Cybersecurity is crucial for accountancy firms. Explore measures to prevent and manage attacks
Author: Markel UK
5 - 7 minute read
Accountancy firms are increasingly targeted by cyber-criminals looking to access valuable information, and the consequences for those caught up in attacks can be devastating. But there are steps they can take to reduce their risk and react effectively should they fall victim.
Data Breaches in Accountancy Firms
According to data from the Information Commissioner’s Office (ICO), around 100 of the UK’s 41,800 accountancy firms report a data breach as a result of a cyber-attack every quarter.
“While this may not seem like a lot at first glance, it must be remembered that these are just the ones that are reported because of a data compromise,” points out Chris Linnell, associate director of data privacy at cybersecurity firm Bridewell. “The total number is likely to be much higher.”
One example of such an attack took place in early 2022, when an accountancy group was hit by a ransomware attack that affected three of its brands. The company was subsequently reprimanded by the ICO, which identified a number of security failings [2].
Rich Pickings
Accountancy firms are particularly attractive to cyber-criminals, says Duncan Cooper, chairman of technology firm CETSAT: “Much like IT or managed service providers, accountancy firms often hold the ‘keys to the kingdom’ for their clients. This means they store critical information, manage confidential data and sometimes even control aspects of their clients’ financial affairs. This unique position makes them a particularly lucrative target for attackers looking to exploit or monetise sensitive data.”
Truman Kain, security researcher at cybersecurity platform Huntress, describes accountancy firms as a “one-stop shop for hackers”. “Successful attacks allow hackers to commit financial fraud, launch business email compromise attacks and sell financial data on the dark web,” he says. “Large firms have dedicated security teams, but the smaller firms do not. If you’re an attacker looking at soft targets, it makes sense to go after those with the most lucrative data.”
Consequences of Cyber-Incidents
Any cyber-incident could have serious consequences for accountancy firms. “Under GDPR and other regulations, firms face significant fines, along with potential lawsuits from affected clients,” says Linnell. “Operationally, breaches can lead to regulatory investigations, demands to cease processing and data loss, disrupting audits and tax filings while increasing recovery costs.”
But the biggest danger lies in the reputational risk. “Accountants can only do business based on trust,” says René-Sylvain Bédard, founder of managed security service provider Indominus. “When your accounting firm gets breached, there is a financial impact, but the issue is deeper. That trust needs to be repaired, and often it cannot be.”
Spencer Summons, founder of cybersecurity organisation Opliciti, suggests smaller accountancy firms in particular fail to understand the risks involved. “This can lead to a false sense of security and less budget allocation for cybersecurity,” he says. “Consequently, they have fewer specialised security resources and inadequate risk-based controls.”
Taking Action
Alex Brearley is director of South Yorkshire accountancy firm Brearley & Co and understands the potential dangers. “Firms should implement strong data encryption and multi-factor authentication to secure access to client information,” he advises.
“Regular security audits and staff training are essential, as human error can be a major risk factor. Employees should be trained to recognise phishing attempts, particularly via email, and follow best practices for handling data securely.” The use of secure, cloud-based accounting software with built-in security features can enhance protection, while firewalls, endpoint security and email filtering help prevent malware and ransomware attacks, he adds.
RMT Accountants is part of Sumer Group, which operates accountancy hubs around the UK. It has set up a technology practice – RMT Technology – which acts as the firm’s in-house security arm but also serves external clients. “It means we have maximum protection as accountants by having the team on-site but they also provide the same service for a range of companies, including other professional services firms,” says Stephen Slater, director of RMT Accountants.
As well as having measures such as multi-factor authentication, a 24/7 security operations centre and employee training in place, he stresses the need for data backups that are stored securely offsite. “Regularly backing up critical data ensures that if a cyber-attack occurs, firms can restore their data with minimal disruption,” he says. “Cloud-based backups that are encrypted provide additional security.” He also recommends an independent annual review of a firm’s cyber position, with the intention of working towards the Cyber Essentials Plus (CE+) certification.
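The advice above on encrypted, offsite backups carries an unstated caveat that a practitioner would want spelled out: a backup only counts if it has been restored from. The script below is an added example, not code from the article or from any of the firms quoted in it. It builds a small constructed client-data tree, archives and encrypts it with the openssl command-line tool (AES-256-CBC with a PBKDF2-derived key), records a checksum of the encrypted file, copies it to a stand-in “offsite” directory, then proves the cycle works by decrypting into a clean directory and comparing a digest of every restored file against the original. A second routine corrupts the offsite copy to confirm the checksum check refuses it. The passphrase, file names and paths are all assumptions for the demo; it needs POSIX sh, tar, sha256sum and the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the article): encrypted backup plus restore drill.
# Assumes POSIX sh, tar, sha256sum and the openssl CLI are installed.
# Passphrase, paths and sample files below are constructed for the demo only.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 2; }

# make_sample_data DIR: a tiny constructed "client data" tree to back up.
make_sample_data() {
  src="$1"
  mkdir -p "$src/clients/acme"
  printf 'ledger 2024 Q1\n' > "$src/clients/acme/ledger.csv"
  printf 'VAT return draft\n' > "$src/clients/acme/vat.txt"
}

# backup_encrypt SRC_DIR OUT_FILE PASSPHRASE_FILE
# tar the tree, encrypt it (random salt, PBKDF2 key derivation) and store a
# SHA-256 of the ciphertext beside it so a tampered offsite copy is detectable.
backup_encrypt() {
  src="$1"; out="$2"; pass="$3"
  tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt \
      -pass "file:$pass" -out "$out"
  sha256sum "$out" > "$out.sha256"
}

# restore_verify BACKUP_FILE PASSPHRASE_FILE DEST_DIR
# Refuse a backup whose checksum no longer matches; otherwise decrypt and
# unpack it into DEST_DIR. Returns non-zero on any failure.
restore_verify() {
  bak="$1"; pass="$2"; dest="$3"
  sha256sum -c "$bak.sha256" >/dev/null 2>&1 || return 1
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$pass" -in "$bak" \
      | tar -C "$dest" -xf -
}

# tree_digest DIR: one hash over every file path and its content, so two
# directory trees can be compared byte for byte with a single string.
tree_digest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      sha256sum "$f"
  done) | sha256sum | cut -d' ' -f1
}

# setup_drill WORK_DIR: live data, demo passphrase and an encrypted offsite copy.
setup_drill() {
  work="$1"
  make_sample_data "$work/live"
  # Demo passphrase only; a real one belongs in a secrets manager, not a script.
  printf 'correct horse battery staple\n' > "$work/pass.txt"
  chmod 600 "$work/pass.txt"
  mkdir -p "$work/offsite"
  backup_encrypt "$work/live" "$work/offsite/clients.tar.enc" "$work/pass.txt"
}

# run_drill: full cycle. Succeeds only if the restored tree is identical to
# the original, which is the evidence a firm actually wants from a backup.
run_drill() {
  work="$(mktemp -d)"
  setup_drill "$work"
  restore_verify "$work/offsite/clients.tar.enc" "$work/pass.txt" "$work/restore"
  before="$(tree_digest "$work/live")"
  after="$(tree_digest "$work/restore")"
  rm -rf "$work"
  [ "$before" = "$after" ]
}

# tamper_drill: overwrite one byte of the offsite copy and confirm
# restore_verify rejects it instead of silently restoring corrupted data.
tamper_drill() {
  work="$(mktemp -d)"
  setup_drill "$work"
  printf 'X' | dd of="$work/offsite/clients.tar.enc" bs=1 seek=40 conv=notrunc 2>/dev/null
  if restore_verify "$work/offsite/clients.tar.enc" "$work/pass.txt" "$work/restore"; then
    rc=1   # restore accepted a corrupted backup: drill failed
  else
    rc=0   # checksum check refused it: expected behaviour
  fi
  rm -rf "$work"
  return $rc
}

# Usage: sh backup_drill.sh --run
if [ "${1:-}" = "--run" ]; then
  run_drill && tamper_drill && echo "backup and restore drill passed"
fi
```

The point of the drill is the comparison at the end of run_drill, not the encryption: an encrypted archive that nobody has decrypted since it was written is an assumption, not a backup. Run the same cycle against the real offsite copy on a schedule, and keep the passphrase somewhere that survives the loss of the machine that made the backup, otherwise a ransomware incident that takes the workstation also takes the only key.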
Rapid Reaction
Accountancy firms also need to ensure they know what to do if they are faced with a data breach. “This often involves isolating affected systems, changing passwords and working with cybersecurity experts to limit further damage,” says Cooper.
They must also understand and adhere to local regulations regarding data breaches, as well as communicating with clients. “This may include notifying relevant authorities, such as the ICO in the UK or other supervisory bodies globally, affected clients, and potentially the public if sensitive personal data is exposed,” he adds.
“Open, honest communication with clients and stakeholders can help mitigate reputational damage. It is crucial to clearly outline the steps taken to address the breach and prevent future occurrences.”
1. https://www.icaew.com/insights/viewpoints-on-the-news/2024/oct-2024/why-small-accounting-firms-are-prime-targets-for-cybercriminals
2. https://ico.org.uk/media/action-weve-taken/reprimands/4027047/20231010-inv01202022-reprimand-optionis-group-limited.pdf