Cybersecurity has long been an important area for professional services companies to address, but the work environment since the COVID-19 pandemic has provided even more opportunities for cybercriminals. Amid the widespread shift to remote and hybrid workplaces, there are more vulnerabilities than ever to exploit. Companies in law, architecture, engineering, public relations and other professional services sectors are prime targets due to their systems serving as repositories for large volumes of sensitive data.
To defend against increasingly sophisticated cyber threats, professional services companies should develop and adhere to best practices for cybersecurity and data protection. To safeguard their business and keep pace with evolving compliance regulations, companies should create detailed plans for risk assessment and incident responses.
Related Read: Do Not Go Phish: How To Reduce Your Risk of Cyberattacks
Cyber incidents are growing more frequent and fearsome
Even before the increased use of remote and hybrid work models, cyberattacks were already growing in number and sophistication. Cybercriminals continuously adapt their tactics to circumvent security measures and evade detection. Robust cybersecurity measures and mature data governance can help mitigate risk, but that also requires continuous monitoring, routine staff training and thorough preparedness against a number of different threats. Employees themselves are the biggest source of risk with respect to IT security.
Phishing and other social engineering attacks
In a social engineering attack, a cybercriminal may pose as a colleague or trusted vendor to deceive an employee and obtain their user credentials or access sensitive files. With business email compromise (a type of phishing), the hacker may use a seemingly legitimate email address and even imitate previously sent emails to manipulate the employee. Often, the deceit involves an urgent request from a superior demanding information or even a payment.
United Nations officials noted a 600% increase in malicious emails during the early months of the pandemic and recent studies show no signs of this trend slowing down. A Webroot report revealed a 440% increase in phishing a year into the pandemic. Victims of social engineering may also be embarrassed that their naivete harmed the company. They may be hesitant to report the incident, especially in a remote working environment where an employee’s activity is not as closely monitored. The longer an IT department is unaware of the incident, the more time cybercriminals have to access sensitive information, compromise systems and harm the organization.
Malware, short for “malicious software”, has also become pervasive. Businesses face an array of different types of malware, including keyloggers, rootkits, worms, trojans, spyware, adware and ransomware. Malware targets poorly secured devices and uses a variety of methods beyond just email attachments and file sharing to spread itself through a company’s computer system.
Supply chain attacks are another malicious cyber threat that often use malware to exploit third-party software and managed service providers. Supply chain breaches can come in the form of a compromised software update that infects systems and mines data from multiple companies simultaneously. A hacked application at a file-sharing service provider can expose megabytes of confidential information and affected companies may not even be aware of the breach until they are notified by the service provider.
Ransomware has become the most troubling type of malware, both due to its rapid rise and the paralyzing effect it has by locking access to systems and files until a ransom is paid. Ransomware use increased by 158% in North America from 2019 to 2020 and it is projected to rise even further. The cost of a ransomware incident has spiked as well. The average requested ransom fee increased from $5,000 in 2018 to approximately $200,000 in 2020 and total reported ransomware payments surpassed $350 million in 2020, a 311% rise from 2019. However, the full scale of ransomware is unknown, since many hacks may not be reported and the total cost of ransomware attacks was estimated at $20 billion in 2020.
These hacks often aim at organizations that would suffer the most from restricted access to sensitive data. Also, the advent of “ransomware as a service” enables relatively unsophisticated cybercriminals to purchase and deploy malicious software, which has further fueled the growth of such incidents. As regulators scrutinize how companies report and respond to ransomware, preparedness and resilience are vital.
Protecting data against the devastating consequences of a breach
Clients trust firms in the professional services sector with sensitive information and one breach can negate years of work invested in gaining client trust. Data breaches make headlines when they happen to large companies and the reputational damage can be severe. Smaller companies are also frequent data breach targets, as cybercriminals know that those companies with fewer resources are less likely to have robust security protections in place. While these incidents may not attract as much media attention as breaches at large companies, the consequences can be even more devastating. An estimated 60% of small and medium-sized businesses close permanently within six months of a data breach. Firms that do survive a breach must counteract the reputational damage that is often the result of the breach.
Whether the result of malicious hacking, a compromised third-party vendor or simply human error, a breach can have severe ripple effects across the entire organization. Therefore, data protection is a key component of business continuity. Ideally, there should be multiple layers of redundancy for cybersecurity and data protection, but that can impede accessibility.
Firms with limited resources can prioritize the security of high-value data and focus their efforts on protecting the most likely targets of a cyberattack. They can also engage in robust and consistent measures for risk assessment and mitigation. If a breach does occur, it is critical to take swift and transparent steps toward resolution. Companies can provide those affected with timely updates that accurately reflect the nature and extent of the data breach. Misleading statements and disclosures can result in additional regulatory enforcement.
It is critical to operate on a foundation of modern technology and data architecture. Using old, legacy systems and poor data governance significantly increase enterprise risk. Internal policies should address a wide range of factors, including data adequacy, purpose and use limitations, storage limitations, security and confidentiality, accessibility and data integrity.
Businesses can also securely dispose of old or unnecessary data (e.g., information on old prospects, former clients, et al.) and avoid collecting unstructured or “dark” data that expose the company to unnecessary risk. Using a records retention policy or a privacy-by-design strategy puts data protection as the default setting in processes for collecting, storing and using personal data. This user-centric approach increases transparency and helps protect personal data across the full lifecycle.
Mature data governance also provides operational benefits that extend beyond protection against a breach. A clear view of what data you have, how it is used and where it is stored helps to perform accurate data analysis that yields actionable insights. It helps to communicate data collection, use, retention and disposal policies to customers and key stakeholders as well.
Stay ahead of evolving compliance requirements
Strong data privacy practices help increase customer confidence and mitigate risk. Depending on the jurisdictions in which you operate (customer location is often a determining factor), there are likely legal requirements related to data protection. To mitigate the increased volume of cyber threats and help protect consumers’ privacy, many governments — both foreign and various U.S. states — have recently enacted strong data privacy laws. Though specific aspects vary, noncompliance can result in significant financial penalties, including class action lawsuits.
Data privacy legislation has bipartisan support in the U.S. at the national level and it is only a matter of time before federal law is passed. Companies that take proactive steps to protect their data will be better equipped to comply with evolving regulations.
A proactive approach to data protection can also help protect your bottom line. As the rate of cyberattacks continues to rise and regulatory requirements expand, qualified cybersecurity professionals are in high demand. Any delay in improving your company’s cybersecurity and data protection measures will likely prove costlier in the long term.
How to protect your organization
From client data to operations to finance, cyberattacks endanger your entire organization. A firmwide threat requires a holistic defense and response. Preparation is key. Fortunately, there are proactive steps your company can take to guard against ransomware and other threats and hone your rapid response capabilities, including:
- Increase Awareness and Implement Training
It only takes one employee to open a phishing email and potentially compromise your entire system. You can ensure everyone at your organization is aware of the risks and best practices by developing and holding regular training sessions for staff on cybersecurity protocols.
- Review Access Management
Build a comprehensive user access management program with clearly defined policies and procedures.
- Bolster Perimeter Security
Leverage email traffic monitoring and analytics, as well as advanced intrusion detection and prevention solutions, to secure your network.
- Practice Vulnerability Scanning and Patch Management
Find and resolve vulnerabilities before cybercriminals can exploit them. Consider using a third-party IT or cybersecurity firm to perform an audit.
- Build Operational Resilience
Who would you call if a cyber incident occurred? It is important to identify potential scenarios that could disrupt operations and develop recovery strategies for each. Implement policies, procedures and process controls based on requirements and tolerances.
- Develop Incident Response and Resiliency Plans
Cyber risk continues to evolve. So can your reaction. Assess, test and periodically update policies and procedures for incident response and resiliency.
Related Read: Law Firms are Prime Targets for Hackers — Do You Have a Cybersecurity Plan?
Now more than ever, it is imperative to prioritize cybersecurity to help protect enterprise data, mitigate risk and ensure regulatory compliance, in addition to encouraging lasting confidence among clients and stakeholders.
For more information, contact Joel Herman at [email protected] or 312.670.7444. Visit ORBA.com to learn more about our Law Firm Group.