Building A Cyber Resiliency Program



Target. eBay. Sony. Equifax. Anthem. CapitalOne. Marriott. Yahoo. That is just a partial list of enterprises that have suffered a major cyber event. The full list, however, pales in comparison to the hundreds of thousands of small- and mid-sized businesses (SMBs) that have also suffered a significant cyber event; you just rarely hear or read about these events. The lack of notoriety does not diminish the fact that these events have put many SMBs out of business or done serious damage to their operational capabilities.

Cyberattacks against SMBs are only increasing, so these businesses must better prepare for the inevitable. This is where accounting professionals can serve as a vital resource for their clients. The current state of cyber is no longer “an IT problem”; it’s squarely a business problem and must be approached as such. Accounting professionals are ideally positioned to help business owners and leaders understand the financial, legal, and reputational impacts of a cyber event, and to provide them with a strong incentive to build a more resilient cyber program to address these risks.

The focus of this course is on the business side of cyber resiliency. While technology will play a crucial role in any resiliency plan, it is merely a piece of the program businesses should create in order to survive, and thrive, after a cyber event. The takeaways from this course are structured to address the business aspects of a cyber resiliency program; these can then be combined with a solid cybersecurity plan to form a cohesive prevention and response plan. It’s this business-first focus that gives accounting professionals a unique opportunity to positively direct their clients’ cyber efforts in a way most other professional service providers cannot.

NOTE: Cyber Laws & Regulations

Governments at all levels have recognized the growing dominance of technology in our daily work and personal lives. Their responses have been new laws, rules, and regulations. Some of these pertain to specific industries; most affect all businesses. This course will not directly address compliance requirements. While the steps presented in this course do comply with numerous requirements set out in regulations from around the world, it is up to businesses to engage qualified representation to determine what specific requirements they must meet. This, too, is an opportunity for accounting professionals to guide businesses toward a proactive response to the growing responsibilities around cyber systems and digital data.

Learning Outcomes

  • Identify cyber risks to a business
  • Determine client/customer data collected and how it’s utilized
  • Develop procedures for partnering with or using 3rd-party technology providers
  • Outline a response plan to cyber incidents
  • Determine potential regulatory obligations

The Course

The six key focuses of this course are:

  1. Cyber Policies
  2. Cyber Procedures
  3. Risk Assessment
  4. 3rd-Party Security
  5. Data Retention
  6. Incident Response

The course will serve as a guide for accounting professionals to highlight how SMBs can minimize the negative financial impacts of cyber events by building and implementing a definitive cyber resiliency program. This course is not designed to build the program – as every business is different – but to provide the general framework any business can then customize to meet its own requirements.

Course Topics

  1. Cyber Policies

    No business can protect itself from the myriad of cyber threats without first establishing boundaries on how its technology can be utilized by all employees of the company. C-level executives must follow the same standards as the head of IT or the newest intern. These parameters will limit the unintentional exposure of the business to cyberattacks. This course segment will discuss how to classify policy areas and determine parameters around each area.

  2. Cyber Procedures

    Even small companies face complex challenges when it comes to utilizing technology. Who has access to what data? What is the process of removing a user from the network? Where are the administrative passwords stored? Why do we have to meet certain regulatory requirements? How do we report a data breach? This course segment will review some of the more pertinent questions and offer baseline answers.

  3. Risk Assessment

    Most cyber risks are non-evident because networks and systems are configured with such disparate pieces of hardware and software. It’s virtually impossible for a company’s day-to-day IT team – whether in-house or outsourced – to identify most vulnerabilities since the team’s primary objective is just keeping the systems online. An independent evaluation of networks, systems, and protocols/procedures offers insight into immediate, near-term, and long-term IT planning. This course segment will outline how risk assessments are conducted and how remediation plans can be handled.

  4. 3rd-Party Security

    Unless your business is named Microsoft or Google or Apple or Dell, you’re using 3rd-party technology. Your business is probably also using cloud-based providers for technology services like data backup, or accounting, or a host of other functions. In an outsourced-heavy model such as this, exposure to risk is constant, so businesses must take steps to minimize that risk from partner entities. This course segment will offer insights on how to confirm security with 3rd-party vendors and limit liability.

  5. Data Retention

    Virtually all businesses are data hoarders. Nothing is ever fully deleted or forgotten. In some industries this is the result of legal or regulatory responsibilities; but in most, it is just a matter of out of sight, out of mind. An ever-growing data cache increases potential liability for businesses with each new record. This course segment will offer retention guidelines that can help businesses offload unnecessary information without losing out on opportunities or running afoul of legal responsibilities.

  6. Incident Response

    No one’s interested in our data. We’re too small. We store nothing of value. It won’t happen to us. The excuses businesses put forth as to why they won’t prepare to be hacked are many, but none are true. In today’s interconnected world it’s now a matter of when, not if, a business will suffer a cyber event. How debilitating the event is for the business is a matter of how prepared it is to respond to the event. This course segment lays out the principal elements of a response plan and offers suggestions as to who should administer the plan.

NOTE: According to computer security expert Bruce Schneier,

“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”