September 27, 2017 – “Cyber” is a term that refers to computer systems, networks and information systems. The security of these systems in most businesses today is of the utmost importance.
Loss of computerized systems, even for a short period, will severely disrupt most organizations’ ability to produce product, serve customers and make a profit. In addition, the loss of sensitive information about customers, employees or trade secrets can subject an organization to reputational damage, fines and lost profits.
Simply spending money on I.T. or assuming that the I.T. department is addressing these issues is not enough. There are established controls and best practices which can be implemented to ensure that only the right people have access to information, and that systems are properly configured and protected from threats, both external and internal. Knowing which controls and practices are the most important, however, is a matter of individual risk. Each business has different needs and systems, and is subject to different threats. A risk assessment is the best way to identify and prioritize the important systems and information that an organization has, the most likely threats to those systems, and the best controls to reduce or eliminate those threats. The effectiveness of your cybersecurity risk management program should be regularly assessed and monitored, with appropriate remediation of any identified weaknesses.
Third-Party Access to Sensitive Information
Many organizations leverage third parties for support across multiple business functions. Sometimes this is done intentionally to reduce costs, increase availability or provide “better security,” all common reasons for moving to “the cloud.” Other times, outside parties are given access inadvertently or for a very specific reason, without proper consideration for the risks that may be incurred. While third parties may provide improved efficiencies and functionality, the risk of loss or damage always remains with the organization.
Make sure that you know who your third-party service providers are, what information or systems they have access to, and how they are able to effectively maintain and protect your data. Your relationship should contractually spell out what they are expected to do, and what recourse you have if they fail. You should also ensure that you have the ability to audit their operations and controls to see that they sufficiently meet your needs, and obtain a Service Organization Control (SOC) 2 report or similar assurances.
This post is an excerpt from the Dopkins Risk Advisory Services newsletter.
For more information, contact William Prohn at firstname.lastname@example.org.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.