In this blog we explore three strategies that professional services firms should apply to reduce their cyber-risks.
The impact of a cyber-security event can bring an entire business operation to a standstill. In a past blog, we highlighted the large cost of cyber-attacks to Australian organisations. We also presented some concerning statistics: almost 60 percent of Australian businesses are interrupted by cyber-crime every month, and 60 percent of SMEs hit with a significant cyber-security incident go out of business within six months. Most cyber-security threats originate from external sources. However, external attacks are frequently enabled by an insider’s inadvertent actions and, in some cases, by deliberate malicious actions.
Dark Reading’s Strategic Security Survey showed that over 25 percent of cyber-security breaches are caused by insiders – your trusted employees. The report also found that 44 percent of organisations say authorised users and employees pose the greatest threat to data security, and 61 percent of organisations believe negligent users will be the primary cause of a data breach in the next 12 months (Vijayan, 2018). So do you really know what your employees are getting up to online? Cyber-criminals understand these weaknesses and use them to their advantage, launching sophisticated attacks including social engineering and advanced persistent threats (APTs) to get to the information they are after.
Professional services firms such as accountants, law firms and consultants hold rich client data and a wealth of personally identifiable information. This type of information is attractive to cyber-criminals and is used primarily for extortion and identity theft. More importantly, professional services firms are data-intensive and rely heavily on computer and information systems, so reliable, uninterrupted access to those systems and data is crucial for business operations. An excellent case study of how a professional services firm can suffer as a result of a cyber-attack is the global law firm DLA Piper. DLA Piper, like many global companies, had its entire operations crippled by the Petya ransomware event in June 2017 (the variant involved is widely referred to as NotPetya). The attack struck across the globe, shutting down computers at many multinational businesses, including the Australian offices of DLA Piper (ABC News, 2017). Ransomware is malicious software that locks up computer files with strong encryption and then demands a ransom, typically in bitcoin, for their release; in the June 2017 event, paying the ransom did not recover the files, so the only realistic path to recovery was restoring from backups. A further driver for professional services firms is the importance of protecting sensitive client data from theft and loss.
General Data Protection Regulation (GDPR)
Australian businesses need to comply with the EU’s General Data Protection Regulation (GDPR) requirements. These requirements came into force on 25 May 2018 and apply to Australian businesses of any size if they “have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU” (Australian Government, OAIC, 2017). The GDPR includes requirements that are similar to the Australian Privacy Act 1988. Additional measures have been included in the GDPR to foster transparent information handling practices and business accountability around data handling. Australian businesses need to have confirmed by now whether they are covered by the GDPR, and if so, take steps to implement any necessary changes to ensure compliance.
Three strategies to reduce cyber-risks and comply with GDPR
If you wish to further explore how to implement these three strategies in your firm, please contact us directly.
ABC News 2017, ‘Petya cyber attack: Ransomware virus hits computer servers across globe, Australian office affected’, ABC News, accessed 8 February 2019, <https://www.abc.net.au/news/2017-06-28/ransomware-virus-hits-computer-servers-across-the-globe/8657626>
Australian Government, Office of the Australian Information Commissioner 2017, ‘General Data Protection Regulation guidance for Australian businesses’, accessed 11 February 2019, <https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses>
Vijayan, J 2018, ‘Data Breaches: Vulnerability Rising’, Dark Reading