Leadership Buy-In and Employee Awareness are Critical to Cybersecurity 

by Steven J. Ursillo Jr., CPA, CIA, CGMA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC, CCSFP 

Sparrow, Johnson & Ursillo began in 1947 as a largely traditional full service accounting firm. I got my start with the firm in 1994 working in financial audit and compliance, which evolved into internal control and forensic accounting work. I also had some background in technology and was put in charge of managing that aspect of the practice as well. Forensic accounting requires a lot of data analysis and we were using different software to integrate with several data sources, so robust internal controls were necessary and our experience in that area developed naturally with this part of our practice.

In the mid-90s, I began to attend various security conferences and sought targeted training in that area, and that is really where my passion for security was cultivated. The firm started offering security reviews for clients and also built a book of business related to technology and risk management services. As these services developed, I got involved in networking and application penetration testing. In the early 2000s, security awareness became much more prevalent and the need for strict governance requirements arose. Our firm was on the forefront of offering those services and we have continued to grow that part of our practice as the need has increased and evolved over time. Currently, over half of our practice is focused on technology and technology risk management.
 
Practicing What We Preach
Because of the work that CPAs do and the breadth of clients they serve, firms have access to a significant amount of personal and confidential information, which makes firms prime targets for potential cybersecurity attacks. It is critical that firms recognize the importance of safeguarding client and firm information.

Many of our cybersecurity governance practices fall within ISO 27001 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, we are aware of other governance structures, and we continue to adapt the technologies and fit them to our needs. We conduct our own risk assessments and, from those, we identify the technological and human capital resources that we need to put in place. Since we specialize in cybersecurity in our practice, we have several talented and knowledgeable people on hand and use a combination of in-house and third-party service providers to fulfill our cybersecurity objectives. In addition to giving us a level of transparency, utilizing our own employees also contributes to our resources for incident response and for quickly determining the extent and magnitude of an issue should one surface. We do have clients that are highly regulated, and cybersecurity is not one-size-fits-all. We have to play within the confines and boundaries of our resources. When planning for cybersecurity, you have to think that it's not "if" but "when". Take all possible measures for prevention, but also be prepared to respond when a breach occurs.

Our firm serves organizations of all sizes, and our internal practices for assessing security needs are similar to the work we do with our clients. We examine each organization to determine how cybersecurity is integrated, how mature its cybersecurity practices are, and how complex its environment is. As part of our testing procedures, we conduct planned attacks against our own office and against clients who engage us for these services. Deviating from existing protocols opens the organization up to vulnerabilities, so we use the results of these attack exercises as part of our organization's cybersecurity user awareness training program.

Cybersecurity is an Ongoing Process
There are several steps that firms can, and should, take to help protect themselves and their clients. Obtaining insurance is often the first step that comes to mind when firms think about investing in cybersecurity. While that is certainly a step I would encourage, it's also important that firms realize that getting insurance isn't the only one they need to take. Insurance is a way to protect against the financial risk involved, but firms still need safeguards and response measures in place to prevent, mitigate and reduce that risk.

In addition to obtaining insurance, it's imperative that firm leadership values the importance of a formalized cybersecurity program and understands how risks translate to exposure. At our firm, we are constantly reassessing our program's structure to remain relevant. We continue to try to stay on top of the latest potential threats and protections and to make sure cybersecurity is a priority year-round, even during busy season. Firms that don't have the experience or internal resources should not hesitate to bring in a subject matter expert to help create a formalized structure and program.

One of the most important factors in protecting your firm is employee awareness. A firm can have robust defenses in place, and all it takes is one employee who is not aware of risks or threats to potentially put the whole firm at risk. Firms should provide continued training throughout the year and maintain open communication with all employees regarding developments and updates. It's imperative that people understand emerging threats so that they are better prepared to reduce the risk of an incident or breach.

Sparrow, Johnson & Ursillo, Inc. is a local firm based in West Warwick, RI. Steven J. Ursillo Jr., CPA, CIA, CGMA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC, CCSFP is a principal and director of Information Technology and Assurance Services.

Copyright © 2006-2017 American Institute of CPAs.