RISKXtra

Professional Services: A New Breed of Third Party Cyber Risk to Manage
In the UK, we are now predominantly a services-based economy. That gives rise to a vast and complex supply chain of professional services companies (ie businesses that offer not tangible goods, but rather knowledge-based skills that cannot be sourced in-house). Azeem Aleem observes the cyber security implications.
Professional services companies often have privileged access to their clients’ IT systems and store highly sensitive customer and corporate data. That means they represent a cyber security risk. A detailed NTT Security poll conducted only last year found that an overwhelming number (60%) of global business decision-makers believe third parties like these to be the weakest security link in their organisation.
Fixing this problem will require a rigorous, risk-based approach focused around security Best Practice and achieving visibility, control and continuous improvement.
Professional services are, in many ways, the lifeblood of the UK’s economy. According to PwC, firms that carry out auditing, advisory, tax and similar work account for 15% of the UK’s GDP, 14% of employment and 14% of exports. Even that estimate is likely to be on the conservative side. In fact, the sector covers a vast swathe of businesses including law firms, architects, accountants, advertising and marketing agencies and many more.
Professional services can include virtually anything that might be thought of as a knowledge-based skill. As such, digital infrastructure is vital to the smooth running of these services, enabling seamless online collaboration, reporting, analysis and auditing. Yet where there’s data, people and money, there’s always cyber risk. According to NTT Security’s data, the business and professional services sector became the most attacked in EMEA last year, accounting for just over 20% of all attacks. It was third globally, comprising 10% of attacks.
Part of the problem stems from the sheer size and complexity of modern digital supply chains. Last year, one vendor reported that the average US or UK company shares sensitive data with over 580 third parties, with nearly 60% of them having experienced a breach caused by one of these firms. Three-quarters suggested they thought such incidents were increasing. Visibility appears to be a major challenge, though. Over a fifth (22%) of respondents to the study claimed they didn’t even know if they had suffered a breach episode.
It also appears as if third party risk may still not be receiving the Board-level attention it deserves: only a third (37%) of respondents claimed they have enough resources to manage supplier relationships, while a similar number rated their third party risk management programme as being highly effective.
Supply chains under attack

Attackers are targeting professional services firms with one of two goals in mind. They’re either after sensitive client data stored by that firm or are targeting the supplier in a kind of ‘stepping stone’ or ‘island hopping’ attack focused on infiltrating the networks of its customers. Half of all attacks analysed recently by one vendor used ‘island hopping’ tactics.
Examples of both types of threat are numerous. Law firms represent a particularly attractive target given the large volumes of sensitive information they hold on clients. Perhaps the best example of the potential risks involved comes from two infamous data leaks at separate law firms dubbed ‘The Panama Papers’ and ‘The Paradise Papers’. These episodes exposed the offshore tax avoidance plans of a large number of businesses, celebrities and even world leaders, destroying the trust these customers placed in their legal advisors and putting one of the law firms in question, Mossack Fonseca, out of business altogether.
The threat posed to the legal sector is clearly growing, as both financially motivated cyber criminals and nation states look for valuable data on M&A deals, patents and other sensitive

52