Data Security Button-Up



Multiple reports in 2021 are revealing a business world more susceptible than ever to data security risks. While this should come as no surprise, given the harried shift to remote operations last year, Harvard Business Review reports that employees are now 85% more likely to leak or lose files containing intellectual property than they were in pre-pandemic times. Because most of the risky behavior responsible for these vulnerabilities results from everyday productivity and collaboration, companies cannot reasonably circumvent every risk [1].

As cyber-attacks become more frequent and costly, company boards of directors (BODs) have cybersecurity at the fore. According to McKinsey, it is among the top four concerns of global BODs, and for good reason. John Noble, former director of the United Kingdom’s National Cyber Security Centre and a board member of National Health Service (NHS) Digital, explained, “Cybercrime is becoming industrialized. Vulnerabilities are identified by one set of groups that then share the information with criminal groups. Those criminal groups can, in effect, lease the ransomware in exchange for a percentage of the profits and employ it against victims. That has enabled a massive increase in both the volume of attacks and their sophistication. Ransomware can not only affect the availability of your systems but also result in the release of sensitive data.” [2]

That said, even though 85% of U.S. CFOs report formal discussions on the topic of increased cybersecurity, according to CNBC, directors are not always asking the right questions. Jim Lewis, senior vice president of the Strategic Technologies Program at the Center for Strategic and International Studies, advises, “Cyber security needs to be managed like any other risk. The dilemma is that boards don’t know what the standards are, what’s risky and what isn’t.” [3]

BODs and executive leadership will need to have a critical conversation, according to Wolf Richter, CEO of Wolf Street Corp. “The board’s responsibility is to make sure that the executive team has a plan…” he explains. “The question is not whether the attack is going to happen and how to prevent it. The real questions are, when will it come? Is the organization prepared to detect it? Is it prepared to stop it? Can it mitigate the effects and get back to normal operations as quickly as possible?” [2]

Circling back to the matter of insider risk, Harvard Business Review reports that savvy board members understand that a responsive, cloud-powered, collaborative culture is key to positioning companies for success in the evolving business world. BODs should acknowledge that this success hinges on the company’s ability to manage growing insider risk. CPAs, being among the most sought-after candidates for boards of directors, can prepare to leverage their unique abilities to see what others might miss. Finally, when it comes to asking the right questions, boards should focus on becoming familiar with the external and internal landscape of that risk, readiness in the occurrence of an event, and understanding the potential impacts of an event [1].


  1. “Questions Every Board Should Be Asking About Insider Cybersecurity Risks.” Harvard Business Review. 25 Jun 2021. Accessed on 15 Jul 2021.
  2. Podcast. “Boards and Cybersecurity.” McKinsey. 2 Feb 2021. Accessed on 15 Jul 2021.
  3. Caminiti, Susan. “Talking to Your Board About Ransom Payments? Here’s How.” CNBC. 7 Jul 2021. Accessed on 15 Jul 2021.


Source: MICPA
