The Security Talk Nobody Wants to Have

You've got Cyber Essentials. Your accountant's still using 'Password1'. Here's how to have the conversation without losing the relationship.

The Transcrypt Team
Compliance Engineering


When the people you rely on aren't as secure as you are


I'll never forget the moment.

We'd just got our Cyber Essentials certification. Six weeks of hard work, late nights, biscuit-fuelled panic. We were proud. We were compliant. We were secure.

Then I watched my accountant log into his system to show me our quarterly figures.

Password field: eight asterisks. No second prompt. No authentication app. No code sent to his phone.

"Dave," I said carefully, "do you use multi-factor authentication?"

He looked at me like I'd asked if he believed in unicorns.

"Multi what?"

The Problem Nobody Talks About

Here's the uncomfortable truth: your security is only as strong as the weakest link in your network.

You can have perfect passwords, flawless policies, and a Cyber Essentials certificate framed on your wall. But if your accountant has access to your financial data and they're running on hope and an eight-character password from 2015, you've got a problem.

Same goes for your bookkeeper. Your solicitor. Your marketing agency. Your IT support, ironically. Anyone who handles your data or connects to your systems.

We spend so much time securing ourselves that we forget to look at the people around us.

Why It Matters

When a supplier gets breached, your data goes with them.

Think about what your accountant holds: bank details, payroll information, tax records, client names, financial projections. Now imagine that in the hands of criminals.

The breach didn't happen to you. But it's your data. Your clients. Your reputation.

This isn't hypothetical. Supply chain attacks are one of the fastest-growing threats to small businesses. Criminals know that small firms often work with even smaller suppliers who have even weaker security. They target the weakest link, and then they work their way up.

Your accountant might be the door they walk through.

The Conversation You Need to Have

I know. You don't want to have this conversation.

Dave's been your accountant for fifteen years. He knows your business inside out. He's helped you through audits, tax investigations, that nightmare VAT situation in 2019. You trust him.

And now you have to ask him if he uses proper passwords.

It feels awkward. Patronising. Like you're questioning his competence.

But here's the thing: you're not questioning his competence as an accountant. You're asking about something that probably nobody has ever asked him before. Something he might not have thought about.

You might be doing him a favour.

How to Start

Don't ambush them. Don't make it accusatory. Don't open with "I'm worried about your security."

Start with yourself.

"Dave, we've just been through Cyber Essentials certification. Part of the process made me think about everyone who handles our data. I wanted to check in about how you manage security on your end."

You're not attacking. You're sharing your journey. You're inviting them into the conversation.

The Questions to Ask

Keep it simple. You're not auditing them - you're getting a sense of where they are.

"Do you use multi-factor authentication?"

If they don't know what that means, you have your answer. Explain it simply: "It's when you need a code from your phone as well as your password to log in."

"How do you handle passwords?"

Are they using a password manager? Unique passwords for different systems? Or one password for everything, written on a sticky note under the keyboard?

"When did you last update your software?"

Old software has old vulnerabilities. If they're running systems from five years ago, they're running risks from five years ago.

"Do you have any security certifications?"

Cyber Essentials, ISO 27001, anything? If they do, great. If they've never heard of them, that tells you something.

"What happens if you have a breach?"

Do they have an incident response plan? Do they know who to contact? Would they tell you if your data was compromised?

What You Might Hear

Best case: "Actually, we got Cyber Essentials last year. Happy to share our certificate."

Brilliant. Shake hands. Move on. Buy them a coffee.

Middle case: "We've been meaning to look into that. What would you recommend?"

This is an opportunity. Share what you've learned. Point them toward resources. Offer to connect them with people who can help. Be the person who helps them start their journey, like someone once helped you.

Worst case: "We've never had a problem. I don't see why we need all that."

This is harder. But it's important.

When They Push Back

Some people will resist. They'll say it's overkill. They'll say small businesses don't get targeted. They'll say they've been doing things this way for years and it's always been fine.

Sound familiar? That was me, three years ago.

You can't force someone to change. But you can be clear about your expectations.

"Dave, I understand where you're coming from. I felt the same way until recently. But we're now required to think about our whole supply chain. I need to be able to show that the people handling our data have basic security in place."

You're not threatening. You're explaining your reality. The requirements you're under. The risks you're trying to manage.

Setting Expectations

Depending on the relationship, you might need to formalise this.

For key suppliers - anyone who handles sensitive data regularly - consider:

A simple security questionnaire. Nothing elaborate. The basic questions above, in writing, once a year.

A data processing agreement. Standard GDPR stuff, but include expectations about security measures.

Certificate requirements. For critical suppliers, you might make Cyber Essentials a requirement for continued partnership.

This isn't about being difficult. It's about being professional. Large firms do this routinely. There's no reason small businesses can't do the same.

When the Relationship Can't Continue

Sometimes, despite your best efforts, a supplier won't change.

They refuse to implement basic security. They dismiss your concerns. They make it clear that your data protection isn't their priority.

At that point, you have a decision to make.

I've ended supplier relationships over this. It wasn't easy. One of them was someone I'd worked with for nearly a decade. But when they made clear that my security concerns weren't their problem, I knew I couldn't trust them with my clients' data anymore.

The relationship mattered. But the data mattered more.

Dave's Journey

Back to Dave. My accountant.

After our conversation, he went quiet for a few days. I worried I'd offended him.

Then he called. "Jim, I've been thinking about what you said. I've looked into this multi-factor thing. Can you help me set it up?"

Six months later, Dave got his own Cyber Essentials certification. He now asks his other clients about their security. He's become a convert.

That awkward conversation led to genuine change. Not just for my data, but for all his clients' data.

One conversation. Ripple effects.

The Talk Nobody Wants to Have

It's uncomfortable. I won't pretend otherwise.

But the alternative is worse. The alternative is hoping your suppliers are secure without ever checking. The alternative is finding out they weren't when it's too late.

Your accountant doesn't know what multi-factor authentication is. Your bookkeeper uses one password for everything. Your solicitor's firm hasn't updated their systems in three years.

These are problems. They're also opportunities.

Have the conversation. Share what you've learned. Bring people with you.

The security talk nobody wants to have might be the most important one you'll ever start.


Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. Dave is not his accountant's real name, but Dave did give permission for this story to be told. He's quite proud of his Cyber Essentials certificate now.
