Stories of cyber-attacks, malware, ransomware and all possible variations of data breaches have been grabbing headlines in recent months. Personally, I’ve been on the receiving end of phishing emails from several of my business contacts, unbeknownst to them, asking me to click on spurious links “recommended” by them. My colleagues Kay Filler and Nick Sabbatini wrote on the topics of ID theft and data breach risks not too long ago and offered some handy tips on the subject: ID Theft – Insider View & Technology and Connectivity: Understand and Mitigate Data Breach Risks.
So as I prepared myself for an internal training regarding IT risks to consider during an audit, I found it helpful to understand, from an auditor’s perspective, the kinds of risks a business might face that could directly or indirectly affect its financial reporting. The direct risks were more obvious – threats to the accounting system, sales or inventory management systems. The indirect threats require a better understanding and a dialogue with the business owners, as these threats can span IT systems over various functions ranging from treasury (think electronic banking channels and apps used by a Company) to customer contact information to sales and marketing, among others.
I am by no means an IT expert, but I can still think of some obvious questions to ask ourselves as we assess vulnerabilities in an IT system:
• What kinds of logical access controls are in place? E.g. password length and complexity requirements, restricting access to servers and systems to the individuals whose roles actually require it (least privilege), periodic review of who still has that access, and monitoring of network perimeter security.
• Is your computer network, or any system on it, accessible with a single password, i.e. without multi-factor authentication? Many modern banking and accounting systems now require a second factor in addition to the user password: a one-time code from an authenticator app or a hardware key fob, a fingerprint, or a validation code sent via text or email. The last of these is the weakest option, since a phone number or mailbox can itself be taken over, so it should be viewed as a minimum rather than a goal.
• Do your IT controls protect application credentials (such as bank IDs and passwords) from unauthorized access if your network is breached? A compromised workstation or file share should not hand an attacker the credentials that authorize payments.
• Is the Company’s sensitive data encrypted, both where it is stored and when it moves across a network, and who controls the encryption keys?
• Are any of the applications in use by the Company operating under expired support/maintenance contracts? Are there any applications that have not received a maintenance update or other service patch in the past three years? A gap that long usually means the vendor no longer supports the product, so newly discovered vulnerabilities in it will never be fixed.
• When was the last time that a vulnerability assessment/penetration test was conducted against your computer network? An answer of more than 24 months should set off alarm bells in your head, and the findings from the last test should have been remediated and retested, not just filed.
These are but a few suggestions to think about and it’s comforting to know that there are plenty of experts in the field of IT security that can alleviate your concerns if the answers to the questions above have you worried about handling these risks internally.