Top 5 Cybersecurity Resolutions for 2024

New Year, New Cybersecurity Program!

The start of a new year is the perfect time to enhance or implement a cybersecurity program. Now more than ever, it’s imperative to have a strong cybersecurity and risk management program to detect, mitigate, and resolve threats and vulnerabilities.

Having a detailed understanding of your current risk posture, vulnerabilities, and gaps gives you a substantial advantage over companies that are in the dark, and the leverage needed to stay ahead of potential threats and attacks. It also helps you determine HOW and WHEN to initiate incident response, so that attacks are contained and resolved more quickly and efficiently than they would be without a proper cybersecurity management program in place.

Here are your top five cybersecurity resolutions for 2024:

1. New SEC Disclosure Requirements – TIME IS RUNNING OUT FOR COMPLIANCE

Companies are now required to describe their cybersecurity risk management, strategy, and governance in the annual Form 10-K, and to report material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material. Note that the clock starts at the materiality determination, not at discovery, and that a series of related occurrences can together constitute a single reportable incident. Materiality is judged on the nature, scope, and timing of the incident and its reasonably likely impact on the company; the determination should follow a consistent, documented methodology applied to every incident the company faces, not only those that are obviously severe.

Companies must now disclose information regarding their cybersecurity policies, procedures, and governance for identifying and managing cybersecurity risks and threats. This will include an outline of the current cybersecurity risk management program, vendor risk management, whether any third-party assessors, consultants, auditors, etc., have been engaged or involved, how the company undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents, and whether the company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident. Moreover, companies are required to disclose how cybersecurity risks are incorporated and integrated with the company’s overall business strategy and FP&A practices, training and awareness, governance, and oversight of the cybersecurity program, including management’s role and the board’s oversight. Remember – cybersecurity is not just an IT effort – it’s a business decision. The 10-K disclosures apply to fiscal years ending on or after December 15, 2023, so for calendar-year companies the 2023 10-K is the first filing that must include them – just a few weeks left for compliance! (Smaller reporting companies have until June 15, 2024 before the Form 8-K incident reporting requirement applies to them; the 10-K requirement is not deferred.)

2. Incident Response Plans

Your company detected an incident, and it was identified as a security threat. Now what? Having a formal incident response plan will guide your executives and those involved in properly handling a security incident, from initiating the plan to stakeholder and customer communications to containment, resolution, and lessons learned. Your plan is only as good as the post-incident review behind it: you need to understand what went well and what needs to be improved. Continuous improvement of your incident response plan is key to effective detection and resolution efforts. Companies that outsource their IT functions to a managed service provider (MSP) still require an incident response plan of their own, because the MSP’s plan covers the MSP’s obligations, not yours. Your plan should define when to initiate it, when and how communications should be handled (including the materiality determination that drives SEC reporting deadlines), and how to protect the company’s reputation.

3. Vendor Risk Management

If your data is in the cloud, the partners or vendors that handle it should have appropriate safeguards and controls in place, right? Your company is only as strong as your weakest vendor. Performing security assessments, sending due diligence questionnaires, and reviewing SOC 1 and SOC 2 reports are all required steps in ensuring your data is in safe hands with the vendors you share it with. Reading a SOC report means more than checking that one exists: confirm the report period is current, that the scope covers the services and locations you actually use, that any testing exceptions have been addressed, and that you are performing the complementary user entity controls the report assumes you have in place. It’s still your data, and you’re still responsible for its safeguarding, availability, and recoverability, regardless of who is managing or accessing it. If your customers’ sensitive data were breached because your vendor had a security incident, customers would not blame your vendor; they would blame you and hold you accountable.

4. Review & Monitor Logs and Keep Inventory

Activity logs are a key piece of the cybersecurity puzzle, but logs are only as good as the review performed over them. If they are not analyzed or reviewed regularly, they are effectively useless. Whether a SIEM (security information and event management) tool is used or a manual review is done, regular activity analysis should be performed, and it must cover privileged and administrator accounts, since those are the accounts an attacker most wants. Monitoring will help uncover unusual patterns, excessive attempts to log in, successful logins that follow a burst of failures, and other critical information needed to uncover potential security attacks. Don’t know where all your critical data resides? Keeping an effective inventory of your data, applications, hardware, and other IT assets will help narrow down the critical assets that need more robust monitoring and review.
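As an added illustration of the kind of review described above (this is example code written for this page, not a tool from Centri or from the original article), the following Python script runs two simple checks over authentication log lines: repeated failed logins from one source within a short window, and every logon to a privileged account. The log lines, the sshd-style format, the account list, and the thresholds are all constructed assumptions for the example; a real review would pull the format and thresholds from your own systems.

```python
"""Added example: flag brute-force login attempts and privileged logons.

The log lines below are constructed for this illustration (not real data)
and use a simplified sshd-style format. Thresholds and the privileged
account list are assumptions a practitioner would tune for their estate.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-01-08T09:00:01Z host1 sshd: Failed password for admin from 203.0.113.7
2024-01-08T09:00:03Z host1 sshd: Failed password for admin from 203.0.113.7
2024-01-08T09:00:04Z host1 sshd: Failed password for root from 203.0.113.7
2024-01-08T09:00:06Z host1 sshd: Failed password for admin from 203.0.113.7
2024-01-08T09:00:07Z host1 sshd: Failed password for admin from 203.0.113.7
2024-01-08T09:00:09Z host1 sshd: Accepted password for admin from 203.0.113.7
2024-01-08T09:30:00Z host2 sshd: Accepted publickey for alice from 198.51.100.5
2024-01-08T23:15:00Z host2 sshd: Accepted publickey for root from 198.51.100.9
"""

# Assumed line format: "<timestamp> <host> sshd: <Accepted|Failed> <method> for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed thresholds: 5 or more failures from one source within 60 seconds.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
# Assumed list of privileged accounts whose every logon is reviewed.
PRIVILEGED = {"root", "admin"}


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(log_text):
    """Return a list of (rule, detail) findings in log order."""
    findings = []
    recent_fail = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerted = set()                   # sources already flagged for brute force
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as clean
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent_fail[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in alerted:
                alerted.add(src)
                findings.append(("brute_force",
                                 f"{len(q)} failures from {src} within {WINDOW.seconds}s"))
        else:
            # A success from a source that was just brute-forcing is the
            # signal that matters most: the guessing may have worked.
            if src in alerted:
                findings.append(("success_after_failures",
                                 f"{user} from {src} succeeded after repeated failures"))
            if user in PRIVILEGED:
                findings.append(("privileged_logon",
                                 f"{user}@{ev['host']} from {src} at {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the constructed sample the script reports one brute-force burst from 203.0.113.7, the admin login from that same address that followed it, and the two privileged logons (admin on host1, root on host2). The point is not the specific rules but the habit they represent: a review that is actually run on a schedule, covers privileged accounts, and correlates failures with the successes that follow them.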

5. Communicate

A cybersecurity program is only as effective as its least involved executive. Cybersecurity should not be handled in a silo by IT with a small portion of the budget allocated to it. This should be a joint effort across all levels of the organization with proper budget allocation throughout the different segments of the organization. All levels of management need to be on the same page, and it’s important that the ‘tone at the top’ around cybersecurity is positive. Clear communication should be part of any cybersecurity program – from training and awareness to incident/breach disclosure. Cybersecurity should be part of every board of directors meeting, audit committee meeting, and town hall, and be transparent with all levels of employees about the program and what is being done to ensure the safeguarding of private information.

What Should Companies Do Now?

  • Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
  • Adopt an annual, externally performed cybersecurity risk assessment to identify gaps and weaknesses and a path forward for resolution and mitigation.
  • Assess the Board of Directors’ current role in cybersecurity risk and threat oversight and identify whether any members qualify as a ‘cyber expert.’ (The final SEC rule requires describing how the board oversees cybersecurity risk; it dropped the proposed requirement to disclose individual directors’ cybersecurity expertise, but knowing where that expertise sits still strengthens the oversight you do have to describe.)
  • Develop or refine the incident response plan to include initial and periodic reporting requirements.
  • Enhance and refine or develop a vendor risk management program.
  • Create a methodology for determining if a cybersecurity event is considered material to your organization.
  • Harden current security configurations or adopt new security measures to reduce the likelihood and impact of threat actors.
  • Update SEC disclosure checklists to comply with the new cybersecurity rules.
  • Take inventory of IT assets, including data, applications, and hardware.
  • Monitor and review activity logs!

How Centri Can Help

At Centri, our IT risk and cybersecurity advisory services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management aligns with the specific needs of your company.

Rich Sowalsky

Managing Director | IT Risk & Cybersecurity Practice Leader | CISA

Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.

Karyn DiMassa

Director | CPA, PMP, CISA, CFE

Karyn is a Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
