Is Your Cybersecurity Strategy Still Relevant?

Organizations must continually update their risk management strategy to protect against the constantly evolving world of cybercrime. Here are some of the latest cyberthreats—and ways you can fight back.

BY NATALIE ROONEY

The cybersecurity landscape is always changing: Between 2019 and 2020, ransomware attacks rose by 180 percent in North America alone, according to a 2021 report by cybersecurity firm SonicWall. The total global cost of damages from ransomware attacks is projected to exceed $20 billion in 2021, and total global cybercrime damages are predicted to soon cost the world $6 trillion annually.

For organizations and individuals, creating protections against ever-evolving, ever-multiplying, faceless criminals that can steal your identity or shut down your business remains a challenge. The meteoric rise of ransomware attacks is just one part of the rapid proliferation of cybercrime in the pandemic era, creating an environment where even recently developed cybersecurity risk management strategies may already be outdated.

Charles Seets Jr., partner and principal with EY, says the cyberthreat landscape will never stop evolving. “If we’re connected to the internet, we’re vulnerable, and threat actors know that,” he notes. “They’re operating relatively anonymously and often outside the reach of the law. It’s a complicated environment in which to defend ourselves.”

For CPAs and finance professionals, the threat is especially ominous: You hold the key to troves of very important, very private financial data. It’s therefore essential to do all you can to stay ahead of the cybercriminals for as long as possible.

Your Cybercrime Guide

The first step toward protecting yourself and your organization is understanding what you’re up against. Here’s a glossary of some of the most common cyberattacks:

Malware: This term stands for malicious software, which includes spyware, ransomware, and viruses. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or opens an email attachment that opens the door. Once inside the system, malware can block access to key components of the network (ransomware), install malware or additional harmful software, covertly obtain information by transmitting data from the hard drive (spyware), disrupt certain components, and even render the entire system inoperable.

Phishing: Sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.

Man-in-the-middle (MitM) attack: Also known as eavesdropping attacks, MitMs occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can steal data. Unsecured public Wi-Fi is a common point of entry.

Denial-of-service attack: This kind of attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to function normally. Attackers can also use multiple compromised devices to launch this attack; this is known as a distributed-denial-of-service attack.

Zero-day exploit: This attack hits after a network vulnerability is announced but before a patch or solution is implemented, targeting the disclosed vulnerability during this window of time.

“If you’re not following breaches in the news and then conducting case studies and tabletop exercises about those cybercrime strategies, you’re not getting crisis-ready,” says Jonathan Marks, CPA, CFF, CITP, CGMA, CFE, partner and firm practice leader of global forensic, compliance, and integrity services for Baker Tilly US LLP. “If the smoke is ultimately a fire, what do you do? What’s the plan and protocol? If you need remediation, who do you call? These are all keys to avoiding a business interruption.”

It Could Happen To You

One of the biggest risks in cybercrime is the common belief that it won’t happen to your organization—a mindset called “perfect place syndrome.” But from the smallest nonprofit organizations to the largest corporations, criminals aren’t discriminating.

“Our increasing dependence on networks and the growing pools of personal financial information being stored online exposes individuals to privacy violations and institutions to huge liabilities when a data breach occurs—that’s when a breach occurs, not if,” Marks emphasizes.

Smaller organizations in particular shouldn’t fall victim to perfect place syndrome and slack off on cybersecurity. “Small businesses might not be able to afford the best technology or an in-house IT team, but everyone can take certain steps and measures,” Marks says. “Outsource some of your infrastructure. Get someone to help you.”

“Experts have been saying for years that cyberattacks will increase in number and sophistication despite what we do to protect ourselves,” says Donny Shimamoto, CPA, CITP, CGMA, founder and managing director of IntrapriseTechKnowlogies LLC. “Advances in technology make it even easier for criminals. It’s going to continue to evolve.”

The only choice organizations have is to evolve faster.

The Layers Of Defense

There’s no single best cybersecurity strategy, but all organizations should shore up both their technological and human defenses. Shimamoto compares good cybersecurity strategy to an onion: multiple layers of protection that deter criminals as they encounter obstacle after obstacle. A firewall, the outermost layer, will check emails and attachments for phishing links and viruses. These days, antivirus software can actually detect if a virus is starting to encrypt files and if so, roll the virus back.

Too often, however, organizations rely solely or primarily on technological protections, incorrectly thinking a firewall and antivirus software are enough, while leaving the humans within the organization uneducated and unprepared.

One of the most critical layers to cybersecurity is training people to spot red flags. It sounds simple, and yet a survey of more than 1,000 IT professionals by automation company Ivanti revealed that 74 percent of companies have fallen prey to a phishing attack in the past year. More than one in three respondents said that a lack of technology and understanding among employees was the main cause for the increase in successful phishing attacks.

“Whether we want to admit it or not, our own employees are constantly and inadvertently opening the door to cyberthreats,” Seets says.

Even organizations that train employees on cybersecurity likely aren’t doing it frequently enough. Shimamoto notes that the rapid and constant evolution of cybercrime makes quarterly or even monthly mini-training sessions necessary to keep awareness high. After all, one of the most effective protective measures against cybercrime is not the latest technological gadget but training all employees to have good cyber hygiene.

Cyber hygiene is a term for our daily technological habits, from browsing Instagram on our phones to opening work emails in our offices. Having good cyber hygiene means following best practices for cybersecurity, paving the way for not only more secure information streams, but also a more effective response and recovery after a breach.

Good cyber hygiene practices for all organizations include:

• Knowing where critical data is stored and housed.

• Building and maintaining a secure network, including a firewall and strong password requirements.

• Encrypting data.

• Maintaining a vulnerability management program that includes regularly updating antivirus software and other types of preventive software.

• Utilizing controls to restrict data access based on roles and identification.

• Having an information and security policy that covers employees, contractors, and third parties.

• Implementing software patches and updates as soon as they’re released.

Organizations must use technological protections effectively while also keeping their employees educated on what cybercriminals’ latest schemes are. Balancing technology with the human element is the best way for organizations to keep their cybersecurity strategies relevant and effective.

Beyond IT

If Shimamoto could offer one piece of advice, it would be to think about cybersecurity as a business issue rather than just an IT responsibility. “This is really about your business, your customers, and your employees,” he says. “The impact of a cyberbreach reaches far beyond the scope of IT.”

While there may be fines and regulatory matters to address after a breach, the biggest loss at stake is trust, Seets says: “Trust is fundamental to any organization regardless of size. We need to inspire trust in our customers, regulators, insurers, and employees. If we can’t trust each other, it’s going to be more difficult to do business going forward.”

Starting now, any new services or products should have a cybersecurity risk management approach built in from the outset. “Anything a company intends to do proactively, whether that’s a new product or service, entering a new market, executing a transaction, or upgrading technology, has to incorporate cybersecurity in development and buildout,” Seets explains. “It’s difficult to bolt cybersecurity on after the fact, and threat actors will take advantage of that. Those who can infuse security at the beginning stand a better chance of executing a successful rollout.”

As cybercrime continues to mature, and criminals become bolder, everyone must chip in to protect themselves and their organizations against cybercrime, and CPAs can play a special role in the cybersecurity world.

“This isn’t just about IT risk—it’s about enterprise risk, and all of us connected to the enterprise play a part,” Seets says. “CPAs understand systems, processes, and roles. We can lean into the conversation and contribute to corporate America raising its cybersecurity game in a collective effort to defend what we’ve created.”

The fallout of COVID-19 proved that the old ways of building and measuring business value are outdated. Four experts share their insights into what’s driving organizational value for CPA firms today.

BY KASIA WHITE

After a crisis, we often look back at the way things were before and find them … well, quaint. Looking back at the ways we measured performance and value before March 2020, they seem a little outdated. Historic drivers like scope, scale, and efficiency are rapidly being replaced by new and transformative value drivers like human capital, innovation, and strategic technological upgrades.

Holding onto the old value drivers for too long could be catastrophic for CPA firms and the businesses they advise. After all, measuring yourself against an outdated metric for success means you could be failing without realizing it. Updating and upgrading the way you view value is a valuable exercise for any leader or organization.

“Times of disruption, like the COVID-19 pandemic, present critical opportunities for organizations to innovate and become more resilient,” says Carlos Leal, senior manager of business transformation and innovation at EY Canada. “Navigating unprecedented challenges requires leaders to adopt a transformative mindset and a structured approach to embracing change, refocusing efforts, and empowering people to lead boldly.”

The new way to drive value for firms and their clients includes empowering people, intelligently investing in technology, and focusing on invisible factors like innovation and intellectual capital—and it starts with a fresh look at strategy.

Building a New Strategy

While strategy isn’t exactly a new value driver, determining your organization’s post-pandemic strategy necessarily precedes developing key performance indicators (KPIs) that will help you measure your organization’s—or your clients’—success.

“Developing new KPIs should always begin with understanding the organization’s business strategy,” says Mark Frigo, Ph.D., CPA, CMA, CGMA, founder of the Center for Strategy, Execution, and Valuation in the Kellstadt Graduate School of Business at DePaul University and lead instructor in the Illinois CPA Society’s new Strategy Academy. “Without a clear, articulated strategy, KPIs can become disconnected, irrelevant, and in some cases even work against value creation. During the pandemic I recommended CPA firms conduct KPI reviews with the express purpose of achieving better alignment with long-term value drivers.”

Leal notes that EY has developed a strategic framework to help leaders navigate their post-pandemic recovery and re-strategize for their imminent business revival. “This framework was informed by the efforts of business leaders across a variety of organizations with a focus on their abilities to pivot and adapt their business models in response to the disruptions created by the pandemic,” Leal says. Here are the four steps they identified:

1. Scenario plan your post-pandemic recovery: Define a few focal questions and construct relevant scenarios, data-driven analytic goalposts, and concrete resource allocation choices. “Prepare to move with or ahead of change,” Leal says.

2. Prioritize adaptability: In line with your scenario plan, prioritize the operational and market-facing tactics available to your organization as clients and businesses slowly return to pre-pandemic habits and activity levels.

3. Execute your reinvention: Despite the importance of agility and experimentation, the ability to create and successfully execute bold transformation initiatives is still essential to value creation, particularly in a changing environment.

4. Make reinvention a core competency: Change is constant and accelerating, but organizations can and should be resilient in the face of it. “We need to embed a culture of lifelong learning to ensure our teams and organizations continue to thrive and unlock long-term growth,” Leal notes.

Once the strategic framework is built, it’s time to look at the new value drivers.

Empowering People

People’s habits and expectations have changed since the pandemic. Months upon months of remote work and modified business practices have changed both employee and client behaviors. With such new and different expectations hitting businesses from both sides, fostering long-term human connection has become perhaps the most important of the new value drivers.

“The pandemic created major disruptions in supply chains, employee engagement, and—maybe most importantly—client needs, a primary value driver for every business,” Frigo explains.

“When client needs change, organizations must move quickly to fulfill those needs before competitors do. This requires understanding how what you offer actually creates value for your clients, since developing value for the client or customer is how you drive the value of your business.”

Traditional financial value drivers such as cash flow, revenue growth, profitability, and return on investment (ROI) are still valid but Frigo stresses the need to remember that these are driven by client value creation. “Let’s not forget that employees are the primary value creators in any company—companies who treat their employees as valued clients create greater long-term value,” Frigo says.

With workers quitting in record numbers as the economy rebounds, organizations that prioritize their employees and their needs will enjoy greater value, while those who fail to take worker demands seriously will likely end up seeing their long-term value plummet.

“Talent is at the forefront of our strategic plan,” says Brian Blaha, CPA, growth partner with Wipfli LLP and a member of the Illinois CPA Society’s board of directors. “When we focus on the individual and really care about them, we are able to work to accommodate both their needs and the needs of the firm. Because of this, we see turnover rates below industry averages.”

Post-pandemic, Wipfli is embracing the hybrid work schedule, allowing employees to choose between working at home or at the office without mandating how many days they should spend in either place. Blaha notes that even so, they have seen an uptick in the number of employees returning to the office. “The future of work will be a hybrid of in-person and remote, where in-office work will be encouraged when collaboration and face-to-face relationship building is required,” he says.

CPA firms and the businesses they advise must prioritize changing client needs and shifting employee demands if they hope to build long-term value. “At Wipfli, we emphasize seeing each associate, client, and referral source as the individual they are, focusing on our collective results versus strictly our own,” Blaha explains. “We really seek to focus on each person.”

Intelligently Investing in Technology

Resource allocation is the name of the game when it comes to the second new value driver: the intelligent deployment of technology. Technology is unavoidable and expensive, and it can be a game-changing value driver or value destroyer for any organization.

“By upgrading existing technology, CPA firms can not only increase efficiency and improve productivity, but also begin serving new groups that were either not geographically available to them before or that required additional resources,” says Matt DiLiberto, BDO USA’s modern workplace practice leader. “The pandemic showed us that by investing in technology that allows auditors to do their jobs remotely—like video conferencing services and online file sharing programs—you can serve clients from afar without spending money on travel. Technological tools are only going to keep growing in scope, so CPA firms that invest now will be ahead of the curve.”

Technology can also help firms retain employees by eliminating the annoying minutiae that often lead to burnout.

“Firms should continue to evaluate existing business processes to reduce inefficiencies, eliminate scenarios where employees are doing manual tasks, identify systems that are not accessible from all devices, and enhance tools and training that support the employee experience,” DiLiberto advises.

Blaha says he has seen huge improvements in the technologies available to supplement the employee experience, from leveraging social media for recruiting to utilizing digital channels and microlearning for employee development. “We are implementing many new technologies, participating in the AICPA’s dynamic audit system, utilizing robotic process automation, and investing in our data structure and enterprise systems for marketing, sales, finance, human capital, and customer service,” he says. “Many of the enterprise systems have AI components, and we are also researching other advanced technologies, such as blockchain and augmented and virtual reality.”

“We are seeing clients in the manufacturing space express interest in augmented reality tools, which can be useful for on-site inspections to capture information that may otherwise be missed,” DiLiberto notes. “Ultimately, adopting the right technologies and tools for your firm will allow your employees to focus on more complex, strategic problems. This can help the firm save time and money by increasing efficiencies and quality control and reducing administrative overhead and turnover.”

Only by keeping a finger on the pulse of technology and making strategic choices that support both employees and clients can firms innovate and build value moving forward.

Innovating for the Future

Innovation was a buzzword long before COVID-19 hit, but the pandemic made it clear: Organizations that cannot move quickly and imaginatively to new ways of doing business will not survive in a post-pandemic world.

“My fellow CPAs should recognize that the business environment today is changing at an accelerating rate of speed, and the pace of change will continue to accelerate,” Frigo says. “Strategic risk-taking and strategic thinking are core competencies every firm needs to get better at. Look back and ask: What have I learned during the pandemic? How can those lessons drive my firm and my clients to greater value in the future—and greater resiliency when the next shock hits our economy?”

As we have seen, the firms that used the pandemic as an opportunity to learn how to move quickly and be open to experimentation saw the payoff in added business value.

“Try new things and learn to fail fast and adjust course,” Blaha exhorts.

Driving Value Now

COVID-19 spurred a great test run for innovation in a globalized world where climate change, shifting cultures and demographics, and constantly accelerating technological advances will make future disruptions increasingly common. For many firms and their clients, the pandemic shined a spotlight on the fault lines in the old ways of doing things—and the old value drivers. These three new value drivers—empowering people, using technology intelligently, and foregrounding innovation—are all interwoven and offer big lessons for both CPA firms and the business clients they advise. Starting to effectively focus on just one of these value drivers will likely soon begin to bear fruit in the other two areas.

“CPAs are equipped with the knowledge base and tools necessary to help spearhead the transformation of their own firms and their clients’ businesses,” Leal says. “As leaders with a pulse on organizations’ financial outcomes, CPAs must be part of this value transformation and provide leadership and support in projecting the different future scenarios and their implications; collaborating with functional area leaders to identify the relevant value drivers; and monitoring and regularly reporting on business performance as strategies are implemented.”

In other words, the CPAs who embrace the new value drivers will bring huge growth to the businesses they serve and also see exponential value growth at their own firms—long after March 2020 and COVID-19 are distant memories.

Kasia White is a freelance writer who specializes in profiling small businesses and leaders of global companies.
