Preventing Cyber Threats from Derailing Your Momentum

Today’s most extreme threats to organizational stability often come in the form of digital dangers. Data breaches and other cyber crimes pose a substantial risk to the successful operation and profitability of your business, as well as to the clients you serve and the professionals you employ. Protecting your data and your business from cyber threats has never been more critical.

Small and middle market businesses and non-profits often think they are immune to these threats, but nothing could be further from the truth. These organizations are often targeted and, in fact, may be at even greater risk than larger entities. If your organization has an online presence or uses the internet for any business-related need, it is imperative that you identify imminent threats and vulnerabilities, create a comprehensive risk management plan to safeguard your key data assets and operations and rigorously control access to sensitive information.

PBMares brings the knowledge and industry experience necessary to thoroughly evaluate Service and Organizational Controls (SOC). They successfully advised our company on control measures needed to satisfactorily comply with SOC audit requirements. PBMares’ professional services have proven to be a huge enhancement to our compliance program as well as a positive marketing tool for new prospective clients.

Christopher A. Plyler, CPA, Chief Financial Officer, CREDIT CONTROL CORPORATION

Don’t become the next victim. Let us help protect your business from cyber criminals.

PBMares provides a complete assessment of your organization’s cyber risks, as well as a comprehensive cybersecurity plan to minimize vulnerabilities and manage strategic threats.

AICPA Cybersecurity Advisory Services Certificate

Our experienced cyber risk professionals have been performing IT audits and risk assessments for 15 years, and unlike standard IT providers, as CPAs and consultants, we have an intimate understanding of your organization’s unique processes and operations. You can rely on us for complete cybersecurity services and solutions tailored to your risk profile and network, rather than a standard model that may not reflect vulnerabilities that are individual to your situation.

Your engagement includes a:

  • Customized data map to assess your unique technology environment. By working with your team, key data assets and their supporting technology layers will be identified. This helps pinpoint what data resides where and what needs to be protected based on the threat level, risks and potential impact to those assets.
  • Strategy designed specifically for your technology environment that will identify weak security controls and cyber risks. In addition, it will assist you in managing those risks by recommending sustainable solutions that will lay the foundation for a strong cybersecurity footprint as your company continues to grow.

The PBMares Cyber & Control Risk Services Team is pleased to offer a wide range of tailored cybersecurity consulting services, described below.

From security breaches at large retailers and hospital systems to Category 5 hurricanes, rogue employees and wild forest fires, the past few years have made us aware that disruption cannot be planned. What can be planned is our response.

That means it is not enough to have a Business Continuity and Disaster Recovery plan sitting on a shelf somewhere; the plan needs to be reviewed and tested periodically. PBMares can help. By reviewing your plan, making sure your assets are well-protected and your employees have clearly defined roles even under the most trying circumstances, you can keep disruption to a minimum.

A cyber breach can have a significant negative impact on your organization. To help reduce this risk, you need a cyber risk assessment. This should include looking at your security framework to identify situations that could pose a threat to your network, systems, data or cybersecurity posture. Our cyber specialists apply a deep understanding of key IT controls and cybersecurity threats to evaluate critical applications and supporting technology layers within your organization where sensitive data exists.

These areas include your company’s IT security policies and procedures, business continuity plan, physical and environmental security, asset management, HR data security, security communications and operations management, security awareness training, third-party security, incident management, network security, malware protection, monitoring, removable media controls, access control and systems development life cycle (SDLC). During the assessment, our cyber team will work with you to:

  • Evaluate Overall Cyber Risk. Every business with an online presence faces the threat of a breach of its security. Alleviating the risk is critical, especially if your business processes, stores or transmits sensitive information such as credit card or health care information. Investing in an overall assessment of your cyber risk in these five key areas—operational, transactional, compliance, strategic and reputational—gives you a baseline against which you can measure the risk level. Once you have that, you can allocate resources to counteract the risk.
  • Assess Risk Appetite and Preparedness. How much risk can you tolerate? Once you’ve determined that, you can decide on the steps you’re prepared to implement, as well as a budget and a timeline.
  • Review Alignment of Preparedness to Risk. Sometimes it is worth getting another opinion about the risks you are facing. You may find you are vulnerable in an area you haven’t thought about.
  • Determine Risk Management Practices and Controls. Having a set of policies and procedures in place to minimize exposure is critical to cybersecurity preparedness. In this era of mobile devices, strong and strategic internal controls are arguably the most effective way to prevent breaches.
  • Develop Corrective Action Plans. PBMares experts have the experience and expertise to develop, prioritize, and communicate a list of cybersecurity risks to key stakeholders in the organization, and assist your company’s leadership team throughout the process of exposing hidden risks and vulnerabilities to find workable solutions to help mitigate them.

Understanding the criticality of data in your organization’s environment and where it lives is crucial to protecting it. Our cyber team will identify the nature and type of sensitive data in your organization, establish sensitivity levels for different types of data and assign the applicable sensitivity level to the data and label the data accordingly.

Specifically, this includes:

  • Identifying business obligations
  • Identifying and documenting sensitive data that is stored, processed or transmitted through the organization
  • Reviewing the existing data classification policy and updating it as necessary
  • Identifying and documenting the systems where sensitive data is stored, processed or transmitted
  • Understanding flows of data to, through and from the organization
  • Documenting data classifications
  • Training users to identify and protect sensitive data in accordance with company requirements

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for the protection and management of sensitive patient data. All companies that deal with protected health information (PHI) must comply with standards regarding physical, network and process security measures. The goals of the HIPAA security assessment are to ensure the privacy and security of PHI and to focus on administrative, technical and physical safeguards. The HIPAA Security Rule requires that organizations conduct a cybersecurity risk assessment periodically. You can depend on PBMares’ cyber team to perform an initial gap analysis of your organization based on the NIST Cybersecurity Framework (CSF), identify any gaps between current practices and HIPAA requirements, provide recommendations for remediation, and prepare a HIPAA security assessment report.

According to recent statistics, more than 90 percent of data breaches are caused by human error. Computer users are often referred to as the “weakest link” in information security. Security awareness training is an important component of managing this risk. Your staff needs to be aware that they have an integral role in protecting your company’s digital security. Allow our team to provide security awareness training or assist you in developing a comprehensive security awareness training program.

Use of the cloud, social media and the internet has opened companies of all kinds to different kinds of threats. Having policies and procedures in place to thwart them is key. Information security policies can help ensure cybersecurity risk is minimized and that any security incidents are effectively responded to. Security policies should:

  • Protect people and information
  • Set expectations
  • Authorize security personnel to monitor, probe and investigate
  • Define consequences of violations
  • Establish a baseline stance on security
  • Minimize risk
  • Ensure compliance with regulations and legislation

You can depend on PBMares’ cybersecurity experts to review and assist you with developing comprehensive policies to address your organizational needs.

No matter how secure you think your systems are, the potential is there for someone to breach your controls. If that happens, you need a plan in place so you can respond quickly. Our experts have the expertise to develop or improve incident response policies and procedures, and ensure the incident response team contains the correct roles and responsibilities that will quickly neutralize the threat.

In recent years, it has become increasingly popular for institutions to outsource business support, system operations and IT activities to service organizations. With that trend came new standards for reporting on service organization controls. PBMares will help you satisfy any assurance requirements and assess the effectiveness and risks of your third party’s controls through:

  • SOC 1

    Organizations across the board, including publicly traded companies, private companies and not-for-profits may require verification that the third-party data security experts who work on their financial statements operate under a strong set of internal controls. These verifications come in the form of various levels of System and Organization Controls (SOC) reports. The reports assure your clients and prospective clients that your internal controls are secure. Examples of service companies that may require such reports include data center companies, loan servicing companies, medical claims processors and payroll processors.

    SOC 1 reports, also known as the Statement on Standards for Attestation Engagements (SSAE) 18, focus on your organization’s business processes and IT controls. Any that are likely to be relevant to an audit of your customers’ financial statements are documented in the report.

    There are two types of SOC reports: Type 1 reports test the design of your organization’s controls as of a certain date. Type 2 reports test whether your controls are properly designed, in place and documented, and also provide an opinion on operating effectiveness over a set time period (usually 12 months).

  • SOC 2

    These reports concentrate on five Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. SOC 2’s requirements allow data providers to decide how they want to meet the criteria. This flexibility means SOC 2 reports are unique to each company, and makes the choice of auditor particularly important. You need to choose an audit team with a deep understanding of SOC controls and best practices. SOC 2 reports may be shared under an NDA with the organization’s management, regulators or select other parties.

  • SOC 3

    SOC 3 reports examine the same five Trust Services Principles as SOC 2 reports, but the results of the audit are publicly available.

  • SOC: Cybersecurity

    Organizations need to show they are managing the threat of security breaches by having processes and procedures in place to detect, respond to, mitigate and recover from any breaches. Using the AICPA’s cybersecurity risk management reporting framework, PBMares’ team will give you the credibility you need to communicate the effectiveness of your organization’s cybersecurity risk management program.

  • SOC Readiness Assessments

    These assessments provide an overview of your organization’s preparedness for a successful SOC 1, 2, 3 or Cybersecurity audit. At the end of the assessment, our experts will let you know which identified control gaps or observations need to be addressed and remediated in order for your SOC audit to be successful.

When it comes to your company’s vulnerability to cyberattacks, there are two kinds of vulnerabilities: internal and external. There are hundreds, if not thousands, of new vulnerabilities identified every day. A vulnerability scan is designed to assess computers, computer systems, networks or applications for known weaknesses. The scan identifies and detects vulnerabilities relating to misconfigured assets or flawed software that resides on a network-based asset such as a firewall, router, web server or application server.

By performing routine vulnerability scans, you can continuously assess your network against the most commonly utilized attacks and identify potential security weaknesses in your computer systems and networks. Using advanced software to uncover vulnerabilities and weak points in your network configuration, our team is equipped and trained to perform vulnerability scanning and analyze your information technology environment, tools and processes. Our cyber team is skilled at assigning a criticality rating to potential security weaknesses and providing perspective on technical security posture. Vulnerability assessment results are often key inputs into an information security cyber risk assessment.

Controlling access to sensitive information is crucial to protecting the data. This process starts with provisioning new users and modifying user access, also applies to employee transfers within the organization, and ultimately ends with user de-provisioning. Key policies and procedures include a strong user access security policy and standard, as well as policies and procedures for provisioning and de-provisioning users. You can depend on PBMares’ cyber team to review existing user access control policy and standards, conduct a walkthrough of the user access rights process, understand the technologies in use for user rights management, document privileged user roles, document common job roles and associated access rights, review segregation of duties conflicts and establish periodic management review of access rights for key systems and applications. PBMares will help review and assist you with the following:

  • Developing a comprehensive user access security policy and standards, as well as policies and procedures for provisioning and de-provisioning users
  • Identifying user attributes
  • Identifying data resources to which access should be granted
  • Associating users based on job needs to access rights, privileges and restrictions
  • Providing recommendations for enhancing user access reviews

Focusing on Protecting Your Company from Risk?

Certain industries, like financial institutions, are a natural fit for cybersecurity and other risk control services. However, the need for this type of help spans virtually every business, including those in construction, government contracting, state and local government, hospitality and not-for-profit.



Harvey L. Johnson, CPA, CGMA, CISA

Partner, Cybersecurity & Control Risk Services Team Leader

“How can I help you?”
