Management consultants, accountants, public safety offices, marketing firms, and many more business and professional services organizations are high-value targets for cybercriminals due to the range of confidential client information they handle. Companies in this sector should all have solid security postures — and many do. But there’s still an alarming number of enterprises that do not.
A survey by Hiscox found that 7 out of 10 business and professional services organizations are not prepared for a cyber attack. Worse, 45% reported that they had experienced at least one cyber attack in the past year, while two-thirds had been hit by two or more attacks.
Meanwhile, Security Infowatch reports that 62% of law firms do not have an information security professional and only 41% have documented cybersecurity policies.
The consequences can be devastating. In addition to the financial impact, the reputational damage caused by an attack can be significant. Business services firms are trusted with highly confidential client data, the loss of which can be costly, particularly in light of new regulations like GDPR. Furthermore, these firms are trusted vendors to organizations all over the world, and must maintain strong security performance.
A deeper dive into the cyber risk facing business services organizations
In light of these threats, BitSight’s Data Science team took a closer look at the security performance of organizations in the business services sector. The team collected data as of June 1, 2019 for a range of business services companies, including accounting firms; management consultancies; marketing and advertising agencies; staffing and recruiting firms; professional training and coaching organizations; graphic design companies; organizations specializing in security and investigations; and more.
The first key takeaway is that improvement is required. BitSight finds that almost half of all Business Services companies do not have Advanced Ratings—meaning they are at a much higher likelihood of breach. Our security ratings range from 250 to 900, with a higher rating equating to a better security posture. Anything above 740 is considered “Advanced”. At the other end of the scale, companies with a security rating of 500 or lower are nearly five times more likely to experience a publicly disclosed data breach.
Forty-five percent of these companies were found to have out-of-date systems or unsupported devices. These systems and devices can be difficult to patch and track, making them primary targets for enterprising hackers.
Furthermore, the metrics (below) show that 44% of business services companies expose open ports that are inherently insecure or vulnerable to cyberattack.
Fewer than 4% of business services companies had one or more botnet infections within the last three months. This number may seem low, but even one botnet infection can be devastating because it extends beyond a single machine. A botnet is a network of computers that have been compromised or infected with malware and are controlled as a group by an attacker.
BitSight research identified a solid correlation between botnet infections and data breaches. More specifically, companies with a BitSight botnet grade of B or lower were more than twice as likely to experience a publicly disclosed data breach.
On the bright side, this sector has some of the highest adoption of email protection controls among all of the sectors tracked by BitSight, with almost 70% of companies using either SPF or DKIM across all their email servers. SPF and DKIM — email authentication protocols that organizations can use to validate that messages have not been forged — allow receiving mail systems to check whether a message was really sent on behalf of the domain it claims to come from. This assists in spotting spam and phishing emails.
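To make the SPF and DKIM controls above concrete, here is an added example (not BitSight's code or tooling, and not part of the original article) that evaluates a domain's SPF policy against a sending IP and checks whether a DKIM public key is published. It uses a constructed, embedded snapshot of DNS TXT records instead of live lookups, so the domain names, selector "sel1" and IP addresses are all assumptions; mechanisms that would need live DNS (a, mx, ptr, exists, redirect=) are reported as unsupported rather than resolved. One caveat worth keeping in mind: SPF authorizes sending hosts for the envelope sender (MAIL FROM) domain, and it is DMARC that ties that result to the visible "From" header; a domain that ends its record with "+all" has published SPF but authorizes every host on the internet.

```python
"""Minimal SPF evaluator and DKIM key check over an embedded DNS snapshot.

Added example: the records below are constructed and stand in for DNS
TXT lookups so the script runs offline. The .test domains are fictional.
"""
import ipaddress

# Constructed TXT records keyed by DNS name (assumption: no live DNS).
SAMPLE_TXT = {
    "example-consulting.test": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all",
    ],
    "_spf.mailhost.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    # DKIM record: selector "sel1", key body is a placeholder, not a real key.
    "sel1._domainkey.example-consulting.test": [
        "v=DKIM1; k=rsa; p=CONSTRUCTED_PLACEHOLDER_KEY",
    ],
    "example-agency.test": ["v=spf1 +all"],  # published, but authorizes everyone
    "example-staffing.test": [],              # no SPF and no DKIM at all
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 caps DNS-querying mechanisms at 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name):
    """Stand-in for a DNS TXT query against the embedded snapshot."""
    return SAMPLE_TXT.get(name, [])


def spf_record(domain):
    """Return the single v=spf1 record for a domain, or None if absent/ambiguous."""
    recs = [r for r in txt_records(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def evaluate_spf(domain, sender_ip, _lookups=None):
    """Evaluate sender_ip against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > SPF_LOOKUP_LIMIT:
                return "permerror"
            if evaluate_spf(arg, sender_ip, _lookups) == "pass":
                return result
        else:
            # a, mx, ptr, exists and redirect= need live DNS; unsupported here.
            return "permerror"
    return "neutral"  # nothing matched and no trailing all: default result


def spf_posture(domain):
    """Classify the record's trailing 'all' term: missing, permissive, soft, enforced."""
    record = spf_record(domain)
    if record is None:
        return "missing"
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return "permissive"
    return "enforced" if last == "-all" else "soft"


def dkim_published(domain, selector):
    """True if selector._domainkey.domain carries a DKIM record with a non-empty p= key."""
    for rec in txt_records(f"{selector}._domainkey.{domain}"):
        tags = dict(
            t.strip().split("=", 1) for t in rec.split(";") if "=" in t
        )
        if tags.get("p", "").strip():  # empty p= means the key was revoked
            return True
    return False


def coverage(domains, selector="sel1"):
    """Fraction of domains publishing either SPF or a DKIM key for the selector."""
    covered = [d for d in domains if spf_record(d) or dkim_published(d, selector)]
    return len(covered) / len(domains)


if __name__ == "__main__":
    for d in ("example-consulting.test", "example-agency.test", "example-staffing.test"):
        print(d, spf_posture(d), evaluate_spf(d, "192.0.2.1"), dkim_published(d, "sel1"))
```

Run as-is to see each sample domain's posture, the verdict for an unrelated sender, and whether a DKIM key is published. The posture check matters because a raw "has SPF" metric counts the "+all" record as a control even though it blocks nothing.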
Finding security in a complex ecosystem
As our data shows, the systems and networks of business services companies are highly vulnerable to attack or, in some cases, already compromised.
However, the challenge of security performance management also extends to the supply chains of these companies. Services firms occupy a broad and interconnected business ecosystem that relies on many third parties, yet these firms often find themselves playing the role of "third party" to their own customers. As a result of this complex ecosystem, it can take days (or sometimes longer) to discover a breach.
While internal security performance is a key priority for business services firms, they clearly cannot ignore the threat from external parties. Breaches traced to “trusted” third-party vendors and partners are a serious and increasing phenomenon. In the fall of 2017, the Ponemon Institute reported that more than half (56%) of companies surveyed said they had experienced a data breach or cyberattack caused by a third-party — up from 49% in the prior year.
Business services companies must establish — and maintain — sterling reputations to succeed in their respective spheres of operation. After all, the nature of their work requires them to have access to their clients’ most sensitive and valuable information. Whether working to assess or improve a client’s finances, its business processes, or its legal strategies, these firms must be discreet and highly trustworthy. Business services firms that fail to meet these expectations will see their entire business models suffer.
Continuous monitoring is required
In our interconnected and interdependent digital world, an internal-only security focus is far from adequate.
Business services companies must look well beyond their own firewalls if they are to truly protect their own data and the client information with which they’re entrusted. They must evaluate and continuously monitor their own security postures as well as those of every partner and third party that may also pose security risks. They must also collaborate closely with those third parties and create a roadmap for security that scales to meet the demands of the organizations they serve.
Making the grade
While business services companies are performing reasonably well in some areas of their security posture, there remains room for improvement. Overall, the sector lags other industries in terms of overall security performance. Furthermore, legacy systems and vulnerabilities remain a risk factor for a significant percentage of firms. But by continuously monitoring the security profiles of their third-party partners with security ratings — and addressing any vulnerabilities or concerns identified — business services firms can greatly improve their ability to keep their reputations intact and their clients loyal.