Many organisations are still treating IT as a support function, focused on maintaining systems rather than driving strategy. The ‘keeping the lights on’ mindset has led to mounting technical debt, outdated systems and ultimately security risk. In a world where cyber threats are escalating and each week brings fresh reports of household brands falling victim to cyber attacks or disruptive IT outages, this mentality is dangerous — bringing the issue of cyber security squarely into the boardroom spotlight.
The recent Annual Review from the UK’s National Cyber Security Centre (NCSC) emphasises the urgency to treat cyber security as a strategic imperative. For firms holding and transferring significant amounts of money, or looking after sensitive client data, robust cyber security and proven cyber resilience is a prerequisite for maintaining trust, keeping compliant and protecting against reputational and financial damage. Of course, cyber criminals are attracted to liquid assets and valuable data, so it’s no surprise the Law Gazette recently reported that cyber attacks are up 77 percent.
It’s not hard to stumble across shocking cyber crime statistics: across the last 12 months the NCSC reported that nearly half of all incidents it handled were of national significance, and this has increased for three consecutive years. Across all recorded cyber incidents, 25 percent were in the financial sector (Bank of England). And clients are considering this risk in their buying decisions — in 2025, US-based research found more than a third of legal clients were willing to pay premiums for firms with strong cyber security measures (Integris).
The ICO is stepping up enforcement, regularly issuing large fines to legal and financial firms that fail to implement adequate measures to protect client data. What’s more, these penalties are publicly announced, putting firms at serious risk of widespread reputational damage beyond just their immediate customer base.
Those who have already been attacked know the impacts are severe. Building resilience takes time, and smart firms are proactively investing before the disruption arrives.
Tom Holloway, Head of Cyber Security at Redcentric, says “Many organisations that we speak with seem to be relying on optimism as a defensive mechanism, rather than investing in genuine and effective measures. The experience of this year’s seminal attacks should hammer home the point that even with robust measures in place, the consequences can be severe, emphasising the importance of a resilient culture and supporting technologies.”
The NCSC puts it perfectly: ‘Resilience is only as strong as the technology it’s built on.’ With the threat levels that exist today, resilience isn’t just about having a plan; it’s about having the right tools, systems and architecture in place to withstand and recover from attacks.
This isn’t just a priority for large firms; organisations of all sizes need to invest in their cyber security operations and look for an enduring security wrapper, rather than just buying secure solutions that will, over time, become less secure. Exploring options like a vCISO service can be a practical alternative to a full-time cyber security hire, so firms can access ongoing support without large overheads, and plan for regular vulnerability scanning, patching and ongoing best-practice advice.
Redcentric’s cyber security team combines decades of experience helping UK organisations strengthen defences, improve resilience and meet compliance standards. Book a consultation.
If you’re part of a law firm, don’t miss our webinar on the 24th November: Security and Compliance – Preparing for the Inevitable. Hosted by Tom Holloway, Head of Cyber Security at Redcentric, this session will offer expert guidance on strengthening resilience and preparing for what’s ahead.