Steven J. Ursillo Jr., CPA/CITP, CGMA


Steven J. Ursillo Jr., CPA/CITP, CGMA, is a partner and director of technology and assurance services for Sparrow, Johnson & Ursillo Inc. in West Warwick, R.I. (Photo by Josh Reynolds/AP Images)

'You need to be prepared for a breach'

No one is immune: Anybody can be a victim of a cyberattack. Some of the top security companies in the world have been breached. It just shows that you have to be humble, you have to be prepared, and you can never get overconfident.

Understand your data: Probably the most difficult thing in cybersecurity for most businesses is around data management, truly identifying your data, knowing where it resides, and understanding the state of your data throughout its life cycle from cradle to grave. It's essential to understand your own data and its location internally and with respect to your customer and vendor relationships, so that if there is a breach, you can understand what systems and parties may be impacted. Disregarding the responsibilities that come with proper data management puts you at a higher level of risk.

Controls and safeguards: You have to have the appropriate controls and safeguards around your data throughout its entire life cycle. You also must have controls that help you detect incidents in a timely manner, and you need a plan that will help you respond quickly and effectively when there is an incident, to minimize the cost and impact of a potential breach. Think of incident response as the way to identify, respond to, and communicate an incident in order to manage the potentially exponential costs associated with a confirmed breach. When an incident occurs, identifying the root cause is a necessary step in reevaluating the design and effectiveness of the controls established to initially manage that risk.

Educate the leadership: Awareness is huge. A big push has been to educate and build transparency to executive management, stakeholders, and the board of directors, making sure that your board of directors and your leadership team are privy to statistics, facts, and measurement indicators in any of their ongoing regular meetings, so that they understand and can accurately measure the level of governance their organization needs to have in order to properly allocate resources. The leadership needs to know that allocating the appropriate resources around incident response and damage control is as important as the resources that need to be allocated to help prevent an incident in the first place.

Build a reasonable defense: It really comes down to having the appropriate resources allocated to develop a mature security governance program in order to manage cybersecurity risks and adequately respond to potential incidents. Management has to identify an appropriate budget based on the overall risk to the organization and the cost of the assets that they're protecting.

—As told to Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com), a JofA editorial director.
