Cybersecurity – IT Takes a Village
It’s vital for all organizations to strengthen their efforts to protect clients’ sensitive personal data. But that is a big task for any organization because there are so many elements involved.
Many organizations believe cybersecurity is the sole responsibility of the IT department. While IT is often responsible for implementing security controls, it should not have complete responsibility for your organization’s cybersecurity efforts. This information technology vs. cybersecurity infographic shows the important roles the two functions play and reinforces the need to devote adequate resources to each.
Given the severity of the risks that cybersecurity threats pose, it is crucial that your organization’s cybersecurity efforts have the support of upper management, including your board of directors.
It is important to align cybersecurity with your organization’s vision, risk appetite, and strategic direction and commit appropriate financial support. Here are some questions your board should ask about cybersecurity at your organization:
- Do we have an information security officer with the appropriate skills and authority? While your board may not be involved in the daily activities, its support is imperative. Appoint an information security officer with the authority to oversee cybersecurity and ensure there is ongoing monitoring to confirm that controls are operating as designed. This individual can serve as the liaison between the board and the rest of the organization, providing periodic updates on your organization’s cybersecurity position.
- Do we have a comprehensive inventory of all infrastructure, systems, and applications used? You cannot manage what you do not know you have. Do you have a record or inventory of your hardware and software? Only after identifying every application, server, workstation, laptop, mobile device, switch, router, firewall, and peripheral can you ensure that critical processes and controls are in place (e.g., anti-malware, backup and patch management oversight, physical security, and logical access controls such as account lockout and multi-factor authentication).
- Is there adequate monitoring and ongoing awareness to alert staff to changing threats and other potential issues? Controls and management systems alone are inadequate unless combined with appropriate monitoring. The information security officer should periodically update the board on the results of monitoring so the board can evaluate the need for additional support, resources, and controls. The following should be considered:
  - What is the strategy for identifying and addressing emerging cybersecurity developments and risks? Are you in compliance with applicable laws and regulations? If you are not aware of what is going on in your organization and the industry, you can’t properly protect your environment or maintain compliance with the changing legal requirements, such as GDPR and the new Colorado data privacy law. Note that many of these apply if your organization collects or maintains the personal data of residents in the areas covered by the laws, even if you don’t operate there.
  - Does your staff have the ability to effectively and efficiently monitor logs, reports, and alerts so they can investigate and respond to potential issues in a timely way?
  - Do you have regular IT audits? These should include general controls reviews, vulnerability assessments, and penetration tests.
- Do we have an Incident Response Plan? Because it’s no longer a matter of if a breach will occur but when, your organization should invest in planning your response to a cyber attack. The plan should address various types of incidents including vendor issues, external attacks, internal compromises, customer-initiated incidents, and zero-day vulnerabilities. The plan should consider areas such as forensics, retention of audit and activity logs, procedures for resuming normal operations, and notification of appropriate parties, which may include customers or clients. Threats are constantly changing, so review and test the plan regularly to evaluate its effectiveness.
- Are all employees and executive management trained on information security and cybersecurity issues? It’s vital for everyone with access to the network to receive ongoing cybersecurity training and understand the current landscape of cyber risks. In addition, while the board may not have network access, it is imperative they understand these same threats and risks to ensure they recognize the need to devote ongoing resources to cybersecurity.
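The inventory question above is the one most often answered by assumption rather than evidence. As an added example (not code from the original article or from CapinTech), the following Python script reconciles an authoritative inventory against the devices actually observed on the network and flags inventoried assets that lack the controls the article lists. The sample assets, hostnames, control names and the per-type control requirements are constructed for illustration; a real baseline would be set by the information security officer.

```python
"""Reconcile an authoritative asset inventory against what is actually
observed on the network, then flag assets lacking required controls.
Added illustration for this article; the inventory, observed-device
list, control names and per-type requirements are constructed
assumptions, not data from any real organization."""
from dataclasses import dataclass, field

# Controls the article names (anti-malware, backup, patch management,
# physical security, account lockout, MFA), mapped to the asset types
# that need them. The mapping is an assumption for this example.
REQUIRED_CONTROLS = {
    "server":      {"anti_malware", "patch_management", "backup", "mfa", "account_lockout"},
    "workstation": {"anti_malware", "patch_management", "mfa", "account_lockout"},
    "laptop":      {"anti_malware", "patch_management", "backup", "mfa", "account_lockout"},
    "switch":      {"patch_management", "backup", "physical_security"},
    "firewall":    {"patch_management", "backup", "physical_security", "mfa"},
}


@dataclass
class Asset:
    hostname: str
    kind: str
    owner: str
    controls: set = field(default_factory=set)


# Constructed sample inventory: what the organization believes it has.
INVENTORY = [
    Asset("fs01", "server", "IT",
          {"anti_malware", "patch_management", "backup", "mfa", "account_lockout"}),
    Asset("ws-fin-07", "workstation", "Finance",
          {"anti_malware", "patch_management"}),
    Asset("lt-audit-03", "laptop", "Audit",
          {"anti_malware", "patch_management", "backup", "mfa", "account_lockout"}),
    Asset("core-sw1", "switch", "IT", {"patch_management", "physical_security"}),
    Asset("fw-edge", "firewall", "IT",
          {"patch_management", "backup", "physical_security", "mfa"}),
]

# Constructed sample of hostnames actually seen on the network, e.g. from
# DHCP leases or a discovery scan.
OBSERVED = {"fs01", "ws-fin-07", "lt-audit-03", "core-sw1",
            "printer-lobby", "nas-0ff1ce"}


def control_gaps(asset):
    """Return the required controls this asset does not have recorded."""
    if asset.kind not in REQUIRED_CONTROLS:
        raise ValueError(f"{asset.hostname}: no control baseline for type {asset.kind!r}")
    return REQUIRED_CONTROLS[asset.kind] - asset.controls


def reconcile(inventory, observed):
    """Three findings a board-level summary needs: devices on the network
    that nobody inventoried, inventoried devices that were not seen (stale
    records or offline assets), and inventoried assets missing controls."""
    known = {a.hostname for a in inventory}
    gaps = {a.hostname: sorted(control_gaps(a)) for a in inventory if control_gaps(a)}
    return {
        "unknown_devices": sorted(observed - known),
        "missing_devices": sorted(known - observed),
        "control_gaps": gaps,
    }


if __name__ == "__main__":
    for finding, detail in reconcile(INVENTORY, OBSERVED).items():
        print(f"{finding}: {detail}")
```

Each of the three findings maps to a question the board can ask: an unknown device is something with no owner and no controls, a missing device is either a stale record or an asset that has left the network, and a control gap is a known asset that policy says should be protected but is not. Running the comparison on a schedule, rather than once, is what turns the inventory into the ongoing monitoring the article calls for.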
Cybersecurity is no longer the responsibility of the IT department alone. It takes a village to implement proper cybersecurity within your organization. Involve your board or an appropriate management oversight committee in this process to ensure that cybersecurity remains a top priority.
Katie is a manager at CapinTech. She has 15 years of banking technology experience and nearly four years of information security auditing experience. Katie also has an extensive knowledge of Automated Clearing House (ACH) rules and regulations and is the ACH specialist on staff. She stays current on changing threats and government regulations to better assist clients in protection against cybersecurity threats.