Features 21.03.2024

Why Professional Services Are Being Singled Out by Cyber Threat Actors

Phil Muncaster investigates why an industry that deals in knowledge is particularly exposed to info theft and extortion

Professional services are the glue that holds the knowledge economy together. By outsourcing accounting, finance, legal and other functions, enterprises can focus more clearly on their core business. However, as a strategically critical sector built on providing non-physical services, it is also at an elevated risk of information theft and extortion. In January, professional services suffered more incidents than any other vertical, according to Kroll.

CISOs operating within professional services organisations and those who manage them as third-party suppliers would do well to understand where cyber risk is most concentrated.

A British success story

Professional services could include anything from legal and accounting to business consultancy, payroll and finance, and even IT services. It’s no exaggeration to say the UK is a world leader in providing such services. According to the government, it is the world’s second-largest exporter of business services and home to five of the top 15 global law firms and three of the “Big Four” accounting and consulting giants. Around 600,000 businesses provide more than a tenth of the UK’s gross value added (GVA), generating over £270bn turnover and employing more than five million people.

Such success has not gone unnoticed. According to one estimate, the volume of reported data breaches at law firms alone surged 36% between 2021/22 and 2022/23. Kroll claims over a quarter (27%) of the incidents it investigated in January were at professional services firms, with business services (17%) accounting for the majority. In fact, professional services have consistently been the most impacted sector of the past six months, accounting for more than a fifth – and in some cases over a quarter – of incident response investigations. It was also the second-most impacted by ransomware in the first month of 2023.

Why are they singled out?

It’s no surprise to hear why these organisations are increasingly targeted by threat actors. Put simply, they have access to their clients’ ‘crown jewels’, according to Sonia Blizzard, managing director of ISP Beaming, which counts many such companies among its clients.

“They become trusted partners, with access to their core business functions and to large amounts of data moving between different businesses and locations that criminals could leverage for financial gain or other malicious purposes,” she tells Assured Intelligence.

“Professional services are also sectors where partners and employees have adopted different working practices, such as hybrid or remote working, and use technologies that generate more entry points to exploit and more complexity for cybersecurity protection.”

However, the different services they offer and the data they store can expose specific types of professional service providers more than others.

“While different professional services – insurance or legal, for example – handle money, attack forms can be subtly different,” Blizzard continues. “Legal firms are particularly vulnerable. They are frequently targeted with invoice fraud due to the amount of money they may hold on behalf of clients, and legal activity tends to be more sensitive to the risk of data breaches.”

Keeper Security VP of security and compliance, Patrick Tiquet, agrees that there are nuances in risk exposure.

“Law firms make attractive targets for cyber criminals looking to exploit sensitive data for reputational harm or financial gain due to the highly confidential client information they handle,” he tells Assured Intelligence. “Other organisations, like insurance companies, deal with large amounts of personal or financial data, drawing attacks aimed at accessing policyholder information or financial records.”

Nick Gumbley, senior director of professional services consulting at Synopsys, also cites the legal sector as a major target.

“In my experience, legal firms have many legacy systems built on manual processes. This makes them particularly susceptible to cybersecurity risks as they strive to modernise and evolve processes,” he tells Assured Intelligence.

Depending on their specific business type, many professional service providers are also likely to be highly regulated, but this too can play into the hands of canny cyber criminals, says Beaming’s Blizzard.

“These sectors work under compliance regimes, which does make them more vulnerable to the blackmail of a ransomware attack,” she argues. “They often build personal relationships with clients and have frank and extremely commercially sensitive conversations, so the reputational risk is huge. One cybersecurity slip can undermine the trust in a client relationship built over decades.”

How are they targeted?

According to Kroll, email compromise was the top threat impacting the sector in January, with threats most commonly involving phishing attachments and account takeover via the use of known credentials. This implies that negligent users lie at the heart of the security challenge for many organisations – both in falling for social engineering to open malicious attachments and potentially by reusing passwords exposed in third-party breaches.

KnowBe4 CISO, Brian Jack, also warns about the risk from external suppliers, especially if the professional services firm is an SMB with fewer IT resources and no dedicated risk management/due diligence process.

“Several times in the past few years, we have switched professional services vendors due to them not demonstrating adequate cyber controls during our regular vendor reviews,” he explains. “We trust these small businesses to handle and process some of our more sensitive employee data, but most of them are not equipped to meet the required security standards we have come to expect when evaluating other vendors.”

He adds that if these professional services companies outsource IT, there’s often a lack of security culture or proper oversight and training in data handling. This can introduce compliance risk, not just for the professional services provider but also for their clients.

“If a healthcare insurance broker stores employee data in a third-party outsourced application, you would need to ensure something like mandatory multi-factor authentication is being used at both the insurance broker and their downstream app provider, or there is a risk of compliance failure,” Jack warns.

An eight-point plan to keep professional services firms safe

  1. Regularly risk assess assets and model threats
  2. Identify and remediate vulnerabilities as early as possible
  3. Don’t forget third-party risks
  4. Develop enforceable policies and procedures that respond to vulnerability and risk
  5. Regularly train staff on threats and risks relevant to their role
  6. Restrict access along least-privilege lines
  7. Secure endpoints
  8. Monitor threats and put appropriate incident response plans in place

This plan was advised by Synopsys senior director, Nick Gumbley.

Time for CISOs to take back control

This kind of ‘fourth-party risk’ can be mitigated with better due diligence.

“I would hope that more customers will perform proper diligence on these professional services firms in the same way they evaluate technology vendors, given they could be storing and processing the same categories of data,” says Jack. “Customers should know where their data will be stored and who will have access to it, ensure proper agreements are in place to govern how the data will be handled and be sure that the company they are contracting with can fulfil the security and privacy obligations in the contracts.”

Keeper Security’s Tiquet adds that professional services CISOs should aspire to a zero-trust security approach – no matter how small the organisation.

“A zero-trust security model in conjunction with least-privilege access, role-based access controls, a single sign-on solution and appropriate password security can greatly decrease the likelihood of a successful attack and stymie the threat actor’s access,” he explains. “Leaders will then be in a stronger position to not only identify and react to attacks on their organisation but also mitigate any potential damage.”

Beaming’s Blizzard argues that for security to be effective, it must be seen as everyone’s responsibility – starting with the board.

“The biggest mistake most firms make is leaving cybersecurity strategy entirely to the IT team. This needs to be part of overall business goals, developed and practised by business leaders and communicated across the whole organisation,” she concludes.

“Professional service firms hire intelligent people dedicated to getting the work done for their clients, but they may not buy into the cybersecurity measures or simply get complacent if it is unclear why these systems need to be in place. Strategy can’t be a tick-box exercise. It needs to continually evolve to keep up with changing threats.”
