Prevent Cyber Threats from Derailing Your Momentum

Today, the most serious threats to organizational stability are often digital. Data breaches and other cyber crimes pose a substantial risk to the successful operation and profitability of your business, as well as to the clients you serve and the professionals you employ. Protecting your data and your business from cyber threats has never been more critical.

Small and middle-market businesses and non-profits often think they are immune to these threats, but nothing could be further from the truth.

These organizations are often targeted and, in fact, may be at even greater risk than larger entities. If your organization has an online presence or uses the internet for any business-related need, it is imperative that you identify the threats and vulnerabilities that apply to you, create a comprehensive risk management plan to safeguard your key data assets and operations, and rigorously control access to sensitive information.

“PBMares brings the knowledge and industry experience necessary to thoroughly evaluate Service and Organizational Controls (SOC). They successfully advised our company on control measures needed to satisfactorily comply with SOC audit requirements. PBMares’ professional services have proven to be a huge enhancement to our compliance program as well as a positive marketing tool for new prospective clients.”

~ Christopher A. Plyler, CPA, Chief Financial Officer, CREDIT CONTROL CORPORATION

Are you PCI DSS compliant?

PBMares is a PCI SSC Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV).

Merchants and service providers that store, process or transmit cardholder data must achieve and demonstrate compliance with the PCI Data Security Standard (PCI DSS). Our cybersecurity team earned these designations after rigorous training and testing and is well equipped to support payment card industry members as they work to comply with the multifaceted PCI DSS.

Don’t become the next victim. Let us help protect your business from cyber criminals.
View our comprehensive list of services below.

PBMares provides a complete assessment of your organization’s cyber risks, as well as a comprehensive cybersecurity plan to minimize vulnerabilities and manage strategic threats.

AICPA Cybersecurity Advisory Services Certificate

Our experienced cyber risk professionals have been performing IT audits and risk assessments for 15 years, and unlike standard IT providers, as CPAs and consultants we have an intimate understanding of your organization’s processes and operations. You can rely on us for cybersecurity services and solutions tailored to your risk profile and network, rather than a standard model that may not reflect the vulnerabilities specific to your situation.

Your engagement includes a:

  • Customized data map to assess your unique technology environment. By working with your team, key data assets and their supporting technology layers will be identified. This helps pinpoint what data resides where and what needs to be protected based on the threat level, risks and potential impact to those assets.
  • Strategy designed specifically for your technology environment that will identify weak security controls and cyber risks. It will also help you manage those risks by recommending sustainable solutions that lay the foundation for a strong cybersecurity footprint as your company grows.

Our Services

The PBMares Cyber & Control Risk Services Team is pleased to offer a wide range of tailored cybersecurity consulting services including:

Business Continuity and Disaster Recovery Plan Consulting

From security breaches at large retailers and hospital systems to Category 5 hurricanes, rogue employees and wildfires, the past few years have shown that disruption cannot be predicted. What can be planned is our response.

That means it is not enough to have a Business Continuity and Disaster Recovery plan sitting on a shelf; the plan needs to be reviewed and tested periodically. PBMares can help. By reviewing your plan, confirming that your assets are well protected and making sure your employees have clearly defined roles even under the most trying circumstances, we help you keep disruption to a minimum.

Cyber Risk Assessments

A cyber breach can have a significant negative impact on your organization. To help reduce this risk, you need a cyber risk assessment: a review of your security framework that identifies conditions that could threaten your network, systems, data or overall cybersecurity posture. Our cyber specialists apply a deep understanding of key IT controls and cybersecurity threats to evaluate the critical applications and supporting technology layers within your organization where sensitive data exists.

Learn more about how you can bridge the gap between exposure and protection.

PCI DSS Compliance Services

Achieve and maintain compliance with PCI DSS and enhance security surrounding cardholder data with scoping assessments, readiness assessments, and on-site validations.

Learn more about compliance and schedule your risk assessment.

Data Classification Process Design and Consulting

Understanding how critical your organization’s data is and where it lives is crucial to protecting it. Our cyber team will identify the nature and type of sensitive data in your organization, establish sensitivity levels for different types of data, assign the applicable level to each data set and label the data accordingly.

Specifically, this includes:

  • Identifying business, regulatory and contractual obligations
  • Identifying and documenting sensitive data that is stored, processed or transmitted by the organization
  • Reviewing the existing data classification policy and updating it as necessary
  • Identifying and documenting the systems where sensitive data is stored, processed or transmitted
  • Understanding flows of data to, through and from the organization
  • Documenting data classifications
  • Training users to identify and protect sensitive data in accordance with company requirements

HIPAA Security Assessment

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for the protection and management of sensitive patient data. Covered entities and their business associates that create, receive, maintain or transmit protected health information (PHI) must comply with its standards for physical, network and process security measures. The goals of a HIPAA security assessment are to ensure the privacy and security of PHI by examining administrative, technical and physical safeguards. The HIPAA Security Rule requires organizations to conduct a risk analysis and to revisit it periodically. You can depend on PBMares’ cyber team to perform an initial gap analysis of your organization based on the NIST Cybersecurity Framework (CSF), identify gaps between current practices and HIPAA requirements, provide recommendations for remediation and prepare a HIPAA security assessment report.

Information Security Awareness Training

According to recent statistics, more than 90 percent of data breaches involve human error, and computer users are often referred to as the “weakest link” in information security. Security awareness training is an important component of mitigating this risk. Your staff needs to understand that they have an integral role in protecting your company’s digital security. Allow our team to provide security awareness training or to assist you in developing a comprehensive security awareness training program.

Review of Information Security (InfoSec) Program Policies and Procedures

Use of the cloud, social media and the internet has exposed companies of all kinds to new threats. Having policies and procedures in place to address them is key. Information security policies help ensure that cybersecurity risk is minimized and that security incidents are responded to effectively. Security policies should:

  • Protect people and information
  • Set expectations
  • Authorize security personnel to monitor, probe and investigate
  • Define consequences of violations
  • Establish a baseline stance on security
  • Minimize risk
  • Ensure compliance with regulations and legislation

You can depend on PBMares’ cybersecurity experts to review and assist you with developing comprehensive policies to address your organizational needs.

Security Incident Response Planning

No matter how secure you think your systems are, someone may still breach your controls. If that happens, you need a plan in place so you can respond quickly. Our team can develop or improve your incident response policies and procedures and ensure that your incident response team has the right roles and responsibilities defined to contain and eradicate a threat quickly.

Service Organization Control (SOC) Audits

In recent years, it has become increasingly common for institutions to outsource business support, system operations and IT activities to service organizations. With that trend came new standards for reporting on service organization controls. PBMares will help you satisfy your assurance requirements and assess the effectiveness and risks of your third parties’ controls.

Read more on the levels of SOC and how to protect your company from risk.

Technical Vulnerability Assessment (External and Internal Vulnerability Scanning)

When it comes to your company’s exposure to cyberattacks, vulnerabilities can be viewed from two perspectives: external (what an attacker on the internet can reach) and internal (what an attacker or rogue insider already on your network can reach). Dozens of new vulnerabilities are published every day. A vulnerability scan assesses computers, systems, networks or applications for known weaknesses. The scan identifies vulnerabilities arising from misconfigured assets or flawed software on network-based assets such as firewalls, routers, web servers and application servers.

By performing routine vulnerability scans, you can regularly assess your network against the most commonly used attacks and identify potential security weaknesses in your systems and networks. Using scanning tools to uncover weak points in your network configuration, our team is equipped and trained to perform vulnerability scanning and to analyze your information technology environment, tools and processes. Our cyber team assigns a criticality rating to each weakness found, so remediation can be prioritized, and provides perspective on your technical security posture. Vulnerability assessment results are often key inputs into an information security cyber risk assessment.

User Life Cycle Management (Identity Management) Consulting

Controlling access to sensitive information is crucial to protecting the data. The user life cycle starts with provisioning new users, continues through access changes and transfers within the organization, and ends with deprovisioning when a user leaves. Key policies and procedures include a strong user access security policy and standard, as well as procedures for provisioning and deprovisioning users. You can depend on PBMares’ cyber team to review existing user access control policies and standards, walk through the user access rights process, understand the technologies in use for user rights management, document privileged user roles, document common job roles and their associated access rights, review segregation of duties conflicts and establish periodic management review of access rights for key systems and applications. PBMares will help review and assist you with the following:

  • Developing a comprehensive user access security policy and standard, together with procedures for provisioning and deprovisioning users
  • Identifying user attributes
  • Identifying the data resources to which access should be granted
  • Mapping users, based on job needs, to access rights, privileges and restrictions
  • Providing recommendations for enhancing user access reviews
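The periodic access review described above can be made repeatable by joining the HR roster against account exports from each key system. The following is an added example, not PBMares’ own tooling or process: it assumes an HR roster with a status and job role per person, a per-role entitlement baseline, and a list of segregation-of-duties rules, and it produces the four lists a reviewer typically works from: orphaned accounts (leavers and accounts with no HR owner), entitlements beyond the role baseline (privilege creep after transfers), segregation-of-duties conflicts, and privileged access requiring individual sign-off. All roster, account and entitlement data is constructed for illustration.

```python
"""Added example (not PBMares' tooling): a periodic user access review.

Joins a constructed HR roster against constructed account exports from two
systems ('erp' and 'ad') to flag what a reviewer looks for: orphaned accounts,
entitlements beyond the role baseline, segregation-of-duties (SoD) conflicts
and privileged access needing explicit sign-off.
"""

# Constructed HR roster: the authoritative record of who works here and in what role.
HR = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "active", "role": "ap_manager"},
    "dave": {"status": "terminated", "role": "ap_clerk"},
    "erin": {"status": "active", "role": "sysadmin"},
}

# Constructed account exports: (system, user, entitlements held).
ACCOUNTS = [
    ("erp", "alice", {"ap.create_vendor", "ap.enter_invoice", "ap.approve_payment"}),
    ("erp", "bob", {"ap.approve_payment"}),
    ("erp", "dave", {"ap.enter_invoice"}),
    ("ad", "erin", {"Domain Admins"}),
    ("ad", "svc_backup", {"Backup Operators"}),
]

# Hypothetical role baseline: what each job role should hold in each system.
ROLE_BASELINE = {
    "ap_clerk": {"erp": {"ap.create_vendor", "ap.enter_invoice"}},
    "ap_manager": {"erp": {"ap.approve_payment"}},
    "sysadmin": {"ad": {"Domain Admins"}},
}

# Toxic combinations no single person should hold within one system.
SOD_RULES = {
    "erp": [
        {"ap.create_vendor", "ap.approve_payment"},
        {"ap.enter_invoice", "ap.approve_payment"},
    ],
}

# Entitlements treated as privileged and reviewed account by account.
PRIVILEGED = {"Domain Admins", "Backup Operators", "ap.approve_payment"}


def orphaned_accounts(hr, accounts):
    """Accounts whose owner is not active in HR: leavers, or no HR record at all
    (unowned service accounts end up here until someone claims them)."""
    out = []
    for system, user, _ in accounts:
        rec = hr.get(user)
        if rec is None:
            out.append((system, user, "no HR record"))
        elif rec["status"] != "active":
            out.append((system, user, rec["status"]))
    return sorted(out)


def excess_entitlements(hr, accounts, baseline):
    """Entitlements held beyond the owner's role baseline (privilege creep)."""
    out = []
    for system, user, ents in accounts:
        rec = hr.get(user)
        if rec is None or rec["status"] != "active":
            continue  # already reported by orphaned_accounts
        allowed = baseline.get(rec["role"], {}).get(system, set())
        for ent in sorted(ents - allowed):
            out.append((user, system, ent))
    return sorted(out)


def sod_conflicts(accounts, rules):
    """Users holding every entitlement of a toxic pair within one system."""
    out = []
    for system, user, ents in accounts:
        for pair in rules.get(system, []):
            if pair <= ents:
                out.append((user, system, tuple(sorted(pair))))
    return sorted(out)


def privileged_accounts(accounts, privileged):
    """Accounts holding privileged entitlements; each gets individual reviewer sign-off."""
    out = []
    for system, user, ents in accounts:
        hits = sorted(ents & privileged)
        if hits:
            out.append((system, user, tuple(hits)))
    return sorted(out)


def build_review(hr=HR, accounts=ACCOUNTS, baseline=ROLE_BASELINE,
                 rules=SOD_RULES, privileged=PRIVILEGED):
    """Assemble the review package a manager signs off on."""
    return {
        "orphaned": orphaned_accounts(hr, accounts),
        "excess": excess_entitlements(hr, accounts, baseline),
        "sod": sod_conflicts(accounts, rules),
        "privileged": privileged_accounts(accounts, privileged),
    }


if __name__ == "__main__":
    for section, rows in build_review().items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", row)
```

Two design points worth noting: HR is treated as the source of truth for status and role, so an account that the directory considers enabled but HR considers terminated is a finding; and the SoD check is done on the union of entitlements per user and system, which is where conflicts hide after a transfer, when old rights were never removed.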

Protect Your Company from Risk

Certain industries, like financial institutions, are a natural fit for cybersecurity and other risk control services. However, the need for this type of help spans virtually every business, including those in construction, government contracting, state and local government, hospitality and not-for-profit.



Not-for-Profit Overcomes a Financial Hack and Comes Back Stronger

A small Virginia nonprofit thought they were doing all the right things in terms of cybersecurity, cyber insurance and safety. They found out the hard way that it wasn’t enough to avoid the damage from an attacker who knew how to exploit their weak points.


Antonina K. McAvoy, CISA, CISM, QSA, PCIP

Senior Manager, Cybersecurity & Control Risk Services Team Leader