RiskXtra, June 2019
Cyber Security: Risk Mitigation for Professional Services
client information. A PwC report from 2017 claimed that 60% of law firms had reported an information security incident over the previous year (up from 42% in 2014). That same year, the UK Solicitors Regulation Authority estimated that circa £11 million had been lost to cyber crime in the previous 12 months.

Sometimes, professional services firms are their own worst enemy when it comes to risk exposure. A 2018 report found over one million corporate e-mail addresses belonging to staff at the UK’s Top 500 law firms for sale on Dark Web sites. Most were linked to a password, offering cyber criminals a simple way in which to crack open corporate accounts. It’s believed employees had used these corporate credentials to register accounts with consumer sites like Facebook and LinkedIn, which were subsequently breached.
Nation states join the fray
In the other type of attack, professional services firms are targeted with a view to compromising their clients. Operation Cloud Hopper, uncovered in 2017, saw an attack group (namely APT10) with links to the Chinese state compromise managed service providers (MSPs) on an “unprecedented” scale.

“Given the level of client network access MSPs have, once APT10 has gained access to an MSP, it’s likely to be straightforward to exploit this and move laterally to the networks of potentially thousands of other victims,” noted PwC. “In turn, this would provide access to a larger amount of Intellectual Property (IP) and sensitive data. APT10 has been observed to exfiltrate stolen IP via the MSPs, hence evading local network defences.”
Other techniques include ‘watering hole’ attacks, whereby the website of a professional services firm is compromised in order to spread malware to the computers of partner organisations whose users are likely to visit it. One vendor has even warned of a ‘reverse business e-mail compromise’ attack in which hackers compromise the mail server of a supply chain organisation in order to spread fileless malware to trusted partners.

The cyber risk from third party professional services firms doesn’t just include data theft, either. Below par security among suppliers could also expose organisations to the threat of ransomware. According to NTT Security’s findings, business and professional services firms experienced the second highest rate of ransomware infection globally last year.
Given the scale of the threats confronting organisations, it’s time to elevate third party risk management to the level it deserves. The National Cyber Security Centre has developed some useful guidance setting out four key principles which should inform any programme. These are: understand the risks, establish control, check your arrangements and then work towards continuous improvement.
Understanding the risks means being clear about what needs to be protected and why, knowing who your suppliers are and being aware of what – if any – security gaps they have. Establishing control is all about communicating the minimum standards expected of suppliers, building these considerations into contracts and providing cyber security support to suppliers where and when needed.

Assurance requirements – such as pen testing and/or formal certifications – should then be built into supply chain management. Finally, it’s a case of encouraging a culture of continuous improvement and mutual trust. This will need to develop as supply chains evolve and change over time.
Risk-based foundation
No organisation can expect to be completely insulated from cyber risk, but this approach sets a useful risk-based foundation upon which to build. The specific steps we would recommend start with a data audit to understand what needs to be protected and which suppliers handle which high-risk data.
Best practice security controls and processes can include tighter access controls along the lines of least privilege, enforced with risk-based multi-factor authentication. Anti-malware protection and threat detection are also a ‘must’ on endpoints, networks and servers, as well as for e-mail and web gateways.

Regular patch management should be another ‘given’, alongside continuous network monitoring. Incident response and pen testing plans must be run regularly to ensure IT teams have an up-to-date view of their risk profile. Modern techniques like threat hunting can also provide a more proactive approach towards security, which will help in heading off attacks before they impact the organisation.

Finally, don’t forget the role of people in the security environment. They’re often thought of as the weakest link, but if properly trained they can provide a welcome first line of defence.
Azeem Aleem: Vice-President of Consulting at NTT Security