October marks Cybersecurity Awareness Month, a time to introduce or refresh cybersecurity knowledge and resources for professionals around the globe. This Cybersecurity Awareness Month, IFAC spoke to Jackie Oppenheim of IMA (Institute of Management Accountants), who leads IMA’s Education & Career Services department. Jackie spoke about the critical importance of cybersecurity training for today’s professional accountants to advise large and smaller organizations.
To start off: can you tell us a bit about why having an understanding of cybersecurity is critical for professional accountants? How common are cyberattacks?
Today, it’s not a matter of if your company will experience a cyberattack, it’s a matter of when, so you need to prepare appropriately. Accounting and finance professionals deal with sensitive and confidential information, and knowing how to safeguard this information is key. They are also trusted business partners supporting risk mitigation across the organization. Knowledge of cybersecurity and data governance is essential for protecting the integrity of financial data and for safeguarding the reputation of the profession.
What skills do professional accountants already have that can help them in understanding cybersecurity concerns?
Management accountants have a head start with their skills toolkit, typically being adept at problem solving and troubleshooting, which can help in recognizing and resolving vulnerabilities. Their strong analytical skills help to measure risks and their experience in collaborating as business partners enables a solid communication of effective internal control and efforts across the organization.
Can you give an example of a time when professional accountants’ cybersecurity knowledge prevented a data breach or helped protect information?
This brings us back to managing an effective system of internal control. Making sure that the proper controls are in place to detect and prevent cyber intrusions of any kind is part of the management accountant’s collaborative role with IT departments. In our complex business world, understanding cybersecurity and data security regulations on a global scale is an essential part of this collaboration. It’s important for all employees, not just management accountants, to understand the language of cybersecurity and data governance to facilitate productive dialogue across the organization.
One example that many organizations are experiencing lately is where several accounting and finance employees might receive an email from a malicious source who has designed the message to appear as though it was sent from the CEO of the organization. The initial message asks for the individual to send their cell number and it seems quite innocent, but if an organization has not trained staff to recognize phishing activities, an employee may respond, leading to further emails requesting to purchase gift cards or change an account. Bad actors are constantly looking for vulnerabilities to exploit, and regular training and reminders for all staff are critical, particularly in a world of high staff turnover.
Do you have any sense of how cybersecurity is taught to students in accounting programs globally? Are there things that professional accountants who have been practicing for years can learn from young professionals?
With the growth of data analytics in the accounting profession, academics have been working to prepare students for the new work environment. Thus, exposing students to these rapidly changing advances in technology and artificial intelligence, and the corresponding risks, is a high priority. Many universities are adding a data analytics track within their programs, which includes an increased emphasis on risk assessment and fraud. As the profession has undergone this rapid shift, workplaces are now multi-generational at an unprecedented level. Early career professionals may have more technical knowledge and more seasoned professionals may have more knowledge in risk management practices, and these constituents need collaboration and knowledge sharing to benefit the organization.
For accountants with little or no training in cybersecurity—how can they get started? Do you have any resources to help them understand the language of cybersecurity, and help them talk to cybersecurity teams?
Absolutely. IMA is proud to offer a new Cybersecurity & Data Practices Certificate™ program designed specifically for accounting and finance professionals. The program guides them through cybersecurity terms, techniques used in cybersecurity risk management, regulatory and legal considerations for assessing risks, and some basic understanding of cybersecurity systems and best practices. Given what’s at stake for anyone looking to protect company assets, information, and reputation, the IMA Cybersecurity & Data Practices Certificate™ program is an effective business course. Another resource is our Strategic Finance publication where we cover timely topics that affect accounting and finance professionals including cybersecurity and data governance.
How do the cybersecurity needs for small- and medium-sized entities differ from larger companies?
Often small or medium-sized businesses don’t have the technological expertise or resources afforded by larger companies. For them, the primary focus tends to be on cash flow and profitability measures. So, a smaller organization may not have dedicated IT staff, and responsibilities for cybersecurity and data governance may fall to individual employees. Small- and medium-sized organizations should first assess their risks and vulnerabilities and then implement measures that fit with their needs and available resources. It may be as simple as implementing more stringent password controls and employee education rather than implementing expensive advanced detection systems. The IMA Cybersecurity & Data Practices Certificate program guides learners through this process and provides guidance on compliance factors associated with managing proprietary information.