Professional Services: A New Breed of Third Party Cyber Risk to Manage

Organisations are beholden to their suppliers. For a retailer it could mean the difference between having products on the shelves or not. For a manufacturer, it’s about securing the vital components and materials needed to build industry-leading products. In the UK, we are now predominantly a services-based economy. That means a vast and complex supply chain of professional services companies: businesses that offer not tangible goods, but knowledge-based skills that cannot be sourced in-house, observes Azeem Aleem.

The challenge is that these companies often have privileged access to their clients’ IT systems and store highly sensitive customer and corporate data. That means they represent a cyber security risk. An NTT Security poll conducted last year found that an overwhelming number (60%) of global business decision-makers believe third parties like these to be the weakest security link in their organisation.

Fixing this problem will require a rigorous, risk-based approach focused on security best practice and on achieving visibility, control and continuous improvement.

A digital economy

Professional services are in many ways the lifeblood of the UK economy. According to PwC, firms that carry out auditing, advisory, tax and similar services account for 15% of UK GDP, 14% of employment and 14% of exports. Yet even that estimate is likely to be on the conservative side. In fact, the sector covers a vast swathe of businesses including law firms, architects, accountants, advertising and marketing agencies and many more.

Professional services can include virtually anything that can be thought of as a knowledge-based skill. As such, digital infrastructure is vital to the smooth running of these services, enabling seamless online collaboration, reporting, analysis and auditing. Yet where there’s data, people and money, there is always cyber risk. According to NTT Security’s data, the business and professional services sector became the most attacked sector in EMEA last year, accounting for just over 20% of attacks. It was third globally, comprising 10% of attacks.

Part of the problem stems from the sheer size and complexity of modern digital supply chains. Last year, one vendor reported that the average US or UK company shares sensitive data with over 580 third parties, with nearly 60% of them having experienced a breach caused by one of these firms. Three-quarters said they thought such incidents were increasing. Yet visibility appears to be a major challenge. Over a fifth (22%) of respondents to the study claimed they didn’t even know if they had suffered a breach.

It also appears as if third party risk may still not be receiving the Board-level attention it deserves: only a third (37%) claimed they have enough resources to manage supplier relationships, while a similar number rated their third party risk management programme as highly effective.

Supply chains under attack

Attackers are targeting professional services firms primarily with one of two goals in mind. They’re either after sensitive client data stored by that firm or are targeting the supplier in a kind of ‘stepping stone’ or ‘island hopping’ attack focused on infiltrating the networks of its customers. Half of all attacks analysed recently by one vendor use these island hopping tactics.

Examples of both types of threat are numerous. Law firms represent a particularly attractive target, given the large volume of sensitive information they hold on clients. Perhaps the best example of the potential risks involved comes from two infamous data leaks at separate law firms dubbed the Panama Papers and the Paradise Papers. These exposed the offshore tax avoidance plans of a large number of businesses, celebrities and even world leaders, destroying the trust these customers placed in their legal advisors and putting one of the law firms in question, Mossack Fonseca, out of business altogether.

The threat to the legal sector is clearly growing, as both financially motivated cyber criminals and nation states look for valuable data on M&A deals, patents and other sensitive client information. A PwC report from 2017 claimed 60% of law firms had reported an information security incident over the previous year, up from 42% in 2014. That same year, the UK Solicitors Regulation Authority estimated that £11 million was lost to cyber crime in the previous 12 months.

Sometimes, professional services firms are their own worst enemy when it comes to risk exposure. A 2018 report found over one million corporate e-mail addresses belonging to staff at the UK’s Top 500 law firms for sale on Dark Web sites. Most were linked to a password, offering cyber criminals a simple way to crack open corporate accounts. It’s believed employees had used these corporate credentials to register accounts with consumer sites like Facebook and LinkedIn, which were subsequently breached.

Nation states join the fray

In the other type of attack, professional services firms are targeted with a view to compromising their clients. Operation Cloud Hopper, uncovered in 2017, saw an attack group (APT10) with links to the Chinese state compromise managed service providers (MSPs) on an “unprecedented” scale.

“Given the level of client network access MSPs have, once APT10 has gained access to a MSP, it’s likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims,” noted PwC. “This, in turn, would provide access to a larger amount of Intellectual Property (IP) and sensitive data. APT10 has been observed to exfiltrate stolen IP via the MSPs, hence evading local network defences.”

Other techniques include ‘watering hole’ attacks, where the website of a professional services firm is compromised in order to spread malware to the computers of partner organisations whose users are likely to visit it. One vendor has even warned of a ‘reverse BEC’ attack in which hackers compromise the mail server of a supply chain organisation in order to spread fileless malware to trusted partners.

The cyber risk from third party professional services firms doesn’t just include data theft. Below par security among suppliers could also expose organisations to the threat of ransomware. According to NTT Security’s findings, business and professional services firms experienced the second highest rate of ransomware infection globally last year.

Time to be proactive

Given the scale of the threats facing organisations, it’s time to elevate third party risk management to the level it deserves. The National Cyber Security Centre has developed some useful guidance setting out four key principles which should inform any programme. These are: understand the risks, establish control, check your arrangements and then work towards continuous improvement.

Understanding the risks means being clear about what needs to be protected and why, who your suppliers are and what security gaps, if any, they have. Establishing control is all about communicating the minimum standards expected of suppliers, building these considerations into contracts and providing cyber security support to suppliers where needed. Checking your arrangements means building assurance requirements, such as pen testing and/or formal certifications, into supply chain management. Finally, it’s a case of encouraging a culture of continuous improvement and mutual trust. This will need to evolve as supply chains change over time.

No organisation can expect to be completely insulated from cyber risk, but this approach seems to set a useful risk-based foundation upon which to build. As for specific steps that we would recommend, they should include first conducting a data audit to understand what needs to be protected and which suppliers handle which high-risk data. Best-practice security controls and processes can include tighter access controls along the lines of least privilege, enforced with risk-based multi-factor authentication. Anti-malware protection and threat detection are also a must on endpoints, networks and servers, as well as for e-mail and web gateways.

Regular patch management should be another ‘given’, alongside continuous network monitoring. Incident response and pen testing plans should be run regularly to ensure IT teams have an up-to-date view of their risk profile. Modern techniques like threat hunting can also provide a more proactive approach to security which will help you head off any attacks before they’ve had a chance to impact the organisation.
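The four NCSC principles and the recommended steps above amount to a supplier risk register: record what each supplier holds and how it reaches you, score the inherent risk, and list the assurance gaps that still need closing. The following Python example is added here to show how such a register can be built and prioritised; it is not code from the article, NTT Security or the NCSC, and the supplier names, the scoring weights and the tier thresholds are constructed assumptions chosen for illustration. It scores the two threat types the article describes separately (data theft via the sensitivity of data held; island hopping via the level of access granted) so that a law firm with no network access and an MSP with privileged access are both captured.

```python
"""Third-party risk register (added example, not the article's own code).

Each supplier is scored on the two risks the article describes:
  - data theft: the sensitivity of the client data the supplier holds
  - island hopping: the level of access the supplier has to our estate
The sum is the inherent risk; controls already in place earn credit
towards a residual tier, and any missing control becomes an action.
All suppliers, weights and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class DataSensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # client personal data, contracts
    RESTRICTED = 3     # M&A, legally privileged material, IP


class AccessLevel(IntEnum):
    NONE = 0           # data exchanged by e-mail / file transfer only
    PORTAL = 1         # limited account on a web portal
    NETWORK = 2        # VPN or standard user account on our network
    PRIVILEGED = 3     # admin or MSP-style remote management rights


@dataclass(frozen=True)
class Supplier:
    name: str
    service: str
    data: DataSensitivity
    access: AccessLevel
    certified: bool                     # holds a recognised security certification
    pentested_12m: bool                 # independent pen test in the last 12 months
    mfa_enforced: bool                  # MFA required on every account they hold with us
    contract_has_security_schedule: bool  # minimum standards written into the contract


def inherent_risk(s: Supplier) -> int:
    """Data-theft impact plus island-hopping exposure, range 0..6 (assumed weighting)."""
    return int(s.data) + int(s.access)


def assurance_gaps(s: Supplier) -> list[str]:
    """Controls the article recommends that this supplier is missing, scaled to its risk."""
    gaps: list[str] = []
    if not s.contract_has_security_schedule:
        gaps.append("add minimum security standards to contract")
    if s.access >= AccessLevel.NETWORK and not s.mfa_enforced:
        gaps.append("enforce MFA on all accounts")
    if s.data >= DataSensitivity.CONFIDENTIAL and not s.certified:
        gaps.append("require recognised security certification")
    if inherent_risk(s) >= 4 and not s.pentested_12m:
        gaps.append("require annual independent pen test")
    return gaps


def residual_tier(s: Supplier) -> str:
    """Inherent risk minus one point of credit per control in place (assumed thresholds)."""
    credit = sum([s.certified, s.pentested_12m, s.mfa_enforced, s.contract_has_security_schedule])
    residual = max(inherent_risk(s) - credit, 0)
    if residual >= 4:
        return "HIGH"
    if residual >= 2:
        return "MEDIUM"
    return "LOW"


def prioritise(suppliers: list[Supplier]) -> list[tuple[str, str, int, list[str]]]:
    """Register rows (name, tier, inherent score, gaps) sorted most urgent first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = [(s.name, residual_tier(s), inherent_risk(s), assurance_gaps(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))


# Constructed sample suppliers; names are placeholders, not real organisations.
SAMPLE_SUPPLIERS = [
    Supplier("Example MSP Ltd", "managed IT services", DataSensitivity.CONFIDENTIAL,
             AccessLevel.PRIVILEGED, certified=False, pentested_12m=False,
             mfa_enforced=False, contract_has_security_schedule=True),
    Supplier("Example Law LLP", "legal advice on M&A", DataSensitivity.RESTRICTED,
             AccessLevel.NONE, certified=True, pentested_12m=True,
             mfa_enforced=True, contract_has_security_schedule=False),
    Supplier("Example Agency", "marketing campaigns", DataSensitivity.INTERNAL,
             AccessLevel.PORTAL, certified=False, pentested_12m=False,
             mfa_enforced=False, contract_has_security_schedule=False),
]


if __name__ == "__main__":
    for name, tier, score, gaps in prioritise(SAMPLE_SUPPLIERS):
        print(f"{tier:6} inherent={score} {name}: {'; '.join(gaps) or 'no open actions'}")
```

Because the two risk dimensions are added rather than multiplied, a supplier that holds restricted data but has no network access still registers as a data-theft risk, and one with privileged access but little data still registers as an island-hopping risk. The weights and thresholds are deliberately simple; in practice they would be tuned to the organisation's own data classification scheme and revisited as the supply chain changes, in line with the continuous-improvement principle.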

Don’t neglect the human element


Finally, don’t forget the role of people in the security environment. They’re often thought of as the weakest link, but if properly trained they can provide a welcome first line of defence, helping to spot phishing attempts and reducing the risk of accidental data disclosure and privacy leaks.

Throughout, the focus should be on trying to pre-empt attacks by using threat intelligence effectively to patch vulnerable systems and profile and hunt down attackers. Incident response is a vital part of any security posture, but is increasingly difficult for organisations to perform effectively in-house. This is where third party expertise should be sought as the final piece of the puzzle to enhance risk management efforts.

Azeem Aleem is Vice-President of Consulting at NTT Security

