by A. Ben Hunter, III, CPA, CISA, CRISC, CFE (Greensboro Office)
The word evokes a lot of different thoughts and feelings. To some, it is a fancy buzzword for information security. To others, it is a protection they pay for. Still other people hear “cyber” and immediately picture computer masterminds hacking into their computers to steal their data or family photos. Cybersecurity is all of this and more.
What is cybersecurity? The AICPA defines it as the process of designing, implementing, and operating controls and other risk management activities to:
1. protect information and systems, and
2. detect, respond to, mitigate, and recover from attacks.
A few of the common types of attacks are phishing, system intrusion (hacking), malware (ransomware), dumpster diving (looking for information to use in a social engineering attack), media drops (flash drives dropped in the parking lot), tailgating/piggybacking, and phone calls. There are many different variations of these common attacks. The threat agents (criminals) are extremely creative and only need to succeed once to do massive damage to our systems, our reputations and our customers.
Constant vigilance is key. New vulnerabilities are found in our systems almost daily. In the 3 days from December 5th to December 7th, I received notification of new vulnerabilities found in Mozilla Firefox, Google Chrome, Apple products, Apache Struts, Mozilla Thunderbird and Google Android OS! These vulnerabilities are not yet being exploited, but it shows we need to constantly keep our systems and applications up-to-date. There are many fancy (read: expensive) tools to enhance your cybersecurity posture. Some tools are essential to your defense, while other tools are flashy decorations. The most important cybersecurity tools you have are your users!
User education and security awareness are the most important defense layer in any cybersecurity program. No matter what fancy tools you have, if a user clicks on a malicious link, the systems are lost. If you have not heard, Mecklenburg County, NC, is currently recovering from a ransomware attack because a user opened a malicious email attachment.
I am passionate about helping clients defend themselves against the threat of cyberattacks. I began my career in the US Marine Corps in infrastructure and information security, and I strive to communicate cybersecurity risks in plain English to help stop the threat agents from disrupting operations.
If you have not stopped to think about your cybersecurity risks, I urge you to start the conversation to discuss your risks and the controls that need to be put in place to help prevent significant damage from cyberterrorists.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]