As foreign threats intensify, BDO urges firms to take stock of supply chains

As the risk environment intensifies and AI empowers malicious actors, BDO risk advisory partner Luke Eason is urging professional services firms to review and mitigate their foreign interference risks.

“Accounting firms and professional services firms of all sorts hold an awful lot of confidential information about clients,” Eason told Accounting Times.

“To me, it's not at all a stretch to imagine that an adversary could use a professional services provider as a step into another organisation as part of the overall surveillance information gathering.”

Foreign interference could bring numerous consequences for firms, including the compromise of sensitive or competitive information, reputational damage, system interruption, workforce psychosocial impacts and the costs of investigating and remediating breaches.

Eason said the risk of foreign interference had grown in the past few years amid heightened geopolitical tensions and the explosion of AI usage.

“With everything that's happened in the world in the last two to three years, this is absolutely an area of rising risk,” he said.

“The first six months of this year, there's been a flurry of activity in terms of the publications and guidance that's been put out from the various departments in government.”

The growing uptake of AI tools also made it easier for adversaries to infiltrate supply chains and process data gained from cyber attacks.

“If an attack is successful and gets a huge amount of data, then AI tools can allow whoever gets that data to go through it and use it nefariously, much more quickly,” Eason said.

“Some of the AI tools now, they're phenomenally capable in terms of helping from a fraud or impersonation aspect. The quality of the deepfakes; the images, the videos, the voices they can make; is improving every day, and getting harder to pick up without specialised monitoring.”

He warned that seemingly ‘low-risk’ organisations could serve as a convenient stepping stone to infiltrate higher-risk sectors.

“A small software firm supplying code to a defence contractor can be just as attractive a target as the contractor itself,” he wrote for BDO.

Smaller firms were typically less aware of foreign interference threats and made easier, more trusting targets for foreign actors.

“Smaller companies across all industry sectors, not just professional services, are probably a little bit more inclined to trust the technology than perhaps someone larger,” Eason said.

Eason encouraged businesses to familiarise themselves with government guidance on foreign threats and boost staff awareness of risks.

“The number one thing you can do tomorrow to reduce this risk, and any cyber risk, is to invest in making your employees really aware of the risk, and make that a safe conversation.”

“A lot of firms will use outsourced providers. Making sure that you understand what their supply chain looks like, and if you follow the chain of who provides IT services, tech services and data services into your organisation.”

He also urged professional services firms, large and small, to take stock of their supply chains in order to identify any high-risk clients or contractors.

“There's value in everybody stepping back and saying, who are my customers, what data do I hold about them, and what services am I providing to them.”

“If you're dealing with somebody whose ultimate client is somebody in research, somebody in defence, somebody in critical infrastructure, you may not be the most obvious target initially, but when you step back, you’re an essential part in the chain.”