In Brief

Information security and cybersecurity have been major concerns of business managers for many years. The ongoing coronavirus (COVID-19) pandemic has introduced new challenges and reshuffled existing priorities. This article focuses on COVID-19 issues relevant to small and medium-sized entities (SME) and the steps they should consider when implementing their information security programs. The article also identifies resources that small and medium-sized entities can use to help with implementation efforts and, if needed, monitor the performance of consultants and other information security-related service providers.

***

COVID-19 amplifies existing risks and makes them more complicated to accept and manage. With the survival of some organizations in question, risk and enterprise managers are focusing their efforts on continuity-related issues. Where information security and, in many cases, cybersecurity challenges once reigned supreme among governance-related concerns, resiliency is now the primary area of focus. Yet this understandable change in focus must still account for an environment more conducive to computer-facilitated fraud and increased cyber-threats. To survive, small and medium-sized entities (SME) are reconsidering their (or, in some cases, rationalizing the need for an) information security program to reflect the new realities and needs of an organization more dependent on automated technologies. The revised programs reflect a re-examination of service resiliency plans and information protection strategies in light of new business realities and revenue models. Unfortunately, many SMEs’ foundational technology risk management remains immature. This article guides SMEs that need to design or upgrade their program so that the organization can manage relevant technology risks and survive in the COVID-19 environment. When used with well-recognized frameworks and resources targeted to the needs of SMEs (the Sidebar lists a sample of these frameworks and resources), SMEs can implement and monitor a cost-effective, risk-based information security program relevant to their size and unique needs.

Prior Challenges Remain

The reduced demand for goods and services resulting from COVID-19 already threatens SME business models, if not their very existence. Assuming these organizations and their employees overcome the initial challenges, the ability of an SME to use technology to operate remotely (e.g., e-commerce) has a significant impact on its resiliency and survival. A joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) (“National Cyber Awareness Systems Alert AA20-099A: COVID-19 Exploited by Malicious Cyber Actors”) reminded all organizations of the “growing use of COVID-19–related themes by malicious cyber actors.” At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPN), amplifying the threat to individuals and organizations.

Despite the operational challenges resulting from COVID-19, information security’s prime objective remains enabling an organization to achieve its goals within its risk appetite. Today, organizations of all types are reconfiguring their service and product delivery strategies to both serve customers safely and obtain cost savings. Through this transition, SMEs must continue to mitigate the risks that existed before the arrival of COVID-19. For SMEs in regulated industries, this also includes the continued adherence to regulatory requirements. Those organizations accepting electronic payments, including credit cards, must also comply with applicable rules, including the Payment Card Industry Standard. (The Sidebar includes a link to “8 Tips to Help Small Merchants Protect Payment Card Data During COVID-19” published by the PCI Security Standards Council.)

Threats arising from cyber-attacks—whether the motives include computer-facilitated financial fraud, corporate espionage, political/media embarrassment, or just nuisance—will continue to divert stakeholder attention from organizational objectives, including recovering from COVID-19 and preparing the organization for a new operational environment. Many SMEs were already overwhelmed by malware and ransomware, let alone threats from insiders. According to a recent SBA survey, “88% of small business owners felt their business was vulnerable to a cyber-attack. Yet many businesses cannot afford professional IT solutions, have limited time to devote to cybersecurity, or don’t know where to begin” (https://bit.ly/3heiXvH). These realities and threats will continue to hamper SME technology enablement efforts as organizations prepare themselves for the new landscape. SME management can reduce the risk of ransomware by implementing practical guidance provided by governmental agencies. The U.S. Government Interagency technical guidance document “How to Protect Your Networks from Ransomware” provides a checklist that should be used to manage internal technology efforts or to monitor the performance of vendors and service providers.

Enabling Success in the New Environment

To survive, many organizations will need to alter their methodologies. Many SMEs already faced challenges in responding to the increasing use of emerging technologies confronting traditional business models and services. These developments impacted the expectations of employees, customers, and suppliers. Unfortunately, they will need to adopt emerging technologies and change their service models more rapidly. At a minimum, this would include reconsidering the effectiveness of existing technology investments and the ability of stakeholders to use existing assets to drive value for the organization.

This needed paradigm shift also requires greater reliance on emerging technologies and their ability to ensure the resiliency of the business. Debates weighing security and privacy concerns will now tilt toward availability and resiliency. The implementation of robotic process automation and other technologies that help promote social distancing and reduce reliance on factors that can be impeded by the virus or other health-related threats will be critical. The hesitation to adopt cloud computing solutions due to security concerns will now yield to the business resiliency potential that cloud computing can provide.

These developments necessitate the calibration of risk strategies and even risk tolerances with the reality of different customer expectations in the new environment. For example, consumers prize and appreciate electronic-based transactions rather than in-person transactions. When in-person interaction is required, video and other electronic modes of communication will be favored. Yet many SMEs, even if they did have an information security program, did not consider the relevant threats that have resulted from COVID-19. Although many SME executives recognize the privacy implications of maintaining and transacting data, they may not realize the need to protect the ever-growing storage of video-based information. SMEs will face additional technology risk as remote solutions for workers and vendors become part of the new mode of operation.

The new environment requires that SMEs strengthen and change their information security management programs to enhance the organization’s resiliency while still protecting the assets entrusted to it. These asset protection strategies should include both electronic and physical protection of their people, processes, and technologies. The organization’s viability will significantly rely on the program’s ability to adapt to changing conditions and its effectiveness in helping it achieve desired objectives. That is why, as part of their COVID-19 recovery strategies, many SMEs are revisiting their information security programs, emphasizing both resiliency and facilitation. The National Institute of Standards and Technology (NIST) guideline “Small Business Information Security: The Fundamentals” provides SMEs with instructions, worksheets, and other tools to help them identify gaps and prioritize remediation.

Understanding Risk Appetite and Tolerances

Many accounting professionals have been promoting the concept of finance business partnering. A recently published article in Financial Management (an AICPA-related magazine) defined finance business partnering as “what finance teams do when they create value by providing insights, thus influencing their business counterparts to make better decisions” (https://bit.ly/2XPIVOw). Accounting and finance professionals are uniquely positioned to apply many of our profession’s tools to the design and maintenance of an SME’s information security program. One such tool, which helps cyber and information security technical experts better understand how to align their skills and talents with the organization’s strategies and objectives, is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework.

A previous CPA Journal article written by one of the authors, “Enterprise Risk in a New COSO ERM World” (https://www.cpajournal.com/2019/09/05/icymi-enterprise-technology-risk-in-a-new-coso-erm-world/), discussed how executives “can no longer manage technology risks from an IT department silo; rather, they require an integrated enterprise risk management (ERM) approach—as suggested by the framework—that considers the impact of technology risk in the strategy-setting process, as well as in driving performance.” A subsequent publication, “Managing Cyber Risk in a Digital Age,” authored by Deloitte and sponsored by COSO, discussed how the COSO ERM framework could help executives navigate digital risk. This document provides guidance “on cyber risk management through principles defined in the COSO Enterprise Risk Management Framework” (https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf). These publications provide the rationale and the impetus to use COSO ERM to solve information security program challenges creatively.

Stakeholder expectations and experiences drive the type of information security program needed. The effort required to sell the program investment is a function of stakeholder knowledge, expectations, and experience with technology risk and related control strategies. In most SMEs, the accountability for setting objectives, funding initiatives, and balancing opportunities against risk resides with the stakeholder. Unfortunately, stakeholder pressure also includes deciding and allocating precious resources amongst competing priorities. In the cash-starved COVID-19 environment, SME stakeholders face tremendous challenges in protecting the organization from what may happen rather than addressing immediate needs such as cash flow. This balancing act is why organizations should develop information security programs using the business risk-based approach of COSO-ERM to obtain and determine risk appetite and tolerances from an enterprise-wide perspective.

Exhibit 1 lists sample considerations for SMEs to weigh in the program’s development.

Exhibit 1

Sample Considerations in Information Security Program Development

COSO-ERM Component: Representative Factors that SMEs Should Consider

Governance and Culture: What do stakeholders expect, and what is the tone at the top? How much is enough to protect our technology-related assets? Do we have the right people, and are they appropriately trained?

Strategy and Objective Setting: How will the program be managed, and how will we know it is working? What risks are we willing to accept to obtain and manage the business opportunity? What types of regulatory or legal issues must we mitigate?

Performance: How will we know if we are hacked? How do we monitor the effectiveness of our program? Are we spending too much on the protection we have?

Review and Revision: How will we maintain the program as the business evolves? How do we monitor for changing risk? How will we respond to new cybersecurity threats?

Information, Communication, and Reporting: Are we measuring and monitoring the right indicators? Are stakeholders getting the information they need to govern? Are we effectively using what we paid for to manage risk better?

COSO-ERM: Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management
SMEs: small and medium-sized entities

Technical Considerations

Once the above understanding has been obtained, it needs to be applied to manage the applicable technology risk. Typically, technology risks should be considered at both the business process and pervasive levels. Depending on the industry, SMEs will also need to consider the technology-related impact on complying with any regulatory, legal, or industry requirements. Examples of the challenges involved are noted in Exhibit 2.

Exhibit 2

Technical Challenges for Information Security Programs

Business Process Controls
  ▪ Understanding the business process through data and workflows, and their impact on the enterprise’s risk profile
  ▪ Identifying the unique information security challenges of critical business cycles (e.g., revenues and expenditures)
  ▪ Change management and related testing controls

Pervasive Controls
  ▪ Maintaining appropriate levels of resiliency based on SME objectives
  ▪ Protecting from cyber-security attacks
  ▪ Minimizing the risk of migrating to the cloud
  ▪ Implementing robotic process automation and artificial intelligence technologies

Compliance Controls
  ▪ Adhering to Payment Card Industry Standards
  ▪ Ensuring compliance with specific industry rules (e.g., GLBA, HIPAA)
  ▪ Complying with Department of Defense cybersecurity requirements for defense contractors

GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
SME: small and medium-sized entities

Treat the Program as a Business Investment

Now more than ever, with resources extremely tight, the business rationale for obtaining resource allocations should closely align with the future of the business. It is not just a question of investing in protection, but an appreciation that every dollar spent on security takes resources away from potential business expansion. In the wake of the COVID-19 crisis, stakeholders are more likely to invest in the opportunities that information security can provide for the SME, rather than the worry and anxiety that it can avoid.

It is essential to match the investments in program development to the measurable cost of the risk. In developing program requests, the need to convince stakeholders using traditional financial measures is vitally important. Using a recognized tool such as Annualized Loss Expectation (ALE) is key to convincing nontechnology executives of investment needs. The ALE, calculated by multiplying the number of risk events by the cost per incident, measures the magnitude of remediation to identify the applicable cost benefits. Other traditional financial measures can also serve to rationalize information security investments in a manner familiar to the SME’s decision makers. The budget request should, to the extent possible, measure hard-to-quantify risks, such as loss of reputation and goodwill. Other expenses to include in any investment proposal include training and human capital (e.g., the right mix of skills, technical tools, in-house or consultants, hardware, software, related training materials).


SME financial professionals already appreciate that one of the advantages of creating a formal business plan is the thought process and conversations that stakeholders must go through to arrive at the plan’s contents. The proposed budget for an information security program should provide a similar path, thereby using a model that is familiar to stakeholders. Similar to the business plan, the security investment should be allocated based on organizational objectives and desired mitigation. For example, if the organization lacks the means to manage infrastructure resiliency, it may need to deploy qualified staff and tools to identify and monitor the activity of embedded or hidden malicious code. The organization should weigh the immediate expenses of training the in-house team on these methodologies and tools against the ongoing costs of hiring external help. Another example that necessitates program development and the accompanying budget discussion is how the company would respond to a breach, including which skills it needs to maintain in order to simulate testing and response on an ongoing basis.

The above resiliency concerns take on heightened meaning in the COVID-19 environment. For SMEs, resiliency goes beyond recovering from an intruder’s attack or natural disaster. The information security program may be called on to lend expertise or coordinate with other organizational functions to address financial and service delivery disruptions. During the program development, the SME will need to balance the need to have specialized skills with the practical approach of employing generalists who can call upon specialists as required. Alternatively, outside experts can create repeatable roadmaps and “swim lanes” that detail roles and responsibilities for permanent staff who can use these checklists to provide a reasonable, yet cost-effective approach.

Similar to an investment prospectus, the program serves as a guide identifying the activities expected and the exposures for which the organization remains liable if it takes no further action. Like a prospectus, dollars, costs, returns, and disclosure are critical. The business case supports the program by disclosing the magnitude and probability of risks. It compares best practices against the current state for each bucket of risk presented. The program is often most persuasive when it presents peer and best practices in mitigating risks, since stakeholders often compare the proposed investment to industry practices. Stakeholders often want to know if the risk mitigation or “risk treatment” is commercially reasonable, a term with significant legal meaning denoting that the risk treatment is no different than what peers do. The prospectus should recognize pressures on funding by separating one-time and annual investments needed to sustain the risk treatment. Presenting ALE on expected losses is a useful technique for addressing the pressure placed on funding.
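To make the ALE arithmetic behind the budget request and the prospectus concrete, here is an added Python worksheet (not from the article or its authors) that computes ALE as annual rate of occurrence times cost per incident, annualizes a control’s one-time and recurring costs separately, and ranks proposals by net annual benefit. Every risk name, rate and dollar figure below is a constructed assumption for illustration.

```python
"""Annualized Loss Expectation (ALE) cost-benefit worksheet.

ALE = ARO (expected events per year) x SLE (cost per incident), as the
article describes. A control is worth funding when the ALE it removes
exceeds its annualized cost; one-time and annual costs are kept separate
so the funding request can show both. All sample figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # annual rate of occurrence (events per year)
    sle: float  # single loss expectancy (dollars per incident)

    def ale(self) -> float:
        """Annualized loss expectation for this risk."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    one_time_cost: float  # implementation: hardware, consultants, training
    annual_cost: float    # recurring: licences, staff time, MSSP fees
    reduction: float      # fraction of the risk's ALE the control removes
    years: int = 3        # horizon over which the one-time cost is spread

    def annualized_cost(self) -> float:
        """One-time cost spread over the horizon plus the recurring cost."""
        return self.one_time_cost / self.years + self.annual_cost


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided per year minus what the control costs per year."""
    return risk.ale() * control.reduction - control.annualized_cost()


def rank_proposals(pairs):
    """Order (risk, control) proposals by net annual benefit, best first."""
    return sorted(pairs, key=lambda p: net_annual_benefit(*p), reverse=True)


# Constructed sample (hypothetical figures): two Exhibit 3 components.
RANSOMWARE = Risk("ransomware outbreak", aro=0.5, sle=120_000)
VENDOR_BREACH = Risk("third-party provider breach", aro=0.25, sle=250_000)
PATCHING = Control("30-day patch SLA plus tested backups", 15_000, 9_000, 0.75)
VENDOR_AUDIT = Control("SOC 2 review and access recertification", 6_000, 4_000, 0.5)

if __name__ == "__main__":
    proposals = [(RANSOMWARE, PATCHING), (VENDOR_BREACH, VENDOR_AUDIT)]
    for risk, ctl in rank_proposals(proposals):
        print(f"{risk.name}: ALE ${risk.ale():,.0f}; {ctl.name}: "
              f"one-time ${ctl.one_time_cost:,.0f}, annual ${ctl.annual_cost:,.0f}, "
              f"annualized ${ctl.annualized_cost():,.0f}; "
              f"net benefit ${net_annual_benefit(risk, ctl):,.0f}/yr")
```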


The program should address efforts to learn where sensitive data exists, where it flows, and with whom it is shared. Unknown data is unprotected data. The potential for regulatory sanction is high, regardless of industry, as regulators can interrupt a business’s operations or halt its growth. Financial professionals should evaluate critical business partners who represent risk and may incur liability or reputational damage.

The program should also address configuring the right tools, following vendor recommendations, and reporting their output through the correct metrics. Such metrics may be the strongest indicator of risk events. Provisions for scaling risk education and awareness initiatives should reflect the size of the organization.

An investment in an information security program should enable the business to meet its goals by earning the trust of public and private customers. These stakeholders rely on the organization to continue operating and to keep their data safe, free from prying eyes. Investors reading the “prospectus” will likely challenge the organization’s ability to execute the plan; it should be ready to discuss the tools and the skill sets needed for specific risk assessment tasks, such as data extraction.

SMEs will find the Federal Communications Commission (FCC) “Small Biz Cyber Planner” to be a reputable tool for creating customized guides with practical guidance that they can cost-effectively implement to manage cybersecurity risks.

Delivering the Information Security Program

The approved “prospectus” can serve as an organizational road map that will communicate expectations and serve as a performance benchmark. The primary purpose of implementing the program is not to have the best information security program, but to enable the organization to achieve its objectives. Although the threats faced by information security may change in the new environment, core internal and external threats remain that require appropriate protection from theft (whether data or financial) and interference with critical business processes. Exhibit 3 lists the perennial issues that will continue to challenge information security programs and that require heightened attention as a result of COVID-19.

Exhibit 3

Continuing Challenges for Information Security Programs

Each component is described by its Objective, Potential Risks, and Popular Control Activities.

Change Management and Organizational Disruption
  Objective: The process of introducing change to systems, applications, and business processes in an authorized, controlled manner; responding to dramatic organizational changes, including stakeholder relationship management and electronic activities.
  Potential Risks: Inability to maintain organizational objectives while reengineering the daily processing of activities. Inadequate training and systems to help the organization pivot its operating models.
  Popular Control Activities: There should be an independent review of changes, including analysis of application code, to identify errors that could disrupt financial and operational reports or data delivered to stakeholders. The review should cause end users to check the accuracy and completeness of activity reports. There should be controls to prevent unauthorized changes to business-critical and financially significant systems and processes.

Configuration Management
  Objective: The process of setting security parameters (e.g., passwords, approved services) following vendor recommendations and industry best practices and frameworks for avoiding vulnerabilities.
  Potential Risks: Inadequate use of security features embedded in various technology assets or security-specific applications. Security tools may not be targeted or defined to address the most sensitive assets and devices whose theft or manipulation could cause the most significant damage.
  Popular Control Activities: Develop test scripts to ensure that security tools report events and anomalies as expected and that reports are actionable. Security tools, such as vulnerability scanners, should evaluate the entire network and not omit critical systems or locations.

Two-factor Authentication to Sensitive Systems
  Objective: Accessing parts of the network containing sensitive data, and systems that grant user access, requires more than a password.
  Potential Risks: Hackers can guess a weak password quickly, or the user cannot provide additional credentials to gain access. Ineffective configuration, administration, and monitoring of systems enforcing two-factor authentication.
  Popular Control Activities: Two-factor authentication includes two of the following: something you know (personal information), something you have (an access token), something you are (employee ID). Reports on the use of two-factor authentication are monitored.

Implementing Security Patches
  Objective: The process of ensuring that threats to data and application integrity and availability are identified and triaged according to risk probability and magnitude.
  Potential Risks: Security patches and fixes to application code are not sufficiently evaluated for applicability and risk on a timely basis.
  Popular Control Activities: Install critical security patches within 30 days of issuance. Zero-day vulnerabilities are remediated promptly as emergency changes.

Vulnerability Assessment (application and network)
  Objective: The process of ensuring the testing of applications and networks (using security tools) for coding and other flaws that could allow hostile users to disrupt or seize control of an application.
  Potential Risks: Applications that are critical to business sustainability, revenue, and reputation contain vulnerabilities that can be exploited by threat actors.
  Popular Control Activities: Remediate application code promptly based upon established policies and testing results. If remediation is not practical, apply another risk treatment, such as network isolation (segmentation).

Monitoring Third-party Providers
  Objective: Define which providers have access to critical data and systems and establish an effective means to monitor compliance with applicable contract provisions and regulations.
  Potential Risks: Providers may not comply with organization expectations for resiliency. Providers may not satisfy organization risk and information security requirements.
  Popular Control Activities: Incorporate right-to-audit clauses in critical vendor contracts. Annually obtain independent control attestations (e.g., SOC 2, ISO 27001). Review remote and logical access rights granted to providers with access to the network.

In the COVID-19 environment, outsourcing and the strategic use of vendors will probably increase, but so will expectations for oversight. Monitoring critical organizational partners and mandating adherence to an organization’s security standards, including business continuity expectations, will need to become a strategic competency in order to avoid losses. Implementing an effective program using a multi-layered approach will help reduce the probability of, and minimize the scale of, an attack launched under the purview of the provider.

Application vulnerability assessments also require an intuitive sense to seek out the hidden or subtle threats to an organization. It is essential to look for advanced persistent threats (APT) and insider threats. APTs are significant because they can escape detection by using subtle, hostile code and programs placed deep within the organization. The program’s tools and metrics should be structured to highlight slower system performance and changes in the files. Red flags may signal that hackers are quietly learning about the organization’s network and probing its defenses. Information security services should also be inwardly focused on controlling privileged user IDs, as insiders may also have the same capabilities as hackers; the location of sensitive data should be considered in conjunction with this threat. Confidential data that is not needed should be redacted periodically. Patching applications with vendor fixes can reduce this exposure.

SME-Targeted Information and Cyber-security Publications

Best Practices for Victim Response and Reporting of Cyber-incidents

https://www.justice.gov/criminal-ccips/file/1096971/download

  • Guidance from the U.S. Department of Justice to assist in the development of incident response plans.

COVID-19: 8 Tips to Help Small Merchants Protect Payment Card Data

https://blog.pcisecuritystandards.org/8-tips-for-small-merchants-protecting-payment-data-during-covid-19

  • Quick check list that identifies high-level security tips focused on smaller organizations.

FCC Small Biz Cyberplanner

https://www.fcc.gov/cyberplanner

  • Online interactive planner that facilitates the ability of an SME to assess and design an overall technology risk program.

How to Protect Your Networks from Ransomware

https://www.justice.gov/criminal-ccips/file/872771/download

  • A U.S. government interagency document that provides guidance preventing malware in plain English.

Small Business Information Security: The Fundamentals (NISTIR 7621 Rev 1)

https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final

  • Trustworthy and recognized guidance from the NIST targeted to unique SME security challenges.

NIST: National Institute of Standards and Technology

SME: small and medium-sized entities

Monitoring the Program

For an SME to get the most value from investments in security tools, it is vital that any metrics it develops are actionable and provide guidance for investigating and mitigating any identified anomalies. It is also helpful to implement an automated security information and event management (SIEM) system to capture and triage the large volume of alerts. SIEM monitoring is often outsourced to Managed Security Service Providers (MSSP) that specialize in this area. The MSSP often uses artificial intelligence to learn an organization’s network topology and correctly identify anomalous traffic. Should an SME identify or suspect a potential cyber-incident, the U.S. Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber-Incidents” provides best practices and an incident preparedness checklist to help the SME navigate these problems should they occur.


Alignment with Organizational Objectives

In the short time since the onset of the COVID-19 pandemic, SMEs have realized the importance of technology in driving changes in business models, and the impact of technology and its risks is evident. Organizations that have been able to transition stakeholder relationships and service delivery to an electronic mode have a greater chance of succeeding in the current environment. Given this increased reliance on technology, SMEs also need to better manage emerging technology risks. A stronger information security program that is aligned with an organization’s objectives will be invaluable both during the current crisis and in the eventual recovery. By using publicly available frameworks and publications specifically targeted to their environment, SMEs can ensure that their organization and its vendors properly understand information and cybersecurity risks and mitigating controls.

Joel Lanz, CPA/CGMA/CITP/CFF, CISA, CISM, CISSP, CFE, is the founder and principal of Joel Lanz, CPA, P.C., Jericho, N.Y. He is a member of The CPA Journal Editorial Advisory Board.
Bruce Sussman, CPA, CISA, CISSP, CIPP/T, is the PCI Global Executive for AIG.