Hackers may use professional services to gain access to their ultimate targets.
In today's digital age, the importance of robust cybersecurity measures cannot be overstated, particularly for professional services organizations that handle valuable and confidential information. Some companies are being selectively targeted due to perceived weaknesses in their security, leaving clients increasingly vulnerable to attacks.
Professional services providers with strong security credentials have an opportunity to differentiate themselves from those with weak security measures. The failure to tackle online security is a growing concern, and a good indicator of a service provider's commitment to security is their use of strong two-factor and network access authentication, including at the partner level.
Larger professional firms typically have robust security and large IT security teams. However, many mid-range and boutique professional services organizations are struggling to catch up with security measures. This leaves them vulnerable to targeted attacks, as hackers often target professional services organizations for their valuable and confidential information, as well as potential access to clients' systems.
Professional bodies such as The Law Society and ICAEW recognize the cyber threat to professional organizations and offer advice and education to their members. There is an increased awareness and call for action against cyber threats, with US Wall Street banks and law firms collaborating to share security information. Edward Snowden urged professionals with a duty to protect confidential information to upgrade security in the wake of spy surveillance revelations, emphasizing the importance of encrypted communications.
Law enforcement agencies are concerned about the vulnerability of US law firms to online corporate espionage, because those firms hold repositories of company secrets, business strategies, and intellectual property. One certainty in security is that by the time a threat becomes a topic of general awareness and discussion, it has already trickled down from high-end, focused attacks on individual targets to a mass-attack route.
To protect against targeted cyber attacks, professional services organizations should implement several specific security measures. These include:
- Comprehensive asset inventory: Knowing what devices, software, and data you own is essential to managing and securing them effectively.
- Multi-factor authentication (MFA): Enforcing MFA on all user logins adds a strong layer of protection against unauthorized access.
- Patch management: Keeping all operating systems, applications, and firmware updated promptly closes vulnerabilities that attackers exploit.
- Network security hardening: Changing default passwords on network hardware, enabling strong encryption, disabling unnecessary services and ports, separating guest from business networks, and limiting remote access to trusted IP addresses strengthen network security.
- Role-based access control: Applying least privilege by giving employees minimum necessary access reduces insider threat risks.
- Data encryption: Protecting sensitive information both in transit and at rest with strong encryption prevents data interception or theft.
- Automated, offline backups: Maintaining regular offline backup copies ensures data availability and quick recovery from ransomware or other destructive attacks.
- Security awareness training: Training staff to identify phishing and social engineering attempts, as well as how to respond to suspected incidents, is crucial.
- Incident response planning: Developing, documenting, and rehearsing ransomware and downtime playbooks, and clearly communicating emergency contacts internally and with vendors, is essential.
- Endpoint security solutions: Deploying antivirus, anti-malware, and advanced endpoint protection across all laptops, desktops, and mobile devices strengthens overall security.
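The network hardening item above (separating guest from business networks, disabling unneeded services, and limiting remote access to trusted addresses) is easiest to see as a concrete firewall policy. The following nftables ruleset is an added illustration, not part of the original article and not taken from any vendor's product. The interface names (wan0, lan0, guest0), the trusted administrative range (203.0.113.0/24, a documentation prefix) and the RFC 1918 business subnet are assumed placeholders that a firm's IT team would substitute with its own values.

```nft
# Added example: a default-deny ruleset for a small office gateway.
# Interface names, address ranges and port choices are assumptions.

table inet office {

    # Addresses allowed to reach management services from outside.
    # 203.0.113.0/24 is a documentation range standing in for the
    # firm's real administrative IPs (e.g. the MSSP's monitoring hosts).
    set trusted_admin {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    # Traffic addressed to the gateway itself.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Remote administration (SSH) only from the trusted set, and only
        # on the WAN side; everything else to the gateway is dropped by
        # the default policy, which is how "unnecessary services and
        # ports" stay closed without listing each one.
        iifname "wan0" tcp dport 22 ip saddr @trusted_admin accept

        # Business LAN may reach the gateway's DNS and DHCP.
        iifname "lan0" udp dport { 53, 67 } accept
        iifname "lan0" tcp dport 53 accept

        # Guest network gets DNS/DHCP from the gateway and nothing else.
        iifname "guest0" udp dport { 53, 67 } accept

        # Log what the policy is about to drop so it shows up in
        # monitoring; rate-limited to avoid flooding the log.
        limit rate 10/minute log prefix "office-input-drop: "
    }

    # Traffic passing through the gateway between networks.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Business LAN and guest Wi-Fi may each reach the internet.
        iifname "lan0"   oifname "wan0" accept
        iifname "guest0" oifname "wan0" accept

        # Guest <-> business is never forwarded: the absence of a rule
        # plus the drop policy enforces the separation. Stated
        # explicitly here so a reviewer sees the intent.
        iifname "guest0" oifname "lan0" drop
        iifname "lan0"   oifname "guest0" drop

        # Inbound connections from the internet to either network are
        # not accepted; only replies to outbound sessions (above) pass.
    }
}
```

The policy is loaded with `nft -f` and can be inspected with `nft list ruleset`. The design choice worth noting is that every "allow" is explicit and everything else falls to the chain's drop policy, so a service that is later enabled on the gateway by accident is still unreachable until someone deliberately adds a rule for it. The logged drops give the MSSP or internal team a signal to monitor, which is the continuous-monitoring point the article makes about outsourced security.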
These practices form a layered defense strategy to address common and sophisticated targeted cyber threats often aimed at professional services firms. Partnering with managed security service providers (MSSPs) can provide continuous monitoring, incident detection, and rapid response to evolving threats.
Given the increasing risk of attacks on IT systems, it is a good time to review the security levels of professional advisers, especially where the data provided is market-critical or highly confidential. Many service organizations responsible for securing confidential supplier information do not have the levels of protection needed to withstand concerted cyber-targeting. Banks are demanding that law firms harden their defenses against cyber attack, with concerns about the inadequate security measures in place in the UK. Some professional services firms are not subject to the same depth of compliance as their clients, which makes it essential for them to take proactive steps to protect their clients' data.
- Professional services organizations, including those serving the finance, industrial, and technology sectors, need to prioritize cybersecurity to protect valuable and confidential information, as their systems are increasingly being targeted by hackers.
- In today's digital age, it's crucial for professional services providers to invest in strong two-factor and network access authentication, including at the partner level, as failing to do so can indicate a lack of commitment to security and leave them vulnerable to cyber threats.