A recent survey found that fewer than 40% of US small businesses are somewhat or very concerned about being the victim of a cyberattack in the next 12 months. When asked to rank the biggest risk they face, only 5% of the businesses polled chose cybersecurity.
Those weren’t the only results from the second quarter CNBC|SurveyMonkey Small Business Index that raise a red flag over the cybersecurity of U.S. small businesses. It’s not just that the survey respondents are less worried about cyber threats than they are about inflation, supply chain disruptions and staffing shortages. The biggest danger is that too many small businesses that believe they are prepared to respond to a cyberattack have not taken the steps required to be ready.
Consider the following.
More than 60% of those polled are somewhat or very confident in their ability to quickly resolve a cyberattack on their business.
Only 34% of small businesses have a plan to respond to ransomware or another cyberattack.
Fewer than half have instituted even basic protections, such as installing antivirus software, backing up files on an external hard drive or strengthening passwords. And only a third have enabled automatic software updates or multi-factor authentication.
The failure to properly protect their computer networks and data poses great risks for many businesses. CPA firms should encourage their clients to mitigate these risks, which include more than just potential cyberattacks. Governments and regulators are taking an interest as well.
Here are three areas where practitioners can help clients meet the demands they’re facing.
New reporting expectations
There’s increasing interest in transparency when it comes to cybersecurity, potentially for private companies as well as public ones. In March, the US Securities and Exchange Commission proposed to amend its rules for public companies regarding the disclosure of information on cybersecurity risk management, strategy, governance, and incident reporting. Companies would be required, among other things, to report and provide updates on material cybersecurity incidents; disclose policies and procedures for spotting and managing cyber risks; and offer information on their boards’ cybersecurity expertise.
In addition, the recently enacted Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that certain organizations in a wide range of industries that are considered “critical infrastructure companies” must report cybersecurity incidents to the US Cybersecurity and Infrastructure Security Agency.
Private companies obviously would not be subject to the SEC rules and may not be required to follow the CIRCIA reporting rules. However, these businesses and their CPAs should be aware of the trends in this area.
CPAs have many ways to bring clients up to speed on cybersecurity concerns. Here are three of them:
Inform them of the dangers. CPAs can provide clients with a wake-up call about the dangers and the impact that a cyber incident can have on a company.
Encourage them to check their perimeter defenses. How often do your clients update their cybersecurity protocols and procedures? Many companies may not have revisited them since before the pandemic began. At the same time, the sudden shift to working from home in 2020 may have resulted in cybersecurity holes across a network perimeter still stretched today by remote employees and operations. In addition, more businesses are now setting up storefronts in the metaverse, in new online platforms that allow them to sell merchandise or products through a digital storefront using cryptocurrencies. All these developments could leave clients open to new threats that should be identified and incorporated into their cybersecurity risk management plans.
Help them take a big-picture view. One reason for the focus on reporting is that more companies know they need to mitigate cyber risks not only within their own organizations, but also throughout their supply chain. When Target suffered a massive cyber hack back in 2013, the hackers gained access to its systems through a third-party vendor. Facebook (on multiple occasions) and Home Depot have also been hit by third-party data breaches. According to an Identity Theft Resource Center (ITRC) report, data breaches through a third-party vendor affected 367 organizations and more than 4 million individuals during the first half of this year.
Companies are asking more questions about how well their business partners are protecting themselves, their customers or other stakeholders from cyberthreats. While these business partners may not be seeking SEC-level reporting, your clients should be prepared to tell a comprehensive and compelling story about their own cyber controls and oversight practices.
Clients, whether pitching for new business or communicating with existing customers, may find themselves being asked more questions about their cybersecurity efforts. Business partners may also request a SOC for Cybersecurity report, which is a cybersecurity risk management reporting framework that enables organizations to communicate about the effectiveness of their cybersecurity risk management programs.
Firms should tell clients that simply having established protocols is not enough. Clients may be called on to report their cybersecurity protocols and framework. External stakeholders will want reassurance that cyber-defense efforts are active and ongoing. CPAs are well positioned to assist clients in developing their cybersecurity frameworks and responses to the inquiries that clients receive.
Firms can begin conversations with clients about cybersecurity transparency by discussing their own internal cybersecurity efforts and any cybersecurity engagements they may have worked on with other clients. Let them know you want to understand where they stand and can help them understand and prepare for whatever questions they may face.
If your firm is just getting started in understanding cybersecurity issues or would like help in addressing them, the PCPS Cybersecurity Toolkit offers a variety of valuable tools to get you started. These include an introductory guide, learning matrix, service opportunity grid, and educational staff PowerPoint. There’s also a client FAQ you can use to educate the companies you work with and address some of their concerns. Firms may not necessarily perform cybersecurity services for clients, but they can offer information and advice and coordinate their work with outside cyber experts, if needed.
Carl Peterson, CPA, CGMA, is the Association’s vice president of small firm interests. Have questions for Carl? Contact him directly at email@example.com or 651-252-4618. And be sure to sign up for Carl’s Small Firm Update webcasts. The next one will take place on Dec. 8 from 2pm until 3pm ET.