Professional services firms are the victims of cyber attacks at a disproportionate rate. Making up 14% of the US economy, professional services firms are subject to 25% of the attacks on small businesses in the United States.
Frankly, it makes sense that attackers target these businesses.
Often generating substantial revenues with small staffs, small and medium professional services firms frequently rely on internal team members to manage IT or outsource specific issues to Managed Service Providers (MSPs). Despite sophisticated operations, these firms aren’t running equally sophisticated security solutions.
In fact, security is often an afterthought.
Professional Services Firms: Key Players in the Small Business Economy
Research produced by Coveware indicates that 70% of ransomware incidents impact companies with fewer than 1,000 employees. Sixty percent of these companies report revenues of less than $50 million.
The fact that 25% of small businesses impacted by ransomware attacks are in the Professional Services sector is notable.
Why Attack Professional Services Firms?
The era of random attacks has long passed. Cyber attackers are measured in selecting their targets. In the case of Professional Services Firms, there are a number of factors to consider.
First, there’s the matter of mobility. Professional Services firms are paid to deliver timely advice. Many operate on the client’s site. Think of the Accountant conducting an onsite audit, or the Management Consultant assessing supply chain capacity in a manufacturing facility. These firms rely on individuals operating remotely to conduct core business processes. In many cases, the IT focus is on access to resources. If the remote worker is unable to access resources on the corporate network, they may also be unable to fulfil their duties. Instead of working, they’d spend hours troubleshooting with an IT resource. So, some firms choose to remove or bypass security controls. In many cases, firms may not even be aware of security controls. It simply isn’t the focus of the business. Whatever the case, the focus on mobility and ease of access makes professional services firms vulnerable to cyber attack.
Second, there’s the issue of business continuity and disaster recovery planning. In smaller Professional Services firms, the focus is on productivity. Many firms do not believe they have the time or resources to plan for a disaster. Backups may be done on an individual basis, but as an organization, no company-wide backup strategy may exist. When this one-off approach is taken in a firm, individual computers or devices can be left exposed. If wiped out, there is no backup copy or recovery option available. Cyber attackers know that small and medium firms are focused on productivity, and look for opportunities to exploit vulnerabilities. When a firm’s IT resources are wiped out and have no option for recovery, it’s the firm that pays the price. Between fines for exposing user data and the cost of recovery, that often means the firm ceases to operate.
Third, there’s the concept of perceived risk. This is all about mentality. A Professional Services firm, like other small businesses, may not consider itself a target for a cyberattack. After all, the media focuses on attacks in large institutions – like the Canadian Government or SolarWinds. That can lull small and mid-sized businesses into a false sense of security, and delay them in planning or putting measures in place to safeguard their IT operations. This is a pretty significant oversight in an era when the FBI reports over 4,000 cyberattacks a day. As demonstrated by reams of data, small and medium businesses are also the targets of attack these days.
Make no mistake: every single device (computer, mobile device, server, application) relying on the Internet for connectivity presents an opportunity for attack. Especially when devices are out of date and vulnerabilities are easy to detect.
How are Breaches Different in 2021?
Recovering from a cyberattack is complex and time-consuming. The process can be so taxing that 60% of small businesses do not recover from a cyberattack and are forced to shut their doors.
That’s because ransomware attacks not only present risk to the company under attack, but also to the company’s partners and clients. Once data from a company has been breached, it can be used to build spearphishing campaigns, business email compromise scams, and other types of fraudulent activity. As quickly as the breach happens, the stolen data is available for sale.
Case Studies: Professional Services Firms Impacted by Cyber Attacks
Case Study: Accounting, Tax and Business Consulting
In April 2020, an Accounting, Tax and Business Consultancy experienced a crippling ransomware attack.
While the firm’s workstations were locked down, an array of highly sensitive data was hijacked. This included expense forms from one of the firm’s partners, personal and institutional banking credentials (including answers to security questions), a Goods and Services worksheet belonging to a client, and hundreds of folders copied from company computers.
The attackers quickly put the data up for auction on a site known to be run by the REvil/Sodinokibi threat group in an effort to pressure the firm to pay a ransom. Reports indicate that it took a matter of days to get systems back up and running; staff were unable to work during this time.
Case Study: Commercial Real Estate
Colliers International experienced a cyberattack in November 2020 at the hands of the Netfilim threat group.
While Colliers is definitely not on the ‘small and medium’ scale (the firm employed approximately 15,000 people in 2019), this professional services firm faced the same challenges as any other organization after a cyber attack. According to a listing on the Netfilim website, multiple files related to the Colliers breach were made available for sale. Despite this public listing, the company did not wish to disclose which files had been copied and what parties had been compromised.
Colliers conducted a thorough investigation to identify the source and outcome of the breach, and to identify the impacted data. The business was back up and running quickly, thanks to a fast-acting IT team and a solid business continuity plan.
With the company providing a variety of real estate management services, one can only speculate about the status of the thousands of devices operating on their networks – and the opportunities they present to potential attackers.
Case Study: Architecture
Over the course of 2020, architecture firms experienced 2-3 times the usual number of ransomware attacks and attempted breaches. These firms saw a significant spike in attempted phishing attacks. The attempts to build relationships with employees in a quest for personal information present a unique risk in architecture firms.
A hypothetical attack could access sensitive client data, especially on industrial projects. This would range from the layout of a new building to ventilation plans and physical security. Access to these plans could put human lives at risk – not just expose the business to an attack.
That’s why many architecture firms prioritize the use of secure cloud platforms, frequently updated network security, and integration of machine learning defenses into their technology stacks.
Cybersecurity Guidance for Professional Service Firms
To be sure, cyberattacks are impacting professional services firms at a disproportionate rate.
For the most part, these firms are easy targets for cyber criminals because of their lax approach to cybersecurity. In under 12 hours, attackers can extract enough data to bankroll their entire operations.
There are, however, steps to be taken:
- Keep applications and devices up-to-date
- Ensure all devices are equipped with antivirus software
- Invest in a corporate VPN and firewall
- Rely on multifactor authentication for network access
- Support staff awareness of cybersecurity and recent attacks. Phishing is the most common method hackers use to infiltrate a network.
- Source an endpoint detection & response solution that relies on expert cybersecurity analysts
Does your professional services firm need support in planning your cybersecurity tactics? Get in touch! We offer a free 30-day proof of value.