Cybersecurity starts with process, then wins with practice

“Proactive professional services firms will have built a strong cybersecurity governance model and structure.”

John Pearce

Grant Thornton Cyber Risk Advisory Services Principal

“Proactive professional services firms will have built a strong cybersecurity governance model and structure,” said Grant Thornton Cyber Risk Advisory Services Principal John Pearce. “They have applicable data security models to handle sensitive data, and they have implemented and tested detection response and recovery capabilities overall.”

Governance processes do not prevent cyberattacks, but well-designed governance can minimize both the risks and the damage of such attacks. Services firms need to start by establishing and evaluating effective cybersecurity processes. Then, they need to put their processes into practice.

Put process into practice

“When professional services companies get it right, they not only plan for the bad day before it happens — they practice for it, as well,” Lee said. Putting your processes into practice isn’t just a tagline; it’s literal advice. You need to conduct actual practice drills. Testing the execution of cybersecurity response programs is the only realistic basis for assurance that the organization can deliver a swift and comprehensive response to a real incident.

“When companies practice their cybersecurity processes, do simulation work, bring in their third parties, and make sure simulations are reasonable and tailored to their risk profile — that’s when they become truly resilient.”

Johnny Lee

Grant Thornton Forensic Advisory Services Principal

“When companies practice their cybersecurity processes, do simulation work, bring in their third parties, and make sure simulations are reasonable and tailored to their risk profile — that’s when they become truly resilient,” Lee said.

Your digital environment can have a lot of players, including on-site and remote employees, software providers, vendors and cloud computing companies. Each group needs to know its responsibility in an incident response posture, to help ensure their actions are both immediate and appropriate to the situation. These groups must fulfill their roles correctly for the team to succeed, and the only way to ensure this is through simulation and practice.

For unprepared or underfunded teams, a cybersecurity incident often introduces protracted and messy clean-up efforts that require significant work and cost — along with the reputational damage. Yet, it can be difficult to coordinate processes and practices across a large community, especially on the “shoestring and duct tape kind of back-office budget” that Pearce said he has seen at many professional services firms.

Your data, and your client data, are worth protecting.

Understand the risks

A compromise of the data with which your organization was entrusted, especially data protected by privacy regulations, can lead to two important types of consequences for professional services firms.

First, the reputational harm is “very hard to quantify, has a very long tail chronologically, and is sometimes even insurmountable, causing existential damage to an organization” Lee said. Reputational harm can lead to a loss of customers, drop in stock price, loss of intellectual property or an outright closure of the business.

Second, Lee said, “There's also very significant legal and regulatory exposure, with civil liability as well.” These fines, fees and lawsuits can grow in response to the attack. The cost of addressing a significant compromise in a reactive mode can quickly eclipse the cost of having proactive processes in practice, which is why cybersecurity has become more than an issue of business continuity.

Kobe Bryant’s workout regimen must have seemed relentless at times. But the payoff was massive. Professional services firms must adopt a similar mindset, relentlessly practicing sound processes to minimize both the risks and the impacts of an inevitable cyberattack.