Top 5 Cybersecurity Resolutions for 2024
New Year, New Cybersecurity Program!
The start of a new year is the perfect time to enhance or implement a cybersecurity program. Now more than ever, it’s imperative to have a strong cybersecurity and risk management program to detect, mitigate, and resolve threats and vulnerabilities.
A detailed understanding of your current risk posture, vulnerabilities, and control gaps gives you a real advantage over companies that are in the dark, and it is the leverage needed to stay ahead of potential threats and attacks. It also tells you how and when to initiate incident response, so that attacks are contained and resolved faster and more efficiently than they would be without a proper cybersecurity management program in place.
Here are your top five cybersecurity resolutions for 2024:
1. New SEC Disclosure Requirements – TIME IS RUNNING OUT FOR COMPLIANCE
Under the SEC's cybersecurity disclosure rules adopted in July 2023, public companies must describe their cybersecurity program in the annual Form 10-K and must report any material cybersecurity incident (new, or a previously reported incident whose impact has changed) on Form 8-K (Item 1.05) within four business days of determining that the incident is material. The materiality determination considers the nature, timing, and extent of the incident; the company should define and consistently apply a materiality methodology to every incident it faces so that the reporting decision is defensible.
Companies must now disclose their cybersecurity policies, procedures, and governance for identifying and managing cybersecurity risks and threats. This includes an outline of the current cybersecurity risk management program, vendor risk management, whether any third-party assessors, consultants, or auditors have been engaged, how the company prevents, detects, and minimizes the effects of cybersecurity incidents, and whether the company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident. Companies must also disclose how cybersecurity risk is integrated with overall business strategy and FP&A practices, training and awareness, and the governance and oversight of the cybersecurity program, including management's role and the board's oversight. Remember: cybersecurity is not just an IT effort; it is a business decision. These 10-K disclosures are required for fiscal years ending on or after December 15, 2023, which means the 2023 10-K for calendar-year filers, leaving just a few weeks for compliance!
2. Incident Response Plans
Your company detected an incident, and it was identified as a security threat. Now what? A formal incident response plan guides your executives and everyone involved through proper handling of a security incident, from initiating the plan, to stakeholder and customer communications, to containment, resolution, and lessons learned. The plan is only as good as your understanding of what went well and what needs to be improved, so continuous improvement of the plan, driven by post-incident reviews and tabletop exercises, is key to effective detection and resolution. Companies that outsource their IT functions to a managed service provider (MSP) still need their own incident response plan: the MSP handles the technical response, but management must decide when to initiate the plan, when and how communications are handled, whether the incident is material for SEC reporting, and how to protect the company's reputation.
3. Vendor Risk Management
If your data is in the cloud, or is handled by partners and vendors, those third parties should have appropriate safeguards and controls in place, right? You cannot assume so: your company is only as strong as your weakest vendor. Security assessments, vendor questionnaires, and review of SOC reports (including the scope, exceptions, and complementary user entity controls they list) are all required steps in confirming that your data is in safe hands with the vendors you share it with. It is still your data, and you are still responsible for its safeguarding, availability, and recoverability, regardless of who is managing or accessing it. If your customers' sensitive data is breached because your vendor had a security incident, customers will not blame your vendor; they will blame you and hold you accountable.
4. Review & Monitor Logs and Keep Inventory
Activity logs are a key piece of the cybersecurity puzzle, but logs are only as good as the review performed over them. If they are not analyzed regularly, they are effectively useless. Whether a SIEM (security information and event management) tool or a manual review is used, privileged (administrator-level) activity in particular should be analyzed on a regular schedule. Monitoring will uncover unusual patterns, excessive failed login attempts, logins from unexpected sources, and other indicators needed to detect potential attacks. Don't know where all your critical data resides? Keeping an accurate inventory of your data, applications, hardware, and other IT assets will narrow down the critical assets that need more robust monitoring and review, and it is what makes a log alert actionable, because you know which system and which owner it concerns.
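The following is an added example, not code from the original article or from Centri: a minimal detection routine of the kind a SIEM rule or a manual log review would apply to authentication logs. It parses OpenSSH-style sshd lines, flags any source address with an excessive number of failed logins inside a short window, and then cross-checks successful logins to privileged accounts against those sources. The log lines, hostnames, usernames, IP addresses, the five-failure threshold, and the ten-minute window are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): detecting excessive failed
logins and suspicious privileged logins in constructed sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the standard syslog/OpenSSH format (not real events).
SAMPLE_LOG = """\
Jan 15 03:14:01 web01 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 15 03:14:03 web01 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Jan 15 03:14:05 web01 sshd[2303]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jan 15 03:14:07 web01 sshd[2305]: Failed password for root from 198.51.100.23 port 51031 ssh2
Jan 15 03:14:09 web01 sshd[2307]: Failed password for root from 198.51.100.23 port 51035 ssh2
Jan 15 03:14:11 web01 sshd[2309]: Failed password for root from 198.51.100.23 port 51040 ssh2
Jan 15 03:20:44 web01 sshd[2401]: Accepted publickey for deploy from 203.0.113.7 port 40012 ssh2
Jan 15 03:21:10 web01 sshd[2410]: Failed password for jsmith from 203.0.113.7 port 40020 ssh2
Jan 15 09:02:17 web01 sshd[3102]: Accepted password for root from 198.51.100.23 port 52001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Parse sshd auth lines into event dicts; lines that do not match are skipped.
    syslog timestamps carry no year, so one is supplied (assumed 2024 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max_failures_in_window} for every source that produced at least
    `threshold` failed logins within any `window`-long span (sliding window)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def privileged_logins(events, privileged=("root",)):
    """List successful logins to privileged accounts, marking any whose source
    address was previously flagged for brute forcing (the case a reviewer most
    wants to see: failures followed by a success from the same source)."""
    suspicious_ips = brute_force_sources(events)
    return [
        {"ts": e["ts"], "user": e["user"], "ip": e["ip"], "method": e["method"],
         "prior_brute_force": e["ip"] in suspicious_ips}
        for e in events
        if e["result"] == "Accepted" and e["user"] in privileged
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ip, n in brute_force_sources(evts).items():
        print(f"ALERT brute force: {n} failed logins from {ip}")
    for login in privileged_logins(evts):
        tag = "SUSPICIOUS" if login["prior_brute_force"] else "review"
        print(f"{tag}: {login['user']} login via {login['method']} from {login['ip']} at {login['ts']}")
```

Run as-is to see one brute-force alert for the single noisy source and a suspicious root login from that same address hours later; the single failure from the deploy host stays below threshold, which is the point of using a count-in-window rather than alerting on every failed login.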
5. Communicate
A cybersecurity program is only as effective as its least involved executive. Cybersecurity should not be handled in a silo by IT with a small portion of the budget allocated to it. It should be a joint effort across all levels of the organization, with proper budget allocation throughout the different segments of the business. All levels of management need to be on the same page, and the 'tone at the top' around cybersecurity must be positive. Clear communication should be part of any cybersecurity program, from training and awareness to incident and breach disclosure. Cybersecurity should be on the agenda of every board of directors meeting, audit committee meeting, and town hall, and the company should be transparent with employees at all levels about the program and what is being done to safeguard private information.
What Should Companies Do Now?
- Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
- Adopt an annual, externally performed cybersecurity risk assessment to identify gaps and weaknesses and to set a path forward for resolution and mitigation.
- Assess the Board of Directors’ current role in cybersecurity risk and threat assessment and identify if any members qualify as a ‘cyber expert.’
- Develop or refine the incident response plan to include initial and periodic reporting requirements.
- Enhance and refine or develop a vendor risk management program.
- Create a methodology for determining if a cybersecurity event is considered material to your organization.
- Harden current security configurations or adopt new security measures to reduce the likelihood and impact of successful attacks.
- Update SEC disclosure checklists to comply with the new cybersecurity rules.
- Take inventory of IT assets, including data, applications, and hardware.
- Monitor and review activity logs!
How Centri Can Help
At Centri, our IT risk and cybersecurity advisory services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management aligns with the specific needs of your company.
Managing Director | IT Risk & Cybersecurity Practice Leader | CISA
Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting. View Rich Sowalsky's Full Bio
Managing Director | CPA, PMP, CISA, CFE
Karyn is a Managing Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support. View Karyn DiMassa's Full Bio