let this be your reminder to be careful in cyberspace. Responsible behaviour improves your organisation’s security, whether you have a small number of end-users, or a multitude of end points.
Do not click on strange emails – those could be phishing attempts.
Do not open odd attachments – those could result in ransomware.
Do not use coffee shop Wi-Fi – it could expose your passwords.
Business leaders and executives are end-users, just like everyone else on the team, and should set an example on good cyber security hygiene. Leaders must also look to the future while managing business operations. In that vein, here are some cyber security awareness tips for the leadership team. This is all about ‘taking stock’.
TIP #1: Make it OK for IT and users to raise problems and concerns.
One-fifth of Canadian businesses were affected by cybersecurity incidents in 2019, and half of these were Small or Medium Businesses (18%, 29%). Once they get into your network and systems, hackers and ransomware can spread quickly and wreak havoc. Encouraging, even rewarding, your team when they flag these risks can limit the damage. These flags raised by IT and end users may be the only warnings you get. Being forewarned is better than being surprised!
TIP #2: Think about the big picture – how could this impact your business risk?
Changes in the business environment and technological developments can create opportunities as well as new or increased risks. Considering today’s global issues, what does this do to your business execution? Are there new threats to your business that need to be considered? As a leader, it is up to you to look ahead to the horizon and ask these big picture questions. In 2020, organisations, both big and small, participated in vaccine research or contact tracing app development. These organisations were targeted by foreign “state-sponsored” actors attempting to steal intellectual property or just cause havoc. Being aware of changes like this can create opportunities for you to be proactive in your risk management.
TIP #3: Business and Technology planning starts with what you have
Planning starts with an idea and a high-level business case or plan. The next step is figuring out what you have currently to work with. To do so, ask your IT team for a complete inventory of your data, systems, network paths, service providers, end points, and vendors. The first thing to do with this list is to look for points of risk, such as old servers, desktops and laptops that can’t be upgraded or patched. These points are an easy way in for hackers. Can these old servers and devices be replaced with something more secure? Second, look at your IT and cybersecurity vendor list and learn what products they provide. Ask IT if there is an opportunity to rationalise vendors to reduce the long list of system products that don’t interact easily. Simpler can be better.
If IT cannot provide the complete inventory, you have another problem that you are now aware of: your IT team may not know what they are managing and administering, and that is scary!
TIP #4: Review user accounts and privileges
Granting access usually gets done more easily than revocation. While most users will push to get what they need to do their work, these same accounts and access privileges don’t necessarily get cleaned up when team members move roles or leave.
At least once a year, ALL accounts (user, system, and service accounts) for all your systems, on-premises and in the cloud, should be listed and reviewed by the owners of the system. This means the CFO should review finance system users, the head of HR should review payroll system users, and the CIO should review all IT and network infrastructure accounts.
If the population is large, then delegating this task is fine, but don’t give it to the people managing the user accounts – make it independent. Look for active user accounts for employees or contractors who have left; look for user accounts with no activity for three months and get them justified. For extra points, once the inactive accounts are cleaned up, look at the user privileges associated with the accounts, particularly for employees who have moved around or been promoted. Did the access privileges from their old job get removed when they got new ones? If not, you could have inadvertently created the opportunity for fraud – or worse, as some users can now enter transactions and then approve them with their new ‘powers’!
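The review described above can be automated for the first pass. The following is an added example, not part of the original article: it runs over a constructed account export and HR roster (field names are assumptions) and flags the three conditions the tip names – active accounts belonging to departed staff, accounts with no activity for three months, and accounts that can both enter and approve transactions.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an account export and an HR roster
# (assumption: fields named account, owner, type, status, last_login, roles).
HR_ROSTER = {
    "alice": "active",
    "bob": "left",        # departed but still holds an active account below
    "carol": "active",    # promoted: kept old AP-entry role, gained approval role
}
ACCOUNTS = [
    {"account": "alice",      "owner": "alice", "type": "user",
     "status": "active", "last_login": date(2021, 10, 1),
     "roles": {"ap_enter"}},
    {"account": "bob",        "owner": "bob",   "type": "user",
     "status": "active", "last_login": date(2021, 5, 3),
     "roles": {"ap_enter"}},
    {"account": "carol",      "owner": "carol", "type": "user",
     "status": "active", "last_login": date(2021, 10, 4),
     "roles": {"ap_enter", "ap_approve"}},
    {"account": "svc-backup", "owner": "it",    "type": "service",
     "status": "active", "last_login": date(2021, 6, 1),
     "roles": {"backup_operator"}},
]
AS_OF = date(2021, 10, 5)               # date the review is run (constructed)
# Role pairs one person should not hold together (enter and then approve).
SOD_CONFLICTS = [({"ap_enter"}, {"ap_approve"})]
INACTIVITY_LIMIT = timedelta(days=90)   # "no activity for three months"

def review_accounts(accounts, hr_roster, as_of):
    """Return a list of (account, finding) tuples for the system owner to justify."""
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue   # disabled accounts need no justification
        name = acct["account"]
        # 1. Active user account whose owner has left according to HR.
        if acct["type"] == "user" and hr_roster.get(acct["owner"]) != "active":
            findings.append((name, "owner not an active employee"))
        # 2. No login within the inactivity limit (applies to service accounts too).
        if as_of - acct["last_login"] > INACTIVITY_LIMIT:
            findings.append((name, "inactive over 90 days"))
        # 3. Privilege accumulation: entry and approval rights on one account.
        for entry, approval in SOD_CONFLICTS:
            if entry <= acct["roles"] and approval <= acct["roles"]:
                findings.append((name, "can both enter and approve transactions"))
    return findings

if __name__ == "__main__":
    for account, finding in review_accounts(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"{account}: {finding}")
```

Each flagged line is a question for the system owner, not a verdict; the output is the list they must justify or clean up.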
And finally, in today’s work-from-home world, ensure that all remote access accounts use multi-factor authentication (MFA). The extra authentication mechanisms replace the implicit authentication of a valid user when they come to work physically and must go through reception and work with colleagues. MFA is not increasing authentication; it is just bringing levels back to where they were when we all went into the office. Most cyber insurance contracts now require this MFA measure as well.
TIP #5: Exercise disaster recovery and incident response plans
When was the last time your organisation tested backups and the ability to restore critical business systems and networks? Over time, backups can become incomplete. This can be due to the size and complexity of your data sets, or because new systems and data are not recognised and processed by your backup systems and processes. While you are on the topic, ask if data backups are periodically archived and taken fully offline (i.e. air gapped) from your regular IT network. This can be vital if you are hit with ransomware.
Once backups are sorted out, ask yourself when your lead team last conducted an incident response drill, for example simulating a ransomware attack, website defacement, major system crash or leak of personal information. This is all about ‘muscle memory’, so doing this at least once a year is good governance if your systems and data are at all important to your business.
In preparing for battle I have always found that plans are useless, but planning is indispensable (Dwight D. Eisenhower).
TIP #6: Get assurance over your IT service providers.
Continuing the inventory theme of this executive cyber security awareness message, many organisations accelerated their journey to the cloud over the last 18 months. Outsourcing (which is what cloud really is) can be good for business where you get more business process, IT capability and service than in-house. The risk with outsourcing is that this spreads out your data and systems, meaning you no longer have direct oversight of what is going on. The best replacement for this loss of control is to get independent assurance of the controls at the service provider and make sure you are zipping up your own processes and controls with theirs.
Get a list of all these business process outsourcers and IT service providers, what they do for you, and what access they have to your systems or data. The more these third parties are interwoven within your business and systems, the more risk you have. This points to getting reasonable assurance that they have effective controls and (hopefully) won’t be a source of trouble for your business.
This is not an exhaustive list of areas to ask some pointed questions, but a good one to start with. The Welch Risk Advisory team hopes this will help you to increase your awareness of some important cyber risks, and how to begin managing them. If you have further questions or would like to talk to a Welch Risk Advisory team member, please reach out to Chris Meyers or Chris Anderson.