By David J. Rosenbaum, Citrin Cooperman & Co.

Why is an article on cybersecurity appearing in a blog and newsletter on energy and environmental matters? Because this is a situation of grave concern to all companies, municipalities, etc. As engineers, we are involved in compiling and managing data, mainly through complex computer systems. However, data is now at risk of being stolen, altered or deleted, and this can have mammoth impacts on all kinds of firms.

Who is at risk? Any entity…
• connected to the Internet
• storing data electronically or in the Cloud
• involved with the Internet of Things (IoT).
Who may pose the threat to you and your data? Hackers, like you read about in the news. But employees, clients, and regulators, too.

What must cybersecurity protect?
• “Computers”, such as desktops, laptops, tablets, smart phones
• Networks, such as servers, firewalls, peripheral devices, IoT
• Data at rest (on computer hard drives, removeable media, in the Cloud)
• Data in motion (email, the web, wifi, phones)

What are the objectives of cybersecurity?
• Confidentiality: safeguarding records and information
• Integrity: protecting data from unauthorized access, change, or destruction
• Availability: ensuring that data is available to those authorized to view it.

Whether you are a big firm or a one-person shop, your data is vulnerable. Cybersecurity does not/cannot prevent a breach; it enables you to manage the risk. If you think spending money on cybersecurity is an issue, think of the costs of a breach including forensics, technology expenditures, notification, legal, system downtime, fines and penalties, and reputational.

A key to cybersecurity is employees. Users, often, unknowingly introduce threats by opening emails or clicking on links. Therefore, training is important.

To begin a cybersecurity assessment, the entity must understand:
• What information is maintained that needs to be protected
• Which systems maintain the information and who controls it
• How the information is currently protected
• Which rules/standards apply to data in question (i.e., HIPAA, PCI, privacy, etc.)

National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cybersecurity. Core:
• Identify. Develop organizational understanding to manage cybersecurity risk
• Protect. Develop and implement appropriate safeguards of infrastructure
• Detect. Develop and implement appropriate activities to detect an event
• Respond. Develop and implement appropriate actions once event detected
• Recover. Develop and implement appropriate activities to restore capabilities.

Cybersecurity Best Practices:
• Assess your risk
• Determine applicable rules/standards to comply with
• Develop written cybersecurity policies. Must be written.
• Implement Best Practices (i.e., complex passwords, firewalls, antivirus, backups)
• Train employees to be aware and alert and implement best practices
• Audit, test, and upgrade policies, practices, and security

Yes, cybersecurity is another responsibility and headache for managers already overwhelmed with responsibilities. But given the costs listed earlier, this needs to be done. Remember, it is not a matter of if, but when you’ll be subject to a cyber attack.

Citrin Cooperman’s Technology Consulting group has a practice focused on cybersecurity. Its TRAC Cybersecurity Services include risk assessment, penetration testing services, and remediation strategy. Contact David Rosenbaum at 914-693-7000 or at drosenbaum@citrincooperman.com.