Australian Government Urges Businesses to Uplift Cyber Resilience Following Concerning Rise in Cyber Attacks
The 2024-2025 Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report has noted a concerning increase in both occurrence and self-reported costs for professional services firms in relation to cyber attacks. Medium businesses, which include many legal practices, accounting firms, and healthcare providers, have experienced a 55% increase in attack costs, now averaging $97,200 AUD. Small professional services firms have seen costs rise 14% to an average of $56,600 AUD.
The increase in both occurrence and cost has been attributed to the thriving cyber crime black market in which highly sophisticated ransomware and malware can be purchased by cyber criminals as a service or product to be used against victims. This black marketplace has put conventionally unobtainable malicious cyber methods in the hands of low-level criminals, allowing them to broaden the volume of businesses being targeted.
Ransomware (where your data is encrypted and held for ransom, sometimes also stolen) and data breaches (where data is leaked to an unauthorised individual or party) should be of most concern to professional services firms storing sensitive client information such as healthcare data, legally privileged information, financial records, or other confidential information regarding your clients and your intellectual property. These data and assets are often referred to as the 'Crown Jewels' of a firm and should be secured with an assumed compromise mindset as a priority.
Why You Should Get Specialised Advice to Mitigate the Risk of a Cyber Attack
Adequate advice in relation to cyber security is highly dependent upon the context, specific practices, and assets of a professional services firm. In some cases, it may be appropriate for firms to engage a general IT professional or follow the advice provided in the ASD's Essential Eight for small business. However, increasing cyber threats are compelling many professional services firms to seek specialised advice from cyber security and IT specialists who understand the unique compliance and confidentiality requirements of their industry.
Generally, these specialists go beyond generic IT knowledge and advice. They are aware of the unique risks and challenges of running a professional services practice and understand how to uplift and maintain effective cyber security while maintaining productivity and meeting client obligations. They will also be able to help firms classify the sensitivity of data correctly and provide advice in relation to risk-based cyber threat mitigation techniques which involve individual considerations in relation to your firm and its assets.
An example of a risk-based threat mitigation technique might be restricting access to specific sensitive cloud resources to staff connected to your office network. This significantly reduces the risk of unauthorised access to those resources via phishing or compromised credentials, because a threat actor who obtains valid login credentials through malicious means still cannot reach those resources without also being connected to your office network. This is just one of countless possible threat mitigation techniques and combinations of them that can make a firm significantly less attractive as a target to cyber criminals. Sometimes minimal resistance is all that's needed to discourage a threat actor from attempting to compromise your digital assets.
Professional Services Firms Should Engage in a Cyber Uplift Programme
A cyber uplift is a firm-wide initiative to improve practices and procedures which contribute to a cyber-secure workplace. It's a risk-prioritised approach which takes an 'assume compromise' mindset. The big four, or four key actions for organisations listed by the ACSC, are:
1. Implement Effective Event Logging
Effective event logging is an important risk-mitigation technique that can greatly assist in an incident response situation. Incident response is the set of actions taken by an organisation after a cyber incident is detected. Effective logging can help firms identify the actions taken by threat actors in the event of a compromise, including, potentially, the type and amount of data breached and the credentials used to facilitate the breach, all of which are crucial in complying with relevant legislation under the Privacy Act.
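The network-restriction example from the previous section and the logging point above fit together, so here is one added example (not code from the original post) of both: an access check that only admits valid credentials to 'Crown Jewel' resources when the request comes from the office network, writing one structured JSON event per decision, and an incident-response query over those events that lists the credentials most likely to have been phished or leaked. The office IP ranges, resource names, users and addresses are all constructed for the illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed office egress ranges; a real firm would substitute its own public IP ranges.
OFFICE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed 'Crown Jewel' resources that must only be reached from the office network.
NETWORK_RESTRICTED = {"client-matters", "trust-accounts"}


def from_office_network(source_ip: str) -> bool:
    """True when the source address falls inside one of the office ranges."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparseable address is treated as off-network
    return any(addr in net for net in OFFICE_NETWORKS)


class AccessLog:
    """Append-only list of structured events; record() returns one JSON line per decision."""

    def __init__(self) -> None:
        self.events: list[dict] = []

    def record(self, user: str, resource: str, source_ip: str,
               decision: str, reason: str) -> str:
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "resource": resource,
            "source_ip": source_ip,
            "decision": decision,
            "reason": reason,
        }
        self.events.append(event)
        return json.dumps(event)


def evaluate_access(user: str, credential_valid: bool, resource: str,
                    source_ip: str, log: AccessLog) -> bool:
    """Policy: a valid credential, and for restricted resources also an office source address."""
    if not credential_valid:
        log.record(user, resource, source_ip, "deny", "invalid_credential")
        return False
    if resource in NETWORK_RESTRICTED and not from_office_network(source_ip):
        log.record(user, resource, source_ip, "deny", "outside_office_network")
        return False
    log.record(user, resource, source_ip, "allow", "policy_satisfied")
    return True


def likely_compromised_credentials(log: AccessLog) -> list[str]:
    """Users whose VALID credential was presented from outside the office network.

    A correct password arriving from an unexpected network is the signature of a
    phished or leaked credential, so these are the accounts to reset first.
    """
    users = {e["user"] for e in log.events
             if e["decision"] == "deny" and e["reason"] == "outside_office_network"}
    return sorted(users)


if __name__ == "__main__":
    log = AccessLog()
    evaluate_access("alice", True, "client-matters", "203.0.113.45", log)  # office: allowed
    evaluate_access("alice", True, "client-matters", "198.51.100.7", log)  # valid creds, off-network: denied
    evaluate_access("bob", False, "trust-accounts", "203.0.113.9", log)    # wrong password: denied
    for event in log.events:
        print(json.dumps(event))
    print("credentials to reset:", likely_compromised_credentials(log))
```

The reason field is what makes the log useful after the fact: a denial recorded as `outside_office_network` tells the responder that the password itself was correct, which is a different conversation with the client than a string of failed guesses.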
2. Manage Legacy IT Risks
Gone are the days of set and forget for IT systems. IT systems need to be consistently updated, managed, or replaced when critical software updates are released or support has terminated. In the case of many professional services firms, these systems can play a crucial role and be a fundamental part of the operations of the practice. Knowing how to accurately identify and mitigate threats in relation to these legacy systems while finding a potentially suitable replacement is absolutely crucial in today's cyber threat landscape.
3. Shut the Back Door
An increasing area of concern in cyber security is what's referred to as supply chain attacks, where a component used by the software you rely on (or by one of that component's own dependencies) is compromised. Many non-technical people may not be aware that most, if not all, software available for use—even if purchased—incorporates thousands of other pieces of software built by other developers and released for free under what's called an open-source licence. This practice has allowed the software and IT industry more generally to make huge strides in innovation, because developers do not have to rebuild capabilities that already exist.
The downside of this concept is that it only takes one of the component software parts of a piece of software to be compromised to cause a breach. For 'Crown Jewel' or critically important software assets that hold sensitive client data in a professional services firm, a third-party vendor risk assessment is often necessitated to get a clear view of the risks of a supply chain attack. These attacks, although rare, can be absolutely devastating, especially when implemented against critical systems that are core to a firm's practices.
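As an added illustration of the two points above (this is example code, not from the original post), the block below walks a constructed dependency manifest for a hypothetical matter-management system to show how far a single compromised component reaches, and then applies the simplest vendor-assessment control: refusing any downloaded component whose digest does not match the one recorded when it was vetted. Component names, the manifest and the "artifact" bytes are all constructed for the example.

```python
import hashlib
from collections import deque

# Constructed dependency manifest: each component maps to its direct dependencies.
DEPENDENCIES = {
    "matter-management": ["web-framework", "pdf-toolkit"],
    "billing-portal": ["web-framework"],
    "web-framework": ["template-engine", "http-client"],
    "pdf-toolkit": ["image-codec"],
    "http-client": ["tls-lib"],
    "template-engine": [],
    "image-codec": [],
    "tls-lib": [],
}

# The firm-facing applications that hold client data.
APPLICATIONS = ["matter-management", "billing-portal"]


def transitive_dependencies(root, deps=DEPENDENCIES):
    """Every component reachable from root, however many levels down (breadth-first)."""
    seen, queue = set(), deque(deps.get(root, []))
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(deps.get(name, []))
    return seen


def affected_applications(compromised, apps=APPLICATIONS, deps=DEPENDENCIES):
    """Applications exposed if this one component is compromised."""
    return sorted(a for a in apps if compromised in transitive_dependencies(a, deps))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the vetted package files. A real lockfile records the
# digest of each artifact at the time the vendor assessment was carried out.
KNOWN_GOOD_ARTIFACTS = {
    "http-client": b"http-client 1.4.2 (constructed artifact bytes)",
    "tls-lib": b"tls-lib 3.0.1 (constructed artifact bytes)",
}
PINNED_DIGESTS = {name: sha256_hex(data) for name, data in KNOWN_GOOD_ARTIFACTS.items()}


def verify_artifact(name: str, artifact: bytes, pinned=PINNED_DIGESTS) -> bool:
    """Accept a downloaded component only if its digest matches the pinned one.

    A component with no pinned digest is rejected rather than waved through.
    """
    expected = pinned.get(name)
    return expected is not None and expected == sha256_hex(artifact)


if __name__ == "__main__":
    print("matter-management pulls in:", sorted(transitive_dependencies("matter-management")))
    print("compromise of tls-lib reaches:", affected_applications("tls-lib"))
    tampered = KNOWN_GOOD_ARTIFACTS["tls-lib"] + b"\n# injected"
    print("tampered tls-lib accepted?", verify_artifact("tls-lib", tampered))
```

The point of the walk is that `tls-lib` appears nowhere in the list of things the firm chose to install, yet both applications depend on it; that is the 'back door' the heading refers to, and the digest check is what closes it between assessments.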
4. Plan, Educate, Anticipate
Arguably one of the biggest modern threats to cyber security is quantum computers. Although we don't have quantum computers today that can break encryption, we have high confidence that future quantum computers may be able to. This necessitates the concept of Post-Quantum Cryptography, or PQC. PQC refers to encryption algorithms designed to resist attack by quantum computers, and in many cases they need to be used today because of the 'harvest now, decrypt later' surveillance strategies used by nation-state and advanced cyber threat actors.
'Harvest now, decrypt later' surveillance uses malicious methods to surveil or watch encrypted traffic over a network, capture and store the encrypted traffic, and then decrypt the data at a later date when quantum computers are functional. This necessitates that critical systems with sensitive data utilise post-quantum cryptography techniques today, as the encrypted data may be subject to this surveillance method. Often software needs to be assessed by an IT cyber specialist to determine whether appropriate encryption algorithms are being used. Simple confirmation from a third-party software provider about the use of appropriate PQC is generally not sufficient for critical systems, as verification and assurance are essential in risk-based threat mitigation techniques.
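As an added example of the verification step just described (example code, not from the original post), the block below classifies the key-exchange group negotiated in each TLS session and flags the hosts whose traffic could be harvested now and decrypted later. The group names for the ML-KEM hybrids are taken from the IETF draft on hybrid ECDHE/ML-KEM key agreement for TLS 1.3 and from what current browsers and OpenSSL 3.5 advertise; treat that list as an assumption to keep current rather than as a fixed standard. The handshake summaries are constructed in a simple key=value format defined by this example, standing in for whatever your TLS-inspection or server logging actually emits.

```python
import re

# Hybrid groups that pair a classical curve with ML-KEM (FIPS 203). Assumed names
# from the IETF ECDHE/ML-KEM draft; update as the standard settles.
HYBRID_PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

# Purely classical groups: fine against today's adversaries, but recordable for later.
CLASSICAL_GROUPS = {"X25519", "X448", "secp256r1", "secp384r1", "secp521r1",
                    "ffdhe2048", "ffdhe3072"}


def classify_key_exchange(group: str) -> str:
    """Label a negotiated group as post-quantum-hybrid, classical, or unknown."""
    if group in HYBRID_PQ_GROUPS:
        return "post-quantum-hybrid"
    if group in CLASSICAL_GROUPS:
        return "classical"
    return "unknown"


# Constructed handshake summaries (one per observed session).
SAMPLE_HANDSHAKES = [
    "host=matters.example.internal tls=1.3 group=X25519MLKEM768 cipher=TLS_AES_256_GCM_SHA384",
    "host=billing.example.internal tls=1.3 group=X25519 cipher=TLS_AES_128_GCM_SHA256",
    "host=legacy-dms.example.internal tls=1.2 group=secp256r1 cipher=ECDHE-RSA-AES256-GCM-SHA384",
    "host=vendor-portal.example.com tls=1.3 group=SecP256r1MLKEM768 cipher=TLS_AES_256_GCM_SHA384",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_handshake(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (format defined by this example)."""
    return dict(FIELD.findall(line))


def assess_handshakes(lines):
    """Return the hosts whose sessions are exposed to harvest-now-decrypt-later, with a reason."""
    findings = []
    for line in lines:
        h = parse_handshake(line)
        group = h.get("group", "")
        kind = classify_key_exchange(group)
        if kind == "post-quantum-hybrid":
            continue  # key exchange already resists a future quantum attacker
        if h.get("tls") != "1.3":
            # The hybrid ML-KEM groups are defined for TLS 1.3 only, so an older
            # version cannot negotiate them regardless of what the vendor states.
            reason = "TLS below 1.3 cannot negotiate a hybrid ML-KEM group"
        elif kind == "classical":
            reason = f"classical key exchange {group}"
        else:
            reason = f"unrecognised group {group!r}; verify manually"
        findings.append({"host": h.get("host"), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in assess_handshakes(SAMPLE_HANDSHAKES):
        print(f"{finding['host']}: {finding['reason']}")
```

Run against real session data, the output is the list to take back to the vendor: a statement that a product "supports PQC" is not the same as every observed session having negotiated a hybrid group, and only the latter is assurance.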
The Biggest Cyber Threat to Australian Professional Services: Indifference
While a great deal of effort goes into identifying cyber threats and utilising effective mitigation techniques, most of the cyber threats professional services firms face are not nearly as concerning as their indifference to them. Effective cyber security is paradoxical in the sense that the more effective it is, the less you notice it. Most firms don't fully understand the risks of complacency until it's too late—until it's cost them a significant amount from a cyber attack, until it's breached client confidentiality, until it's ruined professional reputations, and in some cases, ruined lives and careers.
My mission is to help professional services firms understand their own risks and take action. You wouldn't trust a general practitioner to perform neurosurgery, you wouldn't hire a conveyancer to run complex litigation, and you wouldn't rely on your bookkeeper to provide tax minimisation strategies. The same applies to cyber security. Getting professional and specialist advice is an important part of reducing the risk of cyber incidents and, in turn, increasing the longevity of and trust in your firm.