Accountants have accelerated their transition from paper-based to digital-based systems, particularly embracing modern cloud-based bookkeeping and practice management software. However, accountants remain highly appealing targets for cybercriminals:
- Many SME firms lack the resources to review their systems and adequately train their staff to reduce cyber risks.
- Accountants often handle transactions involving substantial sums of money, particularly those managing payrolls.
- They store confidential and financially sensitive information about their clients, which can be leveraged for extortion attempts on these companies in supply chain attacks.
While many firms believe that migrating to cloud-based software enhances their cybersecurity, it is crucial to note that cloud software adoption alone does not guarantee improved cybersecurity. Most cloud software operates on a ‘shared responsibility’ model, where the cloud provider is responsible for the platform’s security, but the end user must ensure the secure configuration of the software. Without proper configuration, using cloud software could potentially increase your security risk.
This concept is explicitly stated in the UK Government’s Cyber Essentials standard, which encourages all businesses to adopt it.
Furthermore, some cybercriminals are now creating legitimate accounts on cloud software platforms, including bookkeeping systems like QuickBooks Online, to carry out highly convincing attacks, such as issuing fake invoices with payment details linked to criminal bank accounts.
Securing Your Firm in the Digital Age
So, what steps can you take to reduce the risk of cyberattacks on your accounting firm in the world of cloud accounting? While there is an extensive range of actions and technical solutions you can employ, it’s essential to start with the basics:
- Secure your cloud systems by using unique passwords with 12 characters or more for all accounts and implement multifactor authentication.
- Continuously train your staff to recognize malicious emails. Regular, ongoing training is essential, ideally on a monthly basis.
- Ensure you have a robust email security service that includes protection against impersonation, phishing, and malware. Make sure your email domains are securely configured.
- Develop a cyber security incident response plan and provide regular training to all staff members on its implementation, at least twice a year.
- Consider acquiring a cyber security policy to further protect your firm from potential cyber threats.
If you are uncertain about whether your practice has appropriate cyber security controls in place, you can register for our free security audit here.