One in five data breaches are attempts to extract personal information
With a total value of US$250 billion, consulting is one of the largest and most mature sectors in the professional services industry. Lawyers, consultants, analysts and other employees work with clients’ sensitive data, which makes their companies top targets for cybercrime.
The criminal group behind REvil (Sodinokibi) ransomware notably extorted a New York-based law firm, asking for a US$42 million ransom and threatening to publish private details of the company’s celebrity clients. Those include superstars like Lady Gaga, Madonna, Bruce Springsteen and other famous entertainment industry names.
This risk extends across the whole professional services industry, as clients entrust consulting firms with their financial reports, employee data and classified information. Even before the pandemic, the sector had a relatively distributed and remote workforce that regularly met with clients internationally. With most operations happening online, cybersecurity negligence tends to be costly.
Research by RSM indicates that professional services were the most prominent target from 2014 to 2019, suffering 21.5% of reported incidents. Each data breach costs companies around US$4.23 million, 10% higher than the overall average. With a single record of Personally Identifiable Information (PII) valued at US$175, expenses grow rapidly if the victim company holds data on thousands of clients.
Malicious users primarily target web applications, with Verizon reporting this attack pattern in 33% of breaches. However, to obtain login credentials and gain a foothold on victims’ systems, they frequently rely on social engineering. Spear-phishing was responsible for 95% of breaches in enterprise networks, so consulting firms should be vigilant when using their digital tools.
“The most valuable asset consulting companies work with is data. While cyberattacks are unlikely to disrupt normal service for most, like the information technology or retail industries, customer PII loss will result in financial and reputational damage. Enterprises should have an employee-centred approach and implement smart cybersecurity tools to manage distributed and remote teams,” says Juta Gurinaviciute, the Chief Technology Officer at NordVPN Teams.
Most SMEs underestimate cybersecurity vulnerabilities
Even though larger organisations maintain more extensive client databases and often have more valuable assets to protect, cybercriminals primarily aim at smaller companies. 96% of cybersecurity insurance claims come from small and medium enterprises (SMEs), whereas large firms account for the remaining 4%.
Cybercriminals see SMEs as a ‘soft target.’ Their larger counterparts usually have the people and resources to establish and maintain robust digital protection. Lacking an extensive cybersecurity team or a strong perimeter should not discourage an SME from investing: the transition to edge computing opens new options and makes scalable, accessible cyber protection tools available.
“Before opting for cloud access security brokers (CASB) and other tools, enterprises should evaluate their needs and complete a data audit. They have to comply with legal regulations and only keep client information that is necessary for operating. Also, consider building separate data sets for every department, so employees only access the information needed for their tasks,” comments Gurinaviciute.
Businesses should also take a further step in limiting their attack surface. They can establish IP whitelisting (also called an ‘allow list’), which admits devices and applications based on their IP addresses. Only if the IP is on the predefined list can the user reach the internal network and applications.
While establishing and maintaining an IP whitelist manually can be an expensive burden, a small business can opt for third-party solutions. Scalability and user experience should be the main selection criteria, and intuitive features such as a centralised Control Panel let admins add or remove users on demand.
To further strengthen their networks, consulting and professional services companies can implement the Zero Trust Access model. Once users are permitted to enter the system, they reach only the resources needed for a specific task, and only for a limited time. Managing user privileges this way lowers the risk of a successful cyberattack considerably and increases visibility for IT teams.
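The two controls described above, an IP allow list as the network gate and task-scoped, time-limited grants as the access gate, are combined in the following added example. It is illustrative code written for this page, not code from NordVPN Teams or any product the article mentions; the allow-list ranges, users, resource names and timestamps are constructed (the addresses are RFC 5737 documentation ranges standing in for an office egress range and a VPN concentrator). Every decision is written to an audit list so the IT team gets the visibility the text refers to.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple

# Constructed allow list (assumption): one office egress range and one VPN address.
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def ip_allowed(client_ip: str, allow_list=ALLOW_LIST) -> bool:
    """True only if client_ip parses and falls inside a listed network (fails closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed input is denied, never treated as "unknown but fine"
    return any(addr in net for net in allow_list)


@dataclass(frozen=True)
class Grant:
    """A least-privilege grant: one user, one resource, a set of actions, a deadline."""
    user: str
    resource: str
    actions: FrozenSet[str]
    expires_at: datetime


class AccessPolicy:
    """Network allow list first, then task-scoped and time-limited grants."""

    def __init__(self, allow_list=ALLOW_LIST):
        self.allow_list = allow_list
        self.grants: List[Grant] = []
        self.audit: List[str] = []  # every ALLOW/DENY decision is recorded here

    def grant(self, user: str, resource: str, actions, ttl: timedelta, now: datetime) -> Grant:
        """Issue a grant that covers only the named resource/actions and expires after ttl."""
        g = Grant(user, resource, frozenset(actions), now + ttl)
        self.grants.append(g)
        return g

    def authorize(self, user: str, client_ip: str, resource: str, action: str,
                  now: datetime) -> Tuple[bool, str]:
        who = f"{user}@{client_ip}"
        # Gate 1: requests from unlisted addresses never reach grant evaluation.
        if not ip_allowed(client_ip, self.allow_list):
            return self._decide(False, f"{who}: address not on allow list")
        # Gate 2: need an unexpired grant for exactly this resource and action.
        matching = [g for g in self.grants
                    if g.user == user and g.resource == resource and action in g.actions]
        live = [g for g in matching if now < g.expires_at]
        if live:
            until = max(g.expires_at for g in live).isoformat()
            return self._decide(True, f"{who}: {action} {resource} permitted until {until}")
        if matching:
            return self._decide(False, f"{who}: grant for {action} {resource} expired")
        return self._decide(False, f"{who}: no grant for {action} on {resource}")

    def _decide(self, allowed: bool, message: str) -> Tuple[bool, str]:
        self.audit.append(("ALLOW " if allowed else "DENY  ") + message)
        return allowed, message


# Constructed reference time so the demo is deterministic.
DEMO_NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


def run_demo():
    """Walk one analyst through the five cases a practitioner would want to see."""
    policy = AccessPolicy()
    t0 = DEMO_NOW
    # One-hour, read-only grant on a single data set (the per-department split in the text).
    policy.grant("ana", "finance/reports", {"read"}, timedelta(hours=1), t0)
    later = t0 + timedelta(minutes=30)
    decisions = [
        policy.authorize("ana", "203.0.113.45", "finance/reports", "read", later)[0],   # allowed
        policy.authorize("ana", "192.0.2.1", "finance/reports", "read", later)[0],      # wrong network
        policy.authorize("ana", "203.0.113.45", "finance/reports", "write", later)[0],  # action not granted
        policy.authorize("ana", "203.0.113.45", "hr/payroll", "read", later)[0],        # other department's data
        policy.authorize("ana", "203.0.113.45", "finance/reports", "read",
                         t0 + timedelta(hours=2))[0],                                   # grant expired
    ]
    return decisions, policy.audit


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

Note that the allow list is a coarse control: it is checked before, not instead of, the grant, so a user on an office address still cannot read another department's data set or keep access after the grant's deadline, and a denied request is recorded with its reason rather than silently dropped.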