Is Your Firm Serious About Security?
(Originally published in CPA Practice Advisor, January 2017)
This digital world in which we live is an exciting one with opportunities to connect, share and collaborate in ways we never imagined. Technology impacts almost everything we do in our personal and professional lives in some way. Most of those impacts are positive.
At the same time, today’s environment can be quite scary. It seems that every time we look at the news, there is another major security breach. And what we see in the media is backed up by data. According to a report released by the Identity Theft Resource Center and Cyberscout, the number of tracked U.S. data breaches hit a record high of 1,093 – a 40 percent increase over 2015. So it’s no surprise that most firms list security as a top priority. But is their behavior consistent with what they say? In my opinion, not as much as it should be.
Investment is increasing
On the positive side, more and more firms are investing in the technology, training and processes to protect the sensitive data they possess. Whether it’s intrusion detection software, bringing in an outside party to conduct a security assessment or implementing a security awareness and training program, firms are investing in a lot of the right things to create a more secure firm.
As I wrote in a previous column, whether it’s securing a perimeter in a war zone or an accounting firm, the strength of the defense is only as robust as the front lines. In your firm, the front line is your people who are handling sensitive client data on a daily basis. An informed and diligent workforce is your best protection against an attack.
It takes commitment
Unfortunately, when it comes to the personal sacrifices required to take security initiatives to the finish line, there is often pushback. “The training takes too long!” “I can’t remember my password when I have to change it all the time!” “Why can’t I just email that tax return to the client?” These are just a few examples of the resistant comments and questions that confront the technology team.
Technology leadership should approach this as an opportunity rather than dismissing it as just another complaint from end-users. It is a chance to learn where the pain points are and to meet the challenge head on by finding solutions that make it less complex while still protecting the firm. It’s also an opportunity to align with firm leadership to ensure the business problem is clearly communicated when talking about a security initiative or solution. Otherwise, it’s easy to discount it as “just another technology project.”
Change starts at the top
The biggest pushback often comes from leadership. And most firms have one or more people on their team who think they are above the law. They simply choose to ignore training and look for ways to bypass security measures. It’s the responsibility of the leadership team to support the firm’s security initiatives not only through words and investment but also through behavioral changes. In other words, leadership must walk the walk. And they must hold everyone accountable, especially those few who make no attempt to change their behavior or increase their security savviness.
The only way to gain buy-in and compliance from the rest of the team is for them to see their leadership modeling the behavior. So while it’s easy to say that security is a top priority, it’s more difficult to change behaviors that will take the security initiative beyond words and turn it into results. All progress starts with the truth. So ask yourself, is your firm serious about security? If not, start making changes today. There is no better place to start than with yourself.