Cyber: what to ask your IT vendor.
At a small firm, cyber security is almost always outsourced to your IT managed services provider. The operator's job isn't to become a security expert — it's to know what should be in place and how to test that it actually is. Seven controls, seven questions, one incident response page.
Most small-firm cyber advice falls into one of two traps. Either it reads like a security textbook (encryption modes, attack-surface analysis, threat modelling — all valid, none of it operational at your scale), or it's a glossy checklist that says “ensure MFA is enabled” without telling you who's actually doing it.
The version that fits a small firm: assume your IT vendor is doing most of the work. The operator's job is to know what they're supposed to be doing, ask the questions that surface whether they actually are, and run the cadence that catches drift before it becomes an incident. This piece is that working kit.
Caveat: this is operating guidance, not regulated security advice. For specific obligations under the SRA, ICO guidance, and your insurer's requirements, treat this as a starting point and verify against current authority.
The seven controls
1. Multi-factor authentication on everything
Email, practice management, document management, accounts, VPN, anything cloud. Without MFA, a stolen password is a breach; with MFA, it's an inconvenience. The ICO, the SRA, and most cyber insurers now treat “no MFA” as a serious finding.
Implementation: enforce, don't encourage. “MFA is recommended” means “most users haven't turned it on.” Configure tenant-level enforcement; the few legacy applications that don't support modern MFA either get retired or get conditional-access policies.
2. Phishing-resistant email
Three things together:
- Email security gateway (Microsoft Defender for Office 365, Mimecast, Proofpoint, etc.) configured to block the common phishing patterns and mark external mail clearly.
- SPF, DKIM, DMARC properly configured on the firm's domain, so attackers can't spoof you to your own clients (the most damaging variant of BEC). DMARC at “reject” or “quarantine”, not “none”.
- A clear out-of-band verification rule for any payment instruction received by email. Specifically: for any change to bank details on a transaction, a phone call to a previously known number, not a number in the email. This single rule has prevented more conveyancing frauds than all technical controls combined.
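One way to check the DMARC enforcement level the vendor questions later ask about, as an added example in Python rather than anything from the article: it evaluates SPF and DMARC TXT records and reports what is not at enforcement. The records and the domain are constructed samples; in practice you would pull the firm's real TXT records (the DMARC one lives at the `_dmarc` subdomain) and run them through `review`.

```python
import re

# Constructed sample records for a hypothetical domain (not a real firm).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.invalid"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: str) -> str:
    """Return the p= policy: 'reject', 'quarantine', 'none', or 'missing'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    return policy if policy in ("none", "quarantine", "reject") else "missing"


def dmarc_is_enforcing(record: str) -> bool:
    """Only quarantine/reject applied to 100% of failing mail blocks spoofing."""
    pct = int(parse_dmarc(record).get("pct", "100") or "100")
    return dmarc_enforcement(record) in ("quarantine", "reject") and pct == 100


def spf_all_qualifier(record: str) -> str:
    """Qualifier on SPF's 'all': '-' hard fail, '~' soft fail, '?' neutral,
    '+' anyone may send, or 'missing' if there is no SPF record."""
    if not record.lower().startswith("v=spf1"):
        return "missing"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    return (match.group(1) or "+") if match else "missing"


def review(spf: str, dmarc: str) -> list:
    """Findings to put to the IT vendor. DKIM is not checked: it needs the
    selector names in use, which only the mail administrator knows."""
    findings = []
    qualifier = spf_all_qualifier(spf)
    if qualifier not in ("-", "~"):
        findings.append(f"SPF does not fail unlisted senders (all qualifier: {qualifier})")
    if not dmarc_is_enforcing(dmarc):
        findings.append(f"DMARC is not enforcing (p={dmarc_enforcement(dmarc)})")
    return findings
```

On the sample records `review` reports a single finding, the `p=none` policy, which is exactly the “reporting only, not blocking” state the control above warns against.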
3. Endpoint protection that's actually managed
Modern EDR (endpoint detection and response) on every laptop and desktop, centrally managed. Microsoft Defender for Endpoint, CrowdStrike, SentinelOne — there are several good options. The point isn't the brand; the point is that someone (your IT vendor or in-house IT) is actually watching the alerts and responding to them within hours.
Free consumer antivirus on personal laptops is not sufficient. Neither is “built-in Windows security” without configuration and management. The management is the product.
4. Patching, on a cadence
Operating systems, browsers, practice management software, document management software, accounts software — all patched within defined windows. Critical patches within 72 hours; routine within 30 days. Servers (if you still have any on-premises) on the same cadence.
Where firms get caught: the legacy server in the corner running the old case management system, two versions behind, that “works fine, don't touch it.” That's the box that gets ransomed. Either it gets patched and maintained, or it gets retired.
5. Backups that are tested
Backups exist; tested backups are rarer. The standard:
- Daily backups of all client data and accounts data.
- At least one copy is offline or immutable (so ransomware can't encrypt it along with the live system).
- Quarterly recovery test — actually restore a sample of data into a test environment and confirm it works. Most backup failures are discovered during the recovery attempt, which is the worst possible time.
- Annual full disaster recovery test — could the firm actually keep operating if the primary system was lost?
6. Identity and access management
Three principles:
- Least privilege. People have access to what they need, not everything. Junior fee-earners don't need access to the full client database; paralegals don't need administrative rights.
- Joiners/movers/leavers process. A named owner (usually the practice manager working with IT) makes sure access is provisioned on day one and revoked on the day someone leaves — same day, not next quarter. The IT side of leavers is one of the biggest exposure points at small firms.
- No shared accounts. Every login is per-person. The “reception desk” account everyone shares is a finding waiting to happen.
7. Security awareness, but the useful kind
Most security awareness training is forgettable annual e-learning. The version that works:
- Quarterly simulated phishing tests, with brief per-person feedback for those who click. The metric is click-rate trending down over time, not punishment for individuals.
- A 15-minute quarterly briefing for the team — what we saw this quarter, what changed, what to watch for. Real examples (suitably anonymised) from the firm's own email gateway, not generic case studies.
- The out-of-band verification rule (control 2) drilled into the team until it's reflexive. Especially in conveyancing.
The IT vendor questions
Most small firms outsource the seven controls to an IT managed services provider. The questions to ask the provider, in writing, that surface what's actually in place:
- Is MFA enforced (not just available) on every cloud system we use? Specifically on email, the practice management system, and remote access?
- What email security gateway do we have? Are SPF, DKIM, and DMARC configured on our domain, and at what DMARC enforcement level?
- What endpoint protection is on our laptops? Who watches the alerts and on what cadence?
- What's our patch cadence for operating systems and for the practice management/accounts/DMS systems? Where are we currently behind?
- When was the last time we successfully tested a restore from backup? Of what data?
- What's the joiner/mover/leaver process? Specifically, if a fee-earner leaves on Friday, by what time is their access revoked?
- What's the incident response plan? Who's called, in what order, with what authority?
Three honest signals from the answers: (a) the provider gives specific, evidenced answers — good; (b) the provider gives vague reassurances without specifics — concerning; (c) the provider has to come back to you on multiple questions before answering — they don't know.
If you'd rather have an independent technical reviewer sit in on the conversation, Techsperience does this kind of vendor audit — translating the answers into “what's actually in place vs what should be” without the firm having to learn the underlying security stack.
Incident response — the basics
A small firm doesn't need a 30-page incident response plan. It needs a one-page document with:
- Definitions: what counts as an incident (lost laptop, suspicious email opened, data exposure, ransomware, BEC).
- First call: the named person inside the firm (usually the practice manager) and the named contact at the IT vendor. Phone, not email.
- Containment: who has authority to isolate a machine, suspend an account, block a domain.
- Notification: the regulator (ICO within 72 hours where applicable, the SRA where applicable), the cyber insurer (often within 24 hours), the affected clients (in line with regulatory requirements).
- Communications: who speaks publicly, who handles client communication, what the holding message is.
Print it. Keep a copy somewhere it's findable when the network is down — which is precisely when you'll need it.
The cyber insurance question
Most small firms now have cyber insurance, often as part of a broader policy. Two practical points:
- The policy will name conditions — usually including MFA, patching cadence, backup arrangements, training. If you don't meet them, the policy may not pay out. Read the conditions; verify against your reality.
- The insurer's incident response panel — the forensics, legal, and PR firms they'll bring in if you have a breach — is often genuinely useful. Know who they are before the incident, not during it.
What good looks like at month three
MFA enforced on every cloud system. SPF/DKIM/DMARC at enforcement on the firm's domain. EDR on every laptop, with an IT vendor watching alerts. A patching cadence that's being followed. Backups tested in the last quarter. A joiner/mover/leaver process that runs same-day. Quarterly phishing simulations and briefings. An incident response plan that fits on one page and is known by name to the partners and the practice manager.
That isn't cyber security solved — nothing is. But it's the realistic baseline that blocks the attacks that actually happen to firms your size, and gives you a defensible position with regulators and insurers if something does get through.