How cybersecurity experts from top firms manage risks and responses

Professional services firms are strengthening cyber resilience to protect their businesses and clients. Three industry experts share their views on vital safeguards.

9 November 2023

The latest figures from the Australian Cyber Security Centre’s Annual Cyber Security report[1] show the business cost of cyber-attacks continues to rise as the threat landscape evolves. Flashpoints from global conflicts to breakthrough technologies are ensuring that this remains a persistent trend.

The nation’s professional services firms – from accountants to lawyers and consultants – have a unique perspective. Those in technology practice areas can help clients navigate cyber threats and incidents. Meanwhile, firms themselves have become high-value targets given the often-sensitive information they hold.

CommBank Head of Professional Services Daniela Pasini says that as the digital transformation of the professional services sector continues, additional cyber security vigilance and robust organisational controls are vital to risk management.

To explore the topic of cyber resilience, three experts from across the sector weigh in on emerging threats and vulnerabilities, how firms can safeguard themselves and their clients and what to do in the event of a breach.

What’s worrying the experts

Amid countless factors raising the prospect of a cyber-attack, two in particular stand out.

Ian Blatchford, the Deloitte Partner leading the company’s Asia Pacific cyber practice, highlights “geopolitical tensions, where some nation states are letting criminals operate with impunity, and the rise of artificial intelligence”.

“The ability to generate things like deep fakes, imitate someone’s voice or likeness to bypass security controls really concerns me,” Blatchford says.

Brendan Tomlinson, Partner at law firm Maddocks specialising in technology, agrees, saying generative AI is lowering the barrier to entry for hackers – however, he expects AI will also prove helpful in combatting cybercrime.

Annie Haggar, Principal at cyber security legal and advisory firm Cyber GC, invokes cultural theorist Paul Virilio, who famously wrote, “When you invent the ship, you also invent the shipwreck.” Haggar says cyber security is often that negative side of digital innovation and must be considered alongside adoption.

Scope and size of the target

While many businesses are focused on improving internal safeguards, they may overlook weaknesses across the supply chain.

Blatchford says, “Many organisations don’t grasp what the ecosystem looks like in terms of third parties. Many breaches we see are perpetrated via third parties that are often the weak link.”

Haggar explains that given professional services firms come in all shapes and sizes, they can have varying levels of cyber controls. She says they may see themselves more as trusted advisers than suppliers but may have access to the “crème of information that threat actors are after.”

To mitigate this threat, Haggar says firms should be careful in deciding what information they keep, and responsibly dispose of anything they don’t need.

“People used to talk about data being the new oil. Data is valuable, can be used in AI, and improve processes, but actually, data in the world of cybersecurity is nuclear waste,” Haggar says.

“Data is incredibly dangerous to store because you become a target, and we advise only collecting it if you absolutely can't avoid it.”

She says that to prevent cyberattacks, firms should adopt the mindset of ‘security by design’. That means when choosing technology, setting up processes, onboarding and training people, security is the underpinning principle that everything is built on.

Addressing vulnerabilities

When implementing preventative measures, Blatchford notes that “attackers generally go after the easy in – the settings that haven’t changed in a while that allow a hacker to tunnel into the network.”

There are also technical vulnerabilities that companies need to be aware of, notes Tomlinson. “Vulnerabilities and unpatched or outdated firewalls or VPNs are still an issue. But we’re seeing more activity like initial access brokers selling stolen credentials and browser-based attacks, known as water-holing.”

To get cyber hygiene right, the experts say firms can consider the following steps:

  • Security strategies – if you haven’t already, ensure you are compliant with the Australian Cyber Security Centre ‘Essential Eight’ at a minimum.
  • Eliminate passwords – implement just-in-time passwords and ideally remove them with fingerprint and facial recognition.
  • Narrow the blast radius – put in place policies to reduce data being stored, for example, setting limits for email inboxes.
  • Be proactive – have an up-to-date data security policy and response plans, test them regularly and run scenario planning.
  • Secure external support – have pre-established teams and advisers on call and consider cyber insurance coverage.
  • Limit personal devices for work – use work devices, set rules on who can use them and the software and apps authorised for download.
  • Training and contingencies – people are the weakest link and the strongest defence if they have the right skills. Make sure they know how to identify suspicious activity.

Responding to a breach

Having a solid incident response plan is just as important as putting in preventative measures. A methodical approach and a dedicated team of professionals are also essential to effectively handling unexpected incidents.

Blatchford recommends “staying calm and following a highly methodical approach to understanding what happened, containing that event, preserving evidence for the authorities and potential criminal investigations, and then moving into some form of phase recovery.”

He says that collaborating with vendors and government agencies is crucial when facing an attack to contain and recover from breaches. Taking responsibility, rectifying the situation, and rebuilding trust can help prevent legal actions and promote a more secure environment.

Tomlinson adds, “When you pull out the data breach response plan, you must also gather the organisation’s key members and expert advisors that you’ve already pre-determined will be involved.

“At a minimum, your response plan should cover taking urgent steps to investigate, mitigate the actual threat, and engage those that need to be notified. It should also be regularly updated and stress tested.”

Haggar says one of the common missteps is when businesses move too early to reassure stakeholders and clients without knowing the full extent of a breach.

“If you come out and say everything is fine, and it turns out it’s far worse than initially thought, you can lose trust that’s never regained. Instead, you’re better off saying, ‘we’re investigating, here is the support we’ve got, and we don’t know yet but will inform you when we do’,” Haggar says.

While the threat landscape continues to change, the basic principles of cyber safety remain firmly in place. There are many technical steps a firm can take, but the human element must also be considered, which is where raising awareness, having clear procedures and training are crucial. After all, cyber criminals tend to prey on human vulnerability more than on weaknesses in IT systems.

Want to know more?

CommBank is committed to protecting its business and customers from scams, fraud and other cyber-attacks. For more ways to safeguard your information, search CommBank Business Security.


Things you should know

  1. ACSC Annual Cyber Threat Report, July 2021 to June 2022. https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022

    The article on this page is published solely for information purposes. The article has been prepared without considering your objectives, financial situation or needs; before acting on the information, you should consider its appropriateness to your circumstances and, if necessary, seek the appropriate professional advice. Any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of each publication’s compilation, but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made.