How to inventory threats to build critical IT defenses

From time to time, it’s healthy for companies to identify threats that are unique to their business and what might happen if one of those threats — a cyberattack that compromises customer payment information — manifested.

It’s also prudent for companies to understand what frontline defenses they have (or don’t have) to prevent such threats from impacting their business. Often these are IT systems housing critical data or supporting vital networks.

The recent increase of remote employees has added a layer of risk. Now is a good time to perform a risk assessment to ensure critical data and networks are secure.

Smart Business spoke with Brian Garland, a manager at Rea & Associates, about risk assessments and IT audits, and how the two work together to mitigate threats and their impact.

How do risk assessments and IT audits work together?
Risk assessments should be viewed as a strategic initiative, one that helps define the risk appetite clearly for the company in relation to the key information systems it needs to protect. They help companies understand what’s important to protect and why on a proactive basis, and what the fallout would be if they fail.

In a mature security environment, they’re followed up by IT audits, which determine if the systems and controls that are in place are functioning appropriately to stay within a company’s defined risk tolerances and meet whatever regulatory requirements they might have.

Typically, risk assessments are done annually, especially in environments that contain regulated data. However, any time a company has significant system changes or changes in its environment — the abrupt shift to a remote work environment, for example — it’s a good idea to run an assessment so companies can safeguard their assets appropriately.

How do IT audits map to regulatory compliance?
In regulated industries — banking and health care, for instance — or for companies that accept credit card data, IT audits provide evidence of the company’s compliance with the control requirements in place and establish that there’s an ongoing compliance environment. Companies that face something like a cyberbreach but have documentation of an annual IT audit have, at the very least, proof of an effort to demonstrate and maintain compliance.

With employees now largely working from home, companies need to be cognizant of the security impacts of the technology solution that they choose to make available to their employees. For instance, the decision to allow employees to utilize either an RDP or VPN solution for access to company resources should be weighed specifically by the technology’s potential impact on data confidentiality, integrity and availability. Whatever the situation and the tech used, it’s really about being aware of the potential threats, vulnerabilities and resulting risks, and ensuring that the right software tools, policies and procedures are in place to work securely.

How should companies apply what they’ve learned from an IT risk assessment?
The risk assessment process should give a clear sense of the current IT environment and controls in place, the estimated likelihood and impact of contemporary threats, and where gaps in controls exist that present significant risk. For companies without a security framework already in place, a risk assessment should lead to a list of the controls to be implemented to protect the network and data.

It should also give a sense of how a company is prepared to respond to an event that could shut it down for days or weeks at a time and what that impact might look like.

There should be documented policies and procedures in place to govern IT systems and the underlying data, outlining which activities are permitted by the company. These policies form the basis for the company’s data security program and help demonstrate the control environment in place and its alignment with any regulatory compliance requirements for data security impacting the company. Those policies and procedures should be reviewed and tested annually to make sure they cover all systems, processes and data elements considered critical to the business.

By having a clear understanding of the current risk environment, companies can spend their security resources intelligently.

Insights Accounting is brought to you by Rea & Associates