How Professional Services Organizations Can Protect Themselves Against Rising Cyber Risk

March 2022

Cybersecurity has long been an important area for professional services companies to address, but the upheaval of the COVID-19 pandemic has provided even more opportunities for cybercriminals. Amid the widespread shift to remote and hybrid workplaces, there are more vulnerabilities to exploit than ever. Companies in law, architecture, engineering, public relations and other professional services sectors are prime targets due to their systems serving as repositories for large volumes of sensitive data.

To defend against increasingly sophisticated cyber threats, professional services companies can adhere to best practices for cybersecurity and data protection. They can develop detailed plans for risk assessment and incident response to safeguard their business and keep pace with evolving compliance regulations.
 

Cyber incidents are growing more frequent and fearsome

Even before the increased use of remote and hybrid work models, cyberattacks were already growing in number and sophistication. Cybercriminals continuously adapt their tactics to circumvent security measures and evade detection. Robust cybersecurity measures and mature data governance can help mitigate risk, but that also requires continuous monitoring, routine staff training and thorough preparedness against a number of different threats.
 

Phishing and other social engineering attacks

In a social engineering attack, a cybercriminal may pose as a colleague or trusted vendor to deceive an employee and obtain their user credentials or access sensitive files. With business email compromise (a type of phishing), the hacker may use a seemingly legitimate email address and even imitate previously sent emails to manipulate the employee. Often, the deceit involves an urgent request from a superior (such as "CEO fraud" spear-phishing) demanding information or even a payment.

United Nations officials noted a 600% increase in malicious emails during the early months of the pandemic, and recent studies show no signs of this trend slowing down. A Webroot report revealed a 440% increase in phishing during May 2021 alone. Victims of social engineering may also be embarrassed that their naivete harmed the company. They may be hesitant to report the incident, especially in a remote working environment where an employee’s activity is not as closely monitored. The longer an IT department is unaware of the incident, the more time cybercriminals have to access sensitive information, compromise systems and harm the organization.
 

Malware

Malware has also become pervasive. Businesses face an array of different types of malware, including keyloggers, rootkits, worms, trojans, spyware, adware and ransomware. The proliferation of Internet of Things (IoT) devices has also coincided with an uptick in denial of service (DoS) and distributed denial of service (DDoS) attacks, which often use malware to target poorly secured devices.

Supply chain attacks are another malicious cyber threat that often uses malware to exploit third-party software and managed service providers. Supply chain breaches can come in the form of a compromised software update that infects systems and mines data from multiple companies simultaneously. Alternatively, a hacked application at a file-sharing service provider can expose terabytes of confidential information, and affected companies may not even be aware of the breach until they’re notified by the service provider.
 

Ransomware

Ransomware has become the most troubling type of malware, both due to its rapid rise and the paralyzing effect it has by locking access to systems and files until a ransom is paid. Ransomware use increased by 62% globally and by 158% in North America from 2019 to 2020, and the frequency of attacks is projected to rise even further. The costs of a ransomware incident have spiked as well. The average requested ransom fee increased from $5,000 in 2018 to approximately $200,000 in 2020, and total reported ransomware payments surpassed $350 million in 2020, a 311% rise from 2019. Though the full scale of ransomware is unknown, as many hacks may not be reported, the total cost of ransomware attacks was estimated at $20 billion in 2020.

These hacks often aim for organizations that would suffer the most from restricted access to sensitive data. Also, the advent of “ransomware as a service” enables relatively unsophisticated cybercriminals to purchase and deploy malicious software, which has further fueled the growth of such incidents. As regulators scrutinize how companies report and respond to ransomware, preparedness and resilience are vital.
 

Protecting data against the devastating consequences of a breach

Clients trust firms in the professional services sector with sensitive information, and one breach can negate years of work invested in gaining customer trust. Data breaches make headlines when they happen to large companies, and the reputational damage can be severe. Smaller companies are also frequent data breach targets, as cybercriminals know that those companies are less likely to have robust security protections in place. While these incidents may not attract as much media attention as breaches at large companies, the consequences can be even more devastating. An estimated 60% of small and medium-sized businesses close for good within six months of a data breach. Firms that manage to survive a breach must counteract the reputational damage that often comes with it.

Whether the result of malicious hacking, a compromised third-party vendor or simply human error, a breach can have severe ripple effects across the entire organization. Therefore, data protection is a key component of business continuity. Ideally, there should be multiple layers of redundancy for cybersecurity and data protection, but that can impede accessibility.

Firms with limited resources can prioritize the security of high-value data and focus their efforts on protecting the most likely targets of a cyberattack. They can also engage in robust and consistent measures for risk assessment and mitigation. If a breach does occur, it’s critical to take swift and transparent steps toward resolution. Companies can provide those affected with timely updates that accurately reflect the nature and extent of the data breach. Misleading statements and disclosures can result in additional regulatory enforcement.

It’s critical to operate on a foundation of modern technology and data architecture. Legacy systems and poor data governance significantly increase enterprise risk. Internal policies might address a range of factors, including:
  • Data proportionality
  • Adequacy
  • Minimization
  • Purpose limitation
  • Use limitation
  • Storage limitation
  • Accuracy
  • Completeness
  • Security
  • Confidentiality
  • Integrity
  • Accessibility

Businesses can also securely dispose of old or unnecessary data (e.g., information on old prospects, former clients, et al.) and avoid collecting unstructured or “dark” data that exposes the company to unnecessary risk. Using a privacy-by-design strategy puts data protection as the default setting in processes for collecting, storing and using personal data. This user-centric approach increases transparency and helps protect personal data across the full lifecycle.

Mature data governance also provides operational benefits that extend beyond protection against a breach. A clear view of what data you have, how it’s used and where it’s stored helps to perform accurate data analysis that yields actionable insights. It helps to communicate data collection, use, retention and disposal policies to customers and key stakeholders as well.
 

Stay ahead of evolving compliance requirements

Strong data privacy practices can help increase customer confidence and mitigate risk. Depending on the jurisdiction(s) you operate in (customer location is often a determining factor), there are likely legal requirements related to data protection. To mitigate the increased volume of cyber threats and help protect consumers’ privacy, many governments — including in the European Union, Brazil and multiple U.S. states, particularly California — have recently enacted strong data privacy laws. Though specific aspects vary, noncompliance can result in significant financial penalties, including class action lawsuits.

Data privacy legislation has bipartisan support in the U.S. at the national level, and it’s only a matter of time before a federal law is passed. Biometric data collection (i.e., facial and fingerprint recognition) has come under scrutiny as it grows more widespread. Companies that take proactive steps to protect their data will be better equipped to comply with evolving regulations.

A proactive approach to data protection can also help protect your bottom line. As the rate of cyberattacks continues to rise and regulatory requirements expand, qualified cybersecurity professionals are in high demand. Any delay in improving your company’s cybersecurity and data protection measures will likely prove costlier in the long term.
 

How to protect your organization

From customer data to operations to finance, cyberattacks endanger your entire organization. A firmwide threat requires a holistic defense and response. Preparation is key. Fortunately, there are proactive steps your company can take to guard against ransomware and other threats and hone your rapid response capabilities, including:

1. Develop incident response and resiliency plans
Cyber risk continues to evolve. So can your reaction. Assess, test and periodically update policies and procedures for incident response and resiliency.

2. Build operational resilience
Who would you call if a cyber incident occurred? It’s important to identify potential scenarios that could disrupt operations and develop recovery strategies for each. Implement policies, procedures and process controls based on requirements and tolerances.

3. Increase awareness and implement training
It only takes one employee to open a phishing email and potentially compromise your entire system. You can ensure everyone at your organization is aware of the risks and best practices by developing and holding regular training sessions for staff on cybersecurity protocols.

4. Review access management
Build a comprehensive user access management program with clearly defined policies and procedures.

5. Bolster perimeter security
Leverage email traffic monitoring and analytics, as well as advanced intrusion detection and prevention solutions, to secure your network.

6. Practice vulnerability scanning and patch management
Find and resolve vulnerabilities before cybercriminals can exploit them. Consider using a third-party IT or cybersecurity firm to perform an audit.

Now more than ever, it's imperative to prioritize cybersecurity to help protect enterprise data, mitigate risk and ensure regulatory compliance, in addition to encouraging lasting confidence among customers and stakeholders.

BDO’s turnkey Managed Detection & Response (MDR) solution provides continuous detection, protection and feedback for organizations of all sizes. The technology allows companies to proactively detect and act on malicious activity and receive recommendations to improve their security posture.