Cybersecurity for 2017: Empower Your People

Digital viruses and hackers are nothing new, but the severity and prominence of cyber attacks are growing.  Is the impact of breaches greater?  Or are there truly more breaches now than in the past?
The answer is “yes” to both.  Leaks and breaches were thrust into the spotlight during the recent election cycle, and hackers have extended their reach into even the most sophisticated organizations, capitalizing on lax security to gain access to sensitive information.
Companies are caught in a technology quandary. Technology advances bring outstanding efficiency to organizations of all shapes and sizes: electronic funds transfers (EFTs), electronic time sheets and expense reimbursements, “bring your own device” policies, and more.  Each new element adds complexity, and with it risk.  Companies must evaluate how to manage those intrinsic risks to find the right balance of security and effectiveness.
That is no easy task, and cyber security often takes a back seat to revenue-generating activities.  According to a recent survey, 80 percent of companies have a medium level of vulnerability and 10 percent are at high risk for breaches.  As the Wall Street Journal [subscriber content] noted, “Among the highly vulnerable companies, 91% of non-executive directors cannot read a cyber security report and nearly 100% of those companies don’t track devices on their network. Among this group, only 9% said their systems were regularly updated in response to cyber threats, and 87% of them don’t consider their malware, antivirus software and patches to be 100% up-to-date at all times.”
Too many organizations consider themselves to be in a low-risk category, but nearly all companies hold information that hackers can steal or hold for ransom, whether donor records, credit card data, or healthcare records.
Indeed, healthcare providers are increasingly in the crosshairs of attackers.  A 2016 incident at Hollywood Presbyterian Medical Center underscores the risk: the hospital was forced to acquiesce to ransom demands after a ransomware attack locked staff out of hospital systems, and the results were felt immediately.
“While the employees were shut out, they were forced technologically back in time: writing down patient orders, exchanging paper, and using faxes,” reported Nonprofit Quarterly. “Area hospitals accepted diverted patients who would have otherwise been accepted at Hollywood Presbyterian’s emergency room.”
Companies looking to improve their cyber security posture should be guided by three proven realities:

  • People are the best protection
    In the end, an organization’s security is only as strong as its people. The HR department should work closely with IT to set and enforce policies, and employees must remain vigilant. One of the most common types of attack is social engineering: hackers send seemingly innocuous emails with links that entice recipients to click, and the click harvests the recipient’s credentials or installs malware, giving the attacker a foothold on the network.  Other attacks start with nothing more than a polite request for the password to the wireless network. Staff members should be educated and reminded regularly of the types of bait used in these “phishing schemes” and how to avoid falling into these ever-evolving traps.
    Education is not “one and done,” however.  Consistent and periodic training keeps security top of mind and produces a more reliable reaction from employees.  According to a study on IT security training by PhishMe, the average response rate to a phishing email is about 20 percent.  When employees are trained through simulations, though, the click rate drops to 13 percent by the third exercise and to just 0.2 percent by the fifth.
    Managing the risk presented by human behavior is a relatively new twist for IT professionals. A decade ago, their role was focused on building virtual walls; now they face a much more nuanced challenge, with staff behavior a cornerstone of keeping their organization safe.
  • Updates are critical and not automatic
    Beyond maintaining a threat-savvy team, organizations must make certain that known vulnerabilities are kept in check.  Anyone who uses a computer shares responsibility for applying updates promptly, because updates close the holes that malware and network intrusions exploit.  Lapses often come down to neglecting simple chores, such as applying the security patches and service packs that keep a strong defense in place.
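To make the phishing bait described under “People are the best protection” concrete, here is an added example (not code from the original article or from AAFCPAs): it scans the links in an HTML email and flags the classic trick in which the visible link text names one site while the actual target is another, plus links that point at a bare IP address. A mail gateway or a phishing-awareness tool performs this kind of check automatically; the trained employee who hovers over a link before clicking is the human version. The sample message and every hostname in it are constructed for the example and are hypothetical.

```python
# Added example (not from the original article): spot the classic phishing
# bait in which a link's visible text names one site but its href goes to
# another, or the target is a bare IP address.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside link text, e.g. "www.mybank.example".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Naive registrable domain: the last two labels. Assumption: this ignores
    multi-label suffixes such as co.uk; a production tool would use the
    Public Suffix List instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html):
    """Return findings for links whose target does not match the site the
    recipient is shown, or that point at a bare IP address."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = (urlparse(href).hostname or "").lower()
        if not actual:
            continue  # mailto:, #anchors, relative links: nothing to compare
        shown_match = HOST_RE.search(text)
        shown = shown_match.group(1).lower() if shown_match else ""
        reasons = []
        if shown and base_domain(shown) != base_domain(actual):
            reasons.append(f"text shows {shown} but link goes to {actual}")
        if IPV4_RE.fullmatch(actual):
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message; all hosts are hypothetical (.example TLD).
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Please
<a href="https://login.mybank-secure.example/reset">verify your account at www.mybank.example</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.mybank.example/help">www.mybank.example/help</a>.</p>
<p>Or <a href="http://203.0.113.7/owa">click here</a> to open webmail.</p>
<p><a href="mailto:help@mybank.example">Email support</a></p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first link is flagged because the text shows www.mybank.example while the href goes to login.mybank-secure.example, and the “click here” link is flagged for pointing at a bare IP address; the genuine help link and the mailto: link pass. The comparison is on the registrable domain rather than the full hostname so that a legitimate link from www.mybank.example to help.mybank.example is not reported.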

At a higher level, business leaders should be aware that critical security elements such as firewalls will not maintain themselves.  If IT leaves them unattended for even a three- or six-month window, that gap can wreak havoc on the environment.  An organization can buy the best firewall on the market, but if it is not routinely updated and its rules kept current, it will not provide the intended protection.
There is no doubt that cyber threats are increasing in frequency and impact.  At the same time, organizations can equip themselves by proactively securing their systems and standing ready to react quickly if a breach occurs.  The right training around the right controls will go a long way toward bringing companies some cyber peace of mind.
For more information about cyber security and IT risk assessment, please contact your AAF Partner, or James Jumes, leader of AAFCPAs’ integrated business & IT advisory practice at: 774.512.4062 or

About the Author

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting.  James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting and SOC 2 + HITRUST assessments against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
