Accountants need to be at the forefront of cybersecurity to safeguard the sensitive personal and corporate financial information they handle, according to a new report.
ACCA USA, the U.S. arm of the Association of Chartered Certified Accountants, and Pace University issued a
The report was issued at the third annual cybercrime summit hosted by Pace and ACCA USA in New York. The event, “Cybercrime in the World Today 2015: Emerging Threats,” brought together business and law enforcement professionals, academics, students, and members of the public to discuss data breaches, hacking attacks, cloud-based security measures, and state-of-the-art risk management measures.
The new report—based on surveys of ACCA professionals, including CFOs, managing directors, senior vice presidents and practicing accountants—pointed to weak communication between line managers and senior managers about attacks and attempted attacks. Fundamental risk management cybersecurity practices need to be applied more consistently throughout some firms, the report suggested.
“For accountants, measures must be taken to ensure that the sensitive personal and corporate financial information they handle is safe: accountants need to be at the forefront of cybersecurity,” said the report’s author, Dr. Jonathan Hill, interim dean at Pace’s Seidenberg School of Computer Science and Information Systems. “This is particularly true today, as clients and consumers are more aware than ever of the cyber vulnerability of all businesses.”
He noted that expediency is driving people not to be as safe as they might be, ignoring the possibility that hackers are trying to access their information through open Wi-Fi networks and other means.
“Nobody takes this more seriously than financial professionals because they are trusted with this information,” said Hill. “We’re at a point now with these huge break-ins that are so prevalent in the media. Barely a day goes by when we don’t learn of a Fortune 500 company or a government agency that has had some type of cyber break-in. State legislatures, for example, are driven to find someone to hold accountable, and they’re looking at those very same financial professionals.”
In the survey, ACCA members were asked about company policies and personal practices regarding cybersecurity, along with how evidence of cyberattacks is communicated within firms. The findings highlighted a number of weaknesses. Nearly 50 percent of the respondents indicated it was somewhat or very likely that consultants would be hired after a breach. Nearly 70 percent said they had a high or very high level of awareness of their company’s cyber risk management policies and procedures.
In addition, 57 percent said their IT systems were well-protected against cyber threats, while 32 percent of the respondents said they had no knowledge of company policy on data encryption in transit or in storage.
Auditors are more concerned about cybercrime now than a year ago (58 percent for auditors compared with 48 percent for accountants). Only 27 percent of accountants felt their firms adhered to Control Objectives for Information and Related Technologies (COBIT 5) standards, whereas 43 percent of auditors believed their firms followed the standards.
“This survey generated data that is reflective of a profession that is adapting to a serious external attack on its processes and systems,” said Warner Johnston, head of ACCA USA. “The responses and needs of the main stakeholder groups—the financial profession, the IT profession and concerned government regulatory and law enforcement bodies—are evolving in response to progressing, ever more sophisticated threats.”
He noted that cybercrime is an issue of real concern to ACCA members around the world. “My hope is that by shedding light on this ever-increasing criminal scourge, we can contribute to the dialogue as our government leaders and business industries strive to implement stronger controls and improve our security,” said Johnston.
The report pointed to several contradictions between the realities of day-to-day practice and the theory of cybersecurity best practices: “It is crucial that companies—and, especially, individual employees—begin to follow these practices.”
The survey indicated slight, but not insignificant differences in perception between practitioners in different parts of the world—differences centering around the perceived severity of the cybercrime threat and the security of the IT systems with which practitioners work.
Speakers at the symposium discussed some of the technologies, methods and origins behind threats to cybersecurity during a panel discussion moderated by Annika Pergament, anchor and reporter at Time Warner Cable’s New York 1 News.
In addition to Dr. Hill, the panelists included Col. Timothy Lunderman, National Guard Bureau advisor to the commander of U.S. Cyber Command and National Guard Bureau Cyber Division lead; Emily Mossburg, a principal in cyber risk services and resilient practice leader at Deloitte Advisory; and Lt. Col. (Ret.) David Halla, director of operations for the Electricity Sector Information Sharing and Analysis Center.
Lunderman compared cybersecurity weaknesses to the improvised explosive devices he encountered while in Iraq, and warned that funds from cybercrime are helping fuel the activities of terrorist groups like ISIS.
Mossburg discussed how Deloitte is helping clients find security weaknesses and advised companies to go through simulations of cyberattacks to discover vulnerabilities. “It’s not necessarily if you’re going to be attacked or have a cyber-incident, it’s when,” she said. “In many cases, the most important thing you can do is be prepared for that event.”
She is seeing a shift in the role of the information security officer toward becoming more risk-based. Mossburg advises clients to do more people training to help their employees protect their companies from cyberattacks. Deloitte also does on-site security assessments of clients’ third-party vendors to ensure they are following effective practices for protecting their computer systems.
Halla talked about his work in protecting the nation’s electricity infrastructure from cyberattacks. He recommended ensuring that all computer systems be updated with the latest software patches for known security vulnerabilities, since hackers typically exploit those first. He also advised against revealing too much information on social media. “We teach kids not to talk to strangers, but we embrace it in the cyber world,” he noted.