Cybercriminals are targeting mid-sized, service-based businesses such as law firms, accounting firms, and financial services firms at unprecedented rates. The news is full of stories of high-profile data breaches affecting the likes of Facebook, Google, Marriott, MyFitnessPal, and other prominent companies, and this focus on large companies creates the inaccurate perception that only big organizations are cybersecurity targets. In reality, small and mid-sized firms confront significant cybersecurity risks as well. Many professional services firms are unaware of and ill-prepared for a cyberattack, even though they are often primary targets. Professional services firm cybersecurity is critical.
According to Verizon’s Data Breach Investigations Report, 61% of small businesses experienced a cyberattack during the last year.
Law firms can be a prime target for cybercriminals because they house intellectual property or patent applications, financial records, and other sensitive documents. The Texas Lawbook Survey reported that 42 out of the 49 law firms surveyed experienced a cyber attack. The survey also found that 44 of these law firms worked with vendors that also had experienced a data breach. Across the US, the picture is much the same. According to the American Bar Association’s Legal Technology Survey Report, almost 25% of law firms reported they had been a victim of a data breach.
Accounting and financial services firms are also frequent targets for hackers. Accounting firms hold personal information such as tax identification numbers and sensitive financial information that is very valuable to cybercriminals looking to commit fraud. The goal of this type of data breach is to steal data, and the more valuable the data is, the more attractive it is to cybercriminals. Customer tax and banking details taken from accounting and financial services firms can allow cybercriminals to conduct account takeover attacks on those customers and commit identity theft.
Criminals are increasing their focus on professional services firms. Many mid-sized accountancy, financial services, law and other types of firms house data that can be leveraged for financial gain or intellectual property that can be used to gain a competitive advantage.
Michael Greene, CEO, Enzoic
Valuable data is the primary reason that these businesses are targets. Smaller professional services firms typically have more relaxed IT security practices and infrastructure, so they are easier targets for bad actors.
Medium-sized firms not only underestimate how likely they are to be the victim of a cyberattack, but they also underestimate the consequences of an attack. According to Kaspersky Labs, the average cost of an SMB data breach in the US is $149,000. This figure takes into account the costs of downtime, reputation damage, data retrieval, repairs and upgrades, and ransom payment. Despite the reality of a data breach costing $149,000, a full 70% of respondents to AppRiver’s security survey thought they would lose only $25,000 in a successful data breach. Even more alarmingly, more than half of respondents believed they would lose less than $10,000.
If a company is consistently underestimating the likelihood and costs associated with an attack, it is most likely not taking the necessary steps for protection. Medium-sized professional services firms often have small IT or cybersecurity teams that don’t have the resources to defend against and respond to cyber-attacks. Lack of funds often makes them vulnerable to hackers looking to exploit these weaknesses.
Hackers are interested in account takeovers for more than just financial gain. Many of them want to get into your bank accounts and e-commerce accounts, and a significant amount of criminal energy is focused on this area. However, another area that is often forgotten but is a considerable focus for hackers is intellectual property. Intellectual property comes in many forms, and businesses often underestimate its value. FBI Chief Christopher Wray believes that intellectual property theft is one of the biggest cybersecurity threats facing US businesses. SMBs are the targets of foreign states because those governments are looking to advance their economies with stolen IP.
“There is nothing like it. I am not someone who is prone to hyperbole, but… the thing that shocked me was the breadth, depth, and the scale of the Chinese counterintelligence. We’re investigating espionage and criminal investigations in nearly all 56 FBI field offices, almost all of which lead back to China. It covers every sector of the economy. It covers academia.”
FBI Chief Christopher Wray
Employees are often the biggest weakness in firm cybersecurity, so educating employees on cybersecurity is important. But firms also need to ensure that they have security policies in place to protect their data and systems in case of human error. Hackers use multiple methods to compromise professional services firms. Two of the most common attack vectors are spear-phishing and attacks based on credential reuse.
Spear-phishing is a step up from a traditional phishing attack. In a phishing attack, the attacker will target a high number of people with an email or communication that contains a malicious link masquerading as a benign link. Phishing attacks often try to steal user credentials to gain access to an account or application. Phishing scams tend to be general in nature so they can appeal to a broader cross-section of the population. By contrast, a spear-phishing attack will target select individuals or a company and will appear to come from a trusted source.
Spear-phishing attacks work because of human nature. We naturally lower our defenses when we see an email from a person or company we trust, and we are more likely to act without performing due diligence. In a medium-sized service-based business, the situation may look something like this: You receive an email that appears to be from someone you work with regularly. The email is addressed directly to you, and they ask you to log in to see a notification regarding a recent order. They will provide a malicious link that masquerades as a legitimate-looking login portal, and this is where you will be encouraged to enter your credentials.
Reused credentials also pose a significant threat to medium-sized businesses. The vast majority of us have multiple online accounts for both personal and business purposes. When we have so many username and password combinations to remember, we often cut corners and reuse the same password across multiple accounts. While this is more convenient in the short term, it’s incredibly risky.
If one of these accounts is breached, your username and password will be exposed and up for grabs by hackers. Responsible companies will notify you if one of your accounts has been affected by a data breach, and you will have the opportunity to change your password. However, if you have reused these credentials across multiple accounts, then those accounts are now at risk too. Hackers know that this behavior is typical, and they do try to exploit it.
For a medium-sized service-based business, expanding its IT team may not be feasible. There are significant costs associated with hiring new skilled employees, and it may draw resources away from other business projects. However, this isn’t an all-or-nothing situation.
The choice isn’t to hire more IT professionals or do nothing. We are in the age of AI and automation, where small and medium-sized businesses can use inexpensive tools to increase their cybersecurity significantly.
Simple and highly effective automation tools such as password screening software can go a long way toward protecting a business from vulnerabilities related to credential reuse. With password screening tools, username and password combinations can be checked against known exposed credentials so that employees are alerted when they are at risk. Employees can also be informed when their passwords are common or weak and how long it would take to crack them. This puts the power back into the hands of employees and encourages them to take a more informed and active role in cybersecurity. Automation tools are also available to detect and block phishing and spear-phishing emails, as well as to remind employees of risks.
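The screening described above can be implemented without ever sending an employee's password to a third party. The following is an added example (not code from the original article or from any vendor it mentions) showing the two checks the paragraph names: a k-anonymity hash-prefix lookup against exposed passwords, in the style of the Have I Been Pwned range API (an assumption, since the page names no service), and an exact username/password pair check, plus a naive entropy-based crack-time estimate. The breach corpus, common-password list and guess rate are constructed placeholders, not real breach data.

```python
import hashlib
import math
import string

# Constructed sample data (not real breach records): passwords seen in an
# exposure, and full username:password pairs from a hypothetical dump.
EXPOSED_PASSWORDS = ["password123", "Summer2019!", "letmein", "qwerty", "P@ssw0rd"]
EXPOSED_PAIRS = [("alice@example.com", "Summer2019!"), ("bob@example.com", "letmein")]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Assumed offline guessing rate, for the crack-time estimate only.
GUESSES_PER_SECOND = 1e10


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server side of a k-anonymity lookup: the index maps the first 5 hex
# characters of each exposed password's SHA-1 to the remaining 35 characters.
def build_range_index(passwords):
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


RANGE_INDEX = build_range_index(EXPOSED_PASSWORDS)


def range_query(prefix: str):
    """Simulated service endpoint: every suffix sharing the 5-char prefix."""
    return RANGE_INDEX.get(prefix.upper(), [])


def is_password_exposed(password: str) -> bool:
    """Client side: only the 5-character hash prefix leaves the client, so
    the service learns neither the password nor its full hash."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def pair_fingerprint(username: str, password: str) -> str:
    """Hash of the normalized username plus password; the NUL separator
    keeps 'ab'+'c' and 'a'+'bc' from colliding."""
    normalized = username.strip().lower()
    return hashlib.sha256(f"{normalized}\x00{password}".encode("utf-8")).hexdigest()


EXPOSED_PAIR_INDEX = {pair_fingerprint(u, p) for u, p in EXPOSED_PAIRS}


def is_credential_pair_exposed(username: str, password: str) -> bool:
    """True when this exact username/password combination is in the corpus."""
    return pair_fingerprint(username, password) in EXPOSED_PAIR_INDEX


def entropy_bits(password: str) -> float:
    """Upper-bound entropy from length and character classes used."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset) if charset else 0.0


def crack_time_seconds(password: str) -> float:
    """Expected time to guess half the keyspace at the assumed rate."""
    return (2 ** entropy_bits(password)) / GUESSES_PER_SECOND / 2


def screen_credentials(username: str, password: str):
    """Returns the list of findings an employee should be alerted about."""
    findings = []
    if is_credential_pair_exposed(username, password):
        findings.append("exact username/password pair found in a known breach")
    if is_password_exposed(password):
        findings.append("password found in a known breach")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if len(password) < 12:
        findings.append("password is shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for user, pw in [("bob@example.com", "letmein"), ("carol@example.com", "Tq8!vR2m#zLp9wXe")]:
        print(user, screen_credentials(user, pw), f"{crack_time_seconds(pw):.3g}s")
```

The pair check matters separately from the password check: an employee's password may be unremarkable on its own, yet the specific combination with their e-mail address can already be circulating, which is exactly the reuse scenario the article describes. The entropy figure is an upper bound that ignores dictionary structure, so it should only downgrade a verdict, never clear a password that the breach lookup flagged.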
Cybersecurity automation tools are becoming a prominent part of a professional services firm’s toolbox against cybersecurity threats, and this trend is expected to increase. Automated tools are becoming extremely powerful and versatile, as well as inexpensive, which is why more mid-sized companies are adopting them.
Increased education and awareness of cybersecurity issues is also a key area where medium-sized businesses can improve. This education needs to be company-wide, reaching directors and CEOs as well as lower-ranked employees. Higher ranking staff are often the target of spear-phishing attacks because they hold the decision-making power.
There isn’t a single method for improving the security of medium-sized firms, but rather several approaches that need to work in tandem. Firms need to educate themselves on the realities of cyberattacks to protect themselves. Firm cybersecurity has to be a high priority.