Securing Your Firm: How To Manage Cyber Risk in the Professional Services Industry

In the latest episode of Cherry Bekaert’s Professional Services podcast, we discuss the importance of cybersecurity, privacy and data security within the professional services industry. Scott Duda, Professional Services Industry Leader, is joined by Steve Ursillo, a Partner with Cherry Bekaert’s Information Assurance & Cybersecurity practice, as they explore the top cyber threats facing the industry.

Listen to learn more about:

  • The top cyber threats facing the professional services industry
  • Why managing cyber risk is important for professional service organizations
  • How cyber threats affect the overall well-being and operational integrity of professional service firms
  • What measures professional services firms should implement to reduce their exposure to cyber threats
  • How Cherry Bekaert’s team assists professional service organizations to help manage the threat landscape

Professional services firms can benefit from expert assistance to effectively manage their cybersecurity threats to better ensure compliance, protect client data and maintain operational integrity.

Cherry Bekaert’s Information Assurance & Cybersecurity practice offers a full range of cybersecurity, privacy, attest and risk mitigation services to help protect your information systems, data and people from cyber threats. Our team can assist in identifying relevant cyber and privacy risks to create practical solutions and plans to reduce the likelihood and impact of any potential system or data breaches. Don’t wait until it’s too late to protect your firm from cyber threats. Contact us today to collaborate with our professionals and tailor a flexible and scalable solution to meet a variety of cyber, privacy and risk needs.


SCOTT DUDA: Welcome to the next in our Professional Services industry podcast series. I am Scott Duda, an audit partner with Cherry Bekaert.

I lead our Professional Services Industry Group, and we are here today to talk about cybersecurity in professional service firms. Joining me is Steve Ursillo to discuss some of the trends we have been seeing in this space. Welcome, Steve.

STEVE URSILLO: Thanks, Scott. Thanks for having me; it is a pleasure to be here.

As Scott mentioned, my name is Steve Ursillo. I am a partner here at Cherry Bekaert within the Risk Accounting Advisory group.

I am specifically involved in the information assurance and cybersecurity group. I am one of the leaders and head up the information assurance practice area as well as the offensive security practice area.

We provide an array of different services, from information assurance, SOC, HITRUST, and HIPAA compliance to CMMC, NIST, and ISO. There is a lot of "alphabet soup" as it pertains to your cyber and privacy governance risk objectives.

In addition to other privacy and data management security attestations or certifications, we also provide cyber and privacy risk management advisory services. We help organizations build and design their governance and risk management programs.

We help them evaluate those programs and provide technical advisory services to help them fulfill those initiatives. It is all part of what we do for a comprehensive offering.

SCOTT DUDA: Steve, we have heard a lot in the news recently about various significant hacks. From a client perspective, we have had many people bring us in—some preemptively and some after the fact. What are some of the current threats people are seeing in the professional services industry?

STEVE URSILLO: The persistent rise in sophisticated cyber threats continues to draw attention from business owners, professional advisors, regulators, investors, and other key stakeholders.

Attacks like ransomware, business email compromise, corporate account takeovers, credential attacks, supply chain attacks, and distributed denial-of-service attacks are consistently highlighted in the media.

Cyber threat adversaries are persistently exploring new and creative ways to monetize data, execute financial fraud, and disrupt business commitments or service level agreements.

Unfortunately, defending against these attacks is not a trivial task, even for organizations with a mature cyber defensive program. It is definitely not "set and forget."

Organizations must continue to evolve, stay on top of emerging threats, and mitigate their risks. Regarding deeper dives, ransomware attacks are quite significant.

When data is encrypted by adversaries and held for ransom, it disrupts operations and makes it difficult to provide services to clients. There is also the threat of disclosing data on the public domain if the ransom is not paid.

If organizations consider paying—which is not the recommended route but a business decision—there could be implications. Certain countries may be restricted because they are considered national threats.

We are also seeing many attacks through phishing and social engineering. Attackers find ways to trick people into clicking malicious URLs.

With emerging AI technologies, deepfakes and other types of audio and video fakes make it even harder for people to evaluate what is real.

We also see credential attacks, such as brute force attacks or password spraying. They might use malware for keyloggers or take credentials from the dark net.

There are also insider threats, including individuals with malicious intent or those who inadvertently give up information through a mistake or lack of training.

Supply chain attacks are a concern because of the trusted expectations between third parties, customers, and vendors. If a system is interconnected and a partner is attacked, the threat can traverse into other environments.

As organizations adopt cloud technologies, they may have misconfigured systems allowing improper data access. Organizations must incorporate risks from emerging technologies like AI, the Internet of Things, and blockchain into their risk assessments.

SCOTT DUDA: A lot of what you discussed is applicable across many industries, but why is managing cybersecurity risk so important for professional service organizations in particular?

STEVE URSILLO: Cybersecurity does not discriminate; it is industry-agnostic. However, most professional service organizations are trusted advisors.

They provide services that combine people, process, and technology. They have access to sensitive personal information and have a fiduciary responsibility to protect it.

There are legal and regulatory consequences if there is a breach. Safeguarding information preserves the reputation of the business and the work done on behalf of clients.

In many cases, the quality and timeliness of the information you provide is critical to a client's business objectives. Maintaining continuity of operations is essential for financial stability and competitive advantage.

SCOTT DUDA: So these cyber threats can affect the overall well-being and operational integrity of professional services firms?

STEVE URSILLO: Absolutely. Reputation is vital, and a significant breach could lead to financial loss, reputational damage, and legal repercussions.

Organizations must factor this into their risk assessment process, considering the providers they work with and the timeliness of disclosure requirements.

SCOTT DUDA: What types of measures should professional service firms implement to reduce their risk?

STEVE URSILLO: Organizations should consider an effective cyber risk management program to protect information and ensure compliance. There is no one "magic bullet"; it requires a combination of defense in depth.

They should establish a strong cyber governance program with appropriate policies and procedures. This is reinforced by a good risk assessment that considers inherent cyber risks.

They need to understand what type of data they have and what protection it requires. Protection expectations differ for private data, confidential data, Controlled Unclassified Information (CUI), or healthcare data.

You must understand where data resides within your technology systems, third parties, or cloud providers. If you do not know what you have, you cannot protect it.

You should design your program with proper safeguards to protect assets at the appropriate level. It is also important to monitor the effectiveness of the program on a regular basis.

This ensures the program meets leadership's risk appetite and fiduciary responsibilities. Key considerations include employee training, implementation of security policies, and threat detection.

An incident response program is also critical. You must be prepared for a breach and able to respond within the timetable expected by regulatory and legal authorities.

SCOTT DUDA: Where do you and your team step in throughout that journey? How do you help professional services organizations identify improvements and implement these steps?

STEVE URSILLO: Our information assurance and cybersecurity group is involved in many areas of protecting and safeguarding data. We are often brought in to provide assurance for organizations that are already executing these tasks operationally.

We perform certifications and attestations to provide assurance to stakeholders, boards of directors, or third parties through SOC reports. This gives third parties comfort regarding vendor risk management processes.

On the advisory side, organizations hire us to evaluate their programs or help in a managed service capacity. We help build, design, and evaluate programs.

We conduct or monitor risk assessment processes and assist with technical execution. Our teams provide vulnerability and penetration testing services, otherwise known as "red teaming."

We engage to try to circumvent controls and then present effective ways to manage the risk of an actual adversary doing the same.

We also help organizations build their incident response programs and provide breach coaching. Reporting timelines are stringent, requiring prescriptive runbooks and exercises.

Our team also assists with cyber diligence. When our transaction advisory teams are involved in due diligence, we complement their work by looking at the cybersecurity footprint of a target.

This ensures investors understand if the cybersecurity measures are where they need to be or if they present additional risk to the transaction.

Additionally, we handle third-party risk management, supply chain evaluations, and security awareness training. If an organization is short on resources, we offer managed service offerings to help augment their teams.

SCOTT DUDA: It is obvious how important a comprehensive approach to cybersecurity is. With the improvements in artificial intelligence, these threats will only become more challenging to identify.

I appreciate the expert assistance you and your team provide to our clients. For those listening, our contact information can be accessed where you found the podcast. We look forward to becoming your guide forward.

J. Scott Duda

Assurance Services

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC