Understanding Cybersecurity Breaches at Consulting Firms
Cybersecurity threats are affecting consulting and professional service firms, causing substantial losses. Kayne McGladrey (@kaynemcgladrey), an IEEE Member and professional services director, weighed in on how consulting firms can mitigate threats, keep client data safe and learn from current breaches.
IEEE Transmitter: What are some breaches that consulting and professional service firms should learn from, what are the key takeaways/lessons?
McGladrey: Two recent news articles come to mind. In Washington State, the Lake Kennedy McCulloch, CPA firm was breached. They are a tiny firm with 10 CPAs, but they had to notify their clients that their 2016 tax returns were filed fraudulently due to a breach and that the “bad guys” also had stolen tax returns from 2015. The other story is about a 200-person law firm in Chicago that had been pre-emptively sued in the case of Jason Shore and Coinabul, LLC et al. v. Johnson & Bell. The basis of the suit was that the firm’s security systems allegedly were not up to industry standards and that there was a risk that client data could potentially be breached.
What’s similar here is that these are both small firms grappling with cybersecurity and keeping up to date with reasonable protection for their client data. Neither firm is a security firm, but they face the very real risk of irreparable harm to their reputation from cybersecurity threats. If we look to Cisco’s 2017 Annual Cybersecurity Report, 40% of businesses that suffered a breach lost business opportunities, and 25% said those were substantial. Most professional service firms can’t suffer a substantial loss to their sales pipeline or key accounts without a reduction in force.
IEEE Transmitter: How can a consulting firm mitigate cyber threats effectively, either in preparation before one takes place or after one strikes?
McGladrey: The most common threats today require a compromised user account for bad actors to make a beachhead. Companies need to protect users’ identities and ensure that users have privileges to only the resources they need to perform their role. A CPA or an attorney should have access to their client’s files, not all the files or sales lists in the firm. We also need to validate that the user is who they claim to be, and a password is an inadequate security control for that purpose.
The most resilient companies deploy an Identity and Access Management (IAM) program with a form of multi-factor authentication (MFA). Consider if a managing partner logs into Wi-Fi at a coffee shop on her way to work in Chicago to review her email. She then walks to work and logs in to get a presentation. At the same time, she logs in from Australia. An IAM strategy is going to see that’s physically impossible and challenge the user in Australia via MFA for a fingerprint or to type in a code to continue, and the “bad guy” is going to move on to the next soft target.
IEEE Transmitter: Are business members doing enough to keep up with cyber risks and taking reasonable steps to secure client information as part of the practitioner’s ethical obligation? If not, how can they do better?
McGladrey: Not uniformly. If you look at Intel Security’s February 2017 report called “Tilting the Playing Field,” only 49% of companies reported their cybersecurity strategy is fully implemented across their organization. That’s a target-rich environment for criminals. Companies that aren’t in the cybersecurity consulting business need their leadership to commit to a pragmatic approach to identity and access management – because if the villains can’t use stolen credentials, they cannot exfiltrate client data.
IEEE Transmitter: What statistics, assessments and reports should business leaders and security analysts be looking for and tracking to stay ahead of a data breach?
McGladrey: There are dozens of reports out there, and I’m in the habit of tweeting two security statistics during the work week, as I read the reports. The reports I look forward to are the Insider Threats reports by Carnegie Mellon and CERT, Verizon’s annual Breach Report, and AT&T’s Cybersecurity Insights series. Businesses that aren’t in the cybersecurity space should talk to their IT provider to find a reputable expert firm that can help make sense of the threats and provide actionable, personalized guidance. You want to work with someone who’s done this before because the good guys must be right a hundred percent of the time. “Bad guys” can just be right once and still cause immense damage.