Professional services firms a prime target for cybersecurity attacks

27 August 2020 4 min. read

The threats posed by cyber criminals are impacting every conceivable sector, including the world of professional services. Ryan Duquette, a partner and cybersecurity expert at RSM, outlines how professional services firms can build their cyber resilience.

Proving once again that it’s always nice to have a little celebrity star power attached to a project, hackers demanded a $42 million ransom from a New York law firm in early May after breaching its systems and seizing more than 750 gigabytes worth of personal information on A-list clients such as Lady Gaga, Madonna, and Bruce Springsteen.

In a far less publicized event, two Manitoba law firms were also locked out of their computer systems and asked to pay an "enormous" ransom following a breach in April.    

While the two incidents highlight what has been a steep increase in online crime since the onset of the Covid-19 pandemic, they also reaffirm a trend that has held true for the past five years: professional services firms are increasingly being viewed as “soft targets” by cyber criminals.

According to RSM research, the professional services sector (i.e. law firms, accounting firms, architectural firms, etc.) was the number one target of cyber attackers from 2014 to 2019, suffering over a fifth (21.5%) of reported incidents, just ahead of the health care sector at 19.6%.


What makes professional services companies so appetizing? First off, these firms are sitting on a treasure trove of sensitive client information, so hackers know if they can get into an organization, they can quickly spiderweb out.

Secondly, professional services firms are often small or mid-sized enterprises (SMEs), which have long been a preferred target of malicious actors because they don’t have the resources to spend on large-scale cybersecurity initiatives. In fact, 96% of all cyber-incident insurance claims come from SMEs, compared to just 4% from large companies, according to a 2019 report by NetDiligence.

Cyber attacks are crimes of opportunity and many professional service firms are sitting ducks. Still, there are simple steps these businesses can take to protect themselves and their clients.

As a company, it all starts with understanding the data you hold and how it is used. In this digital age of data proliferation, it’s common for firms to ingest large amounts of data without ever knowing why they’re holding on to the information in the first place.

When determining what data to keep, make sure to stay compliant with the federal and/or provincial regulations governing your industry. Then, ask yourself: what are the risks involved with holding on to the data and what are the risks if the firm is breached?  

It goes without saying that the more data you have, the more you are at risk, so if you don’t need it, don’t store it. Remember, you can’t protect everything. You can't build a fortress around your entire organization without making your employees jump through security hoops and slowing operations to a halt.

Businesses should also build separate security measures for different data sets. Whether it’s financial or payment records, HR information or specific client files, not everyone at your company should have access to everything. It’s about making sure the right information is available to the right people in your organization at the right time.

Once you identify your firm’s “crown jewels,” the next step is to protect this valuable data with appropriate security procedures and processes that are realistic and sustainable.

By now, most businesses have introduced some level of security training for employees, but it’s important to keep the lines of communication open to ensure staff is aware of the latest tricks and techniques deployed by cyber criminals. You want your team members to have security on the brain, but you don’t want them to feel ashamed if they click the wrong link. Make sure they feel encouraged to come forward and report an incident as soon as possible. 

Companies should also conduct quarterly or bi-annual vulnerability assessments to ensure there are no gaping security holes that one could drive a truck through. Testing your environment is especially urgent if your firm recently implemented new technology or cloud-based tools that could have unknowingly opened a back door.     

If, and when, you suffer a breach, there are two things you’ll wish you had immediately. The first is a data backup. Earlier, I referenced two Manitoba law firms that were infected with ransomware – they were left without access to client lists, emails, accounting and financial information, and more. You can avoid the same fate and be back up and running in days if you maintain an up-to-date backup of your business operations.  

Second, you’ll want an incident response team comprising legal counsel, public relations professionals, and cyber security experts, as well as a formal plan already in place that you can activate on short notice so you aren’t left scrambling. Once a breach occurs, prompt and transparent communication is critical in an effort to minimize financial and reputational damage to your firm.

There is no foolproof way to secure your business from a cyberattack, but the right people using the right technology and following well-developed plans and procedures are your best protection.