Regulated firms still lose client data through everyday communication mistakes - wrong recipients, weak file-sharing habits, and assumptions that standard email is safe enough.
On Regulated Digital Episode 16, Chantal Constable, Head of Financial Services and Insurance at NCC Group, breaks down the cybersecurity myths, mistakes, and must-dos that matter most when client communications are on the line.
With more than a decade in financial tech and cybersecurity, Chantal Constable works with regulated firms where a single misdirected email or rushed click can expose pensions, insurance, or banking data.
The practical goal is to reduce cyber risk without piling on friction that staff and customers will simply work around.
Why Cybersecurity Shouldn’t Be Left to the IT Team
Many companies still treat cybersecurity as a purely technical function. In regulated client services, everyone who handles data shares responsibility for how information is sent, stored, and shared.
If you work with client data - even without a technical role - you still need to verify email recipients, use approved messaging channels, and spot when a request does not look right.
The NCSC’s 10 Steps to Cyber Security framework treats people, process, and technology together. That matches how breaches often start: a normal business action, not a failed server.
"We’re not just protecting businesses, we’re protecting everyday people’s transactions.
So, each person in the firm needs to play their part."
Chantal Constable, Head of Financial Services and Insurance, NCC Group
Security culture shows up in whether people pause before they send, not only in what the security team buys.
"Firms can invest in strong controls and still lose client data through a rushed email. The gap is often habit - whether people verify, use approved channels, and escalate something that feels off."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Those habits matter most where client communications leave the firm every day.
Common Slip-Ups When Handling Client Information
Even with mature tooling, human error remains the biggest vulnerability in day-to-day client work.
These mistakes show up repeatedly across financial services and insurance teams:
Wrong recipient: Sending sensitive information to the wrong email address. Pause before you hit Send.
BCC errors: Forgetting to BCC in group emails can leak personal data to unintended recipients.
Weak password habits: Reusing passwords or putting them in file names makes interception or guessing easier.
False confidence in deletion: Deleted emails often remain on backups and can still be accessed.
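As an added example, not code from the episode, NCC Group or Mailock, the following Python pre-send check flags the first two slip-ups above: a recipient domain that closely resembles but does not match an approved client domain (likely wrong recipient), and several external domains visible in To/Cc where Bcc was probably intended. The approved domains and the sample message are constructed.

```python
"""Pre-send recipient checks for an outbound client email (constructed example)."""
from email import message_from_string
from email.utils import getaddresses
import difflib

# Assumption: the firm keeps a list of domains it is approved to send client data to.
KNOWN_DOMAINS = ("examplefirm.co.uk", "client-pensions.example")
INTERNAL_DOMAIN = "examplefirm.co.uk"

def recipient_domains(msg, headers):
    """Return (address, domain) pairs parsed from the named headers."""
    raw = [msg.get(h, "") for h in headers]
    return [(addr.lower(), addr.rsplit("@", 1)[-1].lower())
            for _, addr in getaddresses(raw) if "@" in addr]

def lookalike(domain, known, threshold=0.85):
    """Return a known domain this one closely resembles without equalling it."""
    for k in known:
        if domain != k and difflib.SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None

def check_outbound(raw_message):
    """Return warnings a sender should resolve before hitting Send."""
    msg = message_from_string(raw_message)
    warnings = []
    visible = recipient_domains(msg, ("To", "Cc"))
    # Wrong recipient: a near-miss on an approved domain is a typo or lookalike.
    for addr, dom in visible:
        near = lookalike(dom, KNOWN_DOMAINS)
        if near:
            warnings.append(f"wrong recipient? {addr} looks like {near} but is not")
    # BCC error: more than one external domain in To/Cc exposes addresses to all.
    external = {dom for _, dom in visible if dom != INTERNAL_DOMAIN}
    if len(external) > 1:
        warnings.append(f"BCC error? {len(external)} external domains visible in To/Cc")
    return warnings

# Constructed outbound message with one typo'd client domain and two external domains.
SAMPLE = """\
From: adviser@examplefirm.co.uk
To: jane@client-pension.example, bob@other-client.example
Cc: team@examplefirm.co.uk
Subject: Annual statement

Please find your statement attached.
"""

if __name__ == "__main__":
    for w in check_outbound(SAMPLE):
        print(w)
```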
"These mistakes happen fast. People rush through their day, and a single click can compromise customer data.
Slow down. Think before you click."
Chantal Constable, Head of Financial Services and Insurance, NCC Group
Most incidents in regulated firms still trace back to a small set of repeatable communication errors.
Busting Cybersecurity Myths
Some of the biggest gaps come from what teams assume is “secure enough” in everyday workflows.
Password-Protected Files and “Safe” Email
Myth: Password-protected documents are always safe. They are often not. Reusing the same password across files means one slip can unlock multiple attachments.
Myth: Company email is automatically secure. Messages can still be intercepted or spoofed. Unexpected links and payment requests still need verification.
Myth: Phishing only arrives in obvious bulk emails. Attackers now tailor messages with personal details to extract confidential information.
Email is where those myths do the most damage in day-to-day client work.
Hidden Email Risks
Email remains the default route for professional client contact - and a primary target for attackers.
Seemingly small habits matter. Forwarding an internal thread to a client can expose metadata, earlier messages, or attachments the recipient was never meant to see.
Read each message carefully before sending. Where confidential data is involved, use encryption and approved sharing routes rather than informal workarounds.
For higher-risk outbound messages, secure email and recipient authentication help firms keep email as the delivery channel while adding stronger access checks.
Instant Messaging and Password-Protected Files: Are They Really Secure?
Advisers, wealth managers, and insurance professionals often exchange documents through instant messaging apps or password-protected attachments because it feels faster.
Convenience can hide real exposure when encryption, policy, and channel approval do not match the sensitivity of the data.
"People assume a messaging app is locked down.
Or they trust that a password on a file is enough.
But without true encryption and the right file-sharing policies, you could be taking more risk than you realise."
Chantal Constable, Head of Financial Services and Insurance, NCC Group
Policy and tooling only help when the channel matches the sensitivity of what is being sent.
GDPR and Compliance: Where Companies Slip Up
Regulations such as GDPR exist to keep businesses accountable for how client data is handled. The ICO guide to data protection is a useful reference for what good practice looks like in the UK.
Retention, opt-outs, and deletion are where many firms still fall short in practice:
Retaining client data longer than necessary.
Failing to fully honour opt-out requests.
Assuming deleted files are gone when copies still sit on backups.
"GDPR isn’t just about avoiding fines.
It’s about respecting your customers’ rights to privacy."
Chantal Constable, Head of Financial Services and Insurance, NCC Group
Privacy rules are only as strong as the retention, deletion, and opt-out processes behind them.
Phishing, Deepfakes, and Evolving Attacks
Scammers use phone calls, email, and increasingly convincing deepfakes to impersonate colleagues or clients.
When a payment request or sensitive instruction arrives unexpectedly, verify through a second channel or ask for information only the real contact should know.
If a CEO email looks urgent, call a known direct line or use an approved in-house messaging route before you act.
Attackers also work in organised networks. There is serious money behind fraud, so social engineering and software exploitation keep evolving.
Patching, monitoring, and staying current on common scam patterns remain baseline defences. Research such as the IBM Cost of a Data Breach Report continues to show how costly preventable incidents can be for regulated businesses.
Making Security Training Engaging
Training only works when staff remember it under pressure. Bite-sized modules, gamified tools, and real breach stories often land better than static slide decks alone.
Trainers should spell out concrete consequences - such as exposing a client’s bank details - rather than abstract policy language.
Three Simple Steps to Improve Security Now
For teams handling sensitive client data daily, three habits make an outsized difference:
Slow down and verify: Check the email address, payment request, or attachment before you send.
Use approved channels: Do not switch to personal apps or shortcuts that bypass company protocol.
Report anything suspicious immediately: Early escalation gives security teams time to contain a threat.
Those three checks are simple, but they catch many of the mistakes that turn into client data incidents.
Before You Send Sensitive Client Data
Is the recipient address correct and expected?
Is this the approved channel for this type of data?
Does the request need a quick check on a second channel?
Building that rhythm into everyday work reduces the chance that speed becomes the reason data leaves the firm.
"Building a culture of security means making safe practices second nature.
It’s less about piling on extra steps and more about getting everyone to pause and do a quick mental checklist before hitting send."
Chantal Constable, Head of Financial Services and Insurance, NCC Group
For regulated teams, the useful test is whether everyday sending habits match the sensitivity of the data and whether staff follow the channels the firm has actually approved.
FAQs
Why Is Cybersecurity Everyone’s Responsibility?
Even strong technical controls cannot remove human error, so firms reduce preventable breaches when staff know how to spot risks and take basic precautions.
Are Password-Protected Files Safe Enough?
They are often weaker than teams assume because attackers can crack simple or repeated passwords, so approved encryption and secure sharing routes are more reliable for sensitive client documents.
How Do I Spot a Deepfake?
Check for unnatural movements, mismatched lip sync, or awkward pauses, and verify identity via a second trusted channel if anything feels off.
What if My Company Uses Legacy Systems?
Legacy technology can be secure if it is patched and monitored, with updates, segmentation, and regular assessments to spot vulnerabilities.
How Can We Make Security Training Less Boring?
Use real-world examples and interactive scenarios so people see the impact of a breach rather than only reading static slides.
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.