When we look back on 2020, the importance of cybersecurity has grown exponentially. As more people work remotely, board members, security practitioners and regulators are focusing closely on cybersecurity risks in an effort to prevent the next cyberattack.
This year, regardless of industry, we have seen our clients continue to talk through this increased focus. Today, we look at some of the key changes we have seen, including:
- Heightened attention from the board and senior management.
- An increase in due diligence of third-party providers as it relates to cybersecurity risk.
- The impact of the global COVID-19 pandemic on managing cybersecurity risk.
- More focus on cybersecurity risk by external auditors as part of SOX procedures.
- The development of the CMMC framework for DoD contractors.
Heightened attention at the board level and with senior management
Because a cyberattack could significantly disrupt a company’s operations and infrastructure, it’s no surprise that addressing cybersecurity risk is a hot topic at board meetings and with senior leadership. Through our role supporting our clients in these discussions, we have seen that board members and senior leadership are less focused on understanding the technical processes in place to address cybersecurity risks and more focused on the following:
- Understanding how cybersecurity risk is being managed at the organization, including ensuring that operational decisions are not solely being made by IT management and that there is cross-functional collaboration.
- Focusing on the trends that the CIO or CISO is seeing as it relates to the cyberthreats impacting the organization and the industry as a whole.
- Gaining insight into what groups are being impacted by these cybersecurity threats, what vulnerabilities are affecting the organization and what decisions are being made to help reduce or mitigate these risks.
- Identifying the resources and solutions needed in both the short and long term to grow the maturity of the cybersecurity program.
Our expectation is that cybersecurity is going to continue to be a conversation with senior leadership and board meetings, as governance over the cybersecurity program plays an important role. Through these discussions, our clients have seen the benefit of better collaboration and oversight, which has helped promote security awareness throughout the organization.
Cybersecurity expectations with third-party vendors
The use of third-party vendors has continued to grow as organizations look to outsource various functions to industry leaders and disruptors. However, as the old saying goes, the organization can outsource the function, but they can’t outsource the risk.
This has been a major factor in 2020 as the number of breaches resulting from third-party access rises. See: Citrix, Bank of America, the Department of Health and many more.
The reality is that cyber criminals have realized that the third-party ecosystem is another ideal entry point into the organization. With this risk in mind — and organizations continuing to be more reliant on third-party vendors — we have seen our clients think through what they can do to better manage cybersecurity in their vendor management processes.
The first step our clients are taking is performing an assessment of their current vendors to understand what data these vendors have access to and identifying which vendor-provided services are critical to the organization.
A robust vendor inventory built from that assessment forms the foundation for managing the risks associated with the use of third-party services.
Additionally, we have seen our clients enhance their due diligence procedures by strengthening the questionnaires they use, requiring vendors to provide independent assessments of the security controls they have in place (e.g., a SOC 2 report) and conducting periodic due diligence reviews to confirm that security requirements continue to be met.
Finally, we also see a trend of clients assessing their existing contractual obligations and SLAs to determine how to enhance them with specific requirements around managing cybersecurity risk. This includes language around timely breach notification, roles and responsibilities if a breach were to occur and the right to periodically audit the vendor’s security processes.
The use of third-party vendors is not stopping. Figuring out the best plan to help manage the cybersecurity risks that arise will continue to be a hot topic moving forward.
COVID impact on cybersecurity
COVID-19 has had a profound impact on cybersecurity. One of the key areas was around remote work.
Prior to COVID-19, companies of all sizes, from small businesses to large multinationals, were hesitant to implement a remote work-from-home environment due to various concerns. Many companies feared that employees would not be as productive without supervision, IT departments would be unable to protect sensitive information outside the corporate infrastructure or that collaboration among employees would suffer, among other consequences.
The pandemic has demonstrated that many companies were ill-equipped to implement a full work-from-home environment. Bad actors quickly took advantage of the situation by exploiting weak or hastily implemented security controls (e.g., overly permissive firewall rules, remote access without multi-factor authentication, unsecured home Wi-Fi connections, employees unable to recognize phishing attempts and much more).
Users of Zoom saw firsthand what can happen when security controls are not properly implemented. Meetings whose IDs were shared publicly or guessed, and that were not protected by a passcode or waiting room, could be joined by anyone. This led to meetings having unwanted guests who often disrupted the meeting by displaying inappropriate behavior. Although Zoom has since turned on passcodes and waiting rooms by default and made end-to-end encryption available to all users as an optional setting, the impact of moving to a remote working environment continues to be a key concern for many organizations.
As remote work looks to be the new normal, organizations are thinking through how they can better protect their people and data from cybercriminals. Some of the main areas that we have seen implemented to address this change include:
- The implementation of multi-factor authentication across all systems.
- Greater emphasis on security awareness and training, including phishing campaigns.
- A focus on patch management and vulnerability management.
- Establishing secure VPN connections for all employees.
- Assessment of Data Loss Prevention solutions and Backup and Recovery processes in place.
External auditor concerns for SOX
As most public organizations know, external auditors have started to ask key cybersecurity questions as part of their SOX procedures. Auditing standards require that external auditors gain an understanding and assess how organizations use information technology (IT) and the impact of IT on financial statements. This typically covers IT general controls and automated controls for key systems and tools used in the financial reporting process.
As part of determining the risks of material misstatement to the financial statements, auditors look at IT risks resulting from unauthorized access as well as unauthorized changes to systems — and this is where the impact of cybersecurity threats has proliferated.
Right now, the controls and processes in place at organizations and in-scope for SOX might mitigate the risk of internal employees, contractors or even third-party vendors having inappropriate access or performing unauthorized changes. However, external auditors and the PCAOB are evaluating how best to address the risk of cybercriminals gaining access to systems and data that could impact the financial statements and the effectiveness of internal controls over financial reporting (ICFR).
Additionally, if a material breach were to occur, the auditor has a responsibility to consider the impact on financial reporting, including any required disclosures, as well as the impact on ICFR. With this increased focus, our clients are seeing their external auditors requiring a better understanding of what the organization is doing to manage the cybersecurity risks that they face.
As mentioned above, the COVID-19 pandemic has resulted in organizations shifting to remote work environments. This has led many companies to put new cybersecurity-related processes and controls in place or to modify existing ones, including adding servers, implementing virtual private network controls and instituting multi-factor authentication. Companies might also have implemented new technology tools to support employees working from home that could come into scope for the financial audit. External auditors are weighing these changes as part of their risk assessment procedures.
Moreover, many organizations have faced the tough decisions of restructurings, furloughs and contractor changes. As a result of these changes, external auditors are looking deeper into the design and operating effectiveness of the organization’s access management controls, as well as activities mitigating segregation of duties risks.
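The access management and segregation-of-duties review the auditors are performing is, mechanically, a reconciliation of the HR roster against the system access export plus a check against a conflict matrix. The following is an added example that is not part of the original article and not a CFGI tool: the roster, the access export and the role conflict pairs are all constructed sample data, and the role names are illustrative assumptions.

```python
"""User access review over constructed sample data (added example, not the
article's own code). Flags three things an auditor asks about after
restructurings and furloughs: accounts with no HR record, accounts whose
owner is no longer active, and segregation-of-duties (SoD) conflicts."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Constructed HR roster: user id -> (employment status, termination date or None)
HR_ROSTER = {
    "jdoe":   ("active", None),
    "asmith": ("furloughed", None),
    "bchen":  ("terminated", date(2020, 6, 30)),
    "mlee":   ("active", None),
}

# Constructed ERP access export: user id -> set of assigned roles.
# "svc_batch" deliberately has no HR record (an orphaned account).
ACCESS_EXPORT = {
    "jdoe":      {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "asmith":    {"GL_JOURNAL_POST"},
    "bchen":     {"VENDOR_MASTER_MAINT"},
    "mlee":      {"VENDOR_MASTER_MAINT", "AP_INVOICE_ENTRY", "GL_JOURNAL_POST"},
    "svc_batch": {"GL_JOURNAL_POST"},
}

# Illustrative SoD conflict matrix (assumed role names): pairs of roles that
# one person should not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MASTER_MAINT", "AP_INVOICE_ENTRY"}),
    frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"}),
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphaned", "inactive_user" or "sod_conflict"
    detail: str


def review_access(roster, access, conflicts):
    """Return the list of findings for one access review cycle."""
    findings = []
    for user, roles in sorted(access.items()):
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, "orphaned", "account has no HR record"))
        else:
            status, term_date = record
            if status != "active":
                when = f" since {term_date}" if term_date else ""
                findings.append(Finding(
                    user, "inactive_user",
                    f"HR status is {status}{when} but account is still provisioned"))
        # Check every pair of roles the user holds against the conflict matrix.
        for pair in combinations(sorted(roles), 2):
            if frozenset(pair) in conflicts:
                findings.append(Finding(user, "sod_conflict", " + ".join(pair)))
    return findings


def summarize(findings):
    """Count findings by kind, which is what a review memo usually reports."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCESS_EXPORT, SOD_CONFLICTS)
    for f in results:
        print(f"{f.kind:14} {f.user:10} {f.detail}")
    print(summarize(results))
```

Each finding maps to a control the auditor tests: orphaned and inactive accounts point at the joiner/mover/leaver process, while SoD conflicts either need the access removed or a documented compensating control (for example, independent review of payments released by a user who can also enter invoices).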
Overall, external auditors are focusing on understanding new and existing cybersecurity risks and as a result have an increased focus on diving deeper into the IT environment. External auditors have the responsibility to consider the cyberthreats that could result in new or different risks of material misstatements that could impact the financial statements and/or ICFR as part of their audit procedures.
CMMC framework for DoD contractors
Earlier this year, the Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC) in order to better protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within its supply chain. Prior to the certification, DoD contractors were responsible for self-assessing the security of their IT systems and of any sensitive information those systems stored or transmitted.
Now, the DoD requires contractors to conduct third-party assessments of their compliance around specific practices, procedures and competencies outlined across five maturity levels. The DoD’s goal is to mature the cybersecurity programs across their vendors to ensure that each vendor has the ability to manage the rise of cybersecurity threats.
As part of the phased implementation of the CMMC, the DoD has acknowledged that by FY 2026 they hope to have CMMC as a requirement on all requests for proposals (RFPs) and requests for information (RFIs) for DoD contractors and subcontractors that wish to bid on work.
This is a key change in 2020 as many clients rely on DoD contracts as a major revenue source, and the task of putting the appropriate cybersecurity processes in place and obtaining an independent assessment can be costly and time-consuming. Organizations are evaluating this new requirement now by determining the CMMC maturity level the company hopes to obtain, understanding the requirements outlined for that level and determining the plan of action to ensure continual compliance.
As our world becomes more reliant on technology, the world of cybersecurity will only expand. At CFGI, we have seen cybersecurity as a point of focus for senior leadership and the board, as well as from external auditors as they perform their SOX procedures. In each instance, we have partnered with our clients to come up with a pragmatic solution that works best for the company based on the enterprise goals, the size of the company, the industry and how much investment can be put in. We understand that there is no one solution that works best and that each client has different focus areas from a short- and long-term cyber strategy.
If you are struggling with where to start, need assistance implementing your program or would like to ensure that your program is addressing the gaps that your company faces, call CFGI for an introductory discussion today.