Risk Advisory Services: Cybersecurity

IT Risk Advisory Services

Cybersecurity Baseline Risk & Control Assessment

BRC has developed a cybersecurity practice that can help our clients identify, assess, measure and manage cybersecurity risk. As potentially damaging cyberattacks continue to affect more organizations, and news about cybersecurity, hackers, ransomware and data breaches keeps increasing, you may have found yourself wondering about your organization’s susceptibility. Ask yourself the following questions:

  • How does my IT environment and its security compare to my peers?
  • Are my IT policies, procedures and controls meeting industry best practices?
  • Am I taking the proper steps to secure my critical data and/or the personally identifiable information (PII) that has been entrusted to my company?
  • Is there an inventory of where my critical data/PII resides?
  • Are my systems properly patched and updated?
  • Is my cybersecurity function adequately resourced?

If you are uncomfortable with your answers to these questions, or if you have customers and vendors who are asking these questions about your organization, BRC can help you gain confidence about your organization’s cybersecurity posture, and help you make well-informed decisions about how best to address your security risks.

Our team can help you understand where you are now and give you the information needed to manage your cybersecurity resources to get the most protection for your critical data.

Cybersecurity Risk & Control Assessment Services

  • Gain an understanding of the current IT environment and the critical data in order to scope the assessment.
  • Review current IT policies, procedures and practices.
  • Review the current IT controls and correlate them with an industry control framework such as the National Institute of Standards and Technology (NIST) cybersecurity control framework, or the ISO 27002 information security standard.
  • Review current system configurations.
  • Prepare a comprehensive report of suggested items to change to meet cybersecurity industry best practices, and of items that are already being performed well.

Cybersecurity User Training Overview

Phishing, social engineering, spear phishing, Business Email Compromise… whatever the term you use or are most familiar with, this type of attack is “behind 90% of successful cyberattacks”.[1] Phishing takes advantage of the idea that the human user is still the weakest link in the data security chain. Despite the increased press and awareness of successful attacks (Mecklenburg County, December 2017), Verizon’s 2017 Data Breach Investigations Report found that roughly 7% of people will automatically click on any attachment or link they receive – and 25% of them were tricked into clicking more than once. The same Verizon report found that two-thirds of all malware (malicious software) attacked computer systems via email attachments. While only 7% of users would automatically click on an attachment, an Intel Security survey in 2015 found that 97% of users could NOT tell the difference between an authentic email and a well-done fake one.

It is not a question of whether it will happen, but when. However, with proper training users can avoid falling for the phishing scheme. Users can also be trained to recognize when a mistake has been made, how to respond, and who to call as soon as the mistake happens in order to mitigate the damage. A culture of security can be developed in your company, and BRC can help.

BRC Cybersecurity User Training Services

  • Launch an effective awareness campaign across the organization to help keep the potential of phishing on employees’ minds by providing recurring and visual reminders about common risks, best practices, and the importance of security to the organization.
  • Provide on-site or online role-based training to users across the organization, from senior management to the accounting department, HR, IT staff, administrative workers and every other group, to ensure that each employee understands the risks, their potential exposure in their particular role, and how to respond if they suspect a problem.
  • Conduct monthly, quarterly, or semi-annual simulated social engineering phishing attacks to assess employees’ susceptibility to such tactics. You decide the frequency.
  • Review/help develop clear security policies and procedures, and facilitate their communication to all employees.
  • Have employees sign a document outlining their own responsibility to uphold those standards on the company’s network, infrastructure and equipment.
  • Encourage the use of two-factor authentication to mitigate the misuse of stolen passwords.

Benefits to Clients

  • Cybersecurity becomes a business process.
  • Increased security. Phishing simulation provides quantifiable results that can be measured. These metrics allow improvements to be identified and tracked.
  • Visibility. With the comprehensive reporting, key stakeholders can understand the security weaknesses. This reporting helps obtain executive management buy-in for current and future security initiatives.
  • Demonstrated accountability. As a responsible organization, you need to demonstrate to your stakeholders that you understand the current threat environment and are taking steps to reduce risk. By ignoring the threat from social engineering attacks, you may expose yourself to lawsuits.
  • Improved training retention. Employees can be trained on what to do and what to avoid, but until they experience it first-hand, their behavior is unknown. After seeing what an attack is capable of, employees understand and become more security conscious. This helps improve retention of the training.
  • Net reduction in training costs. By identifying the more susceptible employees, for example through repeat-failure reporting, additional training can be provided to those employees without the cost and burden to other employees.
  • Lower cyber insurance premiums. The stronger your cybersecurity posture and the better trained your users, the lower your cyber insurance premiums will be.

BRC has created a multi-faceted, risk-based, scalable approach to your cybersecurity concerns.

Let’s get started today!

Download Information on Cybersecurity User Training
Download Information on Cybersecurity Baseline Risk & Controls
Download Information on Vendor Security & Outsourced IT Assessments
Download Information on Vulnerability Scanning / Vulnerability Management


凯尔乔鲁姆, Partner, CPA, CFE

凯尔乔鲁姆 is a Partner with BRC and is the leader of the Firm’s Advisory Services practice, which includes a variety of different types of engagements including: Cybersecurity; Due diligence for mergers and acquisitions; Fraud and Forensic Investigations; Agreed upon procedures; Internal control reviews and analysis; Outsource CFO and Controller duties; Litigation support; Shareholder […]

1. Former Rep. Mike Rogers, R-Michigan, who served as Chairman of the U.S. House Intelligence Committee from 2011 to 2015, speaking at the U.S. Chamber of Commerce Cybersecurity Summit in late 2015.