Industry insights

Professional services

Compared to many industries, professional services has weathered the COVID-19 pandemic relatively well. This is partly due to continued demand for its services, and partly to the relative ease with which its workers could shift to remote working. This does not mean that cyber risk is irrelevant. The industry is a target for ransomware attacks, and firms report that they are not managing cyber risk beyond the basic level.

How does the professional services industry stack up?

2.5 (basic)

The average CyQu rating for professional services organizations globally is 2.5/4 (basic).

What this means

This rating indicates that cyber security maturity is at a basic level. Organizational cyber security risk management practices and technologies are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Risk management practices and technologies are not established organization-wide.

Explore the most pertinent cyber risks to professional services organizations, map them to key cyber security controls, and determine actions your organization can take to close cyber security gaps.


*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.

Drawing on proprietary data and expert insights, the four key risk themes below are those most prominent for professional services organizations today.

Navigate new exposures:

Rapid digital evolution

The management of device vulnerability in a remote setting has surfaced as a significant challenge in this industry, with 17% of organizations having no formal approach or process. Alarmingly, only 4% felt confident that they had a robust and consistent approach to this critical area.

Know your partners:

Third-party risk

Third-party management remains a real challenge, with 50% of organizations presenting a risk maturity score of 1 overall. Of particular concern is the lack of attention to the due diligence of third-party providers, with 58% of organizations lacking a formal process. As professional service organizations are often targeted because of the data they hold, this must be addressed.

Concentrate on controls:


There is a big divide across organizations when it comes to ransomware security. 30% have robust monitoring, leveraging next-generation Endpoint Detection and Response (EDR) tools and behavioral analytics. Conversely, 39% of organizations have very little monitoring in place. Without effective logs, it will be nearly impossible for these firms to confirm to clients whether their data may have been impacted by an attack.

Perfect the basics:


Risk management and governance of data remains an area of weakness for professional services firms. 36% have no real data governance processes in place, and 45% have no formalized approach to the risk management of data security. It is important that firms assess the financial consequences a data breach would have on their organization.
