Article

Cybersecurity for professional services firms

Prevent costly data breaches

#
Risk consulting Cybersecurity consulting Professional services Cybersecurity

In the current environment, no organization is immune to hackers who seek to access information technology (IT) systems. While breaches at large enterprises tend to make headlines, the information held by professional services companies typically has a much higher value, and is becoming more of a focus for criminals as a result. Firms must take a closer look at their security protocol and approach to fully understand potential threats and vulnerabilities.

Along with the basic employee and client information that hackers always covet for resale on the black market, professional services firms also typically possess a wide range of valuable and confidential information that may be at risk. Examples include key intellectual property and strategies for both the firm and clients; any of this information could cause devastating financial and reputational damage if leaked or breached.

In addition, professional services firms are typically seen as soft targets by hackers. Larger organizations normally have extensive security budgets and resources to implement strong perimeter and internal defenses, but many professional service firms do not have the internal resources to commit that same level of investment into IT security.    

According to the Verizon Data Breach Report, 52 percent of cybercrime committed against professional services firms is cyberspying or cyber-espionage, 25 percent is committed through crimeware and 10 percent through miscellaneous errors. Ransomware, for example, can encrypt a firm’s data, making it inaccessible. Instead, users see a message on the screen informing them that it will be released only after the firm has paid a ransom, usually using Bitcoin, an online currency that is untraceable and can send funds to foreign countries, where hackers often reside.

Cybercrime occurs most prevalently through:

Hacking—A cybercriminal figures out how to breach a firm’s system, with current methods focusing on stealing data through a firm’s Web applications or browser plug-ins.

Malware—Hackers can obtain ransomware and other malware easily online. It can be undetectable by anti-virus software, which typically provides protection 80 percent of the time at best.

Social engineering—An experienced cybercriminal can sometimes get employees to do something they normally would not do. For example, sending a staff member an email citing details about the firm obtained on LinkedIn and including an invoice for a fictional project done overseas, which is then paid.

Physical loss—A lost or stolen laptop or device can be used to commit cybercrime. If the crime is committed by an employee, the device used to execute it mysteriously goes missing. This can be a rare occurrence but can have far-reaching effects.

Firms can combat cyberattacks by instituting security controls and tools in three areas. While professional services companies often pursue some of these controls, they rarely have all three; combined, these controls ensure the greatest security.

Preventative controls include vulnerability, patch and configuration management; access and authentication; intrusion prevention systems; and anti-virus blocking. It’s important to note that firewalls, and other software designed to protect networks, that are purchased at mass retailers are not as effective as those obtained from security advisors or custom-developed for a firm.

Detective controls include security information and event management; managed security service providers; intrusion detection systems; monitoring of database activity, compliance and operations; anti-virus hosts; and network alerts. These controls detect potential breaches and generate alarms that must be responded to in a timely fashion to be effective.

Corrective controls include incident response; forensics; anti-virus quarantine; system isolation; disaster recovery and business continuity plans; and administrative or legal actions. If a cybercrime occurs despite preventative and detective controls being in place, corrective controls can still minimize or repair the situation.

Incident scoping, evidence preservation and analysis

Even with controls in place, data breaches can still occur. How a firm responds can make all the difference in containing the damage. Ideally, someone experienced in incident response and forensics investigations is called in well before the IT department begins to work on the issue. The advisor will systematically identify and preserve as much evidence as possible. The investigation could include network servers and applications, computer-system memory, firewalls, virtual private networks, email, building-access logs, system backups, third-party providers (such as cloud services) and video surveillance.

The advisor will want to know what is known and unknown about the event. Questions could include: How did malware get into a laptop to begin with? What has that laptop been connected to and what could the criminals have additional access to as a result?

Analyzing evidence is the next stage. The advisor will define the time period of the compromise as accurately as possible and then evaluate the risk of harm. For example, an advertising firm’s main server containing all of its information about current and past clients going back several years is breached. The information is in Word documents, Excel spreadsheets, PowerPoint presentations, email and databases.  The advisor will produce a comprehensive collection of that data for review by consolidating it from all file formats into a spreadsheet that is more easily analyzed.

Analysis spans many levels. Figuring out the depth and breadth of access to data that employees have based on their usernames and passwords can help identify areas affected by a breach. For example, knowing that Windows passwords are stored as an alphanumeric string that can be cut and pasted into a password box, thus gaining someone access to a restricted area, is just one small example of considerations made during analysis.

While a firm may want to complete an investigation quickly due to numerous pressures, there are many questions that need to be asked to learn what really happened. The process can take several weeks or months, so even when regulatory requirements stipulate that firms have 60 days to investigate an incident, they should not wait until the last moment.

Mitigating costs and risks

No organization is too small or too large to be attacked, and more firms are being proactive now with preventative measures. Doing a risk assessment before a data breach occurs, followed by the development of a security program, is a great way to minimize risk. An incident response plan should be in place, with mock response drills.  Firms should also conduct security awareness training. From a technical perspective, a program should be in place to classify and identify types of data. It should be segregated, divided among different locations—known as data pooling—to protect it. Test all backup, archiving and anti-virus solutions, noting any vulnerabilities in the firm’s network that hackers may exploit.

RSM contributors

  • Chris Murphy
    Partner

Related insights

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk.