Understanding Cybersecurity Breaches at Consulting Firms
March 29, 2017
Cybersecurity threats are affecting consulting and professional service firms causing substantial losses. Kayne McGladrey (@kaynemcgladrey), an IEEE Member and professional services director, weighed in on how consulting firms can mitigate threats, keep client data safe and learn from current breaches.
IEEE Transmitter: What are some breaches that consulting and professional service firms should learn from, what are the key takeaways/lessons?
McGladrey: Two recent news articles come to mind. In Washington State, the Lake Kennedy McCulloch, CPA firm was breached. They are a tiny firm with 10 CPAs, but they had to notify their clients that their 2016 tax returns were filed fraudulently due to a breach and that the “bad guys” also had stolen tax returns from 2015. The other story is about a 200-person law firm in Chicago that had been pre-emptively sued in the case of Jason Shore and Coinabul, LLC et al. v. Johnson & Bell. The basis of the suit was that the firm’s security systems allegedly were not up to industry standards and that there was a risk that client data could potentially be breached.
What’s similar here is that these are both small firms grappling with cybersecurity and keeping up to date with reasonable protection for their client data. Neither firm is a security firm, but they face the very real risk of irreparable harm to their reputation from cybersecurity threats. If we look to Cisco’s 2017 Annual Cybersecurity Report, 40% of businesses that suffered a breach lost business opportunities, and 25% said those were substantial. Most professional service firms can’t suffer a substantial loss to their sales pipeline or key accounts without a reduction in force.
IEEE Transmitter: How can a consulting firm mitigate cyber threats effectively, either in preparation before one takes place or after one strikes?
McGladrey: The most common threats today require a compromised user account for bad actors to make a beachhead. Companies need to protect users’ identities and ensure that users have privileges to only the resources they need to perform their role. A CPA or an attorney should have access to their client’s files, not all the files or sales lists in the firm. We also need to validate that the user is who they claim to be, and a password is an inadequate security control for that purpose.
The most resilient companies deploy an Identity and Access Management (IAM) program with a form of multi-factor authentication (MFA). Consider if a managing partner logs into Wi-Fi at a coffee shop on her way to work in Chicago to review her email. She then walks to work and logs in to get a presentation. At the same time, she logs in from Australia. An IAM strategy is going to see that’s physically impossible and challenge the user in Australia via MFA for a fingerprint or to type in a code to continue, and the “bad guy” is going to move on to the next soft target.
IEEE Transmitter: Are business members doing enough to keep up with cyber risks and taking reasonable steps to secure client information as part of the practitioner’s ethical obligation? If not, how can they do better?
McGladrey: Not uniformly. If you look at Intel Security’s February 2017 report called, “Tilting the Playing Field,” only 49% of companies reported their cybersecurity strategy is fully implemented across their organization. That’s a target-rich environment for criminals. Companies that aren’t in the cybersecurity consulting business need their leadership to commit to a pragmatic approach to identity and access management – because if the villains can’t use stolen credentials, they cannot exfiltrate client data.
IEEE Transmitter: What statistics, assessments and reports should business leaders and security analysts be looking for and tracking to stay ahead of a data breach?
McGladrey: There are dozens of reports out there, and I’m in the habit of tweeting two security statistics during the work week, as I read the reports. The reports I look forward to are the Insider Threats reports by Carnegie Mellon and CERT, Verizon’s annual Breach Report, and AT&T’s Cybersecurity Insights series. Businesses that aren’t in the cybersecurity space should talk to their IT provider to find a reputable expert firm that can help make sense of the threats and provide actionable, personalized guidance. You want to work with someone who’s done this before because the good guys must be right a hundred percent of the time. “Bad guys” can just be right once and still cause immense damage.
Kayne McGladrey is an IEEE Member and professional services director at Integral Partners with 20+ years of experience, including 10 years cultivating and building best practices within professional services organizations. Kayne has presented on cybersecurity to IEEE-USA and created the first industry-recognized online class about the fundamentals for professional services management.
Impact of Technology in 2024
Emerging AI Cybersecurity Challenges and Solutions
The Skies are Unlimited
Smart Cities 2030: How Tech is Reshaping Urbanscapes
Impact of Technology 2023
Cybersecurity for Life-Changing Innovations
Smarter Wearables Healthier Life
Infrastructure In Motion
The Impact of Tech in 2022 and Beyond
Cybersecurity, Technology and Protecting Our World
How Technology Helps us Understand Our Health and Wellness
The Resilience of Humanity
Harnessing and Sustaining our Natural Resources
Creating Healthy Spaces Through Technology
Exceptional Infrastructure Challenges, Technology and Humanity
The Global Impact of IEEE's 802 Standards
Scenes of our Cyber Lives: The Security Threats and Technology Solutions Protecting Us
How Millennial Parents are Embracing Health and Wellness Technologies for Their Generation Alpha Kids
Space Exploration, Technology and Our Lives
Global Innovation and the Environment
How Technology, Privacy and Security are Changing Each Other (And Us)
Find us in booth 31506, LVCC South Hall 3 and experience the Technology Moon Walk
Virtual and Mixed Reality
How Robots are Improving our Health
IEEE Experts and the Robots They are Teaching
See how millennial parents around the world see AI impacting the lives of their tech-infused offspring
Take the journey from farm to table and learn how IoT will help us reach the rising demand for food production
Watch technical experts discuss the latest cyber threats
Explore how researchers, teachers, explorers, healthcare and medical professionals use immersive technologies
Follow the timeline to see how Generation AI will be impacted by technology
Learn how your IoT data can be used by experiencing a day in a connected life
Listen to technical experts discuss the biggest security threats today
See how tech has influenced and evolved with the Games
Enter our virtual home to explore the IoT (Internet of Things) technologies
Explore an interactive map showcasing exciting innovations in robotics
Interactively explore A.I. in recent Hollywood movies
Get immersed in technologies that will improve patients' lives