4 Cybersecurity Pitfalls to Avoid
You might break out in a cold sweat at just the thought of criminals on the other side of the world stealing your clients’ or customers’ account information. After all, if some of the largest corporations and agencies of the federal government can’t prevent their systems from being breached, what can a Main Street CPA firm or medium-sized business possibly do against such a threat?
The reality is that, as a CPA, you can probably do more than you think. At a minimum, as a trusted business adviser, you should help your clients or employer avoid these common pitfalls:
- Classifying cybersecurity as an IT issue. Although IT has a support role in intrusion detection and prevention, cybersecurity involves much more than IT. Today's attackers increasingly target human rather than technical vulnerabilities, using phishing, pretexting and other forms of social engineering that no firewall or patch can stop on its own. Cybersecurity is an enterprise risk management (ERM) issue. With some specialized training, CPAs are uniquely qualified to systematically assess and report on cybersecurity risks and to help implement controls that mitigate those risks.
- Dismissing cybersecurity as a large-organization problem. Breaches at large organizations make the evening news, but 60% of all targeted attacks in 2014 hit small- and medium-sized organizations, according to Symantec's 2015 Internet Security Threat Report. You want to be sure your small- and medium-sized business clients or employer understand the gravity of the threat and are taking appropriate measures to protect themselves. In many cases you may need to refer them to a firm that specializes in cybersecurity.
- Looking for a silver bullet to fix the problem. There is no single cybersecurity solution. Products are components of a cybersecurity program—not a program in themselves. Many of the most effective components of cybersecurity involve process improvements and staff training. This is where the CPA skillset provides value. CPAs who specialize in cybersecurity can serve in an advisory role helping companies build sound cybersecurity risk management programs. The AICPA is also developing guidance for cybersecurity assurance engagements.
- Relying on static solutions to dynamic threats. "We've taken care of it" is the most dangerous attitude any organization can take toward cybersecurity. Attackers are constantly developing new strategies and techniques, and business processes change as well. Cybersecurity controls need to be reviewed, tested and updated regularly in response to changes in business processes and emerging threats; a control that was adequate when it was installed may no longer cover the systems and data the business depends on today. Once controls are in place, an assurance engagement by a qualified CPA firm can help management and board members evaluate whether the risk management process is working as intended.
Learn more about cybersecurity opportunities for CPAs at the new AICPA resource center. You’ll find news and information about protecting client information, and starting advisory and assurance services related to cybersecurity. You can also learn more by attending the AICPA’s Cybersecurity Webcast Series produced with Ridge Global. The first webcast, Understanding Cybersecurity, will be held May 12 at 2:00 PM ET.
As in other practice areas, CPAs should not accept an engagement until they are fully competent in the subject matter.
Jeffrey Streif, CPA, CISA, PCI-QSA, CFE, heads the cybersecurity consulting and assurance practice for the St. Louis office of UHY LLP.
Bruce Sussman, CPA, CISA, CIPT, CISSP, is PCI Global Executive for AIG in New York. Streif is a member of and Sussman is co-chair of the AICPA’s Information Management and Technology Assurance Section’s Cybersecurity Task Force.