
CGMA Cybersecurity Tool
Risk, Response and Remediation Strategies 2023
About the Association
The Association of International Certified Professional Accountants® (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs® (AICPA®) and The Chartered Institute of Management Accountants® (CIMA®) to power trust, opportunity and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMA® designation holders and accounting and finance professionals globally.

Disclaimer: For information about obtaining permission to use this material other than for personal use, please email copyright-permissions@aicpa-cima.com. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct as of the publication date, be advised that this is a developing area. The Association, AICPA and CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.

The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of
the AICPA, CIMA or the Association of International Certified Professional Accountants. This material is offered with the
understanding that it does not constitute legal, accounting, or other professional services or advice. If legal advice or other
expert assistance is required, the services of a competent professional should be sought.

The information contained herein is provided to assist the reader in developing a general understanding of the topics
discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the
timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given
regarding the applicability of the information found within any given set of facts and circumstances.

ii CGMA Cybersecurity Tool: Risk, Response and Remediation Strategies 2023


Contents

2 Introduction
4 Understanding cybersecurity
6 Cybersecurity objectives
7 Cybersecurity controls
10 Applied cybersecurity
13 Advanced topics
15 Recent trends in cybersecurity
18 Cybersecurity and small business
20 Cybersecurity governance, risk and reporting
22 Appendix I: Cybersecurity insurance
23 Appendix II: Cybersecurity risk management reporting framework
24 Appendix III: Center for Internet Security — CIS Controls v8
29 Appendix IV: CISA MS-ISAC Ransomware Guide – Part 2: Ransomware Response Checklist
32 Additional reading and resources
33 Endnotes

Introduction
Although digital transformation was on the agenda for many businesses prior to the COVID-19
pandemic, the pandemic unquestionably accelerated the timeline. Not only did sophisticated
forecasting platforms become essential to predict customer demand and address the impacts
of supply chain disruption, but both large and small businesses created new digital business
models to meet consumers’ needs.
The AICPA & CIMA Future of Finance Leadership Group (FFLAG), a group of senior finance
executives committed to transforming the accounting profession, has consistently identified
digital transformation as one of their top challenges. While the trend towards digital
transformation yields many benefits, there is an accompanying increase in business complexity.
That complexity has driven cyber risk to a new level, impacting not only businesses and their
customers and employees, but also critical industries and the public sector.
Cybersecurity risk has become a strategic imperative not only for business but for government as well. In March 2023, the U.S. government released a new National Cybersecurity Strategy that emphasises working with international partners to counter threats, build resilience and defend critical infrastructure, and create schemes to promote investment in secure infrastructure.[1] The strategy calls for ‘robust collaboration’ to rebalance the burden of responsibility away from individuals and small businesses and onto public and private organisations best placed to address this challenge.[2]
On the global level, the 2023 World Economic Forum Global Risks Report ranks the impact and severity of ‘widespread cybercrime and cyber insecurity’ as number eight out of 10 global risks in terms of both the two-year near-term horizon and the longer-term 10-year horizon.[3] When looking at the source of these rankings and comparing government and business respondents, businesses ranked the severity of cybercrime and cyber insecurity as the fourth most prominent risk over the short-term.
In addition to the specific risk of cybercrime, there is also the risk of disruption to technology-driven resources and services, including agriculture and water, energy, transportation, public security, and so on. Related technology risks identified in the 2023 World Economic Forum report along with their global, short-term rankings include:
• 24 — Breakdown of critical information infrastructure
• 29 — Digital power concentration
• 31 — Digital inequality and lack of access to digital services
• 32 — Adverse outcomes of frontier technologies[4]
One global response to this ever-present global risk is the World Economic Forum’s Centre for
Cybersecurity, an independent and impartial global platform committed to fostering international
dialogues and collaboration between the global cybersecurity community in both the public and
private sectors.



The centre has the following objectives:
• Building cyber resilience. Enhance cyber resilience by developing and scaling forward-looking solutions and promoting effective practices across digital ecosystems.
• Strengthening global cooperation. Increase global cooperation between public and private stakeholders by fostering a collective response to key cybercrimes and jointly addressing key security challenges.
• Navigating cyber frontiers. Identify and explain future cybersecurity challenges and opportunities related to Fourth Industrial Revolution technologies and envision solutions which help build trust.[5]
Some recent centre initiatives include resilience-building projects in the oil and gas, manufacturing, and electricity industry sectors. Broader approaches include efforts to increase public-private cooperation and addressing the global cybersecurity skills gap. More forward-looking endeavours include the Cybersecurity Futures 2030 scenario-planning exercise to inform cybersecurity strategic plans.[6]

2023 highlights
The following highlights from the IBM Security® and Ponemon Institute Cost of a Data Breach Report 2023 reflect the increasingly complex and more prevalent cybersecurity threat landscape. The highlights also reflect increasingly sophisticated technologies and approaches being leveraged to confront this risk.
• Average cost of a data breach
— $4.45 million (up 2.3% from 2022 and 15.3% from 2020)
• Ransomware attacks
— 24% of breaches
— $5.13 million average cost (excluding the ransom itself)
• Cloud data
— 82% of breaches
— $4.75 million average cost
• Detection and escalation costs
— Largest category of breach costs, highlighting the complexity of breach investigations.
• Incident response planning and testing
— $1.49 million saved on average by organisations with high levels of incident response planning and testing compared with those having low levels
— One of the leading cost-mitigating strategies
• DevSecOps (development security and operations)
— $1.68 million in savings to those with high levels of adoption
• Security artificial intelligence (AI) and automation
— $1.8 million cost savings for those using AI and automation
— Time to identify and contain breach improved by more than 100 days[7]
Against this background, the CGMA Cybersecurity Tool provides insights and recommendations for management accounting and finance professionals facing the ever-changing complexities and risks in our increasingly digital business environment.

Understanding cybersecurity
Understanding cybersecurity in today’s complex digital world begins with knowing the most common threats, the potential ‘bad actors’, and what we can do to shore up our defences.

What problems do we face today?
The most common threats to cybersecurity include malware (including ransomware and botnets), malvertising, phishing and application attacks.
• Malware is the term used for malicious software intended to do any number of things ranging from stealing credentials, other information, or money to the general wreaking of havoc, or denial of service. Some of the more typical types of malware include:
— Ransomware. A type of malicious software designed to block access to a computer system until a sum of money is paid.
— Botnets. Networks of interconnected computers that are infected with a ‘botnet agent’ designed to do the attacker’s bidding.
• Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages. Malvertising is a serious threat that requires little or no user interaction.
• Phishing usually involves an email designed to lure the reader into doing something ill-advised by masquerading as a trustworthy source or legitimate enterprise. Phishing requests to execute an email attachment or click on a link are designed to install malware on the user’s computer, generally for the purpose of stealing money. Phishing can also involve more direct requests to provide private information such as passwords, credit card account details or other sensitive data.
• Application attacks, such as SQL injections, are increasingly common in today’s complex environment. While varied in nature and design, application attacks usually have the same intents and purposes as malware attacks — stealing data from database servers, running attack scripts on other users’ computers, stealing user credentials, etc.

Cost of doing business in the digital age
$4.45 million — Average cost of a data breach, up 2.3% from 2022, up 15.3% from 2020
$5.13 million — Average cost of a ransomware attack, not including the cost of ransom itself; 24% of breaches were ransomware attacks
82% of breaches involved data stored in the cloud — public, private or multiple environments; 39% spanned multiple environments with a $4.75 million average cost
Detection and escalation costs have surpassed lost business costs as the largest category of breach costs, highlighting the complexity of breach investigations.
— Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023



Who are the bad actors?
While ‘hacker’ may have originated as a term describing especially talented computer programmers and systems designers, and may still include those considered ‘curious’ hackers, the term has become much more widely used to describe computer intruders or criminals. In addition to basic thieves, these ‘bad actors’ can be outsiders, such as business competitors or nation-states. They can also be insiders, such as disgruntled, or otherwise malicious, employees.

Risk of security vulnerabilities
Cybersecurity vulnerabilities can be technical in nature or procedural. Technical deficiencies, including software defects and the failure to use security protections such as encryption adequately, expose sensitive functionality or information. Procedural deficiencies can be IT related, including system-configuration mistakes, or failure to keep up with software security updates. However, many procedural deficiencies are user related, such as poorly chosen passwords.
Whatever the cause, when exploited, these vulnerabilities can be costly and result in:
• Down time. Loss of business production or revenue-generation opportunities
• Tarnished reputation. Negatively affected company and brand value
• Customer flight. Loss of customers, especially critical with increasing level of e-commerce
• Legal consequences. Fines, lawsuit costs and settlements, which can be staggering
• Industry consequences. Exploiting vulnerabilities across an entire sector; healthcare records breaches have been extensive

Cybersecurity objectives
Businesses must address these risks and implement security measures to protect their information assets and ensure their enterprises’ ongoing viability.

Management objectives
As outlined in appendix II, the AICPA developed a cybersecurity reporting framework that organisations can use to demonstrate the extent and effectiveness of an entity’s cybersecurity risk management programme to key stakeholders. A critical element of any cybersecurity risk management programme is management’s formulation of objectives. Management establishes cybersecurity objectives addressing cybersecurity risks that could affect achievement of the entity’s overall business objectives (including compliance, reporting and operational objectives). Cybersecurity objectives vary depending on the environment in which the entity operates, the entity’s mission and vision, management’s established overall business objectives, risk appetite and other factors.
Key cybersecurity objectives outlined in the framework resource Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program include:
• Availability. Enabling timely, reliable, and continuous access to, and use of, information and systems
• Confidentiality. Protecting information from unauthorised access and disclosure, including means for protecting proprietary information and personal information subject to privacy requirements
• Integrity of data. Guarding against improper capture, modification or destruction of information
• Integrity of processing. Guarding against the improper use, modification or destruction of systems[8]

Data backup objectives
Data backup objectives are commonly referred to as the CIA of cybersecurity — confidentiality, integrity, and availability. In this era with an extensive market for personal information on the dark web, along with the proliferation of ransomware attacks, ensuring data availability is key. Although you may not be able to totally prevent a breach, if you back up your data, you may not have to consider paying a ransom. Because breaches can sometimes go undetected for quite some time, it is important to have multiple versions of backups, with some backups being stored offsite to preclude ransomware attackers from encrypting backup files as well as currently active files.
One common method for maintaining data backup files is the 3-2-1 model. This model suggests that you need three copies of your data, two of which are back-ups on different media, with one being stored offsite.
See appendix IV for a summary of key steps to take in the event of a ransomware attack, which include immediately isolating infected systems to minimize the impact.

Data backup 3-2-1
3 — Production copy plus two backups
2 — Backup copies on two different media
1 — Backup copy offsite
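The 3-2-1 model above as a policy check, written as an added example (not code from the CGMA tool): it takes a constructed backup inventory and reports which of the three rules fail, plus a retention rule that goes slightly beyond the model to capture the text’s point that breaches can go undetected for some time. The field names, sample inventories and the 90-day retention figure are assumptions.

```python
"""Check a backup inventory against the 3-2-1 model (added example; not
from the CGMA tool). The inventory fields and sample data below are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str            # e.g. "disk", "tape", "object-storage"
    offsite: bool         # stored at a separate site from production
    versions: int         # number of restore points retained
    oldest_version: date  # date of the oldest retained restore point


def check_3_2_1(copies, today, min_retention_days=90):
    """Return a list of findings; an empty list means the model is met.

    3: production copy plus two backups; 2: backups on two different
    media; 1: one backup offsite. The extra retention rule reflects the
    text's point that breaches can go undetected for some time, so at
    least one backup must keep versions older than the assumed dwell
    time (90 days here is an assumption, not a figure from the tool).
    """
    findings = []
    backups = [c for c in copies if c.name != "production"]
    if len(copies) < 3 or len(backups) < 2:
        findings.append("3: need a production copy plus at least two backups")
    if len({c.media for c in backups}) < 2:
        findings.append("2: backup copies must be on two different media")
    if not any(c.offsite for c in backups):
        findings.append("1: at least one backup copy must be stored offsite")
    cutoff = today - timedelta(days=min_retention_days)
    if not any(c.versions > 1 and c.oldest_version <= cutoff for c in backups):
        findings.append(
            f"retention: no backup keeps versions at least {min_retention_days} days old"
        )
    return findings


TODAY = date(2023, 9, 14)  # constructed reference date

# Constructed inventory that satisfies 3-2-1 plus the retention rule.
COMPLIANT = [
    BackupCopy("production", "disk", False, 1, TODAY),
    BackupCopy("nas-nightly", "disk", False, 30, TODAY - timedelta(days=30)),
    BackupCopy("cloud-archive", "object-storage", True, 180, TODAY - timedelta(days=180)),
]

# Constructed inventory with two same-media copies in the same building
# and only a week of history: every rule but "3" fails.
WEAK = [
    BackupCopy("production", "disk", False, 1, TODAY),
    BackupCopy("nas-nightly", "disk", False, 7, TODAY - timedelta(days=7)),
    BackupCopy("usb-drive", "disk", False, 1, TODAY),
]


def report(copies, today=TODAY):
    """Summarise an inventory as (status, findings)."""
    findings = check_3_2_1(copies, today)
    status = "MEETS 3-2-1" if not findings else "DOES NOT MEET 3-2-1"
    return status, findings


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("weak", WEAK)):
        status, findings = report(inventory)
        print(f"{label}: {status}")
        for finding in findings:
            print("  -", finding)
```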



Cybersecurity controls
To achieve these objectives and mitigate these cybersecurity risks, security mechanisms need to be implemented with the objectives of protecting information assets, detecting malicious activity when (not if) it occurs, and responding effectively to that malicious activity to minimise the impact on the business.
Different controls need to be implemented at different levels of the software, across the spectrum of components outlined below:

Things we protect
• Servers
• Desktops
• Mobile devices
• Networks
• Data storage
• Business applications

How we protect them
• Policies and policy management
• Software updates
• Configurations
• Security products
• Application software controls

Protection
First and foremost, we try to protect our information assets and systems against attack. Protection strategies are our first line of defence, and breaches are often a failure of protection strategies.
Protective controls include the following measures:
• Identification. To have confidence in accountability for users, whether individuals or interactive system components, we need to have identification, e.g., usernames.
• Authentication. We also need to be able to authenticate that identification, e.g., passwords, fingerprints, etc. Multifactor authentication is a core feature of identity and access management (IAM).
• Authorisation. In addition to authentication, we need to make sure a user is authorised to conduct transactions — verification of the user’s level of authority for particular types of access or transactions.
• Protecting secrets. We need to ensure sensitive data is unrecognizable, e.g., encryption of credit card or other sensitive information:
— At rest — while being stored
— In process — while being processed
— In transit — while being transmitted

Strong identification
Common methods of identification and authentication that are easily implemented:
• Something you know, such as passwords; quality of passwords is increasingly important.
• Something you have, such as tokens that are sent to you via text message.
• Something you are, such as biometrics: fingerprint, facial scan, palm print scans.
• Multifactor or two-factor authentication (2FA), such as the combination of a password and token, is increasingly in use today.

Certificates are a significant underpinning of security systems, especially where payments or particularly sensitive information is involved. Certificates are used for all kinds of practical applications, including the transmission of confidential information and the digital signing of documents.
Certificates are used in what is referred to as a ‘handshaking’ procedure to verify the identity of the sender, enable the transmission of encrypted confidential information privately, and also enable the receiver to know whether the information has been tampered with via the use of tamper-evident seals.
Certificates have public and private halves. It is critical that the private half of the certificate be kept secure and not passed between parties. Within an organisation, certificates can be centrally managed to enable users to access the public certificate for someone to whom they want to send encrypted information. For external use, public certificates are issued by third-party certificate authorities that verify the identification of parties using them.

Man-in-the-middle attacks
Certificates are essential for circumventing man-in-the-middle (MitM) attacks. MitM is the term used for attacks in which the attacker independently makes connections with the victims and relays messages between them to create the impression that they are communicating with each other when, in fact, the attacker is controlling the conversation.



Detection
In addition to protective or preventive strategies, it is also essential that entities employ detection strategies to identify when threats occur — essentially the computer equivalent of the security camera.
Common detection strategies include:
• Event monitoring. Documentation of events logged into files can be reviewed for unusual patterns of activity.
• Intrusion detection and prevention systems. Sophisticated applications are available that enable ongoing monitoring.
• Threat monitoring. The security community can study the tools and techniques attackers use in order to develop ‘threat intelligence’ that can inform the development of new controls.
• User reports. User reports can also be helpful in identifying unusual activity.

Breach identification and containment
The time to identify and time to contain a data breach have not varied much in recent years.
277 days — Average time to detect and contain a data breach
320 days — Average time to detect and contain a data breach by a malicious attacker (ransomware)
$1.02 million — Average cost savings of containing a breach in less than 200 days vs. more than 200 days
— Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023

Response
Part of the evolution of cybersecurity is the advent of ‘computer incident response teams’ (CIRTs), sometimes referred to as computer security incident response teams (CSIRTs).
The primary functions of the response team are to:
• Reduce losses
• Help the business get back into business quickly
• Support investigations when necessary — law enforcement, forensic
• Provide decision support during incident — plan of action, informed decisions
• Facilitate crisis communications — customers, law enforcement, media, etc.

Applied cybersecurity
Centralisation is an important element of cybersecurity with respect to implementing preventive and detective controls and responding to cyber breaches, especially when considering enterprise-level systems with huge numbers of desktop computers, laptops and mobile devices.

Centralised device management
Desktops. Modern operating systems are fortunately feature-rich in terms of security features. Centralised management is a key way to control and orchestrate key security features. The ability to ‘push’ security protocols, software updates and security update ‘patches’ to remote users enables the scalability of security for large enterprise-level systems. Centralisation also provides the ability to maintain a directory of user profiles that enables users to access their information from multiple locations.
Laptops. While many security features are common between desktop and laptop computers, the inherent mobility of laptops, especially the risk of lost or stolen devices, presents some unique challenges. Whole-disk encryption, whether a feature of the operating system or an endpoint product, is an essential feature to ensure the security of data on laptop products.
Mobile devices. There are third-party mobile device management (MDM) products to facilitate centralised management of such devices. Some companies consider it important to have company-owned devices and will implement a configuration profile that prohibits the download of non-company applications.
Many companies now have bring-your-own-device (BYOD) programmes. To ensure security for these employee-owned devices, companies require employees to submit those devices for company-wide management, similar to laptops. To allow flexibility in the implementation of security policies, companies can create different configuration profiles for different classes of users for their mobile devices.
Removable media and backup storage. A common cyber threat is the infection of removable media such as USB flash drives and thumb drives. Removable media can also include external hard drives and tape drives used for back-ups. Strategies to mitigate this risk include preventing their use, installing anti-virus/anti-malware tools that will actively scan for issues whenever removable media are used, and encrypting all media and devices.
IoT sensors. In recent years, internet of things (IoT) applications have not only become essential in many industry sectors, but also in smart home devices, medical devices, and more. Accordingly, IoT sensors should be included in enterprise cybersecurity policies and centralisation strategies, in addition to the more common endpoints of computers and devices.

Container applications: Creating a ‘world within a world’
Containerisation is useful for securing data on mobile devices. It involves encapsulating an application in a container with its own operating environment. Containers allow you to isolate software written for your company environment so employees do not need to use the device applications for company data. The container is entirely encrypted so you can keep your company data in the enclave and keep personal data out. These are popular for enterprise deployments, especially for basic services such as exchange email, calendar sharing and so on.



Network configuration
Another critical component companies use to enforce policies across the spectrum of corporate networks, including desktops, laptops and mobile devices, is network configuration. The value of these network-level controls is that they are exceedingly difficult to circumvent.
Network firewalls. Pre-defined policies about who can access what can restrict access to social media or other categories of websites. Access control lists implemented at the network level can provide people with access to sites that may not be allowed to others. The communications team, for example, may be authorised to have access to social media sites for company purposes.
Application firewalls. In addition to firewalls for network data while activity is occurring (intended to restrict access to authorised individuals), application firewalls can also be used.
Antivirus and endpoint products. In addition to centralised security-feature management, ‘endpoint products’ also are commonly used by most organisations to augment the features the operating system provides. Endpoint products are especially valuable in ensuring security in enterprise-level systems accessed by multiple users, from multiple locations, with multiple devices. These products can ensure compliance with the organisation’s policies and standards in addition to verifying the integrity of application products and detecting viruses, blocking activity if issues are found.
Network segmentation. Many companies are implementing network segmentation which divides a broader IT network into smaller, distinct sub-networks, which can have their own specific policies and security requirements. Examples of this include the creation of a secure guest network, work-from-home access, and isolating IoT devices.
Zero-trust architectures. Rather than assuming that everything behind the firewall is safe, the zero-trust assumption is that a breach has already occurred. Therefore, each user, device, application and transaction is subject to continual verification as though it originated from an open network.
One zero-trust model is the Center for Internet Security (CISA) Zero Trust Maturity Model which encompasses the following five pillars that span four stages — traditional, initial, advanced and optimal:
• Identity
• Devices
• Networks
• Applications and workloads
• Data[9]
The CISA model also includes the following capabilities that support integration and interoperability of functions across the pillars: visibility and analytics, automation and orchestration, and governance.

Zero-trust fundamental principles:
• Never trust
• Always verify

Centralised monitoring
Fortunately, as enterprise systems with hundreds or even thousands of laptops have become the norm for organisations, centralised monitoring of systems activity has also evolved. Important components of centralised monitoring include:
• Event logging and aggregation. All modern computer operating systems keep a ledger of their activity: Who logged in? What programmes did they run? What files were accessed? What were the failures as well as the successes? Operating systems’ event logging is largely superficial. However, it is still essential for administrative and accountability purposes as well as potential forensic use.
• Security information and event management (SIEM). SIEM systems have been developed to make event monitoring more effective. SIEMs analyse all the available data and look for specific patterns that might suggest a possible attack or security compromise.
• Security orchestration and response (SOAR). SOAR systems are platforms that collect security data from various sources, including SIEMs. SOAR systems automate routine responses and help prioritise incident response (IR) actions.
• Security operations centre (SOC) functions. SOC functions have a number of components, including incident response planning and testing, as well as threat intelligence, which involves monitoring both external trends and potential insider threats.

Incident response (IR) planning and testing
$1.49 million — Savings by organisations with high levels of IR planning and testing in 2023 over those with low levels
— Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023
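An added example (not code from the CGMA tool) of the ‘unusual patterns of activity’ that event monitoring under Detection looks for, and of the pattern-matching a SIEM performs as described above: it parses constructed authentication log lines and flags a burst of failed logins for one account followed by a successful login, which is how a guessed or stolen credential looks in the ledger. The log format, host names, addresses and thresholds are all assumptions.

```python
"""Scan authentication log lines for patterns a SIEM would flag (added
example; not from the CGMA tool). The syslog-like line format, the
sample lines and the thresholds are all constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format:
# "<ISO timestamp> <host> auth: <FAILED|SUCCESS> login user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect(events, threshold=5, window=timedelta(minutes=2)):
    """Return alert strings for two patterns:
    - burst: `threshold` failed logins for one user within `window`
    - success-after-burst: a successful login while such a burst is still
      inside the window (a possible guessed or stolen credential)."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = failures[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if e["result"] == "FAILED":
            q.append(e["ts"])
            if len(q) == threshold:  # fire once, when the threshold is reached
                alerts.append(
                    f"burst: {threshold} failed logins for {e['user']} "
                    f"from {e['src']} on {e['host']} within {window}"
                )
        elif len(q) >= threshold:
            alerts.append(
                f"success-after-burst: {e['user']} logged in from {e['src']} "
                f"on {e['host']} after {len(q)} recent failures"
            )
    return alerts


# Constructed sample log: one account hammered then opened, one ordinary typo,
# and one line that is not an auth record at all.
SAMPLE_LOG = """\
2023-09-14T10:00:01 fin-app01 auth: FAILED login user=jdoe src=203.0.113.7
2023-09-14T10:00:09 fin-app01 auth: FAILED login user=jdoe src=203.0.113.7
2023-09-14T10:00:15 fin-app01 auth: FAILED login user=asmith src=198.51.100.4
2023-09-14T10:00:18 fin-app01 auth: FAILED login user=jdoe src=203.0.113.7
2023-09-14T10:00:22 fin-app01 auth: SUCCESS login user=asmith src=198.51.100.4
2023-09-14T10:00:27 fin-app01 auth: FAILED login user=jdoe src=203.0.113.7
2023-09-14T10:00:40 fin-app01 auth: FAILED login user=jdoe src=203.0.113.7
this line is not an auth record and is ignored
2023-09-14T10:01:05 fin-app01 auth: SUCCESS login user=jdoe src=203.0.113.7
""".splitlines()


def scan(lines, threshold=5, window=timedelta(minutes=2)):
    """Parse and detect in one step, returning the alert list."""
    return detect(parse(lines), threshold=threshold, window=window)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```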



Advanced topics
Prevention is the goal of any cybersecurity strategy, along with timely detection and an effective response to the inevitable intrusion. Equally important is gaining a deep understanding of the attack and an ongoing effort to continually improve your systems.

Forensic analysis
Forensic analysis, while using some of the same means and methods as the incident response team, has different objectives. In addition to determining what happened, and how a particular breach might be prevented in the future, forensic analysis is the process of examining what is left behind that might be of value to investigators.
The three primary elements of forensic analysis include system-level analysis, storage analysis and network analysis.
System-level analysis. If we know a system has been breached, the first level of analysis would involve examining the individual, compromised system for ‘footprints in the sand’ to determine what changes were made.
Storage analysis. The size of today’s databases and the advent of cloud environments complicate storage analysis greatly.
A particular complication of cloud environments with respect to forensic analysis involves the external ownership of the servers containing the data. While a subpoena can be issued to the owner of a hard drive containing data that you want to analyse, the data that you may be interested in may have been deleted and overwritten.
Network analysis. Collecting and analysing network data ‘traffic’ provide different perspectives. While network monitoring does not provide information about the content of what is coming and going, it does provide information about who is coming and going.

Malware analysis
If malware is located on the system, especially if the malware is a piece of unauthorised software, it is important to deeply understand what the malware does.
Reverse engineering. The first step is to reverse engineer the piece of malware and determine how it works and what it does.

Penetration testing
The purpose of penetration testing is to find the weak points in your software before adversaries find them. If weaknesses are found, it may be possible to fix them. Otherwise, it may be possible to introduce a detection mechanism to block an intrusion.
The first step for penetration testing is to identify all the components on a network. This would include all the ‘smart’ devices that have IoT components, as well as home computer systems, printers, televisions and other devices that might serve as points of access for an intrusion.

Software security
Design review. This involves looking for design or architectural weaknesses. Areas of sensitivity are customer records, intellectual property and payment information.
Code review. This includes looking at key areas of sensitivity such as verification and authentication processes and common areas of programming weakness.
Security testing. While penetration testing involves testing the resilience against some set of known software vulnerabilities, security testing is diving deeply into software to verify that security requirements are being properly performed.

13
Advanced topics

Development security and operations (DevSecOps)

In a traditional environment, developed software is deployed according to a planned schedule that includes testing protocols. Many organisations, especially those in cloud-native environments, have adopted a more continuous software development process. This DevOps approach leverages the combined resources of development and operations teams to speed up development and deployment. While this approach has advantages, especially with digital transformation strategies and agile methodologies, these benefits are not without accompanying risks.

DevSecOps is the practice of building a security layer into the DevOps process. This DevSecOps security layer is an automated process that can provide continuous scanning to identify potential vulnerabilities or misconfigurations that developers may not be aware of so that remediation can take place prior to deployment.

DevSecOps ROI
$1.68 million — savings by organisations with high DevSecOps adoption in 2023
— Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023

Extended detection and response

Extended detection and response, or XDR, technologies and tools provide a more integrated, or holistic, approach to security, threat protection and remediation across an enterprise. By utilizing AI and machine learning, XDR solutions examine and analyse large quantities of data from multiple sources and devices. This results in a better understanding of threat activity and the ability to create profiles of suspicious behaviour, enabling a more proactive and adaptive approach.



Recent trends in cybersecurity

Cyber actions and actors

Phishing and lost or stolen credentials continue to be the most frequent, and two of the most expensive, initial attack vectors for cybersecurity breaches, according to the IBM Security® and Ponemon Institute Cost of a Data Breach Report 2023.

The report cites customer and employee personally identifiable information (PII) such as name and Social Security number as ‘the costliest — and most common — record compromised’.10 The report also tracked intellectual property and other corporate data such as customer lists. Phishing breaches, accounting for 16% of breaches, had an average cost of $4.76 million. Stolen or compromised credential breaches followed close behind in terms of frequency at 15%, with an average cost of $4.62 million.11

Attacks by malicious insiders, while less frequent at 11% of breaches, were the most expensive, having a $4.90 million average cost. Other attack vectors included cloud misconfiguration (11% of breaches) and business email compromises (9% of breaches).12

Data breach cost components

Cost of a Data Breach Report 2023 captures data breach costs in four main categories. Lost business costs encompass a range of impacts from business disruption and downtime to acquiring new customers, lost goodwill, and reputation damage. Other data breach cost components include detection and escalation, post-breach response and notification.13

Detection and escalation costs, which surpassed lost business as the leading cost category last year, continue to top the list this year, reflecting the increasing level of commitment necessary to address the pervasive nature of cybersecurity threats in today’s environment.

The change in these cost components from 2022 to 2023 is summarised as follows:14
• Detection and escalation — $1.44 million to $1.58 million
• Lost business costs — $1.42 million to $1.30 million
• Post-breach response — $1.18 million to $1.20 million
• Notification costs — $0.31 million to $0.37 million

Data breach cost dynamics

The IBM Security® and Ponemon Institute report also provides an analysis of the key factors that comprise the cost of a data breach. The accompanying chart captures the impact of both the most significant cost amplifiers and the most effective cost mitigators on the overall average data breach cost. Cost mitigators are associated with a lower-than-average cost; cost amplifiers are associated with a higher-than-average cost.

For 2023, the three most impactful amplifiers are security system complexity, security skills shortage, and noncompliance with regulations; the three most significant mitigators are adopting a DevSecOps approach, employee training, and IR planning and testing, followed closely by AI and machine learning–driven insights.

Personally Identifiable Information (PII)
• 52% of breaches — customer PII
• 40% of breaches — employee PII
• $183 per record — customer PII cost
• $181 per record — employee PII cost
— IBM Security®, Cost of a Data Breach Report 2023

Figure 1: Impact of key factors on total cost of a data breach (Measured in USD)

Cost mitigators (reduction relative to the average breach cost):
• DevSecOps approach — -$249,278
• Employee training — -$232,867
• IR plan and testing — -$232,008
• AI, machine learning–driven insights — -$225,627
• IR team — -$221,794
• Encryption — -$221,593
• Security information and event management (SIEM) — -$202,347
• SOAR tools — -$202,232
• Proactive threat hunting — -$201,111
• Threat intelligence — -$196,936
• Insurance protection — -$196,452
• Offensive security testing — -$187,703
• Identity and access management (IAM) — -$180,358
• EDR tools — -$174,267
• Data security and protection software — -$170,412
• Board-level oversight — -$167,818
• ASM tools — -$162,278
• CISO appointed — -$130,086
• MSSP — -$73,082

Cost amplifiers (increase relative to the average breach cost):
• Remote workforce — $173,074
• Supply chain breach — $192,485
• IoT or OT environment impacted — $195,428
• Third-party involvement — $216,441
• Migration to the cloud — $218,362
• Noncompliance with regulations — $218,915
• Security skills shortage — $238,637
• Security system complexity — $240,889

Source: IBM Security® and Ponemon Institute, Cost of a Data Breach Report 2023

Security investment

Additional investment in security presents a mixed picture. Only 51% of participants in the IBM Security® and Ponemon Institute 2023 study indicated they planned to make additional investments in security following a breach. For those that did make investments, IR planning and testing was the most common area at 50%, followed closely by employee training at 46%. Threat detection and response spending followed at 38%. Insurance spending following a breach was the lowest category of additional investment at only 18%.15

Minimising financial and brand impacts

In the IBM Security® and Ponemon Institute report, IBM Security provides steps that can help minimise the financial and brand impacts of data breaches, summarised as follows:16

1. Build security into every stage of software development and deployment — and test regularly. Taking a DevSecOps approach, the top cost-mitigating strategy, will be essential to building security into any tools or platforms the enterprise relies upon.

2. Modernise data protection across hybrid cloud. Gaining visibility and control of data spread across hybrid cloud environments should be a top priority for organisations of all types and should include a focus on strong encryption, data security and data access policies.

3. Use security AI and automation to increase speed and accuracy. Organisations can benefit greatly by embedding security AI and automation throughout the tool sets they use. Using new technologies not only improves threat detection and response capabilities, but it can also drive a more proactive security posture.

4. Strengthen resiliency by knowing your attack surface and practicing IR. Understand your exposure to the attacks most relevant to your industry, implement network segmentation practices to limit the spread of attacks, and put in place IR planning and testing protocols — one of the top-three cost mitigators.

Adopt the principle ‘secure by design and secure by default’ for all digital transformation projects and cloud environments.
— IBM Security® and Ponemon Institute, Cost of a Data Breach Report 2023

Cybersecurity and small business

Small business incidents and impacts

Unfortunately, another notable trend is that data breaches and cyberattacks involving small and medium-sized businesses are on the rise, and addressing this risk is no longer an option.

In 2019, the Ponemon Institute published 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, sponsored by Keeper Security, Inc. The report identifies two ‘key takeaways’: a ‘significant increase in SMBs [small and medium-sized businesses] experiencing data breaches’ and that ‘66% of respondents said their organization experienced a cyberattack in the past 12 months’.17

The financial impact of these events is severe. In 2019, damage or theft of IT assets and infrastructure cost these SMBs $1.24 million; the average cost of business disruption added another $1.9 million.18

In terms of the type of attacks, 53% of respondents experienced phishing/social engineering attacks, followed by web-based attacks at 50%. General malware (39%) and compromised or stolen devices (37%) were also quite common.19

Laptops (56%) and mobile devices (56%) were the most vulnerable endpoints or entry points, followed by IoT devices (45%), cloud systems (45%), and smart phones (41%). This is reflected in the finding that 49% of respondents felt that the use of mobile devices to access business-critical applications and IT infrastructure diminishes their organisation’s security posture.20

Almost half (47%) of SMBs had suffered an attack involving the compromise of employees’ passwords. The average cost of each attack was $384,598. Unfortunately, while password policies can be very effective in mitigating this risk, 56% of respondents indicated their companies either did not have or respondents were unsure of such a policy.21

Clearly SMBs struggle to maintain an effective security posture. When asked to identify the top three challenges that keep their security posture from being fully effective, responses yielded the following results:22
• 77% — Insufficient personnel
• 55% — Insufficient budget
• 45% — No understanding of how to protect against cyberattacks
• 36% — Insufficient enabling security technologies
• 35% — Lack of in-house expertise

Having to deal with passwords being stolen or compromised and employees using weak passwords are the biggest pain points.
— Ponemon Institute, 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses

Other challenges included a lack of leadership, management not seeing cybersecurity attacks as a significant risk, or it not being a priority. Lack of collaboration with other departments was also cited, as was leadership in determining IT security priorities.23

In the 2023 IBM Security® and Ponemon Institute report, smaller organisations reported higher breach costs than in 2022, as follows:
• < 500 employees — $2.29 million to $3.31 million
• 500–1,000 employees — $2.71 million to $3.29 million
• 1,001–5,000 employees — $4.06 million to $4.87 million24



Small business resources

Appendix III provides a summary of the global Center for Internet Security, Inc. (CIS®) framework of cybersecurity controls. The structure of this framework includes identification of controls by different implementation groups (IGs), with IG1 being enterprises that are ‘small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel’. In addition to the CIS framework, there are other resources targeted to this audience.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Cyber Essentials Starter Kit: The Basics for Building a Culture of Cyber Readiness. CISA’s Essentials Starter Kit is a guide for leaders of small businesses and small and local government agencies that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and can be used as a starting point for cyber readiness.

According to the Essentials Starter Kit, building a culture of cyber readiness has six essential elements:
• Yourself. Drive cybersecurity strategy, investment and culture.
• Your staff. Develop security awareness and vigilance.
• Your systems. Protect critical assets and applications.
• Your surroundings. Ensure only those who belong on your digital workplace have access.
• Your data. Make backups and avoid loss of information critical to operations.
• Your crisis response. Limit damage and quicken restoration of normal operations.25

The Essentials Starter Kit also identifies ‘things to do first’ including:
• Backup data. Employ a backup solution that automatically and continuously backs up critical data and system configurations.
• Multifactor authentication. Require multifactor authentication (MFA) for accessing your systems whenever possible.
• Patch and update management. Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.26

The UK has a government-backed Cyber Essentials certification program that has two levels. Cyber Essentials is a self-assessment option. Cyber Essentials Plus involves a hands-on technical verification.27

The following five technical control themes for the certification program are outlined in the National Cyber Security Centre guidance document Cyber Essentials: Requirements for IT Infrastructure v3.1, updated in 2023:
• Firewalls
• Secure configuration
• Security update management
• User access control
• Malware protection28

Reducing your organisation’s cyber risks requires a holistic approach.

Cybersecurity governance, risk and reporting

Along with the ever-increasing frequency of breaches and compromised data, regulatory requirements and the demand for disclosure have also become part of the cybersecurity landscape.

Privacy and cybersecurity regulation

On the regulatory front, perhaps most notably, there have been significant ‘press worthy’ fines levied on global organisations in connection with the EU GDPR (General Data Protection Regulation). While there is not a similar national regulation in the United States protecting the privacy of data, a range of regulations have resulted in fines levied on financial institutions, healthcare providers and other enterprises for cybersecurity breaches involving compromised data.

In September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre signed a Memorandum of Understanding outlining their collaborative efforts on privacy and cybersecurity.
— Information Commissioner’s Office, ‘UK Information Commissioner and NCSC CEO sign Memorandum of Understanding’, 12 September 2023

With respect to cybersecurity regulation, in the UK there is no overarching cybersecurity law. However, there are several specific legislative measures, including the Network and Information Security Regulations (the NIS Regulations), which require businesses to implement appropriate and proportionate measures to manage risks associated with the security of information systems.29

‘It is the policy of my Administration that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.’
— The White House, ‘Executive Order on Improving the Nation’s Cybersecurity’

In the United States, an ‘Executive Order on Improving the Nation’s Cybersecurity’ was signed on May 12, 2021. In addition to addressing cybersecurity in the federal government, it also makes an appeal to the private sector and includes provisions for the Secretary of Commerce and Federal Trade Commission to explore potential provisions for consumer labelling schemes.30

Under these new requirements, defence contractors and subcontractors that make up the US Defense Industrial Base will be required to demonstrate compliance with Cybersecurity Maturity Model Certification (CMMC) practices and policies.31 In the UK, the Cyber Essentials certification has been a requirement for contractors or subcontractors for any part of the UK central government since 2014.32

Risk management, reporting and oversight

In addition to regulatory compliance risk, the business risks associated with cybersecurity from business interruption have escalated the level of concern on the part of governing boards, their audit and risk committees, investors, and customers and suppliers in the enterprise value chain.

As summarized in appendix II, the AICPA has developed a cybersecurity risk management reporting framework as part of a collection of resources for both public accounting and management accounting. One resource available is the SOC for Cybersecurity Brochure, which provides an overview of system and organisation controls (SOC) assurance engagements.

With respect to governance and board oversight, the Center for Audit Quality (CAQ), an autonomous public policy organisation that is affiliated with the AICPA & CIMA, has developed Cybersecurity Risk Management Oversight: A Tool for Board Members.

This resource provides a range of guidance that board members can use to discharge their responsibilities with respect to cybersecurity risk. In addition to providing questions to ask that can develop understanding about the role of management and the financial statement auditor, it covers how CPAs can assist boards of directors in their oversight of cybersecurity risk management.

It also provides information and questions for board members to ask with respect to:
• their companies’ specific risk profile, particular vulnerabilities, and management’s approach to managing these risks.
• the prioritisation of risk management practices, including supply chain or third-party risks, in addition to internal personnel policies, training, access controls, etc.
• incident response protocols, including thorough analysis of events, reporting to relevant parties, and potential disclosure requirements.

In July of 2023, the SEC adopted rules requiring current disclosure of material cybersecurity incidents and periodic disclosure about a company’s processes to assess, identify, and manage material cybersecurity risks; management’s role in assessing and managing material cybersecurity risks; and the board of directors’ oversight of cybersecurity risks. These rules impact companies that have shares traded on US public markets.33

The AICPA & CIMA, in collaboration with the CAQ, have jointly developed What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules, which provides guidance for complying with these new rules.34

Open lines of communication among the board, management, and those responsible for managing cybersecurity risks for the company will be increasingly important in light of the new disclosure requirements, and questions such as those described earlier may be useful.

New SEC rules
Require disclosure of material cybersecurity incidents and information regarding cybersecurity risk management, strategy and governance.

Appendix I: Cybersecurity insurance

Because most commercial insurance policies exclude coverage for cybersecurity-related damages, a separate policy, or rider, is required. This is especially true for organisations that have significant customer or client personally identifiable information (PII), that process online credit card payments, or that are otherwise highly dependent on the web to conduct their business.

In addition to insurance that covers losses relating to damage to, or loss of information from, IT systems and networks, policies generally include significant assistance with and management of the incident itself, which can be essential when faced with reputational damage or regulatory enforcement.

The National Association of Insurance Commissioners has provided a primer for cyber insurance on the US Federal Trade Commission resource page addressing cybersecurity for small businesses. While this primer is targeted to small businesses in the United States, the concepts captured below are widely applicable.35

Insurance should cover cyberattacks on data held by vendors or other third parties as well as attacks on your own network. As noted, coverage should include theft of personally identifiable information. It should also cover terrorist attacks and attacks that occur anywhere in the world. Other considerations include legal expenses, excess coverage over any other applicable coverage, and access to a breach hotline.

The ‘Cyber Insurance’ primer explains first- and third-party coverage as follows:36

First-party cyber coverage protects your data, including employee and customer information. This coverage typically includes your business’s costs related to:
• Legal counsel to determine your notification and regulatory obligations
• Recovery and replacement of lost or stolen data
• Customer notification and call center services
• Lost income due to business interruption
• Crisis management and public relations
• Cyber extortion and fraud
• Forensic services to investigate the breach
• Fees, fines and penalties related to the cyber incident

Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage typically includes:
• Payments to consumers affected by the breach
• Claims and settlement expenses relating to disputes or lawsuits
• Losses related to defamation and copyright or trademark infringement
• Costs for litigation and responding to regulatory inquiries
• Other settlements, damages and judgments
• Accounting costs

While cybersecurity insurance is an important aspect of an organisation’s strategy, it should not replace best practices, policies and controls. In fact, insurance provider underwriting requirements and fee structures are increasingly dependent upon effective cybersecurity policies and programs.

Appendix II: Cybersecurity risk management reporting framework

In response to the growing demand for information about the effectiveness of organisational efforts to manage cybersecurity threats, the AICPA has developed a cybersecurity risk management reporting framework. While there are many methods and frameworks for developing cybersecurity risk management programmes, this framework is a common language for organisations to communicate about, and report on, these efforts.

The framework includes the following three components, as highlighted in the AICPA Cybersecurity Fact Sheet:37

1. Management’s description. A narrative prepared by management that describes the entity’s cybersecurity program. This description provides the context that report users need about management’s process for identifying its most sensitive information, implementing controls over that information, and evaluating the effectiveness of those controls.

2. Management’s assertion. This assertion relates to the effectiveness of the controls put in place to achieve the entity’s cybersecurity objectives and whether the description is presented in accordance with the description criteria (discussed below) and whether the control objectives were based on control criteria that are appropriate for an engagement in accordance with the AICPA’s attestation standards.

3. The practitioner’s opinion. The third component of the framework is the CPA’s opinion on the description and on the effectiveness of controls within the entity’s cybersecurity program.

A key component of a new SOC for Cybersecurity attest engagement, the framework can also assist organisations in demonstrating to analysts, investors and other external parties that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.

Benchmarks, which can be used by management in describing their cybersecurity risk management programme, are captured in the framework’s Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program.

An illustrative cybersecurity risk management report has also been developed to provide an example for how an entity might prepare and present a description of its cybersecurity risk management programme.

The framework’s description criteria provide users of the report with information that can help them understand the entity’s cybersecurity risks and how it manages those risks.

The description criteria are categorised into the following sections:
• Nature of business and operations. Disclosures about the nature of the entity’s business and operations.
• Nature of information at risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses and stores that are susceptible to cybersecurity risk.
• Cybersecurity risk management programme objectives (cybersecurity objectives). Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data, and integrity of processing and the process for establishing, maintaining and approving them.
• Factors that have a significant effect on inherent cybersecurity risks. Disclosures about factors that have a significant effect on the entity’s inherent cybersecurity risks, including the
  — characteristics of technologies, connection types, use of service providers, and delivery channels used by the entity;
  — organisational and user characteristics; and
  — environmental, technological, organisational and other changes during the period covered by the description, at the entity and in its environment.
• Cybersecurity risk governance structure. Disclosures about the entity’s cybersecurity risk governance structure, including the processes for establishing, maintaining and communicating integrity and ethical values, providing board oversight, establishing accountability, and hiring and developing qualified personnel.
• Cybersecurity risk assessment process. Disclosures related to the entity’s process for
  — identifying cybersecurity risks and environmental, technological, organisational and other changes that could have a significant effect on the entity’s cybersecurity risk management programme;
  — assessing the related risks to the achievement of the entity’s cybersecurity objectives; and
  — identifying, assessing, and managing the risks associated with vendors and business partners.
• Cybersecurity communications and the quality of cybersecurity information. Disclosures about the entity’s process for communicating cybersecurity objectives, expectations, responsibilities, and related matters to both internal and external users, including the thresholds for communicating identified security events that are monitored, investigated, and determined to be security incidents, requiring a response, remediation or both.
• Monitoring of the cybersecurity risk management programme. Disclosures related to the process the entity uses to assess the effectiveness of controls included in its cybersecurity risk management programme, including information about the corrective actions taken when security events, threats, vulnerabilities and control deficiencies are identified.
• Cybersecurity control processes. Disclosures about
  — the entity’s process for developing a response to assessed risks, including the design and implementation of control processes;
  — the entity’s IT infrastructure and its network architectural characteristics; and
  — the key security policies and processes implemented and operated to address the entity’s cybersecurity risks.

Appendix III: Center for Internet Security — CIS Controls v8

The Center for Internet Security, Inc. (CIS®) is a not-for-profit organisation responsible for developing globally recognised best practices for securing IT systems and data. The CIS has become an international community of experts having a mission ‘to create confidence in the connected world’.38

This appendix is a summary of CIS Controls, which have been updated and enhanced to keep pace with cloud-based and hybrid environments, virtualisation and mobility, along with changing attacker tactics, and the recent shift to work-from-home.

The CIS Controls have been mapped to a very wide variety of formal risk management frameworks (like those from the National Institute of Standards and Technology [NIST®], Federal Information Security Modernization Act (FISMA), International Organization for Standardization (ISO), etc.).

The CIS Controls have also been structured to provide guidance according to self-assessed implementation groups or IGs:
• An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel.
• An IG2 enterprise employs individuals responsible for managing and protecting IT infrastructure.
• An IG3 enterprise employs security experts that specialise in the different facets of cybersecurity (e.g., risk management, penetration testing, application security).

The controls applicable to IG1 are considered to be ‘basic cyber hygiene’ and are also applicable to IG2 and IG3. Similarly, additional controls applicable to IG2 are also applicable to the IG3 group.

The presentation of controls in the guidance contains the following elements:
• Overview. A brief description of the intent of the control and its utility as a defensive action
• Why is this control critical? A description of the importance of this control in blocking, mitigating, or identifying attacks, and an explanation of how attackers actively exploit the absence of this control
• Procedures and tools. A more technical description of the processes and technologies that enable implementation and automation of this control
• Safeguard descriptions. A table of the specific actions that enterprises should take to implement the control

CIS Controls are a prioritised set of safeguards to mitigate the most prevalent cyberattacks against systems and networks.

Appendix III: Center for Internet Security — CIS Controls v8

Overview descriptions of the 18 controls encompassed in this framework, including the proportion of safeguards for each control that are applicable to IG1, are as follows:39

Control 01. Inventory and Control of Enterprise Assets — IG1= 2/5
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

Enterprises cannot defend what they do not know they have.
— Center for Internet Security, CIS Critical Security Controls® v8: 7.

Control 02. Inventory and Control of Software Assets — IG1= 3/7
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Control 03. Data Protection — IG1= 6/14
Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.

Control 04. Secure Configuration of Enterprise Assets and Software — IG1= 7/12
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security.
— Center for Internet Security, CIS Critical Security Controls® v8: 16.

Control 05. Account Management — IG1= 4/6
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

Control 06. Access Control Management — IG1= 5/8
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Control 07. Continuous Vulnerability Management — IG1= 4/7
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
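Controls 01 and 02 above both rest on one mechanical step: reconciling what is actually observed on the network against what is authorized and managed, so that unauthorized and unmanaged assets surface for removal or remediation. The following is an added example written for this page, not CIS material or code from this tool. The inventory records, the discovered-asset list (as a network scan or DHCP export might produce), the MAC address formats and the seven-day agent check-in threshold are all constructed for illustration; the same set-difference logic applies to a software allowlist under Control 02.

```python
# Added example (not CIS or CGMA material): reconcile discovered assets against
# the authorized inventory to surface unauthorized, unmanaged and unseen devices.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-CC-00-11-22' and 'aabb.cc00.1122' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class InventoryRecord:
    mac: str
    hostname: str
    owner: str
    last_agent_checkin: Optional[date]  # None: no endpoint-management agent has ever reported


@dataclass(frozen=True)
class DiscoveredAsset:
    mac: str
    ip: str
    hostname: str


def reconcile(inventory: List[InventoryRecord], discovered: List[DiscoveredAsset],
              as_of: date, max_agent_age_days: int = 7) -> Dict[str, List[str]]:
    """Return three sorted lists of MAC addresses.

    unauthorized: seen on the network but absent from the inventory (remove or onboard)
    unmanaged:    in the inventory and seen, but its agent has never reported or is stale (remediate)
    not_seen:     in the inventory but not observed this cycle (verify, possibly retire the record)
    """
    inv = {normalize_mac(r.mac): r for r in inventory}
    seen = {normalize_mac(a.mac): a for a in discovered}
    cutoff = as_of - timedelta(days=max_agent_age_days)

    unauthorized = sorted(mac for mac in seen if mac not in inv)
    not_seen = sorted(mac for mac in inv if mac not in seen)
    unmanaged = sorted(
        mac for mac in seen
        if mac in inv and (inv[mac].last_agent_checkin is None or inv[mac].last_agent_checkin < cutoff)
    )
    return {"unauthorized": unauthorized, "unmanaged": unmanaged, "not_seen": not_seen}


# Constructed sample data (hypothetical hosts, owners and addresses).
SAMPLE_INVENTORY = [
    InventoryRecord("AA:BB:CC:00:11:22", "FIN-LT-001", "finance", date(2023, 9, 12)),
    InventoryRecord("AA-BB-CC-00-11-33", "FIN-LT-002", "finance", date(2023, 8, 1)),   # stale agent
    InventoryRecord("aabb.cc00.1144", "OPS-SRV-01", "ops", None),                      # no agent
    InventoryRecord("AA:BB:CC:00:11:55", "HR-LT-003", "hr", date(2023, 9, 13)),        # not on network
]
SAMPLE_DISCOVERED = [
    DiscoveredAsset("aa:bb:cc:00:11:22", "10.0.1.10", "FIN-LT-001"),
    DiscoveredAsset("aa:bb:cc:00:11:33", "10.0.1.11", "FIN-LT-002"),
    DiscoveredAsset("aa:bb:cc:00:11:44", "10.0.2.5", "OPS-SRV-01"),
    DiscoveredAsset("de:ad:be:ef:00:01", "10.0.1.99", "android-7f3c"),                 # unknown device
]
AS_OF = date(2023, 9, 14)


def run_sample() -> Dict[str, List[str]]:
    """Reconcile the constructed sample as of 2023-09-14 with the default 7-day threshold."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERED, AS_OF)


if __name__ == "__main__":
    for category, macs in run_sample().items():
        print(f"{category}: {macs}")
```

The normalisation step matters more than it looks: inventories exported from different tools spell the same address three ways, and an un-normalised comparison reports phantom "unauthorized" devices that erode trust in the report. The agent check-in age is what distinguishes a merely listed asset from a managed one.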

26 CGMA Cybersecurity Tool: Risk, Response and Remediation Strategies 2023



Control 08. Audit Log Management — IG1= 3/12
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Control 09. Email and Web Browser Protections — IG1= 2/7
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Since email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering.
— Center for Internet Security, CIS Critical Security Controls® v8: 28.

Control 10. Malware Defenses — IG1= 3/7
Prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets.

Control 11. Data Recovery — IG1= 4/5
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Control 12. Network Infrastructure Management — IG1= 1/8
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

Control 13. Network Monitoring and Defense — IG1= 0/11
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Control 14. Security Awareness and Skills Training — IG1= 8/9
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

An effective security awareness training program should not just be a canned, once-a-year training video coupled with regular phishing testing.
— Center for Internet Security, CIS Critical Security Controls® v8: 39.


Control 15. Service Provider Management — IG1= 1/7
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Control 16. Application Software Security — IG1= 0/14
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect and remediate security weaknesses before they can impact the enterprise.

Control 17. Incident Response Management — IG1= 3/9
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training and communications) to prepare, detect and quickly respond to an attack.

Even if an enterprise does not have resources to conduct incident response within an enterprise, it is still critical to have a plan.
— Center for Internet Security, CIS Critical Security Controls® v8: 51.

Control 18. Penetration Testing — IG1= 0/5
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.



Appendix IV: CISA MS-ISAC Ransomware Guide – Part 2: Ransomware Response Checklist

CISA, the Cybersecurity & Infrastructure Security Agency, is a US federal agency with Department of Homeland Security (DHS) oversight. The Multi-State Information Sharing & Analysis Center (MS-ISAC) is a voluntary, collaborative effort designated by the DHS to provide cyber threat services for state, local, tribal and territorial governments (SLTTs). The CIS (see appendix III) is home to MS-ISAC.

The #StopRansomware Guide ‘is an update of the CISA MS-ISAC Ransomware Guide released in September 2020. This Guide includes two primary resources:
• Part 1: Ransomware and Data Extortion Best Practices
• Part 2: Ransomware and Data Extortion Response Checklist’40

This updated guidance includes additional recommendations for preventing common initial infection vectors, recommendations to address cloud backups and zero trust architecture, and added threat-hunting tips for detection and analysis.41

Following is an excerpt of the steps in the #StopRansomware Guide that address detection and analysis of impacted systems in the event of a ransomware attack.42

Detection and analysis

Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.

1. Determine which systems were impacted, and immediately isolate them.
• If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
• Prioritize isolating critical systems that are essential to daily operations.
• If taking the network temporarily offline is not immediately possible, locate the network cable (e.g., ethernet) and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
• For cloud resources, take a snapshot of volumes to get a point in time copy for reviewing later for forensic investigation.
• After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access or deploy ransomware widely prior to networks being taken offline.


2. Power down devices if you are unable to disconnect them from the network to avoid further spread of the ransomware infection.
• Note: This step will prevent your organization from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.

3. Triage impacted systems for restoration and recovery.
• Identify and prioritize critical systems for restoration on a clean network and confirm the nature of data housed on impacted systems.
— Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.
• Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.

4. Examine existing organizational detection or prevention systems (e.g., antivirus, EDR, IDS, Intrusion Prevention System) and logs. Doing so can highlight evidence of additional systems or malware involved in earlier stages of the attack.
• Look for evidence of precursor ‘dropper’ malware, such as Bumblebee, Dridex, Emotet, QakBot or Anchor. A ransomware event may be evidence of a previous, unresolved network compromise.
— Operators of these advanced malware variants will often sell access to a network. Malicious actors will sometimes use this access to exfiltrate data and then threaten to release the data publicly before ransoming the network to further extort the victim and pressure them into paying.
— Malicious actors often drop ransomware variants to obscure post-compromise activity. Care must be taken to identify such dropper malware before rebuilding from backups to prevent continuing compromises.

5. Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.

6. Initiate threat hunting activities.
• For enterprise environments, check for:
— Newly created AD accounts or accounts with escalated privileges and recent activity related to privileged accounts such as Domain Admins.
— Anomalous VPN device logins or other suspicious logins.
— Endpoint modifications that may impair backups, shadow copy, disk journaling, or boot configurations. Look for anomalous usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). Misuse of these tools is a common ransomware technique to inhibit system recovery.


— Signs of the presence of Cobalt Strike beacon/client. Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
— Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed). RMM software is commonly used by malicious actors to maintain persistence.
— Any unexpected PowerShell execution or use of PsTools suite.
— Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or NTDSutil.exe).
— Signs of unexpected endpoint-to-endpoint (including servers) communications.
— Potential signs of data being exfiltrated from the network. Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
— Newly created services, unexpected scheduled tasks, unexpected software installed, etc.
• For cloud environments:
— Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
— Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (0.0.0.0/0), an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.
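Two of the step 6 hunting items above are concrete enough to be expressed as code: the enterprise check for built-in Windows tools being used to impair backups, shadow copies, disk journaling or boot configuration, and the cloud check for a newly created firewall rule open to 0.0.0.0/0 with an automated disable-and-notify response. The following is an added example written for this page, not code from CISA, MS-ISAC or this tool. The process-creation log format, the host and user names, the firewall-rule event shape and the rule identifiers are all constructed; real EDR, Sysmon and cloud audit-log fields differ, and the patterns would be adapted to them.

```python
# Added example (not CISA/MS-ISAC or CGMA material): two step 6 threat-hunting
# checks run over constructed sample data.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- Enterprise: endpoint modifications that inhibit recovery ---
# One pattern per misuse of a built-in Windows tool named in the checklist, matched
# case-insensitively against the process command line.
RECOVERY_INHIBITION_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin resize shadowstorage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    "bcdedit disable recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "fsutil delete usn journal": re.compile(r"\bfsutil(\.exe)?\b.*\busn\b.*\bdeletejournal\b", re.I),
}

# Constructed process-creation log line (hypothetical format):
#   <timestamp> host=<name> user=<domain\user> parent=<image> cmd="<command line>"
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    command: str


def hunt_recovery_inhibition(log_lines: List[str]) -> List[Finding]:
    """One Finding per log line whose command line matches a recovery-inhibition pattern."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production hunt would count these rather than drop them
        for technique, pattern in RECOVERY_INHIBITION_PATTERNS.items():
            if pattern.search(m.group("cmd")):
                findings.append(Finding(m.group("ts"), m.group("host"), m.group("user"), technique, m.group("cmd")))
                break
    return findings


def techniques_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Distinct techniques per host; several on one host in a short window is the strong signal."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f.host, set()).add(f.technique)
    return {host: sorted(techs) for host, techs in grouped.items()}


# --- Cloud: a new ingress rule open to the whole internet ---
def is_open_to_internet(source_cidr: str) -> bool:
    """True for any /0 range (0.0.0.0/0 or ::/0); unparsable input is treated as not open."""
    try:
        return ipaddress.ip_network(source_cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def evaluate_firewall_rule_event(event: dict) -> List[Tuple[str, str]]:
    """Automated actions for one constructed rule-change event.

    Only created or modified ingress rules are in scope; permissive egress rules are common by
    default and are treated as out of scope here (an assumption of this example).
    """
    if event.get("action") not in ("create", "modify") or event.get("direction") != "ingress":
        return []
    if not is_open_to_internet(event.get("source", "")):
        return []
    return [("disable_rule", event["rule_id"]), ("notify", event["created_by"]), ("notify", "security-team")]


def triage_firewall_events(events: List[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map rule_id -> planned actions for every event that warrants an automated response."""
    return {ev["rule_id"]: acts for ev in events if (acts := evaluate_firewall_rule_event(ev))}


# Constructed samples: five recovery-inhibition commands on WS-017 plus two benign uses of the same tools.
SAMPLE_PROCESS_LOG = [
    '2023-09-14T02:11:05Z host=WS-017 user=CORP\\jdoe parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-09-14T02:11:07Z host=WS-017 user=CORP\\jdoe parent=cmd.exe cmd="wmic.exe shadowcopy delete"',
    '2023-09-14T02:11:09Z host=WS-017 user=CORP\\jdoe parent=cmd.exe cmd="bcdedit.exe /set {default} recoveryenabled no"',
    '2023-09-14T02:11:10Z host=WS-017 user=CORP\\jdoe parent=cmd.exe cmd="wbadmin.exe delete catalog -quiet"',
    '2023-09-14T02:11:12Z host=WS-017 user=CORP\\jdoe parent=cmd.exe cmd="fsutil.exe usn deletejournal /D C:"',
    '2023-09-14T02:15:00Z host=SRV-BK01 user=CORP\\backupsvc parent=services.exe cmd="wbadmin.exe start backup -backupTarget:E: -include:C: -quiet"',
    '2023-09-14T02:16:30Z host=WS-022 user=CORP\\asmith parent=explorer.exe cmd="vssadmin.exe list shadows"',
]
SAMPLE_FIREWALL_EVENTS = [
    {"action": "create", "rule_id": "sg-0a1b-rule-7", "direction": "ingress", "source": "0.0.0.0/0", "ports": "3389", "created_by": "svc-deploy"},
    {"action": "create", "rule_id": "sg-0a1b-rule-8", "direction": "ingress", "source": "10.20.0.0/16", "ports": "443", "created_by": "jdoe"},
    {"action": "modify", "rule_id": "sg-0a1b-rule-9", "direction": "egress", "source": "0.0.0.0/0", "ports": "all", "created_by": "jdoe"},
    {"action": "create", "rule_id": "sg-0a1b-rule-10", "direction": "ingress", "source": "::/0", "ports": "22", "created_by": "tmp-admin"},
]

if __name__ == "__main__":
    print(techniques_by_host(hunt_recovery_inhibition(SAMPLE_PROCESS_LOG)))
    print(triage_firewall_events(SAMPLE_FIREWALL_EVENTS))
```

The benign lines show why the patterns key on the destructive verb rather than the tool name: a backup service legitimately runs wbadmin, and an administrator listing shadow copies is not a finding. Grouping by host turns five separate matches into the single observation that matters during triage, and the cloud evaluator returns its actions as data so the disable and notify steps can be reviewed or dry-run before being wired to a real API.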

The remaining sections in the Checklist address issues related to Reporting and Notification, Containment and Eradication, and Recovery and Post-Incident Response Activity. The Reporting and Notification section refers users to contact information at the end of the guide. It also suggests you consider requesting assistance from CISA, the FBI or your local U.S. Secret Service field office.

Remember: Paying ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, MS-ISAC, and federal law enforcement do not recommend paying ransom.
— Cybersecurity & Infrastructure Security Agency and Multi-State Information Sharing & Analysis Center (MS-ISAC), September 2020, Ransomware Guide

Additional reading and resources
AICPA & CIMA SOC for Cybersecurity
CAQ 2022 Audit Committee Transparency Barometer
Center for Internet Security
World Economic Forum Centre for Cybersecurity

Journal of Accountancy articles and podcasts:
‘Bots Emerge as Cyber Threat for Accounting Firms’
‘Cybersecurity Risk: Constant Vigilance Required’
‘Tech Roundtable: Getting Your Data in Order’ [podcast]

FM magazine articles:
‘5 Signs There Could Be IP Theft in Your Supply Chain’
‘Cyberattacks Stemming From Software on the Rise’
‘How to Prepare for Cyberattacks at a Time of Heightened Threat’
‘Organisations Ill-Prepared for the Stress of Complex Cyberattacks’



Endnotes
1 The White House, March 2023, National Cybersecurity Strategy.
2 The White House, National Cybersecurity Strategy, 1.
3 World Economic Forum, 2023, The Global Risks Report 2023, 18th Edition: 6.
4 World Economic Forum, The Global Risks Report 2023, 11.
5 ‘Our community’s priorities’, World Economic Forum Centre for Cybersecurity, accessed September 13, 2023.
6 ‘Our Initiatives’, World Economic Forum Centre for Cybersecurity, accessed September 13, 2023.
7 IBM Security® and Ponemon Institute, 2023, Cost of a Data Breach Report 2023: 5–7, 31.
8 AICPA, 2017, Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program: 9–10.
9 Cybersecurity and Infrastructure Security Agency, April 2023, Zero Trust Maturity Model (Ver. 2.0): 6.
10 IBM Security® and Ponemon Institute, 2023, Cost of a Data Breach Report 2023: 18.
11 Ibid, 20.
12 Ibid, 20.
13 Ibid, 72.
14 Ibid, 15.
15 Ibid, 49–50.
16 Ibid, 62–66.
17 Ponemon Institute, 2019, 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses.
18 Ibid, 3.
19 Ibid, 2.
20 Ibid, 5–6.
21 Ibid, 12.
22 Ibid, 7.
23 Ibid, 7.
24 Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023.
25 Cybersecurity and Infrastructure Security Agency, Spring 2021, Cyber Essentials Starter Kit: The Basics for Building a Culture of Cyber Readiness: 1.
26 Cybersecurity and Infrastructure Security Agency, Cyber Essentials Starter Kit, 2.
27 ‘About Cyber Essentials’, National Cyber Security Centre, accessed September 13, 2023.
28 National Cyber Security Centre, 2023, Cyber Essentials: Requirements for IT infrastructure v3.1: 3.
29 Information Commissioner’s Office, 2018, Regulatory Action Policy.
30 The White House, May 12, 2021, ‘Executive Order on Improving the Nation’s Cybersecurity’.
31 ‘About CMMC’, Chief Information Officer, U.S. Department of Defense.
32 ‘Procurement Policy Note 09/14: Cyber Essentials scheme certification’, Cabinet Office.
33 ‘SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies’ [press release], 26 July 2023, Securities and Exchange Commission; Public Company Cybersecurity Disclosures; Final Rules [fact sheet], Securities and Exchange Commission.


34 AICPA & CIMA and Center for Audit Quality, September 2023, What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules.
35 ‘Cyber Insurance’, Federal Trade Commission and National Association of Insurance Commissioners (NAIC).
36 Ibid.
37 American Institute of CPAs, 2021, Cybersecurity risk management reporting: fact sheet: 2.
38 ‘Who We Are’, Center for Internet Security.
39 ‘CIS Critical Security Controls’, Center for Internet Security.
40 Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and Joint Ransomware Task Force, May 2023, ‘Introduction’, #StopRansomware Guide: 3.
41 Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and Joint Ransomware Task Force, May 2023, ‘What’s new’, #StopRansomware Guide: 4.
42 ‘Detection and Analysis’, #StopRansomware Guide, Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and Joint Ransomware Task Force.



About AICPA & CIMA
The Association of International Certified Professional Accountants® (the Association) represents AICPA® & CIMA®
and works to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents
689,000 members, students and engaged professionals in public and management accounting and advocates
for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and
resources, the Association advances the reputation, employability and quality of CPAs, CGMA® designation holders
and accounting and financial professionals globally.

Acknowledgements
Ken Witt, CPA, CGMA, and Carrie Kostelec, CPA, of the AICPA & CIMA prepared the update of this tool. The original
tool was based on a webcast series that Kenneth R. van Wyk, President and Principal Consultant of KRvW
Associates LLC presented for AICPA & CIMA members.

Founded by AICPA and CIMA, the Association of International Certified Professional Accountants powers leaders in accounting and finance around the globe.

© 2023 Association of International Certified Professional Accountants. All rights reserved. AICPA and CIMA are trademarks of the American Institute of CPAs and The Chartered Institute
of Management Accountants, respectively, and are registered in the US, the EU, the UK and other countries. The Globe Design is a trademark of the Association of International Certified
Professional Accountants. 2309-555467

