Recently, I had the IT team of an ad-hoc project client contact me about an incident their organisation had suffered. One of their 1,300 employees had received a phishing or scam email and did the one thing you shouldn’t do, submitted username and password. Naturally, the IT team has been doing the right thing, running ongoing training and phishing testing with all employees, to develop awareness and stop such occurrences.

Unfortunately for them, the scam email had come from an organisation that this organisation dealt with on an ongoing basis. This email was sent to approximately 20 employees, and one fell for it. The email had walked straight past the Microsoft 365 email filtering and been delivered to the employee’s mailbox. Unbeknownst to the internal IT team, the employee fell for the scam, submitted the username and password to a fake, Microsoft Office 365 login page, the cybercriminals or hackers had setup.

The cyber criminals or hackers then proceeded to login to the users mailbox and gathered information on all the people that person had been communicating with. Once they had this information, they used automated tools to send out 8,000 phishing or scam emails to the employee’s contacts. The first their internal IT team knew about it, was when Microsoft shut down their account.

Imagine, for a moment, you the equity partner or director of a professional services firm, either yourself or one of your employees, had fallen victim. Imagine what the damage to your reputation and livelihood could be if those scam emails had been sent to one of your biggest clients, someone you knew personally, for a very long time.

Naturally, if they fell victim and perhaps say had their bank accounts drained, or some major intellectual property stolen what would they be saying to you?

Ask yourself this.

  • Do you think they would be scared, angry and upset?
  • What if it was some very personal matters you’d been helping them with? Something they would not want released publicly?
  • How do you think they would be feeling then?
  • Do you think they would want to continue to associate with you and do business with you and your firm?
  • Obviously, would you, if the shoe was on the other foot?

I know you are thinking… So what? What does this have to do with my professional services firm and why should I care? I’ll just go start another firm and leave the one I’m currently with.

There are a number of very important lessons in this situation.

  • The need for ongoing cyber security awareness training and phishing testing.
  • Making sure your employees or team are aware of the warning signs especially with scam or malicious emails.
  • The need for the organisation leaders, to lead by example, when it comes to matters, relating to cyber security. As a mentor of mine likes to say, “The fish rots from the head”.
  • The need, to work with a specialist IT services company with extensive cyber security experience, on an ongoing monthly basis, who can immediately assist in preventing, or at a minimum, mitigating the damage caused, when something like this happens.
  • The need to have multiple layers of cyber security protecting your professional services firm or organisation.
  • Even with an internal IT team, they can’t be watching everything, all the time, 24x7x365 as this will cause them to burn out and quit.
  • It goes without saying, the organisation, in this example, got away lightly with the damage that was caused.

While the organisation got away lightly, there was still major time investment required, from the internal IT team, to work out what had happened and fix the issue. Naturally, this put untold amounts of pressure and pain in the form of lost time and stress on a very stretched IT team, who have been working diligently to stop such situations happening.

So how do you avoid this embarrassment?

Obviously, you want to work with an IT Services company with extensive cyber security experience that implements on going cyber security services to monitor the security of your professional services firm’s IT systems 24x7x365.

There must be a multi layered security approach across all your IT systems either in house, in the cloud or a hybrid system. The services must have guaranteed response times and you must know how long the data is going to be retained for.

While you have no direct control of your client’s or suppliers’ cyber security controls and mechanisms, this is why you must have, ongoing 24x7x365 external security monitoring of your systems. This then allows us to detect when something has happened, even if a cyber criminal or hacker has tried, or succeeded, to delete the evidence of it occurring from your systems.

If you’re an IT Leader for your organisation or perhaps you’re the managing partner or director for your firm, and you have an internal IT team, consider getting them the help they need, to protect you better. To learn more on how we can help, check out our co-managed IT services.

Combine robust IT and cyber security solutions and secure the future of your professional services firm today.

Have questions and want to learn more? Go to and sign up for my FREE 17-minute training video that dives deeper into protecting your legacy, reputation and your family’s livelihood.