Cyber Security issues all professional services firms should be aware of

We have continued to observe the professional services sector being a target for cyber criminals. In a sector that handles significant amounts of sensitive data, is reliant on people to oversee and take the right actions or inactions, and often holds client funds as well, it is no surprise that the sector continues to be a target for those looking to disrupt or pursue illegal activity.

There continues to be an increase in cyber-attacks affecting organisations of all levels. The frequency, severity, and impact of these attacks can often lead to adverse regulatory, financial and/or reputational implications.

2024 has not had the type of large-scale global attacks seen in previous years, however, the largest cyber incident involved human error whilst updating software meant to protect organisations from these very threats. The CrowdStrike incident in July caused significant IT outages at a global level. Critical systems faced disruptions, leading to widespread consequences. Downtime from the outage has led to financial losses due to halted operations, lost productivity, and costs related to breach mitigation. Even companies who didn’t use CrowdStrike directly were impacted as 3rd party supply chain providers were also affected.

This incident demonstrates the need for solid incident response and disaster recovery processes which are suitable for all potential threats. To address this, organisations must continue to develop and implement measures and controls to protect their IT systems, data, and people. However, the risk relating to cyber-attacks continue to grow, particularly with the evolution of technology. We continue to witness threat actors establishing new and evolving methods to breach organization’s controls and cyber preventative measures.

Common Causes of Cyber Security Breaches

Cyber security breaches can be caused by various factors, ranging from human error to sophisticated attacks. The following points list some of the common threats and contributing factors behind cyber security breaches, and what best practices an organization can implement to mitigate the cyber risks.

Common Threats

• Phishing Attacks - Phishing attacks involve tricking individuals into providing sensitive information, such as login credentials or financial details. These attacks often come in the form of deceptive emails or messages that appear to be from legitimate sources. Educating employees on how to recognise phishing attempts is crucial in preventing these types of breaches.
• Insider Threats - Insider threats can come from current or former employees, contractors, or business partners who have access to your systems. These individuals might misuse their access, either maliciously or unintentionally, leading to data breaches. Implementing strict access controls and monitoring user activity can help detect and prevent insider threats.
• Social Engineering - Social engineering involves manipulating individuals into divulging confidential information. This can be done through various means, such as impersonating a trusted colleague or authority figure. Training employees to verify identities and be cautious with sensitive information can help prevent social engineering attacks.

Contributing Factors

• Human Error - Human error is one of the leading causes of cyber security breaches. This can include anything from weak passwords, falling for phishing scams and simply sending an email to an unintended recipient. Employees might inadvertently click on malicious links or download infected attachments, giving cybercriminals access to sensitive information. Regular training and awareness programmes can help mitigate this risk. Also, principle of least privilege (PoLP) should be implemented which refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions.
• Weak Passwords - Weak passwords are a significant vulnerability. Many people use simple, easily guessable passwords or reuse the same password across multiple sites. This makes it easier for hackers to gain access to accounts. Implementing strong password policies (including multi-factor authentication) and encouraging the use of password managers can help strengthen this weak point.
• Unpatched Software - Software vulnerabilities are another common cause of cyber security breaches. When software is not regularly updated, it can leave systems exposed to known exploits. Cybercriminals often target these vulnerabilities to gain unauthorised access. Ensuring that all software is up-to-date with the latest patches can significantly reduce this risk, following suitable testing of the patches being provided
• Inadequate Security Measures - Many organisations fail to implement adequate security measures, leaving their systems vulnerable. This can include a lack of firewalls, antivirus software, or intrusion detection/prevention systems. Conducting regular security audits and investing in robust security infrastructure can help protect against breaches.
• Poor Network Security - Weak network security can also lead to breaches. This includes unsecured Wi-Fi networks, lack of encryption, and poor network segmentation. Ensuring that your network is secure and regularly monitored can help protect against unauthorised access.

Mitigating Cyber Risks

The process to mitigate cyber risks and prevent cyber security breaches is complex and dependent on circumstances. However, the fundamental should include the following:

• Implement a risk-based cyber security framework, refresh annually or following significant changes.
• Implement security controls throughout the layers of your IT environment.
• Consider holistic controls
• Practice security performance management through continuous monitoring.
• Develop an incident response plan, and test it.
• Understand and address third-party risk management.
• Consider compliance and regulatory requirements.
• Raise employee awareness.

Assurance

For many Boards, a technical subject such as cyber security can sometimes be difficult to fully understand and may present the challenge of “we don’t know what we don’t know”. We are therefore seeing more and more Board and Audit Committees raising the profile of cyber risk within their organisation and seeking assurance that the appropriate mitigating cyber controls and processes are in place. This is often conducted through Internal Audit or by independent reviewers and assists governance stakeholders in gaining meaningful insights into how well cyber risk is managed.

To discuss how we can help you implement a plan to mitigate cyber risks and prevent cyber security breaches, please contact your usual BDO contact, or complete the contact us form.