Understanding, mitigating cybersecurity risk

In today’s economy, information and technology drive value creation for businesses of all sizes across every industry. Information can be accessed and stored remotely in real-time, allowing for collaboration and coordination across time zones and continents.
While information technology has changed and improved the way business is conducted, it has also changed the equation for organizational security. In a world where information is value, information is also a target. Data security is now organizational security. In order to protect themselves and their customers, business owners must now develop a strategic approach to data security.
Smart Business spoke with Jalal Nazeri, senior IT audit manager at Sensiba San Filippo LLP, to learn more about best practices for addressing cybersecurity, assessing data security and developing strategies to mitigate risk and demonstrate controls.
What is the first step a company should take when assessing cybersecurity risk?
The first step a company should take is to perform a comprehensive risk assessment for the environment, with a major emphasis on the risks with the organization’s data.
Different types of data carry different levels of value and risk. Data such as protected health information (PHI) and personally identifiable information (PII) are highly sensitive. Companies handling this type of data must comply with state and federal legal data security regulations.
Other companies may transmit highly valuable intellectual property — whether their own or that of clients or customers. Once you understand your data, you can prepare the right plan to protect it.
Once a company understands the value of their data, what comes next?
The most effective security step a company can take is to ensure that the data itself is encrypted. Encryption isn’t a bad idea for any valuable data, but for highly confidential information like PHI and PII, it’s absolutely essential.
How can companies prevent a data breach?
Encryption is the key to preventing a data breach. Annual or semiannual risk assessments are critical to identifying new weaknesses in the infrastructure.
Creating a security policy is an important piece of creating a secure environment. The purpose of a security policy is to ensure that appropriate measures for protecting the network are written down, communicated and put in place. Once a security policy is established, ongoing monitoring and maintenance of your policies and procedures will ensure ongoing effectiveness.
What other steps can be taken to protect data?
There are many tools and strategies available for preventing both data theft and data loss, including IDS/IPS, anti-virus software, system monitor logs, firewalls, off-site backups and more. Keeping data secure requires utilizing these tools strategically to mitigate potential risks. To be effective, both your security policy and the tools that you utilize to carry out your policy must be reviewed and updated regularly.
What additional advice can you offer regarding cybersecurity?
You can’t lose what you don’t have. Many businesses keep valuable data longer than necessary. Businesses should understand data retention requirements and create data policies that ensure that sensitive data isn’t being stored unnecessarily.
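The advice above (classify your data, encrypt the sensitive classes, and do not keep it past its retention period) can be turned into a repeatable check. The following is an added illustration, not code from the interview or from Sensiba San Filippo; the data classes, the retention periods in RETENTION_DAYS, the Record fields and the sample records are all constructed for the example, and real retention periods must come from the regulations and contracts that apply to the business.

```python
"""Retention and classification check over an inventory of data records.

Added example (not from the article). All identifiers, classes, retention
periods and sample records below are hypothetical and constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention periods per data class, in days. None means no
# limit. Real values are dictated by the legal and contractual requirements
# the business has to understand first.
RETENTION_DAYS = {
    "PHI": 365 * 6,     # protected health information
    "PII": 365 * 2,     # personally identifiable information
    "IP": 365 * 10,     # intellectual property (own or clients')
    "PUBLIC": None,     # no retention limit
}

# Classes that must never sit unencrypted at rest.
SENSITIVE = {"PHI", "PII"}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date
    encrypted: bool


def is_expired(record: Record, today: date) -> bool:
    """True when the record has outlived the retention period of its class."""
    limit = RETENTION_DAYS[record.data_class]
    if limit is None:
        return False
    return today > record.created + timedelta(days=limit)


def retention_report(records, today: date) -> dict:
    """Sort records into findings a risk assessment would act on.

    purge: past retention, should be deleted ("you can't lose what you
           don't have").
    unencrypted_sensitive: PHI/PII stored without encryption.
    unclassified: class unknown, so no policy can be applied yet.
    keep: within retention.
    """
    report = {"purge": [], "unencrypted_sensitive": [],
              "unclassified": [], "keep": []}
    for r in records:
        if r.data_class not in RETENTION_DAYS:
            # Unknown data is itself a finding: it cannot be protected
            # until it has been classified.
            report["unclassified"].append(r.record_id)
            continue
        if r.data_class in SENSITIVE and not r.encrypted:
            report["unencrypted_sensitive"].append(r.record_id)
        if is_expired(r, today):
            report["purge"].append(r.record_id)
        else:
            report["keep"].append(r.record_id)
    return report


# Constructed sample inventory and assessment date.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "PHI", date(2017, 1, 1), encrypted=True),    # past 6 years
    Record("r2", "PII", date(2023, 9, 1), encrypted=True),    # within 2 years
    Record("r3", "PII", date(2024, 1, 1), encrypted=False),   # stored in clear
    Record("r4", "PUBLIC", date(2000, 1, 1), encrypted=False),  # no limit
    Record("r5", "LEGACY", date(2010, 5, 5), encrypted=True),  # unknown class
]


def sample_report() -> dict:
    """Run the check over the constructed inventory."""
    return retention_report(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for finding, ids in sample_report().items():
        print(f"{finding}: {ids}")
```

Run as a script it prints one line per finding category. The shape matters more than the numbers: the same loop can be pointed at a real inventory export, and each finding maps directly to a step the interview names (delete, encrypt, or classify).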

Regardless of the business you run, your data will continue to become a more important part of your success. As a business owner, it is critical to understand that where there is value, there is always risk. When you consider both the value and the risk associated with your information systems, you can advance and protect your organization at the same time.

Insights Accounting is brought to you by Sensiba San Filippo LLP