Page 1

IS YOUR DATA SECURITY A SURE BET?
Answer these 7 questions to gauge your cybersecurity posture.

When it comes to protecting an organization from cyber risks, effective leaders often engage in risk analysis similar to that of expert gamblers. First, they know the rules, odds, and the stakes of the game. Plus, they know their weaknesses and strengths – as well as those of their opponents. Then, they synthesize that information to put a solid game plan in play.

To shift the odds of the game in your favor, answer the following questions about your cybersecurity posture so that you have an accurate idea of your current hand.

Q1 Has your company identified and prioritized digital assets according to their value to the organization? yes / no

Q2 Has your company identified every touch point where those digital assets are in use, at rest, or in transit? yes / no

Q3 Are you aware of the various ways in which the actions of your employees and business partners can compromise your most valuable digital assets? yes / no

Q4 Has your company obtained independent verification (such as through a SOC 1 or SOC 2 report) of the security controls of the service providers that have access to, or use, your data? yes / no

Q5 Do you have a cybersecurity incident response and recovery plan in place? yes / no

Q6 Have you implemented ongoing scenario-based training on cybersecurity policies and procedures, including best practices for recognizing and responding to the most common social engineering (i.e., attempting to trick someone into divulging sensitive information such as a password) techniques like email phishing? yes / no

Q7 Has an independent, credentialed firm conducted an annual review of your cybersecurity controls? yes / no

If you answered “NO” to at least one of these questions, then turn the page to learn how to shift the odds in your favor.

Page 2

Q1: Has your company identified and prioritized digital assets according to their value to the organization?

Why your cards in your current hand matter: We protect what we value. Consider this: Your patio furniture is probably sitting outside, but your jewelry is inside – and perhaps even in a safe. Similar to these personal assets, it makes sense that you would also assess and protect your business assets according to their value. Likewise, you may have to establish stronger protective measures over some assets, as high security for all data is likely cost prohibitive. By prioritizing digital assets according to their value, you are in a much better position to allocate cybersecurity resources effectively.

Q2: Has your company identified every touch point where those digital assets are in use, at rest, or in transit?

Why your cards in your current hand matter: Knowing where data is stored, how it is accessed, and who is using it can highlight potential areas of vulnerability and help prevent or mitigate a costly breach. Each of these touch points could represent one or more threats that put your digital assets at risk. Only after tracing this data flow can you take the next step: assessing risks.

Q3: Are you aware of the various ways in which the actions of your employees and business partners can compromise your most valuable digital assets?

Why your cards in your current hand matter: When it comes to valuable digital assets, threats can be internal (i.e., caused by humans or technology within the organization) or external (i.e., caused by financially motivated hackers or competitors). Internal threats are often the most pervasive and insidious. They range from malicious attempts by employees to steal valuable information to unintentional errors such as clicking a phishing link. No matter how much money your business spends on firewalls and other perimeter defenses, one employee who falls victim to a social engineering attack can bring down that entire defense system.

Q4: Has your company obtained independent verification (such as through a SOC 1 or SOC 2 report) of the security controls of the service providers that have access to, or use, your data?

Why your cards in your current hand matter: Business partnerships thrive on trust. When it comes to the protection of valuable data disclosed to third-party service providers, that trust should be based on independent verification of the vendor’s controls.

Q5: Do you have a cybersecurity incident response and recovery plan in place?

Why your cards in your current hand matter: Many “first identifiers” of cybersecurity incidents do not know what they should do when they see that suspicious message or alert. Unfortunately, in those first vital moments, the incident can grow from a minor inconvenience into a major catastrophe. Given that 100% cybersecurity protection is impossible – or, at least, unrealistic – everyone in the organization needs to know how to respond to and recover from a cybersecurity event.

Q6: Have you implemented ongoing scenario-based training on cybersecurity policies and procedures, including best practices for recognizing and responding to the most common social engineering techniques?

Why your cards in your current hand matter: Regular scenario-based training is a critical component of a strong cybersecurity program. Cybersecurity training should include what to do if a breach is suspected or discovered, as well as competency-based testing to verify that participants learned the key lessons.

Q7: Has an independent, credentialed firm conducted an annual review of your cybersecurity controls?

Why your cards in your current hand matter: Cybersecurity is not a one-and-done exercise. Persistent threats – both external and internal – require constant vigilance through internal monitoring and independent review and testing. Organizations that invest time and money in regularly monitoring and testing controls evolve their protection and detection measures as they uncover potential holes in their systems and/or processes. Also, they illustrate to their employees and partners that long-term security trumps short-term convenience.

HOW PREPARED IS YOUR BUSINESS FOR A CYBER ATTACK?
When it comes to cybersecurity preparedness, most organizations have room for improvement. Each of these questions represents an essential page in your cybersecurity playbook, and even one “no” equals an opportunity to tighten your game strategy and strengthen your cyber defenses.

CRInsight: CRI can help you develop a cybersecurity training program. Learn more about what this program should include.

Next steps: Learn more about how to execute a winning game strategy by downloading our CRInsight, Do You Know Your Odds? 6 Key Ways to Strengthening Your Cybersecurity Posture. Additionally, contact CRI’s cybersecurity specialists to discuss how your organization can uncover its true risks through a cybersecurity risk assessment.

CRIcpa.com