As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.
Clean out the user access list. Many organizations already have a policy to review these lists periodically for terminated employees. Cleaning the list should also include determining who is accountable for the use of individual user IDs. For example, in the rush to get things done, user IDs are sometimes assigned generically. This can result in the sharing of user IDs and the reduction of accountability over use of those IDs. The review also should ensure that the list continues to enforce intended organizational segregation of duties.
Remove unneeded system administrators. Sometimes, to install software or remotely support technology operations, vendors or others may be given short-term system administrator privileges. All system administrators should be accounted for, be reconciled to approved use, have their activity monitored, and have their privileges promptly removed when the necessity expires.
Update software with critical security patches. Patches are typically fixes that a vendor provides to update or repair its software, often to close security holes that can be exploited. Yet the risk of not applying the patch needs to be weighed against the risk that, if the patch were applied, it could disrupt the availability of systems. This is why many businesses delay pushing out patches to a less busy time. But they should not be delayed longer than necessary.
Remove old or unused software and hardware. Many organizations have software on their system or hardware attached to their network that is no longer needed. These could be remnants of trial software, software with expired licenses, or hardware kept "just in case." These can create attractive cyberattack targets.
Test backups and update recovery plans. Current and effective backup and recovery strategies are a critical control to mitigate the risks from increasing cyberattacks. Backups and plans should be tested at least annually and more frequently as their risk impact dictates.
Update breach response and insurance coverage. Many industry breach incident analysis reports are issued in the first quarter of the calendar year, incorporating new breaches and preventive strategies from the previous year. Organizations should update their breach response plans to incorporate the latest practices and defenses. Additionally, insurance policies should be reviewed and company compliance with any underwriting assumptions or clauses confirmed.
Editor's note: This checklist is adapted from "6 Steps to Shore Up Your Technology Defenses," CPA Insider, May 31, 2016.
By Joel Lanz (email@example.com), CPA/CITP/CFF, CGMA, founder and principal of Joel Lanz, CPA PC, in Jericho, N.Y., a CPA practice focusing on information assurance, technology risk management, and security. He also chairs the AICPA Information Management and Technology Assurance Executive Committee and has been an adjunct professor in the business school at The State University of New York at Old Westbury.