KNOXVILLE – “We will get attacked,” said Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications at the National Association of State Chief Information Officers (NASCIO) annual conference, which was held in Nashville last week. In the wake of the many high-profile data breaches announced in 2014, Schneck urged organizations to prepare for the continued importance of cyber security programs and controls.

“You will turn on the news every morning and see probably another big name that says they’ve had a breach. The point is, can we continue to run while under attack, [and] can we minimize the harm that it does to us”?

LBMC Security & Risk Services, a division of LBMC, is shedding light on the serious issue of cyber security for the 11th annual National Cyber Security Awareness Month (NCSAM), which is coordinated and led each year by NCSA and the U.S. Department of Homeland Security. LBMC Security and Risk Services provides a wide range of services including Compliance, Security Consulting Services and Managed Security Services for organizations of all sizes.

Mark Burnette, a Partner in LBMC’s Security & Risk Services practice, provides the following tips for companies to reduce the risk of data theft and help keep IT systems and sensitive information protected from compromise:

First, companies should determine WHAT sensitive data they have. To do this, take the time to identify and catalogue sensitive data within your organization. Once you have a list of the types of sensitive data and where it is stored, processed, and transmitted within the company, you can determine the threats to that data and make sure you have the controls and protections in place to help secure it.

Once organizations have identified what data to protect, they need to determine HOW susceptible it is to compromise. A penetration test can help you determine the technical vulnerability of your IT environment (and sensitive data) to compromise. This type of test helps to validate the security measures that a company may already have in place and to identify the remaining holes that could lead to data compromise.

Make sure that company personnel understand their responsibility to protect sensitive information. Many compromises occur because a well-meaning employee sends sensitive data via unencrypted e-mail or clicks on a link in a phishing scam. Take a few minutes this month to send a companywide e-mail to remind employees to be vigilant when receiving unexpected messages and inquiries and to be aware of the company's policies regarding the handling of sensitive data when their job duties require them to store, process, or transmit such information. Also, be sure that your company's internal training includes a module on protecting sensitive data and complying with security policies. Once training has occurred, companies should periodically evaluate the effectiveness of the training by performing "social engineering tests" to assess the awareness and vigilance of personnel, and adjust training programs based on the results of the tests.

Most organizations have a limited amount of money and people resources to dedicate to information security and data protection. Before you spend a dollar of your organization's money on security tools or products, make sure it is going to address the areas that present the highest risk to the company. That approach ensures that all money spent on security is justifiable and appropriate.

LBMC Security & Risk Services, a member of The LBMC Family of Companies, is a world-class firm and leading service provider for information security. For more information on LBMC, visit its Web site at www.lbmc.com.

Published October 8, 2014