Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015


Risk & Advisory Services
Quarterly Risk Advisor, NOV. 2015 | 4TH QUARTER

IN THIS ISSUE:

The Top 4 Risks Facing Your Company, PAGE 1
Enhance Your Organization’s Cybersecurity Strategy, PAGE 3
5 Mistakes to Avoid When Business Continuity Planning, PAGE 6

With over 100 offices and 4,000 associates nationwide, CBIZ (NYSE: CBZ) delivers top-level financial and employee business services to organizations of all sizes, as well as individual clients, by providing national-caliber expertise combined with highly personalized service delivered at the local level.

Our national Risk & Advisory Services practice helps companies address unique risk factors through internal audit sourcing, SOX-404 and PCI DSS compliance programs, cybersecurity services, business continuity planning, and cost savings and recovery programs.

1-866-956-1983 | www.cbiz.com/ras | CBIZ BizTipsVideos @cbiz
© Copyright 2016. CBIZ, Inc. NYSE Listed: CBZ. All rights reserved.

The Top 4 Risks Facing Your Company

BRIAN GREGORY, Senior Managing Director, Denver, Colorado, 713.562.1154 | [email protected]

One need only to scan the headlines to know what happens when risks aren’t managed correctly. Data breaches. Vendor disruptions. Productivity and quality issues. You can’t effectively reduce your company’s exposures, however, if you don’t know your areas of vulnerability. A key step to managing your company’s risk and identifying your vulnerabilities is conducting a comprehensive, enterprise-wide risk assessment. Your assessment should consider your organization’s objectives, operational and financial size and your risk tolerance. Your assessment should also identify and evaluate the particular events and circumstances relevant to your organization’s opportunities and risks. These risks may entail consideration of third-party vendors, information technology (IT), staffing and succession planning and emerging markets.

Third Party Vendors

As with other areas of your operations, your approach to managing third-party vendors should be based on the risk each vendor poses. A vendor that assists with your company’s payroll and billing, for example, may have more risk than a vendor that performs another operational function because the first vendor handles sensitive financial information.

The vendor’s location is an important consideration in assessing the vendor’s risk. Some entities may have more regulatory risks because they’re multinational. Others may be in areas commonly affected by disruptive events, such as natural disasters, fires or labor strikes.

Past performance is also key. Vendors that have had cybersecurity attacks or other disruptive events may present a higher risk. Consider what triggered the initial incident and what has been done to prevent a similar event from occurring.

Your company should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence with its third-party relationships to reduce its vendor risks. Due diligence can help you identify what the vendor might require in terms of controls and monitoring.

Information Technology

Your organization needs to be vigilant about protecting sensitive data that involves addresses, phone numbers, Social Security numbers and credit card information. Cybercriminals have shown they can get into a range of systems to access personally identifiable information.

Sensitive information should have multiple layers of protection, including strict limits on who has access to the systems. You may also consider whether this sensitive information needs to be encrypted. The U.S. Office of Personnel Management was recently criticized for failing to encrypt Social Security numbers. Formalized policies and user training about intrusion detection, IT security and incident response can also lower your IT risks.

To mitigate security risks, storing data in the cloud may be appealing, but it requires careful monitoring. Oftentimes, companies do not have control over where their data in the cloud are stored, and depending on the type of data involved, you may run the risk of regulatory noncompliance. For example, human resources information cannot be housed on computers overseas. Other data may be subject to state requirements, and what those are will vary by region. Before moving any information to a cloud system, do your research about what would be permissible and what should remain in data centers under your company’s control.

Your IT risks should be continually monitored and your systems updated to keep pace with the ever-evolving cyber threat environment.

Staff Management & Succession Planning

In all the focus on improving your profit margins or your internal processes, you may have overlooked an essential element of your operations—your staff. Company leadership is essential to keeping your business running smoothly.

As your executives near retirement, you should be sure you have a process in place that can help you identify the right successors. You should evaluate which positions will need to be filled, from managers through chief executive officers and chief financial officers. As part of the evaluation, consider the position’s responsibilities. You may find that an executive retiring provides an opportunity to shift around responsibilities or reshape the role being vacated to better suit the current needs of your organization. Having a clear idea of what you need will help you pinpoint the right candidates and the right process to take to identify those personnel.

Emerging Markets

Working internationally can bring numerous benefits to your operations, but anytime you enter new territory, you’re also increasing your risks. Be sure you have an understanding of the rules and regulations you may face in the international market. A legitimate transaction in the United States might not be permitted in your new location.

Emerging markets may be particularly challenging, as fraud and corruption tend to be more prevalent. You’ll need processes in place that make sure you are not in violation of the Foreign Corrupt Practices Act of 1977 (FCPA), among other anti-corruption provisions.

A Proactive Approach is Key

Consideration of all your risks should also be part of an ongoing risk management process. Your risk environment is always in a state of flux. Only by periodically reviewing your areas of exposure can you keep up with those changes. For information on how you can set up a comprehensive risk management strategy, please contact us.

Enhance Your Organization’s Cybersecurity Strategy

Data breaches affect all organizations, from small not-for-profit organizations to large commercial retailers. Should your organization fall victim to a cyber attack, the results could be devastating. The average cost of a data breach in 2014 was $3.5 million. Furthermore, threats to cybersecurity appear to be increasing both in quantity and in severity. Data breaches doubled from 2012 to 2013, and from 2013 to 2014, the average cost of data breaches went up by more than 15 percent.

Your traditional approach to risk management may involve information security measures such as processes to protect your physical data from unauthorized access, use or dissemination. Nevertheless, the current environment demands a risk approach that also protects your organization’s electronic data and processes. Smartphones, computers and their networks need protection from unauthorized access and disruption, too. Cybercriminals frequently use these sources as points of entry into your organization, which could have devastating financial, legal and reputational consequences.

Approaching information technology and cybersecurity as a function of your internal controls can help protect your organization’s key information. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s 2013 internal controls framework provides a good foundation for how to monitor and mitigate your largest threats to cybersecurity. Data breaches will cause you to examine your control environment, cyber risks, control activities, internal and external communication strategies and your monitoring strategies. If you have a robust cyber risk management program incorporated into your internal controls, your organization can be much more efficient in responding to and recovering from a security incident.

Control Environment

Everyone in your organization plays a role in minimizing your organization’s cybersecurity risk, and it’s up to your organization’s management and cybersecurity team to communicate what that entails. Common sources of data loss offer a good indication of the types of policies and practices that should be part of your risk management culture. Misplaced or stolen electronic devices rank as the primary cause of data loss. Recommended practices for how to treat company equipment could reduce the number of these incidents within your organization. For example, you might want to require employees to take home or lock up any electronic devices at the end of the workday.

Hackers perpetrate roughly 18 percent of security incidents. They gain access to your organization’s networks through programs that trace the keystrokes on your computer or through malware inserted into your system via vulnerable software or third-party plug-ins. Your staff should be on guard for suspicious emails or other unusual requests for information, as they might be cybersecurity breaches in disguise.

Risk Assessment

A cyber risk assessment helps prioritize your approach to cybersecurity. The first step is to consider your organization’s unique risk profile. Your industry and the kinds of information your organization collects are key predictors of which areas of your operations will be most at risk. Retailers have proven to be targets of hacks involving customers’ credit card information. Health care institutions are highly vulnerable to having their medical records compromised.

Consider the value of the information your organization collects, both for the hacker and for your organization. On average, health care records involved in a data breach cost companies $316 per record. Compromised financial information cost companies $236 per record. Value doesn’t exclusively mean records’ monetary price, either. Information that if compromised would have a significant effect on your company’s operations should command a larger share of your security resources.


Part of the risk assessment may include an information technology audit. A multifaceted review of your existing protocols helps identify the areas of vulnerability and risk. A network security assessment can turn up vulnerabilities in your external and internal networks, review firewall, intrusion prevention and network access control systems and policies, and assess wireless networks to provide you a clearer picture of where your risks may lie. Network penetration testing should also be included in your information technology assessment, as this can give you a sense of how easily security incidents can be detected in your current operating environment. Testing can also give you an idea of the potential magnitude a cybersecurity breach would have on your organization.

Control Activities

Internal controls are essential to the effective operation of all organizations. They are the activities or procedures designed to provide reasonable assurance to management that operations are “going according to plan.” Without adequate internal controls, management has little assurance that its goals and objectives will be achieved. Properly designed and functioning controls reduce the likelihood that significant errors or fraud will occur and remain undetected. Internal controls help ensure that departments are performing as expected. Control activities are the policies and procedures designed by management to protect the organization’s objectives and goals from internal or external risks. Some common and important cyber risk control activities are logical security, change management, mobile devices and wireless, backups, monitoring of third party providers and cloud services.

Logical security controls help make sure that one person does not have too much power or influence over your organization’s cybersecurity. Consider segregating duties on your cyber risk team. Frequent password changes, limiting the system administrator function and logging and/or reviewing system administrator changes made in the financial accounting systems are recommended practices.

Change management controls can regulate updates and other modifications that go into production. Your organization should implement procedures that notify management of changes and allow management to approve any modifications prior to the work being done. Then, your organization should test the update using someone other than the developer. If satisfied that the modification works appropriately, there should be an approval process before the change goes into the production environment.
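The two control activities just described (logging and reviewing administrator changes to the financial accounting systems, and requiring approval and independent testing before a change reaches production) are easiest to see as a reconciliation: every privileged change in the audit trail should map to an approved change ticket, executed after approval and tested by someone other than its developer. The script below is an added example written for this newsletter summary; it is not CBIZ code, and the audit-log format, the ticket fields and all sample records are constructed for illustration. A real review would read the accounting system’s own audit trail and the change-management tool’s export instead.

```python
"""Reconcile administrator changes against approved change tickets.

Added example, not from the CBIZ newsletter. The pipe-delimited audit-log
format, the ChangeTicket fields and every record below are constructed
for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    system: str
    requested_by: str    # developer who makes the change
    approved_by: str     # management approval recorded before work starts
    tested_by: str       # should be someone other than requested_by
    approved_at: datetime


@dataclass(frozen=True)
class AdminChange:
    when: datetime
    system: str
    admin: str
    action: str
    ticket_id: Optional[str]   # None when the log line carries no ticket


# Constructed sample audit log: timestamp|system|admin|action|ticket
AUDIT_LOG = """\
2015-11-02T09:14:00|GL|alice|modify posting_rules|CHG-101
2015-11-02T11:40:00|GL|bob|grant role=admin to carol|
2015-11-03T08:05:00|AP|dave|change vendor_bank_account id=4471|CHG-102
2015-11-03T16:22:00|GL|alice|modify posting_rules|CHG-103
"""

# Constructed sample tickets exported from a change-management tool
APPROVED_TICKETS = [
    ChangeTicket("CHG-101", "GL", "alice", "mgr1", "erin", datetime(2015, 11, 1, 17, 0)),
    ChangeTicket("CHG-102", "AP", "dave", "mgr1", "dave", datetime(2015, 11, 2, 12, 0)),
    ChangeTicket("CHG-103", "GL", "alice", "mgr2", "erin", datetime(2015, 11, 4, 9, 0)),
]


def parse_audit_log(text: str) -> list[AdminChange]:
    """Parse the constructed pipe-delimited audit log into AdminChange records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, system, admin, action, ticket = line.split("|")
        changes.append(AdminChange(datetime.fromisoformat(when), system,
                                   admin, action, ticket or None))
    return changes


def review_admin_changes(changes: list[AdminChange],
                         tickets: list[ChangeTicket]) -> list[tuple[str, str]]:
    """Return (change, reason) findings a reviewer should follow up on."""
    by_id = {t.ticket_id: t for t in tickets}
    findings = []
    for c in changes:
        tag = f"{c.when.isoformat()} {c.system} {c.admin}"
        if c.ticket_id is None:
            findings.append((tag, "no change ticket: unapproved production change"))
        elif c.ticket_id not in by_id:
            findings.append((tag, f"unknown ticket {c.ticket_id}"))
        else:
            t = by_id[c.ticket_id]
            if t.system != c.system:
                findings.append((tag, f"{t.ticket_id} was approved for {t.system}, not {c.system}"))
            if c.when < t.approved_at:
                findings.append((tag, f"{t.ticket_id} executed before management approval"))
            if t.tested_by == t.requested_by:
                findings.append((tag, f"{t.ticket_id} tested by its own developer (segregation of duties)"))
        # Grants of the administrator role are reviewed regardless of ticket,
        # to keep the system administrator function limited.
        if "role=admin" in c.action:
            findings.append((tag, "privileged role grant: confirm administrator access is still limited"))
    return findings


def run_sample() -> list[tuple[str, str]]:
    """Run the review over the constructed sample data."""
    return review_admin_changes(parse_audit_log(AUDIT_LOG), APPROVED_TICKETS)


if __name__ == "__main__":
    for change, reason in run_sample():
        print(f"{change}: {reason}")
```

On the sample data the review flags four items: the untracked role grant (twice, once for the missing ticket and once as a privileged change), the AP bank-account change whose ticket was tested by its own developer, and the second posting-rules change that ran before its ticket was approved. The first posting-rules change passes every check, which is the expected outcome for a change that followed the approval and independent-testing procedure.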

Mobile device and wireless access need controls to protect them from unauthorized access. Best practices include encrypting mobile devices and removable data, issuing unique user IDs and complex passwords and automatically wiping devices that are lost or stolen. The remote wiping of devices is especially important because as mentioned earlier, missing devices are the most common source of organizational data loss.

Controls should also be in place to protect your data backups. Your organization needs to know what is backed up and where it is being stored, be it a data center, third party provider or cloud provider. Backup controls to implement include real-time notification and resolution of backup failures, off-site backup and replication, and periodic restores. Annual or semi-annual service organization control audits can help your organization manage your third party service providers. If no service organization control audit reports are available, then be sure your backup controls include periodic visits to the third party provider or cloud provider offices and hosted data centers. You should also request and review monthly or quarterly provider reports that detail the significant events that took place, the people who accessed the third party provider or cloud provider site and planned outages by the third party or cloud provider.

Whenever you are working with a third-party service provider, you also need to make sure your organization is knowledgeable and involved in the provider’s disaster recovery plan. If an unplanned outage affects a provider, your organization should be prepared for the potential effect that would have on its operations.

Information and Communication

A breach rarely occurs because of one incident, which makes it imperative that your organization have the means to collect and analyze meaningful information about its cybersecurity. A system that aggregates data from different sources can identify patterns that indicate whether your organization is facing a breach. Written communication plans that address what information is distributed to whom are highly recommended. Third parties involved with your organization’s IT security should be considered part of this communication plan, and your organization should be part of theirs, as data breaches on their end could affect your data. Depending on what is lost, you may be at risk for legal action by the affected parties. Your legal team should be involved to help minimize your liability exposure. They can also help you identify who needs to receive communication. Sometimes law enforcement, state attorneys general and even federal agencies may need to be included in the conversation about the breach.

Monitoring Activities

The risk environment continues to change and evolve, and so, too, should your cyber risk management strategy. Organizations should regularly evaluate the effectiveness of their current strategy and that of any third parties that administer their information technology security. They should then present findings to key stakeholders for consideration. Periodic cyber risk assessments should be part of your monitoring activities as well so that you can see how your systems are holding up to internal and external risks in your operating environment. Planned changes, such as adding a new third party service provider or moving office locations, are also good times to revisit and update your cyber risk strategy.

Protect Your Organization

Understanding your organization’s areas of vulnerability and the best practices to improve your strategy are key to protecting your organization from cyber-attack. If you have questions, concerns or comments related to your existing cybersecurity strategy, please contact CBIZ Risk & Advisory Services.

CHRIS ROACH, Managing Director, Houston, Texas, 281.844.4239 | [email protected]

5 Mistakes to Avoid When Business Continuity Planning

Natural disasters, supply chain disruptions, security breaches and even short power outages can paralyze a business. Almost 40 percent of small to mid-size businesses do not survive an initial catastrophic event. A business continuity plan can help a company ensure it will be in the 60 percent that survives. However, not all plans are created equal. Making one of the following five mistakes can be the difference between a company resuming profitable operations quickly or making headline news.

“My business continuity plan specifically targets my company’s primary natural disaster threats.”

Business disruptions have expanded. Companies that create plans targeting only natural disasters may be overlooking other harmful hazards to their day-to-day business operations, such as cyber-attacks or network outages. Business continuity plans that are simple yet holistic are most effective in addressing interruptions and maintaining business as usual.

“My CEO is prepared to lead our business if a disruption should occur.”

When disaster strikes, members of your senior management team may not be available or capable of making the critical decisions necessary to get your business back on track. Establishing a crisis management team made up of individuals from departments such as information technology, finance, legal and human resources guarantees that there are multiple people prepared to respond and that core functional areas of your business are covered.

“I already have a business continuity plan. I am prepared for future disasters.”

Developing a business recovery strategy should be an extension of your normal operations rather than a reactive project. Your organizational structure, vendors, clients and regulatory environments change over time. You don’t need to write a new plan every year, but you should factor in any of these changes that may occur and test your plan for viability and effectiveness.

“My employees are trained on our plan and capable of handling the process efficiently.”

Having a strong business continuity plan as the roadmap for working through an incident is not enough. Poor communication with staff, clients and the general public is typically the largest pitfall that makes it difficult for companies to recover. Using emergency communication technology can aid your crisis management team in responding to the situation at hand and keep your employees informed about what to do next. Additionally, maintaining open lines of communication with your clients allows them to feel secure that you are handling the situation without compromising their account information.

“My third-party vendors can pitch in during our recovery to help us service clients.”

If you rely on third-party vendors to deliver products or services to your clients, then your business continuity plan is only as strong as these vendors. Not only should they be prepared to support you when an incident occurs, but you should also be informed of their strategy in case disaster strikes on their end. Including in your plan a list of back-up vendors that can provide similar services greatly increases the likelihood that your customers will not experience a loss of service during an emergency.

Situations that compromise the security or longevity of your business are inevitable, and failing to have an effective response strategy in place can lead to devastating financial, legal and reputational consequences. However, a holistic business continuity plan paired with a properly trained crisis management team empowers your company to react and recover from disruptions quickly in a way that protects your data, customers and revenues.

MARK MADAR, Director, Cleveland, Ohio, 216.525.1956 | [email protected]