04 Mar 2022 / 2021 UK Cybersecurity Census Report
Cyberattacks, poor password security plague professional services firms
Melbourne, Australia – Mar. 4, 2022
More than most businesses, legal, consulting, accounting and other professional services organizations are the keepers of massive volumes of personal, confidential, and commercially sensitive information.
This makes them both high-priority targets for cybercriminals — and, a new study from Keeper Security has confirmed, more likely than most companies to be breached.
The average UK-based professional services firm suffered 62 different cyber attacks over the past 12 months, that study — the 2021 UK Cybersecurity Census Report — found, compared with a national average of 44 attacks across all sectors.
Relatively high exposure for the sector is hardly a surprise to Darren Guccione, Keeper’s CEO and co-founder, who is well aware that the data stored by such companies “really is a treasure trove of information.”
“They gather a lot of sensitive private information that just, from a holistic perspective, garners significant value on the dark web,” he told Cybercrime Magazine. “If you were a cybercriminal, this is what you’d want to go after.”
What does your lawyer know?
As the devastating 2016 compromise of Panamanian law firm Mossack Fonseca made writ large, the consequences of such a breach can be catastrophic — and yet, five years later, 59 percent of the 1,000 IT decision-makers surveyed for the study said their employees still don’t understand the implications of poor password security and hygiene.
Professional services firms are meant to model best-practice approaches to legal compliance, regulatory governance, and other areas — so why are they still so bad at cybersecurity?
The problem certainly isn’t the training software, Guccione said, noting that educating the workforce “is not something that’s complicated to execute: there are plenty of vendors out there that offer really great cybersecurity awareness training.”
“The software is fun to use,” he continued. “It’s engaging. It doesn’t take a tremendous amount of time. But it makes a tremendous difference with respect to the security posture in the organization: there is an exponential difference between knowing something about something, and absolutely nothing about it.”
So what’s the problem?
Even with good training available, survey after survey confirms that the cybersecurity message isn’t getting through: more than 80 percent of the time, Guccione points out, data breaches happen because staff still aren’t using adequate password hygiene and security.
The issue, he suggested, seems to be that cybersecurity awareness simply can’t keep up with the rapid changes within the organization. Employees know that cybersecurity is important, but they still don’t fully understand what to do about it.
This challenge is compounded by the travails of internal cybersecurity organizations that are often still struggling to dispel perceptions that security is just another IT function. “People historically thought of IT investments and cybersecurity as being one and the same,” Guccione said, “and they’re just not. Making an investment in IT is not the same as making an investment in cybersecurity, just because cybersecurity tends to be a lot more nuanced.”
Throw all of this in the pot, and you end up with overworked IT staff trying to convince distracted executives to fund the imposition of unenforceable controls on uninterested employees using unmanageable devices.
“The number one thing we hear about, over and over again, is how can the IT department get visibility, control, and security over every employee that’s transacting on an organization’s systems across every single device they use?” Guccione said.
“They’re grappling with this, and continue to catch up as they’ve migrated to cloud and multi-cloud environments.”
Recognizing that organizations aren’t likely to change enough on their own — and that training employees to behave securely is a Sisyphean task — companies like Keeper Security are working to plug the security gap with integrated environments that unify key employee-facing cybersecurity capabilities like password management, secrets management and remote connection management.
The company’s recently announced acquisition of remote-access innovator Glyptodon will further support this integration — simplifying the process of delivering zero-trust frameworks to provide what it calls “hyper-secure access to remote resources.”
Yet even with strong access tools in place, Guccione warned, companies still need to ensure they’ve implemented adequate cybersecurity training — and repeat it on an ongoing basis — as well as enforcing actions such as introducing identity-based access, internal control policies, two-factor authentication where possible, and the regular patching of operating systems, applications, and even firmware.
“All of these systems can pair together for complete, seamless ubiquity,” he said. “It will give you the cybersecurity protection and visibility that you need for every employee and every device that they use.”
“You’ll know what systems, applications, and websites they’re accessing at all times — and you’ll be able to control and monitor that with clarity. It is very powerful.”
The full 2021 UK Cybersecurity Census Report is available for download from Keeper Security.
– David Braue is an award-winning technology writer based in Melbourne, Australia.
2021 UK Cybersecurity Census Report
With the cybersecurity landscape shifting so rapidly, organisations in the UK have had to evolve right alongside it – or open themselves up to major threats.
How exposed are they to the growing number of destructive cyberattacks? What are their cybersecurity investment priorities like? Who is responsible for their cyber defences?
The 2021 UK Cybersecurity Census Report analysed the behaviour and attitudes of organisations by interviewing 1,000 senior IT decision makers across the UK.