Cybersecurity
It’s a startling reality: a cyberattack occurs every 14 seconds,[1] costing an average of $3.92M per breach in the U.S.[2]
The threat of cybercrime
How finance and accounting professionals can lead the way
Cybersecurity: Why it matters
Cybercrime disrupts businesses and governments, damages reputations and drains resources. Unfortunately, opportunities for cybercriminals have grown thanks to the open nature of the internet, increasing volumes of e-commerce and the quick shift to remote working brought on by the COVID-19 pandemic.
What are you doing to protect your clients or organizations? There's a lot accounting and finance professionals can do in the fight for better cybersecurity.
Why should CPAs care about cybersecurity? This video explains.
Don’t assume cybersecurity is solely the job of IT professionals. Organizations are looking to protect their client, customer and financial data, and CPAs are uniquely suited to lead the charge.
With the right skills and training, you can be well-equipped to advise businesses on cybersecurity best practices, perform cybersecurity readiness assessments, and help them develop or strengthen their cybersecurity risk management programs.
Read on to learn more about the opportunities in cybersecurity and how you can hone your skills through our free CPE Digital Mindset Pack and other learning resources.
What is cybersecurity and what’s at stake?
Cybersecurity is the protection of computers, networks and information from theft, damage or unauthorized access.
Cyber thieves, or ‘bad actors,’ infiltrate a business’ systems and gain access to customer data to steal their financial details (or even their identity) and commit fraud.
Some common tools and techniques used by criminals include:
Malware (malicious software) attacks
Malware threatens a business’ ability to operate. Types of malware include:
- Worms — Standalone software that takes control of business systems and equipment without the operator’s knowledge
- Viruses — A piece of code, spread by an infected host file, that replicates itself and corrupts a computer’s system or deletes data
- Ransomware — A cyber thief blocks users’ access to files and demands a ransom to regain access
Information theft and fraud
Cyber thieves may also send scam emails to employees in hopes of gaining access to a person’s personal or financial data. Types of email scams include:
- Phishing — This scam dupes employees into thinking an email is from a trusted source so they click on an infected link that downloads malware.
- Whaling — A variation on phishing, which targets one big fish — often the CFO. The email might appear to come from the CEO or a regulator, looking like an urgent demand to pay a supplier or settle a fine.
Cyberattacks are bad business. The implications of a data breach can be long-lasting.
A cyberattack on a business can:
- Damage brand reputation
- Erode customer and stakeholder loyalty and trust
- Slow productivity
- Cause significant financial loss
A large-scale cyberattack can cause even greater harm: massive economic damage, geopolitical tensions and widespread loss of trust in industries.
With so many potential threats, it’s vital that CPAs understand what cybersecurity is, the solutions available, and how to establish a strong security framework for mitigating risks and keeping information safe.
The rise of cybercrime and the opportunity for CPAs
Cybercrime is the fastest-growing crime in the U.S.[3] and is estimated to cost $6T[4] in damages by 2021. There are many reasons for this increase:
Accelerated digitalization
As people and businesses increasingly move their personal lives and business operations online, more opportunities are created for cybercriminals.
Move to remote work
Data breaches increased by 273% in the first quarter of 2020, compared to the same time last year.[5] COVID-19 quickly forced employees to work remotely and introduced vulnerabilities, as staff logged into their work email from unsecured home networks. Many employers also didn’t have cybersecurity risk measures in place and had not fully educated staff on best practices.
Complexity of supply chains
Today’s intertwined supply chains make an ideal breeding ground for cybercrime. In fact, 40% of security breaches are indirect attacks that target weak links in the supply chain.[6]
Sophistication of cyberattacks
Cyber thieves are finding new, innovative ways to hack into systems. Employees can unintentionally compromise data and systems by falling for sophisticated scams, such as phishing and whaling.
Benefits of a strong cybersecurity program
Organizations need to make cybersecurity a strategic priority. Long-term consequences of cybercrime, such as large financial hits or a decline in customers’ trust, can take years to recover from.
A strong cybersecurity program:
- Protects client and customer information
- Increases customer and stakeholder confidence
- Improves productivity (viruses slow systems)
- Prevents significant financial loss
- Contributes to favorable brand reputation
CPAs’ role in cybersecurity
As a CPA, you can play a critical role in protecting your organizations and clients with a strong cybersecurity risk management program. What makes you qualified to lead cybersecurity efforts?
- Your expertise in risk management
- Your knowledge of financial data flows
- Your understanding of systems and controls
- Your knowledge of IT and technology
- Your experience using cybersecurity tools and frameworks
- Your position as a trusted adviser
Protecting businesses from cybercrime
There are many things you can do to protect your company from cybercrime.
The following are some best practices for developing a cybersecurity roadmap and assembling a cross-functional team to prevent, detect, manage and mitigate cyber risks.
Plan
- Seek executive buy-in. An informed and involved CEO is critical for a strong cybersecurity culture.
- Conduct a risk assessment to identify weaknesses in systems and controls.
- Conduct a pen test to take a look at your business from the perspective of a potential attacker.
- Invest in tools to increase visibility into all applications, data and devices and how they are connected.
- Explore the benefits of cyber insurance.
- Appoint a head of cyber and data security with sufficient resources and budget.
Prepare
- Give cyber-awareness training to all staff and carry out regular tests like phishing or fake invoices.
- Create a comprehensive set of security policies and an incident response plan.
- Perform continuous monitoring to comply with external regulation and internal policies.
- Ensure antivirus software is up to date and that trusted software patches or updates are installed.
- Back up files securely and regularly.
- Be prepared for the inevitable: from time to time, cyberattacks will get through.
Detect
- Prioritize incidents based on business impact.
- Monitor activity to identify risk events.
- Consult with insurance carriers and legal counsel (internal/external) specializing in data security regulatory requirements and state and federal law.
- Perform necessary technical investigations (assessment, network, system and device forensics).
- Identify the initial cause (patient zero) and coordinate the required specialists to help restore operations.
- Determine the likelihood of misuse and damage as a result of the data compromised.
- Summarize threat analysis results and finalize the incident report.
Respond
- Track, document and measure impact.
- Focus on rapid and effective incident response.
- Respond to all data breaches in a timely, transparent and cost-effective manner to maintain and restore customers’ trust.
- Develop a corporate mindset that is open about mistakes, eager to learn, and quick to make changes.
- Maintain transparency and report the incident to all appropriate parties.
Tools and best practices
Even with the right controls in place, every organization could experience a data breach at some point. Here are the basics that every organization should follow.
- Conduct a risk assessment to identify weaknesses in systems and controls.
- Create a comprehensive set of security policies.
- Follow best practices including:
  - Configuring systems to require strong passwords
  - Regularly patching computer systems
  - Implementing multi-factor authentication for remote access
- Conduct regular security awareness training for staff.
Hire a CPA firm
If your company doesn’t have the staff or expertise to adequately address all the steps required for a robust cybersecurity program, consider hiring an independent CPA firm. Whether your organization is designing a new cybersecurity program or needs an assurance report on one already in place — CPAs skilled in information management and technology can assist.
For more guidance and quick tips, watch this collection of short cybersecurity videos.
Tool: AICPA cybersecurity risk management reporting framework
Use our risk framework to help you communicate and report on the effectiveness of your organization or clients’ cybersecurity programs. The framework provides a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts.
How CPAs can help with clients’ cybersecurity needs
The cybersecurity market is expected to grow to $248 billion by 2023.[7] Boards of directors and audit committees want greater assurance and transparency that the companies they serve are establishing effective cybersecurity risk management programs.
Regardless of your firm’s cybersecurity expertise, you can play a role in protecting your clients from cybersecurity threats.
Firms with limited cybersecurity knowledge
If your practice is not yet ready to make cybersecurity a key practice area, you can still show concern for your clients by asking about what kinds of protections they have in place, staff training programs, privacy and security policies, response plans and other controls that help mitigate risks. You can also connect them with experts who can help them put together an effective cybersecurity risk management program. If your firm is looking to grow its knowledge of cybersecurity, consider upskilling staff or partnering with a firm that has this expertise.
Firms with knowledge and experience in cybersecurity
If your firm specializes in information technology, you may be well-equipped to step in and provide advisory services including:
- Readiness assessments and gap analysis
- Cybersecurity or information security risk assessments
- Vulnerability assessments and penetration testing
- Application security and database security assessments
- Information security policy development
- Data classification process design and consulting
- User life cycle management consulting
- Social engineering and awareness training
- Security incident response program development and testing
- Disaster recovery plan consulting
Cybersecurity Assurance Services
If your firm is already offering advisory services or other third-party reporting examinations, offering SOC for cybersecurity examination services would be a next step.
Using the AICPA’s SOC for Cybersecurity framework, you can provide assurance over the effectiveness of controls over an organization’s cybersecurity risk management program, helping build trust and transparency for customers, investors and leadership.
A SOC for Cybersecurity examination offers several benefits. It:
- Provides an independent, entity-wide assessment of an organization’s cybersecurity risk management program
- Helps reduce uncertainty and build resilient organizations by evaluating the effectiveness of existing cybersecurity processes and controls
- Permits flexibility by not constraining management to a particular security management framework or control framework
- Results in a general-use report
Strong cybersecurity and transparency about how data is used go a long way toward customer loyalty and trust. CPAs can help their organizations and clients get their cybersecurity on track for a more secure future. For more resources to help you get started on the path to learning all things cybersecurity, check out the resources and tools on the next page.
Chartered Global Management Accountant® (CGMA®)
CGMA is the most widely held management accounting designation in the world. It distinguishes more than 150,000 accounting and finance professionals who have advanced proficiency in finance, operations, strategy and management. In the United States, the vast majority also are CPAs. The CGMA designation is underpinned by extensive global research to maintain the highest relevance with employers and develop competencies most in demand. CGMA designation holders qualify through rigorous education, exam and experience requirements. They must commit to lifelong education and adhere to a stringent code of ethical conduct. Businesses, governments and not-for-profits around the world trust CGMAs to guide critical decisions that drive strong performance.
cgma.org
Association of International Certified Professional Accountants
The Association of International Certified Professional Accountants® (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs® (AICPA®) and the Chartered Institute of Management Accountants® (CIMA®) to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMA designation holders and accounting and finance professionals globally.
aicpa-cima.com
For information about obtaining permission to use this material other than for personal use, please email mary.walter@aicpa-cima.com. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct as of the publication date, be advised that this is a developing area. The Association, AICPA, and CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.
The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of the AICPA, CIMA or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought.
The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within to any given set of facts and circumstances.
Founded by AICPA and CIMA, the Association of International Certified Professional Accountants powers leaders in accounting and finance around the globe.
© 2020 Association of International Certified Professional Accountants. All rights reserved. AICPA and American Institute of CPAs are trademarks of the American Institute of Certified Public Accountants and are registered in the US, the EU and other countries. The Globe Design is a trademark of the Association of International Certified Professional Accountants and licensed to the AICPA. 2006-20126
Footnotes:
[1] Cybersecurity Ventures, 2019 Cybersecurity Market Report
[2] IBM and Ponemon Institute, The Cost of a Data Breach, 2019
[3] Protect against the fastest-growing crime: cyber attacks
[4] Cybercrime Damages $6 Trillion By 2021
[5] Cybercrime ramps up amid coronavirus chaos, costing companies billions
[6] Lessons from leaders to master cybersecurity execution
[7] Cybersecurity Market worth $248.3 billion by 2023