In the most recent “North America Top Technology Initiatives Survey Results,” CPAs responding to the poll ranked “securing the IT environment” as the number-one priority, followed by “managing and retaining data,” “ensuring privacy,” “managing IT risks and compliance,” and “preventing and responding to computer fraud.” The top five poll results all relate to securing, managing or protecting the information entrusted to CPAs. The poll results are largely consistent with prior years and not particularly surprising in a world where data breaches routinely make national headlines, and CPAs receive and store large amounts of highly personal and confidential data. What is surprising and potentially alarming is the seemingly low level of confidence the poll respondents had in their ability to protect data.

When it comes to addressing threats to the security of their IT environments, only 42 percent of the U.S. respondents said they had addressed all relevant threats; only 43 percent said they were confident they had properly protected smartphones, tablets and other devices from cyber attacks; and only 41 percent believed they could quickly detect and respond to a cyber attack. When asked about ensuring privacy, only 49 percent of the U.S. respondents believed they could quickly detect and respond to a privacy breach. On the topic of preventing and responding to computer fraud, only 54 percent of the U.S. respondents were confident they had the appropriate policies and internal controls needed to reduce the risk of IT-related fraud to an appropriate level, only 55 percent believed they knew what to do in the event of a computer fraud incident, and just 50 percent were confident they had the policies needed to detect and mitigate potential IT-related abuse.

These confidence levels are alarmingly low – especially when the potential cost of a data breach is considered. According to the Ponemon “2014 Cost of Data Breach Study: Global Analysis,” which based its U.S. results on 61 case studies, the average total cost in the United States to notify victims (i.e., clients) of a data breach, plus post-breach costs for items such as special investigations, remediation, identity protection and legal expenses, was in excess of $2 million. Add in the reputational damage of a poorly executed breach response (which was more than $3 million on average in the 61 case studies), and the result of a data breach could be devastating.

The risks associated with poor data security and the resultant organizational cost and potential reputational damage of a data breach are so substantial that CPAs should manage their data security risk as if their lives, or at least their careers, depend on it. Simply put, if you don’t work toward managing your IT risk, you might just need to find somewhere else to work.