
Tenet Law are a FAN partner.  They have kindly provided this best-practice guide to protect your business against Cyber Crime.  You can find out more at Tenet's website.

Cyber Risk: Who’s Really Prepared?

Cyber threats are evolving rapidly, yet many organisations remain unprepared for the risks they face and uncertain about how to respond in the event of an incident. No organisation is immune to the risks, making proactive cybersecurity measures essential.

From safeguarding sensitive data to managing third-party risks and responding to ransomware attacks, businesses must first identify vulnerabilities and gaps in their systems and processes.

Adding to the challenge, regulatory requirements impose additional complexity on our already demanding roles. Ensuring compliance and managing policies, procedures, and vendor relationships are crucial.

This article offers practical advice and strategies, helping organisations to feel confident in their approach, emphasising the importance of everyone in the business supporting and building resilience against cybercrime.

Large Organisations Vs Small Organisations

  • Large firms invest heavily in cybersecurity due to greater risks and assets, but their systems are complex and harder to patch.
  • Smaller firms may assume they are not targets or rely on outdated practices, making them vulnerable.
  • Businesses of all sizes should conduct regular audits, training and software updates to avoid vulnerabilities in legacy systems and to comply with the latest regulation.
  • At a minimum, carry out a basic cyber hygiene check annually to review software updates, access controls and incident response plans.
  • Many businesses treat certifications such as Cyber Essentials as a tick-box exercise. Its controls are a sensible baseline, but on their own they do not stop more capable attackers.
  • The best security tools can be expensive, making them inaccessible for small businesses.
  • ISO 27001 is the international standard for information security management systems. It requires organisations to:
    • Identify and assess their information security risks.
    • Select and apply appropriate controls to treat those risks.
    • Establish an internal process for handling security incidents.

________________________________________

Protecting Data & Third-Party Risks

  • Attackers often compromise smaller suppliers as a route into their larger customers: a supply-chain attack.
  • Vendor risk assessments are essential—ask suppliers about their cybersecurity controls before sharing data.
  • Review supplier contracts for security clauses and require them to meet cybersecurity best practices.
  • Monitor third-party access—limit vendor access to only what they need, for the time they need it.
  • Effective cybersecurity is about setting clear parameters—knowing what data is coming in, what is going out, identifying risks and defining actions to take when threats arise.
  • Ensure your staff know how to escalate an incident to the appropriate person or team to determine whether a breach has occurred.

________________________________________

Strengthening Defences

  • Many businesses avoid cybersecurity because it feels too technical.
  • Asking "Why do we do it this way?" can reveal security gaps.
  • Get the Board interested by asking “What happens if we lose access to X system for 24 hours?”
  • Cyber risk is now treated like health and safety—it’s no longer optional.
  • Many businesses assume, “It won’t happen to us,” leading to poor preparation and rushed decisions during an attack.
  • Have an incident response plan that includes:
    • Who is involved (internal/external)?
    • What steps must be followed?
    • Who makes key decisions?
    • How are systems restored and regulators informed?
  • Be open and honest about breaches: notify affected parties promptly and follow your legal reporting obligations (e.g. under UK GDPR a reportable personal data breach must be notified to the ICO within 72 hours of becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high).
  • Transparency is key - I can recover from the truth; I can't recover from a lie!

________________________________________

Real and Relevant Cyber Threats

  • The cybersecurity industry often spreads fear rather than offering practical solutions.
  • Many businesses struggle to identify which threats are real and relevant.
  • Instead of overwhelming staff with too many security policies, focus on keeping it simple.
    • Protect your perimeter (firewalls, network monitoring).
    • Control what goes in and out (limit USB drives, monitor email attachments, downloads).
    • Training and education (unusual payment requests, phishing emails, passwords).
  • AI tools create new risks, such as data leaks, deepfake scams and employees sharing confidential information with AI chatbots.
  • Educate staff on AI risks and set clear guidelines on what can/cannot be shared.
  • Many breaches occur because employees don’t report suspicious activity due to fear of blame.
  • Build a non-blame reporting culture where employees feel safe reporting potential security issues.
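The "control what goes in and out" point above is one of the few on this page that can be reduced to a concrete rule set. The following is an added example, not code from Tenet, FAN or the webinar, of a small attachment triage routine of the kind an email gateway applies: it blocks executables and disguised executables (double extensions, padded names, the right-to-left override trick, a Windows "MZ" header under a harmless name), quarantines macro-enabled Office files and archives for a human to inspect, and sends ordinary documents to scanning. The extension lists, the three actions and the sample filenames are assumptions made for illustration, not an exhaustive policy.

```python
"""Email attachment triage (added example for the "control what goes in and
out" point). Illustrative code, not Tenet/FAN material; extension lists,
actions and sample filenames are the author's assumptions."""
from dataclasses import dataclass

# Types that execute directly on a typical Windows desktop when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "msi", "ps1", "lnk", "iso", "img"}
# Office formats that can carry VBA macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives hide their contents from a name-based filter, so hold for inspection.
ARCHIVE_EXTS = {"zip", "rar", "7z", "tar", "gz"}
# Everyday document types: normally fine, but still scanned before delivery.
DOCUMENT_EXTS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv"}


@dataclass
class Verdict:
    filename: str
    action: str   # "block" (drop), "hold" (quarantine for review), "scan" (AV/sandbox, then deliver)
    reason: str


def name_parts(filename: str) -> list:
    """Lower-cased, whitespace-stripped parts of a filename split on '.'.
    Stripping defeats padding such as 'invoice.pdf        .exe'."""
    return [p.strip() for p in filename.lower().split(".") if p.strip()]


def triage(filename: str, head: bytes = b"") -> Verdict:
    """Decide what to do with one attachment.
    head: the first few bytes of the file, if the gateway has them; used to
    catch content that does not match the name."""
    # U+202E (right-to-left override) makes 'report\u202efdp.exe' display as
    # 'reportexe.pdf' in many clients: treat any occurrence as hostile.
    if "\u202e" in filename:
        return Verdict(filename, "block", "right-to-left override character in name")
    # Windows executables start with 'MZ' whatever they are called.
    if head.startswith(b"MZ"):
        return Verdict(filename, "block", "content is a Windows executable (MZ header)")

    parts = name_parts(filename)
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            return Verdict(filename, "block", f"double extension .{parts[-2]}.{ext}")
        return Verdict(filename, "block", f"executable type .{ext}")
    if ext in MACRO_EXTS:
        return Verdict(filename, "hold", "macro-enabled Office document")
    if ext in ARCHIVE_EXTS:
        return Verdict(filename, "hold", "archive: inspect contents before release")
    if ext == "pdf" and head and not head.startswith(b"%PDF"):
        return Verdict(filename, "hold", "named .pdf but content is not a PDF")
    if ext in DOCUMENT_EXTS:
        return Verdict(filename, "scan", "document: run through AV/sandbox before delivery")
    return Verdict(filename, "hold", f"unrecognised type .{ext or '(none)'}")


def triage_batch(attachments: list) -> list:
    """Apply triage() to a list of (filename, first_bytes) pairs."""
    return [triage(name, head) for name, head in attachments]


if __name__ == "__main__":
    # Constructed sample attachments, not real mail.
    sample = [
        ("Invoice_March.pdf", b"%PDF-1.7"),
        ("invoice.pdf        .exe", b"MZ\x90\x00"),
        ("report\u202efdp.exe", b""),
        ("remittance.xlsm", b"PK\x03\x04"),
        ("statement.pdf", b"PK\x03\x04"),
        ("photos.zip", b"PK\x03\x04"),
    ]
    for v in triage_batch(sample):
        print(f"{v.action:5}  {v.filename!r}: {v.reason}")
```

The point of the "hold" action is that a name-based filter cannot decide about archives or macro documents on its own; those go to a person or a sandbox rather than being silently dropped or silently delivered, which is also where the "report it without blame" culture above comes in.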

________________________________________

Ransomware Dilemmas

  • Many companies quietly pay ransoms instead of reporting breaches.
  • The UK government is moving toward banning ransomware payments by public sector bodies and critical national infrastructure operators.
  • NEVER pay a ransom: it guarantees neither that you get your data back nor that stolen data will not be published, and it marks you as a target for further attacks.
  • Keep offline (or otherwise immutable) backups, and test restoring from them, so that data can be recovered if ransomware locks your systems.
  • Some industries must report cyber incidents (e.g. financial entities under the EU's DORA regulation), and more mandatory breach disclosure laws may follow.
  • Keep an action log—document every step of your cyber response (who was notified, what actions were taken) for legal and compliance purposes.
  • Stay informed about new cyber security laws (e.g. the UK's Cyber Security and Resilience Bill, announced in the King's Speech).
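The action log above is worth more if it can be shown not to have been edited after the event. As an added example, not code from Tenet or the webinar, the class below keeps each step (who, what, when) as an entry whose SHA-256 hash covers the previous entry's hash, so that changing, inserting or deleting a step later breaks the chain and `verify()` reports where. It also derives the 72-hour regulator deadline from the entry that records awareness of a personal data breach, following the GDPR rule mentioned earlier. The incident in `demo_log()` is fictional, the role names are invented, and the action label used to anchor the deadline is an assumption.

```python
"""Tamper-evident incident action log (added example for the "keep an action
log" point). Not Tenet/FAN code; the sample incident is fictional."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional


class ActionLog:
    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        """SHA-256 of the entry's canonical JSON, excluding its own hash field."""
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, actor: str, action: str, detail: str = "",
               when: Optional[datetime] = None) -> dict:
        """Append one step: who did what, when, chained to the previous entry."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return 0 if the chain is intact, else the seq of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return 0

    def regulator_deadline(self, action: str = "breach confirmed",
                           hours: int = 72) -> Optional[datetime]:
        """Deadline counted from the entry marking awareness of a data breach
        (assumed action label; 72 hours per the GDPR rule above)."""
        for e in self.entries:
            if e["action"] == action:
                return datetime.fromisoformat(e["time"]) + timedelta(hours=hours)
        return None

    def to_jsonl(self) -> str:
        """One JSON object per line, suitable for hand-over to lawyers or insurers."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def from_jsonl(cls, text: str) -> "ActionLog":
        log = cls()
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log


def demo_log() -> ActionLog:
    """Constructed sample timeline for a fictional incident, fixed timestamps."""
    t0 = datetime(2025, 3, 1, 9, 15, tzinfo=timezone.utc)
    log = ActionLog()
    log.record("Service desk", "ransom note reported",
               "ransom note found on the Finance shared drive", t0)
    log.record("IT lead", "systems isolated",
               "Finance file server disconnected from the network",
               t0 + timedelta(minutes=20))
    log.record("Incident manager", "breach confirmed",
               "customer records accessed from the file server",
               t0 + timedelta(hours=3))
    log.record("DPO", "ICO notified", "initial report submitted",
               t0 + timedelta(hours=30))
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.to_jsonl())
    print("chain intact:", log.verify() == 0)
    print("regulator deadline:", log.regulator_deadline())
```

Export the log (`to_jsonl()`) at intervals to somewhere the incident team cannot edit, such as a write-once share or an email to external counsel; the chain proves the entries have not changed since export, but it cannot by itself prove when they were written.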

________________________________________

Preparing for a Cyber Attack

  • The best way to prepare is to practice before it happens.
  • Run a cyber attack simulation using real-life threats:
    • A fake invoice email with malware.
    • A ransomware attack locking business files.
    • A data breach where customer information is stolen.
    • An employee clicking on a phishing link.
  • Measure response time, decision-making and gaps in your plan.


To understand more about cybercrime, watch back the latest ‘At the Coalface’ webinar on YouTube. Tenet’s Arun Chauhan, an accomplished lawyer specialising in fraud investigations and disputes, is joined by leading cyber security expert and consultant Adrian Jolly. Together they cut through the noise in an unfiltered conversation about cyber risk: what businesses are getting right, what they are getting wrong, and how to stay resilient against evolving threats.


Tenet are a multi-award winning law firm specialising in complex fraud disputes, investigations and financial crime compliance. Our sole focus is on financial crime and fraud, and we apply that detailed, experienced knowledge to particular sectors, including food. For more information on how you can better prevent or investigate fraud within your business, visit our website or sign up to receive articles, events and insights straight to your inbox.
