How to improve cybersecurity in your practice

This guide outlines how to create a cybersecurity plan for your practice.


Cybercrime is rising. Nearly one in three businesses experience cyber attacks or breaches at least once a week, according to UK government research.

As professionals who regularly deal with sensitive financial data, accountants and bookkeepers must keep their practices safe. Here’s how.

Cybersecurity risks in the accounting industry

The average cost of a UK data breach or cyber attack is £4,200, and this figure rises with the size of the business. Financial institutions and professional services are at increased risk of cybercrime, so accountants and bookkeepers need to keep on top of cybersecurity in their practices.

Here are just a handful of cybersecurity risks practices could come up against:

  1. Phishing: Cybercriminals send legitimate-sounding messages posing as a trusted individual or entity. These messages can come via email, SMS, or another digital platform, and could ask you to click a link (which may download malware such as a virus) or share private or sensitive information (like bank details).
  2. Data breaches: Information is stolen or accessed without authorisation. A cybercriminal might view, alter, or steal information or client data. Note: data breaches don’t always come from an outsider. Employees can make genuine mistakes that result in a breach too.
  3. Ransomware: Cybercriminals gain access to your computer system and encrypt your files, holding your information ‘ransom’ until payment is made. During a ransomware attack, you cannot access the information or system being held ransom.
  4. Malware: This is a catch-all term for malicious software, such as ransomware, spyware, and viruses. This software is designed to access, alter, damage, destroy, or steal information.

Benefits of using cybersecurity in the accounting industry

Cybercriminals have all kinds of tools and techniques for tampering with your data. Fortunately, having a strong cybersecurity approach can help you protect your practice.

Here are the key benefits of cybersecurity for accounting and bookkeeping practices:

  1. Regulatory compliance: International regulations such as GDPR (General Data Protection Regulation) require that businesses have protections in place for the data they keep. Improving your practice cybersecurity can ensure regulatory compliance.
  2. Increased protection from data breaches: With the right protections in place, you can stop cybercriminals from accessing, damaging, or stealing private information.
  3. Builds client trust and confidence: Every day, clients trust their accountants and bookkeepers to keep their data safe. By investing in cybersecurity, you’re demonstrating that you have the tools and know-how to protect their information.
  4. Limits the cost to your business: Cyber attacks are expensive in more ways than one. As we’ve already explored, they cost businesses thousands. But they can also cost you clients and your good reputation. Cybersecurity can save you money – and future business.
  5. Shows you’re taking digitalisation seriously: As the Making Tax Digital roll-out continues, investing in the digital aspects of your business demonstrates that you’re prepared for the future of accounting and bookkeeping.

Cybersecurity best practices for accountants and bookkeepers

Regardless of how many digital tools you use, every practice can benefit from having the following measures in place.

Password management

Using strong, unique passwords for every platform and device is essential. Don’t be tempted to use the same password for more than one account, and update them at regular intervals. Otherwise, hackers stand a better chance of cracking your account.

Where possible, use two-factor authentication to secure your accounts. Two-factor authentication requires users to complete two steps before accessing their account – it usually means inputting your password and then using a code sent to you via text or email. This puts an additional step between your information and the hacker trying to access it.

Access management and user profiles

Modern software tools allow you to customise access levels for different people – and this is something you should use for cybersecurity purposes. Only give people access to the level of information they need to perform their role – the more you limit the spread of information, the fewer opportunities cyberattackers have to access it.

Many software applications will flag when a user is signing in from a different location or device. This can help you stop security threats before they breach your system. With Xero, you can customise user roles and permissions for every person on the platform.

As a rule of thumb, try not to use public wi-fi networks for work purposes. Public wi-fi attracts hackers because it often has a low level of security. Using a VPN (Virtual Private Network) can protect you on public wi-fi, but it isn’t a fix-all.

Software updates, firewalls, anti-virus updates

Old versions of software can be more susceptible to cyber attacks. Developers regularly update software programs to make them more secure, so make sure you’re staying on top of all your updates.

Along with your software updates, make sure you have a firewall in place for your internal network. A firewall monitors incoming and outgoing traffic on your network. It can block malware and other suspicious traffic. Think of it as the security guard standing between your network and the public internet, monitoring who comes through.

Another tool to explore is anti-virus software. This can protect your practice against some of the nastier attacks we mentioned earlier in this guide – like malware, spyware, and ransomware. As with the general software you use in your practice, make sure you’re updating anti-virus software regularly too.

Good data practice

The best way to stop criminals from accessing private data is to not keep it in the first place. Only collect and store essential data for your practice and clients.

In line with GDPR, make sure you’re deleting legacy data at the right times too. Holding onto old data can put you at risk of breaching GDPR rules, and it leaves more data available to hackers.

Another feature of good data practice is encryption. This turns the data you hold into scrambled form that can only be read again by an authorised person accessing the information. Look out for software tools that have encryption as standard.

Training employees

Cybersecurity threats are constantly evolving as hackers come up with new ways to infiltrate businesses. Keeping your team up to date with the latest cybersecurity information is essential for protecting your practice. Schedule regular training on cybersecurity, and deliver ad hoc training when new cybersecurity threats are identified.

If you do come up against a cybersecurity threat in your practice, use it as an opportunity to teach your team about cybersecurity risks for businesses.

Using secure software or applications like Xero

While having security software in place can help you protect against all manner of cyber threats, the software you use in your daily workflow matters too.

Xero has inbuilt security features, such as encryption, user management and permissions, and multi-factor authentication to help protect your data and practice.

Developing a practice cybersecurity plan: A practical guide

Cybersecurity is a work in progress. The sooner you start, the better you can protect your practice and clients.

Here’s a small business cybersecurity plan example that you can use in your practice:

1) Identify assets and risks

Accounting and bookkeeping practices will have swathes of private and confidential information to take care of. The first step in your cybersecurity plan should be to identify the assets and information in your practice – such as client data, financial records, and proprietary software.

Next, conduct a risk assessment for the hardware and software you’re using in your practice. Identify the cybersecurity risks and vulnerabilities – such as an outdated software package that contains private client data.

2) Establish security policies and procedures

Keeping your practice secure involves every member of the team. Having security policies and procedures in place will help you uphold practice protections, mitigate cyber risks, and – worst case scenario – resolve a breach more effectively.

Here are some things you could include in your policy:

  • Data protection
  • Password management
  • Device usage
  • Remote work
  • Incident response
  • Reporting security incidents
  • What to do after a breach
  • How frequently teams should receive training

Make sure you outline clear expectations for each point, and ask your team if there’s anything they feel is missing from your policy. Team members will often have their own view of different parts of the business, so make sure you include them.

3) Implement access controls

One of the easiest ways to reduce the chance of cybercrime in your practice is to limit access to sensitive data. Introduce role-based access controls and user management systems, so that sensitive data can only be accessed by a small number of people.

For every user account, make sure passwords are strong and unique, and that multi-factor authentication is in place. Only give teams access to the information they need to do their job, to limit the spread of information.

4) Secure network infrastructure

As an increasing number of practices embrace the cloud, protecting your network infrastructure is essential. Firewalls, intrusion detection systems, and encryption protocols can all help to keep your practice safe, and cybercriminals out.

Keep your software and firmware updated. Software developers will sometimes release ‘patches’ that plug security gaps – so make sure you’re staying on top of updates.

5) Secure physical environment

Cybersecurity isn’t just about the virtual world. You must also protect your hardware and physical assets such as servers, computers, and storage devices. A combination of solutions might be necessary – locks, surveillance systems, and access control mechanisms can help keep information in the right hands, and out of the wrong ones.

6) Backup and recovery

Having a backup and recovery system in place is essential for business continuity – not just cybersecurity. Establish a regular data backup procedure, and test the system to make sure you can recover data in the event of a cyberattack or system failure. Store back-ups off site or in the cloud, so they’re safe from physical damage or theft.

7) Stay informed and updated

Cybercriminals are always coming up with new ways to infiltrate your business. Stay ahead of the curve by researching the latest cybersecurity threats and best practices, and new technologies. For example, you might want to explore how blockchain technology can enhance security. Check out webinars and conferences, or participate in professional networks.

Regularly review your cybersecurity plan to check it’s still airtight. Update it to address new risks and changes in technology at your practice. For instance, if you’re embedding new cloud-based software in light of Making Tax Digital, you also need to integrate it into your cybersecurity plan.

8) Perform regular audits and assessments

Auditing your cybersecurity measures can help you spot weaknesses before cybercriminals can. Pull in a third-party expert or consultancy for independent assessments, penetration testing, and advisory support. They’ll give you an objective view of the potential vulnerabilities and overall effectiveness of your strategy.

The crucial role of cybersecurity in the operations of accountants and bookkeepers

Accounting and bookkeeping practices run on trust – clients depend on you for expert advice, talk about some of the most personal parts of their business, and entrust you with their financial data. Investing in cybersecurity shows them you can be trusted to keep delivering these essential services.

The cybersecurity tips and best practices in this guide are a strong starting point, but make sure you’re also partnering with software providers that take data protection and cybersecurity seriously – like Xero. Protecting your practice is an ongoing journey, but it’s not something you have to do alone.

For more information on how we help keep your practice safe, check out our security page.


Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.
