COO Q&A: How to thrive in today’s evolving tech world - Part 2

In the second instalment of our evolving tech world article, Paul Albone gives his 3 top tips on how best to protect your firm from a cyber-attack and discusses the value placed on accreditations within the industry.

Q. What are the three critical things that firms must do to protect against cyberattacks?

1. Make all your staff aware of the threats of cyber-attacks

Cyber-attackers use malicious code and software to alter system behaviour and data, resulting in disruptive consequences that can compromise a firm’s systems and lead to cyber-crimes such as information and identity theft, or systems being compromised. Cyber-attacks come in many guises, so invest the time and effort in training all your staff. There are a number of good online interactive courses to test and measure staff awareness of cyber-attacks.

2. Find your network and system weak spots that could be exploited by a cyber-attacker

Normally, this takes the form of an independent security vulnerability test by an external supplier. When choosing a supplier, always ensure they are CREST accredited. The CREST scheme assures a firm that the supplier follows strict testing processes for network and system security assessments. The test findings will help a firm prioritise and plan any security vulnerability remediation measures required.

3. Protect your firm with a solid insurance policy

Take out a stand-alone cyber insurance policy, ensuring that it provides your firm with access to a 24/7 incident response team and, as with any insurance policy, ensuring that you understand what is and is not covered.

Q. What would you recommend as a good starting point when it comes to improving IT performance?

I would start from the business view and work inwards to IT. For example, is there a clear “line of sight” from the business goals into the IT roadmap? Without this, there is a high probability that valuable IT resources are working on low value, non-important activities.

Then, ensure the fundamentals are in place by measuring KPIs, activities and progress. Are IT operations providing the right level of activity and keeping key stakeholders within the firm informed? If not, establish regular reporting covering both high-level and detailed views.

It’s also important to regularly inspect a system’s performance metrics at all levels in the system infrastructure. How are systems performing? Where are the hot spots? What are the most commonly occurring errors being raised in the system? Once you’ve determined this, ensure the IT roadmap has a continuous system improvement plan running right across it to address these issues. Proactive and regular corrective measures are always better than responding to sudden system incidents that can cause significant disruption to a firm.

Q. What is the value of accreditation (such as ISO 27001) and how do you achieve this status?

Our tmgroup journey towards ISO 27001 accreditation originally stemmed from our GDPR compliancy programme. For this, we ensured demonstrable processes were in place to protect the data held on an individual. This involved a comprehensive assessment of our data, processes, controls, risks, protection and privacy across our entire IT systems landscape. As part of this, we reviewed and updated all of our information security management policies and privacy policy.

For ISO 27001, the key requirement was to demonstrate that our information security management is under control and in place on an ongoing basis. Our accreditation means that tm have passed the strict security requirements set by ISO 27001 in the integration, management and storage of our clients’ and internal data.

We also have Gold Partner status with Microsoft, which sets us apart as a high calibre business partner and assures our clients that our solutions are designed and developed to the highest standards.

With thanks to Paul Albone, COO at tmgroup

14. August 2019 09:42 Megan

COO Q&A: How to thrive in today’s evolving tech world

Ever wanted to know how IT teams can evidence their value? Here, in the first of 2 articles, Paul Albone, tmgroup’s Chief Operating Officer (COO), answers pivotal questions on everything from integration to how smaller firms can make the most of their existing IT resources to keep pace with the competition. Be sure to keep an eye out for part 2!

Q. How do firms with a small in-house IT resource keep up with their larger counterparts?

Play to your strengths and be agile. Small in-house IT teams are able to rapidly respond to the firm’s ever-changing needs, whilst larger IT counterparts certainly have the scale, but the proportional increase in potential challenges and communication breakdown, bureaucracy and system complexity can slow down responsiveness and agility.

Q. How can IT teams evidence the value they bring to a firm?

IT teams should consider what they are able to do for a firm over other alternatives. Being in tune with the firm’s needs and delivering repeatedly and consistently are crucial to demonstrating value. Furthermore, IT teams should assess what key performance indicators exist between IT and the business. Having clear expectations set between the firm and the IT team is important to ensure IT stays focused on what is important to the firm.

Q. How do firms effectively integrate new platforms with legacy systems that may have been in place for many years?

Firms must assess risk before changing any element of their legacy systems. High risk approaches involve legacy systems being changed in-situ to integrate with new platforms and invariably lead to unnecessary complexity and instability of legacy systems. Instead, adopt an approach whereby a “wrapper” is built around the legacy system, usually in the form of an API or web service, so that the new platform and legacy system can interact with each other without affecting the underlying functionality of the legacy system.

Q. How can firms effectively evaluate the systems that are on offer to work out which ones are right for them?

Whether it’s a new case management system, CRM or any other system, firms can fall into the trap of focusing on “what” the system can do, rather than what the firm “needs” the system to do. When choosing a system, always work from the outset of what the firm is trying to achieve as a successful outcome. Involvement and buy-in from all representatives of the firm is paramount to ensure all needs are considered. This will help define clear goals and the success criteria the system must meet. Also consider requirements such as system performance and availability needs, multi-firm access, support for smartphones or tablets, API availability and data integration. Then look at the systems on offer and always set up a trial with the supplier – with success measures agreed upfront.

Q. How should a Chief Information Officer (CIO) cultivate a partnership between IT and the rest of the business?

Chief Information Officers (CIOs) have traditionally been seen as an internal facing leader of IT. Instead, businesses now need their CIOs to act as consultants to the business, able to seamlessly work across the business, their clients and internal teams to translate the business goals into delivery across a firm’s products and data. They should also consider the ever-present aspects of risk, compliance and security. To make the partnership effective, CIOs must make their plans clear and understandable to all.

Q. How can IT teams communicate effectively with their colleagues in other departments to manage change effectively?

Managing change effectively requires keeping messages clear at all times – whether this is to communicate the direction taken, or update the team on progress and challenges faced. Visual tools such as roadmaps, project plans and progress trackers with a simple Green, Amber or Red status are highly effective for communicating with colleagues in other departments. Aim to keep visuals at a high-level, so that messages can be understood easily at all times. Communication tools such as Microsoft Teams or Trello are extremely effective for providing real-time information to colleagues in a collaborative environment.

5. August 2019 08:50 Megan