
Professional services firms: Stuck in the middle of a weak cybersecurity chain?

When a global law firm was hit by a major ransomware attack in 2017, it not only represented one of the first prominent cyber-attacks on a professional services business but also revealed, with phones and emails down and access to documentation and work materials severely restricted, how damaging such a hack could be from both a cost perspective and in terms of immediate and wide-ranging business interruption, loss of clients, and reputational damage.

While the law firm was the one featured in the headlines, the firm has reported that the malware originated via a supplier. The incident highlights the risk to professional services firms of being hit by attackers via their relationships with a third party, whether that is a client, an IT supplier, or a business partner. A business can aim to have optimal cyber security measures in place for its own systems, but those measures can be undermined by its third-party relationships and its critical supply chain. The cyber risk profile of a professional services firm's supply chain is only as strong as those of its partners and suppliers.

A rich source of confidential information & opportunities for fraud

If sensitive and confidential information represents a valuable commodity to the cyber-criminal community, then professional services firms are the equivalent of a goldmine. Whether operating in law or accountancy, for example, professional services businesses deal in the currency of sensitive information every day. Further, many hold client funds or act as intermediaries in financial transactions.[1] It is this storage and exchange of information that can make them vulnerable to attack, particularly when it comes to the third parties they work with.

Business email compromise – it’s on the rise

Phishing and credential theft leading to business email compromise has risen to become the most prominent attack type for professional services firms.[2] Finance staff in professional services firms are the most frequently compromised, but executives are also often compromised in attacks, and executives in professional services firms are 6 times more likely to be the "asset" compromised in an attack than their peers in other sectors.[3]

One of the most obvious third-party vulnerabilities is via the firm's clients. Law firms frequently share information with clients via email. A client who falls victim to a phishing attack may end up passing a malware-infected document to the law firm, which, trusting the client as the sender, inadvertently downloads the malware onto its own network. In this scenario the initial breach may not have been the law firm's own, but the firm will still have to deal with the consequences now that its own systems have been compromised, and the sensitive data it holds may now be exposed or lost to an attacker. Similarly, through social engineering techniques, attackers seek to commit fraud by posing as a genuine, trusted third-party supplier (perhaps a law firm's own accountant) in order to misdirect funds via fraudulent transfer instructions.

Critical infrastructure suppliers under attack

It's not just clients, however. Professional services firms work with numerous other third parties on whom they rely to provide services to their clients and otherwise keep their business running. For example, an accountancy firm does not necessarily want to be in the IT business and may opt to outsource much of its IT functionality and management to a supplier, whether that is infrastructure or the storage of data in the cloud. Businesses have suffered breaches as a direct consequence of using a third-party cloud storage provider to hold that data: these suppliers are increasingly under attack from cyber criminals who see them as a potential 'back door' into the IT networks of their clients, including professional services firms. Of course, it is usually the professional services firm whose name and reputation are at stake, and it will experience the bigger share of the negative publicity. This is not to say that firms shouldn't outsource to specialist providers, but making the decision to outsource and working out a satisfactory commercial arrangement is not enough. The firm still needs to understand and manage the risks associated with the outsourced services and pay particular attention to the cyber risk through appropriate steps.

Vulnerable data sharing partnerships

Another, more recent example of a third-party breach affecting many businesses in the legal and professional services world involved a service provider used by law firms to process and review highly sensitive client data for use in legal proceedings, lawsuits, and sensitive internal investigations. In this instance the supplier was hit with a ransomware attack that took its systems down for a period of days. For the law firms, this breach had consequences for the safety of their clients' sensitive data even though the compromise was of a third-party supplier.

Plug the third-party gaps

For professional services then, the key question should be around how to plug these potential third-party cyber security gaps. The first step should focus on understanding who the business works with. Do firms know precisely which third parties they contract with, who they are sharing data with, or even where they might have connections to each other’s networks?

Professional services firms need to understand the extent of their potential exposure with third parties and ask themselves when they last carried out a cyber-security vetting of their suppliers. Many might have done the vetting when initially contracting with them but have not followed up or refreshed the review in the intervening years.

Equally, it's important to look at procurement processes and how firms onboard new suppliers when it comes to cyber security, as well as at existing suppliers and what contract provisions are in place. It may be that a firm has provision for regular cyber security assessments but has not prioritised those assessments. There may also be an audit-rights clause that allows the firm to audit its supplier regularly, or that is triggered if there is a breach or other incident.

Focus on data sharing policies

Cyber security needs to be a live and organic process. One potential solution is for professional services firms to ask their suppliers and other third parties to use a self-assessment cyber security tool to benchmark their cyber strengths and weaknesses. Firms should also look at their policies on data sharing with business partners and clients. By undertaking a policy review, a better understanding can be developed of how information is shared and transferred with clients and other third parties, and appropriate risk mitigation strategies adopted. For example, this might involve moving sensitive email traffic and documentation to a secure server dedicated to storing or transferring the data, restricting access and using multi-factor authentication, and cataloguing what is transferred.

Should the worst happen, however, and a breach takes place, a well-practised incident response plan will help the business act decisively to limit the financial and reputational damage and quickly get the business up and running again. This plan needs to pay specific attention to how third parties are included in any response; for example, a firm might need to notify other third parties of a breach even if they haven't been directly involved.

Work closely with third parties

Provided a business has thoroughly understood the risk from its third parties, the cyber threat can be minimised. It is a risk that can't be eradicated, but it can be significantly reduced if a firm has put in the work to understand and quantify the risk by working closely with its clients and suppliers.

For more on cyber risk and how to manage the risks associated with the supply chain, download Aon's 2020 Cyber Risk Report.