
When access becomes a risk: Cyber threats facing professional services

  • Writer: ESET Expert
  • Aug 8
  • 4 min read


Professional services ensure their clients' success, but what about their own livelihoods? The access they hold is also their weak point, as threat actors seek to use them as springboards into the organizations they serve.

Professional services have become pillars that support organizations in achieving better efficiencies. Rather than maintain all the required resources in-house (which can be costly), it often makes more sense to contract outside help, bringing short-term expert solutions or advice to bear on the issue at hand.


In truth, professional services represent a unique world: they can be bought as individually offered options, such as consulting, PR, and graphic design, or scaled to deliver entire business operations, including management consulting, security services, recruitment, and engineering.

However, in a world where trusted business relationships are exploited by cyber threat actors, are the security practices employed by these service providers professional enough to protect both themselves and their clients?


Asking the right questions

As a business grows, its operations become more complex, which can seem daunting to leadership. With size also come increased legal and other obligations that require specialized expertise. This has an impact on budgets, especially in costly areas such as compliance implementation.


Looking through a cybersecurity lens, a CEO, CFO or chief information security officer could ask, “Why hire an entire internal Security Operations Center staff when we can have it outsourced to a professional managed security service provider (MSSP), fulfilling our compliance obligations, and even increasing our security posture more inexpensively?”


Considering that the professional services market is expected to grow by USD 2.07 trillion by 2028, we can surmise that such questions will be asked at an increasing rate. Plus, with expanding skills gaps in several sectors, the never-ending search for productivity and efficiency won’t die down.

This search, however, has its own set of issues. It’s a sound idea to plug internal gaps by looking for solutions outside company premises, but weak supply chain links exist, and they are not unknown to threat actors who might want to tip the scales in their favor. 


Professionals under the scope

How do hackers tip those scales? In 2020, for example, a cybersecurity firm was attacked by a sophisticated APT group. The attackers apparently sought customer-related information and acquired some of the company's own internal tools meant for penetration testing.


Hypothetically, by combining the acquired penetration testing tools with data about a customer whose systems had been tested with those same tools, the malicious actors could craft highly targeted spear phishing campaigns, or simply pick the right target and moment to penetrate its defenses.


It’s not only the security pros that threat actors target, though. Financial companies like accounting firms are also desirable targets, due to the vast amount of sensitive financial data they handle. Then, there are law firms, which often deal with confidential client information. In one case, a law firm that handles data breaches was hit by a data breach, exposing information on 637,000 victims.


“Scamception”

Apart from small and medium-sized businesses (SMBs) and larger firms, there are also individual service offers. On classifieds pages like Craigslist, one can find professionals offering their services. These are usually individual contractors running very small businesses, who lend a hand to projects as requested, based on their qualifications.


So, if I were, let’s say, a tried and tested cyber compliance expert, I could advertise my services online, looking to help businesses satisfy insurance or regulatory demands. However, who’s to say that I’d be an actual compliance expert? I could very well just pretend, and, by gaining trusted access to the information of an individual or even a company, quickly turn into an insider threat.


Such scams are not uncommon. The amount of sensitive information that changes hands (depending on the service), from personal or company information to financial data, is practically an open invitation for malicious actors. Thus, as with job scams, companies and individuals should be aware of such dangers.


How to protect professionals

Protecting a person, or an entire professional services industry, is not strictly a matter of security; it is also about the improved efficiency, productivity, and, ultimately, profitability that security can bring. In essence, what's better than knowing that your new partner is secure enough to do business with?


This, however, depends on the size of the contracted organization. A small or home office might not have the same security needs as an enterprise. Just the same, endpoint security should remain the first line of defense for both, joined by regular cybersecurity awareness training, as knowing what a threat might look like can prevent an incident down the line.


On top of these, professionals should also think about the vulnerabilities of the devices and programs they use for their daily tasks. For these circumstances, it would be wise to consider extended prevention modules like ESET Cloud Office Security, an all-in-one solution capable of mitigating risk stemming from sophisticated phishing attacks, spam, or questionable files. After all, most professional communication takes place through email, which is thick with threat actors phishing for victims.


What's more, if a professional service handles payment data or sensitive client information, there are compliance requirements to consider, based on standards such as the PCI DSS, or legal acts like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which recommend or require secure authentication, encryption, and more.


A zero-sum game

Remediation is a fool’s errand. This might sound controversial, but partners won’t take a business seriously after it has suffered a major cyber incident. Having one’s sensitive info out there on the dark web is a great recipe for a future cyber disaster.


Much like in regular warfare, cybersecurity is a zero-sum game. For the professional services industry, keeping their clients satisfied is of utmost importance. Thus, the fact is that with better security, the quality of the service provided also rises. Would that reflect associated financial gains? An answer to that leads to another question: Would you put your savings under a mattress for anyone to find, or inside a bank with a sturdy vault instead?


