In 2017, Equifax reported a data breach affecting 145 million U.S. citizens, almost 44% of the country’s population. The breach compromised names, Social Security numbers, birth dates, home addresses, driver’s license numbers, and tax identification numbers. Incredibly, the company knew about the breach for five months before disclosure. During a congressional hearing investigating the breach in October 2017, the company’s former CEO Richard F. Smith attributed the incident to one employee’s failure to apply a software patch to fix a security vulnerability. The company also used the default ID and password “Admin” to access the portal used to manage credit disputes and failed to monitor its networks and systems to detect attacks. The company recently settled with the U.S. Federal Trade Commission and the Consumer Protection Bureau for $700 million. Sadly, lapses in data security like these aren’t even the hard stuff.
As U.S. Representative Greg Walden (R.-Ore.) said: “How does this happen when so much is at stake? I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.” Management accountants understand the value of their organization’s data. How can they help their organizations safeguard it from cyberattacks?
CYBERSECURITY AWARENESS CULTURE
Work with your IT department to create a cybersecurity awareness website to educate your employees about cybersecurity risks. Include your cybersecurity policy, explanations of issues, and recent press reports about cybersecurity breaches. Understanding the risk and the “wolf in sheep’s clothing” tactics used by hackers sharpens the user’s reflexes to quickly identify, react to, prevent, and shut down attacks. Time is money in the cyber war. Develop meaningful and effective training to develop cybersecurity-sophisticated employees.
Reinforce training with ongoing communication identifying current threats and how to respond. For example, University of Colorado Colorado Springs notifies its community by email when a spam or phishing email is detected and instructs users to delete the email immediately. Share strategies to identify and protect users from phishing emails such as encouraging staff to create strong and unique passwords and to immediately report suspicious emails to the IT department as well as discouraging both the sharing of passwords and the immediate providing of information upon request.
Many management accountants actively participate in their organization’s development, implementation, and monitoring of internal control using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework. Organizations must broaden internal controls to combat cybersecurity threats with cybersecurity governance. The concepts and processes to apply a cybersecurity framework build on the skills and tools learned from implementing the COSO framework. Several widely used cybersecurity governance frameworks address cybersecurity risk, including the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF version 1.1) (bit.ly/36qUxsy) and ISO 27000.
The CSF framework includes three components: the core, profiles, and implementation tiers. The core includes clear, nontechnical cybersecurity outcomes that can be easily adapted to an organization: identify, protect, detect, respond, and recover. The profiles section addresses an organization’s specific requirements, objectives, risk appetite, and resources, while the implementation tiers section addresses how the organization manages cybersecurity risks comprised of three elements: confidentiality, integrity, and availability.
ISO 27000 is a family of information security standards providing a framework for an information security management system (ISMS). The ISO 27001 standard (bit.ly/2sj0Xv0) addresses developing, implementing, establishing, operating, monitoring, maintaining, and improving an ISMS. These standards can apply to all types of organizations—businesses, government, and nonprofits. It doesn’t matter which framework you use. Pick one (or the elements of several) that best suits your organization. Appoint a cross-functional team comprised of IT, cybersecurity, and accounting and business professionals. If your organization lacks expertise, engage a consultant.
SMALL BUSINESS VULNERABILITY
According to Maria Roat, chief information officer of the U.S. Small Business Administration (SBA), the average cost of a cyberattack on a small business is $500,000. Many go out of business within six months of an attack because they can’t recover. She advises small businesses address cybersecurity risk in their business plan. At a minimum, they should know where their data is stored, prohibit password sharing, and restrict employees’ access to websites on company computers. The SBA plans to develop a standardized cybersecurity program at its small business centers around the United States.
The NIST website features a Small Business Cybersecurity Corner (bit.ly/2t0ELpV). Its resources are tailored for small businesses, including Data Breach Response: A Guide for Small Business, Recovering from a Cybersecurity Incident, FraudSupport (guidance for responding to the most common types of incidents), and Cybersecurity for Small Business: The Fundamentals, a training presentation with speaker’s notes.
CHIEF INFORMATION SECURITY OFFICER
Organizations must actively manage cybersecurity risks and threats. Protecting an organization is a shared responsibility starting with the board of directors and permeating throughout the organization. If a breach occurs, the organization must be held accountable. Remember, cybersecurity risk isn’t just an IT department risk; every officer, manager, business partner, and employee owns the risk. Consider creating an office of the chief information security officer (CISO). Led by the CISO, a senior C-suite executive responsible for IT security ranging from cybersecurity risk identification to leading the response to a data breach, the office should include liaisons from IT, accounting and finance, operations, marketing, and sales.
Your organization’s data is a priceless asset. Failure to protect it jeopardizes competitive position, reputation, and operational sustainability. As Richard Clarke, former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the U.S., said, “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” Act today to safeguard your organization from cybersecurity risk.
The opinions included are those of the author and not necessarily those of the U.S. Air Force Academy, the U.S. Air Force, or any other federal agency.