PureCyber


An Industry in the Firing Line? - What are the Biggest Threats to the Professional Services Sector & How Can you Defend Against Them?

As organisations across various sectors continue to embrace digital transformation, the benefits of enhanced efficiency and convenience are accompanied by a significant risk: the evolving landscape of cyber threats. In 2023, the professional and business services industry emerged as the third most targeted sector, accounting for approximately 15% of all cyber-attacks*. This category includes a diverse range of entities, such as accountancy firms, law practices, marketing agencies, IT companies, and recruitment firms.

These businesses are prime targets for cyber criminals due to the sensitive data they handle, making them attractive for phishing and ransomware attacks. The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have consistently emphasised the importance of proactive measures in mitigating cyber risks, especially given that ransomware remains the most significant online threat facing the UK.

What Cyber Threats Exist in the Professional Services Sector?

Among the professional services, the legal sector stands out as a particular focus for cyber criminals. Legal organisations often manage highly sensitive client information, such as details related to ongoing criminal cases or corporate mergers and acquisitions. This data can be invaluable for criminals aiming to exploit insider trading opportunities, gain competitive advantages in negotiations, or even manipulate the course of justice. Legal practices also frequently handle substantial financial transactions, from mergers and acquisitions to property conveyancing. The inherent time pressures associated with these transactions create fertile ground for phishing schemes and business email compromise.

A stark illustration of the risks involved occurred in 2021 when a city law firm fell victim to a cyber-attack, resulting in a loss of client data. The market reacted swiftly, causing a nearly 8% drop in share value within an hour of the incident being reported.** This event reflects a broader trend of increasing cyber threats across the sector. Alarmingly, around three-quarters of the UK’s top 100 law firms reported being targeted by cyber-attacks in the past year.*** Smaller firms, which often lack robust cyber security measures and dedicated IT support, are especially vulnerable to ransomware attacks, highlighting the urgent need for comprehensive cyber security strategies.

The legal sector isn't alone; recruitment and marketing firms also face significant risks due to the high volume of client data they manage. As these industries increasingly adopt automated practices and integrate AI technologies, the potential for cyber exploitation grows.

Within marketing departments, collaboration with IT and data teams is essential for ensuring data protection. In smaller organisations, where a dedicated Data Protection Officer may not exist, the Head of Marketing often assumes this role. Therefore, it is crucial for marketers to ensure that data handling complies with legal standards and local/global regulations. Marketing automation platforms must be reputable, and privacy policies regarding data collection and processing should be regularly updated.

What Cyber Threats are Most Prevalent Across the Sector?

Phishing: Phishing is a type of social engineering attack that aims to trick users into providing valuable, sensitive information or data via fraudulent emails, website links or SMS. Phishing is now one of the most common forms of cyber-attack globally. Most businesses have experienced an attempted phishing attack or fallen victim to one, with 84% of businesses reporting this type of attack.
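Phishing emails and SMS messages usually succeed because the link looks like it points at a domain the recipient trusts. The following is an added example, not code from the original article or from PureCyber, showing the kind of lookalike-domain check a mail filter or security awareness tool can apply to a link before a user clicks it. The legitimate domains (`example-law.co.uk`, `example-law.com`), the confusable-character table and the simplified registrable-domain rule are all assumptions made for the example; a production tool would use the public suffix list and a fuller confusables table.

```python
import ipaddress
import unicodedata
from urllib.parse import urlparse

# Constructed sample: the domains this firm legitimately sends from (assumption).
LEGIT_DOMAINS = {"example-law.co.uk", "example-law.com"}

# Second-level labels treated as part of the public suffix by the simplified rule below
# (assumption: a real tool would consult the public suffix list).
SECOND_LEVEL = {"co", "org", "gov", "ac", "net", "com", "ltd", "plc"}

# Character swaps commonly used to build lookalike names; applied after case/accent folding.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Reasons that, on their own, make the link a lookalike rather than merely unknown.
LOOKALIKE_REASONS = {
    "confusable_characters", "near_match_domain",
    "legit_domain_as_subdomain", "legit_domain_in_userinfo",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(host: str) -> str:
    """Normalise a hostname: punycode -> Unicode, strip accents, lowercase, map confusables."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels become Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: fold what we have
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    for pattern, repl in CONFUSABLES:
        host = host.replace(pattern, repl)
    return host


def registrable(host: str) -> str:
    """Simplified registrable-domain extraction: last two labels, or three under co/org/etc."""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-n:])


def assess_link(url: str) -> dict:
    """Return a verdict ('trusted', 'lookalike' or 'unknown') and the reasons behind it."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if p.scheme != "https":
        reasons.append("not_https")
    if p.username:
        reasons.append("credentials_in_url")  # user@host trick hides the real host
    try:
        ipaddress.ip_address(host)
        reasons.append("ip_literal_host")
        return {"url": url, "verdict": "unknown", "reasons": reasons}
    except ValueError:
        pass  # not an IP literal, carry on with domain checks
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return {"url": url, "verdict": "trusted", "reasons": reasons}
    legit_folded = {fold(d) for d in LEGIT_DOMAINS}
    folded = fold(reg)
    if folded in legit_folded:
        reasons.append("confusable_characters")  # e.g. examp1e-law, exämple-law, example-lavv
    elif any(levenshtein(folded, d) <= 2 for d in legit_folded):
        reasons.append("near_match_domain")  # one or two characters away from a real domain
    if any(host.startswith(d + ".") for d in LEGIT_DOMAINS):
        reasons.append("legit_domain_as_subdomain")  # example-law.co.uk.attacker-site.net
    if any(d in (p.username or "") for d in LEGIT_DOMAINS):
        reasons.append("legit_domain_in_userinfo")  # https://example-law.co.uk@other-host/
    verdict = "lookalike" if set(reasons) & LOOKALIKE_REASONS else "unknown"
    return {"url": url, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://portal.example-law.co.uk/login",
              "http://examp1e-law.co.uk/secure",
              "https://example-law.co.uk.verify-account.net/"):
        print(assess_link(u))
```

The check is deliberately conservative: a domain the firm does not own is only ever "unknown" or "lookalike", never "trusted", and the reasons list is kept so an analyst can see why a link was held back rather than just that it was.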

Ransomware/Malware: Attackers attempt to gain access to your network, establishing control and installing malicious encryption software if successful. During this phase, they may also steal data and threaten to leak it. Once the malware is activated, it locks devices and encrypts data, making it inaccessible to the victim. Victims often receive an on-screen notification from the cyber-criminal detailing the ransom amount and instructions for payment, which is usually requested in cryptocurrency. This is a particular risk for legal firms given the volume of client data they hold.

Supply Chain Attacks: Supply chain cyber-attacks are becoming increasingly prevalent, highlighting the urgent need for robust defences to prevent severe operational disruptions, financial losses, and data breaches. These attacks can take various forms, including physical supply chain incidents affecting on-site infrastructure and services. Digital supply chain attacks are also significant, with examples like the compromise of popular WordPress plugins and breaches in Java libraries that affected thousands of websites worldwide. Additionally, vulnerabilities in IT Managed Service Providers (ITMSPs) can lead to widespread impacts.

Bot Activity: Bots are prevalent on the internet, and your website likely receives a mix of organic and bot traffic. While some bots help improve SEO, others can be harmful, attempting to steal data or fraudulently engage with pay-per-click ads, which can waste your advertising budget without attracting real customers.
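Telling bot traffic apart from organic visitors starts with the web server's own access log. The following is an added example, not code from the original article or from PureCyber, that parses a handful of constructed combined-format log lines, classifies each client by its user agent, and flags a single IP that repeatedly hits a pay-per-click landing page without ever navigating further, the pattern behind the wasted ad spend the paragraph describes. The log lines, IP addresses, the `/landing` path, the crawler and script user-agent lists and the 5-hits-in-60-seconds threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in combined log format (assumption; not real traffic).
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/117.0 Safari/537.36"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /landing?utm_source=ppc HTTP/1.1" 200 5120 "https://ads.example/click" "{UA_CHROME}"',
    f'203.0.113.5 - - [10/Oct/2023:13:57:02 +0000] "GET /services HTTP/1.1" 200 8210 "https://www.example-firm.test/landing" "{UA_CHROME}"',
    f'203.0.113.5 - - [10/Oct/2023:14:01:15 +0000] "GET /contact HTTP/1.1" 200 3050 "https://www.example-firm.test/services" "{UA_CHROME}"',
    f'66.249.66.1 - - [10/Oct/2023:13:59:10 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "{UA_GOOGLEBOT}"',
    f'66.249.66.1 - - [10/Oct/2023:13:59:12 +0000] "GET /about HTTP/1.1" 200 4000 "-" "{UA_GOOGLEBOT}"',
    '192.0.2.44 - - [10/Oct/2023:14:03:00 +0000] "GET /landing?utm_source=ppc HTTP/1.1" 200 5120 "-" "-"',
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:58:{s:02d} +0000] "GET /landing?utm_source=ppc HTTP/1.1" 200 5120 "-" "python-requests/2.31"'
    for s in range(0, 18, 3)  # six identical ad-landing hits, three seconds apart
]

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
KNOWN_CRAWLERS = ("googlebot", "bingbot", "duckduckbot")       # assumption: a short allow-list
SCRIPT_UAS = ("python-requests", "curl/", "wget/", "go-http-client")


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_ua(ua: str) -> str:
    """Coarse user-agent class: empty, search_crawler, script or browser."""
    if ua in ("", "-"):
        return "empty"
    low = ua.lower()
    if any(k in low for k in KNOWN_CRAWLERS):
        return "search_crawler"
    if any(k in low for k in SCRIPT_UAS):
        return "script"
    return "browser"


def max_hits_in_window(times, window_s: int) -> int:
    """Largest number of timestamps falling inside any window of window_s seconds."""
    ts = sorted(times)
    best = j = 0
    for i, start in enumerate(ts):
        while j < len(ts) and (ts[j] - start).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def summarise(lines, ad_path="/landing", window_s=60, burst_threshold=5) -> dict:
    """Per-IP summary with flags; verdict is organic, crawler or suspicious_bot."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "ad_hits": [], "ua_class": "browser"})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        st = per_ip[rec["ip"]]
        st["requests"] += 1
        path = rec["path"].split("?", 1)[0]  # drop the utm_* query string
        st["paths"].add(path)
        st["ua_class"] = classify_ua(rec["ua"])
        if path == ad_path:
            st["ad_hits"].append(rec["ts"])
    report = {}
    for ip, st in per_ip.items():
        flags = []
        if st["ua_class"] == "search_crawler":
            flags.append("verify_crawler")   # UA strings are easily spoofed; confirm via reverse DNS
        elif st["ua_class"] == "script":
            flags.append("script_client")
        elif st["ua_class"] == "empty":
            flags.append("empty_user_agent")
        # Repeated landing-page hits with no onward navigation: likely click fraud, not a customer.
        if st["paths"] == {ad_path} and max_hits_in_window(st["ad_hits"], window_s) >= burst_threshold:
            flags.append("click_burst")
        verdict = "organic" if not flags else ("crawler" if st["ua_class"] == "search_crawler" else "suspicious_bot")
        report[ip] = {"requests": st["requests"], "ad_hits": len(st["ad_hits"]),
                      "ua_class": st["ua_class"], "flags": flags, "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, row in summarise(SAMPLE_LOG).items():
        print(ip, row)
```

The output separates the three kinds of traffic the paragraph mentions: the genuine visitor who arrived via the ad and kept browsing, the search crawler that should be verified rather than blocked, and the scripted client hammering the landing page, which is the one worth excluding from the ad campaign.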

CRM System Attacks: CRM systems, while essential for enterprise communications, are prime targets for cyber-attacks, risking data leaks, loss, or ransom. To mitigate these risks, organisations should enhance cyber security awareness, restrict software installations, and implement strong backup systems. Prioritising the prevention of unauthorised access is crucial for protecting CRM data and supporting marketing strategies.

Compromised Third-Party Apps: A consideration for marketing companies in particular is the potential security vulnerabilities associated with the range of third-party tools and apps that marketers often use. It’s essential to regularly review and update all software and applications to mitigate risks linked to third-party tools that the company hasn’t authorised.

Safeguarding Professional Services Firms

There are several measures that organisations in the professional services sector can take to safeguard their business and ensure that employees and customers remain safe from cyber threats. Some core examples of cyber security measures include:

  • Remote Working Data Protection - Many employees use their personal devices for work without their IT department's approval - understanding the best practices surrounding the BYOD landscape is crucial.

  • Implementation of Firewalls & Network Redundancies

  • Utilisation of Corporate VPNs

  • Prioritising Data Backups - It’s important to maintain a high degree of ‘cyber hygiene’ and ensure the tried and tested cyber security basics are covered.

  • Regular Updates of Software & Systems

  • Site Monitoring & Email Security

  • Regular Staff Cyber Security Training - Ensure staff are regularly updated on the latest threats and taught how to identify potentially harmful content online/via email - cyber vigilance is key

How can PureCyber Help?

Our dedicated team of cyber security and compliance experts are available to help secure your organisation and provide a bespoke, tailor-made cyber security service. Our service subscriptions offer a range of cyber security solutions for professional services firms of all scopes and sizes. From vulnerability scanning to penetration testing, incident response and active threat detection, our cyber solutions ensure you can operate safely and securely with reassurance that your business, employees and customers are safe from cyber threats.

Need a refresh? No matter what level of cyber security knowledge you have, it is always valuable to refresh your understanding of terms, topics and techniques. Our PureCyber glossary of terms is the perfect place to brush up on your understanding.

Links:

NCSC - Cyber Threat Report: UK Legal Sector

* Statista - Distribution of cyberattacks across worldwide industries in 2023

** The Law Society Gazette - Gateley Cyber Attack

*** The Law Society Gazette - Cyber Attacks in the Law Sector Statistics