We spoke with Chantal Constable, Head of Financial Services and Insurance at NCC Group, about the most common cybersecurity myths, mistakes, and must-dos for regulated firms.
With more than a decade in financial tech and cybersecurity, Chantal has a front-row seat to the day-to-day challenges of keeping sensitive client communications secure.
In this episode of the podcast, we look at how businesses can reduce cyber risk without adding frustrating layers of friction for employees and customers.
Why Cybersecurity Shouldn’t Be Left to the IT Team
Many companies think cybersecurity is purely an IT function, but as Chantal emphasises, it’s everyone’s job.
If you’re handling client data – even if you’re not technical – you still have responsibilities.
From taking time to verify email recipients to using approved messaging channels, everyday habits can reduce or increase cyber risk.
"We’re not just protecting businesses, we’re protecting everyday people’s transactions.
So, each person in the firm needs to play their part."
– Chantal Constable, NCC Group
Common Slip-Ups When Handling Client Information
Even with robust tools, human error remains the biggest vulnerability.
Chantal sees several repeat mistakes:
- Sending sensitive information to the wrong email address. Always pause before hitting “Send.”
- Forgetting to BCC in group emails. This small oversight can leak personal data to unintended recipients.
- Reusing passwords, or putting the password in the file name of the document it protects. Attackers can guess or intercept these easily.
- Believing deleted emails are gone forever. Data often remains on backups and can still be accessed.
"These mistakes happen fast. People rush through their day, and a single click can compromise customer data.
Slow down. Think before you click."
– Chantal Constable, NCC Group
Busting Cybersecurity Myths
Some of the biggest myths revolve around what people assume is ‘secure enough.’
Here are a few Chantal wants to clear up:
- Myth: Password-Protected Documents Are Always Safe: They’re often not. If you use the same password repeatedly, it only takes one slip for an attacker to unlock everything.
- Myth: Company Email Is Automatically Secure: It can be intercepted or spoofed, so basic caution, like verifying unexpected links, still applies.
- Myth: Phishing Only Happens via Suspicious Bulk Emails: Cyber attackers now tailor emails with personal details to trick you into sharing confidential information.
Hidden Email Risks
Email is still the go-to for professional interactions, yet it’s an ever-popular target for hackers.
Even seemingly harmless habits, like forwarding an internal thread to a client, can expose sensitive details.
Chantal stresses the importance of reading each email carefully before sending and using encryption whenever you’re sharing confidential data.
Instant Messaging and Password-Protected Files: Are They Really Secure?
Financial advisers, wealth managers, and insurance professionals often swap key documents via instant messaging apps or password-protected attachments.
But as Chantal explains, convenience can backfire.
"People assume a messaging app is locked down.
Or they trust that a password on a file is enough.
But without true encryption and the right file-sharing policies, you could be taking more risk than you realise."
– Chantal Constable, NCC Group
GDPR and Compliance: Where Companies Slip Up
Regulations like GDPR are designed to keep businesses accountable for client data.
Yet many still fall short by:
- Retaining client data longer than necessary.
- Failing to fully honour opt-out requests.
- Assuming deleted files are truly gone when they are still stored on backups.
"GDPR isn’t just about avoiding fines.
It’s about respecting your customers’ rights to privacy."
– Chantal Constable, NCC Group
Phishing and Deepfakes: How to Verify Identities
Scammers use phone calls, emails, and now hyper-real deepfakes to trick people into thinking they’re communicating with a trusted colleague or client.
Chantal suggests verifying identities through a second channel or by asking for non-public information.
If you get a suspicious email from your CEO, for example, call their direct line or use a secure, in-house messaging tool to confirm the request.
New Threats on the Horizon
Beyond deepfakes, attackers are constantly refining ways to intercept data, exploit software vulnerabilities, and orchestrate elaborate social engineering attempts.
Chantal points out that criminals work as part of organised networks – there’s a lot of money at stake, so the attacks keep evolving.
Keeping your software patched and staying informed about the latest scams is vital.
Making Security Training Engaging
Security training often feels dull, yet staff engagement is the difference between ticking a box and fostering real awareness.
Chantal recommends bite-sized modules, gamified tools, and real-life stories of breaches to keep people interested.
More importantly, internal trainers should highlight the actual consequences of mistakes, such as exposing a client’s bank details, to drive the message home.
Three Simple Steps to Improve Security Now
For financial professionals handling sensitive data every day, Chantal offers three straightforward tips:
- Slow Down and Verify: Whether it’s an email address, a payment request, or a file attachment, take a moment to double-check.
- Use Approved Channels: Don’t switch to personal apps or shortcuts that bypass company protocols.
- Report Anything Suspicious Immediately: A quick heads-up to your IT or security team can stop a threat before it spreads.
"Building a culture of security means making safe practices second nature.
It’s less about piling on extra steps and more about getting everyone to pause and do a quick mental checklist before hitting send."
– Chantal Constable, NCC Group
FAQs
Why Is Cybersecurity Everyone’s Responsibility?
Even the best security tools can’t stop human error.
When staff understand how to spot risks and take basic precautions, it dramatically reduces the chance of a data breach.
Are Password-Protected Files Safe Enough?
Not really. Attackers can crack simple or repeated passwords.
Using a dedicated secure email or encryption solution is far more reliable.
How Do I Spot a Deepfake?
Check for unnatural movements, mismatched lip sync, or awkward pauses.
If in doubt, verify identity via a second, trusted channel – like an internal phone call.
What If My Company Uses Legacy Systems?
Legacy technology can be secure if properly patched and monitored.
Prioritise updates, segment systems, and conduct regular assessments to spot vulnerabilities.
How Can We Make Security Training Less Boring?
Use real-world examples and interactive scenarios so people see the real impact of a breach, rather than just reading static slides.
Reviewed by
Sam Kendall, 31.03.2025
NCC Group, 24.03.2025