Cybersecurity and internal controls over information technology is becoming increasingly more important as information is stored digitally, data processing is automated, and more frequently third parties are engaged to access or manage information for your business.
As important as it is to have external protections in place (think firewalls, antivirus, etc.), it is also a necessity for your employees to have a vigilant and protectionist mindset when it comes to systems and access to information. External security measures can be top-notch, but if someone in your organization opens the doors and lets the bad guys in (think Trojan Horse), it doesn’t matter how strong your cyber border is.
Here are some of the malicious attackers that could enter your organization, and the controls you could implement to impede their efforts:
RED FLAG POLICY
We sometimes have the unfortunate bias of hindsight, and can pick out red flags for certain situations after they happen. But what if we could see the red flags and be told about them prior to being put in a tough position? That is what many companies are doing with their “red flag policy” which is as simple as alerting your organization that an email has come from an external source. Spammers can disguise their email, signature line, name, and other identifiers to make it difficult to discern quickly if an email is legitimate. However, your organization can flag emails that might slip by a glancing eye by letting you know that *This is an external email* and you should take a closer look regarding that transfer request, password update request, or any other questionable action needed to be taken.
EXTERNAL CONTENT DOWNLOADS
Companies should institute firewalls and anti-virus software to protect them from online threats. But another good preventative control is to remove the ability to download online content without approval. Oftentimes, Facebook links, YouTube videos, or links to articles may seem innocent but are loaded with ransomware that could impact your workstation and potentially spread to the entire organization and its data. A good practice is to require permission from IT in order to download any program not previously installed.
VULNERABILITY ASSESSMENTS AND PENETRATION TESTING
When you move into a new house, or get a spring AC tune-up, you do it to find small leaks or cracks that could hurt more in the long-run if left ignored. The same thinking is used when describing the need for vulnerability assessments and penetration testing. A scan of the business environment through a vulnerability assessment can help identify security issues, or “patches”, the organization might have missed, or have expired, in previous configurations. Just as we upgrade our smart phone software, we should be reviewing and upgrading our security configurations to ensure we are up to speed to protect against the most recent threats.
Whitley Penn contributes to the TASBO Internal Control Tips at www.tasbo.org/IC-Tips