Ten Ways Small And Midsize Companies Can Strengthen Information Security

Susan Weisenfeld

As cybercrime becomes increasingly sophisticated, security breaches at major corporations around the world have become commonplace. Just last year, the personal information of approximately 143 million Equifax consumers was compromised. If a major corporation cannot protect its information, how does a small or midsize company stand a chance?

Most modern organizations, whether large or small, heavily rely on information systems to conduct business, so any weakness in information security puts the entire organization at risk. Organizations suffering a security breach not only encounter internal disruption, but may also be subject to government penalties, industry fines, consumer lawsuits, and worst of all, reputation damage. For small to midsize organizations, these consequences can be particularly damaging.

While there is no silver bullet to protect your organization against all cyber threats, the foundation for strengthening information security is to implement controls and policies that can be amended as new security risks arise.

Here, we look at 10 ways small and mid-sized companies can strengthen information security.

Take inventory of your data. Every firm should know, and have properly documented, what information it holds, where it is stored, and precisely how it is protected. Examples of proprietary, confidential, or otherwise protected information include personally identifiable information (PII), protected health information (PHI), intellectual property, and any other data that could impair the firm’s competitive advantage if disclosed. Data that has not been inventoried cannot be protected deliberately; in practice it turns up in shared drives, mailboxes, and spreadsheets for which no control was ever designed, so the inventory should be built by looking at the data itself rather than by asking each department what it believes it holds.
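As an added example (not from the original article or its author), the following stdlib-only Python script shows the kind of data-discovery pass that produces an inventory: it scans a set of documents for the PII types the paragraph names and reports, per location, how many of each were found. The sample files, the regular expressions, and the decision to match only hyphenated SSNs are constructed assumptions for illustration; card candidates are validated with the Luhn check so that arbitrary digit runs such as ticket numbers are not reported.

```python
import re
from collections import Counter

# Constructed sample "files" standing in for a firm's shares, mailboxes and
# repositories. These are made-up records, not data from any real organisation.
SAMPLE_FILES = {
    "hr/payroll_2017.csv": (
        "name,ssn,email\n"
        "Jane Doe,123-45-6789,jane.doe@example.com\n"
        "John Roe,234-56-7890,john.roe@example.com\n"
    ),
    "finance/refunds.txt": (
        "Refund issued to card 4111 1111 1111 1111 on 2017-11-02.\n"
        "Invalid entry 4111 1111 1111 1112 should be ignored.\n"
    ),
    "eng/README.md": "Build with make; version 10.20.30.40; ticket ID 123456789.\n",
}

# SSNs are matched only in hyphenated form (an assumption that trades recall
# for precision), with the structurally impossible area (000, 666, 9xx),
# group (00) and serial (0000) values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# hyphens. The digit run is then checked with Luhn to drop random numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Return (kind, masked_value) for every PII match in one document."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Only the whole run is tested; Luhn-valid sub-windows are not searched for.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("credit_card", mask(digits)))
    return findings


def inventory(files: dict) -> dict:
    """Map each path that contains PII to a count of findings by kind."""
    result = {}
    for path, text in files.items():
        counts = Counter(kind for kind, _ in scan_text(text))
        if counts:
            result[path] = counts
    return result


if __name__ == "__main__":
    for path, counts in inventory(SAMPLE_FILES).items():
        print(path, dict(counts))
```

Run against real shares the same logic would walk the filesystem and read each file; the output lists locations and counts, never the values themselves, so the inventory does not itself become another copy of the sensitive data.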

Identify zero-day threats and update security patches. The zero-day threat epitomizes the constantly changing nature of cybersecurity threats: a vulnerability that attackers exploit before the software vendor has released a fix, so that, for a time, no patch exists for defenders to apply. Ransomware illustrates how fast such attacks spread. Often an unsuspecting user clicks on a link, or opens an attachment, in a phishing or spam email, which launches malicious software (malware) that encrypts the user’s files, rendering them inaccessible. The attacker then offers to decrypt the files for a fee. Many large firms have been victimized by this type of attack, and frequently the malware spread through vulnerabilities for which a patch had already been available for weeks but had not been applied. Practitioners should validate that the organization has a practice in place to track newly disclosed vulnerabilities and vendor advisories, that it applies security patches promptly once they are released (with the gap between release and deployment measured), and that its anti-virus and anti-malware signatures are updated on a constant basis.

Utilize anti-virus and anti-malware software. In 2015, research by the Internet security teams at Symantec and Verizon revealed that nearly one million new malware threats had been released every day during the previous year. Given the need for up-to-date anti-virus and anti-malware software, organizations should verify not only that the software is updated constantly but also that it is properly configured and deployed on all the organization’s devices. For various reasons, a device may be missing the software entirely, may run an outdated version, or may have silently stopped receiving signature updates. Internal auditing should check a sample of individual devices in a variety of locations, and should also reconcile the endpoint protection console’s list of protected machines against the firm’s asset inventory, so that devices on which the software was never installed are found as well.

Encrypt your data. Secret, confidential, proprietary, and other protected data should be encrypted, at a minimum, while in transit outside the firm’s firewall and while stored in any cloud environment. Even when hackers cannot gain access to the organization’s internal network, they can intercept traffic crossing the public Internet, so the firm’s information must be protected in transit (for example, by TLS for web and email connections) and at rest in any location the organization does not control. Two checks matter in practice: that unencrypted protocols such as plain FTP and HTTP are not still being used for sensitive transfers, and that the firm knows who holds the encryption keys, since a provider that holds the keys can read the data it stores.

Outline security specifications for cloud computing in a service-level agreement. The cloud refers to the vast collection of data centers, servers, routers, switches, and network connections, located all over the world, that providers use to house and operate software applications of all types. Innumerable cloud-based data centers and applications are currently in use by organizations of every size. Many software applications are offered exclusively as software as a service (SaaS), which allows for massive economies of scale, much like an electric grid.

The management of cloud computing operations is normally automated, and the current scale of cloud computing is enormous. This poses a unique set of risks for the organization using cloud computing and for the internal auditor’s ability to ensure information security. To begin with, there is physical security risk. Most firms do not know in which data centers their data actually resides, so they cannot verify for themselves that those facilities are physically inaccessible to someone who might simply remove a server.

The mechanism for addressing these risks is contractual. The security specifications the provider commits to are outlined in a service-level agreement (SLA) and the contract terms that accompany it. An SLA signed by the organization should provide for location (physical) security, transmission security, encryption, breach notification, and all other information security concerns related to cloud computing. Practitioners should review the SLAs for all the organization’s cloud computing solutions and confirm that every key information security concern is addressed. Because a signed agreement is a promise rather than evidence, practitioners should also obtain the provider’s independent audit reports (a SOC 2 report, for example) and check that the controls the SLA promises are actually operating.

Implement controls for data loss. If a hacker gains access to your organization’s systems, the hacker will typically attempt to exfiltrate (i.e., remove) data assets. The intrusion detection system (IDS), intrusion prevention system (IPS), firewall, and other tools used by the firm should be configured to monitor all outbound Internet traffic, not only inbound connections, since it is the outbound direction in which data leaves. Data loss controls include other techniques as well, such as prohibiting the use of removable media and encrypting and filtering outbound email. The organization should have proven data loss prevention techniques in place, and alert logs should be generated, tracked, analyzed, and acted upon; monitoring whose alerts nobody reviews provides no protection.
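As an added example (not from the original article or its author), here is the sort of outbound-traffic check the paragraph describes, written in Python over constructed firewall-style egress records: one day's traffic is compared against a baseline day, and a host is flagged when its outbound volume to external addresses jumps relative to its own history or when it sends a large amount to a destination it has never contacted before. The log format, the address ranges treated as internal, and the thresholds are assumptions made for the sample; the documentation-range addresses used as "external" are not real hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed egress records in a key=value style similar to what a firewall
# or proxy exports. The addresses come from RFC 1918 and documentation ranges;
# none of this is captured traffic.
BASELINE_LOG = """\
2018-03-01T08:02:11Z src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes_out=2097152
2018-03-01T09:17:45Z src=10.0.1.15 dst=198.51.100.4 dport=443 proto=tcp bytes_out=1048576
2018-03-01T10:40:02Z src=10.0.1.15 dst=10.0.2.5 dport=445 proto=tcp bytes_out=104857600
2018-03-01T11:05:30Z src=10.0.1.22 dst=203.0.113.9 dport=443 proto=tcp bytes_out=524288
"""

CURRENT_LOG = """\
2018-03-02T08:10:51Z src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes_out=3145728
2018-03-02T02:14:07Z src=10.0.1.15 dst=192.0.2.77 dport=22 proto=tcp bytes_out=41943040
2018-03-02T09:30:19Z src=10.0.1.22 dst=203.0.113.9 dport=443 proto=tcp bytes_out=629145
2018-03-02T13:22:40Z src=10.0.1.22 dst=10.0.2.5 dport=445 proto=tcp bytes_out=52428800
this line is garbage and must be skipped, not crash the job
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes_out=(?P<bytes>\d+)"
)

# The firm's own address space (assumed here to be the RFC 1918 blocks).
# Transfers that stay inside it, e.g. to a file server, are not exfiltration.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Thresholds are assumptions chosen for the sample; tune them to your traffic.
SPIKE_FACTOR = 3.0               # alert when a host sends 3x its baseline...
MIN_SPIKE_BYTES = 10 * 2**20     # ...and at least 10 MiB, to ignore quiet hosts
NEW_DEST_BYTES = 5 * 2**20       # alert on >5 MiB to a never-before-seen destination


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def is_external(ip: str) -> bool:
    """True when the destination lies outside the firm's own networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def summarise(records):
    """Per source host: total external bytes and bytes per external destination."""
    totals = defaultdict(int)
    dests = defaultdict(lambda: defaultdict(int))
    for r in records:
        if not is_external(r["dst"]):
            continue
        totals[r["src"]] += r["bytes"]
        dests[r["src"]][(r["dst"], r["dport"])] += r["bytes"]
    return totals, dests


def detect(baseline_log: str, current_log: str) -> list:
    """Compare one day's egress with the baseline and return alert dicts."""
    base_totals, base_dests = summarise(parse(baseline_log))
    cur_totals, cur_dests = summarise(parse(current_log))
    alerts = []
    for src, total in cur_totals.items():
        base = base_totals.get(src, 0)
        # Rule 1: the host's outbound volume jumped relative to its own history
        # (a host with no baseline is flagged as soon as it exceeds the floor).
        if total >= MIN_SPIKE_BYTES and total > SPIKE_FACTOR * base:
            alerts.append({"src": src, "rule": "volume_spike",
                           "detail": f"{total} bytes out vs baseline {base}"})
        # Rule 2: a large transfer to a destination this host never used before.
        for (dst, dport), nbytes in cur_dests[src].items():
            if (dst, dport) not in base_dests.get(src, {}) and nbytes >= NEW_DEST_BYTES:
                alerts.append({"src": src, "rule": "new_destination",
                               "detail": f"{nbytes} bytes to {dst}:{dport}"})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOG, CURRENT_LOG):
        print(a["src"], a["rule"], a["detail"])
```

On the sample data only host 10.0.1.15 is flagged, once for the overall volume jump and once for the 40 MiB pushed over SSH to an address it had never contacted, while the much larger transfer to the internal file server is correctly ignored. The point for the control is the last step the paragraph calls for: the alerts this produces have to land with someone who will investigate them.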

Document change-control procedures. Technology has evolved enormously over the last 30 years. Each change to any of the software, hardware (including Internet-based cloud computing services), or internal processes used to produce, store, or process a firm’s financial information should be subject to documented change-control procedures. Correct change-control procedures involve the following steps:

  • Specification/request (typically called a change request)
  • Approval by proper levels of management
  • Planning
  • Testing, including user acceptance testing
  • Scheduling
  • Communication
  • Training
  • Implementation
  • Documentation
  • Post-implementation verification that the change is effective

Explore and document previous hacking events. A popular axiom holds that there are only two types of organizations in the U.S.: those that have been hacked and those that don’t know they’ve been hacked. One of the best indicators of information security weakness is that the firm has had information security, or hacking, events in the past. The fact that many thousands, perhaps even millions, of bad actors are constantly attempting to hack into companies and steal information and money should lend a sense of urgency to every company’s information security activities. The circumstances of previous hacking events must therefore be explored and documented: how the attacker got in, what was accessed, whether the root cause was actually fixed, and whether the same weakness exists elsewhere in the firm.

Conduct security training (at least annually). Information security is detailed and complex, and it requires that all participants (employees, customers, vendors, and so on) understand their part in the organization’s overall information security program. For these reasons, virtually all firms should require their employees, and perhaps vendors and other stakeholders, to complete an information security awareness training course at least annually. In-house personnel can provide training in their areas of expertise, or one of the many firms and organizations that offer such training can be engaged. The training should cover the threats staff actually face, such as the phishing emails that deliver ransomware, and it is imperative that all employees involved with internal control understand the key terms and control points related to information security.

Engage a third party for “white-hat” external and internal vulnerability scanning and penetration tests. The sheer magnitude and complexity of information security virtually ensures that some vulnerability will go undetected by the firm. It is therefore a solid practice, at least annually, to engage a third-party “white-hat” (i.e., ethical) hacking firm to test the environment from both outside and inside the network. A vulnerability scan uses automated tools to enumerate known weaknesses such as missing patches and insecure configurations; a penetration test goes further, with the white-hat hacker using the techniques a “black-hat” (i.e., criminal) hacker would use to actually exploit those weaknesses and show what an attacker could reach. Together they are among the most effective ways to find weaknesses, remediate them, and harden the firm’s information processing environment. Findings should be tracked to closure and re-tested, since a report that is filed and forgotten improves nothing.

Remember: No matter the size of your organization, a failure in any area of the IT structure, no matter how small, can compromise the entire system and enable a hacker to access the application software and source data. Proper security must include user education and the application of preventive, detective, and reactive controls.

For more information on how to strengthen your organization’s information security, including a risk assessment, download our white paper, How Small and Mid-Sized Entities Can Protect Themselves from a Cybersecurity Breach.


About Susan Weisenfeld

Susan B. Weisenfeld, J.D., is a managing editor with Thomson Reuters, with responsibility for products covering financial management and controllership, corporate governance, internal auditing, and GAAP.