If you provide professional services, clients expect you to treat their confidential and sensitive information with care and respect. Most likely, that’s an undertaking that forms part of your profession’s code of practice. It’s a given that you won’t leave their files on the bus or share details of an upcoming deal with a third party.
But before you congratulate yourself on your high standards, what if we’re not thinking about negligence by you or one of your team? What if we’re talking about sophisticated criminals hacking into your systems or launching malware attacks? Is your cybersecurity as robust as it needs to be?
Make no mistake, professional service providers are a key target for cybercriminals. Attacks are growing in both number and severity. Financial losses can be significant. One survey showed around 30 per cent of such attacks involved financial theft. In 40 per cent of those, six-figure sums were stolen. Even where money isn’t the prime target, damaged reputations can be crippling. Contracts can be lost. Attacks can rip holes in client relationships that have taken years to build.
Perhaps the most worrying thing is that you’re probably aware of all I’ve just said. While there’s a growing awareness of increased risk, the number of providers taking the steps required to defend their businesses – and their clients – isn’t keeping pace. It’s almost as though people are sitting with their fingers crossed, not wanting to ring alarm bells, hoping they won’t be the target.
One reason for this is that professional service providers often see IT as a nice-to-have tool rather than a critical part of their service. Their day-to-day transactions might depend upon information technology, but the principles of the law, accounting and underwriting were established long before the advent of technology. Those principles are their focus. Often they don’t have an in-house IT specialist with all the know-how on cyber defences. With the greatest of respect, they muddle through, not quite grasping the terminology that defines licensing and access permissions.
We’ve encountered situations where password sharing is the norm, where an intern has effective access to any and all parts of a system. In one case, a temp could have easily walked away with client information, payroll and personnel details, banking and contract information.
When we point out the glaring holes in a firm’s security, the word ‘trust’ is usually mentioned. But let’s be clear: the fact that you trusted your people will ring very hollow with clients whose info has been stolen. And frankly, cybercriminals are ready and waiting to exploit these trust-based loopholes.
We chose the words ‘ready and waiting’ quite deliberately. That’s how professional services firms need to be with their cyber defences. Ready with their defences and aware that an attack could come at any time. Cybersecurity isn’t something you do as a one-off. It’s a continuing process that must become embedded in the culture, constantly reviewed and, if necessary, enhanced.
Please, please, please don’t ignore the threat. Professionalism doesn’t just cover your sphere of expertise. It’s how you approach every aspect of your work. If you haven’t got the specialist knowledge needed to protect your clients and defend your business, talk to someone who has.