What the Latest UK Cyber Survey Means for Practices
The UK government cyber survey shows breach rates stuck and phishing dominant. Here is what it means for your accountancy practice, plus three actions to take.
- Security
- Compliance
Each year the UK government publishes its Cyber Security Breaches Survey, a national stock-take of how British organisations are coping with online threats. It is one of the few sources of hard data rather than scare stories. For a small accountancy practice, the headline numbers are worth a few minutes of your time, because they describe exactly the kind of risk your firm carries every working day.
Your practice sits on a concentrated pile of the most sensitive data there is: client bank details, tax references, payroll, identity documents and the trust that comes with handling all of it. The survey does not single out accountants, but read through that lens, three findings stand out. Here is what each one means for a practice your size, and one concrete thing to do about it.
Finding one: the breach rate is stuck
The survey found that 43% of UK businesses reported a cyber breach or attack in the past twelve months. That figure has held steady for three years running. It is not falling.
That last point matters more than the headline. A stubborn number tells you the threat is not a passing wave that will recede on its own. Attackers are not getting bored, and the firms getting hit are not all careless. The risk has settled into a permanent background level that every business has to manage continuously.
What it means for your practice
If roughly two in five businesses are affected in a single year, a small practice is not too small to be on the list. Attackers rarely target a named firm; they cast wide and let automated tools find whoever has a gap. A January self-assessment crunch, a member of staff working from home, an ageing server quietly missing updates: these are the openings.
One action to take
Treat security as routine maintenance, not a one-off project. Put a recurring date in the diary, quarterly is sensible, to review the basics: who has access to what, which accounts still belong to people who have left, whether backups are actually running and whether software is up to date. A free Practice IT Health Check is a simple way to get an honest, plain-English baseline before you start.
Finding two: phishing is the main way in
Phishing dominates the survey. Among the businesses that reported any breach, phishing was involved in around 85% of incidents. It is, by a distance, the most common route through the front door.
Phishing is the fake email, text or message that tricks someone into clicking a link, entering a password or paying a fraudulent invoice. It works because it targets people, not machines. No firewall stops a member of staff from typing their password into a convincing copy of the Microsoft sign-in page.
What it means for your practice
For an accountancy firm, phishing is doubly dangerous. The obvious harm is an attacker getting into your email or systems. The second harm is invoice fraud, where a criminal who has read your mailbox sends a client a genuine-looking request to change bank details. That kind of loss damages client relationships as much as finances. We cover the mechanics in detail in our guide to invoice fraud and business email compromise.
One action to take
Do two things together, because they reinforce each other. First, switch on multi-factor authentication (MFA) on every account, especially email and your practice management software, so a stolen password alone is not enough to get in. Second, run short, regular phishing awareness sessions for all staff, including partners. People who know what a suspicious message looks like are your strongest defence. Our cyber security and Cyber Essentials service walks through both.
Finding three: most firms have no rules for AI tools
This is the newest finding, and the one most likely to catch a practice off guard. The survey found that among organisations using or exploring AI tools, only around a quarter had put any security rules in place around them. Most have none at all.
Staff are already using these tools. Someone might paste a client letter into ChatGPT to tidy the wording, or drop a spreadsheet into an online summariser to save time. Often nobody has decided whether that is allowed, and nobody knows where the data goes once it leaves your network.
What it means for your practice
For an accountancy firm this is a confidentiality and compliance issue, not just an IT one. Client financial data fed into a free AI tool may be stored on systems you have never reviewed and cannot control. That sits awkwardly with your GDPR obligations, your AML duties and the confidentiality your clients assume. It is also exactly the kind of governance gap professional bodies are starting to ask about. Our note on what ICAEW expects from practice IT and data security sets out the wider picture.
One action to take
Write a short, friendly AI use policy: one page, not a legal document. State plainly which tools are approved, and make the core rule simple: no client data, names or figures go into any AI tool that has not been checked and approved. Then tell the team it exists. A clear instruction prevents almost all of the accidental exposure, and it shows clients and your supervisory body that you have thought about it.
A worthwhile fourth note: who owns this
One more figure is worth a mention. The survey found that only around a third of business boards are meaningfully involved in cyber decisions, leaving most firms running on a quiet assumption that “IT will handle it”. In a small practice, the partners are the board. If security only ever lives with whoever is most comfortable with computers, it tends to drift. Naming one partner as the person responsible, even informally, keeps it on the agenda.
Pulling it together
The survey’s message for a small practice is calm rather than alarming. The threat level is steady and predictable, the main route in is phishing, and the fastest-growing blind spot is unmanaged AI use. None of the responses are expensive or technical:
- Review the basics on a regular schedule rather than once.
- Turn on MFA everywhere and keep staff phishing-aware.
- Write a one-page rule on AI tools and client data.
- Give one partner clear ownership of security.
These are also the foundations of Cyber Essentials, so acting on the survey moves you towards a recognised standard at the same time. If you would like to know where your practice stands today, our plain-English Cyber Essentials guide for practices is a good next read.
Frequently asked questions
Does the cyber survey apply to small accountancy practices?
Yes. The Cyber Security Breaches Survey covers UK businesses of all sizes, and the headline 43% breach rate includes small firms. Practices hold concentrated client financial data, so the findings on phishing and weak AI policies are very relevant to a small accountancy office.
What is the single most useful action from these findings for a practice?
Turn on multi-factor authentication everywhere and run short, regular phishing awareness for every member of staff. Phishing was involved in around 85% of breaches, and these two steps close the most common route in without needing a big budget.
Do we need an AI policy if staff only use free tools like ChatGPT?
Especially then. Free tools are the ones most likely to be used without oversight. A short written rule on what client data can and cannot be pasted into any AI tool protects client confidentiality and supports your AML and GDPR duties.
How does this link to Cyber Essentials and ICAEW expectations?
The survey findings map closely onto what Cyber Essentials certification and your professional body already ask for: controlled access, MFA, staff awareness and clear policies. Acting on the survey moves you towards both at once.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check