…and What to Do Instead
1. Assuming Compliance = Coverage
Many legal and financial firms believe that meeting basic compliance standards means they’re covered in the event of a breach, whether the scrutiny comes from regulators, clients, or insurers. But increasingly, insurers, auditors, and enterprise clients are demanding evidence of active, demonstrable cyber resilience.
Takeaway: It’s not enough to say “we’re compliant.” You need logs, testing records, incident response drills, and board-level risk ownership to satisfy scrutiny, and to protect your reputation when things go wrong.
2. Believing Backups Neutralise Ransomware
Backups are critical, yes. But if your data is exfiltrated and leaked (think client files or financial reports), backups don’t undo reputational damage or regulatory scrutiny.
Fix: Layer backups with encryption, segmentation, and rapid breach containment procedures.
3. Skipping Realistic Phishing Simulations
Staff training is not a tick-box exercise. Legal secretaries and finance teams are prime targets for social engineering. The goal is behavioural change, measured by how people actually respond to threats.
Takeaway: Around 1 in 4 UK businesses suffer a phishing attack each year, and 1 in 3 GDPR breach reports to the ICO stem from phishing (FoxTech Threat Report). Simulation isn’t optional, it’s your frontline defence.
4. Overtrusting MFA as a Silver Bullet
MFA helps. But phishing kits can steal tokens. Session hijacking can bypass it. Threat actors adapt faster than default settings do.
Fix: Consider phishing-resistant MFA options like Passkeys or FIDO2. These are especially important for protecting sensitive client communications and remote access to case systems or financial portals. Use conditional access tooling that looks for changes in users’ behaviour and forces stronger authentication where there’s a change (different country, strange hours).
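To make the conditional access idea concrete, here is an added example (not FoxTech’s tooling and not code from any particular identity provider) of the decision logic such a policy applies to each sign-in. The baselines, sign-in events, the list of methods treated as phishing-resistant, and the two-signal block rule are all constructed assumptions for illustration; a real deployment would take them from the identity provider’s risk engine and the firm’s own policy.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: these authenticator types are bound to the site origin, so a
# phishing page cannot replay them. Other methods (SMS, TOTP) are treated as
# phishable and may need to be stepped up.
PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass
class Baseline:
    """What 'normal' looks like for one user (constructed per user)."""
    usual_countries: set
    work_hours: tuple = (7, 20)  # hour window [start, end) in the firm's local time


@dataclass
class SignIn:
    """One authentication event as a conditional access engine would see it."""
    user: str
    country: str
    timestamp: datetime
    mfa_method: str


def risk_signals(event, baseline):
    """Return the behavioural changes the policy cares about: new country, odd hours."""
    signals = []
    if event.country not in baseline.usual_countries:
        signals.append("new_country")
    start, end = baseline.work_hours
    if not (start <= event.timestamp.hour < end):
        signals.append("off_hours")
    return signals


def decide(event, baseline):
    """Map risk signals plus the factor already used to allow / step_up / block.

    Hypothetical policy: any signal forces a phishing-resistant factor; a weak
    factor combined with both signals is blocked pending review.
    """
    signals = risk_signals(event, baseline)
    if not signals:
        return "allow", signals
    if event.mfa_method in PHISHING_RESISTANT:
        return "allow", signals          # stronger requirement already satisfied
    if "new_country" in signals and "off_hours" in signals:
        return "block", signals
    return "step_up", signals            # re-authenticate with FIDO2 / passkey


# Constructed baselines and sign-in events for a small firm.
BASELINES = {
    "alice": Baseline(usual_countries={"GB"}),
    "bob": Baseline(usual_countries={"GB", "IE"}),
    "carol": Baseline(usual_countries={"GB"}),
}

def ts(hour):
    """Helper: a constructed timestamp on a fixed day at the given hour (UTC used as local)."""
    return datetime(2024, 3, 5, hour, 0, tzinfo=timezone.utc)

EVENTS = [
    SignIn("alice", "GB", ts(10), "totp"),    # normal country, office hours
    SignIn("alice", "FR", ts(10), "totp"),    # new country, phishable factor
    SignIn("bob", "GB", ts(3), "fido2"),      # off hours but already phishing-resistant
    SignIn("carol", "US", ts(2), "sms"),      # new country AND off hours, weak factor
]


def evaluate_all(events=EVENTS, baselines=BASELINES):
    """Return a list of (user, country, decision, signals) for every event."""
    results = []
    for e in events:
        decision, signals = decide(e, baselines[e.user])
        results.append((e.user, e.country, decision, signals))
    return results


if __name__ == "__main__":
    for user, country, decision, signals in evaluate_all():
        print(f"{user:6} from {country}: {decision:8} signals={signals}")
```

The important design point is the third event: a user who already authenticated with a phishing-resistant factor is not bounced again, so stepping up only costs friction where the factor in use is the weak one.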
5. Relying on the IT Guy to “Handle It All”
If cybersecurity lives in one inbox, it’s a point of failure. What happens if they’re on holiday when ransomware hits? Systems administration and cybersecurity are connected but have different skill sets.
Takeaway: In legal and FS firms, downtime means missed filings or transaction delays. Security needs shared responsibility, escalation paths, and third-party validation. Document and test your incident response plan to cope with absences.
6. Ignoring Client Security Questionnaires Until It’s Panic Mode
These are getting tougher. Professional indemnity insurers, institutional investors, and enterprise clients are asking about encryption, logging, MFA, and zero trust architecture—rather than antivirus solutions.
Fix: Conduct pre-audit readiness scans. Prepare evidence packs. Foxtech can help with both. Being able to respond quickly and fully shows preparedness and cybersecurity maturity, increasing confidence in your business’s security posture.
7. Skipping External Attack Surface Testing
If attackers can scan your environment, so should you. And more than once a year.
Takeaway: Mid-sized firms often overlook exposed case management systems, misconfigured CRMs, or stale subdomains. Modern threat actors find exposed misconfigurations in minutes.
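Scanning yourself is only useful if the results are reconciled against what you intend to expose. The following added example (not FoxTech’s tooling) shows that reconciliation step on constructed data: a DNS export is checked for stale CNAME records whose targets no longer resolve, and the open ports observed in a firm’s own external scan are compared against the ports each host is approved to expose. The hostnames, records, port lists and the idea of an approved-exposure policy are all assumptions made for the illustration.

```python
# Constructed DNS export for the firm's own zone: "name TYPE target" per line.
DNS_EXPORT = """\
portal.example-firm.test A 203.0.113.10
cases.example-firm.test CNAME cases-prod.hosting.test
old-crm.example-firm.test CNAME retired-tenant.saas-vendor.test
mail.example-firm.test A 203.0.113.25
"""

# Constructed: CNAME targets that still resolved when the firm's resolver was
# asked. Anything else a CNAME points at is a stale record to clean up.
RESOLVABLE_TARGETS = {"cases-prod.hosting.test"}

# Constructed output of the firm's own external scan: host -> open TCP ports.
OBSERVED = {
    "portal.example-firm.test": {443},
    "cases.example-firm.test": {443, 8080},
    "mail.example-firm.test": {25, 443, 3389},
}

# Constructed policy: the only ports each host is approved to expose.
APPROVED = {
    "portal.example-firm.test": {443},
    "cases.example-firm.test": {443},
    "mail.example-firm.test": {25, 443},
}


def parse_dns(export):
    """Parse the three-column export into (name, type, target) tuples, skipping blanks."""
    records = []
    for line in export.splitlines():
        if not line.strip():
            continue
        name, rtype, target = line.split()
        records.append((name, rtype.upper(), target))
    return records


def stale_subdomains(records, resolvable):
    """Names whose CNAME points at a target that no longer resolves."""
    return sorted(
        name for name, rtype, target in records
        if rtype == "CNAME" and target not in resolvable
    )


def unexpected_exposure(observed, approved):
    """Ports seen from outside that the policy does not approve for that host.

    A host missing from the policy is treated as approved for nothing, so every
    open port on it is reported.
    """
    findings = {}
    for host, ports in observed.items():
        extra = ports - approved.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def review(export=DNS_EXPORT, resolvable=RESOLVABLE_TARGETS,
           observed=OBSERVED, approved=APPROVED):
    """Run both checks and return the findings a review meeting would work from."""
    records = parse_dns(export)
    return {
        "stale_subdomains": stale_subdomains(records, resolvable),
        "unexpected_exposure": unexpected_exposure(observed, approved),
    }


if __name__ == "__main__":
    for category, findings in review().items():
        print(f"{category}: {findings}")
```

Run on a schedule rather than once a year, the value is in the diff: a new host or port appearing in the findings between runs is exactly the exposure the text warns is found within minutes.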
Fix these mistakes before they cost you trust – or clients.
Legal and financial firms don’t just face technical risk. They face regulatory scrutiny, reputational damage, and lost business. Most firms think they’re protected. But the truth is, compliance doesn’t equal resilience.
Discover what attackers can see, before your clients or regulators do.
🎓 Want a deeper dive?
Join a panel of cybersecurity experts live for Hiding in Plain Sight: The Cyber Risks Built Into Your Daily Operations. I’ll unpack real examples, answer questions, and share how other firms are getting ahead of risk.