« 5 Tips for Becoming a Firm of the Future | Main | Four Steps to a Happier, Successful “Business” Retirement »

3 Steps to Mitigate and Respond to a Security Breach in the Cloud

The AICPA is participating in National Cybersecurity Awareness Month with a series of blog posts to help CPAs understand the role they can play in addressing cybersecurity issues. This is our second post in this series. Our first post discussed low- and no-cost ways to protect data.

Cloud securityMuch like their counterparts who run growing companies in virtually every industry, many accounting firm executives have their heads in the cloud. They have implemented, or are considering, cloud computing options for everything from data storage and networking to task automation and product delivery. Some firm executives see an additional opportunity: offering consulting services to help clients understand and use the cloud.

It’s clear that cloud computing provides proven advantages over on-premises options, such as savings, convenience and flexibility. However, the cloud also presents some unique challenges, including often complex deployment options, operational issues and substantial security concerns. Below you’ll find three steps to take to address cloud computing security.

Step One: Know the Risks

The first way to mitigate a security breach is to understand and prioritize the risks related to using cloud services. For accounting firms and their clients that use a cloud service provider (CSP), cloud-based solutions present the same risks as traditional information security, plus the risks associated with managing and governing a third-party service provider.

Specific threats include data breaches, information loss and account hijacking. Additional risks include internet-based threats, such as denial-of-service attacks, or malicious actions by personnel at companies or subcontractors who steal information and sell it for personal profit. Systems may be more vulnerable if they contain insecure application protocol interfaces (APIs), established with improper access configurations within multi-tenancy environments.

Step Two: Work with Your Partner

You need to collaborate with your CSP to establish cloud-related security protections.

At the very least, a CSP should have a formal information security management program. Robust cloud security systems incorporate a number of well-known tools, including internal and perimeter defense and monitoring technologies, proper encryption, malware defenses, penetration testing, network and application vulnerability assessments, multi-factor authentication and access controls and layered network- and application-specific protections.

A good security program will incorporate technologies to secure the information environment, provide data backup and redundancy and ensure a rapid response to threats and incidents. A reliable CSP should also have documented methods for vetting, training and monitoring its personnel. In addition, the governance policy should address asset ownership and location, physical security, media and software management, disaster recovery, change control and service termination issues.

Step Three: Put it in Writing

Before finalizing a contract for cloud-oriented services, make sure the agreement includes detailed descriptions of how security measures will be established, managed and reported.

A cloud-oriented service contract should clearly define the management and governance issues described above, the ownership and location of all data, breach notification clauses, incident response obligations, the sharing of the appropriate Service Organization Control (SOC®) Report (SOC 1® or SOC 2® Reports) and the rights to audit and obtain assurances relating to cloud services.

What to Do When a Breach Occurs

Cloud technology makes sense for an accounting organization and for your clients, but working with a CSP presents unique challenges. Ultimately, the responsibility falls on you and the client to really understand the business and technical risks associated with the CSP’s services. Key to this is to ask the CSP any questions you need answered based on your own risk assessments in order to ensure their concerns are addressed.

It’s not a question of whether a breach will happen, but when it will happen, so the bottom line is to be prepared. Work with your providers to fulfill the federal, state, regulatory and industry-related requirements for incident-response handling and breach notification. In addition, make sure you understand what you can do to prepare for such an unfortunate circumstance.

Resources: Need help selecting the right cloud vendor? An AICPA Information Management and Technology Assurance Section webcast scheduled for Oct. 25 explores this issue. In addition, you can access other helpful resources from the AICPA, including a suite of SOC tools and reports, information from the Cybersecurity Resources Center and the AICPA-Ridge Global webcast series.

Finally, since cybersecurity is such a critical issue, I invite you to share your feedback on the AICPA’s recently released proposed criteria that companies can use to communicate, and CPAs can use to report on an entity’s cybersecurity risk management program. These criteria provide a way for businesses to demonstrate due care and build stakeholder confidence in their cybersecurity risk management programs. Comments are due Dec. 5, 2016.

Steven J. Ursillo, Jr., CPA.CITP, CGMA, Sparrow, Johnson & Ursillo, Inc. Steve Ursillo is a principal and director of Technology & Assurance Services for his firm in West Warwick, Rhode Island. He is co-chair of the AICPA’s IMTA Cybersecurity Task Force and a member of the AICPA’s IMTA SOC Task Force.

Cloud computing security courtesy of Shutterstock. 


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily