Deepfakes – AI-generated likenesses – have been big news in January, with Grok’s ability to generate fake images of people without their consent making international headlines and leading to significant regulatory scrutiny. ICAEW explored the ease with which deepfakes can be generated back in 2024, and as AI tools continue to evolve and become more sophisticated, so the threats associated with them increase.
Away from the big headlines, deepfakes have also been grabbing attention within the world of accounting and tax. Prominent tax lawyer Dan Neidle recently highlighted how he had been deepfaked on a YouTube channel, alongside several US-based tax influencers.
Fortunately, the videos were taken down after being flagged, and were relatively poor-quality deepfakes, but the episode highlights a new challenge for accountants and tax professionals seeking reliable and accurate sources of information. This is also increasingly true in the audit space, as noted by this recent article. Scepticism, particularly in regard to information that may be AI-generated, remains key.
Auditors’ key role in cyber defence
When a cyber incident takes place, particularly at a larger organisation, at some point the response to that incident will come under scrutiny from financial auditors. So it’s perhaps unsurprising that research, conducted last year by a group of academics from Macquarie University in Australia, appears to suggest auditors play a crucial role in improving the cyber defences of their clients.
Analysing audits and cyber incidents at over 2,800 US companies across a 16-year period, the research determined that auditors who dealt with a cyber incident at one client were typically much more likely to ensure their other clients had robust cyber controls.
The likelihood of identifying system weaknesses increased by 21% amongst auditors who dealt with a breached client. Equally, when the same group of auditors did not identify any IT control deficiencies, those clients were less likely to suffer a subsequent cyber breach. It goes to prove the important role that auditors have in performing a thorough review of their clients’ IT environments, including cyber risks.
Cyber incidents are having a huge impact
As news came out that the economy grew slightly more than expected in November, an unexpected explanation arose as to why: Jaguar Land Rover (JLR).
As covered in our September 2025 roundup, JLR experienced a significant cyber attack, halting production for several weeks. But its recovery appears to have resulted in a tangible boost to the UK economy. Roughly half of November’s 0.3% growth figure was attributed to a 1.1% rise in industrial output. More specifically, car production grew by over 25% compared to the previous month. While this news is positive for the UK economy, it’s a reminder that weaker economic performance through September and October was also at least in part due to JLR’s cyber incident.
Kensington and Chelsea Council’s cyber incident in November also continues to have an impact. This month, officials informed residents that their personal details may have been stolen in the attack.
Neighbouring Westminster Council and Hammersmith and Fulham Council were both also affected, through some shared services. Public sector organisations are particularly vulnerable to cyber criminals due to the legacy nature of many of their systems, and the value placed on the data that they hold.
Further details of the fallout of the incident are also starting to emerge through published cabinet minutes. Staff at the council only recently regained internet access on their internal network, while other council services may continue to be affected until the summer, with the collection of council tax and payment of suppliers also impeded.
Once again, cyber incidents don’t just impact the organisation that is attacked but can have a knock-on effect throughout the supply chain. Kensington and Chelsea, Westminster, and Hammersmith and Fulham have all provided details of the services affected on their websites.
It’s in this context that the UK Government has launched its Cyber Action Plan, with £210m of funding to deliver substantial change to the public sector’s cyber landscape and digital resilience, recognising that the digitalisation of public services also requires robust cyber defences to a far greater degree than ever before. Earlier this month we highlighted how the five delivery strands of the plan have relevance to organisations of all shapes and sizes.
Cyber criminals are changing their approach
Ransomware was big news in 2025. While it continues to be prevalent, a recent report from Symantec has shown how criminals are starting to move away from encrypting data and move towards far simpler theft and extortion.
Traditionally, once ransomware has infected a system, the software encrypts the contents of the system, making it totally inaccessible. A ransom demand is then sent, with the threat that if it isn’t paid, the data will be lost forever.
So-called “extortion-only” attacks work on the basis that the theft and public release of the data itself is of far greater significance to some organisations. This approach becomes popular as the intrinsic value of data gains recognition, and more organisations develop robust backup and resilience plans such that encryption of systems is less impactful. Given the complexity of the encryption/decryption process, it becomes appealing to criminals to simply skip this step and jump straight to threatening to publish the stolen data.
The report from Symantec highlights that the estimated number of extortion-only attacks has grown from just 28 globally in 2024, to around 1,500 in 2025. It changes the risks associated with cyber and ransomware attacks, with a focus on ensuring that data cannot be stolen, rather than ensuring that systems cannot be encrypted. Data loss prevention (DLP) tools are likely to gain prominence as a key part of cyber defence.
It isn’t just ransomware where cyber criminals appear to be taking a ‘back to basics’ approach. The UK’s National Cyber Security Centre (NCSC) has encouraged all organisations, but particularly local government and providers of critical infrastructure, to be vigilant and reinforce their defences against potential ‘denial of service’ (DoS) attacks, which are designed to disrupt and disable web-based services by simply overwhelming servers with superfluous traffic. Evidence collected by NCSC in partnership with other international bodies suggests Russian state-aligned groups are persistently targeting UK organisations with these unsophisticated but potentially highly disruptive attacks.
Ending the roundup on a more positive note, earlier this month Microsoft announced that they had managed to take down RedVDS, a global cybercrime subscription service and key player in the burgeoning “ransomware-as-a-service” industry. By dismantling the infrastructure used by the service, Microsoft has been able to disrupt its operations. However, it is likely that RedVDS – and others – will appear again on the dark web in future, leveraging alternative infrastructure. The cat and mouse game of cyber security continues in 2026.