www.insurancebusinessmag.com Open in urlscan Pro
2606:4700:10::ac43:ca7  Public Scan

Submitted URL: https://t.kmnewsletters.com/ga/click/2-3312338-135-59745-118389-1621573-a80fe1ef0d-lae4cc3056
Effective URL: https://www.insurancebusinessmag.com/asia/risk-management/cyber/professional-service-firms-facing-increased-cyber-risks-427885.aspx?u...
Submission: On November 24 via api from SG — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content


PROFESSIONAL SERVICE FIRMS FACING INCREASED CYBER RISKS

by Gabriel Olano 18 Nov 2022

The professional services sector has seen significant growth over the past few
years, spurred by globalization. However, this growth is also accompanied by
increased exposure to risks, especially those of a technological nature.
Beazley’s latest Cyber Services Snapshot report revealed that professional
service firms are increasingly being targeted by cyberattacks.

According to the report, professional services companies have seen a higher
volume of fraudulent instruction attacks and almost as many business email
compromise incidents so far in 2022 compared to the whole of 2021.



Bala Larson, head of client experience at Beazley, told
Corporate Risk and Insurance that professional services firms are lucrative
targets for cybercriminals due to their data-rich environments, including data
about their own B2B clients.

“In some cases, they might hold onto data for very long periods of time, even
after it is no longer useful,” Larson said. “This is especially dangerous
because some of that data might be sensitive, such as passwords and access to
business clients’ IT systems and infrastructure. If leveraged, this data could
give a threat actor a good idea as to who their next targets should be.”

Hackers may also exploit a professional services firm’s good name and reputation
to bypass the defenses of that firm’s clients, as they are often part of trusted
email domains and other whitelists.

“This is one of the reasons why fraudulent instruction and business email
compromises are so common with these organizations,” Larson said. “Not only are
these firms often trusted by other parties, but they also usually have intimate
knowledge of legitimate transactions with large financial consequences. These
transactions present lucrative opportunities for threat actors to hijack
conversations and misappropriate the trust of these firms for their financial
gain.”


WHAT ARE FRAUDULENT INSTRUCTION ATTACKS?

According to Larson, fraudulent instruction occurs when someone is tricked into
making a payment or transferring money by someone purporting to be a vendor,
client, or authorized employee. These often involve spoofed emails and
communications from compromised vendors.

“What makes this form of attack so appealing to threat actors is the low barrier
for entry,” Larson said. “Rather than attack computers, most of these deceptions
target the relationships between people. Because attackers leverage the bonds of
trust in these attacks, some people may not push back on unusual requests to
redirect funds because these are unusual times. Resistance to these attacks may
also be lower in relationships when there is significant trust, or when a new
relationship is in its early stages and there is a greater desire to make the
other party happy.”

Larson provided several tips on how professional services firms, as well as
other businesses, can mitigate risks related to fraudulent instruction. These
are:

 1. Always verify requests for changes to payment instructions or sensitive data
    through a separate, trusted channel (e.g., for an email request, call your
    contact at a number you know is accurate; don’t trust info that a criminal
    may have supplied).
 2. Conduct anti-phishing training for your team.
 3. Implement multi-factor authentication.
 4. Do not wire funds to bank accounts whose details have changed during the
    past 24 hours.

Larson also highlighted general cybersecurity guidelines contained in the Cyber
Services Snapshot report. Risk managers and decision-makers should not only
understand these but also communicate them to the entire organization.

 1. Know your assets – many organizations think they have good asset management
    capabilities, only to discover after an incident that this was not the case.
    Asset management tools can help you understand your system, leading to
    informed longer-term decisions. Your organization’s asset management
    inventory system should include an asset discovery tool that continuously
    maps devices on your internal network, an up-to-date asset database, and an
    up-to-date configuration management database.
     
 2. Don’t just rely on what you think you know based on previous inventories.
    Keep doing continuous discovery on your network to find new or modified
    endpoints. When you discover a new asset, proactively investigate to
    understand why it's not in the inventory and take steps to ensure this
    doesn't happen again.
     
 3. Don’t forget to install security patches and factor in end-of-life planning.
    Vendors commit to sending regular updates to fix security flaws until the
    promised period ends – after that, organizations can continue using the
    version, but there will be no further fixes for vulnerabilities or
    performance issues. It’s essential that organizations plan for this.
     
 4. Remember that this is not just a technology issue – it’s about people and
    processes. Your people have to know what assets they have and divide the
    responsibilities for managing those assets appropriately. The key is having
    leadership in place that understands the importance of asset management,
    knows how to maximize the technology they have or are likely to purchase,
    and is willing to plan out future changes over time and execute
    consistently.






