Forensics & Risk Advisory Services Partner, Kreston MCA, Chile and Kreston Global Audit Group Business Director
Ricardo is an expert in fraud, audit, and risk advisory services. He worked 21 years at Ernst & Young (EY), 10 of which as an Audit and Forensics Partner, in Canada, Chile and Argentina, leading some of the most important clients of the firm mainly in the utilities, retail, manufacturing and mining sectors such as Coca-Cola, McDonald’s, Siemens, Fluor Daniels, Ontario Power Generation, Danone, Xstrata, Peugeot, Sherwin Williams, Verizon, among others. He is a Certified Public Accountant (CPA) from the United States, Chile and Argentina, a Certified Fraud Examiner (CFE) and holds an MBA designation. He is also a university professor and researcher on occupational fraud and published a book on the subject.
How to improve digital security against cyber threats
August 23, 2022
Sector: Technology, Media & Telecom
In 2021, technology companies were alarmed by the cyberattack on the IT provider SolarWinds, which suffered a highly sophisticated, narrowly targeted, hands-on attack attributed to a foreign nation state. The importance of this case lies in the fact that SolarWinds’ clients include most large companies in the United States, as well as government organizations such as NASA, the Air Force and the Pentagon.
And if this can happen to a leading technology company such as SolarWinds, what can happen to a company like yours?
The digital transformation has pushed companies to digitize their processes and use software and IT tools to automate processes that were previously manual. The advantages are many, from cost savings and the resulting increase in profits to well-being at work, as employees can abandon the most monotonous tasks and spend more time on creative work.
However, in my professional experience, improving the digital security of systems is one of the pending tasks in many companies.
But the digitization of processes and services also brings new dangers: cyber-attacks, threats and security breaches that hackers and cybercriminals can exploit to penetrate your databases and extract information from your computer systems. Adware, malware, phishing, viruses, exploits, man-in-the-middle attacks and social engineering are well-known threats that occur daily.
Information and network security is not compromised only by external attacks. It is also undermined by weaknesses in the design and implementation of your internal procedures for managing data.
In fact, cyber-threats can be divided into four groups:
· Intentional external cybersecurity threats: espionage, sabotage, vandalism and theft of confidential information are some of the external threats that your company faces. Some of these attacks rely on social engineering techniques or denial-of-service (DoS) attacks.
· Accidental external cybersecurity threats: on many occasions the threats are unintentional or the result of natural disasters like floods or fires.
· Intentional internal cybersecurity threats: these are security threats originating from your organization’s own personnel, such as an employee committing an occupational fraud scheme by taking advantage of their access to your company’s IT systems.
· Accidental internal cybersecurity threats: these include bad practices by an employee who has no malicious intent, for example inserting an infected pen drive into a corporate computer.
According to Cisco, cybersecurity is the practice of protecting systems, networks and programs from digital attacks. Typically, these cyberattacks aim to access, modify or destroy sensitive information, extort money from users, or disrupt business continuity.
Cybersecurity rests on three principles, known as the CIA triad: Confidentiality, Integrity and Availability.
Protecting information means guaranteeing compliance with the three fundamental principles of computer security, that is, ensuring the confidentiality, integrity, and availability of information. For this purpose, you must implement security controls and response plans to mitigate the multiple risks that affect both information in transit and in storage.
Confidentiality refers to preventing information from being disclosed to unauthorized persons or entities. The goal of Integrity is to keep data intact, free from tampering or unauthorized modification. Finally, Availability refers to controlling the flow of data so that the information you request is always accessible when you need it.
How can you defend yourself?
Some of the main good practices that guarantee compliance with the three fundamental principles of information security are the following:
· Least-privilege policy: the employees of your organization should not have access to all of its information, only to what is necessary for the execution of their work. By effectively applying a user privilege management policy, the risks of information leaks and unauthorized manipulation of that information are minimized, which in turn reduces the possibility of an attack on your organization.
· Default-deny access control policy: all access to information, and to the systems that process or store it, should be closed to every user by default and granted only to those who are authorized to access it.
· Segregation of functions: you should define and implement an effective separation of the functions and responsibilities of your personnel to avoid conflicts of interest and minimize the risks of information security derived from the accumulation of privileges and knowledge in your employees.
· Cybersecurity training: the weakest link in your company’s information security is its people. Most security incidents suffered by organizations are caused unintentionally or accidentally by internal personnel, as a result of their lack of knowledge of cybersecurity best practices or of the organization’s policies and procedures. For this reason, it is essential that you define and implement computer security training plans for all your company’s personnel, tailored to their functions and responsibilities.
· Computer security audits: it is advisable that you carry out audits where the effectiveness and compliance with the technical and organizational policies and procedures of your organization’s information security are verified, and that allow the detection of weaknesses and/or vulnerabilities that can be exploited by potential attackers. Based on their results, you must design and implement corrective action plans to solve the issues found.
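As an added illustration (not code from the article or from Kreston), the following Python check combines three of the practices above: least privilege, an access control policy closed by default, and segregation of functions. The role, permission and user names are constructed sample data, and the denied-access log is kept as evidence for the security audits the last point describes.

```python
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its job requires.
# Role, permission and user names below are constructed sample data.
ROLE_PERMISSIONS = {
    "ap_clerk": {"payment:create", "vendor:read"},
    "ap_approver": {"payment:approve", "vendor:read"},
    "auditor": {"payment:read", "vendor:read", "audit_log:read"},
}

# Segregation of functions: permission pairs that one person must never
# hold together, because combined they enable an occupational fraud scheme.
CONFLICTING_PERMISSIONS = [
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"vendor:create", "payment:create"}),
]

@dataclass
class AccessControl:
    user_roles: dict                                  # user -> set of roles
    denied_log: list = field(default_factory=list)    # evidence for audits

    def permissions_of(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):    # unknown user: none
            perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role: none
        return perms

    def sod_violations(self, user):
        perms = self.permissions_of(user)
        return [pair for pair in CONFLICTING_PERMISSIONS if pair <= perms]

    def is_allowed(self, user, permission):
        """Closed by default: allow only an explicit grant, and refuse any
        request from a user whose role mix breaks segregation of duties."""
        allowed = (permission in self.permissions_of(user)
                   and not self.sod_violations(user))
        if not allowed:
            self.denied_log.append((user, permission))
        return allowed

if __name__ == "__main__":
    ac = AccessControl({"ana": {"ap_clerk"}, "luis": {"ap_approver"},
                        "mario": {"ap_clerk", "ap_approver"}})
    print(ac.is_allowed("ana", "payment:create"))   # True: explicit grant
    print(ac.is_allowed("ana", "payment:approve"))  # False: never granted
    print(ac.is_allowed("guest", "vendor:read"))    # False: unknown user
    print(ac.sod_violations("mario"))               # conflicting role mix
```

Note that "mario" is refused even for a permission he was explicitly granted, because his accumulated roles violate the segregation rule; reviewing `denied_log` and `sod_violations` for every user is the kind of check a security audit would run.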
Due to the ever-increasing use and reliance on IT systems, there is also an ever-increasing possibility that your company will suffer a cyber-attack. In other words, the number of risks that threaten your company’s IT systems and the information contained in them increases every day.
For this reason, I recommend that you design and implement various levels of IT security based on a rigorous risk assessment. During this evaluation you must detect the cyber-threats to which your organization is exposed, evaluate their potential impact and the possibility of their occurrence, draw a heatmap and, finally, design and implement controls to mitigate these risks.
How can Kreston Global help?
If you would like to know more about our cyber security services, our team are here to help – simply get in touch with your queries or challenges. You can even go one step further and join us as a member. Doing so gives you access to our unique global network that spans more than 110 countries, 160 independent accounting firms, and 23,500 skilled advisory specialists.