The nature of their work places professional services firms at the center of today's data economy. Accounting and business advisory firms collect large amounts of sensitive personal data, and their clients extend a high degree of trust to them in handling it. Although these firms lack the public-facing brand of a bank or a healthcare organization, their role in protecting clients' personal data remains vital to keeping those clients' continued loyalty.
That trust can be extremely valuable to the firm. The Sax LLP data breach served as an example of how a single unauthorized access event can expose the critical identity-related data that clients entrust to a professional services firm as part of its business model. Because of the nature of their client relationships, professional services firms such as accounting and business advisory firms routinely handle large amounts of sensitive data on behalf of their clients, including Social Security numbers, driver's licenses, tax returns, and financial statements.
Professional services firms also often aggregate data from multiple clients (individuals, families, and businesses), creating a centralized, combined repository of sensitive, high-value data. This makes every professional services firm a cybersecurity target: the volume of personal information that can be compromised in a single breach creates the potential for clients to suffer long-term financial or psychological harm.
Another major issue is the time that elapses between an intrusion, its detection, and a proper understanding of what is happening. In most professional services environments, extensive collaboration, including remote office access, produces a setting optimized for sharing, in which malicious activity is difficult to distinguish from normal usage. As a result, an unauthorized breach often does not trigger alarms in a timely manner, and the organization is left to conduct a forensic review to determine what happened and what information was affected. This process, while critical and necessary, can lengthen the interval between the moment an unauthorized user gained access and the time the organization publicly acknowledges the event.
The data types exposed in these events, including individuals' birth dates, identification numbers, and passport data, are especially sensitive because they are difficult or impossible to replace. Unlike e-banking credentials or credit card numbers, these identifiers remain unchanged for the rest of a person's life, so their exposure continues to affect individuals long after the organization has secured its systems and removed the unauthorized user.
The public learns about security breaches through state regulatory filings. In many instances these filings present a factual timeline of the dates and times of unauthorized access, the investigation conducted, and the types or categories of confidential or protected information that may have been included in the breach. Over time, these filings have also revealed, if nothing else, a trend: a growing number of data breaches are occurring at professional services firms compared with the past. This does not mean that professional services firms are negligent. It simply demonstrates that, because of the sheer volume of data and information they handle, a professional services firm is more likely to experience such a breach than the average business.
Digital operations continue to expand across the advisory, accounting, and consulting fields, and these incidents therefore illustrate a much broader concept than what is happening to professional services firms today. Cybersecurity is not an isolated risk tied to breaches at professional services firms; it is an overall risk management concern that encompasses clients relying on these firms to keep their data and information secure, the regulatory responsibilities that come with government oversight, and the long-term viability and credibility of the institution itself.
