A holistic approach is key for cybersecurity within professional services firms

Cybersecurity industry snapshot

May 30, 2024

Cybercriminals balance their desire for big paydays with the odds of success. Many large law firms, consultancies and ad agencies tend to have strong cybersecurity, so hackers often target the smaller professional services firms they perceive as more vulnerable.

While firms of all sizes are taking cybersecurity seriously, their drive to protect digital assets does not always line up with their resources, says Michael Gerlach, an RSM partner and professional services senior analyst.

“The bigger firms have policies, testing, training, cyber insurance and tools that you would expect,” Gerlach says. “But as you move farther downstream, it gets a little less refined. Smaller firms typically have less of a cyber strategy.”

Because of limited resources, those firms often make do with what they have, he says, adding that he has observed a “hodgepodge approach” that frequently relies on a mix of third-party providers.

Regardless of an organization’s size, leaders need to understand how their data is stored and identify weak spots in their systems, says Gerlach, who advocates a holistic approach to cybersecurity that takes into account all of an organization’s systems. That can be a tough transition for professional services firms, which often have decentralized leadership and disparate workstreams.

“Some firms say, ‘Let’s go down the AI path’ or ‘Let's go down the cloud path,’ and that’s good,” Gerlach says. “But with each investment in technology, you also have additional risks and exposure that you need to address. It’s a matter of ensuring that professional services firms are being diligent about the changes in cyberthreats and working to mitigate them.”