In our modern independent services economy, outsourcing of business and professional services is now commonplace, but this practice is extending the attack surface area available to attackers.
Firstly, what do we mean by business and professional services? A professional services firm can be any business that offers customised, knowledge-based services to clients. Examples include outsourced information technology, lawyers, advertising professionals, architects, accountants, financial advisers and consultants, among others. It is a large sector, then.
For the first time ever, according to our 2018 Global Threat Intelligence Report, the business and professional services sector appears in the top five globally attacked industries. It ranks third with 10% of global attacks, behind finance (26%) and technology (25%).
What’s more, attacks on this sector are dominated by known bad sources (i.e. IP addresses that are already known to be malicious) at 34%, followed by web application attacks (21%) and ransomware attacks (17%).
The report paints a bleak picture for some regions too. Business and professional services has become the most attacked sector in EMEA, with just over 20% of attacks, and in the Americas activity from known bad sources accounts for a massive 69% of activity against the sector.
Why is this important? Historically, attackers have focused on business and professional services firms to steal information from them directly, but they are also recognising that these firms are often the weakest link, and are therefore targeting them to steal information about the firms’ clients and partners.
Simply put, the smaller services that form part of a large supply chain are merely stepping stones for hackers to launch a bigger and potentially more devastating attack.
Web application attacks, for example, in the business and professional services sector are often associated with large data breaches. Hackers may use web application attacks against a professional services vendor to gain unauthorized access to their clients’ information, potentially including access credentials of their clients’ online resources. After all, why attack a target directly when a cyber criminal can access it indirectly through business and professional services?
This method was seen publicly years ago, when a large retailer was breached indirectly after its heating and cooling services vendor was compromised and the attackers took advantage of the network connectivity between the two organisations and the data shared across their mutual systems. The point is that ecosystems of business partnerships and services extend attack surface areas and increase risk.
Threats can come from anywhere and from any industry, so having a mature approach to cybersecurity and risk management is critical. Ensure due diligence of your partners. Understand what data they hold, where they store it and how it is protected.
And don’t forget to implement the basics in your own organisation. Make sure systems are patched, the latest versions of security software are installed, and that passwords are used with strong authentication. A wider incident response plan should be in place too, so that, should the worst happen, you know what policies and procedures are in force. Finally, ensure a collective responsibility: all employees have a role to play in a mature approach to cybersecurity.
For more insights and recommendations on how to evolve your security strategy, download our Global Threat Intelligence Report here.