Cybercrimes are nothing new, yet business owners still find themselves behind the curve in maintaining proper security for their businesses. Cybercrime is a costly experience, too. In 2021, cyber breaches cost American businesses an average of $4.24 million each after accounting for downtime, reconstruction and lost revenue.
Worse yet, there is a misconception in the business community that cybersecurity is a technology problem. In fact, according to Tech Republic, 67% of all security breaches are caused by human error. “It is important to understand that cybersecurity is a business issue, not an IT issue,” notes Thomas J. DeMayo, principal, cybersecurity and privacy advisory at CPA firm PKF O’Connor Davies. As a leader in the firm’s client-facing cybersecurity advisory practice, DeMayo spends his days educating and consulting clients on how cyber threats impact business. He also serves on an internal IT committee that advises the firm’s CIO and executive committee on potential threats and issues of concern.
As CPA firms have become savvy in dealing with their internal data security processes, they have also grown to become trusted advisors to their clients on matters of cybersecurity.
According to Henry Rinder, CPA, ABV, CFF, CFE, CGMA, who is a member of Smolin Lupin, the accounting industry has become more proactive about data security as an outgrowth of risk management issues in the financial audit process. In particular, when the American Institute of Certified Public Accountants (AICPA) adopted System and Organization Controls (SOC) reporting, they established standards for security and supply chain integrity.
“Since the advent of SOC 1, SOC 2, and SOC 3, auditors must verify that client and vendor information and processes are reliable,” Henry notes. Today, CPA firms are consulting on cybersecurity issues far beyond agreed-upon procedures.
“Cybersecurity holds the capacity to make or break any organization regardless of its size,” adds Gurjit Singh, chief information officer at Prager Metis CPAs LLC. Like PKF O’Connor Davies, Prager Metis has a client-facing consulting arm that focuses on identifying and mitigating cybersecurity issues.
Singh, siding with published research, concurs that, “Breaches almost always stem from people within the organization disobeying company’s established security standards.” Gurjit adds that the consequences of a security breach can include identity theft, legal issues and significant loss of business. As a result, his team is busy providing the tools needed to help clients survive ongoing threats.
“As our clients’ trusted advisors, we help clients with risk assessments, providing penetration testing, and creating documents for security awareness training. We also share with them best practices, such as methods for secure transfer of records between organizations,” he says.
“It boils down to the three pillars: people, processes and technology,” adds PKF O’Connor’s DeMayo. “Incidents start because of social engineering. An employee gets tricked by an email or visits a social media platform with weak security settings. We help them develop the tools and processes to cope with these weaknesses.”
Inside New Jersey’s CPA firms, approaches to security vary in their levels of sophistication. However, every firm takes data security seriously. For example, most firms use encryption software and multi-factor authentication (requiring both a password and a random code sent to the user’s cell phone to verify identity) to access digital files.
“We rely on our IT department and our Microsoft-trained engineers to oversee our internal security processes,” notes Henry Rinder of Smolin Lupin. Rinder is also the firm’s lead on risk management issues, keeping up daily on cyber mitigation issues. To protect his firm and client data, his team has multiple levels of security. “We use file-sharing to receive and send client files, we back up and test our servers routinely and use third-party screening to filter email for phishing and malware,” he says. In addition, the firm periodically hires an outside professional to perform penetration testing on its systems, stress-testing them to identify weaknesses and potential problems and to confirm that its data remains uncompromised.
“Security is an ongoing investment,” Gurjit Singh says. “It is absolutely not a one-and-done deal.” For this reason, Singh suggests that, regardless of the size of the organization, a proactive approach to cybersecurity is the only way to stay ahead of ongoing threats. This ultimately means developing a blend of forensic tasks with predictive policies and procedures.
Beyond technology, employee education seems to be the key. “We do lots of thought leadership,” notes DeMayo. “We hold seminars, publish articles, and update everyone when new threats emerge.”
When it comes to processes, however, the question is: How restrictive does a company get? Smolin’s Rinder prefers blocking employees from social sites and shopping, as well as quarantining emails from certain foreign countries known for cybercrimes.
Singh, on the other hand, stresses the need for balance. “You don’t want to cripple your workplace,” he says.
DeMayo also puts the issue into perspective, noting that, “Technology has to support the business, not the other way around.”
He suggests that cybersecurity planning is a process that looks at every system to answer three important matters: business continuity, disaster recovery and incident response. In other words, how do we respond to a threat once it is detected? What do we need to have in place to keep the lights on while we work through the problem? Finally, what resources do we need in reserve to rebuild and recover from a breach?
“Clients need to educate themselves about the risks of cybercrime and their business,” Rinder says. Now that businesses are so dependent on the internet, he suggests that, “Owners should think of cyberspace as if they are walking down a dark alley at night. … You’ve got to watch your back!”
To access more business news, visit NJB News Now.