Major cyberattacks are habitual reminders to most business owners that cybersecurity is vitally important.
The feeling is especially acute among accountants, who often maintain highly sensitive information for individuals, families and businesses.
“We’re dealing with personal information all the time, so it’s a major concern for us,” said Grafton “Cap” Willey IV, managing director at CBIZ Tofias Inc., an accounting, tax and business consulting firm in Providence.
“Security is becoming one of the huge issues facing the industry, especially since Equifax,” he added.
Equifax Inc., one of the three major consumer-credit reporting agencies, earlier this year reported a cyberattack that likely affected 145.5 million people in the United States and millions more in the United Kingdom.
The breach wasn’t the first major cyberattack in United States history, but it was somewhat different from others because of the type of information that was compromised, such as Social Security numbers and birthdays.
“Those two pieces of information are going to be the same today, tomorrow and 10 years from now. They don’t change, but they are key pieces of information if you want to get a loan or open a credit card,” said Jeffrey Ziplow, partner at BlumShapiro, who heads the firm’s cybersecurity risk-assessment team.
Accountants, who are custodians of similar types of information for both consumers and businesses, are sensitive to the fact they are facing similar threats. That reality was underscored in September with the hack of Deloitte, a global accounting firm, which affected up to 350 clients.
“The Deloitte and Equifax hacks [are] certainly starting to cause and create a stir in the industry to think about and question how we are protecting our client information,” Ziplow said.
The Association of Chartered Certified Accounts, a global trade group, called for the need to be vigilant in a 2015 report called “Cyberwarriors with Calculators.”
“Accounting professionals remain at the center of the threat because it is they who work with the data, the personal identifiable information that is a target for cybercriminals,” according to the report.
The looming threat of cyberattacks, however, has been both good and bad for accountants.
On one hand, cyberattacks result in increased client demand for more highly specialized accounting, tax and risk-mitigation services. That’s overall good news if that’s your business.
Indeed, as Providence Business News reported in September, rising demand for cybersecurity services, including risk assessments, program development and security audits, at Kahn, Litwin, Renza & Co. Ltd. helped fuel 23 percent – or $8.2 million – revenue growth from 2014 to 2016.
The Providence-based company this year was named the third-fastest-growing company among all Rhode Island companies with $25 million to $75 million in annual revenue, according to PBN research.
But the need to protect against cyberattacks is also costing accounting firms, leaving executives to grapple with unexpected overhead costs related to compliance and the need for skilled workers.
“More of our work is being done online, or in the cloud, and everything is connected by computers,” Willey said. “You need full-time staff in the computer arena and those people are costly and in demand, so you have to work to keep them.”
There’s also the need for cutting-edge technology, which Willey said results in an onslaught of technology offerings and software updates that firms must sort through to determine what’s worth the cost.
The rising costs are happening at the same time technology impacts accounting firms in other ways, including the rise of automated accounting services. The services hurt smaller firms once dependent on revenue realized from in-house bookkeeping services.
“The software today for businesses is very good, so I think a lot of companies are [keeping their books] in more efficient ways,” Willey said.
Added to the ever-changing nature of cybersecurity and regulatory compliance, the accounting industry is likely far from over its ongoing transformation into becoming a more multifaceted and complicated business-services model.
To stand still, Ziplow added, is a bad idea.
“The one thing I’ve learned in this business is that assuming that you have a good security posture is a very pendulous situation to be in,” he said. “You really need to test and push and validate.”
Doug White, chair of cybersecurity and networking at Roger Williams University, agrees, saying major cyberattacks will continue, especially without greater regulatory action.
“Security is not just a one-shot fix or an annual review, it requires layers, persistence and continuity if it is going to be effective,” White told PBN following the Equifax breach. “The first bank robbery occurred in 1831, but we still have them today. Cybersecurity is no different.”