

How to beat the hackers at their own game


By Ian Lavis on behalf of Praxity Global Alliance


Want to improve your cybersecurity? Consider getting an accounting firm to hack into your system, fix the weak points and train your staff.

As cyberattacks become ever more widespread and increasingly devastating to a company’s bottom line, accounting firms are helping businesses shore up their defences with ‘ethical hacking’.

Many companies rely on simple penetration testing to identify weak points in their cybersecurity system, or vulnerability testing to identify known flaws that require patching.

Unfortunately, these tests do not identify the precise assets an attacker may be able to access once they have hacked into a system. Neither do they use the tools that a real attacker uses, such as malware, social engineering, and basic human persistence.

However, security-focused accounting firms are now beating hackers at their own game with full ‘digital attack simulation’, a far more rigorous approach to protecting a company’s assets against potentially huge losses in the event of an attack.


Protecting your assets

Digital attack simulation typically involves:

  • Emulating the actions a hacker might take in the event of a cyberattack
  • Scenarios based on real-world threats
  • Exposing and patching up weak points
  • Helping companies update their systems
  • Training staff to defend against future attacks

Rex Johnson, Director of Cybersecurity at independent accounting firm BKD CPAs & Advisors in the USA, says: “A lot of organisations are doing penetration testing quickly and not very thoroughly. This can be very dangerous.”

He adds: “Penetration tests are good but we also need to find the things that do not come up in the tests. We need to find the vulnerabilities and explain why they are bad and why companies need to do something about it.”


Red alert

To delve deeper into companies’ cybersecurity systems and provide greater levels of protection, BKD recently launched a digital attack simulation service called BKD Red Team, whereby ethical hackers ‘attack’ a client security system and the results are used in training sessions with the client’s IT department.

Traditional forms of penetration testing typically relay information on vulnerabilities via technical, often difficult-to-decipher reports. BKD’s Red Team conducts a more in-depth analysis of a client’s system to identify the actual data that could be compromised. The team’s cybersecurity experts then offer recommendations on how to better safeguard sensitive data and avoid costly breaches, and provide training on how to respond to a cyber incident more quickly.

Digital attack simulation is designed to demonstrate what an actual hacker can do once they penetrate a system. It helps companies identify which data stores are vulnerable.

Citing a recent example in which a team of BKD cyber professionals hacked into a client’s system in a controlled situation, Rex says: “We were able to demonstrate that the company’s patches were old, its systems needed updating and its defences were lacking. We captured sensitive information to include records with personally identifiable information (PII), classified technical documents, critical data stores, as well as passwords.”

In another example, ethical hackers discovered an external contractor was logged on to a guest wireless network with a weak password, exposing a serious vulnerability that could have resulted in a major data breach.


Not just a question of compliance

Rick Lucy, BKD’s director of IT Risk Services, adds: “Digital attack simulation takes cybersecurity out of the realm of compliance to become a security issue.” He explains that compliance is merely a snapshot in time, whereas security is an ongoing process which “continues to add value”.

Globally, the average cost of a data breach was $3.86 million in 2018, according to the Ponemon Institute. Worryingly, it takes organisations an average of 197 days to realise they’ve been breached.

Such is the growth of cybercrime that experts now believe there are two types of organisation:

  1. Those that have been attacked
  2. Those that will be attacked

Whether your organisation is a victim of cybercrime or not, the need for adequate cybersecurity is paramount to protect its most valuable assets. The chances are your company won’t be able to prevent an attack, but it can greatly reduce the impact of an attack.

In essence it’s about damage limitation. Rex explains: “We help the client understand that a hacker can get in, but this doesn’t necessarily mean they can gain full access to the system.”


Peace of mind

Digital attack simulation is becoming increasingly popular as a way to ‘out-hack’ the hackers at their own game, but with more and more cybersecurity specialists offering various types of hacking services it is not always easy to know who to turn to for support.

This is where accounting firms can make a difference, not just in providing peace of mind, but also in terms of being able to offer a wider package of support. “I think it’s really important to be a trusted advisor,” Rick stresses. “Coming from an accounting firm we provide extra value from a business perspective.”

BKD CPAs & Advisors is a participant firm in Praxity Global Alliance – the world’s largest alliance of independent accounting and consulting firms, with more than 100 members worldwide. The Alliance facilitates the sharing of expertise on cybersecurity, accounting, audit and general business support among participant firms so that clients can work seamlessly across international borders.