How Professional Services Organizations Can Protect Themselves Against Rising Cyber Risk

Cybersecurity has long been an important area for professional services companies to address, but the upheaval of the COVID-19 pandemic has provided even more opportunities for cybercriminals. Amid the widespread shift to remote and hybrid workplaces, there are more vulnerabilities to exploit than ever. Companies in law, architecture, engineering, public relations, and other professional services sectors are prime targets because their systems serve as repositories for large volumes of sensitive data.


To defend against increasingly sophisticated cyber threats, professional services companies can adhere to best practices for cybersecurity and data protection. They can develop detailed risk assessment and incident response plans to safeguard their business and keep pace with evolving compliance regulations.


Even before the increased use of remote and hybrid work models, cyberattacks were already growing in number and sophistication. Cybercriminals continuously adapt their tactics to circumvent security measures and evade detection. Robust cybersecurity measures and mature data governance can help mitigate risk, but that requires continuous monitoring, routine staff training, and thorough preparedness against many different threats.


Phishing and other social engineering attacks
In a social engineering attack, a cybercriminal may pose as a colleague or trusted vendor to deceive an employee and obtain their user credentials or access sensitive files. With business email compromise (a type of phishing), the hacker may use a seemingly legitimate email address and even imitate previously sent emails to manipulate the employee. Often, the deceit involves an urgent request from a superior (such as “CEO fraud” spear-phishing) demanding information or even a payment.


United Nations officials noted a 600% increase in malicious emails during the early months of the pandemic, and recent studies show no signs of this trend slowing down. A Webroot report revealed a 440% increase in phishing during May 2021 alone.


Victims of social engineering may also be embarrassed that their naivete harmed the company. They may be hesitant to report the incident, especially in a remote working environment where an employee’s activity is not as closely monitored. The longer an IT department is unaware of the incident, the more time cybercriminals have to access sensitive information, compromise systems, and harm the organization.


Malware has also become pervasive. Businesses face various types of malware, including keyloggers, rootkits, worms, trojans, spyware, adware, and ransomware. The proliferation of Internet of Things (IoT) devices has also coincided with an uptick in denial of service (DoS) and distributed denial of service (DDoS) attacks, which often use malware to target poorly secured devices.


Supply chain attacks are another malicious cyber threat that often uses malware to exploit third-party software and managed service providers. Supply chain breaches can come in the form of a compromised software update that infects systems and mines data from multiple companies simultaneously.


Alternatively, a hacked application at a file-sharing service provider can expose terabytes of confidential information, and affected companies may not even be aware of the breach until the service provider notifies them.


Ransomware has become the most troubling type of malware because of its rapid rise and the paralyzing effect of locking access to systems and files until a ransom is paid. Ransomware use increased by 62% globally and by 158% in North America between 2019 and 2020, and its frequency is projected to rise even further.


The costs of a ransomware incident have spiked as well. The average requested ransom fee increased from $5,000 in 2018 to about $200,000 in 2020, and total reported ransomware payments surpassed $350 million in 2020, a 311% rise from 2019. Though the full scale of ransomware is unknown, as many hacks may not be reported, the total cost of ransomware attacks was estimated at $20 billion in 2020.


These hacks often target organizations that would suffer the most from restricted access to sensitive data. Also, the advent of “ransomware as a service” enables relatively unsophisticated cybercriminals to purchase and deploy malicious software, which has further fueled the growth of such incidents. As regulators scrutinize how companies report and respond to ransomware, preparedness and resilience are vital.


Protecting data against the consequences of a breach
Clients trust firms in the professional services sector with sensitive information, and one breach can negate years of work invested in gaining customer trust. Data breaches make headlines when they happen to large companies, and the reputational damage can be severe. Smaller companies are also frequent data breach targets, as cybercriminals know those companies are less likely to have robust security protections in place.


While these incidents may not attract as much media attention as breaches at large companies, the consequences can be even more devastating. An estimated 60% of small and medium-sized businesses close for good within six months of a data breach. Firms that manage to survive a breach must still counteract the reputational damage that often follows.


Whether the result of malicious hacking, a compromised third-party vendor, or simply human error, a breach can have severe ripple effects throughout the entire organization. Therefore, data protection is a key component of business continuity. Ideally, there should be multiple layers of redundancy for cybersecurity and data protection, but that can impede accessibility.


Firms with limited resources can prioritize the security of high-value data and focus their efforts on protecting the most likely targets of a cyberattack. They can also engage in robust and consistent risk assessment and mitigation measures. If a breach does occur, it’s critical to take swift and transparent steps toward resolution. Companies can provide those affected with timely updates that accurately reflect the nature and extent of the data breach. Misleading statements and disclosures can result in additional regulatory enforcement.


It’s critical to operate on a foundation of modern technology and data architecture. Legacy systems and poor data governance significantly increase enterprise risk. Internal policies might address a range of factors, including:

  • Data proportionality
  • Adequacy
  • Minimization
  • Purpose limitation
  • Use limitation
  • Storage limitation
  • Accuracy
  • Completeness
  • Security
  • Confidentiality
  • Integrity
  • Accessibility


Businesses can also securely dispose of old or unnecessary data (e.g., information on old prospects, former clients, etc.) and avoid collecting unstructured or “dark” data that exposes the company to unnecessary risk. Using a privacy-by-design strategy makes data protection the default setting in processes for collecting, storing, and using personal data. This user-centric approach increases transparency and helps protect personal data across the full lifecycle.


Mature data governance also provides operational benefits that extend beyond protection against a breach. A clear view of what data you have, how it’s used and where it’s stored helps to perform accurate data analysis that yields actionable insights. It also helps to communicate data collection, use, retention, and disposal policies to customers and key stakeholders.


Stay ahead of evolving compliance requirements
Strong data privacy practices can help increase customer confidence and mitigate risk. Depending on the jurisdiction(s) you operate in (customer location is often a determining factor), there are likely legal requirements related to data protection. To mitigate the increased volume of cyber threats and help protect consumers’ privacy, many governments — including in the European Union, Brazil, and multiple U.S. states, particularly California — have recently enacted strong data privacy laws. Though specific aspects vary, noncompliance can result in significant financial penalties and class action lawsuits.


Data privacy legislation has bipartisan support in the U.S. at the national level, and it’s only a matter of time before a federal law is passed. Biometric data collection (i.e., facial and fingerprint recognition) has come under scrutiny as it grows more widespread. Companies that take proactive steps to protect their data will be better equipped to comply with evolving regulations.


A proactive approach to data protection can also help protect your bottom line. As the rate of cyberattacks continues to rise and regulatory requirements expand, qualified cybersecurity professionals are in high demand. Any delay in improving your company’s cybersecurity and data protection measures will likely prove costlier in the long term.


How to protect your organization
From customer data to operations to finance, cyberattacks endanger your entire organization. A firmwide threat requires a holistic defense and response. Preparation is key. Fortunately, there are proactive steps your company can take to guard against ransomware and other threats and hone your rapid response capabilities, including:

    • Develop incident response and resiliency plans. Cyber risk continues to evolve, and so should your response. Assess, test, and periodically update policies and procedures for incident response and resiliency.
    • Build operational resilience. Who would you call if a cyber incident occurred? It’s important to identify potential scenarios that could disrupt operations and develop recovery strategies for each. Implement policies, procedures, and process controls based on requirements and tolerances.
    • Increase awareness and implement training. It only takes one employee to open a phishing email and potentially compromise your entire system. You can ensure everyone at your organization is aware of the risks and best practices by developing and holding regular training sessions for staff on cybersecurity protocols.
    • Review access management. Build a comprehensive user access management program with clearly defined policies and procedures.
    • Bolster perimeter security. Leverage email traffic monitoring and analytics and advanced intrusion detection and prevention solutions to secure your network.
    • Practice vulnerability scanning and patch management. Find and resolve vulnerabilities before cybercriminals can exploit them. Consider using a third-party IT or cybersecurity firm to perform an audit.
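The business email compromise pattern described under "Phishing and other social engineering attacks" (a familiar display name, a lookalike or external address, an urgent payment request) is the kind of thing the "email traffic monitoring and analytics" in the perimeter-security item above is meant to catch. The following is an added illustration written for this article, not code from the original piece or from any vendor it mentions: a small Python triage function that scores an inbound message on a few defender-side indicators. The firm domain `example-firm.test`, the `EXECUTIVES` directory, the keyword list, and both sample messages are constructed assumptions for the example.

```python
"""Heuristic BEC (business email compromise) triage for inbound mail.

Added example: not part of the original article. All domains, names and
messages below are constructed placeholders, not real data.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-firm.test"          # assumption: the firm's own domain
EXECUTIVES = {                                  # assumption: display name -> real mailbox
    "jane doe": "jane.doe@example-firm.test",
}
# Words typical of "CEO fraud" requests; tune per organization.
URGENCY_TERMS = ("urgent", "immediately", "wire", "payment", "gift card", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw: str) -> dict:
    """Return the sender, a list of human-readable findings, a score and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    external = sender_domain != INTERNAL_DOMAIN
    findings = []

    # 1. Display name impersonates a senior employee but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if external and expected and expected != addr.lower():
        findings.append("display name matches an internal executive but address is external")

    # 2. Replies are silently redirected to a different mailbox.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From")

    # 3. Sender domain is a near-miss of the firm's own domain.
    if external and 0 < edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain resembles {INTERNAL_DOMAIN}")

    # 4. Urgency / payment language in the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [t for t in URGENCY_TERMS if t in body]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    score = len(findings)
    verdict = "hold for review" if score >= 2 else ("flag" if score == 1 else "pass")
    return {"from": addr, "findings": findings, "score": score, "verdict": verdict}


# Constructed sample: a CEO-fraud style message from a lookalike domain.
SAMPLE_BEC = """From: Jane Doe <jane.doe@example-flrm.test>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example-firm.test
Subject: Urgent wire
Content-Type: text/plain

I need you to process an urgent wire payment today. Keep this confidential.
"""

# Constructed sample: an ordinary internal request from the real mailbox.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-firm.test>
To: accounts@example-firm.test
Subject: Q3 planning
Content-Type: text/plain

Please send me the Q3 expense summary when you have a moment.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        result = assess_message(sample)
        print(result["from"], "->", result["verdict"])
        for f in result["findings"]:
            print("   -", f)
```

Each indicator on its own is weak (executives do travel and use personal mailboxes; finance staff do write the word "payment"), which is why the function accumulates findings into a score rather than blocking on any single one. In a real deployment the same checks would sit alongside SPF, DKIM and DMARC results from the mail gateway, and a "hold for review" verdict would route the message to a person rather than delete it, so that the reporting hesitancy discussed under social engineering is not made worse by silent filtering.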

Now more than ever, it’s imperative to prioritize cybersecurity to help protect enterprise data, mitigate risk, ensure regulatory compliance, and encourage lasting confidence among customers and stakeholders.