Using Third-Party Assurance Services to Mitigate Cybersecurity Risks

Cybersecurity is a hot topic in today’s headlines. Phrases such as “credit card and personal information was leaked,” “user accounts and passwords were stolen,” or “ransomware has seized control of the system” are unfortunately becoming more common. What would happen if an organization made the news for something like this? How much would it cost? Could a business recover from the loss of reputation? These questions can worry even the steadiest companies.

It is common knowledge that as long as an organization is connected to the internet or to other organizations, it may be at risk for a cybersecurity incident. No organization, despite significant amounts of money or resources invested in securing information, can provide 100 percent protection from this scenario. The universal reliance on software and the potential financial value of electronic data motivates malicious entities to continually search for new vulnerabilities. The constant feed of critical and recommended software patches and updates can attest to this. Unfortunately, operating in today’s environment inherently exposes all companies to cybersecurity risk.

If an organization cannot be fully protected from this kind of incident, what can be done? The best way to protect a business is to identify and understand the critical risks and implement controls to effectively mitigate them. Organizations should prioritize their specific cybersecurity risks in order to focus on the ones that will likely or most adversely impact operations and reputation. Protecting an organization from every cybersecurity risk is impractical given limited money and resources, but focusing on critical, impactful incidents would allow the organization to operate within tolerable risk limits.

An effective way to assess tolerable risk limits is to engage a third party with technology and risk-management experience that can complement an organization’s industry-specific knowledge and experience in these matters.

The American Institute of CPAs recently developed a cybersecurity risk management reporting framework which allows an organization to engage a third party to examine and report on its cybersecurity risk management program. In these engagements, the third party issues a report that expresses an opinion on whether “the description is presented in accordance with the description criteria” and whether the controls within an organization’s “cybersecurity risk management program are effective” in achieving the cybersecurity objective. Based on the information gathered, the third party can also express an opinion on whether an organization complies with the appropriate laws and regulations, which can offer assurance to the organization’s customers or clients.

It can be a daunting task to identify where an organization stands within the cybersecurity realm. However, this issue cannot be ignored in today’s technology-driven world. It is important to trust a partner to help navigate the unfamiliar territory of cybersecurity risk in order to know with reasonable certainty where the risks lie.

KSM offers assurance services that can provide customers and clients comfort that an organization’s cybersecurity risk management program is structured and performing effectively. KSM Consulting, part of the Katz, Sapper & Miller Network, also offers a broad suite of cybersecurity services, including comprehensive technology evaluations and network security vulnerability assessments.