There is a revealing contradiction sitting at the heart of most professional service firms right now. Ask any practice principal, compliance officer or senior partner whether data security matters, and the answer is unanimous: it is the single most important consideration when modernising IT. Research confirms it — close to seven in ten IT leaders place data security at the very top of their priority list when upgrading or evolving their technology environment.

Yet when those same leaders are asked how confident they feel about passing their next regulatory audit, the picture shifts dramatically. Only around a third describe themselves as extremely confident. That is a significant credibility gap — and for firms in regulated sectors such as financial advice, legal practice, accountancy and insurance broking, it represents a tangible business risk.

The Quiet Accumulation of Complexity

No firm sets out to create a complicated IT environment. It happens gradually, decision by decision, year by year. A cloud accounting platform is adopted. Microsoft 365 replaces an on-premises mail server. A CRM goes live to improve client relationship tracking. A file-sharing platform is introduced to make collaboration easier for remote staff.

Each change is sensible on its own. Each solves a genuine problem. But collectively, they create a layered infrastructure where data lives in multiple locations, moves between platforms in ways that are not always documented, and is accessed by people whose permissions may not reflect their current role.

Meanwhile, older systems often remain in place. A legacy server continues to hold historical client files. A database that predates the current practice management system still runs because migrating it felt too disruptive. These are not unusual situations — they are the norm across professional services. But they are also precisely where security governance starts to erode.

The Questions That Expose the Gap

If an auditor — or an insurer, or a regulator — were to walk into your firm tomorrow and ask a few straightforward questions, how comfortable would you be with your answers?

  • Where, specifically, is your sensitive client data stored? Not approximately. Not “somewhere in the cloud.” But precisely which platforms, which servers, which storage accounts.
  • Who has access to that data right now? Not who should have access. Not who had access when the permissions were last set up. But who can actually reach it today — and is that list current?
  • How does data move between your systems? When a client file is shared between your CRM, your document management platform and your email, is that transfer encrypted? Is it logged? Could you produce an audit trail?
  • Are old platforms still holding data they no longer need? If a legacy server or retired application still contains client records, that data is still your responsibility — and still a target.

These are not hypothetical concerns. They are precisely the types of questions that arise during FCA reviews, SRA audits, ICO investigations and cyber insurance renewals. Firms that cannot answer them clearly face material consequences: regulatory censure, insurance complications, reputational harm, and loss of client confidence.

Access Permissions: The Risk Nobody Reviews

Of all the data security risks in a professional service firm, stale access permissions may be the most common and the least addressed. When a new employee joins, they are given access to the systems they need. When they change roles, additional access is typically granted. But when someone moves on — or when a role evolves — the old permissions rarely get revoked.

The result, over months and years, is an access landscape that bears little resemblance to how the business actually operates today. Former staff may still appear in Active Directory groups. Contractors who completed a project eighteen months ago may still hold login credentials. And team members who shifted from one department to another may retain access to data they no longer need, because a move typically adds permissions without removing the old ones.

This is not merely an administrative inconvenience. Under GDPR and most regulatory frameworks, access to personal data must be limited to those with a legitimate, current need. Outdated permissions represent a failure of that principle — and they are a known entry point for attackers. We explored a stark example of this in our article on how old passwords are still unlocking systems, where forgotten credentials were exploited because access reviews had not kept pace with staff changes. 

Legacy Systems: Comfortable, but Costly to Ignore

Professional service firms are often reluctant to retire legacy systems. The reasons are understandable — migration is disruptive, data formats may not transfer cleanly, and there is a natural inertia when something “still works.” But legacy systems carry disproportionate risk.

Older platforms may no longer receive security patches, leaving known vulnerabilities unaddressed. They may not support modern authentication methods such as multi-factor authentication. They may store data in formats that are difficult to audit, export or encrypt. And they create skills dependencies — the person who understood the system may have left the firm years ago.

Research bears this out: more than half of organisations report difficulty finding staff with the skills to manage their existing technology effectively. For professional firms where the IT function is often lean, this creates a situation in which critical systems are running without anyone fully understanding them. This kind of accumulated technical shortfall has very real consequences for security and performance. As we discussed in our article on whether technical debt is slowing your business down, deferred decisions about outdated platforms do not stay neutral — they become active sources of risk. 

AI Without Foundations: Amplifying Risk, Not Reducing It

Artificial intelligence is rapidly moving from novelty to necessity across professional services. Firms are exploring AI-powered tools for document review, compliance checking, fraud detection, workflow automation and client communication. The potential benefits are genuine — improved efficiency, reduced human error, and faster decision-making.

But AI is only as reliable as the data it draws upon. If client data is fragmented across multiple platforms, if access controls are inconsistent, or if legacy systems hold records that are outdated or poorly structured, then AI tools will inherit every one of those problems. Worse, they may act on flawed data at scale and at speed, compounding errors that would previously have been caught by a human review.

For regulated firms, this introduces a new category of governance risk. If an AI system makes a recommendation based on incomplete or inaccurate data — and the firm acts on that recommendation — the accountability still rests with the firm. Regulators will not accept “the AI told us to” as a defence. That is why data quality, structure and access control must be addressed before AI adoption, not after.

The Skills Gap Compounds the Problem

Running a modern, secure IT environment requires a blend of strategic oversight and technical expertise. Yet many professional service firms operate with minimal internal IT resource. The day-to-day demands of keeping systems running often crowd out the governance tasks that matter most — access reviews, vulnerability assessments, policy updates and incident response planning.

This is not a criticism of the people involved. It is a structural reality. The threat landscape has evolved significantly, with attacks growing more sophisticated and harder to detect. As we highlighted in our piece on the next generation of phishing attacks, today’s threats no longer rely on clumsy emails with obvious errors — they are polished, personalised and increasingly difficult to distinguish from legitimate communication. Keeping pace with that reality demands dedicated focus. 

Outsourcing to a managed IT partner does not remove accountability — but it does ensure that the skills and attention your security posture requires are consistently available, rather than competing with the hundred other things on someone’s desk.

Cyber Insurance: When Confidence Meets Scrutiny

Many professional service firms carry cyber insurance — or are considering it. But the cyber insurance market has matured considerably in recent years. Insurers no longer accept vague assurances about security. They ask specific, evidence-based questions about access controls, patching cycles, authentication methods, data classification and incident response capabilities.

Firms that cannot provide clear, documented answers face higher premiums, coverage exclusions or outright refusal. And in the event of a claim, gaps between the stated security posture and the actual position can invalidate cover entirely. The confidence gap is not just an internal concern — it is a financial one.

What Closing the Gap Looks Like in Practice

Addressing the disconnect between security confidence and security reality does not require a dramatic transformation. It requires structured, ongoing attention to a set of practical activities:

  • Data mapping: Know where your data lives — every platform, every server, every cloud service. Document it. Review it regularly.
  • Access auditing: Review who has access to what at least quarterly, reconciling every account and group membership against the HR record of who currently works at the firm and in what role. Revoke permissions that are no longer needed, disable the accounts of leavers and finished contractors, and enforce the principle of least privilege.
  • Legacy assessment: Identify any systems that are out of support, unpatched or poorly understood. Build a realistic plan to retire or replace them.
  • Authentication enforcement: Ensure multi-factor authentication is enforced, not merely available, on every system that holds client data, and disable legacy authentication protocols that accept a password alone, since they bypass MFA entirely. No exceptions.
  • AI readiness: Before adopting AI tools, audit your data quality and access controls. Ensure the data AI will use is accurate, current and appropriately governed.
  • Incident response planning: Have a documented, tested plan for responding to a data breach. Know who to contact, what to do and how quickly it must happen.

These are not theoretical exercises. They are the practical foundations that separate firms which can demonstrate compliance from those that merely hope for the best.
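The access review described under "Access Permissions: The Risk Nobody Reviews" and in the access auditing point above is, in practice, a reconciliation: the directory says who can reach client data today, the HR system says who should, and every difference is a finding. The script below is an added example written for this page, not tooling from Absolutely PC or from any product the article mentions. It works on two CSV exports, which in a Microsoft environment could come from something like Get-ADUser piped to Export-Csv and the HR platform's user export; the column names, the role-to-group entitlement matrix, the 90-day inactivity threshold and the sample rows are all constructed assumptions for the example.

```python
"""
Quarterly access review as a reconciliation: compare a directory export
(who *can* reach client data today) against the HR roster (who *should*).

Added example, not tooling from the original article. Both CSV blobs are
constructed sample data; the column names, the entitlement matrix and the
staleness threshold are assumptions made for the example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 90  # assumption: no sign-in for 90 days counts as inactive

# Assumed entitlement matrix: the groups each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "adviser": {"ClientFiles-RW", "CRM-Users"},
    "paraplanner": {"ClientFiles-RO", "CRM-Users"},
    "finance": {"Accounts-RW"},
}

# Constructed HR roster export: the source of truth for who works here and in what role.
HR_ROSTER_CSV = """username,role,status
asmith,adviser,active
bjones,paraplanner,active
cwhite,finance,active
dkhan,adviser,left
"""

# Constructed directory export: enabled flag, last logon date, group memberships.
DIRECTORY_CSV = """username,enabled,last_logon,groups
asmith,True,2025-03-10,ClientFiles-RW;CRM-Users
bjones,True,2025-03-12,ClientFiles-RO;CRM-Users;Accounts-RW
cwhite,True,2024-11-01,Accounts-RW
dkhan,True,2024-12-20,ClientFiles-RW;CRM-Users
contractor1,True,,ClientFiles-RO
"""


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str  # leaver_enabled | orphaned | excess_entitlement | inactive
    detail: str


def load_roster(text):
    """HR export -> {username: row}."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(text))}


def load_directory(text):
    """Directory export -> list of normalised account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return accounts


def review(accounts, roster, today, stale_days=STALE_DAYS):
    """Return the findings an access review would raise for these accounts."""
    findings = []
    for acct in accounts:
        user = acct["username"]
        person = roster.get(user)
        if person is None:
            # No HR record at all: a contractor, or a forgotten test/service account.
            findings.append(Finding(user, "orphaned", f"no HR record; enabled={acct['enabled']}"))
            continue
        if person["status"] != "active":
            # Leaver: the only acceptable state is disabled.
            if acct["enabled"]:
                findings.append(Finding(user, "leaver_enabled",
                                        f"HR status '{person['status']}' but account still enabled"))
            continue
        # Mover check: group memberships beyond what the current role needs.
        excess = acct["groups"] - ROLE_ENTITLEMENTS.get(person["role"], set())
        if excess:
            findings.append(Finding(user, "excess_entitlement",
                                    f"role {person['role']} does not need {', '.join(sorted(excess))}"))
        # Dormancy check: an enabled account nobody uses is pure attack surface.
        dormant = acct["last_logon"] is None or (today - acct["last_logon"]).days > stale_days
        if acct["enabled"] and dormant:
            findings.append(Finding(user, "inactive", f"last logon {acct['last_logon']}"))
    return findings


def run_review(today=date(2025, 3, 15)):
    """Run the review over the constructed sample exports."""
    return review(load_directory(DIRECTORY_CSV), load_roster(HR_ROSTER_CSV), today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.username:12} {f.kind:18} {f.detail}")
```

Run as a script it prints one line per finding, and the four kinds it raises map directly to the failure modes described above: a leaver whose account is still enabled, a contractor with no HR record, a mover carrying forward a group from a previous role, and a dormant account. The check is only useful as a routine: run it every quarter and treat an empty result as the acceptance criterion.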

The Overlooked Digital Perimeter

It is also worth noting that security is not limited to servers and cloud platforms. Every device your team uses, from laptops to tablets and smartphones, represents a potential entry point. And within those devices, the web browser itself collects and stores more information than most people realise: saved passwords, session tokens, browsing patterns and cached credentials. We explored this in detail in our article about how your browser knows more than you think (https://www.absolutelypc.co.uk/your-browser-knows-more-than-you-think/), and it is an aspect of security that regulated firms cannot afford to overlook.

A Board-Level Conversation, Not Just an IT Task

Data security in a regulated professional service firm is not an IT problem. It is a governance issue. It belongs on the board agenda alongside financial performance, client retention and regulatory compliance — because it directly affects all three.

The firms that manage this well are not necessarily the ones with the largest IT budgets. They are the ones that treat data security as an ongoing discipline rather than a one-off project. They ask the uncomfortable questions regularly. They review access, update policies, test their defences and maintain a clear, current picture of where their data is and who can reach it.

If reading this has raised questions about your own firm’s position, that is a good sign. It means you are taking it seriously. And if you would like an independent, clear-eyed assessment of where you stand — without jargon, without pressure and with complete confidentiality — we are here to help.

Get in touch with Absolutely PC and let us help you close the gap.
