Professional services firms — law, accounting, consulting, financial advisory — hold some of the most commercially sensitive data in the economy. A single firm's file servers may contain M&A strategies, financial records, legal correspondence, and personal information for dozens of significant clients simultaneously. That concentration makes them attractive targets.
The Threat Profile
Ransomware groups have become sophisticated in identifying professional services targets. The HWL Ebsworth attack in 2023 demonstrated that a successful breach of one firm provides leverage against dozens of its clients. Government agencies, financial institutions, and listed companies all had data exposed through that single incident.
Common Security Gaps in the Sector
Professional services firms have historically prioritised billable work over IT investment. Common gaps include no MFA on remote access systems (including file-sharing platforms and matter management software), legacy on-premises file servers whose access controls are not commensurate with the sensitivity of the data they hold, and limited monitoring capability, which means breaches are discovered late.
Client Data Obligations
Beyond the Privacy Act, professional services firms are bound by professional conduct rules (solicitors' rules, APES standards for accountants) that may impose additional requirements when client data is compromised. Regulatory bodies expect firms to notify affected clients promptly and to demonstrate that reasonable security measures were in place.
Priority Actions
- MFA on all systems handling client data.
- Network segmentation isolating matter management systems from general office networks.
- A documented incident response plan, tested before it is needed.
- Annual penetration testing scoped specifically to the systems that hold client data.
- Staff training focused on the business email compromise (BEC) and phishing patterns most commonly targeting the sector.