
Can Your Firm Ward Off a Cyber Attack?

By:
JOEL LANZ, CPA/CITP, CFF, CISA, CISM, CISSP, CFE
Published Date:
Apr 22, 2014

From the colossal data breach at Target last year, to revelations that an Internet security bug left Web surfers prey to hackers, recent headlines have pushed executives and their boards to reexamine how equipped they are to protect their businesses from cybersecurity attacks. Here’s a look at some common assumptions businesses make about cybersecurity threats that could leave them vulnerable.

1. We’re small, and therefore, hackers won’t waste their time with us.
Hackers, unfortunately, appreciate that smaller businesses may not be able to afford the tools and other risk-mitigation strategies larger companies employ to reduce cybersecurity risk. They also know that smaller businesses may struggle to attract, compensate and keep cybersecurity professionals. Because of this, small businesses have become an increasingly favored attack target. What’s more, a significant number are not even aware that they’ve been hacked.

2. We know where our critical information is and have implemented protective strategies.
In the early days of computing, companies had a pretty good idea of where their data were stored and a realistic sense of who had access to them. But with the advent of the “Internet of things” (the everyday items of our world connecting to the Internet), the increased reliance on third-party service providers and their subcontractors, and the deployment of cloud computing solutions, knowing where data are kept has become a much harder problem. Even among companies that keep all data in-house, understanding where data reside in a distributed environment can be an overwhelming task. Reconsider what you know, and don’t know, about where your data are stored. Otherwise, you won’t be able to adequately assess and respond to the threats facing them.

3. We use a firewall and are therefore protected from cyber threats.
Using a firewall is a critical component of a multilayered cybersecurity protection strategy. However, to be effective, the firewall needs to be properly configured and its rule sets appropriately defined. Vulnerable organizations, more often than not, set these rules when first installing the firewall but rarely go back to review their applicability or effectiveness, let alone apply industry-recommended security-hardening guidelines. (FYI, the best of these guidelines call for traffic to be appropriately monitored in both directions and for data leaving the organization to meet established or expected criteria, so that the impact of data leakage in the case of a breach is minimized. A firewall that only inspects inbound traffic does nothing to stop data walking out the door.)
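What “data leaving the organization meets expected criteria” looks like in practice is an egress policy plus a review of outbound traffic against it. The following script is an added example and is not part of the original article; it reviews a handful of constructed flow records (source, destination, port, protocol, bytes out) against an assumed policy: name resolution must go through the internal resolver, only the mail relay may send SMTP outbound, only web ports are generally allowed, and any single large outbound transfer is flagged for a human to look at. The network ranges, the relay address, the allow-list and the size threshold are assumptions to be replaced with the organization’s own values.

```python
"""Review outbound flow records against an expected-egress policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample flow records, not real traffic:
# source, destination, destination port, protocol, bytes sent outbound.
SAMPLE_FLOWS = """\
10.0.5.23 10.0.0.53 53 udp 120
10.0.5.23 93.184.216.34 443 tcp 8400
10.0.5.40 8.8.8.8 53 udp 96
10.0.5.40 203.0.113.9 4444 tcp 51200
10.0.5.51 198.51.100.7 443 tcp 734000000
10.0.5.51 198.51.100.7 25 tcp 2048
"""

# Assumed network layout and policy; adjust to the organization being reviewed.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")   # only host allowed to send SMTP outbound
ALLOWED_EGRESS = {("tcp", 443), ("tcp", 80)}      # general web access from any internal host
BULK_TRANSFER_BYTES = 100 * 1024 * 1024           # a single flow above this gets reviewed


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated record format used in SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto.lower(), int(nbytes)))
    return flows


def check_egress(flow: Flow) -> Optional[str]:
    """Return a reason if the flow violates the expected egress criteria, else None."""
    if flow.dst in INTERNAL_NET:
        return None  # not egress; internal segmentation rules are out of scope here
    if flow.dport == 53:
        # Name resolution must go through the internal resolver so queries are logged;
        # DNS leaving the network directly bypasses that monitoring (and is a classic
        # covert channel for data leakage).
        return "DNS sent directly to an external resolver"
    if flow.proto == "tcp" and flow.dport == 25:
        if flow.src != MAIL_RELAY:
            return "outbound SMTP from a host that is not the mail relay"
        return None
    if (flow.proto, flow.dport) not in ALLOWED_EGRESS:
        return f"{flow.proto}/{flow.dport} is not on the egress allow-list"
    if flow.nbytes > BULK_TRANSFER_BYTES:
        return f"{flow.nbytes} bytes in one flow exceeds the bulk-transfer threshold"
    return None


def egress_violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """All flows that fail the policy, paired with the reason."""
    findings = []
    for flow in flows:
        reason = check_egress(flow)
        if reason:
            findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in egress_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the sample, four of the six flows are flagged: the DNS query to 8.8.8.8, the connection to port 4444, the 700 MB HTTPS upload, and the workstation sending mail directly. The same rules, expressed in the firewall’s own syntax as a default-deny outbound rule set, are what the hardening guidelines referred to above ask for; the review script is how you confirm the rules still match reality after they were written.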

4. Our people are too smart to fall victim to cybersecurity hoaxes.
Ideally, yes, but in practice, not always. The weakest link in cybersecurity strategies is the human element. For instance, studies show that people continue to share passwords and, if not properly guided, use easy-to-guess passwords. In fact, listings of frequently used passwords indicate that unbelievably simple ones such as “12345678” and “password” continue to be popular choices. Enforcing complex password configurations helps, but it is not enough on its own: a password that satisfies a typical complexity rule, such as a dictionary word with a capital letter and “1!” appended, is still among the first guesses any cracking tool tries. Companies should therefore consider running a password-cracking tool against their own password stores to determine how well their employees’ passwords actually hold up.
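The kind of check a password-cracking tool performs, as an added example that is not part of the original article: an offline dictionary audit of stored password hashes. The credential records, the seven-word wordlist and the salted SHA-256 storage format are all constructed for the example (a real audit exports the hashes from the directory or database under review, with authorization, and uses a wordlist of millions of leaked passwords). The point it makes is the one above: two of the three cracked passwords pass a conventional complexity policy.

```python
"""Offline audit of stored password hashes with a small dictionary and mangling rules."""
import hashlib
import os
from typing import Dict, Iterator, List, Optional, Tuple

# A real audit uses a wordlist of millions of leaked passwords; these suffice to show the point.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "welcome", "summer", "letmein"]
# Suffixes people bolt on to satisfy a complexity rule; every cracker tries them first.
SUFFIXES = ("1", "!", "1!", "123", "2014")


def hash_password(salt: bytes, password: str) -> str:
    # Salted SHA-256 stands in for whatever the system stores. The salt defeats precomputed
    # tables, but a fast hash still lets an attacker test millions of guesses per second;
    # production systems should use a deliberately slow scheme (bcrypt, scrypt, Argon2),
    # which makes this same audit slower but does not change which passwords fall.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(username: str, password: str) -> Tuple[str, bytes, str]:
    """Constructed fixture resembling an exported credential row: (user, salt, hash)."""
    salt = os.urandom(16)
    return (username, salt, hash_password(salt, password))


# Constructed sample accounts, not real credentials.
SAMPLE_RECORDS = [
    make_record("alice", "12345678"),
    make_record("bob", "Password1!"),
    make_record("carol", "Summer123"),
    make_record("dave", "rT7#vQ2m!pLz"),
]


def meets_policy(password: str) -> bool:
    """Typical complexity rule: 8+ characters and three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 3


def candidates(wordlist: List[str]) -> Iterator[str]:
    """The cheap variants a cracker tries first: as-is, capitalized, with common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in SUFFIXES:
                yield base + suffix


def crack(records: List[Tuple[str, bytes, str]],
          wordlist: List[str] = COMMON_PASSWORDS) -> Dict[str, Optional[str]]:
    """Map each username to the recovered password, or None if no candidate matched."""
    result: Dict[str, Optional[str]] = {user: None for user, _, _ in records}
    for user, salt, digest in records:
        for guess in candidates(wordlist):
            if hash_password(salt, guess) == digest:
                result[user] = guess
                break
    return result


def audit(records: List[Tuple[str, bytes, str]]) -> List[Tuple[str, bool, Optional[bool]]]:
    """Per user: (name, was it cracked, did the recovered password pass the complexity policy)."""
    return [(user, pw is not None, meets_policy(pw) if pw is not None else None)
            for user, pw in crack(records).items()]


if __name__ == "__main__":
    for user, cracked, policy_ok in audit(SAMPLE_RECORDS):
        print(f"{user:6} cracked={cracked!s:5} met_policy={policy_ok}")
```

The result for the sample is that alice, bob and carol are cracked in well under a second, and bob’s “Password1!” and carol’s “Summer123” both satisfy the complexity rule. Only dave’s random password survives, which is the argument for a password manager, for screening new passwords against known-breached lists, and for multi-factor authentication so that a cracked password alone is not enough.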

5. Our data are encrypted, so we must be OK.
Encrypting data is an important risk management strategy. However, encryption is only as good as the controls around its implementation; for example, if the encryption key is derived from a password, the protection is no stronger than that password. If it is easily guessed, the data can be decrypted just as easily. Another challenge facing businesses is control over the encryption keys themselves: ensuring that they are under dual control (no single person can reconstruct or use a key alone) and are appropriately safeguarded. This includes ensuring that keys are kept physically separate from the data they protect, since a backup tape or cloud bucket that holds both the ciphertext and the key is effectively unencrypted.
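One concrete form of dual control, as an added example that is not part of the original article: split knowledge of a key, where each custodian holds one component, the key exists only when all components are combined, and a key check value written on each custodian’s envelope confirms a reconstruction without revealing the key. The XOR splitting scheme below is the standard one for key-custodian components; the key length, the two-custodian default, and the eight-hex-character check value are choices made for the example.

```python
"""Split-knowledge (dual control) handling of an encryption key, added example."""
import hashlib
import hmac
import secrets
from typing import List

KEY_LEN = 32  # 256-bit key; assumed for the example


def split_key(key: bytes, custodians: int = 2) -> List[bytes]:
    """Split key into n components whose XOR is the key.

    The first n-1 components are uniformly random; the last is chosen so that all of them
    XOR back to the key. Any set that is missing even one component is indistinguishable
    from random bytes, so a single custodian (or a single stolen envelope) learns nothing.
    """
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for part in parts:
        last = bytes(x ^ y for x, y in zip(last, part))
    parts.append(last)
    return parts


def combine_key(components: List[bytes]) -> bytes:
    """Recombine components. Supplying fewer than all of them yields a random-looking value."""
    if not components:
        raise ValueError("no components supplied")
    key = bytes(len(components[0]))
    for comp in components:
        if len(comp) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(x ^ y for x, y in zip(key, comp))
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint of the key (HMAC over a fixed block, truncated).

    It can be recorded on the custodian paperwork: it lets a reconstruction be verified
    without ever displaying the key, and it reveals nothing useful about the key itself.
    """
    return hmac.new(key, b"\x00" * 16, hashlib.sha256).hexdigest()[:8]


def verify_components(components: List[bytes], expected_kcv: str) -> bool:
    """True only if the supplied components reconstruct a key with the expected check value."""
    try:
        key = combine_key(components)
    except ValueError:
        return False
    return hmac.compare_digest(key_check_value(key), expected_kcv)


def ceremony(components: List[bytes], expected_kcv: str) -> bytes:
    """Key-loading ceremony: refuse to proceed if the check value does not match."""
    if not verify_components(components, expected_kcv):
        raise ValueError("key check value mismatch: wrong or missing component")
    return combine_key(components)


if __name__ == "__main__":
    # Generation ceremony: the key is split immediately and the full key is never stored.
    # Each component goes to a different custodian, stored apart from the encrypted data.
    key = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(key)
    custodian_a, custodian_b = split_key(key)
    del key
    print("both custodians present:", verify_components([custodian_a, custodian_b], kcv))
    print("custodian A alone:     ", verify_components([custodian_a], kcv))
```

Note that the components, not the key, are what get stored, and that they belong in separate safes (or separate hardware tokens), neither of which sits next to the backups they protect. Commercial hardware security modules implement the same idea with smart cards and an m-of-n quorum; the XOR scheme is the minimal version that shows why one custodian alone cannot recover anything.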

6. We don’t need to worry since we outsource.
Unfortunately, you do. Rare is the service contract that adequately addresses and protects a business from cybersecurity risk. For example, your contract may call for critical patches to be applied but make no mention of important patches (yes, in the technology lexicon there is a difference). By the way, your contract does specify a reasonable timeframe within which critical patches will be applied, correct? In short, without appropriate written agreements, confusion may arise regarding the level of service that has been contracted for and what is actually delivered.

7. Cybersecurity isn’t a business issue, so let the techies handle it.
It only takes one breach, which could cost a business millions of dollars, for executives to realize that cybersecurity risk is a business issue. As more businesses move toward digital service delivery and interact with their customers electronically, managing cybersecurity risk will become a critical skill, and a business’s success and reputation will rely on management’s ability to master this area. Periodic testing and implementation of core controls will go a long way toward determining and assessing the effectiveness of cybersecurity protections.

Joel Lanz, CPA/CITP, CFF, CISA, CISM, CISSP, CFE, is the sole proprietor of Joel Lanz, CPA P.C., and an adjunct professor at SUNY–College at Old Westbury. He is a member of the NYSSCPA’s Technology Assurance Committee and The CPA Journal Editorial Board, as well as a past chair of the Technology Assurance Committee. Mr. Lanz can be reached at jlanz@joellanzcpa.com.
