Most professional services firms do not fail on cybersecurity because nobody cared.
What this helps you check
Use this as a practical starting point for a calmer internal review.
- First-hour cyber incident readiness
- Microsoft 365, device, and privacy breach basics
- Who needs to be involved before pressure arrives
They fail because nobody had time to check the quiet gaps.
An old guest account is still active. A laptop is not properly managed. A shared folder has been open for too long. A suspicious email is reported late on a Friday afternoon, and the team is not quite sure who should make the first decision.
For legal, financial, and advisory firms, those small gaps matter because the information involved is not ordinary. It may include client records, matter details, financial documents, personal information, contracts, strategy papers, or commercially sensitive correspondence.
That is why cybersecurity for professional services firms should be treated as a trust issue first, and a technical issue second.
The NZ risk picture is not theoretical
New Zealand organisations are still dealing with steady cyber pressure.
The National Cyber Security Centre reported 1,369 incident reports in the first quarter of 2025, with $7.8 million in direct financial loss reported for the quarter. Phishing and credential harvesting increased 15% from the previous quarter.
For a professional services firm, that should sharpen the focus on three everyday questions:
- Can the firm quickly identify whether an account, device, or inbox has been compromised?
- Can the firm protect client information if something is lost, stolen, or accessed by the wrong person?
- Can the firm make calm decisions in the first hour of an incident?
The answer does not need to be dramatic. It does need to be clear.
Start with the systems where client trust actually lives
For most firms, the highest-risk systems are not obscure technical tools. They are the platforms people use all day.
Microsoft 365 is often where client emails, shared files, Teams messages, documents, calendars, and external collaboration all meet. That makes it powerful, but it also means permissions and access settings need regular attention.
A practical review should look at:
- Who has access to key mailboxes, folders, and SharePoint sites.
- Whether external sharing links still make sense.
- Whether guest users are still required.
- Whether multi-factor authentication is enforced properly.
- Whether administrators have separate, protected accounts.
- Whether staff can report suspicious emails without confusion.
These checks are not about creating friction. They are about reducing the chance that one small access issue becomes a firm-wide problem.
Device security is often where theory meets reality
Every firm should be able to answer one simple question:
If a laptop went missing today, what would we know and what could we do?
Could you see when it last checked in? Could you lock it? Could you wipe it? Would client files still be protected if the device never came back?
If the answer is unclear, the firm is carrying avoidable risk.
Good device management is not about controlling people. It is about protecting the work they are trusted to handle.
Privacy breach readiness matters before the breach
New Zealand privacy obligations also need to be part of the conversation.
The Office of the Privacy Commissioner expects serious privacy breaches to be reported as soon as practicable, with 72 hours used as the guide once an organisation becomes aware that a breach is notifiable.
That does not mean every technology incident is automatically a notifiable privacy breach. It does mean firms need a practical process for deciding:
- What happened?
- What information may be involved?
- Who may be affected?
- Is serious harm possible?
- Who needs to be notified, and when?
- Who is responsible for keeping a record of the decision?
The worst time to work this out is after the breach has already happened.
What Matt Allwood sees in real firms
Matt Allwood, EQIQ's Managing Director, leads the firm's strategy, client outcomes, and service quality. His experience across IT services, infrastructure, and business technology strategy in the New Zealand SME market has shaped a very practical view of cybersecurity.
Most firms do not need more noise. They need clear ownership, clean systems, sensible controls, and senior people who can explain what matters without turning the conversation into a technical performance.
That is especially important in professional services, where the real impact of a cyber incident is not just downtime. It is the uncomfortable possibility of having to tell a client that confidential information may have been exposed.
A practical cyber assessment should answer these questions
If your firm wants a useful starting point, ask:
- Are all user accounts still required?
- Are former staff, contractors, and guests fully removed?
- Is multi-factor authentication enforced across the right systems?
- Are privileged accounts separated and protected?
- Are devices encrypted, managed, and recoverable?
- Are backups tested, not just assumed?
- Are file-sharing permissions reviewed regularly?
- Does the team know how to report a suspected incident?
- Is there a first-hour response plan?
- Is there a privacy breach decision process?
If the answer to several of these is "not sure", that is not a failure. It is a useful signal.
The goal is not perfect security. It is better control.
Cybersecurity can sound overwhelming when it is framed as an endless list of tools, threats, and acronyms.
For professional services firms, the better question is simpler:
Can we protect client trust in the moments that matter?
That means knowing who has access, how devices are protected, how sensitive information is shared, how incidents are escalated, and who makes decisions under pressure.
It is practical work. It is also work that should be done before urgency forces the issue.
FAQs
What is cybersecurity for professional services firms?
Cybersecurity for professional services firms is the practical protection of client information, email, devices, file sharing, identities, backups, and response processes. It is especially important for legal, financial, and advisory firms because they handle sensitive and confidential information every day.
What should a NZ professional services firm include in a cyber review?
A cyber review should include Microsoft 365 access, multi-factor authentication, device management, backup recovery, external sharing, guest access, administrator accounts, staff reporting processes, and privacy breach response.
When does a NZ privacy breach need to be reported?
The Office of the Privacy Commissioner expects serious privacy breaches to be reported as soon as practicable. Its 72-hour expectation is a guide once an organisation becomes aware that a breach is notifiable.
Sources: National Cyber Security Centre, Office of the Privacy Commissioner, and EQIQ local brand materials.
Book a Conversation
