Dargallo is a Cyber Broker at Aon, Madrid. As part of the Certified Cyber Insurance Specialist (CCIS) course, she completed a complex assignment on cyber risk in the professional services industry.
In the digital age, even professional services firms are not immune to the threat of cyber attacks. Law firms, accounting firms, and consultancy firms all face a growing risk of cybercrime, with hackers targeting them for financial gain through the theft of confidential data or outright theft of funds.
As these firms become more reliant on technology, their attack surface grows, creating new vulnerabilities that cyber criminals can exploit. In this context, it is critical for these firms to implement robust cybersecurity measures to mitigate the risks and protect their sensitive information.
Key Concerns For Cyber Risk In Professional Services Organizations
Professional services firms face significant cyber risk exposures because of the nature of their business, which involves managing sensitive information for clients. Professional services organizations are heavily reliant on technology to manage and store this sensitive information. As a result, they are increasingly exposed to a wide range of cyber risks that can pose significant threats to their business operations, reputation and financial well-being, including:
- Personally identifiable or corporate confidential information in their care being lost or stolen
- Increasingly strict privacy regulations prompting regulatory oversight that could result in fines and penalties
- Supply chain risk stemming from dependence on vendors, independent contractors or additional service providers
Given that reputational damage and financial consequences from cyber incidents can be especially severe for these firms, cyber insurance professionals must understand these areas of exposure to best advise their clients and assess their risk.
Internal Threats And Third Party Risks
Professional services businesses are at risk of internal cyber threats, including theft and potential release of sensitive information in their care. This threat is amplified when considering the intentional acts committed by rogue employees. Malware that prevents access to systems and causes business interruption is another significant threat, as it can lead to substantial financial loss. Social engineering is also a concern, as attackers can use this tactic to trick employees into divulging sensitive information or providing access to systems. Furthermore, insider access, defined as access granted to employees, contractors or partners, can pose a significant cybersecurity risk if individuals abuse their privileges or if their access is compromised through malicious activities.
Professional services businesses must also be aware of third-party risks, such as a cyber incident affecting a crucial outsourced service provider. Such incidents can lead to supply chain disruptions that can have a significant impact on the company’s operations. Additionally, vendors or partners that have access to sensitive data can also pose a risk if their security measures are not up to par. Ransomware attacks are also a growing concern, as they can result in significant financial loss and reputational damage. Therefore, it’s critical for professional services firms to carefully evaluate their third-party relationships and ensure that appropriate security measures are in place to mitigate these risks.
By being proactive and vigilant about both internal and external cyber threats, professional services businesses can protect their businesses and maintain the trust and confidence of their clients. Check out our recent article on proactive cyber insurance and what this involves.
Minimizing Cyber Risk In Professional Services Organizations
Outsourced security
There are two parallel trends in the overall enterprise cyber security landscape that relate to the outsourcing of security.
One is the increased demand for managed detection and response (MDR) services, which give customers security capabilities they lack or cannot develop on their own. In a similar vein, more organizations will adopt automation, orchestration and artificial intelligence tools to support their security technicians. The other trend runs the opposite way: businesses that find it very difficult to outsource security will develop talent internally so as not to depend on external partners.
AI and MFA
Many companies, especially technology giants, are applying multi-factor authentication (MFA) to protect their customers’ logins. Where other authentication methods are used, cybercriminals have a much easier time impersonating users, as they have become very effective at stealing credentials. MFA also has weaknesses, however, and criminals are having some success using bots to get past these barriers. To fight fire with fire, organizations will begin to deploy AI-based security tools that can detect fraudulent login attempts more effectively than traditional technologies and human technicians.
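As an added illustration of what "detecting fraudulent login attempts" looks like in practice (this is example code written for this page, not a tool used by Aon or by the CCIS course), the script below runs two simple rules over a constructed authentication log: a burst of failed passwords against many different accounts from one source address (the bot-driven credential stuffing the paragraph alludes to), and a user who receives several MFA prompts and denies them before finally approving one (an attacker who has the password and is trying to wear the user down). The log format, the event names, the addresses and the thresholds are all assumptions; a real deployment would map them onto the identity provider's own audit events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, hypothetical format:
#   <ISO timestamp> <EVENT> user=<name> src=<ip>
# Events used: PASSWORD_FAIL, PASSWORD_OK, MFA_SENT, MFA_DENIED, MFA_APPROVED
SAMPLE_LOG = """\
2021-02-27T08:00:01 PASSWORD_FAIL user=alice src=203.0.113.9
2021-02-27T08:00:02 PASSWORD_FAIL user=bob src=203.0.113.9
2021-02-27T08:00:03 PASSWORD_FAIL user=carol src=203.0.113.9
2021-02-27T08:00:04 PASSWORD_FAIL user=dave src=203.0.113.9
2021-02-27T08:00:05 PASSWORD_FAIL user=erin src=203.0.113.9
2021-02-27T08:00:06 PASSWORD_OK user=frank src=203.0.113.9
2021-02-27T08:00:07 MFA_SENT user=frank src=203.0.113.9
2021-02-27T08:00:20 MFA_DENIED user=frank src=203.0.113.9
2021-02-27T08:00:25 MFA_SENT user=frank src=203.0.113.9
2021-02-27T08:00:40 MFA_DENIED user=frank src=203.0.113.9
2021-02-27T08:00:45 MFA_SENT user=frank src=203.0.113.9
2021-02-27T08:01:00 MFA_DENIED user=frank src=203.0.113.9
2021-02-27T08:01:05 MFA_SENT user=frank src=203.0.113.9
2021-02-27T08:01:30 MFA_APPROVED user=frank src=203.0.113.9
2021-02-27T09:15:00 PASSWORD_OK user=grace src=198.51.100.7
2021-02-27T09:15:01 MFA_SENT user=grace src=198.51.100.7
2021-02-27T09:15:20 MFA_APPROVED user=grace src=198.51.100.7
"""


def parse_log(text):
    """Turn the constructed log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source that fails passwords for many distinct accounts inside one window."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "PASSWORD_FAIL":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                findings.append({
                    "type": "credential_stuffing",
                    "src": src,
                    "distinct_users": len(users),
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                })
                break  # one finding per source is enough for triage
    return findings


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Flag an approval preceded by repeated MFA prompts (and denials) in a short window."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in ("MFA_SENT", "MFA_DENIED", "MFA_APPROVED"):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "MFA_APPROVED":
                continue
            recent = [x for x in evs[:i] if e["ts"] - x["ts"] <= window]
            prompts = sum(1 for x in recent if x["event"] == "MFA_SENT")
            denials = sum(1 for x in recent if x["event"] == "MFA_DENIED")
            if prompts >= min_prompts:
                findings.append({
                    "type": "mfa_fatigue",
                    "user": user,
                    "src": e["src"],
                    "prompts": prompts,
                    "denials": denials,
                    "approved_at": e["ts"],
                })
    return findings


def analyze(text):
    """Run both rules over a log and return the combined list of findings."""
    events = parse_log(text)
    return detect_credential_stuffing(events) + detect_mfa_fatigue(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Both rules are deliberately stateless and threshold-based so that an analyst can read exactly why an alert fired; the AI-based tooling the paragraph describes replaces these fixed thresholds with per-user baselines, but the signals it consumes are the same ones (failure bursts per source, prompt counts per user, and the source address attached to a successful approval), which is why centralising and retaining authentication events matters before any detection tooling is chosen.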
Case Study: Cyber Risk In Professional Services Organizations
In July 2021, Campbell Conroy & O’Neil (Campbell), a US law firm with major technology companies as clients, reported a ransomware-type security incident against its IT network that prevented access to certain files on its systems.
According to the investigation, the cyber attack was detected on 27 February and allowed the perpetrator to gain access to certain personally identifiable information relating to individuals. In its communication to those affected, Campbell offered services to help prevent fraud and identity theft.
Campbell did not reveal the identity of the ransomware group behind the attack, or whether the attackers stole the data they accessed. However, over 20 different ransomware operations are known to steal sensitive files from victims’ servers before deploying their payloads and encrypting the victims’ devices. The data stolen in these attacks is commonly used as leverage to force victims to pay, under the threat of having their information gradually leaked online until the operators’ demands are met. In some cases the ransomware gangs also raise the ransom step by step until all the stolen files have been published on leak sites built specifically for this purpose.
In conclusion, organizations will face new cybersecurity challenges and will need to get ahead of the curve to adequately protect against new threats. It is critical to implement a detection and response strategy, employing combinations of AI and machine learning to detect suspicious activity that indicates an attempted attack. Additionally, in an increasingly punitive legal and regulatory environment and with more frequent contractual requirements for cyber insurance, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.
Want to read more about our CII-accredited Certified Cyber Insurance Specialist (CCIS) Course? Click here.