IT Expert Shares 5 Cybersecurity Tips for Accountants

By: Andrew Conrad on January 17, 2023
On this page:

While every modern business has data that needs to be protected from cyber criminals, accounting professionals must be especially vigilant about protecting their data. Because of the amount and value of personal and financial data that accountants possess: 

  1. A data breach could be especially devastating to a small firm and its clients, and

  2. Small accounting firms are high priority targets because of the value of this data.

But as an accounting professional for a small business, your resources may not allow you to deploy the same level of technology and outside support that a larger firm might have available.

In this article, we’ll go over a step-by-step cybersecurity plan based on a three-pronged approach consisting of software tools, organizational training, and maintenance policies. This plan is designed so that even small firms can ensure effective protection against cybercriminals.

To inform this guidance, we spoke to Tony Wang, director of IT Risk Management for Williams Adley CPA and management consulting firm [1].

Let’s begin.

How should accountants approach cybersecurity?

At its heart, Wang says, cybersecurity for accountants is really no different than cybersecurity for other types of organizations.The stakes may be higher when a lot of sensitive financial information is on the line, but the methods of protecting that data are essentially the same.

And while technology is an important piece of any cybersecurity plan, as we’ll explore below, it ultimately comes down to the people in your organization.

“We call it PPT: the people, process, and technology approach. You’ve got to have the right people who actually understand both the business and the technical side,” Wang said. “Then you need to have a process in place, so you can integrate it with your technology to defend your environment.”

Tony Wang

director of IT Risk Management for Williams Adley CPA and management consulting firm

Now, let’s look at how you can put this plan into action.

A cybersecurity plan for accountants

1. Start with training and education

According to our Data Security survey (methodology below), careless employees are the number one security vulnerability for businesses. This means you need to train your employees to adopt a culture that understands and practices data protection (not opening suspicious email attachments, not giving away passwords, etc.) as the most important and effective way to keep your firm’s data safe.

“It doesn't take a lot to breach a company, especially a small business,” Wang said. “Sophisticated hacking tools aren’t required because you have humans involved.”

Our research backs this up. Our survey also found that the rate of employees clicking on phishing links in emails has increased by 88% in the past three years.

Graphic Showing Stats for Rising Occurrence of Phishing Emails and Malicious Links Clicked

As cyber criminals get more creative and manipulative [2] with their tactics, it’s especially important that all of your employees go through cybersecurity training during onboarding, and then refresh this training periodically. The best way to organize this training is through your LMS (learning management system). Most LMS platforms generally include course libraries.

2. Use regular vulnerability assessments

Vulnerability scans are a bit like security guards for your digital property, systematically patrolling your computer systems on the lookout for anything suspicious.

A vulnerability assessment is an automated test that scans your entire network to identify weak points that would allow malicious actors to gain access to your system. A vulnerability assessment can also classify vulnerabilities based on their severity to help with prioritization. 

This is also known as risk assessment. For example, one vulnerability might have a very small chance of becoming a problem, while another vulnerability might require immediate attention upon discovery.

What is a vulnerability assessment? [3]

Remember that the purpose of a vulnerability assessment is not to fix vulnerabilities, it’s to identify them so that they can be addressed by a network administrator or engineer before becoming a bigger issue. For example, the assessment might identify out-of-date software that needs to be updated to ensure the integrity of your system, or it might call for installing a new firewall [4].

A full vulnerability assessment should cover onsite servers and connected devices, wireless networks, databases, and all applications used by employees on your network.

So, how exactly do you perform a vulnerability assessment? One method is to ask your network service provider to run the assessment and share the results with you. Wang says that his firm’s service provider runs quarterly vulnerability assessments. For smaller, self-managed networks, your network security software should include vulnerability scanning as a standard feature.

“If you can do those two things (employee training and vulnerability assessments),” Wang says, “You can lower the temperature and reduce a lot of cybersecurity risk. It's not easy. It’s got to become part of your culture, and it has to be driven by the top leaders.”

3. Use password generation tools

As we mentioned in the first section, people are the biggest vulnerability to any network. But even with proper training and education, a predictable password is essentially an unlocked back door for cybercriminals to walk through. The most obvious solution to this problem is to create longer, more complicated and less predictable passwords. As anyone who uses passwords knows, password fatigue is a real issue and can cause even the most well-intentioned employee to save passwords on sticky notes.

This is where password generation, also known as password management, tools come in. These tools are essentially secure lockers for passwords. Your employee just needs to remember one long but easy-to-remember master password to access the tool, and then the tool creates complex, random, unique passwords for all of the accounts that the employee needs to access.

What is a password manager? [5]

Not sure whether your company can afford a password management tool? Some of the best options are affordable or even free.

4. Use two-factor or multi-factor authentication

In the arms race between cyber criminals and data protectors, multi-factor authentication (MFA) has been a major advance for organizations trying to protect their data.

Multi-factor authentication requires users to regularly confirm their identity via a second source in addition to their password, such as clicking a button in an email, entering a code received in a text, or even scanning their face on their phone camera.

A few years ago, multi-factor authentication was more of an “extra-mile” kind of consideration for security conscious businesses. But in the year 2022 it has become so prevalent that it’s virtually a must have. In fact, our Data Security survey* found that 92% of U.S. companies are now using two-factor authentication (2FA) for at least some of their business applications.

A stacked bar chart showing how business use of two-factor authentication has increased from 64% to 92% in three years

Of course, even with multi-factor authentication it’s still important to ensure regular training. Cyber criminals haven’t simply raised the white flag when faced with multi-factor authentication, and especially persistent and persuasive thieves have been known to badger victims into sharing their MFA one-time codes.

5. Have a data breach action plan in place

So now you've trained your employees to not fall for phishing scams, you’ve set up regular vulnerability assessments to uncover potential weak points, and ensured strong passwords and access control through password generation tools and multi-factor authentication. Your data is safe, right? Not necessarily. In fact, an IBM survey found that 83% of U.S. companies have fallen victim to multiple data breaches [6].

This is why it’s so important to have a plan in place and ready to go before a data breach happens rather than scrambling in a panic when one does occur. And if you do discover that your data security has been breached, through a vulnerability scan for example, take solace in knowing that just discovering the breach puts you ahead of the game.

“If your firm was able to detect this threat and confirm you actually have a data breach, I would say that's really good,” Wang says. “That means you have a pretty mature organization.”

Once you’ve detected the threat, it’s time to start cleaning up the mess. This means completely securing the vulnerability that allowed the threat so that it doesn’t happen again, containing the damage by recovering any lost data from backup, and then resuming normal business operations.

For more details on creating a data breach action plan, check out our complete guide here [7], with steps informed by Gartner [8].

Key highlights

Here’s a summary:

  1. Create a document listing all the potential attacks (malware, phishing, denial of service, stolen device, etc.) that your business could face. This will help you have a response ready if and when one of those potential threats is realized.

  2. Prioritize types of attacks based on potential fallout. It’s natural to panic a little bit when you first realize that you’ve been breached, but all breaches aren’t the same. For example, an employee clicking on a phishing email might be easily contained by your IT team while a denial of service attack that brings down your entire website might require immediate outside assistance.

  3. Create an incident response flowchart. Having an easy-to-read flowchart that helps everyone involved in an incident response know exactly what to do can be a lifesaver in the event of a data breach. For example, who will inform customers that their data may have been compromised, and how and when will they be contacted?

  4. Conduct training drills to test your incident response plan in action. Divide your IT team into red and blue teams, and have one team test out different attacks (on a controlled set of data, of course) while the other plays defense and uses the flowchart to respond to successful attacks.

  5. Update your data breach action plan regularly. Cyber criminals are always trying to get one step ahead of their victims, so it’s important that you update your action plan to keep pace. Update your list of potential attacks and your flowchart regularly based on the latest information and weaknesses exposed by training exercises.

More resources to keep your accounting firm safe

In this article, we looked at tips for protecting your accounting firm from cyber criminals, from regular training to having an incident response plan in place. Since you can never be too prepared to defend your business from cyber criminals, we’d like to leave you with an additional resource: our eBook on Common Cybersecurity Threats and How to Keep Your Small Business Safe.


  1. Tony Wang, Williams Adley

  2. Social Engineering Techniques that Hack Your Employees, GetApp

  3. What is a vulnerability assessment? (YouTube), Hitachi Systems Security

  4. Definition of Firewall, Gartner IT Glossary

  5. What is a password manager? (YouTube), All Things Secured

  6. Cost of a data breach report 2022, IBM

  7. How To Create a Cybersecurity Incident Response Plan, GetApp

  8. Ignition Guide to Developing a Security Incident Response Plan, Gartner

Survey methodology

* GetApp's 2022 Data Security Survey survey was conducted in August 2022 among 1,006 respondents who reported full-time employment. 289 respondents identified as their company's IT security manager.