By Jody Paterson – Founder and Executive Chairman, ERP Maestro
As if internal risks of fraud and data breaches were not high enough, enter a year of new work environments and economic uncertainty that has ushered in an even more risk-prone era. Before we even knew the word “COVID,” the frequency of fraud had tripled over the previous four years, according to the Ponemon Institute’s 2020 Cost of Insider Threats report. By August of this year, a survey conducted by the Association of Certified Fraud Examiners (ACFE) revealed that 77 percent of respondents said they had observed an increase in the overall level of fraud since the pandemic began, with one-third noting that the increase had been significant.
The near-term future doesn’t look better. In the same ACFE report, 92 percent expected fraud to increase in 2021. However, fraud isn’t the only concern. Data theft by employees has also risen, and research firm Forrester expects data breaches caused by insiders to increase by 33 percent in the year ahead. The cause? More remote work, fear of unemployment and easier ways to access and remove data are the reasons cited.
At the same time, companies are reluctant to allocate more money for safeguards, even though the need for improved security is apparent. Yet we know that leaving risks undetected can end up costing much more than the security solutions designed to prevent them. How, then, can companies get greater protection for business systems while also keeping costs down? The following 10 tips can help.
Establish a Security Control Baseline
When developing a strategy and cost-saving budget, start by establishing a security control baseline. A company’s security baseline is the minimum internal security controls needed to keep a system protected and the base objectives that must be met to achieve security goals.
Perform a Risk Assessment
Along with creating a security control baseline, determine your current risk level with an analysis of access risks by user, role and business process. This review will provide a deeper comprehension of key areas of risk and how to tackle them as cost-effectively as possible.
Calculate Your Risk Tolerance
Along with a risk assessment, a company should know exactly what its risk tolerance is – how much risk it can afford to have. While risk threshold determines how much risk is acceptable before action must be taken, risk tolerance gets into the dollars and cents of what a company can afford if an incident occurs. A company needs to weigh the potential cost of fraud, data breaches and mishaps by employees to determine if it can tolerate that amount of risk and loss.
Decrease Audit Deficiencies
Companies meeting audit compliance requirements for Sarbanes-Oxley have to think through the risks and costs of audit deficiencies and material weaknesses and add those to their overall risk picture. Reducing risk in the first place, audit risks included, can be the more cost-effective posture to take.
Reduce Risk Remediation
Cutting the cost of access risk remediation is another budget-saving strategy. By running a risk analysis more frequently, risks can be found promptly and remediation work can be performed as risks arise rather than accumulating a massive number of risks and creating an overwhelming amount of remediation work all at one time. Such a scenario may slow remediation processes and even let some remediation slide, thereby leaving a company open to a greater risk of damaging incidents.
Eliminate Complexity
Manual processes and manual risk analyses are more complex and harder to perform. Simplify processes as much as possible to reduce errors, time and cost. But also look for simplicity in whatever technology you use to help control risks. Bear in mind that an intuitive user interface and clear risk reporting can drive greater adoption and use while reducing training, costs and risk in general.
Leverage Automation
Lowering risks, cutting audit deficiencies and reducing remediation work are easier to achieve with automated tools. Organizations can not only save hours and hours of time spent on manual work but also improve accuracy and remediate any risks faster.
Cloud Technology
Most companies today realize the value of automation, which can be achieved with both on-premises and cloud technology, but cloud technology can add advantages and savings not possible with on-premises solutions. Cloud technology can come with significant cost savings, from no-cost deployments, to an end to continual upgrades and maintenance, to greater flexibility and long-term agility.
Rank Your Solution Needs
One way to be more cost-conscious in security spending is to rank the importance of features in internal security and access control tools. To break this down, think about not only what you need today but also what you might need tomorrow, and which features are nice-to-haves versus must-haves.
An important caveat here, however, is to not buy unnecessary bells and whistles. Spending more doesn’t indicate that you have better cybersecurity readiness, and throwing more money at a problem isn’t the best approach. Research firm Gartner points out that a company may spend more money yet invest in less-suitable solutions, thereby inadvertently bloating budgets and making the business more susceptible to risk.
Employee Training
It may not be so obvious to include employee training when thinking about maximizing your budget. The truth is, however, that even after taking all the measures you can with best practices and technology, insider attacks are still attributed to employees of every rank. An all-inclusive security program should make training on internal risks, as well as external cyber threats, a priority.
In conclusion, cutting costs for internal security shouldn’t mean cutting necessary security solutions or forgoing investment in new or better tools. Using the tips above, however, there are ways to keep costs to a minimum while getting better risk protection.
About the Author
Jody Paterson is a trusted governance, risk, and compliance advisor and thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a former KPMG director, and Chairman and Founder of ERP Maestro.
Jody can be reached online at [email protected], on LinkedIn at https://www.linkedin.com/in/jodypaterson/ and via our company website at http://www.erpmaestro.com