Cyber security for accountants — 7 checks that protect client data

If you typed “cyber security for accountants” because you need something practical you can act on this week, start here. This piece contrasts common-but-wrong habits I see across accounting practices with the right approach that keeps client records and your firm’s reputation intact. Short sentences. Clear responsibility. No techno-speak.

Keeping everything on passwords and goodwill

The common-but-wrong approach is familiar: passwords are shared by a few partners, sticky notes live under keyboards, and everyone assumes the IT person will tell them if something goes sideways. It feels cheap and fast. It also hands attackers the routine they need.

Why this fails:

  • Shared credentials make it impossible to trace mistakes or breaches to a person — which matters for client trust and any regulatory questions.
  • Weak or reused passwords are the simplest route for credential-stuffing and phishing to gain footholds.
  • Lax device control — personal laptops, unmanaged phones — widens your attack surface beyond what you think is covered.

Business impact (not tech talk): a single compromised login can expose multiple client tax records, push payroll instructions, or allow an attacker to alter invoices — all of which cost time, money and credibility.

Concrete examples of this wrong approach:

  • A practice where everyone uses the firm-wide “Practice2024” password for the practice management tool, shared on a team chat; when one accountant’s home PC is infected, the attacker logs into the practice tool unnoticed.
  • Partners approving BACS payments by email because it’s “quicker”; attackers impersonate a supplier and get funds redirected.

Designing tidy, role-ready controls that people actually follow

The right approach treats cyber security as a set of small, enforced behaviours tied to roles and common tasks. It’s not about perfection; it’s about predictable, repeatable controls that reduce risk and are easy for staff to follow.

Key elements that work for accounting teams:

  • Unique accounts and simple role-based access — everyone gets only the systems they need for their job.
  • Multi-factor authentication (MFA) on email, cloud accounting and client portals — stop relying on passwords alone.
  • Device control: a short list of supported devices, mandatory disk encryption, and simple rules about software updates.
  • Clear payment verification: dual authorisation for BACS, and a written pay-run checklist signed off by two people.
  • Regular, short cyber training focused on phishing and payment fraud scenarios relevant to accountants.

Business impact: these measures keep you auditable, reduce the chance of an attacker moving laterally across systems, and make recovery faster if something does go wrong.

Concrete examples of the right approach:

  • An office that forces MFA on all admin accounts and removes access for ex-staff the same day someone leaves, preventing old logins from being reused.
  • A bureau that requires two people to approve any new supplier payment and has a written verification call policy for changes to bank details.

Practical rollout in an accounting practice

Start small. Pick the highest-impact quick wins and assign clear owners:

  • Owner: practice manager — enforce MFA for email and cloud services within a week.
  • Owner: head of payroll — implement dual approval on BACS within two weeks.
  • Owner: IT lead — publish a supported-device list and enable full-disk encryption on laptops within the month.

Link the changes to everyday tasks so staff see the point: a simple checklist for submitting client documents, a short script for verifying bank changes, and a two-minute demo on spotting phishing emails at the next team meeting.

Where to check official advice

For straightforward, sector-neutral advice the NCSC’s guidance pages cover basics that match what accountants need — access controls, phishing defences and incident response — and are short enough to share with partners and managers. NCSC’s guidance is a good single reference to point people at when they ask for more detail.

Implementation examples you can copy this month

Below are short, repeatable actions paired to the two patterns above — each item names the common-but-wrong shortcut, then the practical fix, then an example. These are concrete items you can assign in a meeting and check off.

  • Login management — Wrong: shared team logins for the practice system. Right: unique accounts, MFA and a deprovisioning checklist. Example: create accounts during onboarding and add a leaver's checklist item for HR and IT to revoke access the same day.
  • Payments — Wrong: payment approvals by a single email. Right: dual sign-off plus an independent voice check for changes to bank details. Example: require a second approver in your banking platform and record the phone verification in the payment file.
  • Device hygiene — Wrong: staff use personal devices with no encryption. Right: supported-device policy, mandatory updates, and company-managed encryption. Example: replace unmanaged laptops with encrypted devices or require company VPN and disk encryption for remote work.
  • Phishing — Wrong: one training session a year and no reminders. Right: quarterly, scenario-based micro-training and simulated phishing with feedback. Example: run a short simulated phishing test and review results at the next team meeting.

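The payments rule above (dual sign-off, plus an independent verification call before paying to changed bank details) is easy to state and easy to get subtly wrong: the call is only independent if it goes to the number already on file, not the one in the change email, and if the person calling is not the person who raised the payment. The following is an added example, not code from the original article or from any product it mentions; it encodes those checks as a pre-release gate over constructed supplier and payment records, so a practice can see exactly which condition would hold a payment. All names, phone numbers and account details are made up.

```python
"""Dual sign-off and bank-detail verification gate for supplier payments.

Added example, not part of the original article or any product it mentions.
Supplier records, names and phone numbers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed supplier master file: bank details already verified, plus the
# phone number verified at onboarding. Callbacks go to THIS number, never to
# a number quoted in the payment request or in a "we've changed bank" email.
SUPPLIER_MASTER = {
    "S-001": {
        "name": "Acme Stationery (constructed)",
        "sort_code": "12-34-56",
        "account": "11112222",
        "verified_phone": "+44 20 7946 0000",  # constructed
    },
}


@dataclass
class VerificationCall:
    called_by: str
    number_dialled: str
    outcome: str  # "confirmed" or "rejected"


@dataclass
class PaymentRequest:
    supplier_id: str
    sort_code: str
    account: str
    amount_gbp: float
    requested_by: str
    approvers: list = field(default_factory=list)
    verification: Optional[VerificationCall] = None


def bank_details_changed(req: PaymentRequest, supplier: dict) -> bool:
    """True when the request pays to details that differ from the master file."""
    return (req.sort_code, req.account) != (supplier["sort_code"], supplier["account"])


def check_payment(req: PaymentRequest, master: dict = SUPPLIER_MASTER) -> list:
    """Return the reasons a payment must be held; an empty list means release.

    Rule 1: two approvers, neither of whom is the requester.
    Rule 2: if the bank details differ from the master file, a verification
    call made by someone other than the requester, to the number already on
    file, must have confirmed the change.
    """
    problems = []
    supplier = master.get(req.supplier_id)
    if supplier is None:
        return ["supplier not in master file: onboard and verify before paying"]

    independent_approvers = set(req.approvers) - {req.requested_by}
    if len(independent_approvers) < 2:
        problems.append("dual sign-off missing: need two approvers other than the requester")

    if bank_details_changed(req, supplier):
        call = req.verification
        if call is None:
            problems.append("bank details changed: verification call required")
        else:
            if call.number_dialled != supplier["verified_phone"]:
                problems.append("verification call went to a number not on file")
            if call.called_by == req.requested_by:
                problems.append("verification call must be made by someone other than the requester")
            if call.outcome != "confirmed":
                problems.append("supplier did not confirm the new details")
    return problems


# Constructed scenario 1: the "approve by email" shortcut. One approver, a new
# account number, and the only call went to the number in the change email.
BAD_REQUEST = PaymentRequest(
    supplier_id="S-001", sort_code="12-34-56", account="99998888", amount_gbp=4200.00,
    requested_by="alice", approvers=["alice"],
    verification=VerificationCall(called_by="alice", number_dialled="+44 7700 900000", outcome="confirmed"),
)

# Constructed scenario 2: the same bank-detail change handled properly.
GOOD_REQUEST = PaymentRequest(
    supplier_id="S-001", sort_code="12-34-56", account="99998888", amount_gbp=4200.00,
    requested_by="alice", approvers=["bob", "carol"],
    verification=VerificationCall(called_by="bob", number_dialled="+44 20 7946 0000", outcome="confirmed"),
)

if __name__ == "__main__":
    for label, req in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST)):
        issues = check_payment(req)
        print(f"{label}: {'HOLD' if issues else 'RELEASE'}")
        for issue in issues:
            print("  -", issue)
```

Run as a script it prints HOLD with three reasons for the first request and RELEASE for the second. The design choice worth copying even if you never automate it: the gate reads the callback number from the master file, so a fraudulent change email cannot supply the number that "confirms" itself, and it counts approvers after removing the requester, so one person cannot satisfy dual sign-off by approving their own request.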
If you want a single in-house reference to use when assigning tasks, use this cyber security checklist to align owners and dates — it keeps conversations specific and reduces the “who will do it” problem.

Final practical next step: pick three actions from the “Implementation examples” list and give each a named owner and a deadline this month. That gives faster reduction in risk than expensive audits with no follow-through. When those are done, you’ll have time and credibility to tackle the rest, and your clients will notice the difference in how you handle their data.

Assign those three tasks now and lock in time savings, improved client trust and a calmer year-end.
