
David Sun is almost always in the middle of a security breach.
Or, at least, that was the half-joking apology the advisory principal at CohnReznick gave for being a few minutes late to an interview — though his colleague, Bhavesh Vadhani, a partner and the global leader of the cybersecurity, technology risk and privacy practice, confirmed that it's truer than Sun's playful tone suggested.
Sun and his team are indeed very busy, working out of the digital forensics lab facility the Top 25 Firm built outside of Washington, D.C., in mid-2023. The lab was opened in response to the firm expanding its cybersecurity capabilities, according to Sun, and functions as a central location where the firm can help clients identify cyber incidents, collect and keep digital evidence, and guide them in safeguarding against future attacks and breaches.
"It acts as a state-of-the-art digital forensic lab which serves almost like a nerve center for us, for all kinds of cybersecurity engagements, but predominantly focused on cyber incident response, digital forensics, preserving digital evidence, and then helping clients building resilience against future threats," explained Vadhani. "Part of what David and team do, they go and they analyze, from a digital forensic standpoint, a root-cause analysis standpoint, they go through all these exercises to eventually make sure of whatever they learn from that, not only supporting the clients that they're engaged with right now during the incident or the digital forensics, but they take those lessons learned and apply them to all the other clients that we have to make them future-ready. That's the whole purpose of this."
The latest cyber risks
Cyberthreats are constantly evolving for the security incident response and recovery services and computer forensic and litigation support services practices that Sun leads, as well as CohnReznick's wider cybersecurity practice. Sun's team of approximately 10 professionals and the larger cybersecurity practice of 50 to 70 full-time employees, plus contract employees and staff in India, are offering an ever-wider range of services for the roughly 250 to 300 client engagements the cybersecurity team handles per year.
"Historically, as with many accounting firms, the cybersecurity practice was on the proactive side of things," Sun explained. "The firm saw a strategic benefit in becoming a more full-spectrum cybersecurity practice, more end to end. Beyond proactive [services] we started handling the reactive side."
In other words, CohnReznick's cybersecurity practice handles both ends of those services — arming clients with proactive strategies to prevent attacks before they happen, and also working with clients after incidents have occurred, though, as Sun said, lately his team is focusing more on that incident response phase.
And while many clients hire CohnReznick after an attack, they quickly learn the value in being prepared for future incidents. "What we find is that on the proactive side, we tend to have singular engagements more so, not saying exclusively, but then what we find is on the reactive side is the one where we often get multiple engagements," he said. "So it starts with the reactive, and then that usually spawns off to two or three additional [engagements of] 'OK, how do we keep this from happening?'"
"As you can imagine in the last 10 years, over the last decade, technology has evolved, right?" Vadhani added. "Our businesses have evolved. We are in a digital economy. So in the midmarket, and the larger firms, as we are providing services in cybersecurity, we quickly realized that we needed to provide full-spectrum services. Just providing proactive services alone was not a solution enough for our clients. They were looking for folks who could provide an end-to-end spectrum of services and we had an advantage there where we had in the middle market, especially in many of our industry verticals, deep knowledge and industry expertise so that we could help clients solve business issues from a cybersecurity perspective and that allowed us to then identify a niche there that many of our competitors don't have. So for us, it came as a niche play and a strategic play, and getting David on board was one of those strategic initiatives for us, so that he could lead that practice and then eventually build the forensic lab."
Sun joined the firm when the lab opened in mid-2023, bringing 25 years of advanced cybersecurity and digital forensics experience and an eye for schemes that have been around just as long.
"The niche entails a range of proactive cyber services," he said. "So in today's day and age, a lot of the things that you see in the news of cyberattacks, ransomware, things like that, those are happening with more and more frequency. And it's not just large organizations, but every organization, mom-and-pop shops, they're all being targeted also in different ways, whether it's a ransomware attack or a wire-transfer fraud, a business email compromise. There's just a number of [types of attacks] that many companies are still very susceptible to. So we see a lot of that, and that coupled with historically what's been happening for 20-plus years and continues to happen."
"For 25 years I've been doing this, and ransomware has only been around for eight or so years," Sun continued. "But what has always been around, and continues to be still a huge piece that nobody talks about, is what I call insider threat, which is, you know, Bob in accounting, Joe in sales, Jane in HR, whatever. And that can be things like people in the accounting department stealing money and misdirecting it for themselves. Or it could be departing employees taking intellectual property rights and/or clients. And again, it's 20-plus years I've been doing this and it still hasn't stopped."
But in terms of newer threats, Sun and Vadhani identified a few, including the "North Korean fake employee scam" where the country gains access to company data and money by impersonating a remote U.S. employee, and deep-fake scams where, using artificial intelligence, someone's likeness is stolen to fool targets on a video or audio call to exchange information.
"We are seeing a lot of those threats surging, especially when organizations just go after the shiny new object, which is AI, without truly understanding the repercussions and the risks associated with it," Vadhani said. "So there are quite a bit of lessons learned there for many organizations who fall prey to it. It's things that the companies have to start thinking about beyond just 'It's a technology issue, my IT guy will solve it.' Deep fake is not a technology issue your IT person is going to be able to solve. It's more training, it's more vigilance, it's more coming up with nontechnical ways of validating whether it's [the real person] or not."
A helping of 'special sauce'
CohnReznick's holistic, proactive cybersecurity offerings are far beyond the capabilities of many IT departments — and they can also involve a learning curve for its clients.
"A challenge we still see, especially in the middle-market companies, is they still don't consider cyber as a business issue," Vadhani explained. "They still think cyber is a technical issue, and because of that, they don't allocate adequate resources towards what should be done, to have an adequate cybersecurity posture program, strategy and technical configurations and resources applied to this so that IT can enable your business. They still think about this as, 'I've given IT a budget. My IT guys should be figuring this out,' when in reality this is broader than just IT, right? It impacts the business at the heart of it. Somebody clicking a link is not an IT issue. So that's the kind of thing you still see as common challenges and sometimes clients have varied opinions of that."
The CohnReznick cybersecurity practice's broad scope, meanwhile, includes working on investigations for clients as unique as U.S. state attorneys general. The team then brings those lessons to other clients, which span a variety of industry verticals — all of which are susceptible to cyberthreats, Vadhani emphasized.
"We use our forensic lab for many of those investigations and whatever we learn through that, because at the end of the day, the state attorney generals are then investigating organizations who had data breaches impacting their constituents," Vadhani explained. "We understand from the settlement terms or legal enforceable actions, what are the things that our clients should be proactively thinking about as they design their cybersecurity strategy and program and how they set up their entire teams and technical configurations. So we essentially bring all these different elements that organizations need to think about, or may have thought about, but they're not enhancing it on a regular basis. We bring all of that together and then help them mature their overall program and their posture."
One recent improvement had universal applications — and could have even prevented the recent Chinese attacks on Microsoft, according to Sun.
"What is very, very popular is our Microsoft 365 security assessment," he said. "This is, I would say, an industry-leading service that we have. So Microsoft 365 — great cloud platform, but unfortunately it has lots of problems with how it's launched by default. As a result, there's a tremendous number of business email compromises that occur within Microsoft 365 and we've responded to hundreds, maybe even thousands of these at this point. And what we found is the same commonalities between all our clients who've had an incident, the same issues. And so what we did was we created a highly focused, highly targeted Microsoft 365 assessment, and with that we examine all of the security settings in Microsoft 365 and talk to clients and point out where they are not meeting industry benchmarks that have been established."
Based on this, the firm has developed "what we refer to as the CohnReznick special sauce," Sun continued. "That CohnReznick special sauce is about 13 to 25 settings that even the industry's standard benchmark people don't talk about or know about, but that we have seen through all our forensic responses."
"Microsoft actually had an incident eight months ago where the Chinese hacked into Microsoft 365, and Microsoft did the full forensic analysis and issued a report about what the vulnerability was that the Chinese exploited," he explained. "Well, that vulnerability we have been including in our CohnReznick special sauce for over a year, because we had seen that in other places also. So, if Microsoft had gotten our service, they might not have gotten hacked by the Chinese."
Depth and breadth
The same level of precision is brought to the firm's wider client engagements, according to Vadhani. "If their organization is looking at a cybersecurity governance or strategy or program, things that we learn generally during our forensics and security response recovery engagement — it's not just technical issues, it's a combination of everything. Including if your governance documents were not updated, or your roles and responsibilities that we identified through the investigations were outdated. Your board was not informed, the communication plan was not in place — so there are many things."
CohnReznick's holistic assessment and services include AI's ever-expanding reach, for which Vadhani offers some general tips to firms utilizing the technology.
"AI governance is very important. Transparency and accountability within AI is very important," he explained. "Sure, nobody's saying don't use AI, but understand what you're doing, why you're doing it. Have transparency in it. Make sure everybody understands what the tool is supposed to do and what the outputs are supposed to be. Make sure there's adequate guardrails and governance in place. Train your employees on how to detect anomalies or patterns, or how do you detect if AI is going rogue on you? Because you're training AI on something, it's supposed to do a set of activities. How do you know it's not doing activities plus something else that you're not aware of? So there's a lot of aspects to this where you need to train your AI properly. You need to train your people properly so that you're keeping the human in the loop and making sure AI does not go rogue. Along with that, making sure that there is enough transparency and accountability in the entire process, and that there's no bias, there's no ethical dilemmas that you're creating using AI. Because all of those can be exploited and will be exploited."
CohnReznick's cybersecurity practice also provides an essential service to audit clients, Sun said, vetting any cybersecurity incidents impacting their financial statements "to help make sure that we can then be comfortable attesting to the organization, to the financials going forward."
"And again, I think that's part of what makes us a little more special," Sun continued, "because I don't think any other accounting firm has that level of expertise, when it comes to that component of a financial audit."
Despite the breadth of the cybersecurity team's offerings, Sun laments, "Unfortunately a lot of clients are still asking, 'Hey, I've just been attacked, please come help me.'"
But Sun is optimistic about the tide starting to turn.
"What we're seeing though, is for the clients that are a little smarter or a little more proactive, a little more willing to get ahead of it, they're doing the security assessments and all the types of protective measures," he shared. "But then they're also saying, 'OK, we're going to do everything we can to protect ourselves, but what happens is we still get attacked anyway. How can we be the most prepared and ready for it?' So it's [making] sure you're going to do everything you can to prevent the house from burning down. But let's do some fire drills anyways, just in case. So everybody knows when or if a fire alarm gets pulled, you know where the nearest exit is. How do you get out? Where do you regroup? All those types of things, right?... And so we're seeing more — not enough, but more — clients get into that, make a concerted effort to get smarter and be more rehearsed in those areas."