Why Cybersecurity Matters to Accountants


Page 1

Why Cybersecurity Matters to Accountants

Cybersecurity and Accountants. Understand why Cybersecurity is a Concern in Today’s Society. What are the threats.

Page 2

Barry Melancon | AICPA President & CEO

“If we think about systems broadly and the information that businesses produce, that information footprint is very big, and financial statements are just a piece of that…”

“If we can think about the totality of that system environment, and all the assurance needs in there, we can move into a position where we can serve the needs of more and more users of that information.”

- December 2019

Page 3

AICPA | Cybersecurity Resource Center


Page 8

Homeland Security

Page 9

Going Concern

Definition
• An accounting term for a company that has the resources needed to continue operating indefinitely until it provides evidence to the contrary. Refers to a company's ability to make enough money to stay afloat or avoid bankruptcy.
• How does cybersecurity play a role in this?

Page 10

Understand why Cybersecurity is a Concern in Today’s Society

What are the threats

Page 11

Technology is Changing

• Business Intelligence
• Robotic Process Automation (RPA)
• Artificial Intelligence
• Blockchain
• Digital Wallets

Page 12

LET’S THRIVE TOGETHER

Cybersecurity is a people problem, not a technology problem.

Page 13

Human Factor (Error)

According to the research, 99% of cyberattacks now rely on a person taking an action - clicking a link, opening an attachment, falling for a scam.

The instincts of curiosity and trust lead well-intentioned people to click, download, install, open, and send money or data.

Instead of attacking systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to ‘click here’.

- Proofpoint

Page 14

IT Security Awareness Culture

- Governance’s Role – Crucial for Buy-in
- EVERYONE is responsible for IT Security Controls
- Everything (and everyone) is vulnerable
- Mobile devices and mobile apps are a primary threat vector in today’s environment

Page 15

Threat Actions

• Phishing Emails – attempts to deceive personnel into divulging information or clicking malicious links; the targeted, payment-focused form is Business Email Compromise (BEC)
  • Not just emails - Phone Calls, Text Messages, etc.
• Keylogging Viruses – malware that records every keystroke on a computer, which captures passwords and banking details as they are typed
• Ransomware – encrypts servers and data, locking the business out, and demands money for release

Page 16

Threat Actions

• Denial of Service (DoS) – attempts to overwhelm services and interrupt business
• Insider Threats – attempts to steal valuable information from within the company (financial information, product or service information, etc.)
  • employees, former employees, contractors, or anyone else that may have access inside of your firewall, antivirus, and endpoint protection

Page 17

FBI | IC3

Page 18

FBI | IC3 Website

• Business Email Compromise (BEC) Stats – for 2019
  • 23,700+ Cases
  • $1.7 Billion lost (3x as much as next scheme)
  • Uptick in Payroll diversion schemes
    • email appearing to be from an employee requesting to update their direct deposit
    • new direct deposit information generally routes to a pre-paid card account
    • the control: verify any direct-deposit change request out of band (call the employee at a number already on file, never one supplied in the email) before changing bank details
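The payroll-diversion pattern above can be checked mechanically before anyone acts on a request. The following is an added example in Python (not code from the presentation or from the FBI/IC3): it parses a constructed email and flags the indicators the slide describes, namely a message that appears to come from an employee, asks for a banking change, presses for speed, and routes replies somewhere other than the apparent sender. The company domain, the employee directory, the keyword lists and the sample message are all assumptions for illustration.

```python
"""Flag Business Email Compromise (BEC) indicators in a raw email.

Added example, not from the original presentation. The message below is
constructed for illustration; the names, addresses and domains in it are
hypothetical.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: display name of a real employee, but the actual
# address is on a look-alike domain and Reply-To goes somewhere else again.
SAMPLE_EMAIL = b"""From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: payroll.update@gmail-mailer.example
To: payroll@example-corp.com
Subject: Direct deposit update
Date: Mon, 02 Mar 2020 08:15:00 -0600

Hi, can you update my direct deposit to the new account before Friday's
payroll? I am traveling so please just reply here. Thanks, Jane
"""

COMPANY_DOMAIN = "example-corp.com"                              # assumed
EMPLOYEE_DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}   # constructed

PAYROLL_KEYWORDS = ("direct deposit", "payroll", "bank account", "routing")
URGENCY_KEYWORDS = ("before friday", "urgent", "right away", "asap", "traveling")


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    text = msg.get("Subject", "").lower() + " " + body

    findings = []
    from_dom = _domain(from_addr)
    if from_dom != COMPANY_DOMAIN:
        findings.append(f"sender domain {from_dom!r} is not {COMPANY_DOMAIN!r}")
    known = EMPLOYEE_DIRECTORY.get(from_name.lower())
    if known and known != from_addr.lower():
        findings.append(f"display name {from_name!r} matches an employee but the address differs")
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)!r} differs from the sender domain")
    if any(k in text for k in PAYROLL_KEYWORDS):
        findings.append("requests a payroll/banking change")
    if any(k in text for k in URGENCY_KEYWORDS):
        findings.append("uses urgency or unavailability to discourage verification")
    return findings


def is_suspicious(raw):
    """Policy: a banking-change request combined with any identity mismatch is
    escalated for out-of-band verification (a call to a number already on file)."""
    found = bec_indicators(raw)
    asks_for_change = any("payroll" in f for f in found)
    identity_mismatch = any("domain" in f or "address differs" in f for f in found)
    return asks_for_change and identity_mismatch


if __name__ == "__main__":
    for line in bec_indicators(SAMPLE_EMAIL):
        print("-", line)
    print("escalate:", is_suspicious(SAMPLE_EMAIL))
```

The check is deliberately conservative: a banking change alone is normal payroll business, and a look-alike domain alone may be a typo, but the two together are the payroll-diversion pattern and should never be actioned from the email thread itself.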

Page 19

Phishing Attempt – Phone Call

Page 20

Ransomware

Threats
• Often begins with a phishing email
• Triggered by clicking a link or opening an attachment
• Encrypts files across servers and shared data, locking the business out until a ransom is paid

Preventative/Corrective Controls
• Daily backups, with at least one copy kept offline or otherwise unreachable from the network, so the backups are not encrypted along with the data
• Log review for unusual activity (a single account renaming or rewriting large numbers of files within minutes is the typical signature)
• No local admin rights, which limits what a malicious executable can do; pair this with application whitelisting so unapproved .exe files cannot run at all
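Log review for unusual activity is only useful once "unusual" is defined. The following added example (not part of the presentation) shows one such rule in Python over a constructed file-server audit log: a user who renames or rewrites many distinct files within a minute, most of them to an extension the environment has never used, is flagged. The log format, users, paths, thresholds and the extension baseline are all assumptions for illustration.

```python
"""Detect a ransomware-style burst of file modifications in an audit log.

Added example, not from the original presentation. The log lines below are
constructed to resemble a generic file-access audit trail
(timestamp, user, action, path); format, users and paths are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime
import os

SAMPLE_LOG = """\
2020-03-02T09:00:01 alice WRITE  /shares/finance/Q1-close.xlsx
2020-03-02T09:00:07 alice WRITE  /shares/finance/AP-aging.xlsx
2020-03-02T09:14:40 bob   RENAME /shares/hr/benefits.docx -> /shares/hr/benefits.docx.locked
2020-03-02T09:14:40 bob   RENAME /shares/hr/handbook.pdf -> /shares/hr/handbook.pdf.locked
2020-03-02T09:14:41 bob   RENAME /shares/hr/payroll-2019.xlsx -> /shares/hr/payroll-2019.xlsx.locked
2020-03-02T09:14:41 bob   RENAME /shares/hr/w2-batch.csv -> /shares/hr/w2-batch.csv.locked
2020-03-02T09:14:42 bob   RENAME /shares/hr/org-chart.pptx -> /shares/hr/org-chart.pptx.locked
2020-03-02T09:14:42 bob   WRITE  /shares/hr/README_TO_DECRYPT.txt
2020-03-02T09:30:00 alice RENAME /shares/finance/draft.xlsx -> /shares/finance/final.xlsx
"""

WINDOW_SECONDS = 60   # assumed sliding window
THRESHOLD = 5         # assumed: distinct files touched inside the window
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".csv", ".pptx", ".txt"}  # assumed baseline


def parse_line(line):
    """Return (timestamp, user, action, old_path, new_path) for one log line."""
    parts = line.split(maxsplit=3)
    ts = datetime.fromisoformat(parts[0])
    user, action, rest = parts[1], parts[2], parts[3]
    if action == "RENAME":
        old, new = [p.strip() for p in rest.split("->", 1)]
    else:
        old = new = rest.strip()
    return ts, user, action, old, new


def detect_bursts(log_text):
    """Return {user: [alert, ...]} for users whose activity looks like mass encryption."""
    windows = defaultdict(deque)   # user -> deque of (ts, path, extension_unknown)
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, _old, new = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue
        unknown_ext = os.path.splitext(new)[1].lower() not in KNOWN_EXTENSIONS
        q = windows[user]
        q.append((ts, new, unknown_ext))
        # Drop events that have aged out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        distinct = {path for _, path, _ in q}
        unknown = sum(1 for _, _, u in q if u)
        # Many distinct files, most taking on an extension nobody uses: alert.
        if len(distinct) >= THRESHOLD and unknown / len(q) >= 0.5:
            alerts[user].append(
                f"{ts.isoformat()}: {len(distinct)} files in {WINDOW_SECONDS}s, "
                f"{unknown} with unrecognized extension"
            )
            q.clear()   # report each burst once
    return dict(alerts)


if __name__ == "__main__":
    for user, messages in detect_bursts(SAMPLE_LOG).items():
        for m in messages:
            print(user, m)
```

Alice's normal editing never trips the rule because her writes are spread out and keep known extensions; Bob's five renames to `.locked` inside two seconds do. In practice the baseline of known extensions should be learned from the environment's own history rather than hard-coded.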

Page 21

IT Security Event vs Incident

Security Event: An identifiable occurrence that could theoretically be relevant to information security.

Security Incident: An event that is a viable risk or that causes damage such as lost data or operational disruptions.
Page 22

Breach Notification Laws

- All 50 states have them
- Apply to residents of that state, regardless of where the breached company is located, so one breach can trigger the notification laws of several states
- Contain common items
  - Security measures that should be in place
  - Fines for non-compliance related to a breach
- Expanding to Privacy Laws - CCPA
Page 23

Understanding Data Security and Applying Information Technology General Controls (ITGCs)

How to Combat the Threats

Page 24

Tenet of Cybersecurity

• An entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity’s cyber security controls.
• Understanding this tenet is essential to dispelling user misconceptions that an effective cyber security risk management program will prevent all security events from occurring.

Page 25

Tenet of Cybersecurity

• Because of inherent limitations in a cyber security risk management program, an entity may achieve reasonable, but not absolute, assurance that security events are prevented and, for those not prevented, that they are detected, responded to, mitigated against, and recovered from on a timely basis.
• An effective cyber security risk management program is one that enables the entity to detect security events on a timely basis and to respond to and recover from such events with minimal disruption to the entity's operations.

Page 26

GAAS Requirements

Under AU 314 (carried forward as AU-C 315 in the clarified auditing standards), we are required to obtain an understanding of the entity and its controls to assess risk.

• An understanding of IT is required to understand related IT controls and to assess related IT risks (AU 314, paras. 81 - 87).
• Ineffective ITGCs by themselves do not cause misstatements; however, they may permit application controls to operate improperly (AU 314, para. 94).

Page 27

IT General Control Review Areas

1. STRUCTURE AND STRATEGY
Evaluate if reasonable controls over the Company’s Information Technology structure are in place to determine if the IT Department is organized to properly meet the Company’s business objectives.

2. CHANGE MANAGEMENT
Evaluate if reasonable controls are in place over change management relative to the operating systems and network environment to determine if standard maintenance changes (e.g. patches, fixes, upgrades, etc.) are identified, approved, and tested prior to installation.
Page 28

IT General Control Review Areas

3. VENDOR MANAGEMENT
Evaluate if reasonable controls are in place over third‐party services to determine if third‐party services are secure, accurate and available, support processing integrity, and are defined in performance contracts.

4. SYSTEM & APPLICATION SECURITY
Evaluate if reasonable controls are in place over system security, both logical and physical, to determine if software applications and the general network environment are reasonably secured to prevent unauthorized access and appropriate environmental controls are in place.
Page 29

IT General Control Review Areas

5. INCIDENT MANAGEMENT
Evaluate if reasonable controls are in place over incident management to record, investigate, and resolve any user or system incidents, and whether management monitoring of system incidents exists.

6. DATA MANAGEMENT
Evaluate if reasonable controls are in place over the data management and storage process (backups and disaster recovery) and whether they are being tested on a regular basis.
Page 30

Common Deficiencies

• Terminated employees still active in systems and the network
• Lack of Security Awareness Training / Education
• Lack of critical application and vendor lists
  • no knowledge of vulnerabilities
• Lack of vendor management program and no vendor risk assessments
• Lack of ongoing vulnerability monitoring - external penetration testing and internal vulnerability scanning

Page 31

Common Deficiencies

• Shared and/or generic administrator accounts without monitoring
• Weak system password parameters
  • No timeout
  • Not changed often
  • Not complex
• Lack of use of Multi-Factor Authentication for Logins
• Lack of data backup testing
• Lack of portable device policy and security

On password parameters, note that current NIST guidance (SP 800-63B) favors longer passwords screened against lists of known-breached passwords, plus MFA, over mandatory periodic changes and composition rules, because forced rotation tends to produce predictable variants. A lockout or rate limit on failed logins remains essential either way, since it is what bounds online guessing.
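Two of the deficiencies on these two slides, terminated employees still active and unmonitored shared or generic administrator accounts, can be found by reconciling the HR roster against a directory export. The following added example (not part of the presentation) does that in Python over constructed CSV extracts; the column names, the admin group names and every record are assumptions for illustration.

```python
"""Reconcile an HR termination list against a directory export.

Added example, not from the original presentation. The CSV data below is
constructed and the column and group names are assumed. Three findings are
produced: terminated employees whose account is still enabled, enabled
accounts with no HR record (orphan or generic), and generic accounts that
hold administrator rights.
"""
import csv
import io
from datetime import date

HR_ROSTER = """\
employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2020-01-31
1003,Carol Example,terminated,2019-11-15
1004,Dan Example,active,
"""

DIRECTORY_EXPORT = """\
username,employee_id,enabled,last_logon,member_of
aexample,1001,true,2020-03-01,Finance
bexample,1002,true,2020-02-20,Finance;Domain Admins
cexample,1003,false,2019-11-14,HR
dexample,1004,true,2020-03-02,IT
svc_backup,,true,2020-03-02,Domain Admins
admin2,,true,2020-02-28,Domain Admins
"""

ADMIN_GROUPS = {"Domain Admins", "Administrators"}   # assumed group names


def load(csv_text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_csv, dir_csv, as_of):
    """Return {finding_type: [...]} for every enabled account that needs attention."""
    hr = {row["employee_id"]: row for row in load(hr_csv)}
    findings = {"terminated_still_enabled": [], "no_hr_record": [], "generic_admin": []}
    for acct in load(dir_csv):
        if acct["enabled"].lower() != "true":
            continue                       # disabled accounts are what we want to see
        groups = set(filter(None, acct["member_of"].split(";")))
        emp = hr.get(acct["employee_id"])
        if emp is None:
            # No person behind the account: orphan or shared/generic login.
            findings["no_hr_record"].append(acct["username"])
            if groups & ADMIN_GROUPS:
                findings["generic_admin"].append(acct["username"])
        elif emp["status"] == "terminated":
            term = date.fromisoformat(emp["termination_date"])
            if term <= as_of:
                last = acct["last_logon"]
                # ISO dates compare correctly as strings.
                note = "logged on after termination" if last > str(term) else ""
                findings["terminated_still_enabled"].append(
                    (acct["username"], str(term), last, note)
                )
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, DIRECTORY_EXPORT, date(2020, 3, 2)).items():
        print(kind, items)
```

Run against real extracts, the "logged on after termination" note is the item to chase first: it is evidence of use, not merely of a missed deprovisioning step. Generic admin accounts that cannot be tied to a person should be either removed or tied to a named owner and logged.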

Page 32

Passwords

Page 33

Password Attacks – Brute Force
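Weak password parameters and brute force are two sides of one calculation. The following added example (not part of the presentation) estimates in Python how long guessing takes for three password policies, once against a login form that locks out after a few failures and once against a stolen password hash. The guess rates, the lockout policy and the three policies are assumptions for illustration, not measurements.

```python
"""Estimate brute-force effort under different password parameters.

Added example, not from the original presentation. Two attacker settings:
  * online guessing against a login form, bounded by the verifier's
    lockout policy (assumed: 5 attempts, then a 15-minute lockout);
  * offline guessing against a stolen hash, bounded only by hashing speed
    (assumed: 1e10 guesses/s for a fast unsalted hash, 1e4/s for a slow one).
"""
import math
import string

SETS = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "symbols": len(string.punctuation),     # 32
}


def keyspace(length, classes):
    """Number of passwords of exactly `length` characters drawn from `classes`."""
    alphabet = sum(SETS[c] for c in classes)
    return alphabet ** length


def online_attack_seconds(space, attempts_per_lockout, lockout_seconds):
    """Expected time when every `attempts_per_lockout` failures cost
    `lockout_seconds`; on average half the keyspace must be tried."""
    return (space / 2) / attempts_per_lockout * lockout_seconds


def offline_attack_seconds(space, hashes_per_second):
    """Expected time with direct access to the password hash."""
    return (space / 2) / hashes_per_second


def human(seconds):
    """Render seconds in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(policies, lockout=(5, 900), fast_hash=1e10, slow_hash=1e4):
    """Return {name: (keyspace, online_s, offline_fast_s, offline_slow_s)}."""
    out = {}
    for name, (length, classes) in policies.items():
        space = keyspace(length, classes)
        out[name] = (
            space,
            online_attack_seconds(space, *lockout),
            offline_attack_seconds(space, fast_hash),   # e.g. unsalted MD5/NTLM on GPUs
            offline_attack_seconds(space, slow_hash),   # e.g. bcrypt/PBKDF2 at high cost
        )
    return out


POLICIES = {   # assumed policies for comparison
    "weak: 8 lowercase":        (8, ["lower"]),
    "complex: 8 mixed+symbols": (8, ["lower", "upper", "digits", "symbols"]),
    "long: 16 lowercase":       (16, ["lower"]),
}

if __name__ == "__main__":
    for name, (space, online, fast, slow) in compare(POLICIES).items():
        print(f"{name:26s} keyspace=2^{math.log2(space):.0f}  "
              f"online={human(online)}  offline(fast hash)={human(fast)}  "
              f"offline(slow hash)={human(slow)}")
```

The numbers make the point of the two deficiency slides: with a lockout in place, even an eight-character lowercase password is impractical to guess online, but once the hash is stolen and was stored with a fast algorithm the same password falls in about ten seconds, while sixteen lowercase characters stay out of reach. Length, a slow password hash and a lockout policy do more than composition rules.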

Page 34

Risk Assessment and Risk Management (Internal Risks)

Page 35

Risk Assessment

Enterprise risk management enables management to effectively deal with uncertainty and associated risk by:
- Aligning risk appetite and strategy
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Identifying and managing multiple and cross-enterprise risks
- Improving deployment of capital

Page 36

Risk Assessment - continued

Columns: # | Responsibility | Risk / Threat | Risk Type (R=Reputational, O=Operational, L=Legal, S=Strategic) | Likelihood of Occurrence (1=Low, 5=High) | Potential Damage to the Company (1=Minimal, 5=Major) | Control Objective Reference | Internal Controls, Policies, and Procedures (Key Controls)

1 | Information Technology | Sensitive data is transmitted unencrypted. | R, L | Likelihood 3 | Damage 4 | CO 7
● ShareFile, a secured site, is used to receive and transmit client data.
● Security measures are in place to encrypt client and participant information transmitted via email (i.e., ShareFile Outlook add-on utility).
● Personnel are trained to never send participant information via email.
● The Employee Handbook prohibits the transmittal of sensitive data via an unsecured method.

2 | Information Technology | Loss of portable media containing sensitive data or unauthorized access to systems utilizing lost or stolen laptops or portable media. | R, L, O | Likelihood 3 | Damage 4 | CO 7
● Use of the secure VPN is required to gain external access to sensitive data.
● All USB drives are encrypted.
● Portable devices such as laptops are encrypted and PDA's are password protected.

3 | Information Technology | Virus infiltration negatively impacts system and/or data files. | R, O | Likelihood 1 | Damage 2 | CO 7
● Microsoft System Center Endpoint anti-virus is installed on servers.
● IT personnel periodically review the Microsoft System Center Configuration Manager.
● Appropriate network and internet usage is addressed within the Personnel Manual.
● The Company has procedures in place to efficiently segment the affected area of the network.
● Whitelisting applications.

Page 37

Risk Assessment - continued

Risk Assessment Questions
• What keeps you up at night relative to managing your division? Ask this question and sit back and listen.
• What are the top three risks in your area? (These may be the same as what keeps them up at night.)
• What is the worst thing that could happen in your division?
• What upcoming projects, endeavors, etc. are you planning? What are you anticipating as the greatest risk?
• How are you currently managing risk? Are all of your key people aware of your top risks?

Page 38

Risk Assessment - continued

The slide's columns are Risk Category | Risk Tolerance | Current Risk Levels | Comments. The tolerance status is shown by a color-coded cell (legend below); the textual rating and comments for each row are:

Financial Reporting | Low | Management rates risk as low given long-term people and defined processes. No prior audit issues.
Disbursement Processing | Low | Management rates risk as low. Audited last year with no issues and multiple signoffs required for processing.
New Client Setup | Low | Management rates risk as Low. Very defined processes and no major current client impact.
Information Technology | Medium | Management rates risk as low. However, due to the inherent risk, this is a moderate area. There are well-defined controls and processes.
Data Security | High | The company recently had a cybersecurity breach.
Cash Procedures | High | Management ranks risk as high due to availability or access to cash of clients.

Legend: Comfortably within Risk Tolerance | Nearing Boundaries of Risk Tolerance | Exceeding Boundaries of Risk Tolerance
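The register on Page 36 and the tolerance table above can be tied together with an explicit scoring rule, which is what makes the color-coding reproducible from one year to the next. The following is an added example (not part of the presentation): it scores each risk as likelihood times potential damage on the slides' 1-5 scales and classifies the result against the area's tolerance using the three legend categories. The scoring formula, the tolerance bands and the sample register entries are assumptions; only the scales, the risk-type letters and the category names come from the slides.

```python
"""Score a risk register and compare each area against its risk tolerance.

Added example, not from the original presentation. Scales reuse the slide
(likelihood 1=Low..5=High, damage 1=Minimal..5=Major, risk types R/O/L/S);
the score formula, tolerance bands and entries are assumed for illustration.
"""
from dataclasses import dataclass, field

# Assumed: the highest inherent score an area may carry for each tolerance.
TOLERANCE_BANDS = {"Low": 6, "Medium": 12, "High": 20}
RISK_TYPES = {"R", "O", "L", "S"}


@dataclass
class Risk:
    area: str
    threat: str
    risk_types: set           # subset of RISK_TYPES
    likelihood: int           # 1..5
    damage: int               # 1..5
    key_controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.damage <= 5):
            raise ValueError("likelihood and damage must be 1..5")
        if not self.risk_types <= RISK_TYPES:
            raise ValueError("unknown risk type")

    @property
    def score(self):
        """Inherent score on a 1..25 scale: likelihood x potential damage."""
        return self.likelihood * self.damage


def classify(score, tolerance):
    """Map a score onto the slide's three legend categories for a tolerance."""
    limit = TOLERANCE_BANDS[tolerance]
    if score <= limit * 0.75:
        return "Comfortably within Risk Tolerance"
    if score <= limit:
        return "Nearing Boundaries of Risk Tolerance"
    return "Exceeding Boundaries of Risk Tolerance"


def assess(register, tolerances):
    """Return [(area, score, status)] with the highest scores first."""
    rows = [(r.area, r.score, classify(r.score, tolerances[r.area])) for r in register]
    return sorted(rows, key=lambda row: -row[1])


REGISTER = [   # constructed entries modelled on the slide's rows
    Risk("Information Technology", "Sensitive data is transmitted unencrypted.", {"R", "L"}, 3, 4,
         ["Secure file-transfer site", "Encrypted email add-on", "Staff training"]),
    Risk("Information Technology", "Lost or stolen laptop / portable media.", {"R", "L", "O"}, 3, 4,
         ["VPN required", "Full-disk and USB encryption"]),
    Risk("Information Technology", "Virus infiltration.", {"R", "O"}, 1, 2,
         ["Endpoint anti-virus", "Network segmentation", "Application whitelisting"]),
    Risk("Data Security", "Recent breach; controls being rebuilt.", {"R", "L", "O"}, 5, 5, []),
    Risk("Cash Procedures", "Access to client cash.", {"L", "O"}, 2, 5, ["Dual sign-off"]),
]
TOLERANCES = {"Information Technology": "Medium", "Data Security": "High", "Cash Procedures": "High"}

if __name__ == "__main__":
    for area, score, status in assess(REGISTER, TOLERANCES):
        print(f"{area:24s} {score:3d}  {status}")
```

With these bands the two IT entries scored 3 x 4 land exactly on the Medium limit and show as "Nearing", matching the slide's comment that IT is a moderate area despite management's low rating, while Data Security after a breach exceeds even a High tolerance. The bands are the management decision; the code only makes that decision consistent across areas.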

Page 39

Risk Assessment - continued

Page 40

VENDOR RISK ASSESSMENT (External Influence)

Page 41

Vendor Risk Management

A Vendor Risk Assessment should be performed annually and include the following:

A listing of all vendors used by the company, including a description of the services provided by the vendor, the contract period covered, who is assigned to manage accountability of the vendor relationship, and a determination whether each vendor is a critical vendor.

For critical vendors, evaluate the internal control structure and potential risks to the company. Most companies require their critical vendors to have an independent internal control report performed by an outside accountant or security specialist (such as a System and Organization Controls (SOC) report).

Page 42

Vendor Risk Management

Each vendor should be assigned an overall risk rating. The risk rating will be based upon such items as the vendor internal control report findings, any issues experienced with the vendor, any reputational issues the vendor has had, as well as any items that could potentially impact the security, confidentiality, or availability of company data. The vendor risk rating should be evaluated annually by management.

A contingency plan should be in place for all critical vendors relative to the services provided by the vendor.

Page 43

Cyber liability Insurance

Page 44

Cyber liability Insurance

Page 45

Cyber liability Insurance

• Increased regulatory attention (e.g., SEC)
• Vendor/business associate risk
• Insider threats
• Exclusions in legacy coverages (e.g., CGL, D&O)
• Cyber-criminal ingenuity, perseverance, and greed
• Covered Costs
  • Forensics
  • Legal and PR
  • Data Restoration
  • Lost Income

Page 47

Resources - continued

Websites/Groups for Additional Information
The CyberSecurity Hub™ (LinkedIn resource)
www.ISACA.org
www.ic3.gov
www.ISSA.org
www.Infragard.org
www.Sans.org

Page 48

Questions?

Paul M. Perry, CISM, CITP, CPA
Member | Security, Risk and Controls Practice
[email protected]
(205) 769-3251