Why cybersecurity isn’t just an IT issue: new guidance released by the National Cyber Security Centre

Cybersecurity isn’t just a concern for tech teams: it’s a business-wide responsibility. With new guidance released by the National Cyber Security Centre (NCSC), and a recent fine issued by the Information Commissioner’s Office (ICO) following a serious data breach at a law firm, now is a good time for business owners to take stock.

Whether you run a professional services firm, a growing SME, or a small team using cloud systems and mobile devices, cybersecurity risks apply. In this blog, we cover what you need to know about the new NCSC guidance and share lessons from the recent law firm data breach.


Don’t let old tech become your weakest link

The NCSC has released new guidance for retiring digital systems and devices – also known as decommissioning. Although aimed at IT teams, there are clear and simple takeaways that apply to any small business.

Old laptops, accounts and software might seem harmless, but they can quickly become a risk. Devices can still hold sensitive data, and forgotten accounts or systems can provide a backdoor for cyber criminals. According to the NCSC, decommissioning should be treated with the same care as setting up new systems. Here are the key actions you can take:

  • Plan your IT upgrade in advance – Don’t wait until the end. If you’re upgrading or switching systems, decide early on how and when to retire the old ones.
  • Keep an inventory of your technology use – Track your devices, software and cloud services. This avoids forgotten tools becoming hidden vulnerabilities.
  • Back up everything – Before disposing of any system, create a secure copy of your data.
  • Wipe data securely – A factory reset or simply deleting files is often not enough, as the data can still be recovered from the storage. Use secure erasure tools or seek professional help. Confirm it’s done properly and keep records of how data was wiped, or ask your IT provider for a certificate of destruction.

You don’t need to be a tech expert to manage these steps, and taking them could protect your business from bigger problems down the line.

You can read the full guidance at ncsc.gov.uk.


The cost of getting it wrong - lessons from a £60,000 fine for a North West law firm

In 2022, a Merseyside-based law firm suffered a major cyber-attack. Over 32GB of sensitive client data was stolen and later published on the dark web. The ICO recently fined the firm £60,000 for failing to protect personal data appropriately.


How did this happen?

Hackers accessed the firm’s network using a rarely used administrator account that didn’t have multi-factor authentication (MFA). Because the account was seldom used, nobody noticed that it was still active and unprotected.

The firm didn’t report the breach to the ICO within the required 72 hours. It took 43 days.

The ICO stated that this case shows how serious the consequences can be when businesses fail to secure personal data. According to Andy Curry, interim Director of Enforcement and Investigations - “Failure to protect the information people entrust to you carries serious monetary and reputational consequences.”


Practical takeaways for all businesses from the Merseyside law firm cyber-attack case:

  • Enable MFA – This simple step could have prevented the breach. Prioritise administrator and remote-access accounts, which are the most valuable to an attacker.
  • Don’t ignore legacy systems and accounts – Even if a system or account is rarely used, it must still be secured and updated. If it is no longer needed, disable or remove it.
  • Monitor your systems – Use regular scans and alerts to detect unusual activity, such as sign-ins to accounts that are normally dormant.
  • Understand your reporting duties – If personal data is compromised, you may need to notify the ICO within 72 hours of becoming aware of the breach.
  • Make cybersecurity an ongoing responsibility – Don’t treat it as a one-off exercise.
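The breach above started with an account that was both privileged and rarely used, and two of the takeaways (don’t ignore legacy accounts; monitor your systems) come down to checking your account inventory regularly. The script below is an added example written for this blog, not code from the NCSC, the ICO or the firm in the case. It assumes you can export your user accounts to a CSV with the columns username, is_admin, mfa_enabled and last_sign_in (most identity systems can produce something similar); the sample export embedded in it is constructed for illustration and is not real data. It flags privileged accounts without MFA and accounts that are dormant or have never signed in, and suggests an action for each.

```python
"""Account hygiene audit: find rarely used or unprotected accounts.

Added example for this blog post. The CSV columns (username, is_admin,
mfa_enabled, last_sign_in) are an assumed export format, and the sample
export below is constructed, not real data.
"""
import csv
import io
from datetime import datetime

# Constructed sample export (NOT real data). last_sign_in is an ISO date
# or empty when the account has never been used.
SAMPLE_EXPORT = """username,is_admin,mfa_enabled,last_sign_in
jsmith,false,true,2025-06-01
backup-admin,true,false,2024-11-03
it-support,true,true,2025-06-10
old-partner,false,false,
svc-scanner,true,false,2025-05-28
"""


def parse_export(text):
    """Turn the CSV export into rows with proper Python types."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        last = raw["last_sign_in"].strip()
        rows.append({
            "username": raw["username"].strip(),
            "is_admin": raw["is_admin"].strip().lower() == "true",
            "mfa_enabled": raw["mfa_enabled"].strip().lower() == "true",
            "last_sign_in": datetime.strptime(last, "%Y-%m-%d") if last else None,
        })
    return rows


def audit_accounts(rows, as_of, dormant_days=90):
    """Return a finding for every account that needs attention.

    An admin account without MFA is the highest-risk combination (it is
    how the law firm in the case was breached). Dormant accounts, admin
    or not, should be disabled or removed rather than left "just in case".
    """
    findings = []
    for row in rows:
        issues = []
        if row["is_admin"] and not row["mfa_enabled"]:
            issues.append("privileged account without MFA")
        elif not row["mfa_enabled"]:
            issues.append("account without MFA")

        if row["last_sign_in"] is None:
            issues.append("never signed in")
        else:
            idle = (as_of - row["last_sign_in"]).days
            if idle > dormant_days:
                issues.append(f"dormant for {idle} days")

        if issues:
            unused = any(i.startswith(("dormant", "never")) for i in issues)
            findings.append({
                "username": row["username"],
                "issues": issues,
                # Unused accounts should go; active ones need MFA enforced.
                "action": "disable or remove" if unused else "enforce MFA",
            })
    return findings


def run_audit(export_text=SAMPLE_EXPORT, as_of=datetime(2025, 6, 15)):
    """Parse and audit an export; as_of is fixed so results are repeatable."""
    return audit_accounts(parse_export(export_text), as_of)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['username']:<14} {', '.join(f['issues']):<50} -> {f['action']}")
```

On the constructed data this flags backup-admin (privileged, no MFA, dormant for 224 days: disable or remove), old-partner (no MFA, never signed in: disable or remove) and svc-scanner (privileged, no MFA but in active use: enforce MFA). Run it against a real export on a schedule and treat every "privileged account without MFA" line as urgent.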

For more on this case, see the ICO’s cyber report: ico.org.uk


Additional important tips:

  • Use a password manager to generate and store passwords – Don’t use the same password for everything, because one leaked password then unlocks every account. Where you have to remember a password yourself, follow the NCSC’s advice and use three random words; adding separators or numbers is fine but length and unpredictability matter more.
  • Don’t write passwords down – In particular, remove any that are on sticky notes attached to a screen. If that screen faces a window, someone across the street can photograph it with a good camera lens.


Cyber governance: the role of boards and business leaders

Cyber risks can disrupt operations, harm your reputation, and expose you to legal action. That’s why the NCSC and Department for Science, Innovation and Technology (DSIT) are encouraging business leaders to take ownership.

Their new Cyber Governance Code of Practice offers practical guidance for directors and business owners, supported by training and a security toolkit. It’s designed to:

  • Help boards understand their responsibilities
  • Strengthen cyber governance structures
  • Encourage proactive risk management


While originally intended for larger organisations, the principles are relevant to any business. Good governance means asking questions like:

  • Are our cybersecurity policies fit for purpose?
  • Is someone accountable at board level?
  • Do we have an incident response plan in place?


Strong governance doesn’t just keep you compliant: it supports resilience and growth. To explore the guidance, visit: ncsc.gov.uk/cyber-governance-for-boards


LWA are proud to lead by example when it comes to Cyber Security

LWA have been awarded a Cyber Essentials Certificate of Assurance for the protection we have implemented across our firm. This certification demonstrates our commitment to cyber hygiene and best-practice controls, and reassures our clients and contacts that we take their data protection seriously.

At LWA, we recommend that all businesses, regardless of size, take proactive steps to improve their cybersecurity. Whether that’s reviewing old devices, enabling MFA, or strengthening board-level oversight, the effort is always worth it.

If you need support with your business systems or compliance, we’re here to help. Get in touch with our team to discuss how to manage cyber risk, improve internal controls, or ensure your business remains resilient and compliant. You can give us a call on 0161 905 1801 in our Manchester office or call 01925 830 830 for our Warrington tax team. You can also send us an email to mail@lwaltd.com with ‘Cyber security blog follow up’ in the subject field.