Professional service firms facing increased cyber risks

The professional services sector has seen significant growth over the past few years, spurred by globalization. However, this growth is also accompanied by increased exposure to risks, especially those of a technological nature. Beazley’s latest Cyber Services Snapshot report revealed that professional service firms are increasingly being targeted by cyberattacks.

According to the report, professional services companies have seen a higher volume of fraudulent instruction attacks and almost as many business email compromise incidents so far in 2022 compared to the whole of 2021.

Bala Larson (pictured above), head of client experience at Beazley, told Corporate Risk and Insurance that professional services firms are lucrative targets for cybercriminals due to their data-rich environments, including data about their own B2B clients.

“In some cases, they might hold onto data for very long periods of time, even after it is no longer useful,” Larson said. “This is especially dangerous because some of that data might be sensitive, such as passwords and access to business clients’ IT systems and infrastructure. If leveraged, this data could give a threat actor a good idea as to who their next targets should be.”

Hackers may also exploit a professional services firm’s good name and reputation to bypass the defenses of that firm’s clients, as they are often part of trusted email domains and other whitelists.

“This is one of the reasons why fraudulent instruction and business email compromises are so common with these organizations,” Larson said. “Not only are these firms often trusted by other parties, but they also usually have intimate knowledge of legitimate transactions with large financial consequences. These transactions present lucrative opportunities for threat actors to hijack conversations and misappropriate the trust of these firms for their financial gain.”

What are fraudulent instruction attacks?

According to Larson, fraudulent instruction occurs when someone is tricked into making a payment or transferring money by someone purporting to be a vendor, client, or authorized employee. These often involve spoofed emails and communications from compromised vendors.

“What makes this form of attack so appealing to threat actors is the low barrier for entry,” Larson said. “Rather than attack computers, most of these deceptions target the relationships between people. Because attackers leverage the bonds of trust in these attacks, some people may not push back on unusual requests to redirect funds because these are unusual times. Resistance to these attacks may also be lower in relationships when there is significant trust, or when a new relationship is in its early stages and there is a greater desire to make the other party happy.”

Larson provided several tips on how professional services firms, as well as other businesses, can mitigate risks related to fraudulent instruction. These are:

1. Always verify requests for changes to payment instructions or sensitive data through a separate, trusted channel (e.g., for an email request, call your contact at a number you know is accurate; don’t trust info that a criminal may have supplied).
2. Conduct anti-phishing training for your team.
3. Implement multi-factor authentication.
4. Do not wire funds to bank accounts whose details have changed during the past 24 hours.

Larson also highlighted general cybersecurity guidelines contained in the Cyber Security Snapshot report. Risk managers and decision-makers should not only understand these but also communicate these to the entire organization.

1. Know your assets – many organizations think they have good asset management capabilities, only to discover after an incident that this was not the case. Asset management tools can help you understand your system, leading to informed longer-term decisions. Your organization’s asset management inventory system should include an asset discovery tool that continuously maps devices on your internal network, an up-to-date asset database, and an up-to-date configuration management database.
    
2. Don’t just rely on what you think you know based on previous inventories. Keep doing continuous discovery on your network to find new or modified endpoints. When you discover a new asset, proactively investigate to understand why it's not in the inventory and take steps to ensure this doesn't happen again.
    
3. Don’t forget to install security patches and factor in end-of-life planning. Vendors commit to sending regular updates to fit security flaws until the promised period ends – after that, organizations can continue using the version, but there will be no further fixes for vulnerabilities or performance issues. It’s essential that organizations plan for this.
    
4. Remember that this is not just a technology issue – it’s about people and processes. Your people have to know what assets they have and divide the responsibilities for managing those assets appropriately. The key is having leadership in place that understands the importance of asset management, knows how to maximize the technology they have or are likely to purchase, and is willing to plan out future changes over time and execute consistently.