Surviving busy season, whether in public practice or corporate accounting, requires task prioritization. With the pressure to get things done, operational controls are sometimes relaxed to facilitate performance or service delivery. When it comes to cybersecurity and the protection of information, businesses of all types face the continuous challenges of balancing security with the need to make technology services available. Now that busy season is over and you’ve had a few weeks to recover, it’s time to do some late spring cleaning by updating critical controls and closing backdoors that can increase your or your company’s exposure to potential cybersecurity attack damages.
Clean out the user access list
Periodically reviewing the user access list is a familiar risk-mitigation strategy, and many organizations already have a policy to review these lists periodically for terminated employees. Cleaning the list should also include determining who is accountable for the use of each individual user ID. For example, in the rush to get things done, user IDs are sometimes assigned generically (e.g., “Training1” rather than a specific user name). This can result in the sharing of user IDs and the reduction of accountability over use of those IDs. The list should also be reviewed to ensure the user access list continues to enforce intended organizational segregation of duties.
Remove unneeded system administrators
System administrators are the power users of your systems. Sometimes, to install software or remotely support your technology operations, vendors may be given these privileges on an emergency or short-term basis to help resolve production issues. Frequently, vendor personnel may share client user IDs and passwords among their staff. Other “emergency system administrators” can include special use “software installation IDs,” supposedly one-time-use IDs just for installing software. Over time, these privileged user IDs are forgotten, yet their ability to manage the entire network and system remain. All system administrators should be accounted for, reconciled to approved use, have their activity monitored, and have their privileges promptly removed when their necessity expires.
Update software with critical security patches
Patches are typically fixes that a vendor provides to update or repair its software. Frequently, these updates or repairs are used to fix security risks that can be exploited. Yet, the risk to apply the patch needs to be weighed against the risk that, if the patch were applied, it could negatively impact the availability of systems. This is why many businesses choose to delay the implementation of these patches to a less busy time. Sometimes, patches are delayed because another vendor’s software may not operate properly if the patch is applied. Yet, these patches should not be delayed longer than necessary as recent reports have suggested that many cybersecurity attacks succeed because the attackers have taken advantage of patches issued more than a year earlier. Outstanding patches should be inventoried, and target dates for remediation assigned and monitored.
Remove old or unused software and hardware
It’s one thing to monitor for, manage, and assume security risks for software or hardware that a business needs. However, many organizations have software on their system or hardware attached to their network that is no longer used or needed. These could be remnants of trial software, software whose licenses have expired, or hardware kept “just in case.” These create tremendous cybersecurity risks as their existence on the system is frequently forgotten and their use is not monitored. Patches may not be applied, often creating attractive cyberattack targets. These resources should be reviewed against current invoices to ensure that your organization is not paying for maintenance or warranties that are no longer required. And while you are at it, make sure your inventories of what is on the network and what should be there match.
Test backups and update recovery plans
Many organizations already appreciate the need for backups, yet they frequently do not test these backups to ensure they work properly. Changes in applications, operating systems, and network architecture could render the previous modes and formats of backups useless. Plans need to incorporate changes in people, processes, and an ever-changing technology landscape. Additionally, new products and changes in service delivery can also dramatically impact recovery strategies. Current and effective backup and recovery strategies continue to be cited as a critical control to mitigate the risks from increasing cyberattacks. Backups and plans should be tested at least annually and more frequently as their risk impact dictates.
Update breach response and insurance coverage
Breaches continue to increase and are becoming more of a business threat. Many industry breach incident analysis reports are issued in the first quarter of the calendar year, incorporating new breaches and preventive strategies from the previous year. Organizations should update their breach response plans to incorporate the latest practices and defenses. Additionally, as insurance coverage evolves to reflect a more competitive marketplace, evaluation of the price competitiveness and coverage of existing policies should be performed. Policies should be reviewed and company compliance with any underwriting assumptions or clauses confirmed.
By investing the time and performing a spring cleanup on your technology assets, you and your organization will help reduce the probability of spending your summer recovering from a cybersecurity incident.
Joel Lanz, CPA/CITP/CFF, CGMA, CISA, CISM, CISSP, CFE, is the founder and principal of Joel Lanz, CPA PC, a niche CPA practice focusing on information assurance, technology risk management, and security. He also chairs the AICPA Information Management and Technology Assurance Executive Committee and is an adjunct professor in the business school at The State University of New York at Old Westbury in Old Westbury, N.Y.