Key insights
Cybersecurity protections are especially essential for professional services organizations with confidential client information.
Common cyber risks for professional services organizations include phishing attacks, ransomware attacks, and risks associated with using third-party vendors.
Cyber risk mitigation strategies include training employees, restricting data access, backing up data, and creating incident response plans.
As businesses do more online — including storing client information — cybersecurity becomes increasingly essential.
This is true for professional services organizations, particularly those with confidential client information. Law firms need to be especially prudent about data protection, considering their roles as confidants and protectors of personal information.
In addition to personal and financial information, some law firms are entrusted with trade secrets and other confidential information. Lawyers also have legal and ethical obligations to protect client information, and failing to do so can result in disciplinary action or legal consequences.
Learn current cyber threats facing professional services organizations and steps you can take to mitigate risk.
What are cyber risks for professional services organizations?
Cybercriminals regularly change tactics to trick employees into mistakenly providing passwords or other means of access to company databases. Here are some of the most common to watch out for.
Phishing attacks
Phishing uses scam emails, text messages, or phone calls to trick employees into downloading malware or handing over usernames, passwords, or other private information that can then be used to log in to protected systems. It remains one of the most common ways attackers first get in, because a stolen password works just as well for the attacker as it does for the employee.
Ransomware attacks
Some phishing episodes are the first step in a ransomware attack. If an employee is tricked into running malware, or into handing over a password that lets the attackers in, they can encrypt the firm's data and demand payment for the decryption key. Many ransomware groups also copy the data out before encrypting it and threaten to publish it, so a firm holding confidential client information is exposed even if it can restore from backup.
Ransomware attacks are not only costly; they also shut down operations while data is held hostage. For many businesses today, if you cannot access your data, you cannot conduct business.
Third-party risks
Do you use any third-party vendors for payroll, bookkeeping, data storage, etc.? Most companies use third-party vendors for at least some services, if not a significant amount.
While third-party vendors can help companies save significant time and money, there are data risks to consider. Storing sensitive information on external systems can elevate the risk of data exposure if those third-party companies are compromised.
Before contracting with any third-party vendor, investigate their cybersecurity protection efforts to help better protect your confidential information.
Cybersecurity protections professional services organizations should consider
While there’s no one magic strategy to protect companies from all cyberattacks, there are protections professional services organizations should consider to help mitigate risk.
Restricting data access
Many companies operate under the principle of least privilege, where employees receive only the minimum access they need to do their jobs. It limits the damage a single compromised account can do: if an employee is phished, the attacker reaches only the data that employee could reach, not every client file the firm holds. Review access whenever people change roles or leave so that privileges do not accumulate.
Requiring strong passwords and multi-factor authentication
Require long, unique passwords for all work systems and give employees a password manager so they are not keeping passwords in a spreadsheet or Word document. Also implement multi-factor authentication, where users must present two or more independent factors (something they know, something they have, something they are) before access is granted. Where possible, prefer methods such as hardware security keys or passkeys that a phishing site cannot replay; a one-time code typed into a fake login page can simply be forwarded to the real one.
Data governance and security
What is your most sensitive data and how are you protecting it? Categorize your data based on sensitivity and establish handling procedures for each level. It’s also critical to create policies establishing who has access to which data, who can download it, modify it, delete it, etc.
Backup data
Backups limit the data and systems lost in an attack, but only if the attacker cannot reach them: keep at least one copy offline or in storage that cannot be altered or deleted with the credentials used day to day, and rehearse restoring from it. Consider where you will store your backup data (in the cloud, on an external hard drive, or in a tape backup system) and weigh the various backup methods:
- Full backup — Copies all data, including files, folders, and databases. It is the slowest and uses the most storage, but a restore needs only the single most recent set.
- Incremental backup — Copies only the data that changed since the previous backup of any kind. Each set is small, but a restore needs the last full backup plus every incremental taken since it.
- Differential backup — The in-between option: copies everything that changed since the last full backup, so sets grow until the next full. A restore needs only the last full backup plus the newest differential.
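The three selection rules above, and what each one means at restore time, as an added example that is not part of the original article. The file names, the day-by-day change log and the "one backup per day" schedule are constructed for illustration; the point is that all three strategies rebuild the same final state, but they differ in how much is copied each day and how many backup sets a restore must read (and therefore how many sets have to survive an attack intact).

```python
"""Full, incremental and differential backups on a toy file set.

Added example (not from the original article). The change log, file names and
day numbering are constructed. One backup runs at the end of every day, so an
incremental set holds the files changed that day, a differential set holds
everything changed since the last full backup, and a full set holds all files.
"""
from typing import Dict, List, Tuple

# Constructed change log: day -> files modified that day. Day 0 is the initial
# state of the share and is always captured by a full backup.
CHANGES: Dict[int, List[str]] = {
    0: ["contracts/nda.docx", "billing/ledger.xlsx", "matters/case_a.pdf"],
    1: ["billing/ledger.xlsx"],
    2: ["matters/case_a.pdf", "matters/case_b.pdf"],
    3: ["billing/ledger.xlsx"],
}

# A backup set records, for each file copied, the day of the version it holds.
Backup = Tuple[int, str, Dict[str, int]]  # (day, kind, {file: version_day})


def backup_plan(strategy: str, changes: Dict[int, List[str]]) -> List[Backup]:
    """Simulate a full backup on the first day, then one backup per day."""
    if strategy not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown strategy {strategy!r}")
    state: Dict[str, int] = {}       # current version of every file
    since_full: Dict[str, int] = {}  # files changed since the last full backup
    plan: List[Backup] = []
    first_day = min(changes)
    for day in sorted(changes):
        today = {name: day for name in changes[day]}
        state.update(today)
        since_full.update(today)
        if day == first_day or strategy == "full":
            plan.append((day, "full", dict(state)))
            since_full = {}
        elif strategy == "incremental":
            # changed since the previous backup, which ran the day before
            plan.append((day, "incremental", today))
        else:
            plan.append((day, "differential", dict(since_full)))
    return plan


def restore_chain(plan: List[Backup]) -> List[Backup]:
    """The backup sets a restore of the latest state has to read, in order."""
    last_full = max(i for i, (_, kind, _) in enumerate(plan) if kind == "full")
    after = plan[last_full + 1:]
    if not after:
        return [plan[last_full]]
    if after[-1][1] == "incremental":
        return [plan[last_full]] + after      # full plus every incremental
    return [plan[last_full], after[-1]]       # full plus the newest differential


def restore(plan: List[Backup]) -> Dict[str, int]:
    """Replay the chain; newer versions overwrite older ones."""
    restored: Dict[str, int] = {}
    for _, _, files in restore_chain(plan):
        restored.update(files)
    return restored


def files_copied(plan: List[Backup]) -> List[int]:
    """How many files each day's backup had to copy."""
    return [len(files) for _, _, files in plan]


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        plan = backup_plan(strategy, CHANGES)
        print(f"{strategy:13} copies per day {files_copied(plan)}, "
              f"restore reads {len(restore_chain(plan))} set(s)")
```

Running it shows the trade-off directly: the incremental plan copies the least each day but a restore must read four sets, and losing any one of them (to a ransomware actor who found the backup share, for instance) breaks the chain; the differential plan copies more per day but needs only two sets; the full plan needs one. Whichever scheme you pick, the sets a restore depends on are the ones that must be kept beyond the attacker's reach.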
Employee training
Since phishing is the most common way attacks begin, regular employee cybersecurity training may be your most important data protection strategy. Training should cover current attack trends; how to spot suspicious emails (sender addresses that almost match a known domain, display names that do not match the address, reply-to addresses that point elsewhere, and requests for urgent action or credentials); and what to do if an employee clicks a malicious link or enters a password into a fake page, which is to report it immediately so the password can be changed and the account checked.
Establish cybersecurity requirements in contracts with third-party vendors
If you use third-party vendors, evaluate how they host, process, and transmit your data. Review their security controls, any independent assessments of their security posture, and their incident response planning, including how quickly they will notify you of a breach involving your data. For even greater protection, write your security requirements and breach notification timelines into the contracts for their services.
Create an incident response or business continuity plan
Creating an incident response or business continuity plan can help reduce the impact of a cyberattack. Creating such a plan involves:
- Conducting a risk assessment to identify potential threats and vulnerabilities
- Developing a disruption response plan, including procedures for alternative work arrangements, backup systems, and communication
- Testing the plan to verify it’s adequate and employees are prepared to respond in the event of a disruption
Tyler Gerig
Digital Growth Senior