Pulitzer Prize–winning author Herman Wouk wrote, “The will not to believe. It is simple human nature. When the mind cannot grasp or face up to a horrible fact it turns away, as though refusing credence will conjure away the reality” (War and Remembrance, chapter 18). Evidence of this is readily apparent in people’s reaction to acts of genocide, in people’s response to thousands of species going extinct, and in companies’ reaction to the threat of cybercrime.
Individuals and organizations refuse to believe that they are truly at risk. Worse, they believe that their IT organizations will protect them, thus relieving them of the responsibility of actively handling their own cybersecurity. The dramatic consequences of cybercrime belie their beliefs:
- 81% of all cybercrime is directly due to employee behavior.
- Despite application of the best technology tools, cybercrime continues to grow approximately 42% year over year.
- Ransomware attacks are exploding, occurring every 12 seconds in the United States alone.
How do auditors move those unwilling to believe these facts? There may not be one simple answer to that question, but it does not remove the obligation to try. How businesses try will better predict the efficacy of their efforts.
Making the Case
An old adage in the legal profession says, “If the attorney has the facts, pound the facts. If the attorney does not have the facts but has the law, pound the law. If the attorney has neither facts nor the law, pound the table.” Auditors are left with similar challenges in dealing with the threat of cybercrime.
First, there are the facts. As an auditor, one should continually pound the facts (Exhibit 1) of cybercrime in front of anyone in the organization with the power to make change: the CEO, the board of directors, the CFO, the general counsel. The risks from these facts are real and measurable. As the fact broker, a CPA’s first responsibility is to define the risk for a client or employer.
Exhibit 1
- Employee behavior, not technology, drives cybercrime
- The most frequent vectors of attack are:
  - e-mail with embedded links or attachments, and
  - websites that covertly download malware to a connected device.
- Cybercrime at the end of 2018 stood at $3.2 trillion worldwide
- At current rates, cybercrime will be $6 trillion worldwide by 2021
- Ransomware, which dropped in 2018, is exploding in 2019
- Ransomware attacks occur every 12 seconds in the United States and are accelerating
- Paying a ransom has only a 30% chance of success in decrypting files
- Small and midsized businesses are the largest targets of ransomware attacks; state and local governments are the second largest
- State and local governments are beginning to create cybersecurity taxes to help pay for cyberinsurance and the cost of recovering from cyberattacks; Albany, Atlanta, Baltimore, 23 towns and cities in Texas, court systems in Georgia, and Long Island and Florida towns are among the victims in 2019 alone
- Small to midsized medical practices have been major targets in 2019, including hospitals in rural areas, disrupting medical care significantly
Second, there is the law. Numerous regulations in both the domestic and foreign markets govern cybersecurity behavior and define the penalties for bad cybersecurity practices that help engender cybercrime (Exhibit 2). Ignoring the regulatory space is never a good idea, and doing so can result in substantial financial liability for a business. In some cases, even more severe penalties are involved.
Exhibit 2
- In New York, 23 NYCRR 500 is fully in force
- In California, the California Consumer Privacy Act will be fully in force as of July 1, 2020; it can and will have an impact on New York–based companies
- In the EU, the Cybersecurity Act applies to non-EU organizations if they possess EU residents’ data (up to 70% of New York–based institutions may be affected)
- Gramm-Leach-Bliley Act (GLBA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- The Privacy Act of 1974—United States Personally Identifiable Information (U.S. PII)
- The Federal Information Security Management Act of 2002 (FISMA)
Third, there is advocacy. Auditors have an obligation to continually “pound the table” to remind executives of the risks they face (Exhibit 3). Risk advisors need to continually educate about these risks in the corporate space. Even when faced with a reluctance to listen, it is vital to continue to urge that every part of the enterprise understand the complex business issues represented by cybercrime.
Exhibit 3
- The cacophony of cyberattack reports in the news
- The frequent spam, spoofing, and phishing phone calls
- The daily spoofing and phishing e-mails on all e-mail accounts
- The phishing and spoofing text messages on smartphones
- The breach notification e-mails and letters received monthly from firms that are hit
- The numbers (see Exhibit 1)
- The lack of preparedness
A Matter of Survival
Businesses cannot afford to ignore the inconvenient facts. Ignoring the problem will never create solutions; it will only create economic instability that could make the 2008 recession look like a garden party. Clients, and sometimes CPAs, continually react to the threat of cybercrime by transferring the responsibility to IT organizations. This burden needs to be on everyone. The most fundamental risk faced by an organization is an unwillingness to recognize that cybercrime is fundamentally a business problem, not an IT problem. If CPAs make that their mantra, they will succeed in creating an environment that enables every business to survive the attacks it will inevitably face. If not, the profession has only itself to blame.