The Bleach Breach: How a Quality SOC 2 Audit Could Have Helped Clorox
Another day, another breach. Several cybersecurity incidents involving major companies have made the news lately; one of the most notable involved Clorox.
Back in August, the multibillion-dollar corporation discovered unauthorized activity in some of their IT systems. The organization enabled their business continuity plan (BCP), but was forced into processes that affected their production capacity. The product shortages resulted in the organization losing money each and every day. Because of this security incident, the company’s Q1 earnings suffered greatly. According to Forbes, processing delays and product outages reduced their quarterly profit by 23-28%, or over $500 million in lost revenue.
Here’s the catch: Clorox recently spent $500 million to help strengthen their IT posture and landed themselves a spot on the 2023 Forbes Most Cybersecure Companies list. So, what went wrong? One of our KirkpatrickPrice experts pointed out that companies can spend all the money in the world on fancy cybersecurity software, but nothing makes up for the absence of quality policies, standards, and practices.
Even though Clorox appears to have had a BCP in place, they were not able to recover from their security incident quickly, costing them millions of dollars in damages. While there are several ways Clorox might have been able to reduce damages from what appeared to be a ransomware attack, one major weakness stuck out to us here at KirkpatrickPrice: there are no cybersecurity experts on the board.
Unfortunately, this isn’t rare. Few companies value cybersecurity enough to include security experts on their board, even though it’s a requirement of information security compliance frameworks like the SOC 2 auditing framework.
SOC 2 common criterion CC1.2 states that the board of an organization is required to define, maintain, and periodically evaluate the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. The same criterion also states that the board needs to supplement its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.
This boils down to making sure that your board includes, or regularly consults, a security expert. When the board has access to a security expert, they will know the best plan of action if a security event occurs and how to best prepare for the possibility of one.
What to Look for in Your SOC 2 Audit Firm
With so many auditing firms to choose from, it can feel overwhelming to know which firm is the best fit for your organization. We understand that the last thing you want is for an event like Clorox’s to happen to you. By choosing the right audit firm, you can stop worrying about your organization’s security posture and start focusing on growing your business and becoming unstoppable.
When choosing an audit partner, look for a firm with experienced auditors who will take the time to work through all of the framework requirements so you can feel confident about your organization’s security.
Many audit firms on the market hire inexperienced auditors who don’t fully understand what to look for when checking whether an organization is actually doing what it should to stay secure.
At KirkpatrickPrice, our auditors have an average of 25+ years of industry experience. They have walked in your shoes as CISOs and board members of successful organizations, so they understand what you want from an audit. They’ve seen it all and know exactly what to look for when assessing your organization’s security environment. Our auditors care about helping you reach your security goals.
Your auditor should care more about taking the time to make sure you’re actually doing what the framework requires than about simply checking a box saying you’re doing the bare minimum. We get it: compliance can feel overwhelming, but when you’re working with an auditor who cares, they will help you understand why each part of the framework is important for the well-being of your organization.
Imagine if Clorox had worked with an auditor who thoroughly checked to make sure they had a security expert on the board, or at least readily available to them. They may not have suffered as much damage or experienced such a long recovery time.
Learn from Clorox’s mistakes to avoid a cyber-nightmare.
Put the days of worrying whether you’re next behind you. When you work with KirkpatrickPrice, you’re working with a real cybersecurity expert who will do everything they can to help you avoid attacks and breaches that could cost your organization millions. We want to partner with you from audit readiness to final report, whether you’ve never gone through an audit or you’ve been through hundreds. We will be here for you every step of the way. If you have any questions or concerns about your organization’s security posture, or if you’re ready to start your audit, connect with one of our experts today. We can’t wait to help you become unstoppable.