This blog was updated as of 10/16/2019.
You might break out in a cold sweat at just the thought of criminals on the other side of the world stealing your clients’ or customers’ account information. After all, if some of the largest corporations and agencies of the federal government can’t prevent their systems from being breached, what can a Main Street CPA firm or medium-sized business possibly do against such a threat?
The reality is that as a CPA you can do more than you might think. At a minimum, as a trusted business adviser, you should help your clients or employer avoid these common pitfalls:
Classifying cybersecurity as an IT issue. Although IT has a support role involving intrusion detection and prevention, cybersecurity involves much more than IT. Today’s hackers increasingly focus their attacks on human rather than technical vulnerabilities. Cybersecurity is an enterprise risk management (ERM) issue. With some specialized training, CPAs are uniquely qualified to systematically assess and report on cybersecurity risks and implement controls to mitigate those risks.
Dismissing cybersecurity as a large organization problem. Cyberattacks targeting large organizations make the evening news, but 43% of all 2018 breaches occurred at small businesses, according to Verizon’s 2019 Data Breach Investigations Report. You want to be sure your small and medium-sized business clients or employer know the gravity of the threat and are taking appropriate measures to protect themselves. In many cases you may need to refer them to a firm that specializes in cybersecurity.
Looking for a silver bullet to fix the problem. There is no single cybersecurity solution. Products are components of a cybersecurity program—not a program in themselves. Many of the most effective components of cybersecurity involve process improvements and staff training. This is where the CPA skill set provides value. CPAs who specialize in cybersecurity can serve in an advisory role, helping companies build sound cybersecurity risk management programs. The AICPA is also developing guidance for cybersecurity assurance engagements.
Relying on static solutions to dynamic threats. “We’ve taken care of it” is the most dangerous attitude any organization can take toward cybersecurity. Attackers are constantly developing new strategies and techniques. Business processes also change. Cybersecurity controls need to be implemented and updated regularly in response to changes in business processes and emerging threats. Once controls are in place, an assurance engagement by a qualified CPA firm can help management and board members with the risk management process.
Learn more about cybersecurity opportunities for CPAs at the AICPA cybersecurity resource center. You’ll find news and information about protecting client information, and starting advisory and assurance services related to cybersecurity.
Jeffrey Streif, CPA, CISA, PCI-QSA, CFE, heads the cybersecurity consulting and assurance practice for the St. Louis office of UHY LLP.
Bruce Sussman, CPA, CISA, CIPT, CISSP, is PCI Global Executive for AIG in New York. Streif is a member of and Sussman is co-chair of the AICPA’s Information Management and Technology Assurance Section’s Cybersecurity Task Force.