When news broke a few years ago that roughly 143 million people could have been affected by a breach at the credit reporting agency Equifax, it was just the latest report of a major data breach. As concerns about cybersecurity mount, CPAs are well placed to help strengthen cybersecurity risk management programs, whether within their own firms or organizations or for a client. Specifically, there are three ways that CPAs can use their skills and resources to help guard against cyberattacks.
1. Keep Your Organization on Course
What is the critical first step? Recognizing the threat in the first place. In a recent cybersecurity risk survey conducted by the Association of International Certified Professional Accountants (the Association), an alarming 49% of respondents reported that their organizations had experienced a cyberattack within the previous two years.
That means neither firms nor their clients can afford to neglect cybersecurity. Any business may be the target of cyber threats, and CPA firms in particular. For CPA firms, the danger is heightened by the large amounts of confidential client and employee data they hold, spread across laptops, servers and email, all of which are frequent targets of attack. To address the problem, experts recommend training staff, maintaining and keeping your firewall up to date, staying current on new threats and the solutions to them, and emphasizing the importance of security when working remotely.
2. Start Client Conversations
Not every CPA firm is equipped to tackle clients’ cybersecurity concerns, but it is still important to broach the topic. With businesses of all sizes facing rising cybersecurity risks, you can help clients identify and understand those risks. Ask what protections they have in place, what staff training programs they run, what privacy and security policies and incident response plans they maintain, and what other controls they rely on to reduce risk or to manage the aftermath of a security incident. Connect clients to experts who can help them build an effective cybersecurity risk management program. Even if you cannot solve cybersecurity challenges outright, demonstrating concern for the wellbeing of their business will strengthen client relationships. The American Institute of CPAs’ (AICPA) Private Companies Practice Section (PCPS) Building a Cybersecurity Practice Toolkit can help you begin those critical discussions.
3. Help Clients Navigate Threats
Results of the AICPA's cybersecurity survey indicate that nearly 45% of respondents have sought third-party assistance with cybersecurity risk management for their organizations. Firms that specialize in information technology may be well equipped to step in with advisory services that help companies spot security weaknesses, identify potential risks and decide how to safeguard their information and systems. According to the Service Opportunity Grid in the PCPS Building a Cybersecurity Practice Toolkit, engagements that CPAs can perform include:
Assessment services, which evaluate how well an organization’s practices map to a given framework.
Security consulting, which encompasses a range of engagements, such as technical vulnerability assessments, attack and penetration testing, and disaster recovery plan consulting.
CPAs providing these services, and their clients, may find the AICPA’s cybersecurity risk management reporting framework helpful. For example, the description criteria developed as part of the framework give organizations a common language for developing and describing their cybersecurity risk management programs, and give practitioners a consistent basis for evaluating those descriptions.
Stay One Step Ahead
The rise in cybersecurity threats can seem daunting, but CPAs have valuable help to offer. To get started, turn to the tools and information in the Cybersecurity Resource Center, which can help you keep your organization and your clients one step ahead of the next cybersecurity threat.