Steven J. Ursillo Jr., CPA/CITP, CGMA

Steven J. Ursillo Jr., CPA/CITP, CGMA, is a partner and director of technology and assurance services for Sparrow, Johnson & Ursillo Inc. in West Warwick, R.I. (Photo by Josh Reynolds/AP Images)

'You need to be prepared for a breach'

No one is immune: Anybody can be a victim of a cyberattack. Some of the top security companies in the world have been breached. It just shows that you have to be humble, you have to be prepared, and you can never get overconfident.

Understand your data: Probably the most difficult thing in cybersecurity for most businesses is around data management, truly identifying your data, knowing where it resides, and understanding the state of your data throughout its life cycle from cradle to grave. It's essential to understand your own data and its location internally and with respect to your customer and vendor relationships, so that if there is a breach, you can understand what systems and parties may be impacted. Disregarding the responsibilities that come with proper data management puts you at a higher level of risk.

Controls and safeguards: You have to have the appropriate controls and safeguards around your data throughout its entire life cycle. You also must have controls that help you detect incidents in a timely manner, and you need a plan that will help you respond quickly and effectively when there is an incident, to minimize the cost and impact of a potential breach. Think of incident response as the way to identify, respond, and communicate an incident in order to manage the potentially exponential costs associated with a confirmed breach. When an incident occurs, identifying the root cause is a necessary step in reevaluating the design and effectiveness of the controls established to initially manage that risk.

Educate the leadership: Awareness is huge. A big push has been to educate and build transparency to executive management, stakeholders, and the board of directors, making sure that your board of directors and your leadership team are privy to statistics, facts, and measurement indicators in any of their ongoing regular meetings, so that they understand and can accurately measure the level of governance their organization needs to have in order to properly allocate resources. The leadership needs to know that allocating the appropriate resources around incident response and damage control is as important as the resources that need to be allocated to help prevent an incident in the first place.

Build a reasonable defense: It really comes down to having the appropriate resources allocated to develop a mature security governance program in order to manage cybersecurity risks and adequately respond to potential incidents. Management has to identify an appropriate budget based on the overall risk to the organization and the cost of the assets that they're protecting.

—As told to Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com), a JofA editorial director.
