In an era dominated by digital transformation, the professional services sector is perched on the precipice of cyber risk. As firms increasingly digitise their operations, the allure of efficiency and convenience is accompanied by a lurking threat: the ever-evolving realm of cyber threats.
For years, professional services firms have retained a reputation of being an appealing target for cyber criminals looking to exploit the vast amount of sensitive client data and client monies they hold. The National Cyber Security Centre (NCSC) along with the Information Commissioner’s Office (ICO) continue to remind firms of their role in reducing cyber risk, and particularly ransomware risk – the biggest online threat to the UK. Therefore, it’s vital that firms understand what they can do to reduce the risk of a cyber attack.
Ransomware payments on the rise
Ransomware has become more problematic because attackers now profit from extorting firms over sensitive data and threatening to publish it. In the past, ransomware attackers would typically infiltrate a firm’s computer systems and encrypt data, in the hope that the subsequent operational disruption would encourage those firms to pay a ransom demand.
However, if a firm had back-ups in place (or at least, back-ups that weren’t compromised during the attack), they could often recover data without paying the ransom demand.
To improve their leverage in ransom negotiations, cybercriminals have now started to exfiltrate data during ransomware attacks, which they can then threaten to publish online. As a result, even if a firm has back-ups in place, the potential reputational damage caused by having their data published online may make them more inclined to pay the ransom demand. This is a particular vulnerability for legal firms, given the volume of records and personal information held.
Evidence suggests this strategy is working. The cybersecurity firm Sophos revealed that ransomware payments have nearly doubled in the past year, with UK companies paying more than the global average. It found that average ransomware payments globally rose to US$1.5m, up from US$812,000 the previous year. By contrast, the average payment made by UK organisations stood at US$2.1m.
The NCSC has also raised concerns that ransomware is expected to rise with the use of artificial intelligence (AI), and about how the use of AI can affect the efficacy of firms’ cybersecurity operations.