Waypoints: Ideas and Insights to Navigate Enterprise Complexity

The AICPA has issued a much-anticipated standard on cyber security. The new guidance, referred to as the “Cyber SOC,” creates a process that CPA’s can use to review and report on a company’s cyber security. In the past, organizations relied on various consultants, internal resources, and sometimes just plain luck, to identify and mitigate cyber risks. The Cyber SOC fundamentally changes how cyber threats are evaluated and managed. It allows for an independent, objective look at an organization’s processes, policies and controls around cyber risks. 

As we continue in our series, Top Middle Market CFO Challenges for 2017, the growing threat of cybercrime is becoming top of mind for today’s CFOs. Cyberattacks are on the rise. In 2016, the number of US data breaches increased 40%—an all-time record high according to the Identity Theft Resource Center.

It may be easy to assume that the responsibility for addressing cyber risks rests with your IT department, because after all, these appear to be mostly IT-related risks. However, what may be less obvious are the very significant financial risks involved with a cyber breach. This should be keeping most CFOs up at night. 

Watch the news—cybersecurity is the hot topic in the business world today. With all this attention, it’s no surprise that more service providers are adding cybersecurity to their service menu. Offense-oriented services, like penetration testing, can be a cost-effective way to identify vulnerabilities. Executives, senior management, and boards of directors are keen to find their own weaknesses, as they are the ones that will be held accountable in a breach.

Forbes just reported that “the average cost of a data breach has reached $4 million, up 30% from 2013.” The article shows that time is of the essence when measuring the costs a breach may inflict. For example, if the breach is identified in less than 100 days, the cost is averages a mere $3.23 million while those that were undiscovered until after 100 days could cost an average of $4.38 million for repairs and reparations. What a difference a few days can make when it comes to controlling the costs associated with repairing the damage of a data breach.

If I had to guess, I’d say you are reading this on your iPhone, iPad, Galaxy or some other mobile device. I’m not clairvoyant; research shows more than half of all emails are opened on mobile devices.

I’m sure you’ve heard the saying, “Hope for the best, but expect the worst.” I’d like to offer the IT incident response version, “Hope for the best, but plan for the worst.”

How secure is your business data?

If you’re like many CEOs and CFOs, you hope it’s safe, but you have other, more pressing issues to address. I’ve heard many business leaders explain the reasons hackers wouldn’t be interested in their data: they’re too small, they don’t handle medical records, they don’t process credit cards, or they don’t sell anything over the Internet.