ITstuffed

Before and After a Breach: How to Think About Your Cybersecurity Strategy

Your practice manager arrives at work on a Tuesday morning to find that a staff member received a suspicious email overnight, clicked a link, and entered their login details before realising something was wrong. Now no one knows what was accessed, what was exposed, or what to do next. The phone calls start. The panic sets in. And the question nobody wants to answer is: were you ready for this?

Most small professional services businesses in Canterbury have some cybersecurity measures in place. Antivirus software, maybe a firewall, a password policy that staff follow about half the time. But there is a difference between having a few tools and having a strategy. A genuine strategy covers two things: what you do to stop an incident happening, and what you do when one happens anyway. Security professionals call these two phases prevention and recovery. If you have only thought about one of them, you have a gap.

Prevention is everything that happens before a breach. It includes making sure staff can recognise a phishing email - which remains the most common way attackers get into a business. It includes controlling who has access to what, so a compromise of one staff account does not expose your entire client database. It includes keeping software updated, because outdated systems are one of the easiest targets for attackers. And it includes getting a security audit done periodically, so you know where your weak points are before someone else finds them. If you handle sensitive client data - health records, legal files, financial information - the stakes of getting this wrong are higher than most.

Recovery is everything that happens after something goes wrong. This is the part most businesses have not thought through. A good recovery posture means having a written incident response plan - not a vague idea, but an actual document that tells your team who to call, what to contain first, and how to communicate with affected clients. It means having data backups that are tested regularly, not just assumed to exist. And it means knowing your obligations under the NZ Privacy Act 2020, which requires you to report certain breaches to the Office of the Privacy Commissioner at privacy.org.nz. Failing to notify when you should is a compliance problem on top of a security problem.

The businesses that come through a security incident with the least damage are not necessarily the ones that prevented everything. They are the ones that knew what to do next. They had a plan, they had their data backed up, and they had an IT team that could respond quickly. That combination - solid prevention and a tested recovery plan - is what a mature cybersecurity approach looks like for a business your size. For a broader view of where to focus, the steps that reduce your data breach risk are a useful place to build from.

If you are not sure which of these two areas needs the most attention right now, that is a reasonable place to start. Talk to whoever manages your IT support and ask them directly: if someone clicked a phishing link today, what would happen next? If the answer is uncertain, that tells you something important. Attacks of the kind that quietly work through your whole team at once are exactly the scenario a tested plan is designed to handle. For professional services firms looking for IT support built around practice-specific needs, that is the right conversation to be having now.

ITstuffed works with professional services businesses across Canterbury on exactly this kind of setup. A 15-minute IT Fit Check is a good way to find out where you actually stand.