Once considered an optional extra, cyber security is now a non-negotiable for accountancy practices. The sector has emerged as a prime target for modern-day cyber criminals, thanks in part to a large volume of held personal and financial data. But cyber-readiness continues to lag, with few practices prepared for the worst.
When it comes to insurance, the cyber landscape is shifting. It is becoming increasingly difficult for practices to obtain cyber insurance unless they can meet certain criteria, such as multi-factor authentication. At the same time, anecdotal evidence suggests that cyber insurance is being bundled into PII insurance or otherwise offered without question. But the reality is that your security measures must be clearly defined and implemented upfront – or the likelihood of a successful claim is slim.
In short, robust cyber prevention is the only viable option to minimise the impact of an attack. That’s why we’ve put together the below cyber security checklist, along with some practical cybersecurity measures for accountancy practices to follow.
Cyber security checklist
The following measures represent a general set of minimum cybersecurity standards for protecting your practice and meeting insurer expectations. Implementing them can strengthen client trust and provide a platform for business growth.
| Control | Minimum standard |
|---|---|
| Backup management | Maintain at least weekly backups of all sensitive and business-critical data. |
| Protected backups | Protect backups with MFA, encryption, offline storage, or separate credentials. |
| Email filtering and scanning | Filter and scan incoming emails for malicious attachments and/or links. |
| Antivirus and firewalls | Review antivirus software and firewall configurations and settings on at least a quarterly basis. |
| Critical patching | Have a patching policy in place to apply critical and high-priority security patches across all business systems within 30 days of release. |
| Strong passwords | Require administrator passwords to be at least 10 characters, mixing letters, numbers, and symbols. |
| Multi-factor authentication (MFA) | Enforce MFA for remote network access, privileged accounts, external contractors, vendors, all email accounts, and mobile devices. |
| Cyber and phishing training | Provide annual training for all staff and contractors, including simulated phishing exercises. |
| End-of-life systems segregation | Isolate any unsupported software or platforms from the main network to limit exposure. |
Practical measures for accountancy practices
The checklist above outlines the essential technical safeguards every firm should have in place. However, building cyber resilience also relies on those safeguards being applied, monitored and supported in practice, from ingrained day-to-day behaviours to the smart use of available tools. Done well, it can transform a compliance exercise into an effective defence against cyber threats.
Leverage built-in tools – If you use Microsoft 365, enable security features such as Microsoft Defender for Office 365, Exchange Online Protection, and Advanced Threat Protection. Use the Microsoft Entra Admin Centre to monitor your security score and follow its improvement recommendations.
Make cyber security a team effort – Encourage staff to question suspicious emails, share phishing examples internally, and keep cyber security on the agenda in team meetings. Regular communication on this topic is vital.
Run phishing simulations – Use your external IT partner to run unannounced phishing campaigns. These exercises can help to identify vulnerabilities in staff behaviour. If you do not have an IT partner, consider using online tools to run your campaign.
Stay vigilant with updates – Apply software updates promptly to close known security gaps.
Recognise the business case – Cyber credentials are increasingly a prerequisite for winning larger contracts, especially government tenders. Failure to maintain a robust cyber security posture can act as a barrier to growth.
Client-facing conversations – Include IT security as a standing agenda item in client meetings to demonstrate your commitment and share best practice.
Be alert to AI threats – With the rise of AI, phishing emails are becoming ever more convincing, including those purporting to be from HMRC, Companies House or ACCA.
Cyber security is an ongoing discipline. Embedding the above measures into your operations and ways of working not only reduces your risk, but also strengthens your reputation as a custodian of client data. Ultimately, this can be the foundation for your practice’s long-term success.
For more information, reach out to a member of our team.