DFARS Cyber Security for Small Business Contractors

In 1998, I listened to an IT staff member from a large contractor chew out the contractor’s accounting staff for ‘losing’ a folder stored on the company’s servers containing all of the year-end closing work. He proceeded to call the staff “idiots” and ignorant while glossing over the fact that the IT department’s backup of the critical data had failed the night before.

He noticed my smile and could not decide if I was agreeing with him or laughing at him, so he asked me what the F**K I was smiling about. I replied,

“I want to thank you. For years people have criticized accountants as being unresponsive to the company’s needs, speaking a language no one else understands, and not really caring about the success of the company. People now say this about IT people instead.”

A few weeks later, a software consultant with full access to all of the IT systems destroyed the company’s general ledger by using direct access to the database to create new balances in 146 general ledger accounts. The consultant then spent months trying to fix the error while hiding it from the company. Nine months later, one of the company’s employees printed out a general ledger report that showed a WIP balance of a little over two million dollars, while the subsidiary ledger showed an amount several times larger.

What saved us was the trial balance that I had printed out the day before the consultant screwed up the general ledger. I took the printout with me as a resource for my work for them with DCAA.

As a result of this lesson, and too many others, I started asking myself twenty years ago about the relationship between accounting and IT. Part of my thinking can be seen in the name I chose for my later technology company: “Accountable Technologies”. I would love to say that Edward Snowden was the final nail in the coffin, but there are thousands of accidental and deliberate Snowdens scattered across American businesses, large and small.

I personally believe that IT personnel should have episodic access to the accounting system, not access at will. Perhaps you do not agree with this; fine.

But you should take advantage of the new cyber security requirements adopted by the Department of Defense to think about the issue and to develop your own policies and procedures.

DARPA put up an excellent guide for small businesses with links to expanded materials. Take a look and think about it.

https://www.darpa.mil/work-with-us/for-small-businesses/cybersecurity

By the way, if you were wondering what happened to the missing folder, an employee visiting from another location to document procedures had moved the folder to her personal files for future reference, thinking she had copied it. We discovered this a couple of hours later when she wandered into the office.

More at www.dcaacompliance.com