Over the past few months, the OIG Short Series has focused on building and implementing comprehensive and effective ethics and compliance programs. In many cases, this requires a mindset shift from a checkbox mentality to a holistic approach where everyone feels they have an important role to play. Nowhere is this more relevant than in the area of cybersecurity, such as developing a data security strategy and maintaining an effective incident response plan.
This post highlights the importance of developing and implementing practical information security policies and procedures within an organization, and the ethical and legal obligations that come with protecting the sensitive data it holds. In my next post, I will discuss the critical role a cyber incident response plan plays. This is important not only in the aftermath of cyberattacks, but also in preventing many such attacks.
The security of an organization’s information systems and the data stored in them is an integral part of almost every aspect of business. Data should be reliable, readily available when the business needs it, and accessible only to authorized users. Depending on the type of data we hold (personal employee information, customer information, trade secrets, credit card information, government sensitive data, protected health information, export control information, company proprietary information, etc.), the minimum security requirements imposed by regulation and by contractual obligations must be followed, but additional practices should also be considered based on the organization’s specific risk profile.
Consider the potential financial and reputational consequences of disruption or destruction of critical systems, including:
- Compromised or tampered data – Theft of trade secrets can result in lost business with competitors. Leakage of customer information can lead to loss of trust and business.
- System Downtime – If a system fails to function as it should, customers may not be able to place orders and employees may be unable to work or communicate.
- Legal Consequences – Failure to comply with data protection security requirements such as HIPAA can result in fines and other legal costs if data is exposed or stolen from one of your databases.
Unfortunately, many organizations still base their security plans on common minimum requirements rather than on their own customized risk assessments. Here is a simple reality of success in today’s business environment: you are in the information technology risk management business.
Understanding the specific risks to your organization is essential to developing appropriate security measures. Before you spend a lot of money and time implementing a solution to reduce risk, you should confidently answer the following questions.
- What are your organization’s key assets, especially data, that would have a significant impact on business operations if exposed?
- What are the top five business processes that use or require this information?
- What threats could impact the functionality of these business functions?
- What risks are you actually trying to reduce?
- Is this risk really the top security risk for your organization?
- Do existing controls sufficiently mitigate this risk?
- Are new risk mitigation strategies a cost-effective option?
Once you know what you need to protect, you can start developing a defense strategy.
Protecting an organization from cyberthreats, both internal and external, requires a lot of IT staff time and resources. However, as most organizations now understand, proper data security is everyone’s responsibility within the company. A single careless employee can leave sensitive data unprotected so that it eventually ends up in the wrong hands, where it may be exploited or destroyed; the organization is then obligated to investigate, possibly report the breach, and bear the consequences that follow. Therefore, a robust training program, ideally including drills and tabletop exercises, goes a long way toward minimizing the risk of human error.
In 2022, Black Fog, which tracks publicly reported ransomware attacks, reported a 29% increase in such attacks in 2021 and a 34% increase from 2020 to 2022. Among those targeted by ransomware criminals was Costa Rica’s government: in early spring, its network was infected with a ransomware strain, causing a series of chain infections across the country. The critical service disruptions caused by these ransomware attacks ultimately led Costa Rica to declare a state of emergency.
As many companies have found the hard way, compliance does not necessarily mean security has been achieved. Laws and regulations in this area generally lag behind technology and struggle to keep up with evolving cyber threats. Therefore, in addition to compliance, we need to consider the actual risks and how best to protect ourselves from cyber threats. Most organizations understand that cyberattacks are no longer a question of “if” but “when.” A strong awareness of information security mandates and best practices across the organization, a senior executive focus on cybersecurity, and an emphasis on training will minimize the risk of incidents and reduce the negative effects that can impair your ability to protect your reputation and conduct business.
In Part 2 of our cybersecurity series, we look at the role that developing and implementing a robust incident response plan can play not only in preparing for cyber incidents, but also in fostering a proactive information security culture within your organization.
The content of this article is intended to provide a general guide on the subject. You should seek professional advice for your particular situation.