Ethics & Compliance: Let’s Talk About Cybersecurity – Security
In recent months, the OIG short series has focused on structuring and implementing a comprehensive and effective ethics and compliance program. Often this requires a mindset shift from a check-the-box mentality to a holistic approach where everyone feels they have an important role to play. Nowhere is this more appropriate than in the field of cybersecurity, including developing a data security strategy and maintaining an effective incident response plan.
This post focuses on the importance of developing and implementing practical information security policies and procedures within your organization, as well as the ethical and legal obligations you have to protect your organization’s sensitive data. Our next post looks at the crucial role cyber incident response planning plays – not only after a cyber attack, but also in preventing many such attacks.
The security of your organization’s information systems, and of the data stored within them, is an essential component of virtually every aspect of your business. Your data must be trustworthy, readily available to the business when needed, and accessible only to authorized users. Depending on the type(s) of data you hold – e.g. personal information of employees, customer information, trade secrets, credit card information, sensitive government data, protected health information, export-controlled information and/or proprietary information – you will be subject to minimum security requirements set by regulations and contractual obligations, but you should also consider additional practices based on your specific risk profile.
Keep in mind that the disruption or destruction of critical systems is likely to have financial and reputational consequences for your business, such as:
- Compromised or Altered Data – Theft of trade secrets can result in you losing business to your competitors. Disclosing customer information can lead to loss of trust and business.
- System Downtime – If a system is not performing its primary function, customers may be unable to place orders and employees may be unable to do their jobs or communicate.
- Legal Consequences – If data is exposed or stolen from one of your databases, you could face fines and other legal costs for failing to comply with data protection requirements such as HIPAA.
Unfortunately, many organizations still base their security plans on general minimum requirements rather than on a risk assessment tailored to their organization. To be successful in today’s business environment, the simple reality is this: you are in the business of managing information technology risk.
Understanding the risks specific to your organization is critical to developing appropriate security measures. Before committing significant budget or time to implementing a risk mitigation solution, be sure to answer the following questions:
- What are your organization’s critical assets — particularly data — that, if disclosed, would have a major impact on your business operations?
- What are the top five business processes that use or require this information?
- What threats could disrupt these business processes?
- What risk do you actually want to reduce?
- Is this risk really the top priority security risk for your organization?
- Do existing controls adequately mitigate this risk?
- Are new risk mitigation strategies cost-effective options?
Once you know what you need to protect, you can start developing defense strategies.
Protecting your business from cyber threats – both internal and external – takes up a lot of your IT staff’s time and resources. But as most organizations now understand, good data security is the responsibility of everyone in the company. It only takes one careless employee, leaving sensitive data unprotected and possibly in the wrong hands, to oblige you to investigate, possibly report, and face the consequences of a data breach. Therefore, a robust training program, ideally involving drills and tabletop exercises, can go a long way toward minimizing the risk of human error.
In 2022, BlackFog, which tracks publicly reported ransomware attacks, reported a 29% increase in such attacks over 2021 and a 34% increase over 2020. But perhaps more worryingly, 2022 marked the first time a national government was successfully targeted by ransomware criminals. Beginning in the spring, Costa Rica’s government networks were infected with a strain of ransomware, leading to a series of cascading infections across the country. The disruption to critical services caused by these ransomware attacks eventually led Costa Rica to declare a state of emergency.
As many companies have learned the hard way, compliance doesn’t necessarily mean you’ve achieved security. Laws and regulations in this area generally lag behind technology and behind the ever-evolving cyber threats they respond to. Therefore, along with compliance, you need to consider your own risk and best practices to protect against cyber threats. Most companies know that falling victim to a cyber attack is no longer a matter of “if” but of “when”. Good awareness of information security obligations and best practices across the organization—facilitated by a focus on cybersecurity in the C-suite and an emphasis on training—minimizes the risk of an incident and helps mitigate the negative consequences that damage your reputation and your ability to run your business effectively.
The second part of our cybersecurity series looks at the role that developing and implementing a robust incident response plan plays in not only preparing for a cyber incident, but also in fostering a positive information security culture within your organization.