Data Protection for Scaling Your Professional Services Firm

Leveraging ISO 42001 & ISO 27001 To Manage Information Security and Risks Associated With Artificial Intelligence

On average, organizations take 204 days to identify and an additional 73 days to contain a data breach, which threatens their reputation and finances. As professional services firms cultivate tech-forward cultures to scale their businesses and better integrate with their clients, the risk of cyberattacks rises.

Larger firms are more likely to have robust security budgets, but many professional services firms may not have the resources to invest in advanced security measures.

While automation tools are increasingly valuable when growing your business, it is equally important to have the proper data protection measures in place to mitigate risk, particularly when dealing with sensitive client data. Data protection is critical when using software with artificial intelligence (AI) and machine learning (ML) features or integrations.

To address emerging security concerns, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) maintain the ISO 42001 (artificial intelligence) and ISO 27001 (information security) standards. These standards provide additional safeguards against cybersecurity attacks and data breaches, and support more reliable use of technologies that utilize AI. Both large and small firms can use these frameworks to enhance their cybersecurity measures and refine incident planning.

Artificial Intelligence: ISO 42001 Defined

ISO/IEC 42001 is the first international AI governance standard that provides specific requirements for implementing, maintaining and improving organizations’ AI management systems. It also includes requirements for the responsible use and development of AI technologies. Key controls in this international standard include:

  • Implementing processes to identify and monitor risks
  • Conducting impact assessments across AI systems
  • Managing all aspects of AI system development, including planning and testing
  • Improving the effectiveness of AI on a continual basis
  • Ensuring suppliers are aligned with an organization’s AI approach

Firms that comply with these standards can benefit from improved external trust when a firm’s services are heavily relied upon by clients, as well as enhanced risk mitigation for AI-specific issues, such as biased or incorrect outputs. Additionally, internal parties can leverage AI governance to more quickly adopt the use of large language models (LLM) to enhance the delivery of client services without sacrificing information security controls.

Information Security: ISO 27001 Defined

While ISO 42001 deals specifically with AI, ISO 27001 is the international standard intended to help organizations effectively establish information security management systems. The framework provides requirements for implementing, maintaining and improving these systems to better protect companies’ valuable information.

Key controls in the standard are divided into four themes: organizational, people, physical and technological. The controls cover a wide variety of risk categories and actions, including:

  • Strengthening security policies
  • Defining security rules across the organization
  • Reviewing credentials and how information is accessed
  • Developing effective incident management plans
  • Complying with information security laws and regulations

Earning ISO 27001 certification helps streamline security standards and provides an additional safeguard against data breaches, such as ransomware attacks or supply chain attacks.

Benefits of ISO 42001 and ISO 27001

Merging the ISO 42001 and ISO 27001 frameworks provides firms with cohesive strategies for strengthening their risk management program and processes. Both standards share similar key governance requirements (i.e., management system clauses), making it easy for organizations to capitalize on these commonalities and achieve conformity.

Firms that adhere to these standards also benefit from:

  • Improved risk management
  • Enhanced data security
  • Regulatory compliance
  • Increased credibility and customer trust
  • Operational efficiency
  • Competitive advantages and adaptiveness to market changes

Integrating these two standards allows organizations to simplify their risk management processes and benefit from a comprehensive approach that maximizes security against cyber threats.

Potential Cyber Threats to Professional Service Firms

Professional services firms, such as architectural and engineering (A&E) firms, accounting and consulting firms, and law firms, are particularly vulnerable to cyber threats due to the large amounts of confidential commercial and client information they handle. Professional services firms are part of an increasing trend in cybersecurity threats referred to as “third-party” or “supply-chain” attacks, whereby a firm is targeted to gain access to confidential data or to gain unauthorized access to the firm’s clients.

Cyberespionage accounts for 52% of cybercrimes committed against professional services firms, according to the Verizon Data Breach Report.

As automation technologies become more advanced, so do the methods hackers use to access sensitive data. With the rapid digital evolution, professional services firms should be aware of the latest trends and potential threats to their systems, including ransomware attacks, business email compromise and supply-chain attacks.

Effective cybersecurity risk management protocols are crucial for organizational success. Our previous article on ISO standards outlines the steps to achieve standard accreditation and certification.

Ransomware Attacks

Ransomware attacks attempt to compromise a system through phishing campaigns or credential attacks and are often perpetrated through a business email compromise. Once the hacker gains access to a system, they will encrypt sensitive data and hold it for ransom.

“In many cases, the hacker will be demanding payment, but if the company feels that their system resiliency and continuity measures are good enough that they can recover, the second option for the attacker is to threaten to put the information they’ve stolen up on the public domain,” said Steve Ursillo, Partner, Information Assurance & Cybersecurity. “Then the company will have to pay for it to be removed.”

Business Email Compromise

Often perpetrated through phishing, business email compromise typically happens when employee credentials are stolen. This allows attackers to gain access to a system, impersonate someone via email and facilitate fraudulent transactions, leading to corporate account takeovers or the redirection of payments to illicit accounts.

AI-driven phishing attacks also pose risks, as generative AI can create realistic, highly personalized emails and messages to gain system access.

Supply Chain Attacks

Supply chain attacks occur when suppliers or third parties are compromised. The hackers then gain access to a company’s network and move laterally into other organizations to steal data. This is an area of heightened risk for professional services firms, which often have access to highly sensitive and critical client data as part of providing their services.

Deepfakes

Hackers may use deepfakes, or AI-generated audio files, images or videos, to mimic business leaders or clients to transfer funds, change passwords or gain system access.

Solutions for Mitigating Risks

To reduce these risks, companies should adopt strong cybersecurity strategies and be able to validate or report on their cybersecurity resilience using known criteria, such as ISO 42001 and ISO 27001. This involves safeguarding confidential information by using data encryption and access controls. Access controls must be implemented to restrict data access according to individual roles and duties.

Ongoing training for employees is crucial for enabling them to identify and react to cyber threats. Furthermore, routine risk assessments guarantee that security protocols are consistently reviewed and adjusted to tackle new challenges.

Implementation of Standards

To begin implementing ISO 42001, firms should:

  • Understand the requirements of the standard
  • Evaluate risk management frameworks and programs
  • Communicate key controls with stakeholders
  • Evaluate existing AI practices with a readiness assessment
  • Perform relevant AI system impact assessments
  • Develop an implementation plan
  • Address gaps in compliance
  • Execute a second-party or third-party internal audit
  • Engage an accredited certification body

To begin implementing ISO 27001, firms should:

  • Create both policies and procedures applicable to information systems
  • Perform a risk assessment and develop risk treatment plans
  • Put controls in place to mitigate risk, such as firewalls or encryption
  • Execute a second-party or third-party internal audit
  • Engage an accredited certification body

With the unique risks posed by AI, complying with ISO 42001 displays a commitment to the responsible use of AI and machine learning, from monitoring for bias to maintaining client privacy. When implemented together, ISO 42001 and ISO 27001 offer a comprehensive framework to safeguard against a broad range of information security risks.

Your Guide Forward

Cherry Bekaert’s Risk & Cybersecurity practice offers customized strategies to help organizations manage unforeseen and emerging threats. Our professionals take a comprehensive, proactive approach to help your firm implement effective risk management controls and ensure compliance with regulatory requirements.

Our experienced team helps identify areas for improvement, mitigate risks, ensure regulatory compliance and strengthen your company's reputation and competitive position in the market.

Cherry Bekaert has partnered with Mastermind, a certification body that employs only full-time lead auditors residing within the United States and holds notable distinctions, including issuing the world’s first accredited ISO 42001 certification for an AI management system (AIMS). Mastermind maintains an accreditation scope for all ISO standards, as registered with the International Accreditation Service.

Contributors

Dan Sembler

Advisory Services

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

David Forman

Chief Executive Officer, Mastermind