The following are some best practices for developing a cybersecurity roadmap and assembling a cross-functional team to prevent, detect, manage and mitigate cyber risks.
Seek executive buy-in. An informed and involved CEO is critical for a strong cybersecurity culture.
Conduct a risk assessment to identify weaknesses in systems and controls.
Conduct a penetration test to view your business from the perspective of a potential attacker.
Invest in tools to increase visibility into all applications, data and devices and how they are connected.
Explore the benefits of cyber insurance.
Appoint a head of cyber and data security with sufficient resources and budget.
Give cyber-awareness training to all staff and carry out regular simulated tests, such as phishing emails or fake invoices.
Create a comprehensive set of security policies and an incident response plan.
Perform continuous monitoring to comply with external regulations and internal policies.
Ensure antivirus software is up to date and that trusted software patches or updates are installed.
Back up files securely and regularly.
Be prepared for the inevitable: from time to time, cyberattacks will get through.
Prioritize incidents based on business impact.
Monitor activity to identify risk events.
Consult with insurance carriers and legal counsel (internal or external) specializing in data security regulatory requirements and state and federal law.
Perform the necessary technical investigations (assessment, network, system and device forensics).
Identify initial cause (patient zero) and coordinate the required specialists to help restore operations.
Determine the likelihood of misuse and damage as a result of the data compromised.
Summarize threat analysis results and finalize the incident report.
Track, document and measure impact.
Focus on rapid and effective incident response.
Respond to all data breaches in a timely, transparent and cost-effective manner to maintain and restore customers’ trust.
Develop a corporate mindset that is open about mistakes, eager to learn, and quick to make changes.
Maintain transparency and report the incident to all appropriate parties.
Even with the right controls in place, every organization could experience a data breach at some point. Here are the basics that every organization should follow.
Create a comprehensive set of security policies.
Follow best practices including:
- Configuring systems to require strong passwords
- Regularly patching computer systems
- Implementing multi-factor authentication for remote access
Conduct regular security awareness training for staff.
If your company doesn’t have the staff or expertise to adequately address all the steps required for a robust cybersecurity program, consider hiring an independent CPA firm. Whether your organization is designing a new cybersecurity program or needs an assurance report on one already in place — CPAs skilled in information management and technology can assist.
For more guidance and quick tips, watch this collection of short cybersecurity videos.
AICPA cybersecurity risk management reporting framework
Use our risk framework to help you communicate and report on the effectiveness of your organization’s or clients’ cybersecurity programs. The framework provides a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts.