BreachExchange mailing list archives

Security - A Balancing Act for Accounting Firms


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Apr 2015 13:11:51 -0600

http://www.cpapracticeadvisor.com/article/12056011/security-a-balancing-act-for-accounting-firms

Security has been a top priority for firms for years. It has consistently
ranked at or near the top of the AICPA’s annual top technology initiatives.
So why does it seem there is more chatter now on the topic than in recent
years? The fact is, we can’t read today’s headlines without regularly
coming across another breaking story about the latest major security
breach. Add in social media and we feel like we are under constant attack.
So what can you do about it?

Risk Based Approach
Gartner lists Risk-Based Security and Self-Protection in its Top 10
Strategic Technology Trends for 2015 and states, “Organizations will
increasingly recognize that it is not possible to provide a 100 percent
secured environment.” This indicates we need to think differently about
security than we have in the past. Traditionally, organizations have spent
most (if not all) of their security budget on the goal of risk elimination.
In today’s environment, you have to adjust to more of a risk management
approach and broaden the focus beyond simply prevention.

A Balancing Act
IT is charged with keeping the firm's systems and data safe, and that
responsibility continues to become more challenging as IT is increasingly
asked to perform a balancing act. The first balance area is between
prevention and mitigation/response. More and more CIOs are recognizing
that, as Gartner predicts, it is becoming more and more difficult (if not
impossible) to ensure that we don't fall victim to a cyber-attack. As such,
firms are being forced to allocate their limited resources between keeping
hackers out and developing a rapid response plan in the event they do get
in.

Second, IT is being asked to walk a tightrope in finding the right
equilibrium between the firm's security requirements and end users'
demands. While fielding demands for greater firm security, IT is also being
pushed to increase the convenience and ease of use of the technology tools.
Often, these two are polar opposites, and with the increased consumerization
of IT and growing BYOD policies, exposure to easy-to-use consumer products
is strengthening the demand for the same in the workplace, often at the
expense of the security of the firm's data.

For both of these balancing acts, there is no magic formula for the right
allocation of focus and resources. The split will need to be determined by
each firm on an individual basis depending on the level of risk the firm
and IT are willing to assume. The level of preparedness to appropriately
handle an incident will also play into this decision.

Less Likely to Be a Target
A lot of security criticism today centers on the cloud and the claim that
cloud providers are a bigger target. This is primarily driven by the amount
of coverage that cloud breaches receive in the media. The reality is that we
are at high risk whether our firm is in the cloud or remains on-premise.
Take the recent examples of Target and Home Depot: both of these massive
breaches happened on in-house systems and data.

The other argument I hear often is that we are less likely to be a target
because we are a much smaller organization than the major corporations that
are regularly getting hit. To this I would submit that small organizations
are also getting targeted as much as (if not more than) the big guys. They
just don't make the headlines. While they aren't the badge of honor that a
Microsoft or Google would be to hackers, small firms often present a less
sophisticated security system and take longer to detect a breach. This
widens the window of opportunity during which sensitive data can be
siphoned from the organization before the intrusion is discovered.

Conclusion
While it may appear that it is all doom and gloom around security these
days, the fact is that we can start taking steps to better plan and prepare
ourselves. By approaching the challenge from a risk-management perspective,
we can prioritize our investments in prevention and also start to allocate
resources to prepare for mitigation and response. It simply requires a
change in thinking about the problem.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 