Cyber Risk Management, Expert Witness & CEO David X Martin, LLC
How to Establish Effective Governance 

Your firm needs an effective governance structure to ensure that your staff and everyone you work with can conduct accurate, timely assessments to identify current and emerging vulnerabilities.

Sep 27th 2019
Cyber wellness is about taking preventive steps in multiple dimensions of cyber defense and enabling effective governance in addition to responding to threats and attacks.

The first step is to designate a senior partner who’s the responsible officer for firm-wide cybersecurity. In the day-to-day management of technology or in a crisis, it is far better to have a skillful leader rather than a subject matter expert. In choosing the right person, his or her leadership skills — communication and crisis management — are equally important.  

Cyber risk is not managed in a silo. Discussions of cyber wellness should be part and parcel of all management processes, such as new product approvals, merger due diligence and third-party outsourcing arrangements. If you haven't done so already, you need to:

1. Perform Cybersecurity Audits

Internal audit in an accounting firm plays a critical role in helping organizations manage cyber threats by providing an independent assessment of existing and needed controls, as well as helping the firm’s senior management understand and address the many diverse risks in today’s digital world. Several factors are noteworthy as internal audit professionals consider and conduct a cybersecurity assessment: 

• Involve people with the necessary experience and skills. It is critical to involve audit professionals with the appropriate depth of technical skills and knowledge of the current risk environment. A tech-oriented audit professional versed in the cyber world can be an indispensable resource.

• Evaluate the full cybersecurity framework rather than cherry-picking items. This evaluation involves understanding the current state against the framework's characteristics, where the organization is going, and the minimum expected cybersecurity practices across the industry or business sector. The initial assessment should inform further, more in-depth reviews. It is not intended to be an exhaustive analysis requiring extensive testing. Rather, the initial assessment should drive additional risk-based cybersecurity deep-dive reviews.

2. Develop Strong, Detailed Policies Backed with Ongoing Workforce Training and Development

Accounting firms need to ensure that employees understand the wide variety and ever-changing nature of cyber threats and how their own actions can help safeguard company assets. Research indicates that two-thirds of successful cyber attacks are directly attributable to the actions (or inactions) of employees.

Therefore, improving employees' awareness of risk exposures is critical in strengthening your organization's overall cyber resilience. Any measurable improvement in employee awareness – through initiatives such as gamification and continuous training that is operational in nature – would be highly accretive to your organization's capacity to protect against and respond to a cyber incident.

Unfortunately, most employees aren’t interested in their own personal digital security, much less their company’s. Historically, anything having to do with IT security was kept away from users by IT teams. Is it any wonder, then, that users show no or little interest in their company’s cybersecurity? Therefore, changing your organization’s corporate culture to strengthen cybersecurity is very difficult. It requires a paradigm shift that keeps pace with evolving cyber threats. 

If you think about it, users should be the front line of data security. After all, they are the ones who create and handle information. Therefore, they’re in the best position to understand its value. 

Senior management should implement interactive training and accountability programs that engage with users. Modern game-based training – with follow-up monitoring to see how users and employees apply their training – can transform a company’s culture into one where cybersecurity is everyone’s job.  

Cultivate and nurture a continuous learning environment – including relevant and memorable training and tools to support strong cyber-hygiene, ranging from password protocols to anti-phishing campaigns to “bring your own device” policies.  In addition, it’s essential that you create a safe environment in which employees at all levels are encouraged to point out weaknesses and vulnerabilities, without worry that the messenger will be killed.

Employees need to know they are acknowledged and rewarded when they identify an unmitigated risk or emerging threat. You want them to bring you “bad news” – because you can’t prevent or fix vulnerabilities if you don’t know they exist. Praise and thank the messengers – don’t kill them. 

3. Implement Management Processes for All Third-Party Vendors and Suppliers 

Third parties can have a significant impact on an operating environment. However, accounting firms are not usually as attuned to cybersecurity risks from third parties as they are to those in their own businesses, even though third parties can create the same adverse, long-term effects.

For example, the sharing of data and communication between the accounting firm and its vendors is no longer fully under the control of the firm's internal operations, as these external parties create new entry points into a company's technology environment, adding complexity and potential volatility to the operating environment.

Basics for a third-party program should include:

• third-party exposures prioritized based on risk (including cyber) to the organization, 
• clear assessment tools in place for the onboarding of any new relationships, 
• ongoing, risk-adjusted monitoring processes in place to assess adherence to contract terms and joint disaster recovery testing with primary service providers.  

Legal and other practical considerations can (and should) be employed to partition and mitigate the risk. However, the risk – no matter where it originates – will rebound to the accounting firm in times of crisis or stress. Clients, both corporate and individual, will always look to the accounting firm with which they are doing business for explanations and relief when problems occur.

Feeling reasonably secure about your company’s cybersecurity program is not just a matter of being able to answer questions like: “Does our organization have the right governance structure?” Rather, it’s being able to answer bigger questions, such as: “Are we thinking about security the right way, and where is all this going?”

By being proactive in your approach to cyber wellness, you'll keep yourself, your clients and your employees as safe as possible.