Q: Kerrie, what is the scale of the cyber threats Accountancy firms are currently facing?
A: It's far more extensive and sophisticated than many firms realise. In 2024 alone, there were approximately 8.6 million cyberattacks reported against UK businesses. It is only set to get worse; in fact, Suzanne Grimmer of the National Crime Agency has predicted that this year will be the worst year on record for ransomware attacks in the UK.
The threat landscape has evolved significantly; cybercriminals now operate with the precision and coordination of a well-organised business. It's no longer just about phishing emails - it's a comprehensive ecosystem of threats, including advanced ransomware and supply chain vulnerabilities. Accountancy firms, with access to large volumes of sensitive client and financial data, are highly attractive targets.
Q: Can you break down how that cybercrime ecosystem actually works?
A: Absolutely. It starts with 'stealers' - these are hackers who steal credentials and sell them to other cyber criminals to carry out the attacks. In February alone, there is evidence that at least 23 billion stolen logs were circulating on the dark web. Next in the chain, we have initial access brokers who break into networks and then sell the access they have obtained to ransomware gangs and their affiliates. Ransomware gangs develop sophisticated malware and licence this to affiliates, who use the malware to extort businesses. This licence model has significantly reduced the barrier to entry, meaning more and more cyber criminals are constantly entering the market.
Q: What are some of the most common types of attacks Accountancy firms are experiencing?
A: The most prevalent is Business Email Compromise - this is where criminals use phishing to gain access to a company's email system. Once inside, they monitor communications - particularly around payment instructions, payroll, or tax filings - and then intercept or manipulate invoices or client correspondence. They'll change bank details and trick clients into transferring funds to the criminal's account instead of the intended recipient. They also use stolen HMRC login credentials to make fake tax claims.
Then there's ransomware, which often has the most devastating consequences.
Q: OK, what kind of damage can ransomware cause?
A: At its worst, it can cause businesses to collapse and cease trading. Downtime of 3-4 weeks is the best-case scenario - but in most cases, firms are affected for months and years.
Criminals will also steal confidential client data and threaten to expose it unless a ransom is paid. According to the National Crime Agency, average ransom payments are in the region of £1.5 million.
Unfortunately, ransom payments are only one element of the consequences. On top of that, there are additional financial losses related to remedying the attack, lost revenue and cash flow implications - not to mention reputational damage, potential client lawsuits, regulatory penalties, and spiralling insurance premiums.
Q: What are the common mistakes Accountancy firms are making?
A: The biggest mistake by far is assuming their IT provider is also their cybersecurity expert. While IT teams can implement essential controls like multi-factor authentication (MFA) and antivirus software, they are not risk management specialists and seldom understand how cyber criminals behave. Unfortunately, this means vulnerabilities go unidentified and uncontrolled, subsequently allowing criminals to exploit those weaknesses.
It is a fact that in every cyber breach we have investigated, the firm had relied solely on its IT provider marking its own homework.
Other common mistakes are firms thinking they're too small to be a target, believing that cloud-based platforms are more secure than traditional server-based networks, and relying on the security of hosted cloud providers. Many of the attacks that we deal with here at Mitigo are aimed at small to medium-sized Accountancy firms who mainly operate in the cloud.
Q: Are regulators stepping up expectations too?
A: Absolutely. Obviously, accountancy firms must act in the best interests of their clients and keep sensitive financial information secure. They also have obligations under GDPR, with the Information Commissioner's Office (ICO) clamping down on firms that have experienced a data breach as a result of a cyber-attack - which, in turn, is due to negligent cyber risk management practices.
Additionally, the government has recently introduced the Cyber Governance Code of Practice, which outlines clear expectations for directors and partners regarding cyber risk management.
If you suffer a breach and can't demonstrate appropriate governance and controls, there will be severe consequences.
Q: Finally, if you had one piece of advice what would it be?
A: Get an independent cyber risk assessment carried out by cyber risk management specialists. In our experience, too many accountancy firms are reliant on their IT provider and are hoping they are secure.
Expectations are much higher now, with increasing pressure from regulators, not to mention the continued rise in cyberattacks.
It's time to start proving that you are secure.
Are you relying on your IT provider to keep you safe?
Mitigo works with accountancy firms across the UK to assess, manage and monitor their cyber risk - so they can protect their clients, their reputation, and their business.
Don't wait until it's too late.
Get in touch to arrange an independent cyber risk assessment.