CPA Practice Advisor - 19

FEATURE

IN THE WORLD of accounting and finance, it's not if we will reconcile accounts, it's when
we will reconcile accounts. Likewise, it's not if we will experience a cyber attack, it's
when we will experience a cyber attack. It's bound to happen. As accountants, one of
our key responsibilities is to highlight business risks. Because cyber-based systems and
activities are here to stay, our understanding of cyber risk implications to the business
is paramount. Below we outline essential measures for the accounting and finance
community to adopt to protect against and recover from cyber attacks.

* Gain a strong cultural understanding of the cyber threat landscape as
it blends with business operations.
In addition, maintain awareness of
current events and the implications
to business and the assurance
provided to clients and customers.
This knowledge will help identify
and prioritize potential risks and
remedies to inform the development
of a risk response that also reflects
the risk appetite of the business.
Implementing relevant protective
measures should help secure
the business, but not hinder or
obstruct it. Continued awareness
and knowledge gathering are critical
to the ongoing strengthening of an
organization's security posture.
* Educate ourselves and our team
members on risks and threats.
Human error and negligence are
the most common reasons viruses
and hackers enter an environment.
Complacency cannot exist. The
more employees are aware that a
cyber attack is not 100% avoidable,
the more cautious they can be when
working with data, whether from
the office, from their home or the
local coffee shop. Ownership of a
security practice as custodianship of
data should be discussed to increase
that vigilance. Employees often have
a lower level of awareness when
working remotely due to distractions
and environments not experienced in
the office. Cyberattacks can place a
business at risk of closing, especially
if the organization does not have a
response plan and cannot recover.
Therefore, employees' jobs are placed
at risk as well.
* Enforce a review process (whether
formal, automated, or manual) for
any critical financial changes. When
parties request an urgent ACH,
account change, etc. that modifies
an established process of financial
activity, a verification process should
be completed to validate the change/
request. This acts as an added level
of security should a false request slip
by other means of protection.
* Develop, implement, and regularly
improve upon an incident response
plan, which is a playbook for when
a security incident occurs. These
actions will help to limit exposure
and ensure timely recovery from a
data breach. Processes must include
the roles and responsibilities, and
immediate steps for communicating
to all potential stakeholders during a
breach. Therefore, the list of potential
stakeholders must be kept current.
* Restrict user access. Advanced
permissions within networks,
systems and buildings can prevent
or enable access based on role, level
of permissions, time, and/or status.
Organizations may not be fully
leveraging all permission settings
that will provide heightened security.
Connect with system vendors, IT
teams, and facilities management
to understand the options available
and whether best-in-breed capabilities are
enabled.
* Prioritize assets. Identify and map
the data that is most sensitive or
critical and that requires the greatest
protection according to the impact
if compromised, or any mandates.
Safety and recovery measures should
be tailored for these assets.
* Assess systems and data classification levels. These systems include
those on-prem, those hosted by others, and
vendors' systems. System owners
are responsible for ensuring patches
and upgrades are completed in a
timely manner according to patch
criticality. Scanning and monitoring
should be regularly performed to
identify vulnerabilities. Firewall
security configurations should be
continuously reviewed, updated
and adjusted on a regular basis.
The landscape of systems includes
printers, scanners, telephony, and
those that traditionally support
business processes (e.g., ERP, CPM,
CRM, ATS).
* Move to the cloud. Cloud systems are
continuously updated to address and
correct security issues. Modernizing
systems increases the 'hardening'
of architecture. Budgeting for cloud
migration should include security
such as a Cloud Access Security Broker (CASB) for heightened protection
appropriate for cloud environments
and specific business operations.
This is especially important if a cloud
provider does not offer one as an
add-on service. In addition, consider
outsourcing certain cybersecurity
aspects, such as monitoring, to allow
more focus on business growth. 24/7
monitoring by a Managed Security
Service Provider (MSSP) is almost a
must for businesses that do not have
their own Security Operations Center
(SOC). Additional services may also
include data redaction in platforms
where sensitive information is not
necessary for processing.
* Enforce a password strength policy.
Use Multi-Factor Authentication
(MFA) anywhere it is available. The
best policies require passwords
(combination of letters, numbers,
and special characters) different than
those used by employees for their
personal accounts and, furthermore,
encourage the use of a company-approved
password manager tool for
each employee.

Ultimately, we need to stay vigilant about the potential cyber threats to
our business and the training, technology and best-in-class processes
that are available to heighten our
ability to safeguard information and
our business' operations. Whether
we own a company or work within
an organization, we, as finance
and accounting professionals, are
in a strong position to question
the practices and systems used by
our internal and external security
experts to protect our business. ■

Pete Schile is the Managing Director of
the Global Cybersecurity Professional
Services practice at MorganFranklin.
Schile has 25 years of experience in technology and cybersecurity, and has been
with Vaco, and now MorganFranklin,
since 2012.

DECEMBER 2020
www.CPAPracticeAdvisor.com

