November 8, 2017

Globe and Mail: How to tackle ‘the thorny issue’ of cybersecurity

Manjit Bagri, CPA, CGA, is vice-president of financial planning and analysis at Toronto-based Herjavec Group Inc., a global cybersecurity services firm.

What is the downside of digitization in terms of cybersecurity?

A recent Gartner report indicates we are connecting 5.5 million new devices to the Internet each and every day. This connectivity increases productivity, provides real-time data instantly and efficiently, and ultimately improves the bottom line. But it also entails risk.

With the rise of Internet-connected smart devices that can send and receive data and the anonymous nature of online activity, security threats associated with the Internet of Things [IoT] will continue to grow in corporate environments. According to a Cybersecurity Ventures report, costs associated with cybercrime are expected to increase to $6-trillion (U.S.) by 2021.

What form can cyberattacks take?

There has been a rise in ransomware, where data is held ransom until some form of cryptocurrency is paid out. Other attacks take the form of “phishing” e-mails from credible sources aimed at collecting sensitive information.

What kind of impact can cyberattacks have on organizations?

In the last few years, we’ve seen multiple data breaches with far-reaching consequences for the organizations involved. When Target was breached, hackers stole data from up to 40 million individual customers’ credit and debit cards. And during a 2014 Sony attack, a group of cybercriminals took over the corporate network and leaked e-mails and files of unreleased films. More recently, the Equifax breach affected millions of people – putting their sensitive personal information in the hands of wrongdoers.

These attacks affect people’s trust in an organization and can even have a direct effect on stock prices. Recently, CEOs and CIOs are also increasingly being held responsible for data breaches and are being terminated as a result. In future, we can expect to see more legislative requirements that hold senior executives personally liable.

How can I protect my organization from cyberattacks?

Begin by educating employees through blogs, training and lunch-and-learns. Most organizations are aware of the need to have a safe and secure infrastructure, but that message should be relayed across the board as employees are one of the weakest links in the cybersecurity chain. Simple fixes such as two-factor verification and implementing access controls for key data can also reduce risk.

Companies also need to purchase or allocate a budget for the security tools and products needed to protect the organization, and that includes having a team or a cybersecurity services provider to monitor infrastructure 24/7 for unusual activity. Hackers don’t just work 9 to 5. It can happen any time.

Do you think that a lot of smaller companies believe they’ll be spared from cyberattacks?

Small-business owners often believe their companies are too insignificant to catch the eye of hackers, but they are not immune to data breaches. In fact, hackers sometimes specifically target them because they are more vulnerable.

What role can Chartered Professional Accountants play in ensuring their companies are protected?

Cybersecurity is not just an information technology [IT] concern, it’s a business issue and one that affects all departments. Given that CPAs have a moral obligation to secure our organizations’ financial data, we need to have a seat at the table when it comes to assessing and mitigating cybersecurity risks.

CPAs also bring plenty of skills to bear on the thorny issue of cybersecurity. First, we can push for a budget for cybersecurity by working with IT departments to assess the potential costs to our organizations of failing to prevent, detect and respond to cybersecurity threats. Second, with our knowledge of analytics, we can help identify problem areas and weigh in on the costs and benefits of cybersecurity investments. Finally, if an organization’s data does somehow get leaked, CPAs are well qualified to come up with a mitigation plan.

Originally posted on theglobeandmail.com