QuoStar named one of the UK’s fastest-growing companies by The Sunday Times

QuoStar Named One of the UK’s Fastest-Growing Companies by The Sunday Times

QuoStar has hit plenty of milestones over the past two decades. But the past few weeks have been particularly special. First, the company was named as one of the top managed service providers (MSPs) in the world by Channel Futures MSP 501. And today, we’re following that up with inclusion on the famed Sunday Times 100 list.

It’s another tremendous accolade, but we’re grounded in our commitment to delivering the best outcomes for our clients, which has been central to our success and will continue to be our touchstone. This recognition reflects the win-win partnerships we’ve cultivated over the years and underscores our dedication to maintaining these standards.

Following in the footsteps

The Sunday Times 100 has been around in some form or another for over a quarter of a century. The league table ranks the top 100 independent, privately owned companies in the country with sales of over £5m that recorded the fastest-growing sales over the past three years. Over the years, it’s played host to some of the UK’s biggest and most important names, including Carphone Warehouse, retailer Boden and chip giant Arm Holdings – which was sold to Softbank for over £20bn.

Richard Tyler, Founding Editor of The Sunday Times 100, explains that it’s increasingly challenging for even fast-growing British companies to make it onto the prestigious list.

“The pace of growth required to secure a place on the league table has shot up this year, so QuoStar should be particularly proud of its achievements in what have remained challenging trading conditions,” he says.

QuoStar CEO, Robert Rutherford, adds his thanks to both the firm’s employees and clients. “This outstanding achievement reflects our performance over the past few years and is a testament to the dedication, effort, values, and skills of our entire team. We always knew we were doing something great – now a major award confirms it,” he says.

Keeping things simple

Today, QuoStar employs over 100 people and serves hundreds of clients across the UK and overseas, from offices in Bournemouth, London and Leeds. Yet despite our continuous growth trajectory over the years, the mission hasn’t changed.

It’s not about chasing growth for growth’s sake. It’s about continuing to do the simple things well. Building solid client relationships. Taking time to understand their unique requirements. And using our decades of in-house IT expertise to deliver exactly what they need to succeed.

These tenets will always be central to the QuoStar way of doing things. We can’t wait to see what the future holds.

QuoStar will join other Sunday Times 100 founders and directors in celebrating at an invitation-only networking dinner on Wednesday, 18th September at The British Museum.

To find out how we can help your business with tailored IT solutions, get in touch today.

QuoStar ranked as one of the world’s top managed service providers 2024

QuoStar ranked as one of the world’s top Managed Service Providers

Since its inception in 2005, QuoStar has been on a mission to bring enterprise-grade IT services to businesses of all sizes. Nearly two decades later, its focus on excellence, partnership and client outcomes remains as committed as ever.

Our CSAT scores, averaging at 98%, suggest that our clients approve of what we are doing, and now we have market recognition for this. We are delighted to have been recognised by the Channel Futures MSP 501 as one of the ‘best of the best’ managed service providers (MSPs) in the world. This achievement is a testament to a great deal of hard work and our relentless focus on delivering for our clients.

What’s the MSP 501?

The Channel Futures MSP 501 has been ranking the world’s MSPs for the past 17 years, according to a strict set of criteria. It includes annual revenue, profitability (as measured by EBITDA) and recurring revenue. MSPs also undergo a detailed review by a Channel Futures research team, which further ranks applicants according to long-term financial health, commitment to recurring revenue and operational efficiency.

This year’s list was described by Channel Futures as “one of the most competitive in the survey’s history”, which makes QuoStar’s inclusion doubly gratifying. Those sitting alongside QuoStar on the list generated a combined revenue of nearly $25bn, with average growth or recurring revenue of 19%.

“This recognition underscores our team’s performance, strong partnerships, and our client-focused strategies,” says CEO Robert Rutherford. “This is just the beginning—more well-deserved awards are on the horizon. Thank you to our clients and our team for making this possible. We are excited for 2024 and the years to come as we execute plans, deliver outcomes and maintain quality.”

Delivering time and again

MSP 501 winners are described by Channel Futures as among “the most innovative, driven, and successful MSPs in a fiercely competitive industry”. For QuoStar, being named among the top global MSPs underscores the dedication of our elite team of IT experts, who work so hard to build best-in-class solutions for clients. It’s not about being the biggest, or most successful. It’s about delivering for those clients every single time—to transform and grow their businesses through tailored IT solutions.

Thanks go out to both our clients and our team for helping us achieve this milestone. It won’t be the last. In the meantime, QuoStar will keep doing what we’ve always done. Building great relationships with clients and technology companies. Staying at the cutting edge of technology innovation and delivering service excellence. Even as we continue to grow, this focus will never change.

Contact us today to discover how QuoStar can enhance your business with our comprehensive managed services.

Current Challenges and Opportunities in the Legal Sector

Current Challenges and Opportunities in the Legal Sector: Insights from our legal roundtable

Throughout the year, QuoStar holds roundtable events for the legal sector, where a small group of attendees can get together over a three-course meal to share industry insight and best practice. At the end of April, we held our first event of 2024, with QuoStar CEO, Rob Rutherford joining myself and several Partners, Managing Partners, and Heads of IT from south coast law firms.

It was a fascinating evening of discussion, with a focus on how law firms can best mitigate mounting cybersecurity risk, drive operational efficiency and use tech innovation to gain an advantage.

Law firms in the crosshairs

Cyber risk is fundamentally a strategic business risk today – and one that impacts all legal sector organisations, no matter what their size. Attendees around the table agreed that their company is very much in the crosshairs of threat actors – whether they’re financially motivated cyber-criminals, state-sponsored hackers or even disgruntled current or former employees. Automated tools mean these bad actors can continuously probe for vulnerabilities in public-facing IT infrastructure without breaking sweat.

Their efforts are hitting home. Current data is hard to come by, but the Solicitors Regulation Authority claims that 18 law firms in the UK were hit by ransomware in 2021. Three-quarters (73%) of the firms it visited for a cybersecurity review a year earlier reported cyber-related incidents. Separate data from the Information Commissioner’s Office (ICO) analysed by insurer Chaucer reveals that the number of legal sector data breaches reported to the regulator increased 36% annually to reach 226 in 2022/23.

There are many reasons why law firms are a popular target for attack. They hold sensitive client information, handle large volumes of funds and play a key role in business transactions. The National Cyber Security Centre (NCSC) warns that firms acting for organisations that engage in “controversial” work such as life sciences or energy may also be targeted by hacktivists. The top threats to the sector are phishing, data breaches, ransomware and supply chain compromise, it says.

Time for multi-layered cyber-defence

As digital investment grows in the sector, so does the cyber-attack surface. All attendees recognised the challenge – agreeing that everyone in an organisation needs to play a part in keeping their firm safe. From a strategic perspective we recommend the following:

  • Deploy robust security controls and best practices such as advanced firewalls, multi-factor authentication (MFA), complex passwords, mobile device management, and vulnerability management.
  • Don’t ignore the human factor. Ongoing staff awareness raising and education is key to mitigating the risk of phishing, which is often the starting point for breaches.
  • Put an incident response plan in place today, to enhance business resilience and minimise the impact of a security breach if one occurs. Data cited by the Law Society claims only 35% of law firms have one in place. It’s also important to test the plan, for example by working through what happens if the firm is affected by ransomware.
  • Consider obtaining a cyber accreditation such as Cyber Essentials Plus and ISO 27001. This won’t stop attacks occurring, but will ensure the organisation is better placed to respond efficiently and mitigate the impact, whilst also reassuring clients. QuoStar can help by undertaking an independent audit to identify any gaps in current security posture, risk management, governance and compliance.

Risk extends to third parties

Law firms increasingly outsource parts of their IT function to third-party suppliers – whether they’re a provider of cloud services (CSP), SaaS applications or managed services (MSP). But these entities in turn can be a target for attack – making it essential that they maintain the same high level of cybersecurity as their client organisations. It is no defence to say that a third party was responsible for a breach. The regulator will generally hold both parties responsible. Nor is this a theoretical risk. A UK-based MSP was hacked last year via an exploited vulnerability and the resulting breach impacted dozens of its legal sector customers for over a month.

Attendees around the table argued that it’s not good enough to assume that larger suppliers are inherently to be trusted. Given what’s at stake, it’s vital to conduct thorough due diligence, and undertake a security audit of any prospective supplier, which QuoStar can help with. Those accredited with Cyber Essentials Plus, ISO 27001 or other standards/frameworks are a good place to start.

Gaining an advantage through AI

Finally, no roundtable discussion on technology would be complete without a conversation about the role AI could play in driving advantage. The IT and business leaders we spoke to are rightly sceptical about many of the claims currently being made by vendors about their products – especially legacy tech vendors they see as jumping on the AI bandwagon.

Most of those around the table understood AI to mean generative AI (GenAI) tools like ChatGPT and Copilot. But in fact, there’s much more to the technology than this. Law firms could utilise:

  • Pure AI: using core algorithms to develop their own AI solutions. One example we heard was a law firm using AI to predict the outcome of litigation cases.
  • GenAI: AI that can produce and summarise content including text, video and images.
  • Packaged AI: suppliers that have built AI features into their technology and deliver these to law firms, e.g. many suppliers now embed machine learning into their applications.

Attendees were unanimous in agreeing that AI will play a major part in the practice of law in the future. But they also argued that headlines claiming it will replace large numbers of lawyers and fundamentally change the way the sector operates have been significantly oversold.

AI will simply be another tool. By all means experiment with it – especially GenAI, which could have some productivity benefits – but don’t feel like the company will be left behind if it does not embrace AI immediately. There are certainly challenges to be managed – not least, biased/inaccurate output, and potential data security and confidentiality risks when inputting information. The best option for many may be to wait for others to make the leap first and then learn from them.

QuoStar is designated a Microsoft Solutions Partner for Data & AI (Azure)

Data sits at the beating heart of any business. How effectively organisations can extract insight and value from it will play a big part in determining their long-term success. It could help to drive more efficient business processes, reduce wastage and enable better-informed, strategic business decisions. Thanks to cloud-powered AI and analytics tools, more organisations than ever have access to potentially transformative, cutting-edge capabilities.

That’s why QuoStar was delighted to be recently designated a Microsoft Solutions Partner for Data & AI, to bolster our existing three Solutions Partner certifications. It means that we now hold all Microsoft Solutions Partner designations for Azure. The announcement is further proof of QuoStar’s expertise in cloud transformation and commitment to empowering clients with the best in Azure data services.

What does it mean?

Being recognised as a Microsoft Solutions Partner for Data & AI reinforces our expertise in Azure data services – enhancing client confidence that their projects are safe in QuoStar’s capable hands. Among other things, partner status denotes a high degree of skill and experience in delivering:

  • Database migration to Azure, or undertaking projects to ensure clients have access to the best Azure offering possible
  • Deployment and guidance on platform-native governance across Azure and inside the managed data
  • Analysis of existing workloads, and extract, transform, load (ETL) operations to migrate data to cloud-based data warehouses and enable cloud-based analytics solutions
  • Ongoing support and optimisation of workloads, helping clients offload performance, cost and reliability concerns
  • Tailored Microsoft analytics solutions using Azure Synapse Analytics, Azure Data Lake, Azure Data Factory and Azure Databricks
  • Client adoption of AI and Azure solutions

From strength to strength

This new Microsoft designation for QuoStar follows similar milestones last year. In May 2023 we announced the Microsoft Solutions Partner for Modern Work designation. It signifies our commitment to helping clients enhance productivity and support the shift to hybrid work using Microsoft 365. Then in June the same year, QuoStar was named a Microsoft Solutions Partner for Infrastructure (Azure) – highlighting our expertise in helping clients migrate their critical infrastructure workloads to Microsoft Azure.

As a Microsoft Solutions Partner, QuoStar will continue to work hand-in-hand with clients to help them optimise their use of data – using the latest Azure-based technologies and in-depth understanding of their business requirements.

To help support these efforts, we’re currently developing a new standardised approach, aligned to Microsoft values, designed to streamline projects and improve outcomes. When complete, it will help by highlighting what methodology a client should follow to better understand how their data is used day-to-day and how they can extract maximum value from it. It will focus on things like data structuring, visibility tooling, governance and cost optimisation alongside AI.

“It is QuoStar’s ongoing investment in its people, process and products that has enabled us to gain this Solutions Partner for Data & AI accreditation. The new skills our people continue to learn, along with QuoStar’s ‘right person, right role’ ethos, will drive the company’s enduring value for our clients.”

– Charlie Thompson-Hill, Head of Presales and DevOps

Are you ready to harness the power of data with QuoStar? Get in touch today for a discovery call and a complimentary assessment to learn how we can help you optimise your data across multiple systems, to drive business growth.

How careful planning can take the pain out of ransomware breach response

There is plenty that organisations can do to enhance their resilience to ransomware breaches. But no preventative strategy can ever be 100% guaranteed to succeed. The modern corporate attack surface is simply too porous and expansive, and threat actors too persistent, for that. That’s why network defenders should also be primed and ready for a worst-case scenario.

As we explained in our previous blog, an attack can strike at any time. And when it does, those in charge are often trapped in a whirlwind of confusion. The key to successfully managing such a situation lies with forward planning.

Planning for a breach

Ransomware is among the most common and acute cyber-threats facing UK businesses. And the threat will continue to grow with the advent of AI, the National Cyber Security Centre (NCSC) recently warned. For smaller businesses its impact can be particularly destructive. A 2022 study revealed that a fifth of US and European businesses had nearly been forced into bankruptcy by a historic attack. Last year one of the UK’s largest privately owned logistics firms entered administration due to “disruption” caused by a ransomware compromise.

Yet it doesn’t need to be this way. It all starts with putting the right team together. Ideally, it should include key representatives from the IT and security function, PR and legal – and possibly also HR and customer service stakeholders. That’s because, when a ransomware attack hits home, it can impact disparate parts of the business.

PR is essential to help organisations manage their external communications strategy. HR should be on hand to manage internal comms and cross-departmental collaboration. And legal will dispense critically important advice on engaging with regulators, managing potential customer/employee class action suits, and more. For most organisations, customer service will also need to be involved to manage the fallout for end customers. If any piece fails, there could be significant financial and reputational repercussions, including customer churn, regulatory fines and lawsuits.

The average cost of a UK data breach is calculated at $4.2m (£3.3m) today. But in some cases, ransomware has caused losses measured in the tens of millions. From a regulatory perspective, organisations need to think not just of data protection watchdog the Information Commissioner’s Office (ICO) but also any relevant industry-specific bodies, like the Financial Conduct Authority (FCA).

Putting the pieces in place

Every organisation is different, and there’s no single agreed format that an incident response team should take. Most important is that everyone has a clearly defined role that they understand, and that they are working under unequivocal instructions from an incident response lead. In many cases, this will be a senior individual from the IT team. Crucially, they need not only experience of working under pressure – and ideally in crisis incident response situations – but must also be given the authority to lead for the duration of an incident. That means even members of the organisation and board senior to that individual must respect their decision making.

The next thing a team needs is a plan. This is where many organisations fall down, by attempting too much. No one can predict how or when a ransomware breach will take place, and what its impact may be on the organisation. But many try, by building out complex incident response plans which will likely be redundant as soon as attackers strike. The key to success is rather to keep things simple and high level. The incident response team will need to improvise, but within their own clearly defined roles. It’s also important to ensure any pre-written plan is accessible in a crisis – ie, not stored on a server that has been encrypted by ransomware.

In a similar way, organisations shouldn’t overthink things by scheduling frequent incident response training exercises. In a typical organisation there are mini incidents occurring all the time which can be used to hone the skills of team members. Once a driver has passed their test, they aren’t forced to sit another one every six to 12 months: simply by being behind the wheel they continue to practise and improve the required skills.

Communicating clearly

Above all, when working through post-ransomware breach response, organisations must foreground the importance of clear communication. That could mean:

  • Communication between incident response team members
  • Communication with the board and senior managers (they should be kept updated at frequent intervals)
  • Communication with the wider community of employees – to ensure they follow policy by limiting what they publish online about an incident, and to maintain morale during what could be a long road to recovery
  • External comms. It’s vital that a senior spokesperson is chosen as part of the incident response team. This individual should be the face of the organisation during the breach response. External comms is critically important to prevent rumour and speculation, especially in the early hours and days following a breach

This is by no means a comprehensive checklist for post-ransomware breach response. But it’s somewhere to start.

For a more detailed briefing on what to expect from a ransomware attack and how to respond, register today for our upcoming reality check webinar: Assessing the real impact of a Ransomware attack.

A whirlwind of confusion: what happens in the first hours of a ransomware attack

What to expect when ransomware actors come knocking

The global economy might still be struggling to get back on track. But the finances of the cybercrime underground are in rude health. Payments from ransomware victims exceeded $1bn last year – a record high. And that’s just for the cryptocurrency wallets forensics analysts were able to track. The real figure is undoubtedly much higher. In this context, all organisations should plan for the day when they too will be compromised by ransomware actors.

Unfortunately, many still do not. And their lack of preparedness is something threat actors thrive on. During the post-breach response period, they will do everything in their power to ramp up victims’ confusion, in order to extract maximum financial returns.

Network defenders must stay calm and stick to their plan. When it comes to ransomware, forewarned is forearmed.

The worst-case scenario

There are several ways in which an organisation could end up a ransomware victim. RDP compromise, email phishing and exploitation of software vulnerabilities are still the top three attack vectors for threat actors. But the first the organisation may actually see of an attack is likely to be a ransom note on a networked PC – or potentially an entry in a ransomware data leak site detailing how much data has been stolen.

From the start, network defenders are on the back foot. They may have no prior experience of dealing with a ransomware breach. Their adversaries, on the other hand, are usually seasoned professionals with stacks of domain expertise. Their operations behave more like regular SMBs than one may imagine. And in some cases, their resources can match those of high-flying enterprises. One infamous group, Conti, reportedly spent $6m (£4.8m) annually on salaries, tooling and support services.

Many questions to answer

Victim organisations will have a relatively short time frame in which to act. This kind of time-based pressure is a classic social engineering technique designed to rush victims into making irrational decisions. A clock may count down the minutes they still have left to purchase a decryption key. Or for breaches where only data was stolen, until that data is ‘leaked’ to the world.

In the meantime, business leaders will be frantically asking their IT teams to answer their questions:

  • How do we deal with this?
  • Who can help us?
  • How much of the business is impacted?
  • How much data has been exfiltrated?
  • How much downtime can we expect?
  • Has the story been reported in the media/on social media?

Unfortunately, without a clear, pre-rehearsed incident response plan and team in place, such questions can be tricky to answer. And the threat actors will be doing what they can to continue wrongfooting their victims. Among the tactics designed to sow confusion and force payment may be:

  • Exaggerating how much sensitive data they have been able to exfiltrate
  • Threatening to launch a distributed denial of service (DDoS) attack
  • Contacting customers and partners and asking them to demand the company pays a ransom
  • Threatening to inform regulators about the breach

Such efforts are becoming increasingly persistent, and novel. In one case, a ransomware group hijacked a US university’s emergency broadcast system to send staff and students text messages and email alerts that their data was stolen and would soon be released. In another, they hijacked and defaced the victim organisation’s website to display a ransom note to the world. In a third case, a ransomware group claimed it was willing to alert crooked traders about a breach before it was made public, so that they could short the listed firm’s stock.

Such efforts have one single goal in mind: to throw a spanner in any recovery plans and put network defenders on the back foot. If they can frighten the organisation into paying the maximum ransom demand rather than a lower negotiated figure, all the better.

Struggling to respond

Organisations caught in this whirlwind of confusion will find it extremely difficult to successfully respond unless they have prepared for something like this worst-case scenario. Yet unfortunately, government data tells us that just a fifth (21%) of UK businesses even have an incident response plan in place, rising to 47% of mid-sized firms. Fewer than two-fifths (37%) have cyber-insurance.

This matters, because despite the news headlines, most ransomware victims are not big-name brands or government agencies, but SMBs. The median size for a breached organisation stood at just 230 employees in Q4 2023. Some 36% of victims in the period had fewer than 100 staff members. There is a ruthless logic to this. Smaller firms are less likely to have the resources and expertise needed to protect against ransomware attacks in the first place, or contain and recover from them rapidly if they are breached.

The truth is that no organisation is safe from ransomware today. But a compromise doesn’t have to precipitate an existential corporate crisis. The message is simple: plan today to avoid a whirlwind of pain tomorrow.

To find out more on what a ransomware attack could entail for your organisation, and how to mitigate and respond effectively, sign up to our forthcoming reality check webinar: Assessing the real impact of a Ransomware attack.

Copilot for Microsoft 365: Our first impressions

Copilot for Microsoft 365 QuoStar first impressions

Copilot for Microsoft 365 was announced to much fanfare back in March 2023. It promises much: to free staff from the drudgery of day-to-day workplace tasks and in so doing unleash a new wave of productivity growth. But what’s the actual experience of using it like?

Our experts have had a few weeks to road test the tool. There are certainly some impressive features. But organisations should also be aware of what it can’t yet do, without them first spending significant extra time and resources on assessment and preparation of their data architecture.

What Copilot for Microsoft 365 does well

The bottom line is that Copilot for M365 can add value for employees using it for basic tasks in Teams, Excel, Word, Outlook and PowerPoint. In that respect, it could save users a few hours per month depending on their role. Here are our initial thoughts:

  • The potential for time saving is clear to see, but it doesn’t feel like the finished article just yet
  • Preparation needs to be done; organisations shouldn’t just dive right in
  • Copilot in Word and PowerPoint works especially well for inspiration and as a starting point in documents, but it won’t give you what you want without manual intervention
  • It is worth the money. Even though we’ve not used Copilot to its full extent yet, users don’t need to save much time in their workload to justify a cost of under £30 a month
  • Time savings will just be the beginning. It could increase employee satisfaction, improve the quality of work and reduce digital debt
  • Remember that improper deployment without the right security measures may expose confidential company and employee details

Copilot for Microsoft 365 is particularly good at specific tasks/use cases. These include:

  • Effective meetings: Using Copilot in Microsoft Teams to take notes and produce summaries enables users to concentrate on presenting and engaging.
  • Data Analysis: Bulky spreadsheets are easily summarised using Copilot in Excel, whether that is producing diagrams, creating pivot tables or projections.
  • Content Creation: Copilot in Word and PowerPoint is useful at providing starting documentation when users need inspiration, or for rewriting paragraphs with a different tone/language.
  • Email Processing: Copilot in Outlook can summarise emails when users have been out of the office, draft responses to emails, and rewrite emails with a different tone.

Where there’s AI, there’s risk

However, there is one major challenge for organisations wanting to jump into Copilot for Microsoft 365 from day one. It’s only as good as the policies and data they put in place. A lot of work needs to be done first to structure and segment corporate data correctly. This could run into the tens of thousands of pounds of consultancy work to review the data, understand how the organisation wants to structure it and then move it into the Microsoft cloud data storage ecosystem.

There’s a significant security and compliance dimension to this. Although we’re not talking about an open data ecosystem like ChatGPT (instead, data is restricted to an organisation’s Microsoft Graph and 365 apps) there is a risk of users inside the company accessing data they don’t have permissions to view.

Licensing costs and considerations

Setting aside the upfront costs mentioned above to get your data organised and structured, the licensing cost per user for Copilot for Microsoft 365 may feel significant, but it isn’t if organisations are genuinely saving those two hours per month per employee. Copilot is now available for just £27.30 per person per month, billed annually and upfront.

However, it’s worth remembering that licenses must be paid up front on an annual basis, and this will only get you the basic Copilot tool. Without an E5 license, organisations won’t have the required security functionality. There’s also functionality such as automatic subtitling of foreign language speakers that requires a premium Teams license.

Note that in order to benefit from those Teams capabilities listed above, the meeting organiser needs to have a Copilot license, which effectively means every employee needs one to be truly effective. This could significantly increase licensing costs across the organisation. Beware those hidden costs!

Organisations should also bear in mind that user training is key to learning how to work with AI and provide the right prompts to get the information you need – we found the effectiveness of Copilot initially lower than expected until we knew the right questions to ask. And whilst Copilot is still developing, some time efficiencies may be eroded as users are forced to chop and change between apps.

Getting started with some quick wins

That said, there are things organisations can do today to extract value from Copilot for Microsoft 365. Consider the following tasks:

  • Summarising large volumes of emails in the mailbox to catch up/prioritise quickly
  • Drafting new emails at speed
  • Recapping Teams meetings
  • Creating new images at speed
  • Summarising lengthy documents
  • Finessing/rewriting existing content with a specific tone/audience in mind

However, to gain true value from the product, organisations will need to:

  • Reach out to third-party experts to assess and prepare:
  • Structure and segregate relevant corporate data
  • Work out data security, privacy and compliance controls
  • Purchase Copilot for Microsoft 365 and any relevant additional licenses
  • Expand and extend with third-party plugins. As the ecosystem grows, this could add significant value

It’s worth noting (as with all things Microsoft) the product is constantly evolving – Microsoft has recently announced incoming additional functionality, with Restricted SharePoint Search coming early April, focused on simplifying site audit permissions, and Copilot for OneDrive scheduled for release in late April / early May, which promises to help users quickly retrieve information from files stored in OneDrive.

Microsoft has several resources to help organisations discover how the Copilot tool works, how to prepare their tenant, and the technical onboarding requirements for IT admins.

If you’re looking to introduce Copilot for Microsoft 365 into your organisation, get in touch with QuoStar today. Our team of Microsoft experts are here to help you get started.

IT as business enabler: the technology opportunity for professional services

IT as Professional Services business enabler

IT has traditionally had a reputation for micro-management. In too many professional services firms, the Department of No stood in the way of productivity and growth. But post-pandemic, things are changing. During that period, many boards and senior managers had a lightbulb moment – finally realising the value that technology can deliver to the firm.

To accelerate this path to progress, professional services organisations need to continue evolving how their IT department works, and what it is responsible for. In many cases, this will mean outsourcing more infrastructure.

A recent Saffery podcast featuring QuoStar’s Chris White and Saffery’s IT Director, David Fazakerley, has some fascinating insights on this topic.

The changing face of IT

To add true value to the post-pandemic professional services organisation, the IT department must change its role from technology provider to business enabler. As such, the role of CIO or IT director will evolve into one of translator: speaking the language of business to the board and of bits and bytes to the IT team.

There are three ways we can observe this change happening in organisations today:

Cloud: There was a time when IT managed everything in house. Now cloud services have matured, there’s little justification for such an approach. Public cloud infrastructure, private cloud (IaaS) and software-as-a-service (SaaS) can be highly cost-effective – enabling firms to scale up and down as required. And they are often more secure than anything that can be managed internally. Increasingly, cloud is seen as just another utility.

That frees IT from the operational shackles of keeping the lights on, to focus on a more strategic role. Today, IT’s role should be to select the right partners and providers to work with, understand what the firm’s employees need to maximise productivity, and deliver the best possible service for clients. Professional services firms aren’t IT shops. They’re lawyers, accountants and specialist consultants. So IT’s role at its core should be to support these client services via optimised use of technology.

Cybersecurity: Cyber-threats are surging amidst geopolitical uncertainty and a cybercrime underground said to be worth trillions annually. One vendor blocked 85.6 billion threats in the first half of 2023 alone. Government figures from April 2023 reveal that over half of medium (59%) and large (69%) UK businesses suffered a serious cyber-attack or breach in the previous 12 months.

Professional services IT teams aren’t equipped to handle this deluge all by themselves. Instead, their job is to educate users, understand the organisation’s risk appetite, and outsource where necessary to providers with the requisite skills, resources and technology. It’s about building a cohesive hybrid team, so that when the worst-case scenario occurs, everyone knows their role and can react quickly in order to rapidly contain and recover.

It’s also about recognising that not all of cyber-risk management is a matter of putting in place another firewall or a web filter. The human-shaped problem continues to be a major risk factor, in the form of social engineering and phishing. And that can’t be solved by technology alone. It’s a problem set to get much worse with the advent of generative AI (GenAI), which will democratise the ability to launch highly convincing phishing campaigns in multiple languages.

Security awareness and training programmes will therefore be an increasingly important part of risk mitigation in professional services firms. To stand any chance of success, lessons must be run in short, sharp bursts, contain real-world simulations and cover the whole organisation, from boardroom down to contractors and part-timers. And any courses must be run continuously: as long as the bad guys keep innovating, there’s always something new to learn. Once again, the value from IT will come from choosing the right third-party provider to supply these capabilities.

In short, effective cybersecurity is firstly about stopping the bad stuff getting in. If that isn’t possible, the focus should be on limiting the damage once threat actors are inside the network. And if they are able to cause any damage, ensure the organisation can recover as quickly as possible with enhanced resilience.

Artificial intelligence: AI has the potential to transform professional services, especially generative AI (GenAI) of the sort pioneered by ChatGPT. But there’s also a lot of froth and bluster in the market. And the risk of accidentally exposing sensitive information or believing GenAI-generated falsehoods is high. This could have a potentially serious impact on corporate reputation.

Once again, the IT department’s role is not to build its own large language model (LLM) or chatbot tools. It is to assess what’s available on the market and advise the business about possible solutions that match the organisation’s risk appetite. There’s also important work to be done in updating policies, to ensure employees understand what they can and can’t do.

Saffery’s Fazakerley explains that he has been on a steep learning curve over the past few months, familiarising himself with GenAI. The key to optimised use is understanding where GenAI’s strengths and weaknesses are, which is why the firm uses Microsoft Copilot secured within an Azure tenancy, so any sensitive data inputted via prompts isn’t exposed to the wider world.

Fazakerley claims it has transformed and enriched his search experience. And whereas it may not be advisable to generate content on tax advice, it has been extremely useful at summarising existing advice in a more accessible language that clients may better understand. In that way, it’s helped Saffery think differently about how it interacts with clients, to change engrained habits. For that reason, the tech has already garnered significant enthusiasm from non-IT members of staff, which is a rarity, he says.

The road ahead

This is a vision of IT fit for the digital age: as a core business-enabling function. It imagines an IT department focused on how to optimise the organisation’s use of technology, so it can deliver the best possible client service. And on explaining to the board where and how this tech is generating ROI.

To find out how QuoStar can help your professional services organisation, get in touch today for a complimentary strategic review with Chris White or another of our C-suite consultants. They’re on hand to deliver the strategic leadership mid-sized companies need to transform their IT function, and align it with long-term business objectives.

Tempering the “super-hype” around AI: A realistic outlook

Avoiding the “super-hype”

AI will be transformational, so we don’t need to debate or doubt that. However, when we look at the implications for businesses, we need to take a breather and blow a bit of the froth from the frenzied hype that is being whipped up right now. There is both fear and excitement in equal measure, and in many cases, both are unfounded. This is just distracting for businesses as they plan for the future. My contention is that by thinking clearly and taking good advice, businesses can avoid expensive mistakes and find value in practical and relevant applications of AI today.

We hear a lot about the societal and political implications of AI replacing some or even all white-collar work in future. While this makes for interesting and provocative reading, I want to focus on what business leaders should be thinking about today.

We are still in the very early days of this AI wave, and that creates hype. The news sites want content that is sensational, and the consulting firms want you to pay for consulting projects to alleviate the fear they create. You’ll notice that many blogs, articles, and IT talks use words like “could” and “should” rather than “does” and “will.” You also frequently hear “expected,” “projected,” and “forecasted” from consulting firms.

We are in “super-hype” territory, similar to where we were with Cloud 15+ years ago. Was cloud transformational? Yes, it was, completely – the world got smaller, markets grew, and all of us got access to the technologies previously reserved for the global giants. We got this for a small fee per user plus a lot more. It took time for that value to filter through though, and for markets and technologies to mature. I expect AI to mature faster, and the potential impact to be broader, but for most of us, the same principles will apply over the next couple of years.

We are seeing a lot of hype right now, particularly around ChatGPT and Copilot. Is ChatGPT delivering huge value to the masses really? Is Microsoft Copilot going to give you a real competitive advantage right now? They are very useful tools for sure but not earth-shattering yet. The whole arena is still immature.

Unless you are a very large business, a corporate giant, a specific niche player or perhaps a research organisation, I’d say your requirements will be met naturally by the market. It’s happening now, and you will not miss the boat if you think this through carefully and take advice from trusted and qualified technology partners.

Value from AI today

Although in their early stages, there is value to be had today from practical applications of AI, largely at the Machine Learning end of the spectrum. Many software and platform vendors are building and buying AI technologies to enhance their offerings already, and some have done so for several years. We are seeing steady developments in most business systems, and here are a few examples:

  • Cybersecurity: With cyber threats becoming more sophisticated, mid-sized businesses are adopting AI-powered cybersecurity solutions like SentinelOne and MS Defender, which use machine learning to detect and respond to security threats more efficiently than traditional antivirus products. AI can also help businesses with data protection, compliance, and incident response.
  • Customer Relationship Management (CRM): Businesses are using AI-enhanced CRM platforms like Salesforce or HubSpot to streamline their sales processes and improve their customer service. These platforms can leverage AI to predict customer behaviour, personalise communication, and automate responses, leading to more efficient sales cycles and higher customer satisfaction.
  • Accounting: AI tools are being used to automate bookkeeping and financial analysis. For instance, many accounting platforms use AI to categorise expenses and make tax recommendations. AI can also help businesses with cash flow forecasting, fraud detection, and risk assessments.
  • Human Resources and Recruitment: HR tools with AI-enhancement assist in automating payroll, benefits administration, and recruitment processes. AI algorithms can screen resumes, schedule interviews and even predict candidate fit, thereby making the hiring process faster and more effective. AI can also help businesses with employee engagement, retention, and development to foster a positive and productive working culture.
  • Inventory Management and Supply Chain Optimisation: Mid-sized retail and manufacturing businesses utilise AI for inventory forecasting and supply chain optimisation. Tools like NetSuite or SAP Business One employ AI to analyse sales data and predict inventory needs to reduce overstock and stockouts. AI can also help with demand planning, logistics, and quality control, improving operational efficiency and client satisfaction.
  • Marketing and Customer Insights: AI within products such as Marketo and Pardot helps businesses analyse customer data, predict market trends, personalise marketing campaigns and ultimately increase engagement and conversion. AI can also help businesses to create content, manage social media and web analytics to enhance brand awareness and reputation.
  • Predictive Maintenance in Manufacturing: Companies are implementing AI for predictive maintenance in manufacturing, using sensors and data analytics to monitor the condition and performance of machines and equipment, predicting and even preventing failures. Tools like IBM Maximo or Microsoft Azure IoT use AI to optimise maintenance schedules, reduce downtime, and extend equipment life, thereby saving costs and improving quality.

Get the right guidance

I hope I have shown that AI is delivering practical and relevant value now for organisations that know how to make use of it. The market is delivering the functionality and evolving it continually. That does, of course, mean that businesses should keep their eyes open and watch their markets.

AI will arrive through the sales engines of technology vendors. And this is where most care is needed: to avoid being swept up by the hype of a new technology, buying vapourware and undertaking projects that will never realise the sold visions and dreams.

Most importantly, this all means that every business needs access to sound advice from partners who live these technologies daily and whom they can trust to provide practical guidance rather than speculation. I always recommend appropriate research, evaluation and piloting to build awareness and familiarity. There is value to be had for sure, but we do need to calm some of the hysteria.

Reassessing IT Security in Professional Services: A Board-Level Imperative

Doing “the basics” is not enough

The landscape of IT security has shifted significantly, yet a sense of apathy remains, rooted in the scaremongering sales tactics of the past decade. Today’s reality is starkly different: every firm and individual is a potential target, and the consequences of lax security are not just damaging but potentially catastrophic, leading to public embarrassment, hefty fines, and severe business disruptions.

Alarmingly, many professional services firms are not adhering to even the basic tenets of Cyber Essentials, a fundamental cybersecurity framework. Worse still, some firms rest on the mistaken belief that compliance with such frameworks alone guarantees security. Cyber Essentials really is ‘just the basics’ – not a badge of being secure.

Technical controls like advanced firewalls and detection systems are prevalent but often give a false sense of security. The analogy of a fortress with an open back window is apt; firms have robust protections in certain areas but unknown critical vulnerabilities in others. The security measures are not as integrated and comprehensive as they should be.

A glaring gap in many firms is the absence of a solid GRC framework and an Information Security Management System (ISMS). IT security is not just about technology; it’s about ongoing processes, risk management, evaluations, reporting, and testing.

Implementing an ISMS, particularly one aligned with ISO 27001, is essential for establishing a strong cybersecurity posture. Utilising key elements of this standard can significantly bolster a firm’s defence against cyber threats, even if you don’t certify against the standard. There’s no reason why every firm shouldn’t at least have a risk register and details of the security controls associated with countering those risks. It seems odd not to do it when you understand how much common sense it makes.

Despite the technical aspects of cybersecurity, the problem is not confined to the IT department; it is a challenge that must be tackled at the board level. Many firms still erroneously view Information Security and Cyber Security as IT issues when they are, in fact, most certainly broad organisational concerns.

It is vital for the business and IT to have a clear understanding of the organisation’s risk posture, identifying all risks faced by the business and the controls necessary to manage them. Regrettably, this level of understanding is often absent within a number of IT and business leadership teams, leading to insufficient risk management strategies. As an example, I’d argue that a significant number of firms don’t appropriately assess the security of their supply chain. This is almost as if they’ve delegated accountability to their suppliers for their firm’s operation; that’s a big statement to make, i.e. ‘we are going to close our eyes and hope they’ve got it under control’.

The issue is compounded as many IT teams in firms are currently overwhelmed. They were historically tasked with maintaining operations but are now also burdened with managing numerous transformation projects post-COVID, along with a vast information security landscape to get control of. Many are really struggling, yet the board won’t assign the necessary focus or budget to really get hold of it.

Conclusion

Professional services firms must urgently re-evaluate their approach to IT security, transitioning from outdated perceptions to a holistic, board-level governance model. This shift is critical not just for the integrity of their IT infrastructure but for the survival and competitiveness of the firm in an increasingly digitized and threat-prone world.

Resolution

In response to the demands of professional service firms, QuoStar’s CISO service has been built to manage all of the key areas highlighted, from the ground up. It’s a comprehensive support service to give the IT team and the firm’s board real confidence that they are managing cyber security appropriately and effectively. In addition, it delivers:

  • Ongoing senior IT security leadership and guidance.
  • IASME or ISO 27001 implemented and managed (if desired).
  • The ability to effectively manage and respond to cyber-security threats.
  • A defined, ongoing roadmap for cyber-security protection.
  • All key documentation, policies and processes agreed and in place.
  • All key parties engaged in security standards implementation.
  • An overall definition of cyber-security strategy and tactics.
  • All key stakeholders understand the business objectives.
  • The ability to formally evidence management of cyber-security.
  • Continual review & evaluation of the threat landscape to control your risk profile.

Schedule a complimentary review with a CISO.