When do most people install burglar alarms? Right after their house has been broken into, of course — in much the same way that so many of us only take Vitamin C after we’ve caught a cold, or only begin to take steps to protect our identities after they’ve been stolen.
By then, though, it’s too late.
Closing the barn door after the horse has gone may be a natural human reaction, but we’d all be far better served by being proactive, rather than reactive, by favoring prevention over the cure. There are few better examples of this than in cybersecurity, where the accounting profession has plenty of work to do on its own account — and an opportunity to benefit from everyone else’s tendency to think, “It can’t happen here.”
If news of hacks at big organizations like Target or even the Internal Revenue Service haven’t convinced you of the seriousness of cybersecurity issues, then hopefully the recent news of a malware attack on the CCH products of Wolters Kluwer, which left thousands of CPAs, accountants and tax pros without access to important tools on the eve of a major filing deadline (see “Three seconds,” page 22), will bring home the fact that everyone needs to address these issues. (If you think you’re immune because your firm is small, think again — the cost to launch these cyberattacks is negligible, and small organizations are just as likely as large ones to be targeted by ransomware, malware, phishing attacks and the like.)
And if you won’t take proactive measures for yourself, take them for your clients — and the profits your firm can make by doing so. As much as accountants need to take precautions, so do all your business clients, who can ill afford to have their data held hostage or their systems hijacked. They are subject to exactly the same risks as you, and many would gladly pay for advice on how to protect themselves.
You may argue that you’re not an IT person, or that you’re not running a technology consultancy, but the most common cybersecurity services that accountants offer look a great deal like compliance services — testing processes, policies and systems against an established framework (like the American Institute of CPAs’ cybersecurity risk management reporting framework). And with more and more states and jurisdictions mandating data privacy and breach-response requirements (think of the European Union’s recently promulgated GDPR regime, which is affecting businesses around the world), cybersecurity is becoming more and more of a regulatory compliance issue.
That’s not to say you can’t explore much more technology-intensive services — getting into penetration testing and “ethical hacking” on your clients’ behalf, for instance, or recommending or installing security software, systems and so on — but you don’t have to go that deep to help your clients.
Whatever you decide to do, you should probably do it fast. For one thing, other firms are already getting deeply involved. All of the accountants quoted in our feature on cybersecurity this month have cyber practices (see page 22), and IT and data-security services were one of the most popular niches for our 2019 Top 100 Firms, with more than 70 percent reporting growth there, and seeing it as a great way to move up to more value-added services.
For another, hackers never rest: The sooner you get busy in cybersecurity, the more of your clients you’ll be able to protect — and you’ll learn how to protect yourself at the same time. Don’t wait until it happens to you!