I get it, you’re swamped with billable work.
Clients are breathing down your neck and the ATO is putting you on hold for the millionth time. Things get rushed, and cyber security is the last thing on your mind.
In the fog of accounting war, it’s easy for your firm to get complacent and relax on simple things because you just need to get the work out the door.
However, the last thing you want is for your firm to be hacked, with the first Google result for your firm’s name telling everyone about it.
If you didn’t know this is a thing, try googling “Accounting firm hacked Australia” and you’ll get a nice list.
Now that I’ve set the tone, it’s not all panic.
There is a lot you can do, and many of the most important things are quite easy. I suggest taking some time every year to do a quick review and cover the basics.
Here is a checklist to help make sure your firm is safe.
If you follow all of this, you will already be well ahead of most accounting firms.
Cyber Security Checklist for Accounting Firms
| Area | Check | Yes | No | Not sure | Why this matters |
|---|---|---|---|---|---|
| Email & identity | MFA is enforced on every mailbox, including partners and shared mailboxes | ☐ | ☐ | ☐ | A single mailbox compromise enables impersonation, password resets, and fraud |
| | Legacy email access (POP/IMAP without MFA) is disabled | ☐ | ☐ | ☐ | Attackers bypass MFA using older protocols |
| | External email forwarding is disabled or tightly restricted | ☐ | ☐ | ☐ | Forwarding and inbox rules let attackers stay hidden |
| | Staff do not share email or system logins | ☐ | ☐ | ☐ | Shared logins remove accountability and delay response |
| Access & permissions | Day-to-day accounts do not have admin access | ☐ | ☐ | ☐ | Excess privilege turns small incidents into firm-wide breaches |
| | Admin access is temporary and reviewed | ☐ | ☐ | ☐ | Standing admin access is a high-value target |
| | Access is removed or reviewed when roles change or staff leave | ☐ | ☐ | ☐ | Old access is routinely abused in real incidents |
| Devices & data | Full disk encryption is enabled on all laptops and mobiles | ☐ | ☐ | ☐ | Lost devices expose data without any hacking |
| | Screen locks and strong device passwords are enforced | ☐ | ☐ | ☐ | Prevents casual access to sensitive data |
| | Lost or stolen devices can be remotely wiped | ☐ | ☐ | ☐ | Limits damage after physical loss |
| Backups & recovery | At least one backup is offline or immutable | ☐ | ☐ | ☐ | Online backups are often deleted by attackers |
| | Backup restores have been tested, not just configured | ☐ | ☐ | ☐ | Untested backups fail under pressure |
| | Recovery time is known and realistic | ☐ | ☐ | ☐ | Unrealistic expectations delay decisions |
| Payments & fraud | Bank detail changes are never accepted by email alone | ☐ | ☐ | ☐ | Email impersonation enables direct theft |
| | Verification uses a known phone number | ☐ | ☐ | ☐ | Attackers control contact details in emails |
| | The verification process is written and followed | ☐ | ☐ | ☐ | Ad-hoc checks fail under urgency |
| Incident readiness | There is a one-page incident response plan | ☐ | ☐ | ☐ | The first hour determines the outcome |
| | Roles are clear for IT, clients, insurers, and regulators | ☐ | ☐ | ☐ | Confusion wastes time attackers use |
| | The plan is accessible if systems are down | ☐ | ☐ | ☐ | Many plans are unreachable during incidents |
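If your firm runs on Microsoft 365, the three “Email & identity” rows about legacy access, forwarding and inbox rules can be audited in a few minutes rather than ticked from memory. The script below is an added example, not part of the original post; it assumes Exchange Online with the ExchangeOnlineManagement module installed and is read-only (MFA enforcement itself is checked in Entra ID, not here).

```powershell
# Added example: audit POP/IMAP, mailbox forwarding and forwarding inbox rules
# in an Exchange Online tenant. Assumes: Install-Module ExchangeOnlineManagement
# has been run and the signed-in account has Exchange admin rights.
# Nothing here changes settings; remediation lines are commented out at the end.

Connect-ExchangeOnline   # interactive sign-in (you will get an MFA prompt)

# 1. Legacy access: mailboxes that still allow POP or IMAP.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled

# 2. Mailbox-level forwarding (set by an admin or via Outlook settings).
$mailboxes  = Get-Mailbox -ResultSize Unlimited
$forwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect mail out of the mailbox. These are the
#    rules the checklist warns about: they survive a password reset and stay quiet.
$rules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo
}

"Mailboxes with POP/IMAP enabled:   $(@($legacy).Count)";     $legacy     | Format-Table -AutoSize
"Mailboxes with forwarding set:     $(@($forwarding).Count)"; $forwarding | Format-Table -AutoSize
"Inbox rules that forward/redirect: $(@($rules).Count)";      $rules      | Format-Table -AutoSize

# Remediation, only after you have reviewed the lists above with the mailbox owners:
# $legacy | ForEach-Object { Set-CASMailbox -Identity $_.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false }
# Unwanted rules: Remove-InboxRule -Mailbox <address> -Identity <rule name>

Disconnect-ExchangeOnline -Confirm:$false
```

Any row in the forwarding or rules output that points at an address outside your firm’s domain deserves a phone call to the mailbox owner before you remove it, because it is either a forgotten convenience or the sign of a compromised mailbox.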
Now, this is just a starter, but if you follow all of it you will be well ahead of most accounting firms.