BKD dons a white hat to hack clients
The BKD Red Team stands ready to embarrass their clients — but all in the name of security.
BKD Cyber, the cybersecurity arm of Springfield, Missouri-based Top 100 Firm BKD, has assembled what it’s calling its Red Team: a digital attack simulation service that emulates the actions a hacker might take during a cyberattack. This service comes at a time when the accounting profession is on high alert for cybercrime, in the wake of several high-profile events.
BKD Cyber offers a number of cyber services, including risk assessment, regulation compliance and incident response. The organization also offers penetration testing, in which its professionals attempt to break into a business’ networks and assess the strength of its security, and “white hat” services, “white hat” being a colloquial term for ethical hackers who combat the activities of criminal hackers.
The Red Team, though, offers something different: It performs simulated digital attacks under controlled conditions, using the same actions that actual cybercriminals would use to access and harvest data from an organization. The team then uses the results as a training opportunity for the business, showing it what information the team was able to obtain and how, which firm partner and BKD Cyber team leader Cindy Boyle said is far more effective than run-of-the-mill video- and lecture-based training.
“We started noticing there was a missing element in our cyber training,” Boyle said. “When you get a pen test report it can be really technical. I can understand it, but not always, so company board members aren’t going to understand the technical details of that report. The Red Team functions more like a real-world hacker. We use techniques and tools and processes where we’re in someone’s system for a period of time, and we see how long we can creep around the system, what info we can find. It produces a report of examples of what we find, and that really resonated with the companies we’re working with. With the first one we did, they were thrilled, because a normal person could understand it and say, ‘Oh wow, you found that in our system?’ It drives home the point — rather than saying here’s the gap and the risk, it gets to what’s valuable or embarrassing to your company. It helps them visualize.”
Boyle drove home the point of comprehensibility: company board members may not all be cyber experts, but they have a fiduciary responsibility to their company to ask the right questions and issue the right directives. A cyber report that shows, in black and white, what information a hacker can get is much easier to understand and act on than a technical report of system vulnerabilities.
Reporting the news is not always easy. Showing a company their vulnerabilities, even in a white hat, controlled situation, can be embarrassing.
“Once, we did a pen test and we got the IT director’s password not once, but twice,” Boyle recalled. “Sometimes it’s awkward to share that information. But it’s the same thing as an audit. That’s what you’re there for — you’re the hired gun to find this before a real hacker gets to it.”
BKD’s Red Team is made up of staff from varied backgrounds. It includes former military personnel with IT training, for instance, and Boyle notes that the discipline they bring from that background works “really well” in the team.
“Discipline is an asset because of the ability to keep trying things and having patience, because you’re not going to be successful getting into a system the first try,” she said. “You try one thing after another. Persistence, and an analytical mind, are important.”
The team is spread across a couple of key locations in the U.S., and in its labs it works with specialized equipment kept off the firm network. The team works very creatively, with members learning from each other the different tactics they find for getting into different networks.
Retaining staff is a key consideration for cyber service providers of any kind, because cyber experts and white hat hackers are in extremely high demand worldwide, and there are far more open positions in the field than there are people to fill them. Boyle says the collaborative nature of BKD Cyber is attractive to creative thinkers like the hacking experts on its team.
“It is a challenge to find experts and keep them,” she said. “There are so many different places they can work, and an accounting firm is not the first thing a lot of them think of. There are boutique IT firms, for instance. We just do our best to recruit really good people, and try to make the work interesting — we give them a variety of work, and the opportunity to learn and work together.”
According to the Ponemon Institute 2018 Cost of a Data Breach study, the total cost of a data breach averaged $3.86 million, up almost $250,000 from the previous year. In addition, it takes organizations an average of 197 days to realize they’ve been breached. To learn more about the BKD Red Team and the firm’s Cyber arm, visit www.bkd.com/services/cybersecurity-it-risk.