Companies and their customer data are proven targets of sophisticated cyberattacks. As cybercrime is on the rise, draining about $500 billion a year from businesses, accounting firms are coming to the rescue. Here are some case studies that showcase how clients are upgrading their defenses, thanks to CPA firm cyber professionals.
Baker Tilly
By Tom R. Wojcinski, CISA, CRISC, CCSK, CCSFP, Principal, Cybersecurity & IT Risk Practice
A major retailer had not developed a comprehensive cybersecurity management program, functioning instead with a disparate set of disconnected security elements not aligned to a comprehensive framework. Baker Tilly cybersecurity professionals used a recognized and vetted cybersecurity framework (e.g., NIST, CSC) to assess the company’s current security profile, what the company was doing well and where there were issues or gaps, and built a three-year roadmap with remediation activities to help the company improve security and build and maintain a sustainable cybersecurity management program. The company is currently using the recommended remediation plans to further enhance its overall cybersecurity posture.
BDO USA, LLP
By Gregory Garrett, CISSP, PMP, CPCM, Head, U.S. and International Cybersecurity
Our client—a leading U.S. hospital association—needed an extensive review of its information security policies, plans, procedures and vulnerabilities to test its cyber readiness for a malicious attempt to harm the association. To accomplish this goal, we first conducted a cyber risk assessment of the association’s current policies and procedures against U.S. healthcare industry requirements. Second, we performed a cyber vulnerability assessment and network penetration test. Last, we delivered a customized cybersecurity awareness education and training program for the board of directors, senior leadership and membership of 5,600 hospital CEOs nationwide. These assessments helped to identify where the association had vulnerabilities and the kinds of threats that could critically undermine its systems, assets and reputation—insights which guided cyber investment priorities for the organization going forward.
By Michael Camacho, CPA, CIA, Partner, Cybersecurity Practice Co-Leader
Data breaches are at an all-time high, with daily headlines reporting large-scale breaches. Our cybersecurity team recently provided breach response services to a client that had fallen prey to a cyberattack that crippled its ability to do business. Minutes after being informed of the attack, our team of specialists executed a plan of action to stop the attack from inflicting any additional damage, assess who carried out the attack, learn what was compromised and deploy the proper defenses to mitigate the chance of a future attack. Within days, the IT environment was fully secured, and the client’s operations were back at full capacity. As a preemptive service, we perform simulated spear phishing campaigns for clients in order to reduce their susceptibility to becoming victims of actual spear phishing attacks.
By Shahryar Shaghaghi, MSc, Principal and National Director of Cybersecurity
A comprehensive risk assessment is the first step in developing an effective cybersecurity risk management program. When we first met with a mid-market construction company, they felt that a firewall and antivirus software were all they needed to protect themselves from cyber threats. When their ERP system was hit with ransomware, they realized that what they had was inadequate. Our risk assessment uncovered gaps in their cybersecurity, including ad-hoc policies and procedures and minimal technical controls. By utilizing the Center for Internet Security’s Top 20 Critical Security Controls as their framework, we elevated their cybersecurity maturity level through an enterprise security strategy that integrates with their business and is fully focused on incident prevention, detection and response.
Friedman CyZen LLC
By Jacob Lehmann, Managing Director
Our cybersecurity experts recently helped mitigate a breach against the municipal government of a U.S. county. This municipality fell victim to malware introduced through “spear phishing,” possibly exposing critical data. Our team conducted a threat assessment to evaluate the scope of damage and then, as part of the incident response process, performed a deep dive into the infected devices using computer forensics. Once the threat was eradicated, the team boosted the municipality’s overall security posture to prevent future attacks. Our process is unique, and our experts make a point of explaining their technical methodology to clients in a way they can understand and work as a force multiplier with client IT teams—ultimately giving clients the peace of mind that comes with knowing their valuable assets are safe.
Grassi & Co.
By Karl Kispert, Principal, Cyber and Information Security Practice
Our client, a real estate development firm, was the victim of phishing attacks, network malware, computers freezing, and compromised sensitive information and server access; the CEO and CFO realized that action had to take place immediately. We did not overwhelm the client with the fix all at once; rather we proceeded with a comprehensive technical assessment, then developed a strategic roadmap to strengthen them and reduce their cyber and information security risk. Some of the key areas we addressed include a risk and compliance management plan; third-party vendor risk; policies and procedures; business continuity and disaster recovery; security awareness and phishing; physical and environmental security, and penetration testing.
By Mark Jensen, Director of Technology
A non-profit client approached us for help with technology issues and inefficiencies they were experiencing. After performing a needs assessment and subsequent discussions with the client, we determined they needed to improve security and address technological inefficiencies across their network. We migrated them from an on-premises e-mail solution to a cloud solution that would not only reduce costly and complex ongoing maintenance but would also increase security and improve mobility. Then we implemented next-generation Firewall/UTM devices with daily reporting, cloud-based endpoint protection, group policies limiting the use of externally connected USB devices and disabling any unnecessary protocols within the internal network. This organization now has annual penetration tests performed externally and internally to continually test for current vulnerabilities and to help safeguard the client from future threats.
PKF O’Connor Davies, LLP
By Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE, Principal, Cyber Risk Management
We were engaged by a school district to identify its cyber risks. We discovered two critical weaknesses: the district viewed information security as solely an IT responsibility, and it lacked an overarching information security strategy across schools and business offices. Working closely with the administration, we illustrated the need for a districtwide information risk management strategy and then identified and trained all the key stakeholders. Once we resolved the governance concern, we re-engineered a program focused on three key tenets: people, process and technology. The district fully embraced our work; existing technologies were complemented by new tools for a minimal capital expenditure.
Sax Technology Advisors
By Matthew Hahn, Chief Technology Officer
We recommend a defense-in-depth approach for our clients to combat the growing presence of cyber threats. For the best protection, we typically provide a fundamental security toolkit, which includes internal security awareness training geared toward educating staff on how best to protect themselves and the company’s data and systems. It also includes a network assessment to determine whether the technology solutions currently in place are appropriate and to identify where enhancements can be made. There is often a need to implement a Security Operations Center—a facility where a company’s IT environment is monitored 24/7—to gain deeper insight into what’s happening both inside and outside of a client’s network. A combination of all three solutions can mitigate many of the internal and external threats that businesses now face.
Sobel & Co., LLC
By Kim Miller, Ph.D., CFE, Cyber Practice Leader
A due diligence investigation—a background check on a company and its principal—was performed for a client who utilizes e-commerce vendors. While none of the results on their own was necessarily cause for alarm, the presence of two or more issues raised suspicions. Our investigation noted that the principal had three criminal charges for drug dealing and several monetary theft charges. The owner had changed the company name right after he was charged with the offenses, showing that he did not want clients to know about his criminal charges. The vendor also had financial issues. By ending the relationship, this investigation protected the client from internal threats and from any potential hacking that a social engineering hacker could launch to get an internal user to provide sensitive credential information.
Withum
By Joe Riccie, CPA, Partner, Cybersecurity Practice Leader
A client had a phishing attempt made with an e-mail impersonating the CFO to the controller instructing a wire transfer. The controller was not fooled, and the client’s IT performed an internal investigation. Withum was then hired to do additional digital forensics work, double-checking the security posture. We found that the CFO had fallen for a previous phish months prior, which captured his e-mail, username and password, allowing the hacker to track his e-mails for months. We fixed the issue and checked the logs to ensure no other accounts were compromised. In addition, Withum performed a detailed internal and external penetration test, simulating an attack on the client’s systems to evaluate the system security, and ran phishing tests. We also provided education for the employees to prevent future attempts.