4 Cybersecurity Pitfalls to Avoid - AICPA
- Classifying cybersecurity as an IT issue. Although IT has a support role involving intrusion detection and prevention, cybersecurity involves much more than IT. Today’s hackers increasingly focus their attacks on human rather than technical vulnerabilities. Cybersecurity is an enterprise risk management (ERM) issue. With some specialized training, CPAs are uniquely qualified to systematically assess and report on cybersecurity risks and implement controls to mitigate those risks.
- Dismissing cybersecurity as a large organization problem. Breaches at large organizations make the evening news, but 60% of all targeted attacks in 2014 hit small- and medium-sized organizations, according to Symantec’s 2015 Internet Security Threat Report. You want to be sure your small and medium-sized business clients or employer know the gravity of the threat and are taking appropriate measures to protect themselves. In many cases you may need to refer them to a firm that specializes in cybersecurity.
- Looking for a silver bullet to fix the problem. There is no single cybersecurity solution. Products are components of a cybersecurity program—not a program in themselves. Many of the most effective components of cybersecurity involve process improvements and staff training. This is where the CPA skillset provides value. CPAs who specialize in cybersecurity can serve in an advisory role helping companies build sound cybersecurity risk management programs. The AICPA is also developing guidance for cybersecurity assurance engagements.
- Relying on static solutions to dynamic threats. “We’ve taken care of it” is the most dangerous attitude any organization can take toward cybersecurity. Attackers are constantly developing new strategies and techniques. Business processes also change. Cybersecurity controls need to be implemented and updated regularly in response to changes in business processes and emerging threats. Once controls are in place, an assurance engagement by a qualified CPA firm can help management and board members with the risk management process.