Q and A: Cybersecurity Matters Because the Stakes Are Higher Than Ever

March 13, 2023 | John Moeller, CLA

Regardless of industry, cybersecurity fundamentals apply to all businesses, organizations, and levels of government — and the stakes are higher than ever. Ransomware attacks can put a small company out of business or leave a large organization scrambling for answers and rehabbing its reputation for years to come. 

Cyberattacks can impact all areas of society — including food supply, the energy sector, financial sector, education, and national security. Professional cybersecurity advisors are spending more and more time answering questions and providing guidance to business owners, other executives, and board members. The following are some of the most common questions.

As a small business owner, I am too small to matter. I do not need to worry about a cyberattack, right? 

The size of your business or organization does not matter. A staff of any size can be on the receiving end of all types of social engineering. Social engineering involves the use of various forms of deception to coerce or manipulate an individual into divulging confidential information that could be used for fraud. 

Popular forms of social engineering include phishing attacks (unwanted malicious email), vishing (voice phishing), smishing (text), and other forms of on-site and remote social engineering. Smishing can be particularly troublesome. It uses a text message crafted to look as if it comes from a reputable company, enticing the recipient to reveal passwords, credit card numbers, and more.

As a small business or organization, you may be more susceptible to social engineering for reasons including a lack of understanding of the topic, lack of employee training, or lack of direction from management. Additionally, your small business or organization may not have the financial budget to sufficiently prepare for and defend against cybersecurity threats.

All of our computers run antivirus software, so I am safe ... correct? 

The short answer is no. Antivirus software helps protect against certain types of malware, but a layered approach to cybersecurity can offer better protection. 

Intrusion detection and intrusion prevention systems are designed to detect or prevent malicious activity at your firewall — which protects your internal local area network from the internet. Other layers of protection include monitoring network accounts with elevated privileges, as well as monitoring network activity. 

Security information and event management (SIEM) is a useful tool. A SIEM can provide real-time analysis of security alerts and network activity — which is useful in detecting and preventing a cybersecurity event.

Ransomware attacks are frequently in the news, and this really worries me. What can my business or organization do to prepare?

Many companies offer products and services to prevent, detect, and remove ransomware. Case in point: the Ransomware Self-Assessment Tool (R-SAT). R-SAT is a free assessment tool developed in 2020 by the Bankers Electronic Crimes Task Force, state bank regulators, and the United States Secret Service to help financial institutions develop risk mitigation plans regarding ransomware. 

The tool is a questionnaire that helps evaluate your cybersecurity program to identify weaknesses and gaps that can make you susceptible to ransomware or hinder your recovery from a ransomware incident. The R-SAT can be easily modified to fit any business, organization, or government entity and is available at csbs.org/ransomware-self-assessment-tool.

I am a board member and not a cybersecurity expert. How can I be expected to provide oversight in an area I do not understand?

The answer can vary depending on the type of business or organization the board member is part of. For example, did you know the Securities and Exchange Commission (SEC) will soon require public companies to discuss their cybersecurity governance capabilities?

In March 2022, the SEC issued a proposed rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. In it, the SEC describes its intention to require public companies to disclose whether their board members have cybersecurity expertise. Board members must take the position that cyberattacks are likely and exercise their oversight role to verify that executives and managers have made proper and appropriate preparations to respond to and recover from an attack.

Cybersecurity threats are so significant that risk has risen to a level requiring board attention. There are some simple steps you can take to make sure your board of directors is exercising its oversight responsibility.

  • Appoint at least one board member with cybersecurity proficiency.
  • Provide the entire board with ongoing cybersecurity training:
    • Bring in outside professionals to provide training
    • Each quarter, review a cyber-related event that recently occurred in your industry or is deemed relevant by the board
    • Exchange board-level cybersecurity practices with other boards in your industry or geography
  • Add cybersecurity as a standing agenda topic to each board meeting.
  • Develop relevant cybersecurity reporting metrics for your business or organization to be reviewed monthly by the board.
  • Hire a full-time information security officer (ISO) or bring in a fractional ISO from a cybersecurity consulting firm to develop a cybersecurity strategy and risk management program to be approved by the board.
  • Make sure all cybersecurity-related business decisions are reviewed and approved at the board level.

Our company has a budget for IT, but we cannot afford the technology and services consultants recommend. Is there anything we can do that won’t break the budget? 

Improve your organization’s proficiency at basic IT and cybersecurity blocking and tackling by implementing the following 10 key defensive measures: 

  1. Implement an information security and cybersecurity program (ISP). At a minimum, the ISP includes relevant IT policies with defined controls, an information security risk assessment, and identification of critical data in transit and at rest. 
  2. Define user access roles and access permissions. Users should not have system administrator rights. Implement the principle of least privilege by providing users with just enough network and application access to do their job and nothing more. 
  3. Harden internal systems. Turn off services that are not needed, change default passwords, and use complex passwords of at least 16 characters for user accounts and 26 characters for administrator accounts. 
  4. Encrypt critical data in transit and at rest. 
  5. Develop a vulnerability management program. This includes patch management, application whitelisting, and regular testing for effectiveness. 
  6. Implement network segmentation. At a minimum, place servers and workstations on separate network segments. 
  7. Centralize audit logging, analysis, and alerting capabilities. Do this with servers, applications, and other infrastructure. 
  8. Develop a defined incident response plan and procedures. Prepare for a cybersecurity incident before it happens. 
  9. Test, test, and test. Develop a testing approach with an experienced cybersecurity consultant. 
  10. Enable multi-factor authentication (MFA). MFA requires a password plus a second form of unique identification the user must enter to gain access to system resources. 
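The following is an added example, not code from the article or from CLA, showing how measures 2, 3 and 10 above can be turned into an automated check over an account and host inventory. The password-length thresholds (16 for users, 26 for administrators) come from the list; the account fields, the list of default passwords, the unneeded-service list, and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

# Thresholds quoted in the article's ten defensive measures (items 2, 3 and 10).
MIN_USER_PW_LEN = 16
MIN_ADMIN_PW_LEN = 26
# Constructed list of factory-default credentials (item 3: change default passwords).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}
# Constructed list of services a hypothetical baseline says should be turned off.
UNNEEDED_SERVICES = {"telnet", "ftp", "smbv1"}

@dataclass
class Account:
    name: str
    role: str             # "user" or "admin"
    password_len: int     # store only the length, never the password itself
    password_is_default: bool
    mfa_enabled: bool
    local_admin: bool     # holds system administrator rights on the host

@dataclass
class Host:
    hostname: str
    segment: str          # e.g. "workstations" or "servers" (item 6)
    services: set = field(default_factory=set)
    accounts: list = field(default_factory=list)

def check_host(host):
    """Return a list of (hostname, finding) tuples for one host."""
    findings = []
    for svc in sorted(host.services & UNNEEDED_SERVICES):
        findings.append((host.hostname, f"unneeded service enabled: {svc}"))
    for acct in host.accounts:
        required = MIN_ADMIN_PW_LEN if acct.role == "admin" else MIN_USER_PW_LEN
        if acct.password_is_default:
            findings.append((host.hostname, f"{acct.name}: default password in use"))
        if acct.password_len < required:
            findings.append((host.hostname, f"{acct.name}: password shorter than {required}"))
        if acct.role == "user" and acct.local_admin:
            findings.append((host.hostname, f"{acct.name}: ordinary user holds admin rights"))
        if not acct.mfa_enabled:
            findings.append((host.hostname, f"{acct.name}: MFA not enabled"))
    return findings

def audit(hosts):
    """Run check_host over every host and flatten the findings."""
    return [f for h in hosts for f in check_host(h)]

SAMPLE_HOSTS = [  # constructed sample inventory, not real systems
    Host("ws-01", "workstations", {"rdp", "smbv1"},
         [Account("jdoe", "user", 12, False, True, True)]),
    Host("srv-db", "servers", {"mssql"},
         [Account("sa", "admin", 8, True, False, True),
          Account("backup", "admin", 30, False, True, True)]),
]
```

Running `audit(SAMPLE_HOSTS)` on the constructed inventory reports the SMBv1 service, the under-length user password, the user with admin rights, and the default, short, non-MFA `sa` account, while the compliant `backup` account produces no finding.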

I know I should be concerned about cybersecurity, but I have other pressing issues to deal with every day. To manage cybersecurity risk, I added a cybersecurity rider to our insurance policy. I am all set, correct? 

Cybersecurity insurance is not a replacement for an effective cybersecurity program. Not only is cyber insurance becoming much more expensive — it does not repair the reputation of your business or organization if you have a cybersecurity incident. 

Work with qualified insurance professionals to identify a policy that helps mitigate cybersecurity risk. Be sure to have the board review and approve the policy.

For more information on developing a robust cybersecurity program, contact John Moeller at john.moeller@CLAconnect.com or 319-558-0282. 

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. For more information, visit CLAconnect.com. 

CLA exists to create opportunities for our clients, our people, and our communities through our industry-focused wealth advisory, outsourcing, audit, tax, and consulting services. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.