Current Challenges and Opportunities in the Legal Sector

Current Challenges and Opportunities in the Legal Sector: Insights from our legal roundtable

Throughout the year, QuoStar holds roundtable events for the legal sector, where a small group of attendees can get together over a three-course meal to share industry insight and best practice. At the end of April, we held our first event of 2024, with QuoStar CEO Rob Rutherford joining me and several Partners, Managing Partners, and Heads of IT from south coast law firms.

It was a fascinating evening of discussion, with a focus on how law firms can best mitigate mounting cybersecurity risk, drive operational efficiency and use tech innovation to gain an advantage.

Law firms in the crosshairs

Cyber risk is fundamentally a strategic business risk today – and one that impacts all legal sector organisations, no matter what their size. Attendees around the table agreed that their company is very much in the crosshairs of threat actors – whether they’re financially motivated cyber-criminals, state-sponsored hackers or even disgruntled current or former employees. Automated tools mean these bad actors can continuously probe for vulnerabilities in public-facing IT infrastructure without breaking sweat.

Their efforts are hitting home. Current data is hard to come by, but the Solicitors Regulation Authority claims that 18 law firms in the UK were hit by ransomware in 2021. Three-quarters (73%) of the firms it visited for a cybersecurity review a year earlier reported cyber-related incidents. Separate data from the Information Commissioner’s Office (ICO) analysed by insurer Chaucer reveals that the number of legal sector data breaches reported to the regulator increased 36% annually to reach 226 in 2022/23.

There are many reasons why law firms are a popular target for attack. They hold sensitive client information, handle large volumes of funds and play a key role in business transactions. The National Cyber Security Centre (NCSC) warns that firms acting for organisations that engage in “controversial” work such as life sciences or energy may also be targeted by hacktivists. The top threats to the sector are phishing, data breaches, ransomware and supply chain compromise, it says.

Time for multi-layered cyber-defence

As digital investment grows in the sector, so does the cyber-attack surface. All attendees recognised the challenge – agreeing that everyone in an organisation needs to play a part in keeping their firm safe. From a strategic perspective we recommend the following:

  • Deploy robust security controls and best practices such as advanced firewalls, multi-factor authentication (MFA), complex passwords, mobile device management, and vulnerability management.
  • Don’t ignore the human factor. Ongoing staff awareness raising and education is key to mitigating the risk of phishing, which is often the starting point for breaches.
  • Put an incident response plan in place today, to enhance business resilience and minimise the impact of a security breach if one occurs. Data cited by the Law Society claims only 35% of law firms have one in place. It’s also important to test this, for example by rehearsing what happens if the firm is affected by ransomware.
  • Consider obtaining a cyber accreditation such as Cyber Essentials Plus and ISO 27001. This won’t stop attacks occurring, but will ensure the organisation is better placed to respond efficiently and mitigate the impact, whilst also reassuring clients. QuoStar can help by undertaking an independent audit to identify any gaps in current security posture, risk management, governance and compliance.

Risk extends to third parties

Law firms increasingly outsource parts of their IT function to third-party suppliers – whether they’re a provider of cloud services (CSP), SaaS applications or managed services (MSP). But these entities in turn can be a target for attack – making it essential that they maintain the same high level of cybersecurity as their client organisations. It is no defence to say that a third party was responsible for a breach. The regulator will generally hold both parties responsible. Nor is this a theoretical risk. A UK-based MSP was hacked last year via an exploited vulnerability and the resulting breach impacted dozens of its legal sector customers for over a month.

Attendees around the table argued that it’s not good enough to assume that larger suppliers are inherently to be trusted. Given what’s at stake, it’s vital to conduct thorough due diligence, and undertake a security audit of any prospective supplier, which QuoStar can help with. Those accredited with Cyber Essentials Plus, ISO 27001 or other standards/frameworks are a good place to start.

Gaining an advantage through AI

Finally, no roundtable discussion on technology would be complete without a conversation about the role AI could play in driving advantage. The IT and business leaders we spoke to are rightly sceptical about many of the claims currently being made by vendors about their products – especially legacy tech vendors they see as jumping on the AI bandwagon.

Most of those around the table understood AI to mean generative AI (GenAI) tools like ChatGPT and Copilot. But in fact, there’s much more to the technology than this. Law firms could utilise:

  • Pure AI, using core algorithms to develop their own AI solutions. One example we heard was a law firm using AI to predict the outcome of litigation cases
  • GenAI: AI that can produce and summarise content including text, video and images
  • Packaged AI: suppliers that have built AI features into their technology and deliver these to law firms, eg many suppliers now embed machine learning into their applications

Attendees were unanimous in agreeing that AI will play a major part in the practice of law in the future. But they also argued that headlines claiming it will replace large numbers of lawyers and fundamentally change the way the sector operates have been significantly oversold.

AI will simply be another tool. By all means experiment with it – especially GenAI, which could have some productivity benefits – but don’t feel like the company will be left behind if it does not embrace AI immediately. There are certainly challenges to be managed – not least, biased/inaccurate output, and potential data security and confidentiality risks when inputting information. The best option for many may be to wait for others to make the leap first and then learn from them.

QuoStar is designated a Microsoft Solutions Partner for Data & AI (Azure)

Data sits at the beating heart of any business. How effectively organisations can extract insight and value from it will play a big part in determining their long-term success. It could help to drive more efficient business processes, reduce wastage and enable better-informed, strategic business decisions. Thanks to cloud-powered AI and analytics tools, more organisations than ever have access to potentially transformative, cutting-edge capabilities.

That’s why QuoStar was delighted to be recently designated a Microsoft Solutions Partner for Data & AI, to bolster our existing three Solutions Partner certifications. It means that we now hold all Microsoft Solutions Partner designations for Azure. The announcement is further proof of QuoStar’s expertise in cloud transformation and commitment to empowering clients with the best in Azure data services.

What does it mean?

Being recognised as a Microsoft Solutions Partner for Data & AI reinforces our expertise in Azure data services – enhancing client confidence that their projects are safe in QuoStar’s capable hands. Among other things, partner status denotes a high degree of skill and experience in delivering:

  • Database migration to Azure, or undertaking projects to ensure clients have access to the best Azure offering possible
  • Deployment and guidance on platform-native governance across Azure and inside the managed data
  • Analysis of existing workloads, and extract, transform, load (ETL) operations to migrate data to cloud-based data warehouses and enable cloud-based analytics solutions
  • Ongoing support and optimisation of workloads, helping clients offload performance, cost and reliability concerns
  • Tailored Microsoft analytics solutions using Azure Synapse Analytics, Azure Data Lake, Azure Data Factory and Azure Databricks
  • Client adoption of AI and Azure solutions

From strength to strength

This new Microsoft designation for QuoStar follows similar milestones last year. In May 2023 we announced the Microsoft Solutions Partner for Modern Work designation. It signifies our commitment to helping clients enhance productivity and support the shift to hybrid work using Microsoft 365. Then in June the same year, QuoStar was named a Microsoft Solutions Partner for Infrastructure (Azure) – highlighting our expertise in helping clients migrate their critical infrastructure workloads to Microsoft Azure.

As a Microsoft Solutions Partner, QuoStar will continue to work hand-in-hand with clients to help them optimise their use of data – using the latest Azure-based technologies and in-depth understanding of their business requirements.

To help support these efforts, we’re currently developing a new standardised approach, aligned to Microsoft values, designed to streamline projects and improve outcomes. When complete, it will help by highlighting what methodology a client should follow to better understand how their data is used day-to-day and how they can extract maximum value from it. It will focus on things like data structuring, visibility tooling, governance and cost optimisation alongside AI.

“It is QuoStar’s ongoing investment in its people, process and products that has enabled us to gain this Solutions Partner for Data & AI accreditation. The new skills our people continue to learn, along with QuoStar’s ‘right person, right role’ ethos, will drive the company’s enduring value for our clients.”

– Charlie Thompson-Hill, Head of Presales and DevOps

Are you ready to harness the power of data with QuoStar? Get in touch today for a discovery call and a complimentary assessment to learn how we can help you optimise your data across multiple systems, to drive business growth.

How careful planning can take the pain out of ransomware breach response

There is plenty that organisations can do to enhance their resilience to ransomware breaches. But no preventative strategy can ever be 100% guaranteed to succeed. The modern corporate attack surface is simply too porous and expansive, and threat actors too persistent, for that. That’s why network defenders should also be primed and ready for a worst-case scenario.

As we explained in our previous blog, an attack can strike at any time. And when it does, those in charge are often trapped in a whirlwind of confusion. The key to successfully managing such a situation lies with forward planning.

Planning for a breach

Ransomware is among the most common and acute cyber-threats facing UK businesses. And the threat will continue to grow with the advent of AI, the National Cyber Security Centre (NCSC) recently warned. For smaller businesses its impact can be particularly destructive. A 2022 study revealed that a fifth of US and European businesses had nearly been forced into bankruptcy by a historic attack. Last year one of the UK’s largest privately owned logistics firms entered administration due to “disruption” caused by a ransomware compromise.

Yet it doesn’t need to be this way. It all starts with putting the right team together. Ideally, it should include key representatives from the IT and security function, PR and legal – and possibly also HR and customer service stakeholders. That’s because, when a ransomware attack hits home, it can impact disparate parts of the business.

PR is essential to help organisations manage their external communications strategy. HR should be on hand to manage internal comms and cross-departmental collaboration. And legal will dispense critically important advice on engaging with regulators, managing potential customer/employee class action suits, and more. For most organisations, customer service will also need to be involved to manage the fallout for end customers. If any piece fails, there could be significant financial and reputational repercussions, including customer churn, regulatory fines and lawsuits.

The average cost of a UK data breach is calculated at $4.2m (£3.3m) today. But in some cases, ransomware has caused losses measured in the tens of millions. From a regulatory perspective, organisations need to think not just of data protection watchdog the Information Commissioner’s Office (ICO) but also any relevant industry-specific bodies, like the Financial Conduct Authority (FCA).

Putting the pieces in place

Every organisation is different, and there’s no single agreed format that an incident response team should take. Most important is that everyone has a clearly defined role that they understand, and that they are working under unequivocal instructions from an incident response lead. In many cases, this will be a senior individual from the IT team. Crucially, they need not only experience of working under pressure – and ideally in crisis incident response situations – but must also be given the authority to lead for the duration of an incident. That means even members of the organisation and board senior to that individual must respect their decision making.

The next thing a team needs is a plan. This is where many organisations fall down, by attempting too much. No one can predict how or when a ransomware breach will take place, and what its impact may be on the organisation. But many try, by building out complex incident response plans which will likely be redundant as soon as attackers strike. The key to success is rather to keep things simple and high level. The incident response team will need to improvise, but within their own clearly defined roles. It’s also important to ensure any pre-written plan is accessible in a crisis – ie, not stored on a server that has been encrypted by ransomware.

In a similar way, organisations shouldn’t overthink things by scheduling frequent incident response training exercises. In a typical organisation there are mini incidents occurring all the time which can be used to hone the skills of team members. Once a driver has passed their test, they aren’t forced to sit another one every six to 12 months: simply by being behind the wheel they continue to practise and improve the required skills.

Communicating clearly

Above all, when working through post-ransomware breach response, organisations must foreground the importance of clear communication. That could mean:

  • Communication between incident response team members
  • Communication with the board and senior managers (they should be kept updated at frequent intervals)
  • Communication with the wider community of employees – to ensure they follow policy by limiting what they publish online about an incident, and to maintain morale during what could be a long road to recovery
  • External comms. It’s vital that a senior spokesperson is chosen as part of the incident response team. This individual should be the face of the organisation during the breach response. External comms is critically important to prevent rumour and speculation, especially in the early hours and days following a breach

This is by no means a comprehensive checklist for post-ransomware breach response. But it’s somewhere to start.

For a more detailed briefing on what to expect from a ransomware attack and how to respond, register today for our upcoming reality check webinar: Assessing the real impact of a Ransomware attack.

A whirlwind of confusion: what happens in the first hours of a ransomware attack

What to expect when ransomware actors come knocking

The global economy might still be struggling to get back on track. But the finances of the cybercrime underground are in rude health. Payments from ransomware victims exceeded $1bn last year – a record high. And that’s just for the cryptocurrency wallets forensics analysts were able to track. The real figure is undoubtedly much higher. In this context, all organisations should plan for the day when they too will be compromised by ransomware actors.

Unfortunately, many still do not. And their lack of preparedness is something threat actors thrive on. During the post-breach response period, they will do everything in their power to ramp up victims’ confusion, in order to extract maximum financial returns.

Network defenders must stay calm and stick to their plan. When it comes to ransomware, forewarned is forearmed.

The worst-case scenario

There are several ways in which an organisation could end up a ransomware victim. RDP compromise, email phishing and exploitation of software vulnerabilities are still the top three attack vectors for threat actors. But the first the organisation may actually see of an attack is likely to be a ransom note on a networked PC – or potentially an entry in a ransomware data leak site detailing how much data has been stolen.

From the start, network defenders are on the back foot. They may have no prior experience of dealing with a ransomware breach. Their adversaries, on the other hand, are usually seasoned professionals with stacks of domain expertise. Their operations behave more like regular SMBs than one may imagine. And in some cases, their resources can match those of high-flying enterprises. One infamous group, Conti, reportedly spent $6m (£4.8m) annually on salaries, tooling and support services.

Many questions to answer

Victim organisations will have a relatively short time frame in which to act. This kind of time-based pressure is a classic social engineering technique designed to rush victims into making irrational decisions. A clock may count down the minutes they still have left to purchase a decryption key. Or for breaches where only data was stolen, until that data is ‘leaked’ to the world.

In the meantime, business leaders will be frantically asking their IT teams to answer their questions:

  • How do we deal with this?
  • Who can help us?
  • How much of the business is impacted?
  • How much data has been exfiltrated?
  • How much downtime can we expect?
  • Has the story been reported in the media/on social media?

Unfortunately, without a clear, pre-rehearsed incident response plan and team in place, such questions can be tricky to answer. And the threat actors will be doing what they can to continue wrongfooting their victims. Among the tactics designed to sow confusion and force payment may be:

  • Exaggerating how much sensitive data they have been able to exfiltrate
  • Threatening to launch a distributed denial of service (DDoS) attack
  • Contacting customers and partners and asking them to demand the company pays a ransom
  • Threatening to inform regulators about the breach

Such efforts are becoming increasingly persistent, and novel. In one case, a ransomware group hijacked a US university’s emergency broadcast system to send staff and students text messages and email alerts that their data was stolen and would soon be released. In another, they hijacked and defaced the victim organisation’s website to display a ransom note to the world. In a third case, a ransomware group claimed it was willing to alert crooked traders about a breach before it was made public, so that they could short the listed firm’s stock.

Such efforts have one single goal in mind: to throw a spanner in any recovery plans and put network defenders on the back foot. If they can frighten the organisation into paying the maximum ransom demand rather than a lower negotiated figure, all the better.

Struggling to respond

Organisations caught in this whirlwind of confusion will find it extremely difficult to successfully respond unless they have prepared for something like this worst-case scenario. Yet unfortunately, government data tells us that just a fifth (21%) of UK businesses even have an incident response plan in place, rising to 47% of mid-sized firms. Fewer than two-fifths (37%) have cyber-insurance.

This matters, because despite the news headlines, most ransomware victims are not big-name brands or government agencies, but SMBs. The median size for a breached organisation stood at just 230 employees in Q4 2023. Some 36% of victims in the period had fewer than 100 staff members. There is a ruthless logic to this. Smaller firms are less likely to have the resources and expertise needed to protect against ransomware attacks in the first place, or contain and recover from them rapidly if they are breached.

The truth is that no organisation is safe from ransomware today. But a compromise doesn’t have to precipitate an existential corporate crisis. The message is simple: plan today to avoid a whirlwind of pain tomorrow.

To find out more on what a ransomware attack could entail for your organisation, and how to mitigate and respond effectively, sign up to our forthcoming reality check webinar: Assessing the real impact of a Ransomware attack.


Copilot for Microsoft 365: Our first impressions

Copilot for Microsoft 365 was announced to much fanfare back in March 2023. It promises much: to free staff from the drudgery of day-to-day workplace tasks and in so doing unleash a new wave of productivity growth. But what’s the actual experience of using it like?

Our experts have had a few weeks to road test the tool. There are certainly some impressive features. But organisations should also be aware of what it can’t yet do, without them first spending significant extra time and resources on assessment and preparation of their data architecture.

What Copilot for Microsoft 365 does well

The bottom line is that Copilot for M365 can add value for employees using it for basic tasks in Teams, Excel, Word, Outlook and PowerPoint. In that respect, it could save users a few hours per month depending on their role. Here are our initial thoughts:

  • The potential for time saving is clear to see, but doesn’t feel like the finished article just yet
  • Preparation needs to be done; organisations shouldn’t just dive right in
  • Word and PowerPoint Copilot work especially well for inspiration and a starting point in documents. But not to give you what you want without manual intervention.
  • It is worth the money. Even though we’ve not used Copilot to its full extent yet, users don’t need to be saving too much time in their workload for the ROI that under £30 a month provides
  • Time savings will just be the beginning. It could increase employee satisfaction, improve the quality of work and reduce digital debt
  • Remember that improper deployment without the right security measures may expose confidential company and employee details

Copilot for Microsoft 365 is particularly good at specific tasks/use cases. These include:

  • Effective meetings: Using Microsoft Teams Copilot to take notes/summaries enables users to concentrate on presenting and engaging.
  • Data Analysis: Bulky spreadsheets are easily summarised using Copilot in Excel, whether that is producing diagrams, creating Pivot tables or projections.
  • Content Creation: Copilot in Word and PowerPoint is useful at providing starting documentation when users need inspiration, or for rewriting paragraphs with a different tone/language.
  • Email Processing: Copilot in Outlook can summarise emails when users have been out of the office, draft responses to emails, and rewrite emails with a different tone.

Where there’s AI, there’s risk

However, there is one major challenge for organisations wanting to jump into Copilot for Microsoft 365 from day one. It’s only as good as the policies and data they put in place. A lot of work needs to be done first to structure and segment corporate data correctly. This could run into the tens of thousands of pounds of consultancy work to review the data, understand how the organisation wants to structure it and then move it into the Microsoft cloud data storage ecosystem.

There’s a significant security and compliance dimension to this. Although we’re not talking about an open data ecosystem like ChatGPT (instead, data is restricted to an organisation’s Microsoft Graph and 365 apps) there is a risk of users inside the company accessing data they don’t have permissions to view.

Licensing costs and considerations

Setting aside the upfront costs mentioned above to get your data organised and structured, the licensing cost per user for Copilot for Microsoft 365 may feel significant, but it isn’t if organisations are genuinely saving those two hours per month per employee. Copilot is now available for just £27.30 per person per month, billed annually and upfront.

However, it’s worth remembering that licenses must be paid up front on an annual basis, and this will only get you the basic Copilot tool. Without an E5 license, organisations won’t have the required security functionality. There’s also functionality such as automatic subtitling of foreign language speakers that requires a premium Teams license.

Note that in order to benefit from those Teams capabilities listed above, the meeting organiser needs to have a Copilot license, which effectively means every employee needs one to be truly effective. This could significantly increase licensing costs across the organisation. Beware those hidden costs!

Organisations should also bear in mind that user training is key to learning how to work with AI and provide the right prompts to get the information you need. We found the effectiveness of Copilot initially lower than expected until we knew the right questions to ask. And whilst Copilot is still developing, some time efficiencies may be eroded as users are forced to chop and change between apps.

Getting started with some quick wins

That said, there are things organisations can do today to extract value from Copilot for Microsoft 365. Consider the following tasks:

  • Summarising large volumes of emails in the mailbox to catch up/prioritise quickly
  • Drafting new emails at speed
  • Recapping Teams meetings
  • Creating new images at speed
  • Summarising lengthy documents
  • Finessing/rewriting existing content with a specific tone/audience in mind

However, to gain true value from the product, organisations will need to:

  • Reach out to third-party experts to assess and prepare:
      • Structure and segregate relevant corporate data
      • Work out data security, privacy and compliance controls
  • Purchase Copilot for Microsoft 365 and any relevant additional licenses
  • Expand and extend with third-party plugins. As the ecosystem grows, this could add significant value

It’s worth noting (as with all things Microsoft) that the product is constantly evolving. Microsoft has recently announced incoming additional functionality, with Restricted SharePoint Search coming early April, focused on simplifying site audit permissions, and Copilot for OneDrive scheduled for release in late April / early May, which promises to help users quickly retrieve information from files stored in OneDrive.

Microsoft has several resources to help organisations discover how the Copilot tool works, how to prepare their tenant, and the technical onboarding requirements for IT admins.

If you’re looking to introduce Copilot for Microsoft 365 into your organisation, get in touch with QuoStar today. Our team of Microsoft experts are here to help you get started.


IT as business enabler: the technology opportunity for professional services

IT has traditionally had a reputation for micro-management. In too many professional services firms, the Department of No stood in the way of productivity and growth. But post-pandemic, things are changing. During that period, many boards and senior managers had a lightbulb moment – finally realising the value that technology can deliver to the firm.

To accelerate this path to progress, professional services organisations need to continue evolving how their IT department works, and what it is responsible for. In many cases, this will mean outsourcing more infrastructure.

A recent Saffery podcast featuring QuoStar’s Chris White and Saffery’s IT Director, David Fazakerley, has some fascinating insight on this topic.

The changing face of IT

To add true value to the post-pandemic professional services organisation, the IT department must change its role from technology provider to business enabler. As such, the role of CIO or IT director will evolve into one of translator: speaking the language of business to the board and of bits and bytes to the IT team.

There are three ways we can observe this change happening in organisations today:

Cloud: There was a time when IT managed everything in house. Now cloud services have matured, there’s little justification for such an approach. Public cloud infrastructure, private cloud (IaaS) and software-as-a-service (SaaS) can be highly cost-effective – enabling firms to scale up and down as required. And they are often more secure than anything that can be managed internally. Increasingly, cloud is seen as just another utility.

That frees IT from the operational shackles of keeping the lights on, to focus on a more strategic role. Today, IT’s role should be to select the right partners and providers to work with, understand what the firm’s employees need to maximise productivity, and deliver the best possible service for clients. Professional services firms aren’t IT shops. They’re lawyers, accountants and specialist consultants. So IT’s role at its core should be to support these client services via optimised use of technology.

Cybersecurity: Cyber-threats are surging amidst geopolitical uncertainty and a cybercrime underground said to be worth trillions annually. One vendor blocked 85.6 billion threats in the first half of 2023 alone. Government figures from April 2023 reveal that over half of medium (59%) and large (69%) UK businesses suffered a serious cyber-attack or breach in the previous 12 months.

Professional services IT teams aren’t equipped to handle this deluge all by themselves. Instead, their job is to educate users, understand the organisation’s risk appetite, and outsource where necessary to providers with the requisite skills, resources and technology. It’s about building a cohesive hybrid team, so that when the worst-case scenario occurs, everyone knows their role and can react quickly in order to rapidly contain and recover.

It’s also about recognising that not all of cyber-risk management is a matter of putting in place another firewall or a web filter. The human-shaped problem continues to be a major risk factor, in the form of social engineering and phishing. And that can’t be solved by technology alone. It’s a problem set to get much worse with the advent of generative AI (GenAI), which will democratise the ability to launch highly convincing phishing campaigns in multiple languages.

Security awareness and training programmes will therefore be an increasingly important part of risk mitigation in professional services firms. To stand any chance of success, lessons must be run in short, sharp bursts, contain real-world simulations and cover the whole organisation, from boardroom down to contractors and part-timers. And any courses must be run continuously: as long as the bad guys keep innovating, there’s always something new to learn. Once again, the value from IT will come from choosing the right third-party provider to supply these capabilities.

In short, effective cybersecurity is firstly about stopping the bad stuff getting in. If that isn’t possible, the focus should be on limiting the damage once threat actors are inside the network. And if they are able to cause any damage, ensure the organisation can recover as quickly as possible with enhanced resilience.

Artificial intelligence: AI has the potential to transform professional services, especially generative AI (GenAI) of the sort pioneered by ChatGPT. But there’s also a lot of froth and bluster in the market. And the risk of accidentally exposing sensitive information or believing GenAI-generated falsehoods is high. This could have a potentially serious impact on corporate reputation.

Once again, the IT department’s role is not to build its own large language model (LLM) or chatbot tools. It is to assess what’s available on the market and advise the business about possible solutions that match the organisation’s risk appetite. There’s also important work to be done in updating policies, to ensure employees understand what they can and can’t do.

Saffery’s Fazakerley explains that he has been on a steep learning curve over the past few months, familiarising himself with GenAI. The key to optimised use is understanding where GenAI’s strengths and weaknesses are, which is why the firm uses Microsoft Copilot secured within an Azure tenancy, so any sensitive data inputted via prompts isn’t exposed to the wider world.

Fazakerley claims it has transformed and enriched his search experience. And whereas it may not be advisable to generate content on tax advice, it has been extremely useful at summarising existing advice in more accessible language that clients may better understand. In that way, it’s helped Saffery think differently about how it interacts with clients, to change ingrained habits. For that reason, the tech has already garnered significant enthusiasm from non-IT members of staff, which is a rarity, he says.

The road ahead

This is a vision of IT fit for the digital age: as a core business-enabling function. It imagines an IT department focused on how to optimise the organisation’s use of technology, so it can deliver the best possible client service. And on explaining to the board where and how this tech is generating ROI.

To find out how QuoStar can help your professional services organisation, get in touch today for a complimentary strategic review with Chris White or another of our C-suite consultants. They’re on hand to deliver the strategic leadership mid-sized companies need to transform their IT function, and align it with long-term business objectives.

Tempering the “super-hype” around AI: A realistic outlook

Avoiding the “super-hype”

AI will be transformational, so we don’t need to debate or doubt that. However, when we look at the implications for businesses, we need to take a breather and blow a bit of the froth from the frenzied hype that is being whipped up right now. There is both fear and excitement in equal measure, and in many cases, both are unfounded. This is just distracting for businesses as they plan for the future. My contention is that by thinking clearly and taking good advice, businesses can avoid expensive mistakes and find value in practical and relevant applications of AI today.

We hear a lot about the societal and political implications of AI replacing some or even all white-collar work in future. While this makes for interesting and provocative reading, I want to focus on what business leaders should be thinking about today.

We are still in the very early days of this AI wave, and that creates hype. The news sites want content that is sensational, and the consulting firms want you to pay for consulting projects to alleviate the fear they create. You’ll notice that many blogs, articles, and IT talks use words like “could” and “should” rather than “does” and “will.” You also frequently hear “expected,” “projected,” and “forecasted” from consulting firms.

We are in “super-hype” territory, similar to where we were with Cloud 15+ years ago. Was cloud transformational? Yes, it was, completely – the world got smaller, markets grew, and all of us got access to the technologies previously reserved for the global giants. We got this for a small fee per user plus a lot more. It took time for that value to filter through though, and for markets and technologies to mature. I expect AI to mature faster, and the potential impact to be broader, but for most of us, the same principles will apply over the next couple of years.

We are seeing a lot of hype right now, particularly around ChatGPT and Copilot. Is ChatGPT delivering huge value to the masses really? Is Microsoft Copilot going to give you a real competitive advantage right now? They are very useful tools for sure but not earth-shattering yet. The whole arena is still immature.

Unless you are a very large business, a corporate giant, a specific niche player or perhaps a research organisation, I’d say your requirements will be met naturally by the market. It’s happening now, and you will not miss the boat if you think this through carefully and take advice from trusted and qualified technology partners.


Value from AI today

Although in their early stages, there is value to be had today from practical applications of AI, largely at the Machine Learning end of the spectrum. Many software and platform vendors are building and buying AI technologies to enhance their offerings already, and some have done so for several years. We are seeing steady developments in most business systems, and here are a few examples:

  • Cybersecurity: With cyber threats becoming more sophisticated, mid-sized businesses are adopting AI-powered cybersecurity solutions like SentinelOne and MS Defender, which use machine learning to detect and respond to security threats more efficiently than traditional antivirus products. AI can also help businesses with data protection, compliance, and incident response.
  • Customer Relationship Management (CRM): Businesses are using AI-enhanced CRM platforms like Salesforce or HubSpot to streamline their sales processes and improve their customer service. These platforms can leverage AI to predict customer behaviour, personalise communication, and automate responses, leading to more efficient sales cycles and higher customer satisfaction.
  • Accounting: AI tools are being used to automate bookkeeping and financial analysis. For instance, many accounting platforms use AI to categorise expenses and make tax recommendations. AI can also help businesses with cash flow forecasting, fraud detection, and risk assessments.
  • Human Resources and Recruitment: HR tools with AI-enhancement assist in automating payroll, benefits administration, and recruitment processes. AI algorithms can screen resumes, schedule interviews and even predict candidate fit, thereby making the hiring process faster and more effective. AI can also help businesses with employee engagement, retention, and development to foster a positive and productive working culture.
  • Inventory Management and Supply Chain Optimisation: Mid-sized retail and manufacturing businesses utilise AI for inventory forecasting and supply chain optimisation. Tools like NetSuite or SAP Business One employ AI to analyse sales data and predict inventory needs to reduce overstock and stockouts.  AI can also help with demand planning, logistics, and quality control, improving operational efficiency and client satisfaction.
  • Marketing and Customer Insights: AI within products such as Marketo and Pardot helps businesses analyse customer data, predict market trends, personalise marketing campaigns and ultimately increase engagement and conversion. AI can also help businesses to create content and manage social media and web analytics to enhance brand awareness and reputation.
  • Predictive Maintenance in Manufacturing: Companies are implementing AI for predictive maintenance in manufacturing; using sensors and data analytics to monitor the condition and performance of machines and equipment, predicting and even preventing failures. Tools like IBM Maximo or Microsoft Azure IoT use AI to optimise maintenance schedules, reduce downtime, and extend equipment life, thereby saving costs and improving quality.

Get the right guidance

I hope I have shown that AI is delivering practical and relevant value now for organisations that know how to make use of it. The market is delivering the functionality and evolving it continually. That does, of course, mean that businesses should keep their eyes open and watch their markets.

AI will arrive through the sales engines of technology vendors. And this is where most care is needed: to avoid being swept up by the hype of a new technology, buying vapourware and undertaking projects that will never realise the sold visions and dreams.

Most importantly, this all means that every business needs access to sound advice from partners who live these technologies daily and whom they can trust to provide practical guidance rather than speculation. I always recommend appropriate research, evaluation and piloting to build awareness and familiarity. There is value to be had for sure, but we do need to calm some of the hysteria.

Reassessing IT Security in Professional Services: A Board-Level Imperative

Doing “the basics” is not enough

The landscape of IT security has shifted significantly, yet a sense of apathy remains, rooted in the scaremongering sales tactics of the past decade. Today’s reality is starkly different: every firm and individual is a potential target, and the consequences of lax security are not just damaging but potentially catastrophic, leading to public embarrassment, hefty fines, and severe business disruptions.

Alarmingly, many professional services firms are not adhering to even the basic tenets of Cyber Essentials, a fundamental cybersecurity framework. Worse still, some firms rest on the mistaken belief that compliance with such frameworks alone guarantees security. Cyber Essentials really is ‘just the basics’ – not a badge of being secure.

Technical controls like advanced firewalls and detection systems are prevalent but often give a false sense of security. The analogy of a fortress with an open back window is apt; firms have robust protections in certain areas but unknown critical vulnerabilities in others. The security measures are not as integrated and comprehensive as they should be.

A glaring gap in many firms is the absence of a solid GRC framework and an Information Security Management System (ISMS). IT security is not just about technology; it’s about ongoing processes, risk management, evaluations, reporting, and testing.

Implementing an ISMS, particularly one aligned with ISO 27001, is essential for establishing a strong cybersecurity posture. Utilising key elements of this standard can significantly bolster a firm’s defence against cyber threats, even if you don’t certify against the standard. There’s no reason why every firm shouldn’t at least have a risk register and details of the security controls associated with countering those risks. It seems odd not to do it when you understand how much common sense it makes.

Despite the technical aspects of cybersecurity, the problem is not confined to the IT department; it is a challenge that must be tackled at the board level. Many firms still erroneously view Information Security and Cyber Security as IT issues when they are, in fact, most certainly broad organisational concerns.

It is vital for the business and IT to have a clear understanding of the organisation’s risk posture: identifying all risks faced by the business and the controls necessary to manage them. Regrettably, this level of understanding is often absent within a number of IT and business leadership teams, leading to insufficient risk management strategies. As an example, I’d argue that a significant number of firms don’t appropriately assess the security of their supply chain. It is almost as if they’ve delegated accountability for their firm’s operation to their suppliers; that’s a big statement to make, i.e. ‘we are going to close our eyes and hope they’ve got it under control’.

The issue is compounded as many IT teams in firms are currently overwhelmed. They were historically tasked with maintaining operations but are now also burdened with managing numerous transformation projects post-COVID, along with a vast information security landscape to get control of. Many are really struggling, yet the board won’t assign the necessary focus or budget to really get hold of it.

Reassessing IT Security in Professional Services


Professional services firms must urgently re-evaluate their approach to IT security, transitioning from outdated perceptions to a holistic, board-level governance model. This shift is critical not just for the integrity of their IT infrastructure but for the survival and competitiveness of the firm in an increasingly digitized and threat-prone world.


In response to the demands of professional service firms, QuoStar’s CISO service has been built to manage all of the key areas highlighted, from the ground up. It’s a comprehensive support service to give the IT team and the firm’s board real confidence that they are managing cyber security appropriately and effectively. In addition, it delivers:

  • Ongoing senior IT security leadership and guidance.
  • IASME or ISO 27001 implemented and managed (if desired).
  • The ability to effectively manage and respond to cyber-security threats.
  • A defined, ongoing roadmap for cyber-security protection.
  • All key documentation, policies and processes agreed and in place.
  • All key parties engaged in security standards implementation.
  • An overall definition of cyber-security strategy and tactics.
  • All key stakeholders understand the business objectives.
  • The ability to formally evidence management of cyber-security.
  • Continual review & evaluation of the threat landscape to control your risk profile.

Schedule a complimentary review with a CISO.

Public, Private, or Multi-Cloud: Getting the right mix for your business

For many businesses, the challenge with IT generally and with Cloud specifically, is one of complexity and choice. There are simply too many options to choose from, leaving firms uncertain about how to make good strategic choices.

Competitive pressures, cost control and a need for businesses to be more agile and responsive are all good reasons to invest in Cloud. The pandemic only accelerated this trend with new investments in IT projects promising to deliver radical improvements to core business processes in terms of greater control and reduced costs. Alongside this, a Cloud platform can also bring with it new threats, most obviously to security, with ransomware a persistent and growing risk which can threaten the reputation and even the viability of an enterprise. More broadly, new challenges in Governance, Risk Management and Compliance (GRC) arise for which most businesses are ill equipped.

The Risks of Following the Herd

Against this background, making the right choice is challenging, as it is unlikely that an internal IT team is up to speed on the best options as well as the challenges and pitfalls which can arise.

Fear and uncertainty can then become the main drivers behind Cloud investment, and “strategy” sometimes amounts to little more than following prevailing wisdom in the sector. This very often means a wholesale commitment to a Public Cloud platform from one of the globally recognised brands such as Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP). Whilst this often seems like a safe choice, an exclusive commitment to one provider or platform can result in spiralling costs and IT systems which drift from the specific requirements of a business.

A common problem arises when proprietary applications which are essential to the smooth running of a business are transferred to a Public Cloud platform and poorly integrated with other applications. Far from improved productivity, this often leads to poorer performance which can impact profitability.

All of this can lead to a stand-off between frustrated IT teams and sceptical senior management.

Choosing a Cloud Platform which fits your Business

At QuoStar, we do not think there is a “one size fits all” approach to Cloud.  Every business is unique with its own specific challenges and its own commercial strategy. We have been designing, building and managing Cloud platforms for over 15 years, in each case ensuring that our clients get platforms which are fit for purpose.

We always start with understanding what a business is trying to achieve. With a clear business context, we apply analysis to assess the requirement for Cloud or, if Cloud platforms are already in place, to uncover opportunities for better security, stability, and effectiveness. Our assessment also delves into licensing and resource allocation to find ways to reduce spend whilst maintaining quality.

A Platform Agnostic Approach

Crucially, we are platform agnostic which means that we will always propose the right mix of Public, Private and Multi-Cloud to fit the needs of a business. Whether the need is for a single virtual server in a Private Cloud, or a global hybrid environment incorporating Public, Private and on-premise platforms, we can deliver a robust managed service. This is underpinned by our true purpose-built Multi-Cloud platform which, together with our clients, our engineers can deploy over the short or long term.

At the heart of our service is an elite team of Cloud professionals, each with 10 years’ experience in delivering Cloud platforms. We know that no single enterprise can have all the specialist IT skills to keep their systems running, so QuoStar can support IT teams through their transformation journey and help them to develop.

Empowering Businesses to Exploit the Potential of Cloud

We are committed to empowering clients to exploit their expanding Cloud capabilities and have earned recognition for our comprehensive Cloud training programs which bridge the skills gaps in their IT teams. We partner with these teams and facilitate knowledge sharing as demands on them increase. Our selection as a nominee for Cloud Services Provider of the Year Award at the 2023 CRN Channel Awards highlights the quality of service we consistently deliver to our clients.

We also recognise that the success of our solutions extends beyond the technology itself. For example, GRC is second nature to us, so we make it a priority to support our clients with systems and processes which embed best practice and provide year-round support.

Your business isn’t generic, and neither should your Cloud solution be.

Schedule an initial consultation with a QuoStar Cloud specialist.

Why an Azure Managed Service is essential

In today’s fast-paced digital landscape, more and more businesses are turning to cloud solutions, be that private or public, to streamline their operations and stay competitive. Azure is one of the most popular cloud computing platforms on the market, providing a wealth of benefits for businesses of all sizes. However, managing Azure can be complex and time-consuming, especially for organisations without in-house IT resources. That’s where an Azure managed service from a managed service provider (MSP) like QuoStar comes in. In this blog post, we explore why an Azure managed service is critical for any business using Azure.

Cost Control

One of the primary benefits is cost control. Azure provides a wide range of pricing options and services, making it easy for businesses to overspend if not managed carefully. An MSP can help optimise Azure usage, identify unnecessary costs, and recommend cost-saving measures. They can assist in selecting the right Azure services based on specific needs, adjusting usage patterns, and leveraging cost-saving opportunities such as reserved instances.

Furthermore, an Azure managed service helps accurately forecast Azure expenses, enabling effective budget planning. This aspect is particularly crucial for small and medium-sized businesses that may lack the resources to handle unexpected costs.


Security is another crucial consideration for businesses utilising Azure. As cyber threats evolve and become more sophisticated, having a robust security strategy in place is paramount. An Azure managed service can help implement best practices for Azure security, including identity and access management, network security, data encryption, and more. They also keep you updated with the latest changes, security patches, and updates to minimise the risk of security breaches and data loss.

A sophisticated Azure managed service, provided by the right MSP, can monitor your Azure environment for suspicious activity and proactively address security threats. This capability is especially important for businesses operating in regulated industries where data security is critical, such as legal or finance.

Technical Landscape

The technical landscape of Azure is constantly developing, with new features and services introduced regularly. For businesses, this presents both opportunities for innovation and challenges in keeping up with the ever-changing Azure ecosystem. An MSP can help navigate this landscape, stay up to date with the latest Azure features, and provide recommendations on how they can benefit your business. They can also help you avoid common pitfalls, such as overprovisioning or underutilising Azure services.


Automation plays a crucial role in an MSP’s services. Implementing automation on their own can be challenging and time-consuming for businesses. Automation saves time and resources, increases efficiency, and reduces the risk of errors. An MSP can automate routine tasks like patching, backups, and monitoring, allowing businesses to focus on their core operations. It also facilitates the deployment of correct frameworks and enables quick responses to security threats, minimising the risk of data loss or downtime.

Why QuoStar’s Managed Service

At QuoStar, we offer a comprehensive Azure managed service that blends automation and advanced monitoring, ensuring consistent and high-quality support. We’re committed to delivering personalised assistance to each of our clients, taking the time to understand their unique needs and tailoring our services accordingly. Here’s what sets us apart:

  • Azure expertise: Our seasoned team of Azure experts goes beyond the basics, covering everything from Infrastructure as a Service (IaaS) to Platform as a Service (PaaS). Benefit from the depth of our Azure knowledge.
  • Microsoft Solutions Partner: We’re not just another service provider; we are a Microsoft Solutions Partner for Infrastructure (Azure).
  • Industry recognition: Finalists for Cloud Services Provider of the Year at the CRN Channel Awards 2023, which shows that we’re among the best at what we do.
  • 24/7/365 support: Count on our UK-based support team to be there when you need them, ensuring your cloud environment runs smoothly around the clock. Rest easy knowing expert assistance is always within reach.
  • Risk-free assessment: Take advantage of our complimentary Azure assessment; if no significant issues are found, there’s no charge.

Don’t let the complexities of Azure management overwhelm you. With QuoStar’s Azure Managed Service, you can confidently take control of costs, ensure security, and smoothly navigate Azure.

Experience Azure’s benefits for cloud success.

Start a conversation with us or book your risk-free assessment today. Whether you need Azure consultancy or ongoing managed services, we’re here to assist you at every phase of your Azure journey. Take the first step towards a more efficient Azure solution, supported by a trusted partner.
