Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye:

I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

  • The nature, quantity and value of the information they hold concerning past and present clients;

  • The importance of keeping the information confidential while maintaining its integrity and availability, particularly clients' forensic material, intellectual property and sensitive internal notes;

  • They are mostly small to medium-sized, comparatively wealthy companies, experts in areas other than information risk and security operations (such as legal, accounting, consulting, IT, architecture and engineering);

  • The legal and commercial fallout from serious incidents involving information theft and extortion could be catastrophic for them and their clients.

The free SecAware Information Security Guideline for Professional Services encourages professional services providers and their clients to identify, evaluate and address information risks relating to professional services engagements. It suggests a range of information security, privacy, governance and other controls to mitigate unacceptable information risks, applicable to the successive stages of typical engagements or business relationships.

Persuading 'the professional services industry' to take this issue seriously is no easy task, however. The diversity of professional services, coupled with the tendency of professionals to associate with peers in their own narrow specialisms, presumably limits the potential for information sharing and consensus. Maybe the increasing reports of serious incidents will finally register with their management teams and owners. Perhaps pressure from clients, authorities/regulators, professional standards bodies and business associations will force a change of heart. Meanwhile, what else can be done?