Security – A Balancing Act for Accounting Firms
Apr. 17, 2015
Security has been a top priority for firms for years. It has consistently ranked at or near the top of the AICPA’s annual top technology initiatives. So why does it seem there is more chatter now on the topic than in recent years? The fact is, we can’t read today’s headlines without regularly coming across another breaking story about the latest major security breach. Add in social media and we feel like we are under constant attack. So what can you do about it?
Risk Based Approach
Gartner lists Risk-Based Security and Self-Protection in its Top 10 Strategic Technology Trends for 2015 and states, “Organizations will increasingly recognize that it is not possible to provide a 100 percent secured environment.” This indicates we need to think differently about security than we have in the past. Traditionally, organizations have spent most (if not all) of their security budget on the goal of risk elimination. In today’s environment, you have to adjust to more of a risk management approach and broaden the focus beyond simply prevention.
A Balancing Act
IT is charged with keeping the firm’s systems and data safe, and that responsibility continues to become more challenging as IT is increasingly being asked to perform a balancing act. The first balance area is between prevention and mitigation/response. More and more CIOs are recognizing that, as Gartner predicts, it is becoming more and more difficult (if not impossible) to ensure that we don’t fall victim to a cyber-attack. As such, firms are being forced to allocate their limited resources between keeping hackers out and developing a rapid response plan in the event they do get in.
Second, IT is being asked to walk the tightrope in finding the right equilibrium between the firm’s security requirements and end users’ demands. While fielding demands for greater firm security, IT is also being pushed to increase the convenience and ease of use of the technology tools. Often, these two are polar opposites. With the increased consumerization of IT and growing BYOD policies, exposure to easy-to-use consumer products is strengthening the demand for the same in the workplace, often at the expense of the security of the firm’s data.
For both of these balancing acts, there is no magic formula for the right allocation of focus and resources. The split will need to be determined by each firm on an individual basis depending on the level of risk the firm and IT are willing to assume. The level of preparedness to appropriately handle an incident will also play into this decision.
Less Likely to Be a Target
A lot of security criticism today centers on the cloud and the claim that cloud providers are a bigger target. This is primarily driven by the amount of coverage that cloud breaches receive in the media. The reality is that we are at high risk whether our firm is in the cloud or remains on-premises. Take the recent examples of Target and Home Depot: both of these massive breaches involved in-house systems and data.
The other argument I hear often is that we are less likely to be a target because we are a much smaller organization than the major corporations that are regularly getting hit. To this I would submit that small organizations are also getting targeted as much as (if not more than) the big guys. They just don’t make the headlines. While they aren’t the badge of honor that a Microsoft or Google would be to hackers, small firms often present a less sophisticated security system and take longer to detect a breach. This widens the window of opportunity during which sensitive data can be siphoned from the organization before it is discovered.
Conclusion
While it may appear that it is all doom and gloom around security these days, the fact is that we can start taking steps to better plan and prepare ourselves. By approaching the challenge from a risk-management perspective, we can prioritize our investments in prevention and also start to allocate resources to prepare for mitigation and response. It simply requires a change in thinking about the problem.