Professional Services (PS) firms (including, for example, architects and engineers) often work in fast-moving environments where projects are completed for clients within tight deadlines, and where the firm must both meet client expectations and abide by Government regulations. Digital technology has become a fundamental part of the way these firms work with their teams and deliver services to their clients. However, increased use of digital technology creates an additional risk that PS firms frequently overlook: the potential for poor cyber hygiene to impact productivity by exposing sensitive information to unauthorised individuals and/or parties.
Even in well-run PS firms like LaBella Associates, cyber hygiene that is not handled properly can have a severe negative impact. The LaBella Associates Data Breach incident involved unauthorised access to sensitive and confidential information (personal and financial), demonstrating how cyber hygiene may be affected negatively in environments where teams, third-party vendors, and clients share sensitive information.
In PS firms, cyber hygiene consists of many different elements. A core component is access management, which limits which users may view or change sensitive project data and client information. Access management includes multifactor authentication, role-based access control, and regular audits to ensure there is no unauthorised access to sensitive data.
The second point is that secure communication practices need to be implemented. Project teams typically share files through email, cloud service providers, and various collaboration tools. The use of encrypted communications, secure file transfer protocols, and documented data retention policies can all assist in reducing the likelihood of unintentionally leaking or breaching sensitive information.
A third point is that device and endpoint management is essential. Many professionals work off-site or from customer locations, using portable computers (laptops), tablets, and smartphones. Ensuring that devices are secured through encryption, have the latest software updates, and are monitored for malware greatly reduces the risk of unauthorised access.
Training personnel and building a supportive culture is also a critical factor. Members of project teams should be informed about phishing schemes, social engineering practices, and the importance of creating and maintaining unique passwords. If an organisation builds a culture where each employee is aware of the value of maintaining good cyber hygiene, employees will be much more likely to detect potential threats and take action quickly without delaying project completion.
Lastly, organisations need to include third-party vendors and subcontractors within their cyber hygiene strategies. The majority of project-based firms contract with other companies for outside consulting services, engage third-party contractors, or use external software applications. Each of these sources creates additional cyber vulnerabilities. Successful mitigation of these third-party risks begins with clear contractual language, periodic audits, and monitoring of third-party access to company resources.
Managing the interplay among speed, efficiency, and security is a delicate balance. Ideally, an organisation's cybersecurity policy should not create barriers that restrict individuals from conducting their work quickly, but if the policy is too lax it will expose the organisation's systems and data to attack from outside sources. The LaBella Associates Data Breach provides an excellent example of the impact of ignoring basic cyber hygiene principles; as a result of the data breach, LaBella lost significant amounts of trust with its clients, faced serious regulatory compliance issues, and incurred major financial losses.
By prioritising secure practices suited to the project-based environment, professional services organisations can maintain operational efficiency while ensuring that sensitive information is appropriately safeguarded. Cyber hygiene should not be the sole concern of IT professionals; rather, it is a strategic imperative that supports both the professional services firm and the firm’s clients within an ever-evolving digital workplace.
