Cyber Security is considered the “battleground of the future.” More devices, newer communication methods and increasing data volumes are allowing multiple avenues from which potential cyber threats may originate.

In 2009, President Obama created a new office in the White House dedicated to cyber security matters. In a speech announcing the new office, President Obama stated “cyber threat is one of the most serious economic and national security challenges we face as a nation.” Marc Goodman, a cyber security expert and a bestselling author, gave a 2012 TED Talk in which he noted “More connections to more devices means more vulnerabilities. If you control the code, you control the world.” This reality was witnessed in the major cyber security breaches of 2015.

From an established healthcare giant like Anthem Inc. to a growing technology company like Slack, nobody is completely safe from security threats. When we analyze the loopholes that hackers have exploited in these IT systems, the signs appear ominous. If companies don’t recognize this potential threat and enact counter-measures, it won’t be long before they are victims of similar cyber attacks.

There are certain tried and true measures that companies can employ to prevent cyber threats. These are as follows:

Identify critical data

Identifying the most critical information to an organization is the first step in preventing and safeguarding critical data. This can be anything from financial information to consumer or client information. Further, seeking feedback from process owners about the most critical data will give more clarity to understanding the areas of focus.

Strict access, restrictions and permissions policy

Creating and implementing a strong IT security policy that clearly articulates roles, restrictions and exceptions can go a long way in setting the right tone for cyber security in an organization. For tips on how you can start, ComputerWeekly provides a great guide on how to draft a good IT security policy.

Hire and nurture the right IT talent

Many companies value experience over education when hiring IT staff. It is important to note this may not always be the right approach, as you need specialists in new technologies to thwart the determined efforts of hackers. Further, investing in additional training, professional development, and workshops for existing staff can also help ramp up security efforts.

End user training

Initiatives such as a clean desktop policy, good password practices, and suspicious email alerts act as a fine first line of defense against cyber attacks. Employees should be made aware of these best practices and be rewarded for adopting them. For pointers, Kathleen Coe, Education Director for Symantec Corporation, does an excellent job of explaining what’s required to set up a computer security training program.

Have a strong encryption policy for sensitive data

A strong encryption policy prevents a company’s IT assets from being easily accessed. This won’t prevent data from being intercepted, but it will prevent its contents from being readable. As evidenced from the recent Apple vs FBI case, successful and vigilant companies highly value their encryption policies, and it is best to follow suite.

Demand the same standards from third parties

Third parties vendors such as payroll processors, outsourced IT teams, and cloud server providers hold significant responsibility in protecting a company’s data. Management should demand transparency from these agencies to ensure the company’s data are protected and comply with privacy laws.

In conclusion, cyber security is a process rather than a phenomenon. It takes concerted effort from an organization to achieve the desired level of IT security and uninterrupted vigilance over critical data.


John Kim
About the author: John Kim, CPA is a SOX Subject Matter Expert and Technical Sales Director at AuditBoard. He has over 10 years of experience in Internal Audit, first as a Risk Assurance Manager at PricewaterhouseCoopers and then as the Senior Manager of Internal Audit for Zynga.