Cybersecurity Q&A: Getting One Step Ahead

October 21, 2021


Cybersecurity experts are often called in by business leaders only after something bad has happened. That is unfortunate, to say the least, because many of today’s cyber-attacks can be avoided by improving organizational readiness.

Crafty cybercriminals too easily gain access to sensitive data by slipping camouflaged attacks past unprepared team members or poorly maintained infrastructure.

But you don’t know what you don’t know, right?

At REDW, we are reassured every day to see organizations becoming more interested in protecting themselves. In a recent interview, we talked with Certified Information Systems Auditor (CISA) and REDW Cybersecurity Consultant Jennifer Moreno about the top questions she gets on the world of cybersecurity, and how to get one step ahead of cyberattacks.

Q. Hi, Jen. First, tell us—why cybersecurity at a CPA and advisory firm?

Hey. Yes, so in the past, we facilitated IT infrastructure networking for our clients. The more we did that, the more we saw the need for REDW technology services to evolve. Over time, other types of advisors around REDW also began to see the need for more in-depth cybersecurity services as they were working with clients on financial statements, or working on internal controls in an audit. At REDW, we work with our clients’ taxes, we look at their financials, we work with them on their wealth management goals—that’s a lot of information that we have to keep confidential, and make sure that the right internal controls are in place on their side, too. In this day and age, it takes extensive effort to make sure a business client is doing the right things to stay protected. It wasn’t something we thought about 20 years ago, but now we know it’s a hot commodity for cyber criminals to get that sensitive data. And we found that we could provide really valuable advisement to our clients by expanding on areas where some needed significant help or where they were lacking in resources.

Q. What do you spend most of your time helping cybersecurity clients with?

Well, it varies, but the main thing I’m usually looking for is if a client is even able to respond to a cyber attack in the first place. You know, what internal controls do they have in place? What do they need? And pretty consistently, I’m looking at their IT governance. That’s a huge part of cybersecurity—making sure an organization can establish responsibility for any accident or cyber breach that happens. With a client, I have to look into the tone that’s going to come down from the top when their organization experiences a cyberattack. I ask,

“Is this organization’s C-suite involved in cybersecurity and do they know how to respond to an incident? How do they begin to recover from a disaster?”

I look at their personnel and systems, the policies and controls they have in place in case of a cyber-hack—that’s a large part of consulting in cybersecurity, just making sure businesses have the right processes in place.

Q. Word on the street is that the need for company-wide cybersecurity awareness training is rising. Do you agree?

Yes, absolutely. And our team is well-versed on implementing cybersecurity awareness training for a business team or organization. We have come to learn that, while our clients have physical or virtual firewalls, their team members, after being trained, can also act as a type of firewall.

“These days businesses everywhere have numerous tech gadgets and protective technologies in place, but cyber criminals know that the easiest way to get in is through people.”

Q. How are some of these cybercriminals trying to “get in?”

They spend a whole lot of time trying to socialize with company employees or organization team members to get information—and they’re very patient. So, it’s imperative to have security awareness training in place. And I’ll add that while the REDW team focuses more on the consulting and auditing side of cybersecurity, we do have very reliable, professional references for companies that are needing help to actually implement robust network infrastructure, and our references can assist with network monitoring and testing for vulnerabilities as well. So, we’re a good friend to have.

Q. When it comes to cybersecurity, what is the top mistake you see organizations making?

Access control. Usually, we recommend privileged access on a need-to-know basis. For example, your building maintenance crew doesn’t need access to your organization’s financial data. That’s an overblown example, but the point is to have a hierarchy of access to sensitive information and to have a process in place. But we find that, often, controls aren’t in place, or they’re not being followed properly. Also, it’s just as important to have documented procedures in place for establishing employee access and responding to employee separations and transfers. Access is a big thing that we’re always looking at when we’re implementing a cybersecurity audit.
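The access review described in this answer (need-to-know entitlements, plus procedures for separations and transfers) is something an auditor can run as a reconciliation between the HR roster and an export of who holds what in the organization’s systems. The script below is an added illustration and is not REDW’s or the interviewee’s code; the role matrix, HR roster, entitlement export and all user names are constructed for the example, and the finding categories are this example’s own.

```python
"""User access review: reconcile an entitlement export against an HR roster
and a role-based need-to-know matrix.  Added example; all data is constructed."""
from dataclasses import dataclass

# Hypothetical need-to-know matrix: which entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accountant": {"finance_ledger", "email"},
    "facilities": {"building_access", "email"},
    "it_admin":   {"email", "domain_admin", "backup_console"},
}

# Constructed HR roster (what HR says about each person).
HR_ROSTER = {
    "alice": {"role": "accountant", "status": "active"},
    "bob":   {"role": "facilities", "status": "active"},
    "carol": {"role": "accountant", "status": "terminated"},
    "dave":  {"role": "facilities", "status": "active", "previous_role": "accountant"},
    "erin":  {"role": "it_admin",   "status": "active"},
}

# Constructed entitlement export (what the directory / applications actually grant).
ENTITLEMENTS = {
    "alice":   {"finance_ledger", "email"},
    "bob":     {"building_access", "email", "finance_ledger"},   # maintenance with finance access
    "carol":   {"finance_ledger", "email"},                      # separated, never deprovisioned
    "dave":    {"building_access", "email", "finance_ledger"},   # kept old role's access after transfer
    "erin":    {"email", "domain_admin", "backup_console"},
    "mallory": {"email"},                                        # account with no HR record
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphan", "separated", "excess", or "transfer_residue"
    detail: str


def review_access(roster, entitlements, role_matrix):
    """Return one Finding per account that violates the access policy.

    Checks, in order: account has no HR record (orphan); person is not active
    (separated); person holds entitlements beyond their current role, and whether
    those leftovers match a previous role (transfer residue) or not (excess).
    """
    findings = []
    for user, held in sorted(entitlements.items()):
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, "orphan", "account exists but HR has no record of this person"))
            continue
        if record["status"] != "active":
            findings.append(Finding(user, "separated",
                                    f"status is {record['status']!r} but account still holds {sorted(held)}"))
            continue
        allowed = role_matrix.get(record["role"], set())
        excess = held - allowed
        if not excess:
            continue
        previous = role_matrix.get(record.get("previous_role", ""), set())
        kind = "transfer_residue" if excess <= previous else "excess"
        findings.append(Finding(user, kind, f"holds {sorted(excess)} beyond role {record['role']!r}"))
    return findings


def findings_by_user(findings):
    """Collapse findings to a {user: kind} map, handy for reporting and tests."""
    return {f.user: f.kind for f in findings}


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ENTITLEMENTS, ROLE_ENTITLEMENTS):
        print(f"[{f.kind:16}] {f.user}: {f.detail}")
```

On the constructed data this flags four accounts: bob (excess finance access for a facilities role), carol (terminated but still provisioned), dave (access carried over from a previous role after a transfer) and mallory (no HR record at all); alice and erin hold exactly what their roles allow. In practice the roster and entitlement data come from an HR system and directory or application exports, and the role matrix is the documented hierarchy of access the answer above calls for.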

Q. Do you see organizations making other cybersecurity missteps?

Yes. Incident response is another weak spot for many organizations. Having an established, updated, and tested incident response plan is of the utmost importance, especially as the question nowadays isn’t really if your company will be targeted for a cyber-attack, but rather when. At every organization, there needs to be a disaster recovery plan and a trained, identified cybersecurity incident response team that ensures the organization can recover from a cyber-attack.

Q. What about next steps? After reading this, what should a business or organization leader do first?

We always hope that IT and management are talking, but definitely reach out to your IT team and make sure that everyone’s on the same page. Next, make sure you orchestrate some type of IT audit or assessment so you can identify where your cybersecurity gaps are. A lot of organizations we meet are really on the ball, but some have realized they’ve fallen behind the times a bit—which are always changing. It’s tough to keep up, but that’s what the REDW Cybersecurity team is here for.

“We recommend that every business or organization assess their cybersecurity at least every two to three years, regardless of how well they’re doing.”

From a cybersecurity or IT audit to awareness training, we want to help organizations get out in front of cyber threats and empower their teams to help keep everyone digitally secure.


Get out in front of cyberthreats.

Unlike traditional cybersecurity companies, REDW’s diverse team offers a range of expertise that is tailored to your needs. From cybersecurity experts to auditors and assurance professionals, our team helps your established IT practices expand as needed, adapting to the digital world to better protect, elevate and empower your business.

Have a quick question, or want to discuss a cybersecurity audit for your organization? Contact Jennifer Moreno. REDW trusted advisors are here to help you get one step ahead.
