Good Business Cybersecurity Should Involve the Work of CPAs
By David E. Hubler
Contributor, In Cyber Defense
We don’t often think of certified public accountants (CPAs) as being stalwarts in corporate cybersecurity. But in today’s world everyone needs to be involved in keeping their systems safe from cyberattacks.
A recent survey by the Virginia Society of Certified Public Accountants (VSCPA) and Virginia Business magazine found that 78 percent of respondents rated cybersecurity a significant concern. In addition, 19 percent acknowledged that their organization was a victim of a cyberattack in the last year.
A Lot of the Work CPAs Do Is Related to Financial Security
“CPAs are tuned into cybersecurity because of their clients,” said Stephanie Peters, president and CEO of the VSCPA. “A lot of the work they do is related to financial security,” she explained. “They have a heightened awareness of the risks that are out there for anyone.”
In fact, malicious hackers attack computers and networks every 39 seconds, according to a Clark Study at the University of Maryland.
“Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections,” said the study’s creator, assistant professor of mechanical engineering Michael Cukier. “The computers in our study were attacked, on average, 2,244 times a day,” he added.
Cyberattacks and Attempted Cyber Breaches Are Increasing
“We have seen an increase in cyberattacks and attempted cyberbreaches,” said Bartosz Wojszczyk, co-founder and CEO of SPARQ Global, a Virginia Beach-based cybersecurity firm. He told Virginia Business that damages from cybercrimes worldwide amounted to $600 billion in 2017. That number is expected to reach $6 trillion by 2021.
“There is a growing intensity of cybercrime, and the resultant damages to companies and institutions, both private and public, will only escalate,” Wojszczyk warned.
Ransomware attacks and phishing attempts are also increasing, said Joe DePlano, co-founder and CTO of Bluestone Analytics in Charlottesville, Virginia. He cited a ransomware attack earlier this year that forced a mid-Atlantic organization to shut down its network for several weeks while it was being held hostage. “They had to rebuild from scratch,” he said. “You can imagine the cost.”
DePlano explained that the company didn’t have a dedicated security team or a user base with training. “They didn’t realize the risks from a security perspective. They didn’t follow best practices,” he said.
VSCPA Performed an Internal Cybersecurity Probe and Made Many Changes
Perhaps with such statistics in mind, the VSCPA performed an internal cybersecurity probe that examined all of the organization’s processes.
“We made so many changes to how we do remote work,” Peters said. “Now when we go into the network, we use multifactor authentication security. We have at least two additional levels of security to get into our data.”
Peters told Virginia Business that VSCPA members are “doing more to advise customers of these risks.” “CPA firms can also go in and audit a company’s cybersecurity and risk management program,” she pointed out.
Executives interviewed by the magazine offered seven tips to protect company systems:
- Businesses need to be proactive about cybersecurity. Don’t skimp or save on cybersecurity protection.
- Establish cybersecurity protocols and enforce the rules that are put in place.
- Clean up your network using sophisticated antivirus and cybersecurity monitoring software.
- All businesses should train their employees on cybersecurity and follow best practices.
- Have a centralized logging location that logs what is going on throughout the system. That way, if your security team is trying to determine a point of detection, it has everything in one place.
- Perform daily or weekly system backups to a secure offsite server. The best defense against ransomware is a robust backup system.
- Be cognizant of the legal obligations regarding evolving cybersecurity laws. You might be required to report an incident that you didn’t know you were required to report.