Balancing security and innovation in a crisis
The rapid global shift to a remote workforce and increased reliance on digital infrastructure were met almost immediately by a staggering uptick in cybercrime. With security resources and budgets stretched thin to accommodate remote workforces, cybercriminals were quick to capitalize on the increased attack surface and general uncertainty, striking with a 667 percent increase in coronavirus-related cyberattacks.
The relentless attacks have driven security concerns to the top of many boards’ agendas, but for the professional services industry the threat of cybercrime is an existential one. At the heart of these firms is sensitive client data, making them a highly attractive target for cybercriminals who can monetize stolen data in many ways: extortion, ransom, sale on the black market or all of the above. The remits of professional services firms also mean that the consequences of any kind of cyber breach are severe. A single breach can not only irreparably damage the firm’s brand, but also jeopardize clients’ names and operations.
New technology, new threats
Amidst this challenging landscape, the pressure to remain competitive has, unsurprisingly, not eased. In many ways, the rapid changes necessitated by the outbreak have encouraged professional services firms to adopt innovative technologies like cloud networking, automation and artificial intelligence. These technologies give firms a measurable edge in collaboration, sharing, understanding and strategizing around in-house and client data, and finding efficiencies to pass on to their clients. These same technologies, however, can also increase risk and the number of entry points cybercriminals have to clients’ valuable information. It is a tension being felt in boardrooms as leaders struggle to decide whether to prioritize forging ahead with new technology or mitigating the risks of cyberattacks in a particularly risky environment.
What must be achieved is a balance between innovation and security, based on an organization’s risk appetite, business objectives and regulatory climate. Firms can avoid putting their reputations at risk by ensuring data and regulatory compliance, identifying and fixing weak points with an ethical hacking service, and making sure IT departments control access to confidential information using encryption and manage identity with PKI. Firms should also consider working with a trusted security partner who can provide a comprehensive and proactive security plan, provide insight across their entire organizational ecosystem, optimize controls to support secure innovation and ensure the firm keeps pace with the sector’s changing security requirements and the complex threat landscape.
Insiders pose a risk
It is not just new technology that can pose a serious risk. Perhaps the greatest danger to a professional services firm is its people — and our new ways of working magnify this weakness. With the shift away from secure private networks to SD-WAN, Internet and cloud-based connectivity, there are many ways for individuals to unwittingly offer cybercriminals a route into a company’s network.
The remote workplace has dramatically increased the number of personal devices used to perform company business, and the additional network entry points expand the attack surface and increase the risk of data breaches in an already heightened threat landscape. The growth of mobile devices in particular increases the likelihood that a phishing attack will be successful. When working on a cell phone, the layout of emails and websites makes it difficult for people to determine what is legitimate and what is fraudulent. People are also more likely to make snap decisions on a cell phone, accidentally opening the door to email-based spear phishing, spoofing attacks that mimic legitimate websites and attacks via social media.
However, the most pressing issue for professional services firms could be the lack of employee awareness about these dangers. Employees will often find ways to circumvent security controls if doing so makes their jobs easier, so finding ways to educate employees can be highly beneficial to ensuring compliance. In a people-centric industry, even a small percentage of staff being careless or unaware of security protocols can increase risk significantly. People can be your biggest asset or your biggest liability.
To mitigate this risk, professional services firms can focus on employee education programs that underscore the fact that security is everyone’s responsibility. A trusted security partner can guide the firm on best practices for all employees to follow, offer visibility into when those practices are not being followed and help make security training an ongoing ritual within the firm.
In a time of crisis, deciding whether to prioritize innovation for the sake of competitive advantage or security for the sake of risk mitigation can be challenging for business leaders. However, the two need not be mutually exclusive. By working with a credible security partner, professional services firms can achieve a healthy balance that provides not only the flexibility to react quickly to rapidly changing market conditions, but also the ability to continuously seek efficiencies in operations.