Why Emerging Businesses Need to be Concerned with Cybersecurity
Posted on 04.21.15
By Scott M. McAuliffe, CPA, CISA, CFE,
Partner Risk Advisory Services | Emerging Business Team
In early April, Verizon released its annual Data Breach Investigation Report (the 2015 Data Breach Investigation Report). Reviewing the report, it’s clear that data breaches are happening to more and more companies—big and small. Highlighted below are some of the report’s findings that I found particularly interesting:
- Nine percent of exploited vulnerabilities were exploited a year after a patch had been published, meaning companies are not patching their servers and PCs in a timely manner.
- The largest share of attacks (29 percent) results from miscellaneous errors. Most of these errors are incorrect delivery (sending information to the wrong recipient), publishing errors (publishing nonpublic data to a public web server), and disposal errors (insecure disposal of personal and medical data). This demonstrates that human error still plays a big role in data breaches.
- Twenty-one percent of attacks result from insider misuse. Of these attacks, 55 percent were the result of individuals abusing their user access. Moreover, 38 percent of attacks involved end users – only 6 percent and 2 percent were related to developer or system administrator abuse, respectively. This illustrates how important it is to restrict access based on each individual’s job responsibilities and to enforce proper segregation of duties.
- Fifteen percent of attacks result from physical theft/loss. Of these thefts, 55 percent occurred at the victim’s work area.
In short, it seems that many data breaches can be prevented with better controls and diligence inside your company. As detailed in a recent article in Security Magazine, emerging businesses should consider these six defenses for cybersecurity:
- While security costs money, lack of security can cost your company more.
- Establish an incident response plan that trains employees on what to look for, provides contingencies for different incidents, and defines roles and responsibilities.
- Understand your IT environment, including your IT partners and vendors.
- Depending on how sensitive the data you maintain is, strong passwords might not be enough and should be supplemented with multifactor authentication.
- Access to sensitive information should be restricted to only those people who need it to perform their job responsibilities.
- Retain data and data logs for a sufficient period of time so that, in the event a breach does occur, it can be adequately investigated and prevented from recurring.
Copyright ©2015. All Rights Reserved BNP Media.
Scott focuses on providing his clients with cost-effective solutions to build strong, efficient internal control systems and practices that support their strategic objectives. Scott has more than 15 years of experience in public accounting, creating opportunities and providing risk advisory services to clients in the financial services, manufacturing, retail, and utility industries. He leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, information technology audits, Service Organization Control (SOC) audits, and Sarbanes-Oxley assistance.