Almost from the outset of the pandemic, financial services organizations found themselves near the top of hackers’ hit lists. And, at least in a few crucial respects, it’s not so hard to see why. Reams of personal and financial data. Intimate institutional connections, often to much larger fish in the ecosystem. Comparatively immature IT infrastructures. Limited overall threat awareness. From the other end of the periscope, we must have looked like sitting ducks.
The good news is the extent to which that narrative is no longer true. The range of responses from financial services companies of all kinds, and the swiftness with which many have made changes to bolster both IT and accounting practices in the name of security, has been truly awe-inspiring to watch. But there’s still a lot of work to be done.
In this blog, I want to first briefly recap the latest cybersecurity numbers for financial services organizations and CPA firms specifically. Next, having effectively set the stage, I’ll call out a set of evolving competencies that should be top of mind for finance firms, and walk through a few ways for finance pros to action them today.
Take a — Gulp! — Good Look at the Numbers
Just how bad is the situation with cybersecurity right now? What are the latest numbers in the context of financial services organizations generally, and CPA practices specifically? Let’s start with the numbers.
- Data breaches at CPA firms have risen by more than 80 percent in recent years — and they’ve also changed in kind. For example, more than 40 percent of those breaches now represent attacks involving ransomware and/or extortion.
- Small to medium-sized accounting firms have been identified as particularly compelling targets for cybercriminals. Why? They have access to sensitive client data, they often serve as connectors or gateways to larger, more prominent organizations and they seldom have the advanced IT infrastructure of banks and larger firms. It’s a combination that has global cybercriminals licking their chops.
- Despite the clear and present danger, not to mention the increasing frequency of cyber attacks, it remains the exception rather than the rule for cybercrime to result in arrest and prosecution. In the context of identity theft, for example, only one identity thief is convicted for every 20,750 victims, according to analysts.
Why the seeming leniency on the part of law enforcement? The fact is, many of these criminals are based overseas. While the U.S. has extradition treaties with many countries, there is an almost equally large number (more than 76 countries, including China and Russia) with which we do not. Put two and two together and the baseline obstacles to successful prosecution aren’t difficult to spot.
None of which in any way lets organizations off the hook, of course. (If anything, the effect is just the opposite.) Given that reality, however inconsistent it may seem to potential industry targets, what can financial services firms do to shore up their capabilities going forward? That’s the topic I’ll turn to next.
Evolve Your Capabilities
In light of the latest developments, we may be at the dawn of an entirely new breed of finance professional: the finance-IT hybrid. These professionals will bring to the table overlapping yet separate competencies, with skill sets that intersect and cross-pollinate between accounting and IT.
Yet, while the need for such skilled professionals is clearly quite pronounced, as we have just discussed, where are hiring managers to find them? They aren’t exactly out there in droves, a point which brings me to two recommendations.
First, in the interim, close collaboration between these two departments — finance and IT — is going to remain essential for best-in-class risk and threat mitigation practices today. Organizationally, this should be a focus area.
Second, there are exciting opportunities for seasoned finance professionals to start evolving these capabilities on their own, and CPA-specific training programs are one route to get there. The American Institute of Certified Public Accountants (AICPA) already offers several, for example.
What can you do with this sort of training? What does it look like in practice?
- Audit and assess the end-to-end state of an organization’s existing cybersecurity risk management program, identifying any gaps and probing for weaknesses.
- Build out more robust controls across the finance function.
- Develop and implement advanced training to increase the organization’s overall cybersecurity readiness.
- Create threat detection and response protocols, thereby empowering key stakeholders to take action and mitigate losses in the event of a potential breach.
- Work consultatively with other business heads, providing advisory services and ensuring strategic alignment across all areas of the organization.
And that’s just the tip of the iceberg. As these training programs continue to evolve and become more sophisticated, I’m excited to see how CPA practices and other financial services organizations grow and change in turn.
CPA practices, accounting firms and financial services organizations are increasingly wise to the ways of cybercriminals. They’re proactively partnering with IT and business leaders to take preventative action, mitigate risk and avoid costly breaches.
In that vein, they would also be wise to view the latest developments in cybersecurity as not only an emerging threat but also an emerging opportunity. Those that are able to demonstrate advanced technical capabilities as part of their core accounting function should stand to gain a distinct competitive advantage — in fact, it could position them head and shoulders above the rest.
With more than 22 years’ experience in the staffing industry, Jodi Chavez is president of Tatum, where she oversees the field organization and provides direction. Jodi is responsible for continuing to transform Tatum into a data-driven organizational search and consulting firm helping clients select the key financial talent they need to execute their business strategies.
See inside March 2021