Guide

How to improve your practice’s cybersecurity

Cybercrime is on the rise. Here, we show you tips and cybersecurity best practices for keeping your team, clients, and data safe.


Written by Ebony-Storm Halladay — Freelance accounting copywriter, 10 years.

Published 10 December 2025


Understanding cybersecurity risks in the accounting industry

The global average cost of a data breach is $4.4 million, according to an IBM report. Financial institutions and professional services can be an attractive target for cybercriminals, due to the sensitive data held on their servers. This means accountants and bookkeepers need to adopt cybersecurity best practices to keep their business and clients safe.

Here are some cybersecurity risks you could come up against:

  • Phishing: Cybercriminals send legitimate-looking messages posing as a trusted person or entity. These messages come via email, SMS, and other digital platforms. They might ask you to click a link (which downloads a virus), or request private information like bank details or Social Security numbers.
  • Data breaches: Information is stolen or accessed without authorization. A cybercriminal might view, alter, or steal information. Data breaches don’t always come from an outsider – employees can make genuine mistakes that result in a breach too.
  • Ransomware: Cybercriminals gain access to your computer system and encrypt your files, holding your information ‘ransom’ until payment is made. During a ransomware attack, you cannot access the data or system being held ransom.
  • Malware: This is a catch-all term for malicious software, such as ransomware, spyware, and viruses. This software is designed to access, alter, damage, destroy, or steal information.

Why cybersecurity is important for businesses and the accounting industry

Cybercriminals have all kinds of tools and techniques for tampering with your data. Fortunately, having strong cybersecurity measures in place can help you protect your practice. Keeping information safe isn’t just about meeting regulatory requirements – it’s about upholding client expectations, developing digital skills, and ensuring the reputation of your practice. Here’s what happens when you take cybersecurity seriously:

  • Builds client trust and confidence: Every day, clients put their faith in you to keep their data safe. By investing in cybersecurity, you’re demonstrating that you have the knowledge and tools to protect their information.
  • Increased protection from data breaches: With preventative measures in place and processes for dealing with risks, you can stop cybercriminals from accessing, damaging, and stealing private data.
  • Regulatory compliance: Federal law, such as the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to explain their information sharing practices to customers and safeguard sensitive data. Tax professionals are also required by law to have plans in place for protecting client data. Cybersecurity is also governed at state level, with laws like the California Consumer Privacy Act (CCPA) and the New York SHIELD Act.
  • Limits the cost to your business: If a cyberattack happens, it costs you time, can cost you money, and could also cost your reputation. An example of this is that tax professionals with Preparer Tax Identification Numbers (PTINs) face IRS penalties for data security failures.
  • Shows you’re taking digitalization seriously: 82.5% of all filings to the IRS in 2024 were filed digitally. Showing that your practice can not only adopt the tools, but maintain security, proves you’re prepared for the future of accounting and bookkeeping.

Cybersecurity best practices for accountants and bookkeepers

Regardless of how digital your processes are, every practice can benefit from having the following cybersecurity best practices in place.

Good data practices

The best way to stop criminals from accessing private data is to keep less of it in the first place. Only collect and store the data that is essential for your practice and clients. Under the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) Safeguards Rule requires financial institutions, including accounting and bookkeeping practices, to have a written security plan containing administrative, technical, and physical safeguards to protect data.

Administrative safeguards are things like your policies and procedures for protecting data. Technical safeguards are the technologies and tools you use to keep information safe – like anti-virus software. And physical safeguards are things like locks or alarms.

An example of a strong technical safeguard is encryption, which turns the data you hold into a scrambled code that can only be unscrambled by an authorized person. Some software tools have encryption features as standard, and the IRS requires electronic filing of tax returns to use encryption in transit and at rest.

Password management

Use a strong, unique password for every platform and device. This is essential – don’t be tempted to use the same password for more than one account, and make sure you update them at regular intervals. Set a calendar reminder for every quarter to change your passwords.

Where possible, use multi-factor authentication to secure your accounts. This requires you to complete two steps before you can access your accounts, and usually means inputting a password and receiving a code via text or email. The extra step means that even if someone cracks your password, they can’t get in without the code sent to your phone or email.

Access management and user roles

Modern software lets you customize levels of access for different people. This is a great tool for cybersecurity, because it means you can limit how much information people have access to based on their role. Broadly speaking, the fewer people that have access to data in the first place, the fewer chances for a breach.

Many software applications will flag when a user is signing in from a different location or device. This can help you stop security threats before they breach your system. With Xero accounting software, you can customize user roles and permissions for every person with access.

As a general rule, you should also avoid using public wi-fi networks for work purposes. Public wi-fi often has a low level of security, attracting cybercriminals who can more easily access your devices. Using a VPN (Virtual Private Network) can protect you on public wi-fi, but it may not prevent all types of cybercrime.

Software updates, firewalls, anti-virus updates

Software developers regularly update programs to be more secure. No doubt, you’ve received notifications from your software, asking you to download and install updates. Old versions of software can be more susceptible to cyber attacks, so make sure you keep on top of updates.

If your practice also has an internal network, you should set up a firewall. This monitors incoming and outgoing traffic on your network, and can block malware and other suspicious movement. Think of it as the security guard standing between your network and the public internet, monitoring who comes through.

Another tool to explore is anti-virus software. This can protect your practice against some of the nastier attacks mentioned earlier, like malware, spyware, and ransomware. This software also needs to be updated regularly.

Training employees

Cybersecurity threats are constantly evolving as criminals come up with new ways to infiltrate businesses. Keeping your team up to date with the latest cybersecurity trends is essential for protecting your practice. Regular cybersecurity training is a must, and you should also deliver one-off sessions when new threats or solutions are identified.

If you do come up against a cybersecurity threat in your practice, this can provide a useful training opportunity to see how you might deal with the risk more effectively in the future.

Using secure software or applications like Xero

The software you use to run your practice impacts your level of cybersecurity. Look for software that has built in security features that provide an additional layer of protection, alongside any anti-virus software and security tools you’re using.

Xero accounting software uses encryption to protect data, along with user management and permissions, and multi-factor authentication to help keep your practice and clients safe.

Developing a cybersecurity plan for your practice

Improving your cybersecurity is an ongoing process. The landscape is constantly evolving, with new types of crime and new tools for protection impacting your approach to cybersecurity. But, the sooner you start improving protections, the safer your practice and clients will be. Here’s a cybersecurity plan you can adapt to your practice.

Identify assets and risks

Accounting and bookkeeping practices deal with all kinds of private and confidential data. The first step in your cybersecurity plan should be to identify the assets and information you have. This includes things like client data, financial records, and proprietary software.

Next, conduct a risk assessment for the hardware and software you’re using. Check for risks and vulnerabilities, such as outdated software packages containing private data, or weak passwords.

Establish security policies and procedures

Keeping your practice secure involves every member of the team. Having a security policy and plan in place will help you uphold practice protections, mitigate cyber risks, and – worst case scenario – resolve a breach more effectively.

Here are some things to include in your policy:

  • Data protection processes
  • Password management
  • Device usage
  • Remote work
  • Incident response
  • Reporting security incidents and breach notification procedures (in line with state law requirements)
  • What to do after a breach
  • Training frequency for teams

Make sure you outline clear expectations for each point, and ask your team if there’s anything they feel is missing from your policy. Team members will often have their own view of different parts of the business, so make sure you include them.

While a security policy gives you and your team principles to follow, you also need a security plan that sets out what to do in specific circumstances. Having a Written Information Security Plan (WISP) outlining your policies, procedures, and safeguards for data protection is also a requirement for complying with the Gramm-Leach-Bliley Act.

Implement access controls

One of the easiest ways to reduce cybercrime in your practice is to limit access to sensitive data. Introduce role-based access controls where you can, so that sensitive data can only be accessed by a small number of people.

For every user account, make sure passwords are strong and unique, and that multi-factor authentication is in place. Only give teams access to the information they need to do their job, to limit the spread of data.

Secure network infrastructure

As an increasing number of practices embrace the cloud and digital systems, protecting your network infrastructure is essential. Firewalls, intrusion detection systems, and encryption protocols can help prevent and mitigate cybercriminal activity.

Software developers sometimes release ‘patches’ that plug security gaps – this is another reason to keep up with updates, to maintain the best security with the tools you use.

Secure physical environment

Cybersecurity isn’t just about the virtual world. You also need to protect hardware and physical assets, like servers, computers, and storage devices. You can draw on a number of physical security tools here, like locks, surveillance systems, and access control mechanisms to help keep information out of the wrong hands.

Backup and recovery

Having a backup and recovery system in place is essential for business continuity, not just security. Under the Gramm-Leach-Bliley Act, financial institutions are required to maintain data integrity, so your practice needs reliable document backups to ensure you’re keeping accurate data.

Establish a regular data backup procedure, and test the system to make sure you can recover data in the event of a cyberattack or system failure. Store backups off site or in the cloud, so they’re safe from physical damage or theft.

Stay informed and updated

Cybercriminals are always coming up with new ways to infiltrate businesses. You can stay ahead of the curve by researching the latest cybersecurity trends and best practices, and new technologies for prevention.

For example, you might want to explore emerging technologies and how blockchain technology can enhance security. You could also check out webinars and conferences, or participate in professional networks. The Cybersecurity & Infrastructure Security Agency (CISA) offers free cybersecurity training for those looking to upskill.

Regularly review your cybersecurity policy and plan to ensure they’re airtight. Update these documents to address new risks and changes in technology at your practice.

Perform regular audits and assessments

Auditing your cybersecurity measures can help you spot weaknesses before cybercriminals can. An annual risk assessment is also a requirement of the FTC Safeguards Rule, but this is something you could do more regularly given the rate of technological development.

Pull in a third-party expert or consultancy for independent assessments, penetration testing, and advisory support. They’ll give you an objective view of the potential vulnerabilities and overall effectiveness of your strategy.

Cybersecurity is about more than regulatory compliance

Accounting and bookkeeping practices run on trust. Clients depend on you for expert advice, talk about sensitive parts of their business, and entrust you with their financial data. Investing in your cybersecurity practices shows them you can be trusted to deliver essential services.

The cybersecurity tips and best practices in this guide are a strong starting point, but make sure you’re also selecting software providers that take data protection and cybersecurity seriously – like Xero. Protecting your practice is an ongoing journey, but it’s not something you have to do alone.

For more information on how we help keep your practice safe, check out our security page.

FAQs on cybersecurity best practices

Let’s take a closer look at some of the finer details on cybersecurity for business and practices.

Do I need to comply with the FTC Safeguards Rule?

Yes. The rule applies to financial institutions, which is defined a little differently under the Gramm-Leach-Bliley Act, and includes businesses engaged in activities that are financial in nature – like accounting and bookkeeping.

The rule requirements include developing a written information security plan, designating a qualified individual to oversee your security program, and conducting regular risk assessments.


How can I tell if an email or message is a phishing attempt?

Phishing attacks are becoming increasingly sophisticated. But there are often telltale signs you can look out for, like:

  • Urgent requests for sensitive information, especially around tax time
  • Slight misspellings in email addresses or domain names
  • Generic greetings instead of personalized messages
  • Unexpected attachments or links

When in doubt, don’t click on any links in the messages. You can go to the sender’s website by typing in the URL yourself. If you think the sender is impersonating someone you know, contact the real person using a trusted communication channel you’ve used for them before.

As a general rule, the IRS will not initiate contact via email.
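The telltale signs above can be turned into a simple triage check. The following is an added example, not code from Xero or the original guide; the trusted-domain list, keyword lists and the sample message are constructed for illustration, and the lookalike test (edit distance of two or less, or a trusted name embedded in a longer domain) is a heuristic that will produce some false positives.

```python
import re
# Constructed allow-list: domains this practice legitimately corresponds with.
TRUSTED_DOMAINS = {"xero.com", "examplecpa.com"}
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "tax refund")
GENERIC_GREETINGS = ("dear customer", "dear client", "dear sir/madam", "dear user", "hello,")
RISKY_ATTACHMENTS = (".zip", ".exe", ".js", ".html", ".htm", ".iso", ".scr")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain: str):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # "xer0.com" (one character swapped) or "xero.com.login-verify.net" (name embedded elsewhere)
        if edit_distance(domain, trusted) <= 2 or trusted in domain:
            return trusted
    return None

def phishing_indicators(msg: dict) -> list:
    """Telltale signs from the FAQ that a message exhibits; an empty list means none found."""
    hits = []
    sender_domain = msg.get("from", "").lower().rsplit("@", 1)[-1]
    body = msg.get("body", "").lower()
    if (imitated := lookalike_domain(sender_domain)):
        hits.append(f"sender domain {sender_domain!r} resembles trusted {imitated!r}")
    if re.search(r"(^|[.-])irs([.-]|$)", sender_domain):
        hits.append("claims IRS origin (the IRS does not initiate contact by email)")
    if any(t in msg.get("subject", "").lower() + " " + body for t in URGENCY_TERMS):
        hits.append("urgent request wording")
    if body.lstrip().startswith(GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(n.lower().endswith(RISKY_ATTACHMENTS) for n in msg.get("attachments", [])):
        hits.append("unexpected attachment type")
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host not in TRUSTED_DOMAINS:
            hits.append(f"link to unrecognised host {host!r}")
    return hits

# Constructed sample: lookalike sender, urgent wording, generic greeting, zip attachment, odd link.
SAMPLE_PHISH = {"from": "refunds@xer0.com", "subject": "URGENT: confirm your tax refund", "attachments": ["Refund_Form.zip"],
                "body": "Dear Customer, verify within 24 hours at http://xero.com.login-verify.net/reset"}
```

Running `phishing_indicators(SAMPLE_PHISH)` returns five findings; a routine message from a trusted colleague with an .xlsx attachment and no links returns none. Treat the output as a prompt to verify through a known channel, as the FAQ advises, not as proof either way.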

Do smaller accounting firms need cybersecurity plans too?

Absolutely. Tax preparers are required to have a Written Information Security Plan (WISP) in place, under the Gramm-Leach-Bliley Act, as part of the FTC Safeguards Rule.

It’s a legal requirement, but also in your best interests to keep clients and practice data safe. Of course, your cybersecurity plan might look a little different to that of a large organization. What’s important is that you take the steps required to mitigate risks that affect your practice.

Disclaimer

Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.
