Why Are Clients Requiring Cybersecurity Audits?
You’ve probably noticed that specific types of clients tend to drive requests for information security audits, namely:
- financial institutions,
- insurance companies,
- publicly traded organizations, and
- health care organizations.
Of course, other types of clients may also request cybersecurity audits, but typically the industries listed above are the primary drivers. For these industries, vendor oversight is part of their regulatory obligations. That’s right—your clients are being judged (in part) on how diligently they examine you.
Keeping Your Clients Happy
Remember, your clients are overwhelmed—just as you are—by cybersecurity requirements. The most important thing you need to do is make their jobs very, very easy. The best way to do this is by being prepared.
Before your clients come knocking, be ready to provide three things:
- Cybersecurity controls assessment. This is an evaluation based on a common cybersecurity controls framework (more on that shortly). It is sometimes called an “information security controls assessment” or a “gap assessment.”
- Technical test results. A letter of attestation or summary of your penetration test or vulnerability assessment results.
- Risk assessment and risk management plan. This prioritizes threats and vulnerabilities based on risk and then outlines your plan to address issues over a period that is typically one to three years or longer.
The results from your assessment might show that you have a lot of work to do. That’s okay. The important thing is that you have a plan and that you can demonstrate progress. And that’s where your risk assessment and risk mitigation plan come in: You can use these to show that you have, for example, a three-year implementation plan and that you’ve prioritized the highest-risk items first.
There’s a balancing act to disclosure (or as legal-tech writer Sharon Nelson so eloquently puts it, “lifting [your] data security skirt”). Remember, you may not need to provide the full audit results to your client. Most third-party cybersecurity providers are happy to create a summary report or letter that gives a high-level picture of their assessment and the results. Talk to your clients to determine if this type of documentation is suitable for their purposes.
Getting to Good
How do you ramp up quickly and build an effective cybersecurity program, no matter what your size? Here are the nine building blocks of an effective cybersecurity program.
1. Choose and use a cybersecurity controls framework. The foundation of your cybersecurity program is your controls framework, basically just a “to-do” list for your organization’s cybersecurity program. It can include tasks such as “conduct cybersecurity awareness training” or “perform vulnerability scans.”
The most important thing to remember is to pick a widely accepted cybersecurity controls framework to use as the basis for your cybersecurity program. Many popular frameworks are available, such as the NIST Cybersecurity Framework (well suited to U.S.-based organizations, and organized as a set of outcomes that map to more detailed control catalogs) or ISO/IEC 27001 and 27002 (the international standard; 27001 is the auditable management-system requirement and 27002 is its companion catalog of controls). By choosing a popular controls framework, you avoid reinventing the wheel and benefit from all the hard work that hundreds of people put into development and revision.
You may be tempted to base your cybersecurity program on a list sent by one specific client. Resist this temptation. Other clients will follow with additional requests, or your first client will update its framework. You will save yourself time and headache in the long run if you do it right the first time and pick a widely accepted framework. Clients like to see this, too, because their regulators encourage the use of common frameworks.
Once you’ve picked a framework, use it! Conduct controls assessments regularly and track your progress over time.
2. Test your security. Does reality match what's on paper? Conduct technical security testing, and have it done by a third party that did not build and does not manage your network. It can be tempting just to call your IT provider to conduct the vulnerability scan, but an independent tester has no stake in the results and will often catch details, such as weak or reused passwords, that your everyday IT provider might not check or report.
Not sure where to start? A vulnerability scan is automated: it inventories your systems and flags known weaknesses such as missing patches or exposed services. A penetration test goes further: a person attempts to actually exploit those weaknesses to show what an attacker could reach. Here are some additional details about common types of testing:
- An external penetration test or vulnerability scan is a security assessment of your Internet-facing computers. If you're a small firm, this might only include your firewall, VPN, and e-mail or remote-access gateway. It's very important to get these high-risk systems checked regularly because attackers on the Internet are constantly scanning for vulnerable computers.
- An internal penetration test or vulnerability scan is a security assessment of your internal network—your desktops, servers, printers, even VoIP (Voice over Internet Protocol) phones.
- Social engineering testing is an assessment of your “human firewall”—in other words, do your staff click on links in phishing e-mails or respond to phone scams? You can have a third party create fake phishing e-mails and track the number of clicks, or make phone calls to assess your staff’s susceptibility to phone scams.
3. Assess your risk (often). Conduct an information security risk assessment at least annually to identify your risks and develop a mitigation plan. Use a widely accepted risk assessment and management framework, such as NIST SP 800-30.
A risk assessment is critical for prioritizing your cybersecurity “game plan.” When you conduct your cybersecurity audit, chances are you’re going to find a lot of gaps. Don’t despair. The risk assessment gives you the opportunity to assess the risk associated with each security control, prioritize, and develop a long-term risk management plan. It’s normal for a risk management plan to address implementation of security controls over a three- to five-year period or more.
4. Train your staff and your clients. Humans are the most critical component of your security infrastructure. Conduct cybersecurity awareness training regularly for all your employees, IT staff, and (yes!) even your clients. If your organization is small enough, you can conduct employee training all at once on a quarterly or annual basis, either live or via webinars. These webinars can be approved for continuing legal education (CLE) credit so that attorneys get cybersecurity training and credit at the same time.
5. Prepare for a breach. Every day, another company gets hacked and makes the news. Plan ahead. The first step in planning for a breach is to formally designate responsibility for managing your cybersecurity response, and to assign that responsibility in writing in a policy. Build on that with a short written incident response plan: who decides, who is called (outside counsel, your insurer, a forensics provider), and what must be preserved before anyone starts "cleaning up."
Then practice! Run through a "tabletop exercise" with your team at least once a year to make sure that your process is working as expected and that the contact list is still current.
6. Keep track of your data. In order to secure your data, you first need to know where it is. Identify sensitive information and track where it is stored, processed, and transmitted. Make sure to include mobile devices and USB drives. Decide whether staff may access and store data using personal devices.
The biggest hole in many organizations' security practices is remote access to e-mail and files. Does your team check e-mail, view attachments, or download files on home computers and other personal devices? If so, your sensitive client information may also be on home computers or phones. If a family member uses the computer, or if it is infected with malware or is stolen, then the confidentiality of your client data can be compromised. Make sure that you carefully think through the "flow" of all your information, and plan for these situations.
7. Maintain policies and procedures. Cybersecurity audits often draw heavily from your written policies and procedures. Before you conduct your first audit, make sure that you document all your cybersecurity policies and procedures. Important policies include an acceptable use policy and a data classification policy. All staff members should sign the acceptable use policy before they use your firm’s IT resources. The data classification policy is fundamental for your cybersecurity program because it clearly defines the types of information that you have, along with the levels of confidentiality for each type. Only after you define your sensitive information can you develop proper handling procedures.
Don’t have time to write cybersecurity policies? You’re not alone! To speed policy development, you can purchase cybersecurity policy templates or have a third party customize them for you. At my firm, LMG, we use a “workshop” process for development, in which a full document planner is produced at the start of the project, and then workshops are held with key stakeholders to get input on each policy as it is developed. This is an effective strategy, and the result is a set of policies that is actually useful, reflects reality, and is suitable for a cybersecurity audit.
8. Monitor your IT. How do you know if you have a cybersecurity problem? Monitor your IT infrastructure. This includes network monitoring as well as security software installed on desktops, mobile devices, and servers.
Monitoring and security software alone won’t do you any good if your systems are constantly generating alerts but no one has the time to read or respond to them. Make sure that you budget enough resources for staff and a third party to detect and respond to alerts. Two tactics that work:
- Leverage automation as much as possible. Automate collection, correlation, and first-level triage so that only alerts worth a human's attention reach a human; people should be investigating, not reading raw event streams.
- Outsource. Your internal IT staff like to sleep and eat lunch. Covering a single monitoring seat around the clock takes at least four or five full-time analysts once shifts, weekends, vacations, and sick days are accounted for, which is more than even a mid-sized organization can justify. Cybersecurity monitoring is one area where scale matters. Make sure to outsource to a security monitoring company that is large enough to have multiple people watching at all hours. You can even hire third-party security professionals to test your monitoring service and make sure they catch attacks.
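What "first-level triage" looks like in practice, as an added example that is not from the article or any monitoring product: a small detector that reads OpenSSH-style authentication lines, tracks failed logins per source address in a sliding window, raises one alert when a source crosses the brute-force threshold (rather than one per failure), and escalates the case that really needs a person, a successful login from a source that was just guessing passwords. The threshold (5 failures in 10 minutes), the log format, and the sample lines (constructed, using the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions of this example.

```python
"""Automated first-level triage of SSH authentication events (added example).

Assumptions: OpenSSH syslog lines, a brute-force threshold of 5 failures per
source IP within 10 minutes, and constructed sample data below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log: a password-guessing run from 203.0.113.7 that ends in a
# successful login, plus one mistyped password from a legitimate user.
SAMPLE_LOG = """\
Jan 12 03:14:01 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:02 mail sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2
Jan 12 03:14:03 mail sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:04 mail sshd[1204]: Failed password for bob from 203.0.113.7 port 51237 ssh2
Jan 12 03:14:05 mail sshd[1205]: Failed password for bob from 203.0.113.7 port 51238 ssh2
Jan 12 03:14:06 mail sshd[1206]: Failed password for bob from 203.0.113.7 port 51239 ssh2
Jan 12 03:14:30 mail sshd[1207]: Accepted password for bob from 203.0.113.7 port 51240 ssh2
Jan 12 03:20:00 mail sshd[1301]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jan 12 03:20:10 mail sshd[1302]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Jan 12 03:21:00 mail sshd[1303]: Connection closed by 198.51.100.20 port 40002 [preauth]
"""


def parse(line):
    """Return the fields of an auth event, or None for lines this detector does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog carries no year; strptime defaults to 1900, which is fine for ordering
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    return d


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Run the lines through the sliding-window detector and return alerts."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # alert once on crossing, not on every extra failure
                alerts.append({"type": "brute_force", "severity": "medium",
                               "ip": ev["ip"], "count": len(q)})
        elif len(q) >= threshold:
            # The event a person must look at: the guessing may have succeeded.
            alerts.append({"type": "success_after_brute_force", "severity": "high",
                           "ip": ev["ip"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

Ten log lines collapse to two alerts, and only the second one needs a phone call. Alice's single typo produces nothing, which is the point: the automation's job is to keep the humans' queue short enough that they actually read it.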
9. Get insurance. You can’t solve information security issues overnight. Transfer risk to a third party by purchasing cybersecurity insurance. Make sure the policy you select covers your highest-risk scenarios.
Not all “cyber” insurance policies are created equal (and unfortunately, not all insurance agents understand what they’re selling). Make sure you have the coverage that your firm actually needs. For example, some policies (such as the Beazley Data Breach Response policy) are designed to cover HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) violations, as well as other regulatory non-compliance. Other policies are geared for direct financial losses owing to wire transfer fraud.
If you manage trust accounts on behalf of clients, make sure you’re covered for direct cash losses in the event that a computer on your network is hacked and used to transfer funds.
Insurance policies will often cover indirect costs of a breach, such as public relations firm costs, attorney fees, and credit monitoring/notification fees. Check that the limits of your policy are in line with the number of confidential records that you keep.
Whichever policy you choose, go through it carefully before you sign and take the following steps:
- Develop a list of items that you will want to agree clearly on in advance with your insurer, such as the names of approved providers for legal/breach response services and any other items where advance approval would be appropriate. It typically is easier to get approval prior to signing any contract.
- Put together a list for your IT management that includes any technical requirements (for example, mobile device encryption) you will need to have in place and documented for the insurance to be maximally effective.
- Plan to integrate your insurer’s breach response processes and documentation requirements formally into your firm’s incident response practices—that way you can take full advantage of the coverage and services and won’t miss any notification deadlines.
- Note any contractual obligations required, such as documentation you need to maintain with third-party providers, that you may need to provide to your insurer in the event of a breach.
The foregoing discussion is only a very high-level overview of cybersecurity insurance selection. Above all, consult with a qualified cybersecurity professional to review your cyber insurance quote before you sign up for a policy.
Cybersecurity can seem overwhelming—but it doesn’t have to be if you take a methodical approach. Remember your first three steps: a cybersecurity controls assessment, technical testing, and a risk assessment. This three-step approach will help make sure you tackle the most important things first and give you a clear road map for the future.