Hood & Strong’s Brian Wan on What You Need to Know About Cybersecurity Risks

Brian Wan, CISA, leads Hood & Strong’s IT Audit and Cybersecurity Assessment team. He joined the firm in 2022 after more than 10 years of experience in IT and financial accounting at a Big Four accounting firm, and previously worked closely with CFOs and financial planning and analysis teams within government agencies, private organizations and public companies. Brian’s industry expertise includes financial services, manufacturing, technology, health care, construction and utilities. He can be reached at bwan@hoodstrong.com.

1. How has the COVID-19 pandemic affected cybersecurity?

Due to sudden office closures and a “new normal” where working from home became standard practice, the pandemic created new challenges for many businesses that were not ready for a major shift to remote work. Since most of the work prior to the pandemic was performed on the premises, where company assets were monitored on the office network for threats and vulnerabilities, new assets and cybersecurity software were needed to support this shift.

Consequently, technology has become even more important in our everyday lives, opening new opportunities for cyber criminals to take advantage of unprepared businesses. For instance, meetings traditionally held in person now take place virtually, demanding a greater focus on cybersecurity. In one example, a large company that provides virtual meeting services had a major security flaw in its systems: the screen-sharing function inadvertently leaked users’ sensitive data to other participants on a call, providing an opening for an outside attack.

Cyber criminals continue to exploit weaknesses in remote work applications like video conferencing and are taking advantage of the security flaws, using them to hack into systems. It can be very costly to companies when a security breach occurs, and the damage has the potential to be irreversible.

2. What are the biggest cyber threats today?

The biggest threats we see regularly are social engineering and phishing emails. Social engineering is the psychological manipulation of people to get them to perform an action or divulge confidential information. Phishing is a type of social engineering where an attacker sends a fraudulent or spoofed message that is designed to trick the person into revealing sensitive information.

These methods are not very sophisticated when compared to other attacks, such as a brute-force password attack or a denial of service (DoS). However, social engineering and phishing emails are some of the most common we see because they work very well.

Humans tend to be the weakest links when it comes to cybersecurity. The simplest – but most important – thing clients can do to reduce these threat risks is to provide all staff with proper, regular cybersecurity awareness training.

3. What sizes and types of companies are most vulnerable?

All sizes and types of companies, even the largest corporations, are vulnerable to cyber-attacks. That’s why it’s critical to invest in enterprise-wide staff training and take proper precautions to protect your networks. Information Technology is evolving every day, and it is important to keep up on the latest cyber news, tools and software.

4. What is Hood & Strong’s approach to cybersecurity assessments?

Our first steps are to understand the client’s IT environment, infrastructure and organizational structure, and to identify if the company has a formal risk assessment process in place. The concept of a cybersecurity assessment is similar to IT General Controls over financial reporting, where we assess risk areas and rank them to determine controls to address any risks.

The difference in cybersecurity is that it follows a different set of standards depending on what regulations are enforced or the framework used. One example is the NIST Cybersecurity Framework, published by the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce.

5. How can companies most effectively protect themselves? What controls should they put in place to minimize risks?

One of the most effective ways for companies to protect themselves is to get cybersecurity awareness training for their staff. A simple mistake such as clicking on email links that appear to be from a legitimate source has proven time and again to be one of the easiest ways for cyber criminals to install malware onto the computer of an unsuspecting staff member.

Another approach that companies may take is to outsource this burden to a cybersecurity firm. It is unfortunate that businesses have to deal with cybersecurity issues, but it is something that should definitely be included in discussions among company leadership. When an attack happens, it is already too late, and the damage could be irreversible.

One control that should also be put in place is a policies and procedures manual addressing cybersecurity. This can serve as a guide for employees to reference if an incident occurs. The policies and procedures should be revisited, updated annually, and reviewed and approved by management on a regular basis.

6. Do you recommend that clients purchase cyber insurance? What should a company be looking for when selecting coverage?

Cyber insurance, where the risk of an incident is transferred to a third party, is one method to address risk. From a cybersecurity standpoint, I always recommend purchasing cyber insurance, as it is always better to have than not.

But, for each company, purchasing cyber insurance depends on whether the benefits outweigh the cost, as some may have the financial capacity while others may not. Cyber insurance coverage requires a mandatory evaluation of the business, and a discussion with an experienced insurance agent that includes coverage and terms.

7. If your business is hacked, what should you do?

It depends on the type of hack. For example, if the incident is a data breach (where customers’ identities or Social Security numbers are leaked), then one of the steps to take is to alert the customers of the breach so they can take the proper precautions to protect their identity and credit. Authorities should also be notified so that the appropriate actions can be taken to track down the hacker.

8. Anything else you think clients need to know?

There are many resources out there to learn about cybersecurity. Clients should keep themselves informed and always plan ahead, as a breach could cause irreversible damage to their company’s reputation and potentially their bottom line.

Staying up-to-date

Minimizing risks and protecting your business from cybersecurity threats is one of the most important investments your company can make. Contact your Hood & Strong advisor to help better understand your IT and cybersecurity audit options.