July 16, 2018

How Controllers Can Step Up Their Cybersecurity Game


There’s a good reason why cybersecurity is ranked extremely high on the priority list of Trey White, CPA, and other controllers and chief accounting officers in the healthcare sector.

According to a report from the Identity Theft Resource Center and CyberScout, 376 (34.4%) of the 1,093 data breach incidents reported in 2016 occurred in the healthcare/medical industry. And if that wasn’t bad enough, Becker’s Hospital Review crunched the report’s numbers and came up with these four eye-opening stats:

1. The healthcare sector exposed more Social Security numbers than each of the other four industries [business, education, finance, and government]. In 2016, the healthcare industry exposed a total of 10,486,900 Social Security numbers.

2. The healthcare industry had the highest number of patient records exposed due to employee error or negligence. Throughout 2016, employee error or negligence caused 1,183,893 healthcare records to be exposed.

3. Insider breaches had the biggest impact on the healthcare industry. In 2016, 43 healthcare insider breaches affected 167,263 records.

4. The healthcare industry saw the largest percentage of records exposed due to third party, contractor and business associate-related breaches. Approximately 4,014,923 healthcare records—or 11% of all the industries’ records—were exposed due to third party breaches in 2016.

“Protected health information can be very valuable to a criminal as it includes information such as a person’s Social Security number and address, as well as information about a patient’s recent visits to the doctor, which can be used by criminals to identify themselves as someone else,” said White, vice president, controller, and CAO at BlueCross BlueShield of Tennessee, the state’s largest health benefit plan company.

Five ways to mitigate cyberattacks

While the healthcare industry saw more than its fair share of cyber threats last year, the business sector reported the most data breach incidents in 2016, with 495 (45.3%), according to the ITRC report. In addition, financial losses in the United States due to cyberattacks totaled $1.33 billion in 2016, a 24% increase over the previous year, a report from the FBI’s Internet Crime Complaint Center revealed.

So, what steps have controllers and CAOs taken to prevent the bad guys and gals from winning? In my discussions with three leaders, a handful of key tactics emerged:

1. Have a good relationship with the IT team. The accounting and finance department needs to work closely with IT staff to develop security protocols and initiatives that protect their customers’ and company’s data, according to the controllers I spoke to.

“We rely on our information security team to assist us with security and ensure any and all decisions made from an IT solution standpoint are in compliance with our corporate policies,” White said.

Annette Ramsey, CPA, controller of Intelligent Retinal Imaging Systems, a Pensacola, Fla.-based provider of early detection systems for diabetic eye disease, also stressed the importance of the finance and IT departments being on the same page regarding information security policies.

“That agreement and understanding is the foundation for the right compliance practices to deal with data security and cybersecurity threats,” she said.

It’s also a good idea for controllers to meet with the company’s chief information security officer (CISO) on a regular basis, White recommended.

“The channels used by cybercriminals can change at a rapid pace, so it’s critical for the controller and the CISO to interact in order to ensure that risks are identified and proper security and controls are in place,” he said.

2. Form an enterprise security committee. BCBST’s enterprise security committee (ESC) includes representatives from each of the company’s major lines of business and support functions, according to White.

“The purpose of the ESC is to provide cross-functional oversight and direction of security-related risks,” he said. “The ESC also provides prioritization recommendations to the CISO for security projects and initiatives.”

3. Ongoing employee education is a must. White said his staff is required to complete training sessions on a quarterly basis that focus on IT security, such as common predatory tactics used by attackers and the employee’s role in preventing attacks from being successful.

“Security breaches can be very costly to an organization, so it’s important to ensure that every employee understands the role that they have in the protection of customer data,” White said.

As part of the onboarding process at Litera Microsystems, a Chicago-based document technology provider, new employees are required to read and sign off on IT policies, according to controller Elizabeth Pittelkow, CPA, CITP, CGMA. She also works with outside firms to provide cybersecurity training for her employees, such as live presentations and handouts, and participates in cybersecurity webinars with her team.

She also recommended that controllers and CAOs educate themselves by signing up for email alerts from cybersecurity experts, attending cybersecurity sessions while at conferences, and reading relevant articles.

4. Keep the discussion going internally and externally. How? Perform annual risk reviews, and have weekly conversations with your team about cybersecurity threats, according to Pittelkow.

“Ask vendors what they are doing to protect your data,” she said. “We have discussed cybersecurity with our vendors—banks, insurance company, and audit firm—and they know we care about it and have helped us design anti-fraud controls.”

One anti-fraud control she recommended is verbally confirming outgoing wires with the person who requested them. The FBI estimated that cyber wire fraud, also known as business email compromise and email account compromise, caused $5.3 billion in losses worldwide between October 2013 and December 2016.

“Put a control in place that multiple people need to be involved in approving and transmitting wires,” Pittelkow said.
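As an added illustration (not code from the article or from any of the companies quoted), the wire controls Pittelkow describes, separate approvers from the requester and a verbal call-back before release, expressed as a release gate a treasury workflow could enforce; the record fields, user ids and sample wires are all assumed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class WireRequest:
    """Constructed outgoing-wire record (hypothetical field names)."""
    wire_id: str
    requested_by: str                       # user who asked for the wire
    amount: float
    beneficiary_account: str
    approvals: List[str] = field(default_factory=list)   # user ids who approved
    callback_by: Optional[str] = None       # who placed the verbal confirmation call
    callback_with: Optional[str] = None     # whom that call actually reached
    transmitted_by: Optional[str] = None    # user who will send it to the bank


def release_check(w: WireRequest, min_approvers: int = 2) -> List[str]:
    """Return the control failures for a wire; an empty list means it may be released."""
    problems = []
    approvers = set(w.approvals)
    if w.requested_by in approvers:
        problems.append("requester approved own wire")
    # approvals by the requester do not count toward the independent-approver quorum
    if len(approvers - {w.requested_by}) < min_approvers:
        problems.append(f"needs {min_approvers} independent approvers")
    # the verbal call-back must be done by someone else and must reach the requester
    if w.callback_by is None:
        problems.append("no verbal call-back on record")
    elif w.callback_by == w.requested_by:
        problems.append("call-back placed by the requester, not independent")
    elif w.callback_with != w.requested_by:
        problems.append("call-back did not reach the requester")
    if w.transmitted_by is not None and w.transmitted_by == w.requested_by:
        problems.append("requester cannot also transmit the wire")
    return problems


def good_wire() -> WireRequest:
    """Constructed sample that satisfies every control."""
    return WireRequest("W-1001", "alice", 25000.0, "ACCT-EXAMPLE-1",
                       approvals=["bob", "carol"], callback_by="dave",
                       callback_with="alice", transmitted_by="dave")


def bad_wire() -> WireRequest:
    """Constructed sample resembling a BEC-style request pushed through by one person."""
    return WireRequest("W-1002", "alice", 250000.0, "ACCT-EXAMPLE-2",
                       approvals=["alice", "bob"], callback_by=None,
                       transmitted_by="alice")
```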

5. Use technology to your advantage. “Integrate technology solutions, such as positive pay at your bank and phishing detection software at your company, to help prevent fraud and cybersecurity issues,” Pittelkow said. “Hire a firm to perform penetration and vulnerability testing to help identify ways to improve your processes. Also, keep software up-to-date, and install vendor software patches as they come out because they help to reduce vulnerabilities.”

Case in point: Had Equifax installed a patch that was available last March, 143 million people wouldn’t have needed to worry about their personal data being stolen by hackers two months later.

And if all else fails, Pittelkow has one more piece of advice for companies: carry cyber liability insurance.

“No business is immune to cybersecurity threats, but if you implement the right controls and culture in your business, you can significantly reduce your vulnerabilities,” she said.
