Trustwave Blog

Trustwave SpiderLabs: The Unique Factors that Make Professional Services a Target

Written by | Jul 8, 2024

Trustwave SpiderLabs has put together nine vertical threat reports over the past 12 months, but in its most recent effort, the 2024 Professional Services Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report, our team of elite researchers delves into one of the broadest and most complicated vertical sectors covered so far.

Professional services differ somewhat from verticals such as healthcare, manufacturing, and retail because they encompass many different business types, ranging from accounting to legal to various consultancies. Each can be attacked in a specific way, which means there is no single silver-bullet security measure that works for all of them.

Additional unique factors include:

  • High Value of Data: Law firms and other professional services firms deal with a wealth of sensitive information - intellectual property, legal documents, financial records, and personal client data. This data is highly attractive to cybercriminals seeking financial gain, a competitive edge, or material for identity theft.
  • Complex Vendor Ecosystem: These firms often rely on a network of third-party vendors and suppliers for various services. Each vendor introduces a potential security risk, as a weakness in a vendor's system can be exploited to gain access to the professional services firm's network.
  • Regulatory Burden: The professional services industry, especially law firms, faces strict regulations regarding data protection, privacy, and security. Compliance with these regulations can be complex, requiring significant resources and ongoing vigilance.
  • Reputation is Paramount: A cyberattack can have a devastating impact on a professional services firm's reputation. Clients trust these firms to keep their data confidential and secure, and a data breach can erode client trust and damage future business prospects.

The 2024 Professional Services Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies will walk the reader through all the attack types used against professional service organizations, but let’s take a look at one of the most prevalent.


Supply Chain Exposure

The report covers how threat actors have been successfully attacking third-party vendors. In many cases, this is done to gain access to an organization further up the supply chain.

However, professional services present an interesting dichotomy. Not only are they vulnerable to attacks on their own supply chain (after all, many rely on multiple vendors to deliver their services), but they are often also part of another organization's supply chain. This fact could make them twice as appealing to the average attacker.

Trustwave SpiderLabs details how third-party software, particularly file transfer services like MOVEit, is a common cause of supply chain breaches in professional services. Later in the report, we’ll highlight several examples where MOVEit vulnerabilities were exploited to access sensitive data at firms like Ernst & Young, Deloitte, PwC, and Kirkland & Ellis. The report also details breaches caused by vulnerabilities in third-party cloud storage platforms and electronic discovery vendors used by professional services firms like Proskauer Rose, Quinn Emanuel, and Goodwin Procter.

To reduce the risk of being hit with a supply chain attack, Trustwave SpiderLabs suggests:

  • Vet Third-Party Vendors: Conduct security assessments and include strict cybersecurity clauses in contracts, requiring regular audits and breach notifications.
  • Review & Patch: Regularly review vendor security practices, conduct vulnerability assessments, and implement penetration testing.
  • Tighten Internal Controls: Enforce access controls, change control, and audit trails to monitor unauthorized activity.
  • Data Security: Encrypt sensitive data at rest and in transit, restrict access based on need, and monitor access logs for suspicious behavior.
  • Compliance: Ensure vendors comply with relevant data protection regulations.
  • Employee Training: Train employees on cybersecurity hygiene to identify and prevent phishing and social engineering attacks.


Trustwave SpiderLabs Industry Report Series

As previously noted, the professional services sector report is the latest in a series researched and published by Trustwave SpiderLabs. Please visit these for an in-depth analysis of the security issues facing each industrial sector:

Please download the 2024 Professional Services Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies for all the background details on these threats, the groups behind them, and how to properly defend your professional services firm.