Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you with us today. If you're watching us on YouTube, you've probably noticed some differences.
We've been making some pretty cool upgrades. Obviously got some new lights, got a new setup, different colors, different way of doing it, no longer look purple in the frame or completely washed out like in some of them. Still trying to figure out some of the editing in Premiere that's messing some of it up.
But in any case, very cool new lighting setup. Very excited about that. Have some stuff out of frame.
Obviously a new camera lens definitely helps. Some books stacking up so that we can have a monitor and actually see what's going on as we're giving the episode. We don't have to keep looking away.
That doesn't seem like it should be helpful, but it is. And another very major investment, I have actually got quite a few of these, is a wine cork. Now, for those of you that don't know, whether or not you have a podcast, whether you just do speaking, whether it's to a group, whether it's a big presentation, you can use a wine cork to help improve your speaking.
Now, that is not including the wine, the entire bottle of wine that goes with it, even though that will typically get you talking more and about more interesting things. Specifically using the wine cork, you can actually put it right in your teeth. And then you enunciate every word, "Cash in the Cyber Sheets," and you keep doing that for about 10, 15 minutes, and your mouth is going to get super tired, but it really helps build up all those speaking muscles.
It really helps with articulation. Now, I would caution against doing this in public, people will probably think you're pretty weird, even my wife laughs at me about it, although the joke's on her because she's been enjoying the dividends of those stronger mouth muscles. In any case, moving on to today, definitely want to break it up, try doing the episodes in a different way.
We're starting to get a lot more interest with people being on the show, so we're getting all those lined up. And to be able to give good information, to be able to have people on the show and it not take an excessive amount of time so that you can actually consume the stuff, really trying to shorten up some of the different segments. So today I want to talk about some of the most common issues that we see when auditing financial firms, CPA firms specifically. We see these issues a lot of places, but specifically with CPAs, we see these so much that I basically got a list, the dirty 13, and we'll go through each of these on the list, but rather than like we would normally do and really dive into them each, we're going to split it up to where we'll talk about one of them in depth over the next few episodes.
And that way it's, again, just much easier to consume. We can take that, pair it with different partners that are coming on, different businesses that we're interviewing. So trying it out, we'll see how it works.
Maybe we love it. Maybe we don't. But before we go any further, please show us some love.
Click that like button, click the subscribe, follow us wherever you're listening to us, wherever you're watching us. Also pause the show for a second and yell out, "I'm watching Cash in the Cyber Sheets. You should too."
Get your friends, get your family, get everybody to come into it. The more the merrier. And leave us some comments about things you like about the show, about opportunities, things you don't like, and also if there's things that you're having trouble with in your business, that you're having trouble with in your information security program, or things that you're trying to even communicate out that just aren't working.
Leave that in the comments. Happy to have a show on that to help get you through it. This is all about making all of us better, all of us more secure.
But shameless plug aside, we'll go ahead and jump into what I call the dirty 13. And again, these are the common issues that we see when performing audits on again, specifically CPA firms. Some of these are just common issues.
Some of these in here though are very, very serious and have the potential to cause your business and you personally a lot of harm if they're not addressed. So in no particular order, number one, which actually happens to be one of the most common, but all the others aren't in order, but number one, insufficient policies, just not a good written information security program. This is the one we're going to jump into today.
Really dive deep into it. But the next one that actually goes with that is inadequate risk analysis. Not good for the business, not sufficient enough, just completely disconnected.
Another one that we see quite a bit as well is inadequate security awareness training for employees. We need to have repeat information security training. Things are always changing.
And again, that's just something that a lot of companies could do a lot better at. This is one that we see almost consistently, and it could have serious adverse effects for your business, but is a poor incident response plan. You don't have a good plan.
Don't have good procedures in place. We'll dive into that one in depth in another episode. Burning through some of the others: inadequate supplier and vendor management process, a lot of times non-existent; poor logging and monitoring, not collecting the audit logs well, not managing them well; poor backups.
In some cases, we've seen companies that haven't backed up in over a year, that's staggering. Another one that goes with that, but it's really its own animal is lack of backup testing. Backups don't mean anything if you can't actually restore the data.
Poor password management. We could have seven episodes on that. We could have more, but we will at least have one.
Another big one that we see is assuming that your outsourced IT or your MSP provider is providing all of the compliance requirements or managing all of the security requirements. It's not always the case. And even where they're doing a really great job of what they can do, they can't manage everything.
Your information security program has to come from top management down. Again, another episode, another big one. It's been around forever, but just not using MFA, you got to use MFA.
Inadequate data management is another, where we're not classifying the data right, so we're not handling it correctly. And something surprising that we see a lot, especially in the ones that are really focusing on things, is just neglected physical security. You've got all this focus on all of these other things, on all this technical stuff and all of the policies, and you just forget to lock a door.
You forget to lock your screen. So those are again, just the repeat offenders. We're seeing it all the time when we do audits.
And that's why I wanted to build this series and some eBooks and articles, all kinds of resources that we'll have to help work you through these and show you how to not have these problems in your practice and your firm so that you don't get regulatory fines, you don't get lawsuits and all kinds of other issues. So today I want to focus on numero uno, insufficient WISP, not having a good written information security program, policy, however you want to say it. Depends on what type of SEO you're going for.
Now, this takes really kind of three main flavors. Number one is there's a lot of companies that just don't have any policies or procedures at all. There's nothing.
And in some cases, that's an easier fix. We can bring in our policy set, easily do the tweaks to make it fit for that company, and they can be off to the races. The next flavor is that there are policies, there are some procedures, but they just, they're lacking.
There's a lot of things that are missing. There's a lot of things that aren't identified, that aren't well discussed. But what we see, even with companies that have, I hate to say a mature information security program, because if this is an issue, you really don't, but they have a fully written information security policy.
They've got all of their policies. They've got a lot of the procedures. But they're just collecting dust.
They were written, they were approved, and then they put on the shelf. We checked that box. We never need to do anything with it again.
And what happens is, in most cases, when they're created that way, they don't match up to what the business is actually doing, and in the cases where they did, they're just sitting there on a shelf forever. They're not getting updated.
So the business, how the business operates, what the business needs, is actually consistently drifting away from what those policies are. So you can have all of your policies and still not have all of your policies. So those are the big areas that we see regarding information security policies.
That introduces a lot of risk. Some of the, I don't want to say flavors, I just used flavors.
The pillars, some of the big pillars of risk, write that down. Some of the different pillars are: not having adequate information security policies opens you up to a lot of regulatory fines, a lot of regulatory issues, especially with things like the FTC Safeguards Rule. You have to have specific policies in place.
And if you don't, that could be a regulatory fine. And in some cases that could lead up to prison time, up to five years in prison for the member, for the top management. That's pretty serious just for not having some policies.
That would have to be, I would think pretty egregious, but it can be $10,000 in fines to each of the upper management. It can be a hundred thousand in fines to the business. And it's not just like, that's the limit.
There are ways that they can keep coming in and saying it's per issue. So the regulatory fines can, they can go absolutely bonkers. So you want to make sure you have the policies that meet regulatory requirements, so at least you can take that risk off the table.
The policy set that we have, the structure that we put in place, all effectively, it eliminates that regulatory risk. I definitely need to have a little asterisk there for legal. But for all intents and purposes, the way that they're structured helps eliminate that regulatory risk.
When you don't have your policies and procedures or they're not matching the business or you're not following them, that also opens you up to your insurance company denying any type of claims related to any type of information security, cybersecurity incident. If you're looking at your insurance policies, if you're looking at your renewal notices now, you probably notice that they're a lot more in depth than they were even one year ago, definitely more so than they were two, three, four, and five years ago. The insurance companies are actually really, really digging deep.
But what they're also really doing is when there's a claim, a lot of them are doing audits on the company to see, let's take a look at your policies. Let's see where you were following them. Show us evidence that you were doing the things that you said you were doing, the things that you were supposed to be doing.
And if you can't show us evidence of that, that's where we can deny the claim. So that can be a major, major impact to a business. If the claim gets denied, you were hoping for all of this money to be able to cover the cost of the forensics teams, of the recovery, of your lost business, of all the money that you need to pay out to those affected.
And so many different hands, and now that money's not coming because the insurance denied your claim, that can be a pretty major impact. It can also open you up to lawsuits. If you're not doing the things that you're supposed to be doing, especially if in any of your literature, in any of your contracts, you state that you are managing security, you're not doing those things that can quickly turn into lawsuits by clients, other partners, basically coming to you and saying, you said you were doing this, but you weren't, you misrepresented yourself.
I didn't have it written down here, but it should have been. But for those that are public, you have stocks, you trade, people can buy shares. I don't know why that was so difficult to get out, but you're not a private company.
This can also lead to instances where the SEC can come in and say that you were manipulating your stock price. Had people known that you didn't really have information security policies, had people known that you weren't really following those, they wouldn't have thought your company was as valuable as it was, they wouldn't have invested. Ergo, you were manipulating the stock price.
That's a big time loss. And if you think that can't happen, that happened to SolarWinds, it's more than likely going to happen to CrowdStrike. So major, major issues for not having your security policies in place.
So we've talked about all this bad stuff. We've talked about the things that we've seen. How do you fix it? Number one, build your policies around your business needs.
That is hand in hand with your risk framework, hand in hand with your risk assessment that we'll get into in another episode, but make sure the policies match what your business needs and make sure that your business is following what those policies state. What can help with this is choosing a framework. Now, you're a CPA firm.
I would definitely recommend one, obviously following the FTC Safeguards Rule, but you can also use NIST CSF. You can use the CIS 20, well, not anymore, it's now the CIS 18 controls, but you can use those different frameworks to give you a really good roadmap as far as what should we be looking at, what questions do we need to answer, and to make sure that we're doing those.
If you want to make it really easy, you can also reach out to us. Our entire security program is built around making this easy, to where it's essentially a compliance paint by numbers, where we walk you through questions so that you can easily tweak the policies to your business need. And then when you come out on the other end, you've got a full information security policy, all the written procedures, all the written forms, everything you need to keep that going, to get it implemented, to keep it running and to keep improving. More than happy to have you on our site so that we can show you how to use that, but whatever solution you choose, make sure that your policies match your business need and that you're actually enforcing them.
So as I promised, trying to keep it shorter, and I think that is a good place to stop. On some of our upcoming episodes, I do want to talk about some of the other dirty 13, including inadequate risk assessments, risk analysis for the business, and really want to dive into the incident response plan, the poor issues that we see with a lot of companies that are leaving them all exposed. Thanks for listening to us on Cash in the Cyber Sheets, and I can't wait to see you next week.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.