Employment Documentation Is a Breach Readiness Control
Breach readiness does not start with the alert. It starts in the employment contract, the staff handbook and the policies that tell people what they are responsible for. Mark Fermor on why vague duties become the firm's problem.

Mark Fermor
Director & Co-Founder, Firevault

Breach response is often treated as something that starts after an incident. In practice, part of breach readiness starts much earlier. It starts with whether people understand their responsibilities before anything goes wrong.
Breach readiness starts before the breach
Most organisations treat breach response as something that begins when the alert fires. The plan sits with security. The playbook sits with legal. The retainer sits with an incident response firm. All of that matters. None of it addresses the months before the alert, when the people inside the business are quietly deciding, day by day, how carefully to handle information they were never explicitly told to protect.
If the documents that govern that behaviour are vague, the response will be vague too.
What the paperwork should actually say
Employment contracts, staff handbooks and internal policies should make it explicit how employees are expected to handle confidential information, how to report suspected incidents, which systems are approved for what work, and how to protect business data day to day.
Not a single clause buried on page forty. Named systems. Named data categories. Named reporting routes. Named consequences. A member of staff should be able to read the relevant section and understand, without a lawyer beside them, what they are allowed to do and what they are not.
Why this matters most in professional services
Legal, accountancy, wealth management, consultancy and advisory firms sit on client files, financial records, legal documents, identity data and commercially sensitive material every day. The person opening those files at nine in the morning is often the same person the regulator asks about at the enquiry.
When duties are vague, the firm carries the consequence. The regulator does not accept "we assumed they knew" as a control. Neither does a client whose confidential matter has ended up somewhere it should not.
Policies do not replace technical controls
To be clear, a handbook clause is not a substitute for security engineering. Physical severance, offline storage and role-based access controls limit what can be reached in the first place. That is the ceiling on the damage.
Documentation limits what people are permitted to do with what they can reach, and creates the accountability trail when something goes wrong. One without the other is half a control. Technical controls without documented duties leave you unable to attribute anything after the fact. Documented duties without technical controls leave the duties unenforceable.
The Firevault position
If a person has access to the crown jewels, their duties should not be vague.
The archival copy of client data, matter files, financial records and identity information should live on infrastructure that most staff cannot reach at all. The small number of people who can should have named, documented, auditable responsibilities for handling it. Firebreak enforces the technical severance at the network layer. The handbook enforces the human one on the desk. Both are required, and neither is optional in a professional services setting.
Mark Fermor, co-founder of Firevault, puts it plainly. The firms that recover well from an incident are the ones that already knew, on paper, exactly who was responsible for what. The firms that struggle are the ones still working out the answer in the middle of the fire.
What to review this quarter
- Check that the employment contract references confidential information handling in specific terms, not generic boilerplate.
- Check that the staff handbook names the approved systems and the incident reporting route, and that both are current.
- Check that access to the most sensitive archives is limited by role and documented per named individual.
- Check that leavers are removed from those systems the same day their notice ends, and that this is logged.
- Rehearse an incident where the first question is "who had access to this data on this date" and see how long the answer takes.
If any of those checks take more than a few minutes to satisfy, the paperwork is doing less work than it should be. Fix that before you need it.
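The checks above only take "a few minutes" if the access register is structured data rather than a memory. An added example, not Firevault code (the archive names, people, roles and dates are constructed), showing a per-individual access register that answers "who had access to this archive on this date" and flags leavers whose access outlived the day their notice ended:

```python
from datetime import date

# Constructed access register: one row per grant, naming the individual,
# the archive, the role under which access was given, and the grant/revoke dates.
ACCESS_REGISTER = [
    {"person": "A. Patel", "archive": "client-matter-archive", "role": "records-manager",
     "granted": date(2023, 1, 9), "revoked": None},
    {"person": "B. Okafor", "archive": "client-matter-archive", "role": "partner",
     "granted": date(2022, 6, 1), "revoked": date(2024, 3, 4)},
    {"person": "C. Lindqvist", "archive": "finance-records", "role": "finance-lead",
     "granted": date(2023, 11, 20), "revoked": None},
    {"person": "D. Moreau", "archive": "finance-records", "role": "contractor",
     "granted": date(2024, 1, 2), "revoked": None},
]

# Constructed leaver log: the date each leaver's notice ended.
LEAVERS = {"B. Okafor": date(2024, 3, 1), "D. Moreau": date(2024, 4, 30)}


def who_had_access(register, archive, on):
    """Named individuals able to reach `archive` on the date `on`.

    A grant counts if it started on or before `on` and was not yet revoked
    (a revocation dated `on` means access was gone that day).
    """
    return sorted(
        r["person"] for r in register
        if r["archive"] == archive and r["granted"] <= on
        and (r["revoked"] is None or r["revoked"] > on)
    )


def late_removals(register, leavers):
    """Leavers whose access was not revoked on the day their notice ended.

    Returns (person, archive, notice_end, revoked) tuples; revoked is None
    when the access is still live.
    """
    findings = []
    for r in register:
        end = leavers.get(r["person"])
        if end is None:
            continue  # not a leaver
        if r["revoked"] is None or r["revoked"] > end:
            findings.append((r["person"], r["archive"], end, r["revoked"]))
    return findings


if __name__ == "__main__":
    print(who_had_access(ACCESS_REGISTER, "client-matter-archive", date(2024, 2, 15)))
    for f in late_removals(ACCESS_REGISTER, LEAVERS):
        print("late removal:", f)
```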