Skip links

Effective Cyber Security for Regulated Firms – Why a Structured Approach is Paramount to Managing Risk

With cyber attacks and data breaches hitting the news headlines seemingly daily, it cannot have escaped anyone’s notice that risk management around cyber crime is now a massive issue for all businesses.  regulated firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients.  As such, I frequently get asked by my regulated firm clients for advice on the best ways to manage the risk around cyber security, so today I thought it would be useful to share some information on this important subject.

Cyber crime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK based organisations had suffered a security attack in the previous 12 months.

Cyber Attacks

The types of attacks experienced are diverse, ranging from "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption.  The motivation behind these attacks varies from quick money-making scams, through to much more sophisticated espionage.

Protecting confidential client information is one of the most essential requirements for any legal business to ensure compliance with SRA Principle 10 and outcome 4.1. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

Risk Management

And this is where a structured approach to IT management becomes critical.  With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage a regulated firm’s risk around cyber security.  There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security.  For example: How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems? What procedures do you have around leavers and removing their access, including remote access? How do you separate and secure data that is held on personal devices such as emails on smart phones? What policies do you have to prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks? How do your staff know which emails are genuine and safe to open, and more importantly, which they shouldn’t open? How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures?  How is your system backed up and how long would it take to recover it in the event of something like the recent ransomware attack? How often is it tested to ensure it would be successful? How would your firm operate in the interim? And in the worst case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?
To compound matters, cyber crime is a constantly changing landscape, with new threats emerging continuously and a constant need for regulated firms to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.
With so much to consider, does this mean regulated firms should shy away from using technology? Absolutely not. Effective use of technology is essential to the survival of any business these days, and regulated firms are no different. With changes in working practices, increasing globalisation, increased competition and the widespread adoption of new technologies by consumers, it is actually critical that regulated firms embrace technology if they are to survive and thrive.  Cyber security is just like any other risk which needs to be managed.
And in my experience, the key to successful risk management around cyber security is having a highly structured approach, encompassing effective procedures and policies that are constantly reviewed and updated, along with a suite of supporting technologies.  Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, as well as contingency plans to fall back on should the worst happen.  Such a structured approach towards management of IT systems not only addresses the challenges of cyber security but also brings with it the ability to successfully and safely harness technology to deliver real value to regulated firms.
Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in regulated firms, including protecting both client confidentiality and the structural and financial stability of your regulated firm, through appropriate risk management. In the meantime, if you are concerned about your firm’s vulnerability to cyber threats, please do not hesitate to contact me on 0118 920 9600 or email when I will be happy to arrange a no obligation conference call.

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size regulated firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for regulated firms please visit our website

Rob Leverton

Rob has worked as an IT technician and project manager with Connexion for 14 years before moving into his current role as head of the technical services team.

Although Rob comes from a technical background he’s very much a people person and he is exceptionally good at building excellent working relationships with our customers and his technical team to deliver service excellence to our clients.

Rob Leverton

James Stratton

James is passionate about technology and how it can transform business.  Having worked with hundreds of businesses in many different sectors over the last 25 years he has a huge amount of business IT knowledge that he enjoys imparting to Connexions customers.

James is responsible for Connexions strategic development and also still enjoys a role in consulting and sales and marketing