A basic 5-point plan for better cybersecurity

Protecting client data from cyber threats can feel overwhelming. But robust security doesn't need a huge budget – just a few essential, practical steps.

25 Sep, 2025


At a glance

  • Cybercriminals target accounting firms for their valuable client data and weak security.
  • Breaches can lead to financial loss, reputational damage, and legal penalties.
  • Implement basic security like multi-factor authentication, encryption, and secure backups.
  • Regularly update software and train staff to recognise phishing and other scams.

Every client file in your system represents a potential payday for cyber criminals. Tax returns, payroll records, banking details – it’s all there, often spanning years. That information is so valuable that hundreds of thousands of businesses experience cyber breaches in the UK every year (612,000 in 2024). That has prompted recent governments to introduce a slew of regulations and recommendations in an effort to limit the damage.

Despite this, cyber security remains a lower priority for many micro businesses, and attention to cyber issues within this cohort has declined in recent years. But when 35% of micro businesses have experienced phishing attacks in the last year alone, and when the most disruptive breaches cost businesses, on average, £3,550, it pays to be prepared.

Why cyber criminals target accounting firms

Ian Nicholson, Head of Incident Response at Pentest People, explains accounting firms can represent a perfect combination for cyber criminals: valuable information with weak defences.

Ian Nicholson, Head of Incident Response, Pentest People

“They hold an absolute goldmine of personal and financial data including tax returns, payroll records, bank and payment details, National Insurance numbers, client PII and business financials. That’s a substantial amount of data that few sectors collect or process,” he says.

Firms also serve as gateways to their clients, executing high-value payments on their behalf. “We see criminals intercept invoicing or bank payments regularly,” Nicholson adds. “They often redirect/manipulate funds, or exploit trust relationships. [Accounting] businesses are seen as soft targets, and criminals know they often have limited IT hygiene, fewer dedicated security professionals and use legacy systems or basic patch practices.”

Kristina Holt, Managing Associate at national law firm Foot Anstey, notes this vulnerability is compounded by firms feeling unfamiliar with the laws and technical side of cybersecurity.

Kristina Holt, Managing Associate, Foot Anstey

“This can send those responsible for compliance into a frenzy, trying to fix every issue big and small at once rather than concentrating on the core risk areas specific to the business – or, alternatively, giving up any attempt at implementing cybersecurity protocols whatsoever as it all seems too much and too difficult!” she says.

Protecting your firm: A five-point plan

It may be tempting to put cybersecurity in the “too hard” basket. But Tina McKenzie, policy chair at the Federation of Small Businesses (FSB), says cyber crimes can have severe and lasting impact on businesses.

“They can lead to lost files, leaked customer data, business downtime, and serious reputational damage. There might be a huge financial loss to the business, not to mention the stress caused to the business owner and staff,” she says. Inadequate cyber protection can also lead to legal action and hefty fines for failing to comply with the UK GDPR.  

Tina McKenzie, Policy chair, Federation of Small Businesses.
Image: Kelvin Boyes / Press Eye.

The good news? Robust security doesn’t require a massive budget and there are bare minimum measures you can put in place. Holt says it can be boiled down to some simple concepts: “The first step is always getting to grips with what the business is actually doing with technology and data, rather than looking at abstract risks.”

1. Enforce multi-factor authentication

Then start with the basics, with “multi-factor authentication on all critical systems, especially email, cloud accounting tools, remote access, and document storage,” Nicholson recommends. This single step blocks most account takeover attempts that rely on nothing more than a stolen or guessed password, and account takeover is what leads to business email compromise – one of the most common attacks against accounting firms. Where the option exists, prefer an authenticator app or a hardware security key (FIDO2/passkey) over codes sent by text message: SMS codes can be intercepted or phished in real time, whereas a hardware key only answers to the genuine site.

2. Encrypt data

All laptops, tablets, USB sticks and desktops storing client data should be encrypted, along with data files and backups containing personal or financial information. Full-disk encryption is built in and free on mainstream systems (BitLocker on Windows, FileVault on macOS), so this is usually a settings change rather than a purchase. It ensures that if a device is lost or stolen, the data on it stays unreadable without the key; keep the recovery keys somewhere other than the device itself, or a hardware fault will lock you out as surely as it locks out a thief. The FSB also recommends establishing firm-wide rules around handling client information – for example, what can be sent via email or stored on personal devices.

3. Secure, tested backups

Make sure you run “secure, up-to-date backups, ideally stored offline or off-site, so if a ransomware or compromise occurs, the firm can recover client data quickly,” adds Nicholson. The word “tested” matters: restore a sample of files on a schedule and check they open and match the originals, because a backup that has never been restored is an assumption, not a plan. Make sure at least one copy cannot be reached with the same credentials as your live systems, since ransomware that can see a backup will encrypt that too. Use a trusted cloud storage provider.
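As an added illustration (not from the article or any of the experts quoted in it), the script below is the mechanical part of a restore test: it records a SHA-256 fingerprint of every file when the backup is taken, then checks a restored copy against that manifest and reports anything missing, altered or unexpected. The folder layout and file contents are constructed for the example; the drill function simulates a bad restore so you can see what the check catches.

```python
"""Backup restore drill: fingerprint every file when the backup is taken,
then prove a restored copy is complete and unaltered.

Added example; the file tree and contents are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256.

    Take this at backup time and keep it somewhere the backup job cannot
    overwrite; otherwise a compromise that rewrites the backup can rewrite
    the manifest to match.
    """
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest.

    Returns three sorted lists: files the restore lost, files whose contents
    changed, and files present that were never backed up (often a sign the
    wrong folder was restored).
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "corrupted": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def run_drill() -> dict[str, list[str]]:
    """End-to-end drill on a constructed client-file tree.

    Backs up three files, then simulates a bad restore (one file truncated,
    one file not restored at all) and returns what verify_restore() reports.
    """
    # Constructed sample data; no real client records.
    sample_files = {
        "acme-ltd/2024/payroll.csv": b"employee,ni_number,gross\nA Person,QQ123456C,3000\n",
        "acme-ltd/2024/tax-return.pdf": b"%PDF-1.4 constructed placeholder\n",
        "beta-llp/bank-details.txt": b"sort code 00-00-00 account 00000000\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "clients"
        restored = Path(tmp) / "restored"
        for rel, data in sample_files.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(source)   # taken at backup time
        shutil.copytree(source, restored)    # stands in for the restore job

        # Simulate a bad restore: one file silently truncated, one never restored.
        (restored / "acme-ltd/2024/payroll.csv").write_bytes(b"employee,ni_number,gross\n")
        (restored / "beta-llp/bank-details.txt").unlink()

        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for category, files in run_drill().items():
        print(f"{category}: {files or 'none'}")
```

In practice you would run build_manifest() against the live folder as part of the backup job, store the manifest with the offline copy, and run verify_restore() against whatever the restore procedure produces on the test machine. A restore that passes this check on a sample of real client folders, repeated every few months, is what turns “we have backups” into “we have tested backups”.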

4. Basic patching and software updates

It’s important to keep operating systems, accounting software, browsers and remote access tools current, and to turn on automatic updates wherever the software supports them. “Legacy or unpatched systems are one of the easiest routes we see attackers use,” Nicholson warns. Ensure any personal devices frequently used for work have adequate detection and response tools, with current security patches installed.

5. Staff training

Train all staff to recognise suspicious emails, fraudulent invoice requests and social engineering attempts. “With AI-driven phishing on the rise, scams are now far more convincing, making it easier for employees to be tricked by deepfake emails or fake system alerts,” warns Kevin Curran, IEEE senior member and professor of cyber security at Ulster University.

Kevin Curran, Professor of cyber security, Ulster University

With cyber criminals growing more sophisticated, unprotected small businesses won’t stay lucky forever. For more information, free guidance is available from the National Cyber Security Centre and the Information Commissioner’s Office.

Cyber insurance can provide additional support, but most insurers now require basic protections like multi-factor authentication before they will provide cover. So as well as limiting possible disruption, cybersecurity now carries a direct financial payoff.
