Professional services in the spotlight

We all use professional services firms and share a lot of data with them. We have to: from accountants to auditors to law firms, we need them to run our businesses.

It seems cyber criminals have recognised this and are targeting these organisations. Here are a couple of examples:

  • The National Cyber Security Centre – which is part of GCHQ – has published its latest Cyber Threat to the Legal Sector report to highlight the potential threats to legal firms, from ransomware attacks by criminals to intellectual property theft by state actors.
  • These threats are real – as evidenced by Mondelez International (the maker of Oreo cookies and Ritz Crackers), whose past and present employee data was stolen from its law firm Bryan Cave Leighton Paisner LLP.
  • In a separate suite of incidents, organisations such as the BBC lost data when a payroll service provider, Zellis, was impacted by a vulnerability in the IT software MOVEit.
  • If you have a UK pension, you may well have been impacted by the ransomware infection of outsourced service provider and pensions administrator Capita.

These are just a few examples. In our experience, organisations considering their supply chain risks have ignored many professional service providers in favour of other, more obvious, suppliers. However, the hackers have evidently realised the value of the data held by these providers, and how important reputation is to them, and so the threats are growing.

So, what should you do?

  1. At the very least, understand everyone you’re sharing data with, and consider how big an issue it would be if they were hacked and lost your data.
  2. There is no harm in asking the provider how they secure your data.
  3. If you want to go further, you could send them a questionnaire to determine how they secure your data. Please get in touch if you need one (for free).
  4. Finally, you could audit them. This can be costly and time-consuming, but it is an effective way of checking security at your most critical suppliers.

Many suppliers have accreditations and certificates that demonstrate security. This is a good place to start, of course. However, many professional service providers don’t have these at all, so you might want to start your assessments with your lawyers, accountants, and corporate service providers.