Professional Services Security Advisory

Your clients are asking about your security. What are you telling them?

Law firms, accounting practices, consulting firms and engineering groups hold some of the most commercially sensitive data in the Australian economy — client files, transaction documents, strategic plans and financial records for clients who are themselves subject to stringent regulatory requirements. Enterprise clients are increasingly conditioning engagements on demonstrated security standards. The question is no longer whether your security posture matters to your clients — it is whether it is strong enough to pass their scrutiny.

Key Obligations & Standards

  • Privacy Act 1988 — Mandatory where personal information is held
  • Notifiable Data Breaches — 72-hour notification obligation
  • ISO/IEC 27001:2022 — Enterprise client procurement standard
  • SOC 2 Type II — Technology & SaaS client requirement
  • Client Contract SLAs — Security requirements in engagement terms
  • Professional Body Requirements — Law Society, CPA, Engineers Australia

The Threat Reality

Professional services firms are a high-value, under-defended target

Professional services firms present an unusual threat profile. They hold extraordinarily sensitive client information — legal privilege, transaction documents, M&A strategy, financial records and personal data — while typically investing significantly less in security than their enterprise clients expect them to. This creates a gap that sophisticated adversaries have learned to exploit.

For law firms specifically, the threat is compounded by the nature of legal privilege. Client communications, litigation strategy and settlement negotiations held in a law firm's systems are among the most valuable intelligence targets in the economy — sought by corporate adversaries, foreign state actors and organised criminal groups pursuing financial advantage.

Business email compromise is the most prevalent attack type against professional services — targeting the trust relationships between partners, clients and financial institutions to redirect payments and harvest credentials. The average BEC loss in Australia is $64,000 per incident — and professional services firms are disproportionately represented in ASD reporting data.

  • Protect client confidentiality against adversaries motivated by commercial intelligence
  • Defend against BEC attacks targeting trust account transactions and invoicing
  • Meet ISO 27001 and NDB requirements increasingly demanded by enterprise clients
  • Prepare for client security due diligence questionnaires and procurement requirements
  • Build a security programme that protects the firm's most valuable asset — client trust

Primary Threat Types — Professional Services

📧
Business Email Compromise

Sophisticated impersonation attacks targeting the financial flows between professional services firms, their clients and financial institutions. Partners, accounts payable staff and clients are targeted to redirect trust account payments, retainer transfers and invoice settlements.

Most prevalent threat · $64K avg. loss per incident
🔑
Credential Harvesting

Targeted phishing campaigns against partners and senior staff seeking access to client document management systems, matter files and email archives. Law firm credentials are particularly valuable for accessing legally privileged communications and M&A transaction data.

High targeting of law & financial advisory firms
🦠
Ransomware

Criminal groups targeting professional services for both the ransomware payment and the threatened exposure of client data. The confidentiality obligations firms owe their clients create additional pressure to pay — making professional services a high-value ransomware target.

Double extortion — payment and data exposure threats
🕵️
Corporate Espionage

State-sponsored and commercially motivated actors targeting M&A transaction intelligence, litigation strategy and competitive intelligence held in law firm and consulting firm systems — often on behalf of clients engaged in the same matters.

State-sponsored + commercially motivated actors
📎
Supply Chain Entry

Professional services firms are increasingly targeted as a supply chain entry point into their enterprise clients — particularly law firms, auditors and consultants with trusted access to client systems, data rooms and financial platforms.

Growing vector — ACSC advisory 2024

The Client Due Diligence Problem

Enterprise clients are now security-gating their professional services providers

The security due diligence landscape for professional services has changed permanently. What was once a rare request from a particularly security-conscious client is now standard procurement practice for enterprise organisations — driven by their own regulatory obligations and board-level risk management requirements.

📋

Security Questionnaires Are Now Standard

Enterprise procurement processes for professional services now routinely include security questionnaires of 50–200 questions — assessing everything from your data classification framework and encryption standards to your incident response capability and third-party risk management. Firms that cannot answer these credibly are being excluded from panels.

Avg. enterprise DDQ: 80–120 questions
🏅

ISO 27001 Is Becoming a Baseline Requirement

For law firms and consulting practices engaging with financial services, government and large corporate clients, ISO 27001 certification is rapidly shifting from a differentiator to a baseline expectation. Firms without certification are increasingly excluded from enterprise panel appointments — particularly in financial services and government-adjacent work.

ISO 27001 now required by 40%+ of enterprise RFPs
⚖️

Your Security Posture Is Your Clients' Risk

APRA-regulated entities are required to manage the security of their service providers under CPS 234. ASX-listed companies face board-level obligations to manage supply chain security risk. When your clients are subject to these obligations, your security posture becomes their compliance problem — and they will act accordingly in procurement decisions.

CPS 234 third-party obligations apply to all service providers

Typical Enterprise Security Questionnaire — Sample Questions & Answers Without a Security Programme
(Representative example)

  • Does your organisation hold ISO 27001 certification or equivalent? — No
  • Do you maintain a formal information security policy reviewed at least annually? — Partial
  • Do you encrypt client data at rest and in transit using current encryption standards? — Partial
  • Do you have a documented and tested incident response plan? — No
  • Do you conduct annual penetration testing of your client-facing systems? — No
  • Do you have MFA enforced on all systems that access client data? — Partial
  • Can you provide evidence of security awareness training completed by all staff in the last 12 months? — No

Regulatory Obligations

What professional services firms are legally required to do

The regulatory obligations on professional services firms have expanded alongside their enterprise clients' expectations. Understanding the full scope of what applies to your firm — and the consequences of non-compliance — is the starting point for a credible security programme.

All Professional Services Firms

Privacy Act 1988 & Australian Privacy Principles

Professional services firms that hold personal information about clients, employees or third parties are subject to the Australian Privacy Principles — including obligations around collection, use, disclosure, security and retention of personal information. The proposed Privacy Act reforms will significantly increase obligations and penalties for entities handling sensitive categories of personal data.

Up to $50M penalty · OAIC investigation · Class action exposure

All Professional Services Firms

Notifiable Data Breaches Scheme

Any eligible data breach involving personal information held by a professional services firm must be notified to both the OAIC and affected individuals. Given the sensitivity of client information held by law firms, accounting practices and consultants, almost any breach involving client data will meet the NDB eligibility threshold.

72-hour notification · OAIC report · Client notification

Law Firms

Trust Account & Professional Obligations

Solicitors holding client money in trust accounts have specific obligations under state legal profession legislation regarding the security of trust account systems and client funds. The Law Society of NSW and equivalent bodies have issued guidance on cyber security controls required for practices handling trust money — particularly controls preventing unauthorised payment redirection.

Professional misconduct · Regulatory investigation · Client liability

Enterprise-Facing Firms

Client Contract Security Requirements

Enterprise clients — particularly APRA-regulated entities and ASX-listed companies — increasingly embed security requirements directly in engagement letters and service agreements. These contractual obligations can include information security standards, incident notification timeframes, audit rights and specific control requirements that create immediate legal liability for non-compliance.

Contractual breach · Professional indemnity · Panel exclusion

Trust Account Security — The Law Firm Priority

Business email compromise targeting law firm trust accounts is the highest-consequence cyber threat specific to legal practice. A single successful BEC attack redirecting a property settlement, M&A consideration or estate distribution can result in losses of hundreds of thousands to millions of dollars — and professional indemnity exposure that may never be fully recovered.

The controls required to prevent trust account BEC attacks are well understood. The gap is implementation — most firms have the tools but lack the configuration, processes and staff training required to make them effective. We close that gap.

  • MFA on all email and financial systems
  • Payment verification call-back procedures
  • Email sender verification and DMARC
  • Bank account change verification process
  • Staff BEC awareness training and simulation
  • Privileged access controls on trust systems
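
The email authentication control above (SPF and DMARC) only stops spoofed invoice and settlement emails if the published records are actually enforcing: a DMARC record with p=none or a partial pct, or an SPF record ending in ?all, lets impersonation mail through. The following script is an added example, not GadgetAccess code, that evaluates a domain's SPF and DMARC TXT records for those weaknesses. The records it checks are constructed sample values embedded inline (in practice you would feed it the output of a TXT lookup for the domain and for _dmarc.<domain>); the domain names and mailbox in them are placeholders.

```python
"""Flag SPF and DMARC record settings that leave a domain open to sender spoofing.
Added example; not part of the original page. Sample records are constructed."""
import re

# Constructed sample TXT records, as a DNS TXT lookup would return them.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    },
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)


def parse_tags(record):
    """Parse a DMARC 'k=v; k=v' tag list into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record (empty list means no weakness found)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    terms = record.split()
    all_term = next((t for t in terms if t.lower().endswith("all")), None)
    findings = []
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    elif all_term.lower() in ("+all", "all"):
        findings.append("SPF: '+all' authorises every host on the internet")
    elif all_term.lower() == "?all":
        findings.append("SPF: '?all' is neutral; spoofed mail is not failed")
    elif all_term.lower() == "~all":
        findings.append("SPF: '~all' softfail; prefer '-all' once legitimate senders are enumerated")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the 10-lookup limit (permerror)")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record (empty list means no weakness found)."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no v=DMARC1 record published at _dmarc.<domain>"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: missing or unrecognised policy '{policy}'")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not being collected")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("DMARC: relaxed alignment (default); adkim=s/aspf=s require an exact domain match")
    return findings


def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for label, records in SAMPLE_RECORDS.items():
        print(f"[{label}]")
        for finding in assess(records) or ["no weaknesses found"]:
            print("  -", finding)
```

The weak sample produces five findings (neutral SPF, monitoring-only DMARC policy, partial pct, no reporting address, relaxed alignment) while the hardened sample produces none; DKIM is not covered here because it requires inspecting signed messages rather than a published policy record.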

Services for Professional Services

What we deliver to law firms, accounting practices and consultants

Our professional services advisory is built around the specific threat landscape, client confidentiality obligations and enterprise procurement requirements that professional services firms face. We understand that the reputational consequence of a breach in a firm built on client trust is categorically different from any other sector.

🔍

Security Gap Analysis

A structured assessment of your security posture against the Privacy Act, NDB obligations, ISO 27001 and the client security requirements most commonly appearing in enterprise procurement DDQs — delivered as a prioritised remediation roadmap that makes sense for a professional services operating environment.

🏅

ISO 27001 Certification Programme

A structured gap assessment and remediation programme designed to achieve ISO 27001 certification — the most commonly demanded security standard in enterprise professional services procurement. We have supported firms through first-time certification on the first attempt, typically within four to six months of engagement start.

📋

Client DDQ Response Programme

A structured programme to prepare your firm for enterprise security due diligence — building the policies, controls and evidence required to respond credibly to client security questionnaires. Includes a library of pre-completed DDQ responses aligned to common enterprise questionnaire frameworks.

📧

BEC & Trust Account Protection

A targeted engagement to close the email security and process control gaps that enable BEC attacks — covering email authentication (DMARC/DKIM/SPF), MFA on financial systems, payment verification procedures and staff simulation exercises that test real-world BEC response under realistic conditions.

🧭

vCISO Advisory

Strategic security leadership for firms that need CISO-level programme governance for client presentations, panel tenders and board reporting — without permanent headcount. Our professional services vCISOs understand managing partner dynamics, client confidentiality obligations and the specific security expectations of enterprise legal and financial clients.

📋

Privacy & NDB Compliance

A comprehensive Privacy Act compliance programme covering personal information handling obligations, data classification, retention and destruction frameworks and a tested NDB notification process — designed to ensure you can meet the 72-hour notification obligation even in a major incident scenario involving sensitive client data.


Case Study — Professional Services

Top-tier law firm achieves ISO 27001 certification and wins $4M government panel appointment

A mid-size Australian law firm with a growing government practice had been excluded from two Commonwealth legal services panel tenders due to their inability to demonstrate ISO 27001 certification or equivalent security standards. The panel value was material — the firm engaged GadgetAccess to achieve certification within a six-month window before the next tender cycle.

We completed a gap assessment, designed a remediation programme and prepared the evidence required for certification — achieving ISO 27001:2022 certification on the first audit attempt, within the required timeframe. The firm was subsequently successful on the panel tender they had previously been excluded from.

6 months — From gap assessment to ISO 27001:2022 certification, within the window required before the next government panel tender cycle.

1st attempt — Certification achieved on the first audit attempt, with no audit findings requiring remediation before certificate issuance.

$4M panel win — Firm subsequently successful on the Commonwealth legal services panel appointment they had previously been excluded from due to missing certification.

We had been excluded from two Commonwealth panels in 12 months because we couldn't answer the security questions. GadgetAccess got us to ISO 27001 in six months. We won the next panel. The ROI on the engagement was clear on day one of the panel appointment.

— Managing Partner, Mid-Size Australian Law Firm · Sydney

Professional Services Advisory

Win the panels you've been excluded from. Protect the clients who trust you.

Enterprise clients are security-gating their professional services providers. The firms that invest in a credible security programme now will win the work that matters. Book a briefing and we'll show you where your programme stands against their requirements.

Briefings scoped to your firm's size, client profile and current security posture. Typical response within one business day.