Due to the nature of their work, consulting firms have access to, receive and store highly confidential sensitive information relating to their clients. As such, they have become an increasingly attractive target for cybercriminals. With data breaches hitting consulting companies, they can no longer ignore the very real threat of a breach.
For professional services such as consulting and accounting firms, the average cost of a data breach in 2021 was $4.65 million per breach, according to IBM and the Ponemon Institute’s 2021 Cost of a Data Breach report. Lost business accounted for 38% of the total data breach cost. This includes business disruption and revenue losses from system downtime but also lost customers and reputational damage.
Consulting firms are fundamentally built upon client trust, and data breaches can have a devastating effect on future business. As such, cyber incidents have the potential to produce a company-ending event when it comes to professional services. Losing existing clients and the ability to gain new ones because of a diminished reputation and goodwill can ultimately force companies to shut their doors.
But what are the most prevalent threats consulting companies face, and how can they tackle them? Let’s take a closer look.
Phishing and social engineering attacks
The days of brute force attacks on company networks are long gone. Most cybercriminals nowadays find it easier to use phishing and social engineering to infiltrate a network. Tricking employees into revealing credentials or clicking an infected link or attachment is all they need to gain access to a work computer. Once inside, they can easily infect the entire network.
Phishing is how most ransomware attacks are executed. By visiting what may appear to be a benign or known website, employees can become unwitting victims of drive-by downloads, in which malware is downloaded and installed without the user’s knowledge.
To fight this sort of attack, companies must deploy and regularly update anti-malware solutions and firewalls. They also need to educate their employees on how they might be targeted and how they should react. Going further, consulting firms should enable Trusted Platform Module (TPM) capabilities and implement a Zero Trust architecture.
TPM, recently made a requirement for Windows 11 by Microsoft, ensures that security features such as data execution prevention and disk encryption are in use. Zero Trust architecture, meanwhile, scraps the traditional castle-and-moat approach to cybersecurity, which focuses on building walls against outsiders but allows complete freedom to users inside the network. It proposes a new way of tackling cybersecurity: never trust, always verify. Zero Trust ensures that users, devices, and network traffic are verified and subject to least-privilege rules when accessing trusted resources. In this way, should one computer become infected, attackers are prevented from moving laterally across the network.
Consulting firms tend to have an especially high employee turnover rate. This means that every year consultants will switch between organizations, often winding up in competing companies. Many of them are likely to attempt to take confidential information with them when they leave. Depending on the quantity of data involved, this can spell disaster for a company. Not only because data is being exfiltrated but also because that sensitive data is being taken out of the security of the company network and therefore becomes vulnerable.
Consulting firms can turn to Data Loss Prevention (DLP) to tackle this issue. Most DLP solutions come with device control features that allow companies to block or limit the use of removable devices such as USBs, mobile phones or external drives which might be used to steal data.
DLP tools can also block the transfer of data defined as sensitive. Malicious insiders can thus be prevented from sending sensitive information by email, uploading it to the cloud or file-sharing services, printing it or copy-pasting it into the body of an email.
Finally, employees are, unfortunately, a company’s weakest security link. Their gullibility is what makes phishing and social engineering attacks happen, and it is their carelessness that can unintentionally lead to data breaches. Whether sending a document containing highly sensitive information to the wrong address, using personal accounts to perform their work duties or using third-party insecure services to transfer and share sensitive data, employees have been behind some of the most disastrous data breaches that have taken place in the last ten years.
DLP solutions can also help companies with employee negligence. Consulting firms can define what sensitive data means to them in the context of their business or even particular projects and apply policies to block the transfer of files containing it. Through content inspection and contextual scanning, DLP solutions can identify sensitive data in hundreds of file types and prevent it from being shared via popular messaging apps such as Skype or Slack, via personal emails or via cloud applications.
Some solutions, like Endpoint Protector, take things one step further and allow different policies to be applied to particular departments. In this way, employees working directly with important clients can be more strictly controlled than those that do not handle sensitive data on a day-to-day basis. DLP policies can thus be tailored to a consulting firm’s needs, allowing for a flexible implementation that ensures efficiency and minimal disruption to a company’s workforce.
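The content inspection and per-department policies described above, sketched as an added example (this is not Endpoint Protector's code or configuration). The detectors, keywords, department names and channel names are all constructed for illustration.

```python
import re

# Constructed detectors: what counts as "sensitive" is defined by the firm.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
KEYWORDS = {"project falcon", "engagement letter"}  # hypothetical client terms

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(text: str) -> set[str]:
    """Content inspection: return the sensitive-data labels found in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("payment_card")
    lowered = text.lower()
    if any(k in lowered for k in KEYWORDS):
        found.add("client_confidential")
    return found

# Contextual part: per-department rules mapping label -> blocked channels.
ALL_CHANNELS = {"slack", "personal_email", "cloud_upload", "usb"}
POLICIES = {
    # Staff working directly with clients: every exit channel is blocked.
    "client_advisory": {"payment_card": ALL_CHANNELS,
                        "client_confidential": ALL_CHANNELS},
    # Staff who rarely handle client data: a lighter policy.
    "back_office": {"payment_card": {"personal_email", "usb"}},
}

def decide(department: str, channel: str, text: str) -> tuple[str, set[str]]:
    """Return ("block" or "allow", labels that triggered the decision)."""
    # Unknown departments fall back to the strictest policy.
    rules = POLICIES.get(department, POLICIES["client_advisory"])
    hits = {label for label in inspect(text) if channel in rules.get(label, set())}
    return ("block" if hits else "allow", hits)
```

The same message can be blocked for one department and allowed for another, which is the flexibility the paragraph above describes.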
Consulting firms have a lot to lose in case of a data breach. Reputation is a crucial factor in their success, and losing it can have drastic consequences. Data breaches can be a blow consulting companies may not recover from, which is why prevention and a solid cybersecurity framework have become indispensable to their business operations.