ICAEW.com works better with JavaScript enabled.
This episode discusses the findings of the government’s Cyber Security Breaches Survey, how hybrid working is affecting the taxation of greener forms of transport, and the release of public finance figures for April 2023.


Philippa Lamb 


  • Ian Pay, Head of Data Analytics and Tech, ICAEW
  • Steve Wade, Partner, People Advisory Services, EY
  • Martin Wheatcroft, adviser and Fellow, ICAEW


Philippa Lamb: Hello and welcome back to the Insights podcast. I’m Philippa Lamb with a month’s key developments in accountancy. This time we’re looking at new cyber security guidance for SMEs, how taxation is being used to incentivise green travel, and the UK’s fiscal position with the news that April’s deficit was the second highest since records began. Why did it hit £26bn? What does it mean? And what can we expect next time? Joining us today we have Ian Pay, ICAEW Head of Data Analytics and Tech, Steve Wade, EY Partner in People Advisory Services, and Martin Wheatcroft, ICAEW advisor and Fellow. Hello, everyone, thanks for being with us. Ian, let’s start with cyber security. We’ve got the government’s new cyber security breaches survey, can you just run us through the main findings?

Ian Pay: The findings are broadly in line with previous years, there’s been a slight fall in the number of reported cyber breaches in businesses over the last year or so. and that’s mainly driven by a lower number in smaller businesses and charities. Over half of medium and large businesses have reported a cyber attack in the last 12 months, but that is a little bit lower at the smaller business end. And there’s a number of potential reasons for that, which may be worth exploring.

PL: Well, yes, it may be fewer breaches, or it may be less monitoring and logging. Which do you think it is?

IP: There’ll be a number of reasons why smaller businesses are reporting fewer attacks, and part of that may be that they are being targeted less, but part of it is also that they’ll be less aware of those attacks. Another story that’s coming out of the report is that smaller businesses are placing less priority on cyber security, and if you’re placing less priority on something, then you are perhaps less aware of when things are happening in that space. There is one other factor to consider, which is around the third party and supply chain piece. A lot of businesses are not necessarily looking at their supply chain risks from a cyber security perspective – only one in five businesses are actually reviewing their cyber risks in the supply chain. If you’re heavily relying on the third parties for your software services, then you may not be aware of when breaches are happening in that supply chain.

PL: Just circling back to that thought you had about the possibility that there are actually fewer breaches on smaller businesses, why might that be? Is it just the criminals setting their sights higher? Because the actual average cost of a breach is very low, isn’t it, about £1,100?

IP: Yes, that’s the number quoted in the NCSC’s report. And it’s worth emphasising that that is an average, it may be that a breach costs less than that but there is also a risk that a breach costs substantially more than that. I would say criminals are probably looking for the high-value, high-prize areas. It’s worth saying that there are a lot of nuances in the report, so when we look at charities, for example, or in the public sector, smaller public sector organisations are at very, very high risk of attack, because some of the data that they’re holding, potentially very sensitive information, can be very valuable for exploitation for ransomware.

PL: What do you think the reasons are, if it is the case? Are smaller businesses just not paying as much attention to cyber security as they were before?

IP: Unfortunately, it has to come down to the environment that we’re in at the moment, the cost-of-living crisis, inflation concerns. There’s only so many hours in the day and ultimately, business owners need to focus on what matters most, and what matters to most of them at the moment is ensuring that they can stay in business. So cyber security probably just falls down the priority list a little bit there.

PL: The cost has risen, isn’t it? Am I right in thinking there’s a national shortage of cyber security experts?

IP: Yes, it’s really, really difficult to recruit cyber specialists at the moment. A lot of large organisations have been talking about the challenges in getting good quality candidates through the door. So, it is a really, really tricky one for smaller organisations to get the level of expertise and get access to the level of expertise. Simple economics means that it costs more to get that in.

PL: Thinking about that interesting point you raised about supply chain, what’s the advice there?

IP: I think very simplistically, the advice on your supply chain cyber security is to have those very open conversations with your supply chain and try and understand. Review your supply chain, review the risks and be as aware as you can. It’s very difficult to influence change in that supply chain, but if you are aware of it, then that’s the beginning of being able to do something about some of those risks.

PL: Presumably difficulty arises because smaller companies may be dealing with smaller supply chain companies, so you’ve got a multiplication of the problem?

IP: Yes, you have diminishing returns as you work your way down the chain. It can be very difficult to impose anything on a contractual basis, but it’s trying to instil the good practices in your supply chain, trying to encourage your supply chain to do as you do, and hopefully you’re also following best practices as well. That may be the route to go down.

PL: So it’s a collaboration?

IP: Yeah, so really seeing your supply chain as partners in the defence against cyber criminals.

PL: Thinking about SMEs more widely, what would be your simple steps for significantly reducing risk, bearing in mind what you’ve said about cost.

IP: A lot of the basic-level cyber hygiene is actually free to implement. We’re talking about things like good password policies – that’s around the complexity of passwords, the expiry of passwords, just ensuring employees are aware of how to manage passwords effectively. Using multifactor authentication where you can, and that is getting an SMS code on your phone when you log in. Google are moving away from passwords entirely to what they call pass keys, which is a very secure way of logging into your Gmail or other Google-based systems. So that’s freely available for a lot of people now. Applying software updates is another really, really key area that doesn’t cost anything to do, just making sure that you are keeping on top of the software updates on your mobile devices, on your laptops and your desktop computers to ensure that all those security patches are being installed as and when they’re available. And really simple things like firewalls and antivirus packages, a lot of home and business broadband will include these as standard now, so really making sure that they’re switched on and being kept up to date. And lastly, the education and awareness piece where you have employees is often one of the best defences. Phishing attacks are the most common type of attack by a very, very significant margin. The best way to guard against phishing attacks is just to be aware of what to look out for.

PL: And there’s guidance on this, isn’t there, on the ICAEW website?

IP: Yes, on the ICAEW website, we have recently updated some guidance, we’ve got a 10-step guide to good cyber security, including a number of different points and some advice and a checklist as well. That will hopefully give you some pointers as to the sorts of things you should be thinking about to have that really robust cyber environment. And none of these steps are at a significant cost or administrative burden, necessarily.

PL: That’s great. Thanks very much Ian. Now, Steve, green travel, can you just briefly remind us of the main ways that tax is currently used to incentivise it?

Steve Wade: One at the moment is electric cars, because they get very good tax benefits. Another one is the cycle-to-work scheme, where employers can provide bicycles for commuting to work. And a lesser known one is that in certain circumstances, public transport can be basically subsidised by employers. But that’s in very specific circumstances.

PL: Thinking about the cycle-to-work scheme, that’s been a bit of a victim of the pandemic, hasn’t it, the hybrid working? So, the issue here, I think, is that the employee is supposed to use the bike for more than half of qualifying journeys, is that right?

SW: That’s right, and a qualifying journey is basically a commuting journey. And of course, during the pandemic, commuting to your study or your kitchen table wouldn’t count. But fortunately, the government relaxed the rules during the pandemic, so that you didn’t have to make that qualification. But without the pandemic, the rule’s now back in, and employers find it extremely difficult to police and monitor. I think there is an argument that as part of the reason it was brought in was to make people fitter. There are some costs that were quoted by the government that inactivity costs the NHS £1bn a year, and further indirect costs of £8.2bn, so cycle to work was seen as a way of getting people fitter. So, I think there is an argument that we should just have a bike scheme to help people get fitter and remove the qualification because it’s so difficult to police.

PL: Yes, absolutely, I understand exactly what you’re saying. Is there a sense that the government’s likely to review these restrictions? Because obviously hybrid, it’s here to stay, isn’t it? People are not going to make those qualifying journeys.

SW: Hybrid working is definitely here to stay, and I do think there needs to be a review of hybrid in general, because the current tax rules were not really designed for this way of working. And it’s a big problem across the tax system, or rather across the employment tax system, because even, for example, whether you’re an employee or not goes back many years and is based on case law. But the old test is whether you are in a servant-master relationship, basically, and that doesn’t fit with modern working anyway, even if you’re an employee. That’s not really how business works these days. Then you add on the fact that people can quite often choose when to work at home and when not to, ok, there may be some parameters around that, but quite a lot of people now have very flexible work schemes. And the distinction between them and someone self-employed from their working patterns has perhaps disappeared quite a lot. It’s no longer so rigid. There are, of course, still some big differences, which is, as an employee, in general, you’re unlikely to make a loss at work, whereas a self-employed person on a piece of work could make a loss. But remote working has really shook up the tax system, and it really does need a review.

PL: These are interesting thoughts, because I was thinking about green company cars. Presumably hybrid isn’t such an issue there, because they weren’t really ever about travel to and from work. But there are other issues there now aren’t there?

SW: There are, and in certain cases, if you have a car for work, depending on where you work, a purely electric car perhaps wouldn’t suit you because you might be in an area of the country with very few charging points, for example. Or you might need to travel extreme distances, and you don’t really want to wait for it to charge up. So, it depends on your circumstances, how useful an electric car is. But certainly as a perk car, it’s very good now for employees, because it has no carbon emissions, which means you can combine the provision of the company car with salary sacrifice, and what’s known as the OPRA rules do not apply. They do apply to cars that are not ultra-ow emission vehicles, and what they mean is the car benefit rules are altered so that is the higher of the normal car benefit, or the amount of the salary you’ll sacrifice. But that doesn’t apply to an electric car, so you can save on national insurance and tax by sacrificing. You do then get a car benefit, but the car benefit for electric cars is currently 2% of the list price, and it is increasing, it’s going to be 5% in 2027-28. The government fortunately realised that car schemes usually have leases of a number of years, maybe two, maybe three, and so they publish the rates in advance. And although if there was a national emergency or something like that, they can change them, or they might want to change them in that situation, but they don’t really change them once they publish them unless they have a very good reason to.

PL: And 5% is still far, far lower than non EVs, isn’t it?

SW: Yes, if it’s a non-EV, it could be up to 37%. So that’s quite a difference and quite a saving.

PL: Just thinking about charging that you mentioned earlier, what’s the tax situation if the employer pays for that?

SW: It’s a matter of debate at the moment with the revenue. I think it’s true to say the tax profession believes that the legislation is quite clear, and that is if it’s a company car that’s been charged up – whether at home or elsewhere, it doesn’t matter – and the employer’s paying for it, because the way the legislation is written, electricity isn’t a fuel. It might power the car, but it’s not a fuel for the purposes of the fuel benefit. So you don’t get a fuel benefit charge, so it’s tax free. It’s different if it’s your own car and you’re being reimbursed for the cost of the electric there. Then it would depend on whether you could show that the reimbursement was purely for business purposes.

PL: So it sounds as if the legislation has some catching up to do across the piece here?

SW: Yes, I think it does. Certainly, we would like clearer guidance on the revenue about the fact that isn’t the fuel charge when it’s a company car.

PL: On commuting costs more generally – they’re generally not deductible here in the UK, but that’s not the case in some countries abroad, is it?

SW: No, some countries do give relief for commuting. I would love commuting by train, for example, to be tax deductible, because I commute into London and I live quite a way away, so I have a bias to that. The problem is any changes to the rule would come at great cost to the exchequer, and it’s unlikely that they would go all out and give all commuting costs tax relief. That said, there is a problem – and hybrid working has made this worse – which is before hybrid, most people had one place of work, in the jargon it’s known as their permanent workplace. And so it’s clear what your commute is. But if you have temporary workplaces, which are defined in the legislation, you can effectively get relief for travelling to that workplace. But with hybrid, it’s sometimes now quite difficult to determine where someone’s permanent workplace is, and where someone’s temporary workplace is. So I do you think the rules need to be revised due to the fact that the old way of working, certainly for many office workers, has now changed, and it’s not always clear what is a commuting journey and what is not a commuting journey.

PL: Thanks, Dave, you raised some really interesting points there, food for thought. And finally, Martin, the deficit. April’s was bigger, it was the second highest since records began. Why was that?

Martin Wheatcroft: Well, there’s quite a few reasons. It’s normally quite difficult to say much after just one month of the financial year. Normally, I would hesitate to comment on the public finances just after one month’s data. But on this occasion, yes, we can say quite a few things. The first thing is that interest costs have continued to rise, and that’s definitely feeding through into that number. Debt is very high, and so higher interest rates equals higher debt interest. But also inflation, which is continuing to persist a lot more than people were expecting, that’s driven up the interest that’s payable on index-linked debt that the government uses, which is linked to RPI. And so that’s a big, big impact on this month’s numbers.

PL: So does that suggest, then, that we should see those numbers improve later in the year?

MW: Yes, we should. Well, interest rates are likely to remain high for some time, and they could go higher, but certainly as inflation starts to come down…

PL: And energy prices, presumably?

MW: Yeah, so the other big driver is energy prices, and we have the energy price guarantee – that’s part of the costs that the government is recording. And the good news is that guarantee won’t be necessary from July onwards, when electricity prices start to come down below that guarantee level, and therefore the cost to the government will reduce. So that’s positive.

PL: Do we know by how much, Martin?

MW: Well, it’s running about £4bn a month, so it’s not huge-huge, but it is substantial. And the fact that it’s going to end in July, when energy prices come down below the guarantee level, is positive news for the public finances, as that will cap the amount around £12bn for the first quarter, and then cease thereafter. But what we also have is some positive economic news in the form of high migration numbers. That will benefit the exchequer by having more taxpayers, people coming in to do jobs. Whatever you think of migration more generally, that is certainly the impact of having more people arriving.

PL: Am I right in thinking student numbers play quite heavily into that?

MW: They do, there’s quite a lot of students in the migration numbers, and of course, they’re bringing in money – fees to the university and spending while they’re living in the UK. So again, that’s positive, higher education is one of our bigger export earners.

PL: But we’ve got this recent announcement from government that they’re going to bar them from bringing family with them. Well, most of them.

MW: Yes. And that will help reduce the flow and mean that this positive news – at least positive from a public finance perspective – probably won’t persist as far and it will present some issues for the higher education sector.

PL: I think that kicks in next year, doesn’t it?

MW: I suspect it will start to affect numbers in the autumn because the news as much as the when the rules come into place will be quite as important. There are some quite substantial uncertainties as well that could go in the other direction of being bad for the public finances. Clearly, we’ve still got a lot of pay disputes going on, so pay settlements are likely to hit the public finances, including some backdated claims to the last financial year.

PL: And one-off payments, presumably, as well?

MW: And one-off payments that haven’t yet been reflected in the numbers. And as we said earlier, interest rates going up – if they do go up an extra percentage point compared with where they are now that will have quite a big impact.

PL: So how do you think we might see fiscal policy change as a result of this?

MW: It’s only one month’s numbers, so we’ll see how the rest of the year develops. One potential impact is that the chancellor, and the government more widely, are very keen to announce some tax cuts ahead of the next general election. And whether that happens this autumn, or may be put off until next spring in the hope of better numbers coming through, we’ll have to see. The challenge there is what happens after the general election as which party takes power. It is quite traditional now for the first budget after a general election to be a tax-raising budget. And that seems increasingly likely that there will need to be tax rises after the next general election.

PL: Yes. I’m sure a lot of conversations going on at Whitehall about this right now. Martin, thanks really, really helpful. Martin, Ian, Steve, thank you all, great roundup of the month. You can find more information on the topics discussed today by digging into the show notes for the episode. Make sure to also sign up to daily, weekly or monthly newsletters from ICAEW Insights. That way you’ll get the latest accountancy news direct to your inbox but at your preferred frequency. Later this month Chatham House CEO Bronwen Maddox will return to chair a special episode on tax policy and the UK’s changing social contract between government and citizens. And you can join me for an In Focus podcast discussing whether the practicalities around ESG are just becoming prohibitively costly for SMEs. Meantime, I’ll end with my regular request for you to rate, review and share this episode if you found it helpful, and subscribe to ICAEW Insights on your podcast app. Thanks for being with us.