Professional, Technical
and Scientific Services


    Phishing and credential theft associated with cloud-based mail accounts
    have risen as the prominent attack types.



    670 incidents, 157 with confirmed data disclosure

    Top 3 Partners

    Web Applications, Everything Else, and Miscellaneous Errors represent
    81% of breaches within Professional Services

    Threat Factor

    External (77%), Internal (21%), Partner (5%), Multiple parties
    (3%) (breaches)

    Actor Motives

    Financial (88%), Espionage (14%), Convenience (2%) (breaches)

    Data Compromised

    Credentials (50%), Internal (50%), Personal (46%) (breaches)

    Wide range of services, narrower range of threats

    Professional Services is a broad category even by NA­ICS standards, and the members of its ranks include law offices, advertising agencies, and engineering and design firms to name only a few. Starting with a focus on the data lost in the 157 Professional Services breaches, Figure 56 gives us an idea of the types of data most commonly involved in these cases.


  • Figure 56
  • We see an overall increase in Personal data and Credentials breached. A lot of this comes from breaches now compromising multiple data types at the same time. Often, credentials are the key that opens the door for other actions. Figure 57 shows that most of the time, it’s on the way to compromise Internal and/or Personal data. This is indicative of gaining access to a user’s inbox via webmail login using stolen credentials.

  • Figure 56
  • Sometimes you just have to ask

    Credentials compromising email...sounds a lot like Business Email Compromise doesn't it? Figure 58 provides ample evidence that BECs are an issue for Professional Services. Financial staff were the most likely to be compromised in incidents involving fraudulent transactions, but it should be noted that executives were compromised in 20 percent of the incidents and are 6x more likely to be the asset compromised in Professional Services breaches than the median indus­try. You have to hand it to the attackers. At some point one must have thought “why don’t we skip all the hard hacking and just, you know, ask for the money?”

  • figure 58
  • Paths of the unrighteous

    To wrap up, Figure 59 illustrates the single step Misuse and Error breaches, but also shows us the Social and Hacking breaches that take slightly longer to develop. All of it provides excellent immediate teaching moments for any organization.

  • Figure 59
  • Things to consider

    One is the loneliest number

    We don’t like saying it any more than you like hearing it, but static credentials are the keys. Password managers and two-factor authentica­tion are the spool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-9’s on most of your entrances if you’ve got one in the back rocking a screen door. 

    Social butterflies

    You know a great way to capture credentials? A social attack. At least we know where it’s coming from. Monitor email for links and executables (including macro-enabled Office docs). Give your team a way to report potential phishing or pretexting. 

    To err is human

    Set your staff up for success. Monitor what processes access personal data and add in redundant controls so that a single mistake doesn’t result in a breach.