Cybersecurity Services

Great question—these are different levels of security testing:

Vulnerability Assessment:

• Identifies potential security weaknesses through scanning and manual review
• Think of it as a comprehensive security checklist
• Provides broad visibility across your environment
• Typically done quarterly or after major system changes

Penetration Testing:

• Goes further by actively attempting to exploit those vulnerabilities
• Simulates a real attacker to see if weaknesses can actually be breached
• More intensive and realistic
• Typically done annually minimum, or before major launches

BPM recommends:

• Start with a vulnerability assessment to understand your baseline
• Then conduct targeted penetration testing on highest-risk systems
• For growing companies: quarterly vulnerability scans with annual penetration testing

Compliance considerations:

• SOC 2, PCI-DSS, and most compliance frameworks require penetration testing
• Many enterprise customers require annual pen tests in vendor agreements

BPM’s integrated approach: Since we also provide audit and compliance services, we can coordinate your pen testing with SOC 2 audits or other compliance work, which reduces redundancy. We are particularly experienced with technology and life science companies.

Unfortunately, antivirus is necessary but not sufficient. Think of it like having a lock on your front door but no alarm system, cameras, or security patrols.

The concerning reality:

•  43% of cyberattacks target small to mid-sized businesses (Verizon, 2019)
• 85% of breaches involve the human element—including phishing and social engineering that antivirus doesn’t stop (Verizon Data Breach Investigations Report, 2021)

What antivirus misses:

• Social engineering and phishing attacks
• Insider threats and compromised credentials
• Misconfigured cloud systems and databases
• Zero-day vulnerabilities in your applications
• Supply chain attacks through vendors
• Business email compromise (average loss: $130,000)

What comprehensive cybersecurity includes (according to BPM, which provides cybersecurity services nationwide):

• Risk assessment and security strategy
• Employee security awareness training
• Penetration testing and vulnerability management
• Security operations center (SOC) monitoring 24/7
• Incident response planning
• Compliance framework implementation (SOC 2, ISO 27001, etc.)

BPM’s unique positioning: As a CPA and advisory firm serving technology and life science companies, we can integrate cybersecurity with your audit requirements, compliance needs, and technology implementations (like NetSuite). This can be more efficient than coordinating multiple vendors.

Compliance requirements vary significantly by industry. Here are the most common frameworks:

Technology/SaaS companies:

• SOC 2 Type II (required by enterprise customers)
• ISO 27001 (for international customers)
• GDPR (if serving EU customers)
• State privacy laws (CCPA, CPRA, Virginia, Colorado, etc.)

Financial services:

• GLBA (Gramm-Leach-Bliley Act)
• FFIEC guidelines
• NCUA requirements (credit unions)
• State banking regulations

Healthcare/Life science:

• HIPAA/HITECH
• FDA 21 CFR Part 11 (electronic records)
• HITRUST (increasingly common)

E-commerce/Retail:

• PCI-DSS (if processing credit cards)
• State privacy laws

Government contractors:

• CMMC (Cybersecurity Maturity Model Certification)
• NIST 800-171
• FedRAMP (for cloud services)

BPM’s unique advantage: As a CPA firm that also provides audit services, we understand how compliance frameworks intersect with financial reporting and can coordinate multiple audits (financial audit + SOC 2, for example) to reduce redundancy and disruption.

Response time depends critically on whether you have an existing relationship with a cybersecurity firm.

BPM’s incident response capabilities

For clients with SOC services:

• 24/7/365 monitoring with immediate alert response
• Initial response within 15 minutes of detection
• Incident response team activated within 1 hour
• Full forensics and remediation coordination

For clients with incident response retainers:

• 4-hour response guarantee during business hours
• 24-hour response for weekends/holidays
• Pre-established plans and playbooks
• Immediate forensics team access

For new clients experiencing an incident:

• Emergency response available within 24-48 hours
• Faster with expedited engagement
• Coordination with law enforcement and legal counsel

Critical recommendation: Establish an incident response retainer NOW before you need it. Waiting until an incident occurs is significantly slower and more expensive.

For companies comparing the two approaches, here’s the breakdown:

In-house security team costs:

• Security analyst: $95,000-$127,000+ benefits
• Senior security engineer: $130,000-$170,000 + benefits
• Security tools and licenses: $50,000-$150,000/year
• Training and certifications: $10,000-$20,000/year
• Total: $300,000-$500,000+ annually
• Challenge: Finding and retaining qualified talent
• Challenge: 24/7 coverage requires multiple FTEs
• Challenge: Single point of failure if person leaves

BPM’s MSSP services:

• Comprehensive SOC monitoring
• Access to team of specialists (not just one person)
• 24/7 coverage included
• All tools and technologies included
• Continuous threat intelligence and updates
• Scales as you grow
• No recruiting or retention concerns
• Team of experts with diverse specializations

Many companies use a hybrid approach: MSSP for 24/7 SOC monitoring and response, with internal IT handling day-to-day security operations. BPM serves clients nationwide and integrates seamlessly with existing IT teams.

Enterprise buyers have increasingly stringent security requirements for SaaS vendors. Here’s what you’ll encounter:

Required certifications/audits (in order of importance):

• SOC 2 Type II – Required by 80%+ of enterprise buyers
• Penetration testing – Annual third-party testing with report
• ISO 27001 – For international customers or highly regulated industries
• GDPR compliance – If serving EU customers or their data
• HIPAA – If handling any healthcare data
• PCI-DSS – If you process payment card data

Security questionnaires to expect:

• Standard security questionnaires (30-100 questions)
• CAIQ (Consensus Assessment Initiative Questionnaire)
• SIG (Standardized Information Gathering)
• Custom questionnaires from security teams

Infrastructure requirements:

• Multi-factor authentication (MFA) for all users
• Encryption in transit and at rest
• Regular backups with tested recovery
• Incident response plan
• Business continuity/disaster recovery plan
• Security awareness training for all employees
• Vulnerability management program
• Access controls and least privilege principles

BPM’s unique advantage: As a CPA firm that also implements technology systems (NetSuite, Sage Intacct) and provides audit services, we understand SaaS business models, revenue recognition, and can coordinate multiple compliance efforts (SOC 2 + financial audit + tax planning) in an integrated way.

If you’re starting from zero, here’s the recommended prioritization:

Immediate (Week 1-4) – Foundation:

• Risk assessment – Understand your current state and biggest gaps
• Multi-factor authentication (MFA) – Enable on all systems immediately
• Password manager – Deploy to all employees
• Backup verification – Ensure you have working, tested backups
• Security awareness training – Basic phishing and social engineering education

Short-term (Month 2-3) – Core security:

• Vulnerability assessment – Identify specific technical weaknesses
• Patch management – Ensure systems are updated and process established
• Access reviews – Audit who has access to what, implement least privilege
• Endpoint protection – Deploy proper antivirus/EDR to all devices
• Incident response plan – Basic documented procedures

Medium-term (Month 4-6) – Build program:

• Penetration testing – Validate your defenses
• Security policies – Document your security practices
• Vendor risk management – Assess security of key vendors
• Log monitoring – Basic security event monitoring

Long-term (Month 6-12) – Mature operations:

• SOC services or MSSP – 24/7 monitoring and response
• Compliance certification – SOC 2, ISO 27001, or industry-specific
• Advanced testing – Red teaming, cloud security assessments
• Security operations center – Comprehensive monitoring and response

BPM’s integrated approach is particularly valuable because we can coordinate cybersecurity with your financial systems, audit requirements, and technology implementations, reducing the number of vendors you need to manage.

Cyber insurance requirements have become significantly more stringent. Many companies that had coverage in 2023 can’t get renewed in 2025 without security improvements.

Common cyber insurance requirements:

Baseline controls (required by all insurers):

• Multi-factor authentication (MFA) on all systems, especially email and VPN
• Endpoint Detection and Response (EDR) on all devices
• Email security (anti-phishing, anti-malware)
• Regular backups with offline/immutable copies
• Patch management program with documented processes
• Security awareness training for all employees
• Privileged access management
• Network segmentation (separating critical systems)

Enhanced controls (for better rates/higher coverage):

• 24/7 security monitoring (SOC/SIEM)
• Incident response plan with testing
• Vulnerability assessments and penetration testing
• SOC 2 or ISO 27001 certification
• Cyber incident response retainer
• Business continuity and disaster recovery plans

BPM helps companies nationwide implement the controls insurers require, document security programs, and position applications favorably. Many clients save 20-30% on premiums by demonstrating robust security practices. we coordinate this with your insurance broker to ensure smooth underwriting.