The research from Check Point this week confirming that cyber incidents in financial services doubled in 2025 didn't surprise me. What should surprise you is how those attack patterns immediately spill over into your accounting firm, architecture practice, or boutique consulting shop. There's a brutal logic to modern cybercrime that extends far beyond the obvious targets.
If I were running a criminal operation today, I'd target financial institutions too. Their security posture is among the most mature in any industry. The draw for criminals is that these networks are highly interconnected and any downtime costs millions per hour. That translates directly to faster payouts. When a bank can't process transactions, the business hemorrhage creates pressure to pay ransoms quickly. The same tools used to attack JPMorgan last Tuesday get used against your 50-person law firm by Wednesday. That part rarely makes the news.
Attackers Don't Discriminate, Their Tools Do
The report notes a 105% increase in DDoS attacks against financial institutions. DDoS remains popular because it's cheap to execute and creates immediate pain. Criminals don't need sophisticated code when overwhelming a network with traffic gets the job done. But tools scale. The same botnets used against large banks cost less than $50/hour to rent on dark web marketplaces. Your firm's website or cloud applications are now facing industrialized attack capabilities that were previously reserved for multinationals.
Organized groups like Breach Laboratory, responsible for 43 incidents in 2025, develop playbooks against large institutions and then repackage them for mid-market victims. That is why we keep seeing the same attack patterns turn up in professional services firms. Cloud misconfigurations get exploited inside Azure or Google Workspace environments. Unmonitored API endpoints let data leak out quietly, with no alarm to notice it going. And weak identity governance, the stale accounts and over-broad permissions nobody cleaned up, gives an attacker room to move laterally once they are inside. None of these are exotic. They are the predictable seams in a setup that was stood up quickly and never hardened.
The Economic Blind Spot
Financial institutions understand security as existential. They staff large teams, buy premium tools, and accept rigorous compliance burdens. Mid-market firms operating on tighter margins make different trade-offs, and those trade-offs tend to rest on a few comforting assumptions that do not survive contact with how attacks actually work.
The first is "we're too small to be targeted." The trouble is that nobody is targeting you personally. Attacks against companies with 50 to 200 employees rose 320% last year because automated scanning sweeps the entire internet looking for common vulnerabilities, and a firm with a misconfigured tenant looks identical to a bank with the same gap. Being small does not make you invisible. It makes you the easier of two doors.
The second is "our cloud provider handles security." Microsoft and Google secure the infrastructure underneath you, but the data and the configuration on top of it are yours to protect, and that is where most breaches actually happen. I have watched firms expose sensitive client documents through nothing more exotic than a SharePoint permission set the wrong way, with the platform working exactly as designed.
The third is "our IT guy has it covered." This one is the kindest and the most dangerous, because it asks one capable person to outpace criminal groups that employ full-time developers refining their methods every week. No individual, however good, keeps up with that alone. It is not a knock on your IT person. It is a mismatch of scale.
Defending Like (Smart) Bankers Do
The Check Point report correctly emphasizes identity-centric security and layered defenses. For resource-constrained firms, those principles come down to three priorities that do not require a bank's budget.
The first is to treat identity as your perimeter. MFA everywhere is the baseline, not the finish line. Beyond it, you want regular access reviews that actually remove the credentials of people who left months ago, privileged access management so admin rights are not sitting on everyday accounts, and alerting that flags abnormal login times and locations before a stolen password turns into a quiet tour of your systems. Most breaches we see start with a valid login that should have been impossible, and identity is where you catch that.
The second is to automate cloud vulnerability scanning. You do not need an enterprise platform to do this well. A scheduled PowerShell or Python script that checks for publicly exposed storage buckets, overly permissive firewall rules, and unused admin accounts will catch the large majority of the misconfigurations that attackers scan for, and it runs for free on infrastructure you already pay for. The value is in running it on a schedule and acting on what it finds, rather than discovering the open bucket the same week a stranger does.
The third is to rehearse incident response before you need it. The law firms we work with now run quarterly tabletop exercises, walking through a ransomware scenario start to finish. The point is less about the technology and more about the decisions: who authorizes a payment, who contacts clients, how fast you can actually isolate an infected system. The first time a firm answers those questions should not be at two in the morning with files encrypting in real time.
The Extortion Playbook Comes for Services Firms
Financial institutions face public shaming campaigns and data leaks to pressure consumers. Professional services face a different pressure point. Client confidentiality breaches. A threat actor doesn't need to encrypt your files when leaking merger documents or real estate bids destroys trust. We arrested an attack last month where criminals infiltrated a firm's M365 environment, gathered email evidence of an acquisition, then demanded payment not to inform the target company.
This is the new normal. Your real value sits in delicate relationships and non-public information clients entrust you with. Defending that requires the same mindset shift banks made post-2008. Security preserves the firm's existence. Treating it as an inconvenience is how firms end up compromised.
It is worth sitting with why this model is so effective against firms like yours specifically. A bank has regulators, insurers, and a communications team built to absorb a public incident. A 40-person accounting practice has its reputation, and that reputation is the entire business. When an attacker holds a folder of your clients' financial records or a law firm's privileged correspondence, they are not threatening your systems. They are threatening the trust that every future engagement depends on. That is why the data-leak model has largely replaced pure encryption for these targets: you can restore files from a backup, but you cannot restore a client's confidence that their merger terms stayed private. The leverage is the relationship, and the relationship is what you sell.
The uncomfortable implication is that backups, while essential, are not the whole answer anymore. You also have to make the data hard to take in the first place, which loops back to identity, configuration, and monitoring rather than recovery alone. A firm that can restore quickly but leaks client data along the way has solved the wrong half of the problem. The goal is to make exfiltration noisy and difficult, so an intruder trips an alert long before they have assembled anything worth extorting you over.
Start Here Monday Morning
If this landed, there are three things worth doing before the week gets away from you, none of which require a budget approval. Pull the login logs from your primary cloud platform, whether that is Microsoft 365 or Google Workspace, and look for sign-ins from locations or devices you do not recognize, because that is often the first and only warning you get. Confirm your backups are genuinely isolated: are the nightly copies disconnected from the network so ransomware cannot reach them, and have you actually tested a restore in the last quarter, or are you trusting a backup you have never opened? And sit down with leadership to settle the questions you do not want to be debating mid-incident, like the threshold for involving law enforcement and where the firm stands on paying a ransom. Write the answers down while everyone is calm.
Financial services firms face relentless attacks because criminals align effort with reward. Your firm has become rewarding enough. The defenses exist, but they're useless until treated as operational necessities rather than items on a someday list.
The encouraging part is that the same logic that makes you a target also tells you how to stop being an easy one. Attackers optimize for effort against reward, so you do not have to be impenetrable. You have to be enough work that the automated sweep moves on to the next firm that did not bother. Tight identity controls, a hardened cloud configuration, isolated and tested backups, and someone actually watching the alerts are not exotic measures. They are the difference between being the easy door and the one not worth forcing. The firms that get hit are rarely the ones that thought hard about this. They are the ones who assumed their size would protect them, right up until it did the opposite.
Data source for statistics cited: FinTech Magazine