Editor’s note: This month, we introduce a new column dedicated to the current state of cybersecurity and how cybercrime affects CPAs and auditors. Each installment will cover a particular area of import and how to better identify risk, both within CPA firms and within other businesses. Over time, this column will also answer specific questions coming from readers, to better aid in their efforts.
Willie Sutton, when asked, “Why do you rob banks?” is purported to have replied, “That’s where the money is.” Cybercriminals are no different; they are after the most valuable assets people have—their data. In 1990, Thomas Labrecque, then CEO of Chase, predicted that, over the next 25 years, the bank would earn more money from the data about the bank’s clients than it would from its clients’ cash holdings—and he turned out to be correct.
A Wealth of Data
In 2018, there were 33 zettabytes of data worldwide (David Reinsel, John Gantz, and John Rydning, The Digitization of the World: From Edge to Core, IDC whitepaper, November 2018, http://bit.ly/2tpxtJa). A zettabyte represents 10^21 bytes, or 1 trillion gigabytes, of data. These data have discrete monetary value. At the low end, a single page of data about an individual is worth .05 of a cent (Financial Times personal data calculator, https://ig.ft.com/how-much-is-your-personal-data-worth/); at the high end, as much as $7.00. Taking the low end, and recognizing that a one-page document is about 50,000 bytes of data, gives a total value for all the data in the world of $1.65 quintillion ($1.65 billion billion). And therein lies the rationale for cybercrime: Data represent the largest tangible financial asset in the world.
Data are also among the most poorly understood and poorly protected assets in the world. Accountants and auditors constantly examine and review balance sheets, ledgers, sources of funds, cash holdings, and other centers of value. But how often do they look at the data? If businesses are not protecting these critical assets, then they are there for the taking. In 2018, the total cost of cybercrime was approximately $3.1 trillion. While this may seem small compared to the value of all data shown above, it can still mean devastating results to the business that has been hacked.
These criminals are not geniuses; they are just smart enough to pay attention to what they find and harvest it for their own benefit. They are often aided and abetted by employee action or inaction; in fact, 61% of all cyberattacks are due to employee behaviors. Data repositories are often left wide open, metaphorically, for cybercriminals to loot at will. Worse, CPAs are often blissfully unaware; if challenged on the location of sensitive data, most will respond either, “I don’t know” or “Talk to IT.”
Assess and Defend
What can CPAs do to address these shortfalls? First, they must understand the data environment. The current state of a business must be assessed and analyzed to understand the scope of the potential risk and the size of the problem. This will not be an easy task; it requires state-of-the-art tools that connect to the entire enterprise and have the ability to examine the various components of the data setup, understand the history of the data, and document any intrusions or exfiltration that may have occurred. Two documents from the National Institute of Standards and Technology (NIST), Special Publications 800-53 (http://bit.ly/2X3SN4T) and 800-171 (http://bit.ly/2X1NzGK), are available for use as a framework, depending on a business’s needs, to assist in developing the guideposts for a data assessment.
Second, CPAs must map the information obtained in the assessment phase against the areas of most critical data in the enterprise (a topic to be covered in greater detail in a future column). In addition, CPAs must audit the environment to understand how employee behavior can impact the situation.
Once these are complete, CPAs can help develop risk mitigation strategies to deal with the consequences of previous behaviors and a plan to make the enterprise more resilient against future attacks. This is not a one-time exercise; it is a change in mindset that will require diligence and testing to help minimize future business impact. In doing so, the CPA becomes part of the enterprise defense system. In the long run, this will save a business an enormous amount of money and help ensure its long-term survival.
An Ounce of Prevention
The median cost to recover from a cyberattack for a small CPA firm (fewer than 30 seats) is $690,000. The median cost to recover from an attack on a midsized CPA firm (fewer than 100 seats) is $1.1 million. In 2017, there were approximately 218,000 small-to-midsize companies in the United States. Of these companies, 50% absorbed 70% of the cyberattacks; in this group, 60% failed within six months after the cyberattack due to the irretrievable costs of the attack (Joe Galvin, “60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here’s How to Protect Yourself,” Inc.com, May 7, 2018, http://bit.ly/2BCtE87). Taking the steps above will help CPAs ensure that the businesses they advise do not meet the same fate.