When it comes to cyber security, it’s no longer a question of whether your firm will be attacked – it’s a question of when. This article is a brief introduction to the concept of cyber wellness for accounting firms.
Today’s business world is becoming ever more interconnected, bringing new opportunities and creating new vulnerabilities. New threats are emerging every day – not just from people, but from a widening attack surface and ever-richer communication channels.
As an accounting professional, you and your staff handle highly sensitive client data. Unfortunately, bad actors can track people through their mobile phones and even their fitness trackers, and they can compromise laptops, cars, watches, TVs and hearing aids. In short: increasing Internet connectivity is making life easier, but it is also creating more ways for criminals to reach your and your clients' information. And according to experts, the next wave of attacks will not simply delete or leak stolen data; it will quietly alter data to compromise its integrity, so that, for example, the tax return data in your systems is no longer correct.
To combat these frightening possibilities, a new approach is required: cyber wellness.
This approach accepts that it is impossible to centrally control every connection with employees and clients. Everyone in the firm is responsible for the risks they take on. It is an active process – just like physical wellness programs, in which the company takes an active role in promoting and maintaining employees’ good health. With cyber wellness, proactive choices need to be made across multiple dimensions of cyber defense, response and governance.
How to Proactively Defend Yourself
Consider how predictive weather data enables coastal areas to take preventive measures before a tropical storm arrives. Cyber wellness works the same way; it doesn't wait for an attack to happen. Intelligence and threat assessment data should be used to build active learning scenarios that deepen employee cyber knowledge and training, and to deliver timely alerts when the threat picture changes.
These are the steps to take:
• Perform an initial vulnerability assessment, and create a prioritized cost/benefit remediation plan
• Determine whether your approach and security strategies meet best practices
• Evaluate your current spending relative to the value of the assets being protected
• Map current and emerging threats
How to Respond to Being Hacked
Cybersecurity is an ongoing problem that needs to be managed by everyone in the firm, so that when bad events happen, employees at all levels are better prepared to deal with them. Accounting firms need to:
• Create security incident response plans that cover both operational practice and legal obligations
• Perform penetration testing and tabletop exercises
• Have a public relations plan in place and legal counsel on board before an incident ever occurs
How to Enable Effective Governance
Your accounting firm needs an effective governance structure, one that ensures the firm, its employees and its vendors assess current and emerging vulnerabilities and the specific breaches they could lead to. If you haven't done so already, you need to:
• Perform cybersecurity audits
• Develop strong, detailed policies – backed by ongoing workforce training and development – to ensure that employees understand threats and how their actions help safeguard company assets
• Implement management processes for all third-party vendors and suppliers
• Consider insurance coverage, and how it is structured and implemented
• Create an effective cybersecurity governance structure and training for all levels in the firm
By taking this comprehensive approach, you'll keep yourself, your clients and your staff as safe as possible. Future articles will delve deeper into the details and ensure you are well informed about cyber security.
About David X. Martin
I am passionate about helping business leaders sleep better at night – by equipping them with critical cyber risk management tools that protect their enterprises while enhancing strategic business growth.
My career is grounded in managing risk – from cybersecurity to financial and operational risk. In addition to setting successful strategies as a senior executive at PwC, Citibank and AllianceBernstein, I also provide expert witness testimony in high level risk and cybersecurity cases, and work with government agencies.
I enjoy writing, speaking at conferences, and teaching, as well as serving on boards of directors. I published Risk and the Smart Investor (McGraw Hill, 2010) and The Nature of Risk (Amazon, 2012), and my articles for GARP, Institutional Investor and Oliver Wyman can be viewed through DavidXMartin.com.
I'm delighted to serve as a member of the Sanctions Subcommittee of the US Department of State’s Advisory Committee on International Economic Policy and as a Special Counselor to the Center for Financial Stability on emerging risks.