#29 | Cyber Security and SOX

Welcome to the top 10 cyber security issues and SOX. A lot of our clients ask how cyber security interacts with SOX. As you know SOX is about financial reporting and the disclosures and controls around financial reporting and how they impact financial reporting. Cyber security is relevant to SOX to the extent that the losses impact your financial statements. They have to be disclosed. A recent example is the spear phishing epidemic that hit a lot of companies where scammers were using emails pretending to be CEOs and CFOs and authorizing fraudulent wire transfers. Companies like Ubiquiti or Xoom lost millions of dollars. The fraud has to be disclosed in your 10K and 10Q and you have to look at the underlining internal controls to prevent those types of losses from happening again.

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

Here are the Top 10 things of our clients are doing about cyber security:

1. Governance or risk management programs
2. Spear phishing for wire transfers
3. System access controls
4. Physical access
5. Security monitoring or incident management
6. Security awareness training
7. Threat and vulnerability management programs
8. Patch management
9. Supplier risk management system
10. Data classification

1. Governance or Risk Management Programs

Management needs to understand that cyber is a type of business risk. Scammers have a lot more electronic tools to get into our systems. Some companies believe they are not big enough to be a target. Maybe it’s not you that scammers are after. Maybe it’s your customers’ information. When you look at the attack on Target for credit card data, it wasn’t by hacking IT systems.

It was actually through the HVAC system, something very basic that the scammers were able to get into. You want to consider the risk of attack from your internal and external sources. Sometimes it’s as easy as leaving physical doors open or having one of your vendors being able to access something for maintenance that allows them to get into your system.

2. Spear phishing for wire transfers

Scammers are using emails and spear phishing which is targeted at companies where someone pretends to be the CEO or CFOs. And 95% of those dollars are being transferred to fake bank account outside US which makes it hard to trace and retrieve the money back to US.

We did the special blog series on the spear phishing attack in 2015 if you would like to learn more about spear phishing. Companies are putting in better controls.

3. System access controls

Companies have enterprise-wide, standardized policies and procedures that include

• User ID and passwords on all systems
• Segregation of duties (not just financial but thinking about who has access to warehouses and do whatever they want to our system, not just financial systems)
• “Least privilege” needed philosophy. This is granting someone the least amount of privileges needed to do their job and if they need more access, they have to incrementally ask the managers for more.
• Using of dedicated corporate account and separate system admin accounts to do selected activities for IT team members. It’s easier to trace back who has been doing specific activities in the system.
• Lock down Wi-Fi, corporate LAN, customer LAN and VPNs

4. Physical access controls

• Know who has access to your facilities (especially ones with networks and sensitive information)
• Lock down secured areas with the development server, production server and customer support server
• Lock down kiosks that maybe located outside of your company that allows access to get back into the company
• Could someone download everything to a laptop and walk away without the company knowing?
• Could someone copy files to USB drive?

5. Security monitoring or incident management

Monitor your system usage levels to identify unusual access. Let’s say you have 10 thousand users everyday and you see a spike during lunch time. This is more than likely because people are surfing the web during their lunch time which is pretty normal. Then suddenly you see a huge spike at 9am in the morning and its continuing to build. Maybe it’s a denial of service attack.

Monitoring can help you see what looks unusual and having a process in place to investigate these types of incidentsgoing on in your system.

6. Security awareness training

You should have on-going and frequent awareness about what’s going on or the potential risks and vulnerabilities. Maybe hold a brown bag training sessions. For example, one of our clients training sessionsincluded having FAQs on the social engineering tricks like phishing. If you find a USB drive, don’t plug it into your computer. It could contain a virus or Trojan horse that allows someone to get access into the entire company’s system. While your IT team is very sophisticated and understands all this, your everyday user may not.

We often find that social engineering and the day-to-day users that create the most vulnerability for a company. Have employees sign certifications after completing awareness training saying they understand security.

7. Threat and vulnerability management programs

Have proactive discussions about threats that could potentially happen and hold periodic practice sessions to help identify these threats. Maybe one item is not high risk today but maybe six months from now, it could change and you want to inventory the assets you have to see what potential vulnerabilities they have and also fully understand the root cause to address the potential flaws in your policies.

How are your processes, configuration standards or how you set up particular systems? These could be vulnerabilities and is worth living with that vulnerability for now. Every company has vulnerabilities. Sometimes you have to live with them but there are others you know are a higher threat and need to be taken care of immediately

8. Patch management

Patch management is where you have small upgrades or bug fixes to existing software.   For example, Microsoft programs have periodic updates because they find viruses or back doors to their software so they give you updates to correct these issues. Patch management is the easiest thing you can do to protect your system.

Hackers or scammers out there are looking for easy opportunities. The harder you make it for them, the more likely they will find another company that is easy to break into.

9. Vendor/Supplier Risk Management Program

Companies with vendor management programs look their supply chain and the people that they depend on to run the business. For example, if your company is heavily reliant on the web with ecommerce and you outsource your data center to Equinix or 365 Main, hopefully they have strong controls.

What you need to understand is if their server goes down,our data center goes down. Even if someone not attacking us, it’s our vendors and by their systems going down it impacts us. How much of our data does that vendor have? How safe is our data? Do they have a disaster recovery plan? What do we do when they are exposed? How do we cut them out as a vendor in our business process without damaging our business?

Some of our clients are creating programs to classify vendors high, medium and low which allows them to know which vendors to focus on because they are critical.

10. Data Classification

Data classification is understanding and classifying the types of data you have in your system. It could be intellectual property, customer lists, customer emails, social security numbers, personal identifiable information, private health information or payment card information. Putting restrictions on who can access the data is important. Classes of data type could be restricted data, public data or private data. The restricted data has the most security so we need to lock it and have multiple ways to authenticate before you can have an access to it.

Summary

To recap, here is the Top 10 things of our clients are doing about cyber security:

1. Governance or risk management programs
2. Spear phishing for wire transfers
3. System access controls
4. Physical access
5. Security monitoring or incident management
6. Security awareness training
7. Threat and vulnerability management programs
8. Patch management
9. Supplier risk management system
10. Data classification