Skip to content
The Cadarn IT team

Five Cyber Security Wins Your Practice Can Action This Week

Five practical, low or no cost cyber security wins a North Wales accountancy practice can action this week, from MFA to a one page incident plan.

  • Security
  • Quick Wins
An accountant working securely at a desk with a laptop and notepad

January is busy enough without a security scare. For an accountancy practice, the data you hold is exactly what criminals want: client names, National Insurance numbers, bank details, tax records, payroll. The good news is that some of the most effective protection costs little or nothing, and you can put it in place this week between client calls.

Here are five practical wins, each reframed for a small North Wales practice. None of them needs a big budget. Most need an hour or two and a decision to actually do them.

1. Turn on MFA everywhere, starting with Microsoft 365

If you only do one thing, do this. Multi factor authentication (MFA) adds a second step after the password, usually a code or a prompt on your phone, so a stolen password on its own gets nobody anywhere.

That matters because phishing is still how most serious breaches start. A partner clicks a convincing email, types a password into a fake login page, and without MFA the attacker walks straight into the inbox. With MFA switched on, the password alone is useless.

How to action it

  • Start with Microsoft 365, since that is where your email and a lot of client correspondence lives.
  • Prioritise the accounts with the most access first: anyone touching email, payroll, banking or client data.
  • Then roll it out to the rest of the team.

Setting it up takes roughly half an hour, plus a few minutes per person to get everyone enrolled. It is the highest return security task most practices can do, and it is built into software you already pay for. Our cyber security and Cyber Essentials work always starts here.

2. Check what your insurer actually requires

Lots of practices have cyber insurance and assume they are covered. The detail is where it bites. Most policies now come with conditions: you may be required to have MFA, working backups, staff training and up to date software for a claim to be valid.

If you do not meet those conditions, a payout can be reduced or refused at the worst possible moment. It is also surprisingly common not to know the answer at all. In one survey, almost a quarter of business leaders were not sure whether they even had cyber cover.

How to action it

Send your broker a short email and ask three plain questions:

  • Do we have cyber cover, and what does it actually cover?
  • What security controls must we have in place for a claim to be valid?
  • Are there any conditions we are currently not meeting?

Save the reply somewhere you can find it. Now your insurance and your IT are pulling in the same direction rather than quietly contradicting each other.

3. Write a one page incident plan, before January needs it

Imagine client data is breached on the busiest week of self assessment season. Who do you call first? If the honest answer is “I would have to look it up”, that is the gap to close this week.

The first hour after an incident is the one that counts, and most small firms have nothing written down. A single printed page removes the panic and gets you moving while it still makes a difference.

How to action it

Put these on one page and keep a printed copy somewhere safe, separate from your network:

  • Your IT support contact (so help starts immediately).
  • Your insurance broker and policy number.
  • Your bank’s fraud line.
  • The ICO’s details, in case the breach is reportable.
  • Where your backups are and who can restore them.

It takes about three quarters of an hour. Keep it printed, because if your systems are down or locked, a file saved on those same systems is no use to anyone. If a real incident hits, fast clean recovery depends on the backups behind that plan, which is why we wrote a separate guide on backing up your practice properly.

4. Set simple rules for staff using AI tools

AI tools are now part of daily work, and that is fine. The risk is quiet and easy to miss: a team member pastes a client’s name, a contract or a set of figures into a public AI tool to speed up a task, and that information leaves your control. For a practice bound by client confidentiality and data protection duties, that is a real exposure.

You do not need to ban anything. You need a few clear rules so good people do not make an innocent mistake.

How to action it

Agree three short rules and share them with the team:

  • No client personal data goes into public AI tools without approval.
  • No confidential documents get pasted into public AI tools.
  • Anything going to a client or a regulator gets a human sign off before it leaves.

Write it down, tell everyone once, and pin it up. Most firms have not done this yet, so getting it sorted quietly puts you ahead.

5. Review your key software and data suppliers

Your practice trusts a handful of suppliers with serious access: your practice management and tax software, your payroll provider, your email and cloud host. If one of them is breached, the fallout lands on your reputation and your clients, even though the failure was theirs.

Very few small firms ever ask their suppliers about security. A short set of questions is enough to spot the weak link.

How to action it

Pick your three highest access suppliers and ask each of them:

  • Do you enforce MFA on accounts?
  • Are you Cyber Essentials certified?
  • How would you tell us if you had a breach?
  • Who is responsible for data protection on your side?

The answers tell you a lot, and asking the question often nudges a supplier to tighten things up. If Cyber Essentials keeps coming up and you are not sure where your own practice stands, our plain English guide to Cyber Essentials for accountancy practices walks through it.

Pick one and start today

None of these five wins needs new kit or a big spend. Turn on MFA, check your insurance conditions, print a one page incident plan, set three AI rules, and ask your key suppliers four questions. Do one a day and you will be in a noticeably stronger position by Friday.

If you would rather have a fresh pair of eyes confirm where your practice stands, a free Practice IT Health Check gives you an honest, jargon free picture of your backup resilience, security posture and any compliance gaps, with no obligation.

Frequently asked questions

Where should an accountancy practice start with MFA?

Start with Microsoft 365, then your payroll, banking and practice management logins. Roll it out first to anyone who handles client data, email or money, then to everyone else. The whole job usually takes well under an afternoon.

Does our cyber insurance really require MFA?

Many policies do. Insurers increasingly list controls such as MFA, working backups and staff training as conditions of cover. If you do not meet them, a claim can be reduced or refused, so it is worth asking your broker in writing exactly what is required.

Is it safe for staff to use AI tools with client information?

Only with clear rules. Client personal data and confidential documents should not be pasted into public AI tools, and anything going to a client or regulator needs a human to check it first. A short, simple policy keeps everyone on the same page.

What if a breach happens during the January self assessment peak?

That is exactly why a one page incident plan matters. When you are busiest, you do not want to be hunting for phone numbers. A printed list of who to call, including your IT support, your insurer and your bank, means you can act in the first hour rather than the first day.

Want this checked for your own practice?

Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.

Book your free Health Check

← Back to all guides

See where your practice's IT really stands

Book a free, no-obligation Practice IT Health Check, a plain-English, 15 to 20 minute review of your backups, security, compliance gaps and cloud-readiness. No jargon, no hard sell.