Cybersecurity starts with process, then wins with practice


NBA legend Kobe Bryant was famous for his workout regimen, ominously called the “666 routine” because he exercised for six hours a day, six days a week, for six months in the off season. It’s a solid process, but a process is only the start. Bryant had the dedication to put that process into practice — and that’s what helped him drive success.


To succeed at protecting client data, professional services firms need to start with solid processes. Then, they need to consistently put those processes into practice.


Firms that provide accounting, legal, architectural, consulting, and other professional services often have to handle critical data from their clients. Cybercriminals know when companies have large pools of valuable data — and often, services firms do not have adequate data protection.




Take control


Before you put cybersecurity processes into practice, you need to take control of the data you’re protecting. Before you can take control, you need to understand what data you possess, where sensitive data reside, how they are exchanged, and who owns or oversees the data.


Strong cybersecurity is built upon the premise of “defense in depth,” which can be thought of in terms of layers of defense and detection. In risk management, this is also known as compensating controls (controls that compensate for “upstream” failures to prevent or detect an unwanted outcome). Compensating controls provide fail-safes by establishing backup or parallel procedures to ensure that data remain stored and secured in a manner that minimizes risk. That way, if a system compromise occurs, there are layers of controls that mitigate the possible damage from it.


Compensating controls provide a key ingredient to protecting sensitive data from a cybersecurity incident. “The resilience quotient of an organization — the ability to bounce back from an incident — depends upon the nature and performance of compensating controls in your environment,” said Grant Thornton Forensic Advisory Services Principal Johnny Lee. “These compensating controls can originate in numerous areas of the organization: IT hygiene, HR hygiene, governance, risk management, legal, third-party specialization, third-party risk management and more … each of these represents a potentially potent category of compensating control.”




Establish the process


To form solid cybersecurity controls, start with governance that clearly spells out roles, responsibilities, procedures and expected outcomes.


John Pearce

“Proactive professional services firms will have built a strong cybersecurity governance model and structure.”

John Pearce

Grant Thornton Cyber Risk Advisory Services Principal

“Proactive professional services firms will have built a strong cybersecurity governance model and structure,” said Grant Thornton Cyber Risk Advisory Services Principal John Pearce. “They have applicable data security models to handle sensitive data, and they have implemented and tested detection response and recovery capabilities overall.”


Governance processes do not prevent cyberattacks, but well-designed governance can minimize both the risks and the damage of such attacks. Services firms need to start by establishing and evaluating effective cybersecurity processes. Then, they need to put their processes into practice.




Put process into practice


“When professional services companies get it right, they not only plan for the bad day before it happens — they practice for it, as well,” Lee said. Putting your processes into practice isn’t just a tagline; it’s literal advice. You need to conduct actual practice drills. Testing the execution of cybersecurity response programs is the only realistic basis for assurance that the organization can deliver a swift and comprehensive response to a real incident.


Johnny Lee

“When companies practice their cybersecurity processes, do simulation work, bring in their third parties, and make sure simulations are reasonable and tailored to their risk profile — that’s when they become truly resilient.”

Johnny Lee

Grant Thornton Forensic Advisory Services Principal

“When companies practice their cybersecurity processes, do simulation work, bring in their third parties, and make sure simulations are reasonable and tailored to their risk profile — that’s when they become truly resilient,” Lee said.


Your digital environment can have a lot of players, including on-site and remote employees, software providers, vendors and cloud computing companies. Each group needs to know its responsibility in an incident response posture, to help ensure their actions are both immediate and appropriate to the situation. These groups must fulfill their roles correctly for the team to succeed, and the only way to ensure this is through simulation and practice.


For unprepared or underfunded teams, a cybersecurity incident often introduces protracted and messy clean-up efforts that require significant work and cost — along with the reputational damage. Yet, it can be difficult to coordinate processes and practices across a large community, especially on the “shoestring and duct tape kind of back-office budget” that Pearce said he has seen at many professional services firms.


Your data, and your client data, are worth protecting.




Understand the risks


A compromise of the data with which your organization was entrusted, especially data protected by privacy regulations, can lead to two important types of consequences for professional services firms.


First, the reputational harm is “very hard to quantify, has a very long tail chronologically, and is sometimes even insurmountable, causing existential damage to an organization” Lee said. Reputational harm can lead to a loss of customers, drop in stock price, loss of intellectual property or an outright closure of the business.


Second, Lee said, “There's also very significant legal and regulatory exposure, with civil liability as well.” These fines, fees and lawsuits can grow in response to the attack. The cost of addressing a significant compromise in a reactive mode can quickly eclipse the cost of having proactive processes in practice, which is why cybersecurity has become more than an issue of business continuity.


Kobe Bryant’s workout regimen must have seemed relentless at times. But the payoff was massive. Professional services firms must adopt a similar mindset, relentlessly practicing sound processes to minimize both the risks and the impacts of an inevitable cyberattack.




Related resources












Our fresh thinking