Many professional service firms have vast stores of incredibly sensitive and valuable information, and it is more vulnerable than ever. Throughout 2020, cyberattacks targeted professional services firms with increased frequency and aggression, with some of the most brazen attacks making international headlines. Because professional services firms are being regularly targeted by increasingly sophisticated cybercriminals, law firms, healthcare providers, accounting firms, business consultants and others are quickly beginning to realize that cybersecurity threats are a serious and growing risk, one that they cannot afford to ignore.
High-Profile Cyberattacks Against Professional Services Firms
In May 2020, the entertainment law firm Grubman Shire Meiselas & Sacks, whose clients include a long list of A-list celebrities, was targeted by the hacker collective REvil (also known as Sodinokibi) in a ransomware attack that allegedly resulted in a data breach of 756 gigabytes of private correspondence and other documents.
Several months later, this same group executed another ransomware attack on The Hospital Group in the United Kingdom, a firm that specializes in plastic surgeries, claiming to have taken more than 900 gigabytes of patient photographs and potentially accessing other confidential files.
Cyberattacks Threaten Professional Service Firms and Their Clients
In these high-profile data breaches, sophisticated hackers were able to bypass security controls of large computer systems and hold major firms for ransom, which compromised their IT systems, daily operations, and confidential information. These were not exploratory attacks; the attackers knew what they were after. For law firms and healthcare providers, a data breach can potentially expose confidential client information and intellectual property, which is what the hackers used as leverage in these cases.
These examples of data breaches illustrate the huge costs, both direct and indirect, that can be caused by a lapse in cybersecurity. Along with client and employee information, professional services firms usually have other types of valuable and sensitive information that could be put at risk, such as business strategies and intellectual property. For the affected service firms, the expense of the ransom and lost business, along with the lasting damage to their brands and reputations, constitute a major blow to their businesses.
The Current Threats Professional Services Should Watch Out For
The current prevalence of data breaches and ransomware attacks highlights a long-term trend: Cyber criminals view firms that specialize in professional services as soft targets that can be easily exploited. Unfortunately, that is all too often the case, especially for smaller firms that might not have the internal expertise to respond to cybersecurity threats.
For companies facing this kind of situation, hiring a service provider that specializes in cybersecurity solutions for a complete risk assessment and security program is the best way to protect their employees and their operations.
Phishing and Spear-Phishing
These common forms of email attacks are designed to trick users into performing a specific action, usually clicking on a malicious link or attachment. Phishing scams cast a wide net by targeting large numbers of users at once, while spear-phishing attacks are highly targeted and will use publicly available (or stolen) information to get a specific person to perform a particular action.
Both types will continue to be a major cybersecurity issue in the year ahead. Email is already a leading point of access for a wide variety of threats, and attackers are expected to ramp up their efforts, particularly in relation to global COVID-19 vaccination efforts.
Malware and Ransomware
As the source of the majority of known data breaches, they will continue to be an issue going forward. Although cybersecurity experts can respond quickly to known malware, there are always new malware exploits being developed.
Shared Logins and Passwords
These are an existing security vulnerability for many small and medium-sized businesses, one that has grown significantly in response to the rise of remote work. When team members use the same credentials across multiple accounts, or account credentials are shared with multiple team members, it makes it easier for hackers to gain access.
Any network that reaches the Internet, like systems with IP addresses or hostnames resolving publicly in DNS, could potentially be exploited through Internet-facing vulnerabilities. In 2021, cybercriminals are expected to focus on compromising internet-facing infrastructure, like exploiting vulnerabilities in unpatched servers. As more and more companies conduct most of their business remotely, tending to these vulnerabilities will require increasing resources.
4 Other Cyber-Threats That Every Business Needs to Watch Out For?
Although some security issues are fiercer depending on the business sector of the concerned companies, there are 4 other broad categories of security threats that all enterprises should take into consideration.
This strategy involves using human interaction to trick users into breaching security policies and compromising IT systems. Phishing, spear-phishing and other misleading or fraudulent communications fall into this category. With the proliferation of publicly available information online, hackers will only become more sophisticated in their approach to these popular attacks. As the COVID-19 pandemic continues to run its course, cyberattacks will continue to build phishing campaigns that use contact tracing or vaccination as a pretext.
Exploitation of System Admin Tools
The exploitation of system administration and management tools is a longstanding IT security concern, but they are expected to be an increasingly important vulnerability for many organizations. As the interconnection of IT systems continues to grow, along with the expansion of remote networks, hackers will have increased opportunities to exploit system weaknesses.
Internet of Things (IoT) Attacks and User Device Vulnerabilities
IoT devices are being used for more and more applications, like capturing data, remotely controlling equipment, and managing infrastructure. But many of these devices lack robust security, creating a whole new category of risks. Bad actors can gain control of IoT devices for use in botnets, and leverage IoT weaknesses to gain access to the network.
Lack of Monitoring
In many companies, a lack of proper monitoring for information technology systems results when there is a lack of personnel with the required expertise. This glaring security gap can sometimes be filled with the right hire, but that does not always address the root cause. In many cases, this type of security issue points to a shortfall in organizational cybersecurity skills. Simply put, many professional services firms focus their attention on meeting their client’s needs, not their IT systems. If an organization is always a step behind when it comes to cybersecurity monitoring, an increase in security issues is bound to result, leading to lost productivity, data breaches and increased costs. For professional services firms without cybersecurity professionals, hiring a managed services provider is a cost-effective solution to the cybersecurity skills gap.
The MicroAge Way
For comprehensive IT support and services, call MicroAge. Enjoy the peace of mind that a well-managed IT department provides and invest your time and energy in growing your business instead! Contact us for a free consultation that will help you reduce downtime, cut costs, and increase efficiency.