Professional Services
Professional services organisations support hundreds of organisations across the Island’s economy. They hold personal data and sensitive information about hundreds of clients. This means that they are an attractive target for cyber attackers.
Professional services includes:
- web and software development
- marketing, PR and advertising
- financial planning and accounting
- legal
- architecture and interior design
- private health, including dental and mental health
Whatever type of professional service you offer, a cyber attack could have a significant impact on your business. A successful attack is likely to cause disruption to your day-to-day work. This could lead to a loss of income in the short term. In the medium term, it could lead to a loss in trust from your clients, which will lead to longer term losses.
We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.
If you have any questions, you can contact us:
- by phone on 01534 500050
- via email (hello@jcsc.je)
- or by booking a meeting with the team
How a cyber attack could affect your professional services organisation
A cyber attack could affect your professional services organisation in many ways. How it affects you will depend on the type of attack, and what the attackers have managed to access. This page gives examples of some of the issues you might face.
Access to basic functions
If your staff use online tools in the course of their work, they might not be able to access them after a cyber attack. This includes online banking and Client Relationship Management systems (CRMs). Depending on the type of organisation, your staff may also need internet access to use specialist software.
In some cases, you might be able to find offline alternatives. But you will likely experience a drop in productivity if you rely on these alternatives. In other cases, offline alternatives may not be available. This means that some staff may not be able to perform their core functions.
Loss of communication with clients
Depending on the nature of the attack, you might lose access to your email and your CRM. This will leave you unable to speak with clients about your day-to-day business.
The attack could also affect your website or social media channels. Taken together, this would mean that you have no way of informing clients about the attack. You will also have no way of reassuring them about the scale of the attack, or the work you’re doing to respond to it.
A key part of responding to a cyber attack is communication: silence is likely to cause unease and even distrust for your clients.
Reputational damage
Your organisation’s reputation is built on the trust that clients have in your staff and your organisation. A cyber attack could damage your reputation long after it’s dealt with. The reputational damage will depend on the cause of the attack, the scale of the attack, and how you respond. But it is very likely that any reputational damage will have a longer term effect on your income.
Staff impacts
A successful cyber attack will mean that staff have to adapt and change how they do their job. But it could also have a financial effect on them. If the attack targets your HR or payroll systems, you may be unable to pay staff salaries on time.
How to protect your professional services organisation
Potential cyber criminals are always developing new techniques and approaches. This means that there’s no way to guarantee that your organisation is safe from every cyber attack.
However, there are several steps you can take to reduce how likely you are to be the victim of a cyber attack.
Back up important information
- Identify which information is critical and make sure that you have a segregated backup. This backup can be online, for example, through a cloud-based service. It can also be offline: on a USB stick, an external hard drive, or a computer which is not connected to the internet.
- Schedule regular backups of your data. This will mean that you have access to the most recent version of your critical information.
- Test your backups regularly. This will mean you know if the backups are working. It will also mean that you understand how to recover the information if you need to.
Keep your devices and software up to date
- You should update all your IT devices and software regularly. This process is called patching: the developer has identified security issues in the device or software and released fixes for them, and patching installs those fixes.
- We recommend that you aim to install patches no more than 14 days after they’re released by the developer.
Protect against malware
Malware is software which is designed to damage, disrupt, or gain access to your systems. You should take the following steps to stop malware from causing harm:
- You should install antivirus software and firewalls on all devices. This includes any personal devices that staff use as part of their work.
- Antivirus software detects and removes any malicious software or viruses from your computer.
- Firewalls create a protective barrier between your network and external networks.
Use strong passwords
- Turn on password protection wherever it is available: this includes across your devices and the services you use.
- Make sure that all staff are using strong passwords. The National Cyber Security Centre (NCSC) suggests using a combination of three random words.
- Use extra security protections, including 2-step verification, wherever they are available. You can find more guidance on this via the National Cyber Security Centre (NCSC).
Be wary of phishing attacks
- Cyber attackers use phishing as a way into a system or network. They will often send an email to trick a user into clicking a link or downloading an attachment. The attachment or link will allow the attackers to steal the user’s information.
- Ensure that staff are aware of this risk, and that they remain vigilant.
Have a plan
- Developing and testing an incident response plan won’t prevent a cyber attack. But if you have one, it’ll help you respond if you do experience an attack.
- An incident response plan sets out what you would do in the event of a cyber attack. This includes who will make decisions, how you can contact them, and what process you will follow.
- An incident response plan will also set out when to seek legal or HR support.
- You can find more information about incident response plans via the UK’s National Cyber Security Centre (NCSC).
Cyber Essentials
Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.
Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.
Once you’ve introduced these measures, then you can become certified. There are two different levels of certification.
Cyber Essentials (CE). To reach this level, you take part in a self-assessment. This process is easy to follow, so that even small organisations can take part. This level of certification costs from £320 (from 2nd April 2024).
Cyber Essentials Plus (CE+). This level builds on the CE accreditation. We recommend this certification if your organisation uses technology to deliver your service. We also recommend this for organisations that process confidential data. What you pay for CE+ will depend on how big your organisation is.
Find out more about on-Island providers of Cyber Essentials.
Jersey Cyber Shield
Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to work with the security measures you already have to give you extra protection.
We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.
Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)
You can find out more about Jersey Cyber Shield on this page.
National Institute of Standards and Technology (NIST) Cyber Security Framework
NIST’s Cyber Security Framework helps organisations manage cyber security risks. The framework includes five sections which – used together – will help you manage risks over time.
The Framework does not set out steps to follow, but gives an outline of the things you need to consider. It gives guidance on the types of controls you can put in place, and what practices you can adopt.
Version 2.0 of the Framework is the most up-to-date version. You can read the full Framework here. There are also Quick Start Guides for different types of organisations.
International Organisation for Standardisation (ISO) Guidelines
The International Organisation for Standardisation (ISO) sets out best practice on a range of topics in Guidelines. These Guidelines are flexible so that organisations of different sizes can use them.
There are two Guidelines that can help you improve cyber security in your professional services organisation. You should review which standard is most relevant to your organisation. It may be that a combination of the standards is most useful.
ISO/IEC 27032:2023 is for any organisation which uses the internet as part of its day-to-day work. ISO/IEC 27032:2023 includes guidance on:
- the links between internet security, web security, network security and cyber security
- how to address common internet security issues
- how to work with your stakeholders to resolve cyber security issues
ISO/IEC 27001:2022 is for companies of any size that own or manage data as part of their day-to-day work. ISO/IEC 27001:2022 includes guidance on:
- how to vet people, policies and technologies to ensure they are secure
- how to establish an Information Security Management System (ISMS)
- how to develop policies, procedures and controls as part of your ISMS
Please note that the standards are updated from time to time to reflect the latest practice.
Useful resources
If you need more information about cyber security, your IT provider should be your first contact.
The UK’s National Cyber Security Centre (NCSC) has produced advice and guidance that can support you. This includes:
- A toolkit that Boards can use to discuss cyber security in the organisation. This toolkit gives Board members a summary of key issues and examples of good practice. It also includes a way to measure the organisation’s performance.
- Exercise in a Box. This online tool allows you to test and practise your response to a cyber attack. There are exercises of different types and sizes which you can use for free.
- Infographics about key issues. You can share these with managers and staff to provide a clear starting point for discussion and training.
- This guide also includes information about the steps you can take to protect yourself if you are a small business.
You can also find more advice and guidance on our website.
Reporting an Incident
If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.
In some circumstances, we can provide direct technical support, and help you communicate.
You can also report an incident:
- by phone on 01534 500050
- via email (incidentreports@jcsc.je)
- online via this form
Find out more about how we can help.
Who you need to contact will depend on the type of attack you experience.
Jersey Financial Services Commission (JFSC). Registered persons are required to disclose information about cyber security incidents. A full list of the reporting requirements is available via the JFSC website.
The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.
Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.
Action Fraud. Action Fraud is the UK reporting centre for fraud and cybercrime. You can make a report via the Action Fraud website.