Could your business recover from an abrupt loss of $82,000 to 256,000? That’s how much a single cybersecurity breach could cost a small business, according to an analysis by Tech Republic.
For federal government contractors, the stakes are even higher. DFARS 252.204.7008 (Compliance Safeguarding and Covered Defense Information Controls), and 252.204.7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires Department of Defense contractors to fully implement required controls on covered contractor information by December 31, 2017.
Failure to comply could result in losing a contract or in having to stop work until you can demonstrate compliance with all 14 categories and 110 specific items of the NIST 800-171 R1 controls. For details about covered items and practical steps you can take to achieve compliance, see our earlier blog posts on the Answers Blog.
With the deadline fast approaching, a wide variety of technology and consulting companies are pitching cybersecurity services to small business contractors. Some require you to make costly investments in their technology or offer a one-size-fits-all solution. Here are a few reasons to consider engaging a CPA with government contracting experience to advise on cybersecurity compliance.
Humans are at the core of cybersecurity protection – and humans are fallible.
Not long ago, most companies relegated anything “cyber” to the IT department. However, technology alone will not protect your company from phishing, hacking and other cybersecurity breaches.
Your biggest vulnerability may not involve software or hardware, but the people operating your systems. Are they consistent and thorough in following cybersecurity best practices? Do they use and protect strong passwords? Do they avoid phishing emails? If not, the most sophisticated technology can and will fail to protect your company and its data.
Today’s cybersecurity best practices touch on personnel practices, supply chain management, and operational decisions. Nearly all areas of your business require strict policies for managing, storing and transmitting information. These must be applied consistently for effective protection.
Trusted Advisors and Compliance Experts.
As discussed above, technology is only a part of cybersecurity. Best practices require evaluating risks, implementing procedures to mitigate the risks, training employees to follow policies and continually monitoring adherence to those policies.
Most companies invest in control systems to ensure compliance with laws and regulations surrounding financial reporting, tax reporting, labor relations, environmental impacts and many other aspects of business. CPAs set up, manage and audit the majority of such systems.
CPAs have earned a unique advisory role based on their understanding of business and adherence to core values of independence, objectivity and skepticism. To maintain their credentials, they must complete appropriate continuing education and comply with a strict code of ethics. Their work also is subject to rigorous external quality reviews.
A CPA who understands cybersecurity as well as the needs of small businesses and government contractors is an ideal partner to help you comply with government regulations – including those governing cybersecurity.
CPAs Offer Multidisciplinary Knowledge.
In addition to core education in business and accounting, many CPAs have expertise in business continuity and disaster recovery. Some hold additional credentials specifically related to IT and security. These include Certified Information Systems Security Professionals (CISSP), Certified Information Systems Auditors (CISA) and Certified Information Technology Professionals (CITP).
Moreover, the American Institute of CPAs has established a Cybersecurity Risk Management Reporting Framework for companies to use in designing cybersecurity programs and reporting them to stakeholders – including boards of directors, senior managers, investors and government compliance officers. This framework also includes descriptive criteria, controls and an attestation guide to help CPAs report on cybersecurity.
As more businesses implement the AICPA framework, it is becoming a common denominator in talking about cybersecurity in the business world.
Preparing for Audit and Reporting Security Breaches
For government contractors, compliance requires more than establishing a cybersecurity framework. You must be able to demonstrate compliance and have systems in place to report security breaches.
Although no formal audit process has been established for compliance with the NIST 800-171 framework, it is wise to develop your systems with audits in mind. With extensive training and experience in both consultative and audit engagements, a CPA who understands cybersecurity and government contract compliance has an edge in helping you prepare.
In addition to preparing for audit, you must have systems in place for reporting security breaches. FAR 52.204-21 has no reporting requirement, but other FAR clauses around Personally Identifiable Information and related items do have separate reporting requirements. Depending on where your business is located, you may have state reporting requirements in addition to any federal contract reporting requirements.
Many companies don’t understand the need for solid cybersecurity controls until they have suffered a breach. For example, an attorney friend tells a story about a Human Resources professional who received an email from the president of her company requesting a list of all employees and their social security numbers. She prepared the list and responded to his email. A few minutes later, she bumped into the president and told him, “I just sent the list of information you requested.”
He responded, “What information?”
The HR professional immediately realized what had happened, but the damage was done. While this happened at a relative small company, its 115 employees resided in 32 states, requiring notification to each of the states. Since state laws are not synchronized, the company had to employ a national law firm.
Chances are, if a CPA had been involved in developing the company’s cybersecurity policies, there would have been a clear prohibition against sending sensitive employee information via email – no matter who made the request.
Questions about cybersecurity and government contracting? We’re here to help! Please call or email Robert E. Jones at (614) 556-4415 or firstname.lastname@example.org.