A recent conversation with cybersecurity expert Francis West prompted me to revisit a previous discussion here about the risks of cybercrime affecting accountants in practice. Given the evolving threat landscape, I asked him to highlight the current challenges and solutions we need to keep in mind.
Francis has been involved in the technology sector for over thirty years, providing IT and cybersecurity solutions to a range of industries, including finance, recruitment, and legal. As the founder of Security Everywhere, his expertise is invaluable in understanding the cyber threats faced by accountants.
________________________________________
ML: Francis, I’m especially keen to get your views on cybercrime and its impact on accountants in practice. You’ve mentioned before that cybercrime is now a highly organised industry. Can you elaborate?
FW: Absolutely. Cybercrime has evolved dramatically. It’s no longer just rogue individuals; it’s a multi-billion-dollar global industry. Hackers operate with precision, often using the Dark Web to buy and sell stolen data. Accountants, who manage sensitive client data like financial records, payroll, and personal identifiers, are prime targets for these criminals, as has been shown by numerous reported attacks in recent months. And I’m sure there have been even more that have not been reported.
________________________________________
ML: Why should accountants be particularly worried about these threats?
FW: Accountants are custodians of highly sensitive information that hackers find lucrative. Names, addresses, bank account details, payroll records, and even passwords are just the tip of the iceberg. If compromised, this data can be used for identity theft, financial fraud, or even sold to the highest bidder on the Dark Web. In fact, accounting firms are 30% more likely to experience phishing attacks compared to other SMEs due to the nature of the data they handle.
Indeed, research reveals that 67% of UK accounting firms have reported experiencing at least one cyberattack in the past year. Alarmingly, 40% of these breaches were due to employee errors, such as clicking on phishing emails or weak password practices.
________________________________________
ML: Can you share a recent example of how these attacks can succeed?
FW: Of course. Take phishing, for instance. Hackers often craft emails that appear to come from trusted sources. For example, a scam email might claim to be from HMRC, asking the accountant to verify client details or transfer funds. Once the victim clicks on the link or downloads an attachment, malware is installed, giving the attacker access to sensitive data.
Another example is ransomware attacks. In 2024, several accounting firms in the UK reported being locked out of their systems by ransomware. Hackers demanded payments ranging from £10,000 to £50,000 to restore access. Some accountants paid, only to find their data still unrecoverable. It’s worth noting that 28% of ransomware attacks in 2024 targeted professional services, including accounting firms, with ransom demands often exceeding £20,000.
________________________________________
ML: I suspect I know the answer to this one, but what would the impact of such a breach be on an accountancy firm?
FW: The consequences can be devastating. Firstly, the firm would have to inform clients about the breach, damaging trust. Clients might even leave, fearing further exposure. Secondly, the Information Commissioner’s Office (ICO) would investigate. If the firm had failed to take adequate precautions, they’d face fines of up to €20 million or 4% of annual global turnover.
ML: That’s probably only going to happen in the extreme, isn’t it?
FW: That’s true, but beyond financial penalties there’s the likely reputational damage. Clients trust accountants with sensitive information, and a breach erodes that trust. Losing clients and facing regulatory scrutiny could be enough to shutter a firm. The financial cost is significant too, with the average cost of a data breach for SMEs, including accounting firms, reaching approximately £120,000.
________________________________________
ML: What can accountants do to protect themselves?
FW: Accountants need to adopt a layered approach to cybersecurity. Here are the essentials:
1. Multifactor Authentication (MFA): Ensure all accounts require a second layer of verification, like a mobile code or biometric scan.
2. Enterprise Email Security: Use tools that can detect both “known” and “unknown” threats, offering advanced protection against phishing and malware.
3. Encrypted Communication: Use secure email platforms that encrypt messages, protecting sensitive client data.
4. Regular Backups: Ensure all data is backed up and tested regularly. In a ransomware attack, a robust backup could save your firm.
5. Keep Operating Systems Up to Date: Regularly update software and systems to patch vulnerabilities that hackers might exploit.
6. Cyber Essentials Accreditation: Attain the UK-recognised Cyber Essentials accreditation to prove to staff and clients that the firm takes this issue very seriously.
7. Staff Training: Ensure staff are well trained to understand the risks and why they must not access client or other sensitive data on their personal devices if these have not been approved as secure by the firm’s cybersecurity advisers.
________________________________________
ML: Francis, how does an accountant’s own cybersecurity posture impact their clients, particularly in terms of the supply chain risk?
FW: That’s a very important point. Accountants don’t operate in a vacuum—they interact with clients, vendors, and other third-party service providers, all of whom play a role in their business ecosystem. If an accountant’s cybersecurity is lacking, it can pose significant risks not only to their own firm but to their clients as well.
For instance, if an accountant’s systems are compromised due to weak security measures, hackers can potentially gain access to sensitive client data, such as financial records, tax information, or payroll details. This can lead to breaches of trust, financial losses, or even regulatory penalties for the client. Furthermore, cybercriminals may use the accountant’s compromised system to target their clients, especially if they hold valuable data.
In essence, accountants are part of their clients’ digital supply chain. If their cybersecurity is insufficient, it creates a vulnerability that can be exploited by attackers to target the clients they serve. It’s a domino effect: a weak link in an accountant’s security can have a direct and often devastating impact on the trust and security of their clients. Therefore, it’s crucial that accountants not only protect their own firm but also understand the broader implications of their cybersecurity posture on their entire network.
________________________________________
ML: Finally, what are your top tips for accountants to safeguard their businesses?
FW:
1. Layered Security: Combine MFA, AI-based antivirus using behavioural monitoring, email security, password security, mobile security and a full backup of all data at least 2 to 6 times per day.
2. Avoid Public WiFi: Never log into sensitive accounts over public WiFi networks.
3. Use a Password Manager: Tools like the one we provide (Keeper) generate and store complex passwords securely. Over 60% of accounting firms still use shared or recycled passwords, significantly increasing the risks they run.
4. Have a Disaster Recovery Plan: Prepare for the worst with a clear strategy to restore systems and data quickly.
5. Ongoing Education: Stay informed about the latest threats and ensure your team does too. Even the best technology can’t protect against an employee clicking the wrong link.
________________________________________
ML: Thanks, Francis. If any of my readers want to learn more or seek help, how can they contact you?
FW: I’d be delighted to help. You can reach me at Security Everywhere on 020 3195 0555, via email at [email protected], or connect with me on LinkedIn.