Technology has made it easier than ever for professional firms to work more efficiently, collaborate remotely, and serve clients effectively. However, convenience often comes with an unseen cost. As firms rely more heavily on digital tools, they may unintentionally increase exposure to cybersecurity and privacy risks.
In a recent episode of Risky Records, Paul Perry of Warren Averett joined McGowan Professional to discuss how everyday technology decisions can weaken security controls if firms are not intentional. His insights highlight a growing challenge for accounting and professional services firms: balancing operational efficiency with the responsibility to protect sensitive information.

Convenience can quietly increase risk
Most cybersecurity failures are not caused by broken technology. They stem from human behavior.
According to Perry, technology generally performs as designed. The problem arises when people prioritize speed over verification. Clicking links without review, reusing passwords, or bypassing safeguards to save time can create entry points for cyberattacks.
Over time, convenience becomes habit. Situational awareness declines as employees juggle multiple tasks and notifications. That environment creates opportunity for bad actors, who rely on distraction rather than technical brilliance to succeed.
Remote work changed the control environment
The rapid shift to remote work reshaped how firms manage risk. Organizations that once operated from a single, secure location suddenly dispersed their workforce across dozens or hundreds of unsecured environments.
Firms with a written information security plan were better positioned to adapt. Those without one struggled to define expectations around device use, data access, and security protocols. Sensitive information moved outside office walls, increasing exposure without always increasing oversight.
Professional liability and cyber liability are now closely linked. Firms remain responsible not only for the services they provide, but also for the data they store, transmit, and protect.
Education must be continuous, not occasional
Many firms offer cybersecurity training. Far fewer reinforce it consistently.
Annual sessions or quarterly videos rarely change behavior. Habits are shaped by repetition, not reminders. Effective education requires ongoing engagement, leadership reinforcement, and real-world examples that keep risk at the forefront.
Perry emphasized that education should be frequent and visible. Sharing recent incidents, encouraging questions, and discussing how attacks actually happen help employees recognize warning signs before mistakes occur.
Risk assessments and controls require honesty
Risk management begins with understanding where weaknesses exist. That requires honest risk assessments and a willingness to document uncomfortable findings.
Ignoring vulnerabilities does not reduce exposure. It delays response. Firms that treat risk assessments as confidential or avoid sharing results miss an opportunity to improve controls and accountability.
User access controls also matter. Granting broad system access may feel efficient, especially in smaller firms. But limiting access based on role reduces internal risk and minimizes damage if credentials are compromised.
Vendor management presents similar challenges. Outsourcing services does not outsource responsibility. Third parties must meet defined security standards and undergo regular reviews.
Cyber insurance expectations have changed
Cyber liability insurance remains a critical part of risk management, but the underwriting process has evolved. Applications now require detailed disclosures about controls, training, and policies.
Providing inaccurate or overly optimistic responses creates risk. If a claim occurs and practices do not align with disclosures, coverage disputes may follow. Transparency enables carriers to assess risk accurately and helps firms pinpoint areas where improvement is needed. Insurance transfers risk, but it does not eliminate it. Strong internal controls and honest documentation remain essential.
AI increases efficiency and exposure
Artificial intelligence has rapidly integrated into professional workflows. While AI can improve efficiency, it also introduces new risks when used without oversight.
Perry noted that AI remains a tool shaped by human input. Bias, misinformation, and misuse can undermine decision-making if firms rely on outputs without verification. Clear policies and human review help ensure AI supports, rather than replaces, professional judgment.
As technology evolves faster than regulation or insurance history, firms must remain adaptable and cautious in adoption.
The takeaway for professional firms
Convenience and privacy are inseparable from modern risk management decisions. Firms that prioritize speed without verifying controls may increase exposure without realizing it. Ongoing education, documented processes, and situational awareness remain essential as technology and cyber threats continue to evolve.
Even strong controls cannot eliminate cyber risk entirely. Incidents still occur, and when they do, firms must be prepared to respond quickly and effectively. Cyber insurance plays a vital role by helping firms manage breach response, regulatory obligations, and the financial impact of cyber events.
For professional firms that handle sensitive client data, cyber insurance should be part of a broader risk strategy. McGowan Professional helps firms evaluate cyber exposures and align coverage with their real-world operations through its Cyber Insurance solutions.
Learn more about McGowan Professional’s Cyber Insurance and how it supports a proactive approach to managing cyber risk.