In this issue: The Top 4 Risks Facing Your Company, Enhance your Organization's Cybersecurity Strategy and 5 Mistakes to Avoid When Business Continuity Planning.
Page 2 | 1-866-956-1983 | www.cbiz.com/ras | CBIZ BizTipsVideos | @cbiz
BRIAN GREGORY
Senior Managing Director
Denver, Colorado
713.562.1154 | bgregory@cbiz.com
financial information.
The vendor’s location is an important consideration
with the vendor’s risk. Some entities may have more
regulatory risks because they’re multinational. Others
may be in areas commonly affected by disruptive events,
such as natural disasters, fires or labor strikes.
Past performance is also key. Vendors that have had
cybersecurity attacks or other disruptive events may
present a higher risk. Consider what triggered the initial
incident and what has been done to prevent a similar
event from occurring.
Your company should conduct a thorough, annual
vendor risk assessment and perform the necessary due
diligence with its third-party relationships to reduce its
vendor risks. Due diligence can help you identify what the
vendor might require in terms of controls and monitoring.
Information Technology
Your organization needs to be vigilant about protecting
sensitive data that involves addresses, phone numbers,
Social Security numbers and credit card information.
Cybercriminals have shown they can get into a range of
systems to access personally identifiable information.
Sensitive information should have multiple layers of
protection, including strict limits on who has access to
the systems. You may also consider whether this sensitive
information needs to be encrypted. The U.S. Office of
Personnel Management was recently criticized for failing
to encrypt Social Security numbers. Formalized policies
and user training about intrusion detection, IT security
and incident response can also lower your IT risks.
To mitigate security risks, storing data in the cloud
may be appealing, but it requires careful monitoring.
Oftentimes, companies do not have control over where
their data in the cloud are stored, and depending on the
type of data involved, you may run the risk of regulatory
noncompliance. For example, human resources
information cannot be housed on computers overseas.
Other data may be subject to state requirements, and
what those are will vary by region. Before moving any
information to a cloud system, do your research about
what would be permissible and what should remain in
data centers under your company’s control.
Your IT risks should be continually monitored and your
systems updated to keep pace with the ever-evolving
cyber threat environment.
Staff Management & Succession Planning
In all the focus on improving your profit margins or
your internal processes, you may have overlooked an
essential element of your operations—your staff. Company
leadership is essential to keeping your business running
smoothly.
As your executives near retirement, you should be sure you
have a process in place that can help you identify the right
successors. You should evaluate which positions will need
to be filled, from managers through chief executive officers
and chief financial officers. As part of the evaluation,
consider the position’s responsibilities. You may find
that an executive retiring provides an opportunity to shift
around responsibilities or reshape the role being vacated
to better suit the current needs of your organization. Having
a clear idea of what you need will help you pinpoint the
right candidates and the right process to take to identify
those personnel.
Emerging Markets
Working internationally can bring numerous benefits
to your operations, but anytime you enter new territory,
you’re also increasing your risks. Be sure you have an
understanding of the rules and regulations you may face
in the international market. A legitimate transaction in the
United States might not be permitted in your new location.
Emerging markets may be particularly challenging, as
fraud and corruption tend to be more prevalent. You’ll need
processes in place that make sure you are not in violation
of the Foreign Corrupt Practices Act of 1977 (FCPA),
among other anti-corruption provisions.
A Proactive Approach is Key
Consideration of all your risks should also be part of an
ongoing risk management process. Your risk environment
is always in a state of flux. Only by periodically reviewing
your areas of exposure can you keep up with those
changes. For information on how you can set up a
comprehensive risk management strategy, please contact
us.
Enhance Your Organization’s Cybersecurity Strategy
Data breaches affect all organizations, from small
not-for-profit organizations to large commercial retailers.
Should your organization fall victim to a cyber attack, the
results could be devastating. The average cost of a data
breach in 2014 was $3.5 million. Furthermore, threats
to cybersecurity appear to be increasing both in quantity
and in severity. Data breaches doubled from 2012 to
2013, and from 2013 to 2014, the average cost of data
breaches went up by more than 15 percent.
Your traditional approach to risk management may
involve information security measures such as processes
to protect your physical data from unauthorized access,
use or dissemination. Nevertheless, the current
environment demands a risk approach that also protects
your organization’s electronic data and processes.
Smartphones, computers and their networks need
protection from unauthorized access and disruption, too.
Cybercriminals frequently use these sources as points of
entry into your organization, which could have devastating
financial, legal and reputational consequences.
Approaching information technology and cybersecurity
as a function of your internal controls can help protect
your organization’s key information. The 2013 internal
control framework of the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) provides a
good foundation for how to monitor and mitigate your
largest threats to cybersecurity. Data breaches will cause
you to examine your control environment, cyber risks,
control activities, internal and external communication
strategies and your monitoring strategies. If you have a
robust cyber risk management process incorporated into your
internal controls, your organization can be much more
efficient in responding to and recovering from a security
incident.
Control Environment
Everyone in your organization plays a role in minimizing
your organization’s cybersecurity risk, and it’s up to your
organization’s management and cybersecurity team to
communicate what that entails. Common sources of data
loss offer a good indication of the types of policies and
practices that should be part of your risk management
culture. Misplaced or stolen electronic devices rank as
the primary cause of data loss. Recommended practices
for how to treat company equipment could reduce the
number of these incidents within your organization. For
example, you might want to require employees to take
home or lock up any electronic devices at the end of the
workday.
Hackers perpetrate roughly 18 percent of security
incidents. They gain access to your organization’s
networks through programs that record the keystrokes
on your computer or through malware introduced into your
system via vulnerable software or third-party plug-ins.
Your staff should be on guard for suspicious emails or
other unusual requests for information, as they might be
cybersecurity breaches in disguise.
Risk Assessment
A cyber risk assessment helps prioritize your approach
to cybersecurity. The first step is to consider your
organization’s unique risk profile. Your industry and the
kinds of information your organization collects are key
predictors of which areas of your operations will be most
at risk. Retailers have been shown to be targets of hacks
involving customers’ credit card information. Health care
institutions are highly vulnerable to having their medical
records compromised.
Consider the value of the information your organization
collects, both for the hacker and for your organization. On
average, health care records involved in a data breach
cost companies $316 per record. Compromised financial
information cost companies $236 per record. Value
doesn’t exclusively mean records’ monetary price, either.
Information that if compromised would have a significant
effect on your company’s operations should command a
larger share of your security resources.
Part of the risk assessment may include an information
technology audit. Applying this multifaceted approach to
your existing protocols helps identify the areas of
vulnerability and risk. A network security assessment can
turn up vulnerabilities in your external and internal
networks; review firewall, intrusion prevention and network
access control systems and policies; and assess wireless
networks, giving you a clearer picture of where your
risks may lie. Network penetration testing should also be
included in your information technology assessment, as
it can give you a sense of how easily security incidents
can be detected in your current operating environment.
Testing can also give you an idea of the potential
magnitude a cybersecurity breach would have on your
organization.
Control Activities
Internal controls are essential to the effective
operation of all organizations. They are the activities or
procedures designed to provide reasonable assurance
to management that operations are “going according to
plan.” Without adequate internal controls, management
has little assurance that its goals and objectives will be
achieved. Properly designed and functioning controls
reduce the likelihood that significant errors or fraud will
occur and remain undetected. Internal controls help
ensure that departments are performing as expected.
Control activities are the policies and procedures
designed by management to protect the organization’s
objectives and goals from internal or external risks.
Some common and important cyber risk control
activities are logical security, change management,
mobile devices and wireless, backups, monitoring of
third party providers and cloud services.
Logical security controls help make sure that one person
does not have too much power or influence over your
organization’s cybersecurity. Consider segregating duties
on your cyber risk team. Frequent password changes,
limiting the system administrator function and logging
and/or reviewing system administrator changes made
in the financial accounting systems are recommended
practices.
Change management controls can regulate updates
and other modifications that go into production. Your
organization should implement procedures that notify
management of changes and allow management to
approve any modifications prior to the work being done.
Then, your organization should test the update using
someone other than the developer. If satisfied that
the modification works appropriately, there should be
an approval process before the change goes into the
production environment.
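The two control activities just described (reviewing administrator changes in financial systems, and gating changes on prior management approval, independent testing and a separate release approval) can be checked mechanically against a change-ticket export. The following Python script is an added example, not CBIZ’s code; the ChangeRecord layout, the field names and the sample tickets are assumptions constructed for illustration, and would be mapped onto whatever your change-management tool exports.

```python
"""Check change records for segregation-of-duties and approval-sequence exceptions.

Added example, not CBIZ's code. The ChangeRecord layout, field names and the
sample tickets below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    system: str                              # e.g. a financial accounting system
    developer: str                           # person who made the change
    work_approver: Optional[str]             # manager who approved the work beforehand
    work_approved_at: Optional[datetime]
    work_started_at: datetime
    tester: Optional[str]                    # person who tested the change
    release_approver: Optional[str]          # person who approved the move to production
    release_approved_at: Optional[datetime]
    deployed_at: Optional[datetime]          # None while the change is still pending


def review_change(rec: ChangeRecord) -> List[str]:
    """Return the control exceptions for one change; an empty list means it is clean."""
    findings: List[str] = []
    # 1. Management is notified and approves the modification before work begins.
    if rec.work_approver is None or rec.work_approved_at is None:
        findings.append("no management approval before work")
    elif rec.work_approved_at > rec.work_started_at:
        findings.append("work started before management approval")
    elif rec.work_approver == rec.developer:
        findings.append("developer approved own work request")
    # 2. Someone other than the developer tests the update.
    if rec.tester is None:
        findings.append("no test evidence")
    elif rec.tester == rec.developer:
        findings.append("developer tested own change")
    # 3. A separate approval precedes the move into production.
    if rec.deployed_at is not None:
        if rec.release_approver is None or rec.release_approved_at is None:
            findings.append("deployed without release approval")
        else:
            if rec.release_approved_at > rec.deployed_at:
                findings.append("deployed before release approval")
            if rec.release_approver == rec.developer:
                findings.append("developer approved own release")
    return findings


def review_changes(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map change_id -> findings, listing only changes with at least one exception."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = review_change(rec)
        if findings:
            report[rec.change_id] = findings
    return report


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample tickets: one clean change and two with control gaps.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "general-ledger", "dev.alice",
                 "mgr.bob", _t("2015-03-02T09:00"), _t("2015-03-02T10:00"),
                 "qa.carol", "mgr.bob", _t("2015-03-04T16:00"), _t("2015-03-05T08:00")),
    ChangeRecord("CHG-1002", "general-ledger", "dev.alice",
                 "mgr.bob", _t("2015-03-03T14:00"), _t("2015-03-03T09:00"),
                 "dev.alice", None, None, _t("2015-03-03T18:00")),
    ChangeRecord("CHG-1003", "payroll", "admin.dave",
                 None, None, _t("2015-03-06T11:00"),
                 "qa.carol", "admin.dave", _t("2015-03-06T12:00"), _t("2015-03-06T12:30")),
]

if __name__ == "__main__":
    for change_id, findings in review_changes(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(findings))
```

Run periodically over the full ticket export, the report gives the reviewer the short list of changes where the same person played two roles or where the sequence (approve, build, test, approve, deploy) ran out of order, which is exactly what a manual review of administrator changes in the accounting system is meant to catch.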
Mobile device and wireless access need controls to
protect them from unauthorized access. Best practices
include encrypting mobile devices and removable data,
issuing unique user IDs and complex passwords and
automatically wiping devices that are lost or stolen.
The remote wiping of devices is especially important
because as mentioned earlier, missing devices are the
most common source of organizational data loss.
Controls should also be in place to protect your data
backups. Your organization needs to know what is
backed up and where it is being stored, be it a data
center, third-party provider or cloud provider. Backup
controls to implement include real-time notification
and resolution of backup failures, off-site backup
and replication, and periodic restores. Annual or
semiannual service organization control audits can help your
organization manage your third-party service providers.
If no service organization control audit reports are
available, then be sure your backup controls include
periodic visits to the third-party provider or cloud
provider offices and hosted data centers. You should
also request and review monthly or quarterly provider
reports that detail the significant events that took place,
the people who accessed the third-party provider or
cloud provider site and planned outages by the third-party
or cloud provider.
Whenever you are working with a third-party service
provider, you also need to make sure your organization
is knowledgeable and involved in the provider’s disaster
recovery plan. If an unplanned outage affects a provider,
your organization should be prepared for the potential
effect that would have on its operations.
Information and Communication
A breach rarely occurs because of one incident,
which makes it imperative that your organization
have the means to collect and analyze meaningful
information about its cybersecurity. A system that
aggregates data from different sources can identify
patterns, which indicate whether your organization is
facing a breach. Written communication plans that
address what information is distributed to whom are
highly recommended. Third parties involved with your
organization’s IT security should be considered part of
this communication plan, and your organization should
be part of theirs, as data breaches on their end could
affect your data. Depending on what is lost, you may be
at risk for legal action by the affected parties. Your legal
team should be involved to help minimize your liability
exposure. They can also help you identify who needs to
receive communication. Sometimes law enforcement,
state attorneys general and even federal agencies
may need to be included in the conversation about the
breach.
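The aggregation point above can be made concrete. The following Python script is an added example, not CBIZ’s code: it replays constructed lines from three sources (a helpdesk ticket system, a VPN concentrator and a file server audit log) in time order and flags a pattern that none of the sources shows on its own, namely use of a device after it was reported lost. The line format, the source and rule names and the sample lines are all assumptions constructed for this illustration.

```python
"""Correlate events from several sources to surface a pattern no single log shows.

Added example, not CBIZ's code. The line format, source names, rule names and
the sample lines below are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed line format: "<ISO timestamp> <source> <ACTION> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<action>\S+)\s*(?P<rest>.*)$")

# Constructed sample lines from three sources; each line is unremarkable on its own.
SAMPLE_LOGS = [
    "2015-03-05T09:15:00 helpdesk LOST device=LT-0042 user=jsmith",
    "2015-03-05T08:02:00 vpn LOGIN user=mlee device=LT-0017 src=198.51.100.23",
    "2015-03-05T11:40:00 vpn LOGIN user=jsmith device=LT-0042 src=203.0.113.7",
    "2015-03-05T10:10:00 fileserver DOWNLOAD user=mlee bytes=48000",
    "2015-03-05T11:52:00 fileserver DOWNLOAD user=jsmith bytes=2400000000",
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one line into a dict, or return None for lines the format does not cover."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None  # first token was not a timestamp: skip rather than fail the run
    event = {"ts": ts, "source": m.group("source"), "action": m.group("action")}
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def correlate(lines, download_threshold=1_000_000_000):
    """Replay events in time order and flag activity that follows a lost-device report."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    lost_devices = {}   # device id -> time it was reported lost
    lost_users = {}     # owner of a reported-lost device -> time of the report
    alerts = []
    for e in events:
        if e["source"] == "helpdesk" and e["action"] == "LOST":
            lost_devices[e["device"]] = e["ts"]
            lost_users[e["user"]] = e["ts"]
        elif e["source"] == "vpn" and e["action"] == "LOGIN" and e.get("device") in lost_devices:
            alerts.append({"rule": "login-from-lost-device", "user": e["user"],
                           "device": e["device"], "ts": e["ts"]})
        elif (e["source"] == "fileserver" and e["action"] == "DOWNLOAD"
              and e.get("user") in lost_users
              and int(e.get("bytes", 0)) >= download_threshold):
            alerts.append({"rule": "bulk-download-after-lost-report", "user": e["user"],
                           "bytes": int(e["bytes"]), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert["ts"].isoformat(), alert["rule"], alert["user"])
```

Read separately, the helpdesk ticket is routine, the VPN login succeeds with valid credentials and the download is by an authorised user; the alert exists only because the three records meet in one place, which is the argument for a single collection and analysis point. The parser deliberately discards lines it cannot read so that one malformed record from a third party does not stop the review.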
CHRIS ROACH
Managing Director
Houston, Texas
281.844.4239 | croach@cbiz.com
Monitoring Activities
The risk environment continues to change and evolve,
and so, too, should your cyber risk management
strategy. Organizations should regularly evaluate the
effectiveness of their current strategy and that of
any third parties that administer their information
technology security. They should then present findings
to key stakeholders for consideration. Periodic cyber
risk assessments should be part of your monitoring
activities as well so that you can see how your systems
are holding up to internal and external risks in your
operating environment. Planned changes, such as
adding a new third-party service provider or moving
office locations, are also good times to revisit and update
your cyber risk strategy.
Protect Your Organization
Understanding your organization’s areas of vulnerability
and the best practices to improve your strategy are key
to protecting your organization from cyber-attack. If you
have questions, concerns or comments related to your
existing cybersecurity strategy, please contact CBIZ Risk
& Advisory Services.
5 Mistakes to Avoid When Business Continuity Planning
Natural disasters, supply chain disruptions, security
breaches and even short power outages can paralyze
a business. Almost 40 percent of small to mid-size
businesses do not survive an initial catastrophic event.
A business continuity plan can help a company ensure
it will be in the 60 percent that survives. However, not
all plans are created equal. Making one of the following
five mistakes can be the difference between a company
resuming profitable operations quickly or making headline
news.
“My business continuity plan specifically targets my
company’s primary natural disaster threats.”
Business disruptions have expanded. Companies that
create plans targeting only natural disasters may be
overlooking other harmful hazards to their day-to-day
business operations, such as cyber-attacks or network
outages. Business continuity plans that are simple yet
holistic are most effective in addressing interruptions and
maintaining business as usual.
“My CEO is prepared to lead our business if a disruption
should occur.”
When disaster strikes, members of your senior
management team may not be available or capable
of making the critical decisions necessary to get
your business back on track. Establishing a crisis
management team comprised of individuals from
departments such as information technology, finance,
legal and human resources guarantees that there are
multiple people prepared to respond and that core
functional areas of your business are covered.
“I already have a business continuity plan. I am
prepared for future disasters.”
Developing a business recovery strategy should be
incorporated as an extension of your normal operations
rather than a reactive project. Your organizational
structure, vendors, clients and regulatory environments
change over time. You don’t need to write a new plan
every year, but you should factor in any of these changes
that may occur and test your plan for viability and
effectiveness.
“My employees are trained on our plan and capable of
handling the process efficiently.”
Having a strong business continuity plan as the roadmap
for working through an incident is not enough. Poor
communication with staff, clients and the general public
is typically the largest pitfall that makes it difficult for
companies to recover. Using emergency communication
technology can aid your crisis management team in
responding to the situation at hand and keep your
employees informed about what to do next. Additionally,
maintaining open lines of communication with your
clients allows them to feel secure that you are handling
the situation without compromising their account
information.
“My third-party vendors can pitch in during our recovery
to help us service clients.”
If you rely on third-party vendors to deliver products or
services to your clients, then your business continuity
plan is only as strong as these vendors. Not only should
they be prepared to support you when an incident
occurs, but you should also be informed of their strategy
in case disaster strikes on their end. Including a list
of back-up vendors that can provide similar services
in your plan greatly increases the likelihood that your
customers will not experience a loss of service during an
emergency.
Situations that compromise the security or longevity
of your business are inevitable and failing to have
an effective response strategy in place can lead
to devastating financial, legal and reputational
consequences. However, a holistic business continuity
plan paired with a properly trained crisis management
team empowers your company to react and recover from
disruptions quickly in a way that protects your data,
customers and revenues.
MARK MADAR
Director
Cleveland, Ohio
216.525.1956 | mmadar@cbiz.com