Cybersecurity Threats to Professional Services Firms

Cybersecurity threats 2018: Your data attracts cybercriminals.

Professional Service firms are a favorite target for bad actors looking for an easy wire fraud or blackmail score because they know the firms have sensitive data. And, more importantly, they know most firms lack the required security operations to prevent it.

Cybercriminals had a wildly successful year in 2018. Some household names like Facebook, Marriott, and British Airways got hit hard with data breaches, between them exposing the sensitive information of over 50 million users. The frequency of cyber attacks and the total cost for the year is on a record-setting pace.

The IRS, AICPA, and FBI have issued dozens of warnings and published guides on how to protect your clients and your firm from security threats. While this likely isn’t the first — and should definitely not be the last — guide you read on security solutions, we’ll do our best to keep it simple. Improving your cybersecurity isn’t as daunting as it might seem. In fact, there are a lot of things you can do to beef up your security without spending a dime. Review our “7 simple ways to immediately boost your firm’s cybersecurity” checklist for ideas.

In this post we will:

  • List the top 5 cybersecurity threats faced by professional service firms.
  • Provide tips on how to detect a cyber threat.
  • Share some recommendations on how to boost your cybersecurity.
  • Give you 3 steps to follow if your firm has been breached.

What are the most common types of cyber attacks?

  1. Phishing/Spear-Phishing Emails
  2. Malware
  3. Passwords Shared Across Multiple Logins
  4. Simple Passwords
  5. Open Ports


Phishing*/Spear-Phishing**
For yet another consecutive year, email holds the top spot as the number-one point of access for advanced persistent threats. More than 90% of phishing attacks start with an email. Email was not built to be secure. It was built to be an open communication tool. Hackers take advantage of this, knowing that a single click is all it takes to gain entry.

* Phishing is the general term for cyber attacks that try to trick the recipient into opening a malicious email attachment or link.
** Spear-phishing attacks are crafted to target specific individuals.

Malware
Malware can be broadly defined as malicious software used to gain access to computer systems and steal sensitive data. Malware comes in two flavors: new malware and known malware. New malware exploits vulnerabilities that security professionals have never seen before. These are called “zero-day” attacks, and most targeted firms have no way of stopping them. Fortunately, these represent a small proportion of total breaches. The majority of breaches are known malware attacks. Known malware is preventable through software updates and patches that neutralize the malware. Staying up to date with your software updates is one of the first — and easiest — steps you can take to improve your cybersecurity. Turning on auto-updates is the best way to ensure you don’t miss a critical patch.

Passwords shared across multiple logins
Using the same login credentials for all your accounts is one of the worst things you can do. When hackers manage to get a hold of your login info, they try to use those credentials everywhere. Users who keep the same login name and password across multiple sites make the hacker’s work easy. In response, password management tools that create unique credentials for every login are growing in popularity. That’s a good thing. Adopting a proven password management tool for your team is a solid prevention and mitigation measure.

Simple Passwords
Password effectiveness (you know, when the login box rates the password you’re typing as weak, medium, or strong) is measured two ways: length and entropy. Entropy is just a fancy way to say “randomness.” The longer the password, the better. And the more random the password, the better.

Here are some estimated password hacking times:

  • Password (8 characters, 0.01 seconds to breach)
  • Qv153z!f (8 characters, hours to breach)
  • BatmanandRobin11 (16 characters, days to breach)
  • ji39xsCs00!25521 (16 characters, years to breach)


As you can see, entropy, or randomness, is the most important factor, adding years to the crack time. Most people use whole words in their passwords to make them easy to remember. Unfortunately, that also makes them far easier to brute-force, because a cracking tool tries dictionary words and common combinations before it tries random strings. The key takeaway here is never, ever use something obvious like the street you live on, favorite sports team, alma mater, kid’s name, pet name, first concert, or mother’s maiden name. Never weave your security answers into your passwords. A great password is one that doesn’t use common words or anything that people could possibly guess by knowing you, or knowing about your life. Randomness is golden.
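To make the length-versus-randomness point concrete, here is an added Python example (not from the original post) that scores the four passwords listed above two ways: a naive estimate that treats every character as random, and an effective estimate that treats each dictionary word as a single guess from a word list. The attacker guess rate, the 100,000-word dictionary size and the tiny word list are constructed assumptions, so the absolute crack times will not match the figures above, but the ranking of the four passwords does.

```python
import math
import re
# Assumed attacker model (constructed for this example): offline guessing
# against a fast hash at ten billion guesses per second.
GUESSES_PER_SECOND = 1e10
# A real cracking dictionary holds roughly 100,000 words; a word the attacker
# can look up is worth about log2(100000) bits, not one bit per letter.
DICTIONARY_BITS = math.log2(100_000)
# Constructed stand-in for that dictionary (a tuple keeps the order stable).
COMMON_WORDS = ("password", "welcome", "batman", "robin", "admin", "and")
# Character classes and the size of the pool each one draws from.
CLASS_SIZES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation
)

def charset_size(text):
    """Size of the pool an attacker must search for each character of text."""
    return sum(size for pattern, size in CLASS_SIZES if pattern.search(text))

def entropy_bits(password):
    """Naive entropy: every character chosen at random from its pool."""
    return len(password) * math.log2(charset_size(password))

def split_dictionary(password):
    """Strip dictionary words (longest first, case-insensitive) and return
    the words found plus the characters that are left over."""
    remaining, found = password, []
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        remaining, hits = re.subn(re.escape(word), "", remaining, flags=re.IGNORECASE)
        found.extend([word] * hits)
    return found, remaining

def effective_bits(password):
    """Entropy after treating each dictionary word as a single guess."""
    found, remaining = split_dictionary(password)
    bits = len(found) * DICTIONARY_BITS
    if remaining:
        bits += len(remaining) * math.log2(charset_size(remaining))
    return bits

def seconds_to_crack(password):
    """Average time to guess the password under the assumed attacker model."""
    return 2 ** (effective_bits(password) - 1) / GUESSES_PER_SECOND

for pw in ("Password", "Qv153z!f", "BatmanandRobin11", "ji39xsCs00!25521"):
    print(f"{pw:17} {entropy_bits(pw):5.1f} naive bits, {effective_bits(pw):5.1f} "
          f"effective bits, ~{seconds_to_crack(pw) / 86400:.3g} days to crack")
```

Note how BatmanandRobin11 scores far below its naive 16-character estimate once the words are recognised, while the random 16-character string keeps its full strength.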

Open Ports
Ports are hard to understand — and to explain — but we’ll try to simplify them. Ports are gateways into and out of your system. There are hardware ports and software ports. The Internet connects to your router by a cord, and that physical connection is a hardware port. The ports we’re concerned with are the other kind: software ports.

We won’t bother quoting the wiki definition of a software port because we ended up more confused after reading it (and we know what they are). Just know this: software ports are gateways through which data packets are sent and received. They can be open or closed. Bad guys look for open ports to use as backdoors into your firm. It starts with a scan to look for open ports. If that scan reveals an open port with a software system asking for a password, the hacker can gain entry by cracking the login. While most of our recommendations can be carried out on your own, this is one case where we strongly suggest hiring an IT professional to assess and plug your open-port vulnerabilities.

Don’t leave it to IT. Change your firm’s behavior & culture.
Unless you have IT standing over the shoulder of every employee, watching as they respond to emails, IT alone can’t protect your firm or clients from cyber attacks. You have to change behavior and culture. Educate your entire staff regularly on the dangers of email. Drill them to recognize common phishing scams, and test their vigilance with simulated phishing attacks. Reinforce the fact that all it takes is one accidental click in an email to trigger a costly data breach.

The best thing you can do?
Education is the minimum. It’s a great start. But even the most tech-savvy teams aren’t immune to the tired-after-a-long-day, accidental misclick. Truth is, you can’t sufficiently protect your workplace from cybersecurity threats if you’re still using email for client business. Email is and will continue to be the #1 access point for cybercriminals looking to steal sensitive data. You can either live with email and stress daily about someone making an honest mistake, clicking and opening the door, or you can remove email altogether and work with clients on a secure, invite-only platform with secure messaging, file sharing and storage. You know where we stand.

Looking to take the next step towards securing your firm? Book a demo and see Liscio in action.