Professional, Technical
and Scientific Services


Phishing and credential theft associated with cloud-based mail accounts
have risen as the prominent attack types.



670 incidents, 157 with confirmed data disclosure

Top 3 Partners

Web Applications, Everything Else, and Miscellaneous Errors represent
81% of breaches within Professional Services

Threat Factor

External (77%), Internal (21%), Partner (5%), Multiple parties
(3%) (breaches)

Actor Motives

Financial (88%), Espionage (14%), Convenience (2%) (breaches)

Data Compromised

Credentials (50%), Internal (50%), Personal (46%) (breaches)

Wide range of services, narrower range of threats

Professional Services is a broad category even by NA­ICS standards, and the members of its ranks include law offices, advertising agencies, and engineering and design firms to name only a few. Starting with a focus on the data lost in the 157 Professional Services breaches, Figure 56 gives us an idea of the types of data most commonly involved in these cases.


  • Figure 56

We see an overall increase in Personal data and Credentials breached. A lot of this comes from breaches now compromising multiple data types at the same time. Often, credentials are the key that opens the door for other actions. Figure 57 shows that most of the time, it’s on the way to compromise Internal and/or Personal data. This is indicative of gaining access to a user’s inbox via webmail login using stolen credentials.

  • Figure 56

Sometimes you just have to ask

Credentials compromising email...sounds a lot like Business Email Compromise doesn't it? Figure 58 provides ample evidence that BECs are an issue for Professional Services. Financial staff were the most likely to be compromised in incidents involving fraudulent transactions, but it should be noted that executives were compromised in 20 percent of the incidents and are 6x more likely to be the asset compromised in Professional Services breaches than the median indus­try. You have to hand it to the attackers. At some point one must have thought “why don’t we skip all the hard hacking and just, you know, ask for the money?”

  • figure 58

Paths of the unrighteous

To wrap up, Figure 59 illustrates the single step Misuse and Error breaches, but also shows us the Social and Hacking breaches that take slightly longer to develop. All of it provides excellent immediate teaching moments for any organization.

  • Figure 59

Things to consider

One is the loneliest number

We don’t like saying it any more than you like hearing it, but static credentials are the keys. Password managers and two-factor authentica­tion are the spool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-9’s on most of your entrances if you’ve got one in the back rocking a screen door. 

Social butterflies

You know a great way to capture credentials? A social attack. At least we know where it’s coming from. Monitor email for links and executables (including macro-enabled Office docs). Give your team a way to report potential phishing or pretexting. 

To err is human

Set your staff up for success. Monitor what processes access personal data and add in redundant controls so that a single mistake doesn’t result in a breach.