Risk-based assessments

Undertake a proper and thorough risk-based assessment of your firm’s information security requirements. You are legally obliged to do so in respect of all the personal data you hold. Take steps to make information security part of your normal business risk-management procedures. Disseminate key security principles among your staff to ensure they become part of your firm’s culture.

Asset audit

Carry out an audit of any assets that are potentially at risk – identify financial, personal and other information assets that are critical, and the IT services you rely on.

Vulnerability assessment

Assess your firm's cybersecurity resilience, identify where you may have vulnerabilities and take appropriate remedial action. Include all IT equipment within your firm in the assessment, including mobile devices and any personal devices used for work. Understand the technical and organisational risks to these assets and how those risks are currently managed.

Expert advice

Decide whether you need to seek expert advice and assistance to undertake the risk and vulnerability assessments, and to get the right security controls in place for your firm. Regardless of whether your IT is outsourced or in-house, it is useful to get external expertise.

Risk framework and governance

Put in place technical and organisational measures to satisfy the security obligations relating to personal data and to control the risk of cybercrime. Monitor their effectiveness on an ongoing basis.

Senior accountability

The senior management team should take ownership of this risk and track it at the firm’s partnership meetings. Appoint a senior member of staff to oversee data and cybersecurity. Ensure they have the right resources and support to do this job.

Cybersecurity policies

Prepare and issue clear policies on all key aspects of data and cybersecurity. All staff should be made aware of their security obligations and the policies that apply to them. These should cover, for example: staff use of business internet facilities for personal matters; use of social media; and bring your own device (BYOD).

Monitoring and review

Review your systems and procedures regularly and respond to any changes or problems you identify, including attacks or disruption to your firm.
Ongoing monitoring – test, monitor and improve your security controls regularly to manage any change in the level of risk to your IT equipment, services and information.
Disposing of programs or physical devices – remove any software or equipment that you no longer need, ensuring that it contains no sensitive information.
Managing user access – review and manage any change in user access, such as the creation of accounts when staff members join the firm and deactivation of accounts when they leave.
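As an added illustration (not part of the original guidance), the following Python script shows the kind of joiner/leaver and orphan-account check that a user access review should produce: it reconciles a system's account list against the HR roster and flags enabled accounts that have no owner, belong to someone who has left (including any use after the leave date), or have not been used within a dormancy window. The HR roster, account list, usernames, review date and 90-day threshold are constructed sample data, not real people, systems or firm policy.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only: a simplified HR roster and a
# dump of accounts from one business system. No real people or systems.
HR_ROSTER = [
    {"person_id": "P001", "status": "active"},
    {"person_id": "P002", "status": "active"},
    {"person_id": "P003", "status": "left", "leave_date": date(2024, 3, 31)},
    {"person_id": "P004", "status": "active"},
]

SYSTEM_ACCOUNTS = [
    {"username": "asmith",   "person_id": "P001", "enabled": True,  "last_login": date(2024, 6, 1)},
    {"username": "bjones",   "person_id": "P002", "enabled": True,  "last_login": date(2024, 1, 2)},
    {"username": "cbrown",   "person_id": "P003", "enabled": True,  "last_login": date(2024, 4, 10)},
    {"username": "svc-scan", "person_id": None,   "enabled": True,  "last_login": date(2024, 6, 1)},
    {"username": "dlee",     "person_id": "P004", "enabled": False, "last_login": date(2023, 11, 5)},
]

# Date the review is run (fixed here so the example is repeatable).
REVIEW_DATE = date(2024, 6, 10)

# Hypothetical firm policy: an enabled account unused for this long is queried.
DORMANT_AFTER = timedelta(days=90)


def review_accounts(roster, accounts, today=REVIEW_DATE, dormant_after=DORMANT_AFTER):
    """Reconcile system accounts against the HR roster.

    Returns a list of (username, finding) pairs for enabled accounts that:
      * have no owner in the HR roster (orphaned or unregistered service accounts),
      * belong to someone who has left (and were used after the leave date), or
      * have not been used within the dormancy window.
    Disabled accounts are ignored: deactivation is the desired end state.
    """
    people = {p["person_id"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["username"]
        owner = people.get(acct["person_id"]) if acct["person_id"] else None
        if owner is None:
            findings.append((user, "enabled account with no owner in HR roster"))
        elif owner["status"] == "left":
            findings.append((user, f"owner left on {owner['leave_date']} but account still enabled"))
            if acct["last_login"] > owner["leave_date"]:
                findings.append((user, "account used after owner's leave date"))
        idle = today - acct["last_login"]
        if idle > dormant_after:
            findings.append((user, f"no login for {idle.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(HR_ROSTER, SYSTEM_ACCOUNTS):
        print(f"{user:10} {finding}")
```

In practice the roster would come from the HR system and the account list from each business system (directory, case management, finance, cloud portals); the value of the check is that it is run against every system, not only the directory, because leavers' accounts on secondary systems are the ones most often missed.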

Incident management

If your firm is disrupted or attacked, carry out a post-breach review. Your response should include: removing any ongoing threat, such as malware; understanding the cause of the incident; and, if appropriate, addressing any gaps in your security that have been identified following the incident.

Record keeping

Keep appropriate records. This should include details and evidence of: your risk-based assessments; the technical and organisational measures taken to protect the security of personal and client data; your processes for testing, assessing and evaluating the effectiveness of those measures; and, cyber-incident management.


The ISO/IEC 27001 standard is a specification for an information security management system (ISMS); certifying against it requires a significant level of IT governance. As a minimum, you should obtain Cyber Essentials certification. Be aware, however, that Cyber Essentials covers only a set of basic technical controls and does not cover other necessary organisational measures, such as training and policies.




Steps to Cybersecurity

Firms should take a number of steps to become cybersecure.

Computer network security

Protect your networks, including your wireless networks, against external attacks by using firewalls, proxies, access lists and so on.
Maintain an inventory of all IT equipment and software. Define a secure standard configuration for all existing and future IT equipment used by your business, and apply it consistently. Change all default passwords before equipment is put into use.

User awareness and training

Education, which can take many forms, is at the heart of understanding the scope and breadth of data protection. Ensure that your staff have read this guide and have received appropriate awareness training, so that everyone understands their role in keeping the firm secure. As well as explaining procedures, the training should incorporate advice on the risks the systems are designed to avoid and their potential consequences.

Malware prevention

Install anti-virus (anti-malware) software on all systems, and keep operating systems, applications and web browsers up to date with security patches.

Removable media

Restrict the use of removable media, such as USB drives, CDs, DVDs and SD cards, and protect any data stored on such media to help stop data being lost. Scan all media for malware before importing files onto corporate systems.

Encrypt sensitive data

Ensure that sensitive data is encrypted when stored or transmitted online so it can only be accessed by authorised users.

Secure configuration

Many security safeguards will be built into your computer systems, including anti-virus software, algorithms that check for unusual activity, automatic backup and so on. Ensure that your IT systems are fit for purpose and take steps to put security controls in place for your firm. If you use third-party-managed IT services, check your contracts and service level agreements, and ensure that whoever handles your systems and data has these security controls in place.

Managing user access and privileges

Restricting access to inappropriate websites will lessen the risk of being exposed to malware. Create a policy governing when and how security updates should be installed.
Allow staff and third parties minimal access to IT equipment, systems and information. Access controls should be allocated on the basis of business need. Keep items physically secure to prevent unauthorised access.

Home and mobile working

Develop a policy for home and mobile working and ensure staff are trained to follow it. Devices need to be securely configured with anti-virus software, an up-to-date operating system and device encryption. Connections to business systems and data should be secured, for example through a Virtual Private Network (VPN) service.

Website testing

Websites can be altered fraudulently, and without a firm’s knowledge, to include the insertion of false email addresses and phone numbers, leading to clients being lured into providing personal details or paying money into the wrong account. Check your own website regularly or get an outside agency to do so.
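As an added example (not part of the original guidance), the following Python script shows one way to automate the check described above: keep a hash of the known-good page and a list of the contact details the firm has actually published, then flag any change to the page and any email address or phone number that is not on that list. The HTML snippets, the approved contact details and the domain names are constructed for illustration; in practice the page would be fetched from the live site and the baseline hash stored from the previous review.

```python
import hashlib
import re

# Constructed sample pages (no real firm, domain or numbers): the contact page as
# it should look, and a tampered copy where the email and phone number have been
# swapped for attacker-controlled ones.
BASELINE_HTML = """<html><body>
<h1>Contact us</h1>
<p>Email: <a href="mailto:enquiries@example-firm.test">enquiries@example-firm.test</a></p>
<p>Telephone: 020 7946 0000</p>
</body></html>"""

TAMPERED_HTML = """<html><body>
<h1>Contact us</h1>
<p>Email: <a href="mailto:enquiries@example-firm-payments.test">enquiries@example-firm-payments.test</a></p>
<p>Telephone: 020 7946 0999</p>
</body></html>"""

# Hypothetical allow-lists: the only contact details the firm has published.
# Phone numbers are compared digits-only so formatting differences do not matter.
APPROVED_EMAILS = {"enquiries@example-firm.test"}
APPROVED_PHONES = {"02079460000"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK-style numbers: leading 0 or +44, then 9-10 digits with optional spaces.
PHONE_RE = re.compile(r"(?:\+44\s?|0)(?:\d\s?){9,10}")


def page_digest(html: str) -> str:
    """SHA-256 of the page content, recorded at each review as the baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def extract_contacts(html: str):
    """Return (emails, phones) found in the page, normalised for comparison."""
    emails = {m.lower() for m in EMAIL_RE.findall(html)}
    phones = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(html)}
    return emails, phones


def check_page(html: str, baseline_digest: str):
    """Compare a fetched page against the baseline hash and the approved contacts.

    Returns a list of findings; an empty list means nothing has changed.
    The hash catches any edit at all; the contact check catches the specific
    substitution that diverts client calls, emails or payments.
    """
    findings = []
    if page_digest(html) != baseline_digest:
        findings.append("content changed since baseline")
    emails, phones = extract_contacts(html)
    for e in sorted(emails - APPROVED_EMAILS):
        findings.append(f"unapproved email address published: {e}")
    for p in sorted(phones - APPROVED_PHONES):
        findings.append(f"unapproved phone number published: {p}")
    return findings


if __name__ == "__main__":
    baseline = page_digest(BASELINE_HTML)
    print("baseline page:", check_page(BASELINE_HTML, baseline) or "OK")
    print("tampered page:", check_page(TAMPERED_HTML, baseline))
```

The hash comparison will also fire on legitimate edits, so the baseline must be re-recorded after each approved change; the contact allow-list is the check that keeps working through routine content updates, and it should be extended to bank account details if the site ever publishes them.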

Cloud computing and collaboration platforms

Ensure that cloud portal/platform login credentials are secure by following a strong password policy. Enable and configure the portal's security controls, such as IP allow lists (whitelists) and two-factor authentication. Make sure that you and your employees recognise when a cloud-based system is being used and when it might not be appropriate to send or store information via a cloud-based system.

Reduce risk of invoice hijacking

Warn your clients never to send funds to a new account without speaking to the relevant person in the office first; remind clients to check the addresses of any emails purportedly sent by your firm, particularly if they relate to payment of funds. Consider adopting a cybercrime disclaimer warning on your terms of engagement letters and as a footer on all correspondence. This could advise that the firm’s bank account details will not change during the course of a transaction; the firm will not change bank details via email; and, clients should check the account details with the firm in person if they are in any doubt.