Shark Tank star Robert Herjavec’s experiences while traveling are a good indicator of how cyberattacks have emerged as a concern for businesses and individuals.
Herjavec, a cybersecurity professional for more than 30 years, appeared Wednesday on a webcast with Barry Melancon, CPA, CGMA, the CEO of the Association of International Certified Professional Accountants. The archived webcast is available on the Association’s website.
Five years ago, Herjavec said, he had difficulty getting meetings with CEOs unless they were fans of Shark Tank, the ABC television show on which he serves as a judge of entrepreneurs’ budding business ideas.
This dynamic has now changed. “Fifty percent of my time now is spent with boards and senior executives,” Herjavec said. “This tells me that cyber is not a technology issue; it’s a risk issue. The more senior someone is in an organization, the less they care about technology and the more they care about cyber risk. They all want to know if they’re doing the right things.”
Not just C-level executives express this interest. “When I first got on TV, I’d go to these fancy Hollywood parties and would tell people, ‘I’m in cybersecurity,’ and they’d look at me for about 10 seconds and then exclaim, ‘You’re the guy on Shark Tank!’ ” Herjavec said. “Today when I go to these parties, they say ‘Hey, I want to talk to you about cybersecurity.’ ”
One thing hasn’t changed: Once he passes on his advice, they still request a selfie.
Nary a week passes without another large organization suffering the brunt of a data breach damaging its revenues, reputation, and business prospects. With big data proliferating, information has become many organizations’ most critical asset.
Herjavec and Melancon discussed the distressing spate of recent data breaches and ransomware attacks such as WannaCry and Petya. They also talked about how the threat landscape has changed: traditional hackers have been joined by criminal organizations, nation-states, and terrorist groups. Herjavec echoed a comment he heard recently that summed up the state of cyber readiness in the global business world. “There are two types of companies—those that have been hacked and those that don’t know they’ve been hacked,” he said.
Prior to joining Melancon on the webcast, Herjavec reviewed the AICPA’s recently issued cybersecurity risk management reporting framework, which can be used by an entity’s management in describing its cybersecurity risk management program and by CPAs in reporting thereon.
The framework, available at aicpa.com/cybersecurityriskmanagement, serves as a common language for management to use in reporting to its board, audit committee, and other key stakeholders. It also can be used by CPAs in performing cybersecurity consulting engagements known as “readiness assessments,” as well as System and Organization Controls (SOC) for Cybersecurity examination engagements.
Herjavec found value in the framework, including for small and medium-size businesses (SMBs), many of which are constrained by tight budgets. “To get the guidance they require, a starting point is to go to people they trust,” he said. “… To me, it makes sense to consider their accounting firm. They’re trusted advisers, without an underlying vested interest in selling you something else. … A CPA adviser is a logical progression for SMBs to get advice around cyber risk and how to manage it.”
Herjavec’s tips for cybersecurity for all businesses include:
- Focus on detection and response. “If you look at some of the recent, large-scale breaches, the blame from consumers and regulators isn’t so much on the fact that you got breached,” he said. “The blame is, did you have the right systems and controls in place to mitigate that risk and that loss.”
- Guard against malware and phishing attacks. It’s common for hackers to impersonate banks in an email and ask for account numbers and personal identification numbers (PINs). Don’t be fooled by this scam. “A bank or financial institution will never ask you for your PIN … via email,” Herjavec said. “But if you look at the modern phishing attacks, they look like your bank statements.”
- The cloud can provide some protection. Herjavec said the cloud can supply important security infrastructure, but “it doesn’t absolve you of the risk of that data.” Small businesses using the cloud still need to understand their own data issues and how to connect safely with their suppliers, he said. Asking cloud providers where and how data will be stored, whether it will be encrypted, whether data you delete will be removed entirely from the provider’s systems, and what the provider’s security procedures entail leads to a more secure arrangement in the cloud.
- Protect the crown jewels. No matter what the business, cybersecurity needs to protect the core functions, Herjavec said. “At its core, every business provides some value,” he said. “Whether it’s dry cleaning, whether it’s dog grooming, that core value has to continue to function no matter what the risk is. …You’ve got to look at what you need and how to get those tools [to protect the core].”
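The phishing tip above can be turned into a concrete check. The Python script below is an added example, not code from the article, from Herjavec, or from the AICPA. It triages two constructed sample messages against a hypothetical trusted bank domain (examplebank.com) using the signals the tip describes: a sender domain that merely resembles the bank’s, links that lead somewhere other than the bank, a request for a PIN or account number, and failing SPF/DKIM/DMARC results recorded by the receiving mail server. All domains, addresses, and message text are invented for illustration.

```python
"""Heuristic triage of a suspected bank-impersonation email.

Added example: the domains, addresses and messages below are constructed
for illustration and are not taken from the article.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domain the bank actually sends from (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Phrases a real bank will not put in email, matched on word boundaries so
# "pin" does not fire on "shopping" or "spinning".
CREDENTIAL_PATTERNS = (
    ("pin", r"\bpin\b"),
    ("personal identification number", r"\bpersonal identification number\b"),
    ("account number", r"\baccount number\b"),
    ("password", r"\bpassword\b"),
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(msg):
    """Domain of the From address, or '' if there is no parseable address."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_domains(body):
    """Hostnames of every http(s) link in the body."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h.lower() for h in hosts if h}


def is_lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """True when domain is close to, but not equal to, a trusted domain."""
    return any(domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold
               for t in trusted)


def triage(raw):
    """Return a list of human-readable phishing indicators found in raw RFC 822 text."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    findings = []

    sd = sender_domain(msg)
    if sd and sd not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sd} is not a trusted bank domain")
        if is_lookalike(sd):
            findings.append(f"sender domain {sd} is a lookalike of a trusted domain")

    for host in sorted(link_domains(body)):
        if host not in TRUSTED_DOMAINS:
            findings.append(f"link points to untrusted domain {host}")

    lowered = body.lower()
    asked = [label for label, pat in CREDENTIAL_PATTERNS if re.search(pat, lowered)]
    if asked:
        findings.append("message asks for credentials: " + ", ".join(asked))

    # Receiving mail servers record SPF/DKIM/DMARC outcomes in this header;
    # anything but "pass" for a bank's own domain is a strong impersonation signal.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    return findings


# Constructed sample: a statement-style lure with a typo-squatted sender domain.
PHISH = """\
From: "Example Bank Alerts" <alerts@examp1ebank.com>
To: customer@example.net
Subject: Your monthly statement is ready
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examp1ebank.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Your statement for May is available.
To avoid suspension, confirm your PIN and account number at
https://examp1ebank-secure.com/login within 24 hours.
"""

# Constructed sample: what a legitimate notice from the same bank looks like.
LEGIT = """\
From: "Example Bank Alerts" <alerts@examplebank.com>
To: customer@example.net
Subject: Your monthly statement is ready
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
Content-Type: text/plain; charset="utf-8"

Your statement for May is available in online banking at
https://examplebank.com/statements after you sign in as usual.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(sample) or ["no indicators"])
```

The lookalike test uses a plain edit-distance ratio, which catches single-character substitutions like the “1” for “l” above but not homoglyph attacks using non-Latin characters; a production filter would also normalize internationalized domain names. The authentication check only reads what the receiving server wrote, so it is only as trustworthy as the server that added the Authentication-Results header.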
—Russ Banham is a Pulitzer Prize-nominated business journalist and author who writes frequently about cybersecurity. Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com), a JofA editorial director, also contributed to this article.