Would you have a plumber fix your car or your doctor do your taxes? Many CFO’s and executives think it may be perfectly logical to hire the accounting firm they trust to review and manage their IT and information security. However, every attorney will tell you regardless of the rigor and detail you put in a contract you can always be sued.
The same goes for IT security in the eyes of an accounting firm. Accounting firms’ approach is too narrowly focused on policy, procedures, and documentation. However, it pays little regard to the actual tools and practices which protect you and your data. Much of accounting firm’s experience and perspective stems from internal controls and Sarbanes Oxley regulations. This is important; however, it is the mere fundamentals of sound technology governance practices and cyber security management. Many firms will charge you $80,000 to $250,000 to perform a “cyber security audit” or “Technology Governance Assessment” but they primarily focus on assessing if you have the right policies and procedures in place and provide you with a report showing you the areas you are lacking.
Well too often we come across companies which have completed a cyber security assessment and have developed policies and procedures documented but don’t have the software tools in place or the practices deployed to protect their company.
A true detailed IT Cyber Security assessment should not only review the gaps in your policies and procedures, but it also should perform a vulnerability assessment deploying software tools which test the controls and identifies the weaknesses in your technology environment. Some refer to this as penetration testing or vulnerability assessments, etc. The fact of the matter is a complete evaluation of your IT environment should include all the above. So why pay an accounting firm an exorbitant fee to come in with an internal controls template and check a box whether you have a policy in place or not? It’s a waste of time and money.
A more thorough review of your systems should test the controls in place and test the tools which are deployed to measure if they are effective and there is compliance to the policies.
A thorough review should look at:
- Are threat detection tools deployed and in place and tested regularly?
- Is there a regular organizational risk assessment performed and do the tools and controls deployed effectively mitigate those risks?
- Are employees trained and regularly tested on phishing and other on-line scams and a practice of continual education is reinforced?
- Have you incorporated employee turnover into your risk assessment and its impact on security?
- Are all assets accounted for which are assigned to people and how are they controlled?
- Are you effectively using a remote device management software to control all company devices deployed and wipe them if potentially compromised?
- Is data encryption properly used for sensitive data?
- Are you effectively deploying multifactor authentication on all applications and access?
- Do you regularly perform tests of your back-up and recovery methods, performing the full recovery of your systems environment of not only the data backed up but the applications and hardware availability?
Many accounting firms and consultants just scratch the surface of policies and procedures, but they lack the technology insight and experience to test your practices and controls to make sure you are best protected based upon your risk profile. A binder of policies and procedures doesn’t guarantee actual protection but it satisfies the needs of the auditor’s template.
Sagin, LLC is an IT Managed Services and Consulting company focused on the complete management of IT environments and IT security. We operate our own global IT security committee which analyzes on-going threats across our client base and deploy the leading technology tools to deter threats, while incorporating the human element of training and development of your team. For more information, contact us at: email@example.com or www.saginllc.com or +1.312.294.0290