IT Risk Advisory Services
Cybersecurity Baseline Risk & Control Assessment
BRC has developed a cybersecurity practice that can help our clients identify, evaluate, measure, and manage cybersecurity risks. As potentially damaging cyberattacks continue to affect more organizations, and as news about cybersecurity, hacking, ransomware, and data breaches increases, you may have found yourself wondering about your organization’s susceptibility. Ask yourself the following questions:
- How does my IT environment and security compare to my peers?
- Are my IT policies, procedures and controls meeting the industry best practices?
- Am I taking the proper steps to secure my critical data and/or the personally identifiable information (PII) that has been entrusted to my company?
- Is there an inventory of where my critical data / PII resides?
- Are my systems being patched and updated appropriately?
- Do my cybersecurity functions have access to adequate resources?
If you are not comfortable with the answers to these questions, or if you have customers and vendors who are asking these questions about your organization, BRC can help you gain confidence about your organization’s cybersecurity posture, and help you make well-informed decisions about how best to address your security risks.
Our team can help you understand where you are now and give you the information needed to manage your cybersecurity resources to get the most protection for your critical data.
BRC Cybersecurity Risk & Control Assessment Services
- Gain an understanding of the current IT environment and the critical data to scope assessment.
- Review the current IT policies, procedures and practices.
- Review the current IT controls and correlate them with an Industry control framework such as the National Institute of Standards and Technology (NIST) Cybersecurity control framework, or the ISO 27002 Information Security Standards.
- Review the current system configurations.
- Prepare a comprehensive report of suggested items to change to meet the cybersecurity industry best practices and items that are already being performed well.
Cybersecurity User Training Overview
Phishing, Social Engineering, Spear Phishing, Business Email Compromise……whatever the term you use or are most familiar with this type of attack is “behind 90% of successful cyberattacks”. 1Phishing takes advantage of the idea that the human user is still the weakest link in the data security chain. Despite the increased press and awareness of successful attacks (Mecklenburg County, Dec 2017), Verizon’s 2017 Data Breach Investigations Report found that roughly 7% of people will automatically click on any attachment or link they receive – and 25% of them were tricked into clicking more than once. The same Verizon report found that two-thirds of all malware (malicious software) attacked the computer systems via email attachments. While only 7% of users would automatically click on an attachment, an Intel Security survey in 2015 found that 97% of users could NOT tell the difference between an authentic email and a well-done fake one.
It is not a matter of if, but when. However, with proper training users can avoid falling for the phishing scheme. Users can also be trained to recognize when a mistake happens, how to respond and who to call as soon as the mistake happens to mitigate the damage. A culture of security can be developed in your company, and BRC can help.
BRC Cybersecurity User Training Services
- Launch an effective awareness campaign across the organization to help keep the potential of phishing on the employee’s minds by providing recurring and visual reminders about common risks, best practices, and the importance of security to the organization.
- Provide on-site or online role-based training to users across the organization, from the C-suite to accounting, HR, IT staff, administrative workers and every other group to ensure that each employee understands the risks, their potential exposure in their specific role, and ways to respond if they suspect an issue.
- Conduct monthly, quarterly, or semi-annual simulated social engineering phishing attacks to evaluate the employee’s susceptibility to such tactics. You can decide the frequency.
- Review / help develop clear security policies and procedures. Facilitate communication to ALL employees.
- Have the employees sign a document outlining their own responsibility to uphold those standards on the company’s network, infrastructure and devices.
- Encourage the use of two-factor authentication to mitigate the misuse of stolen passwords.
Benefits to Clients
- Cybersecurity becomes a business process.
- Increased Security. Phishing simulation provides quantifiable results that can be measured. These measurements allow improvement to be identified and tracked.
- Visibility. With the comprehensive reporting, key stakeholders can understand the security weaknesses. This reporting helps obtain executive management buy-in for current and future security initiatives.
- Demonstrated Responsibility. As responsible organizations, you need to demonstrate to your stakeholders that you understand the current threat environment and are taking steps to reduce risk. By ignoring the threats from social engineering attacks, you could be exposing yourselves to litigation.
- Improved Training Retention. Employees can receive training on what to do and what to avoid, but until an employee experiences it, their actions are unknown. After seeing what is capable, employees understand and are more security conscious. This fact will help improve training retention.
- Net Reduced Training Cost. By pinpointing employees who are more susceptible, such as via the Repeat Failures Report, additional training can be provided to those employees without the cost and burden to other employees.
- Lower Cyber Insurance Premiums. The stronger your cybersecurity posture and the better trained your users, the lower your cyber insurance premiums will be.
BRC has created a multi-faceted, risk-based, scalable approach to your cybersecurity concerns.
Kyle Corum Partner, CPA, CFE
Kyle Corum is a Partner with BRC and is the leader of the Firm’s Advisory Services practice, which includes a variety of different types of engagements including: Cybersecurity Due diligence for mergers and acquisitions Fraud and Forensic Investigations Agreed upon procedures Internal control reviews and analysis Outsource CFO and Controller duties Litigation support Shareholder […]
1. Former Rep. Mike Rogers, R-Mich., who served as chairman of the U.S House Intelligence Committee from 2011 to 2015, speaking at the U.S. Chamber of Commerce’s cybersecurity summit in late 2015.