As the digital landscape evolves, the frequency and sophistication of cyber attacks continues to rise. UK small and medium-sized enterprises (SMEs) and small accounting firms are at the forefront of these threats. 

According to data published by the Information Commissioner’s Office (ICO), every quarter approximately 100 UK-based accountants report data breaches attributed to cyber attacks. As this figure is only those incidents reported to the ICO (due to an identified risk of access to personal data), the actual number of attacks is likely to be much higher. These statistics reveal a critical issue within the accounting profession, highlighting why this sector is such an attractive target for cybercriminals. Not only are attacks taking place, but their success rate is high due to limited defences in place.

I came across a firm recently that did not have appropriate defences and it resulted in a worse-case scenario. Attackers breached the network, encrypted all the data and backups and the firm was left with the difficult choice of paying a ransom, despite this going against advice published by the National Cyber Security Centre (NCSC). 

This resulted in weeks of downtime due to poor backup and disaster recovery processes, which in turn led to significant lost fees and client disruption. Even though the ransom was paid, the criminals still leaked stolen data onto the dark web, resulting in a breach of UK General Data Protection Regulation (GDPR). 

Accountants manage a treasure trove of data

Accounting firms handle a wealth of sensitive information, including clients’ personal data, financial statements, tax records and payroll details. This makes them a lucrative target for cybercriminals seeking financial gain. 

Bank account details, national insurance numbers and personal identification numbers are of immense value on the black market; they can be used for identity theft, financial fraud and other criminal activities.

SMEs and small accounting firms are often viewed as soft targets by cybercriminals because they are perceived as having weaker defences compared with larger organisations. Many accounting practices are reliant on legacy systems or basic IT infrastructure, which may not offer the sophisticated security protections required to defend against modern cyber threats. 

Lack of awareness

One of the main vulnerabilities facing small firms is a lack of understanding of the importance of cyber security. Many SMEs mistakenly believe that because they are small, they are not likely to be targeted by hackers. In reality, size does not matter when it comes to cybercrime. Small firms are often easier to infiltrate as they may not have dedicated IT teams or robust cyber-security protocols in place.

The accounting sector’s low awareness of cyber-security risks contributes to lax security standards. Some firms may be unaware of the latest threats, such as ransomware, phishing and social engineering attacks. 

This lack of awareness can lead to a failure to implement basic cyber-security measures such as encryption, multi-factor authentication, or regular data backups. Furthermore, many firms do not regularly update their systems or train employees on recognising cyber threats, making them prime targets for opportunistic hackers.

Compliance obligations

Beyond the immediate financial and reputational risks, non-compliance with data protection regulations, such as the GDPR and the Data Protection Act 2018, can result in significant fines. As custodians of large amounts of personal and financial data, accounting firms are legally obligated to protect this information. A data breach can lead to severe penalties from the ICO, in addition to the cost of rectifying the breach and the damage to client trust.

Although the cyber threat landscape is daunting, small accounting firms can take several proactive steps to protect themselves and their clients. Here are a few essential measures:

1. Employee training

Educating staff on cyber security is critical. Employees should be trained to recognise phishing emails, avoid clicking on suspicious links and use strong passwords. Regular training sessions can help keep cyber security top of mind for all employees.

2. Proactive 24/7 security monitoring

Encrypting sensitive data ensures that even if cybercriminals gain access to your systems, they cannot easily decipher the information. Firms should encrypt both stored data and data in transit to provide comprehensive protection.

3. Multi-factor authentication (MFA)

MFA adds an extra layer of security by requiring users to provide two or more verification methods to gain access to systems or data. This could include something the user knows (password), something they have (a mobile device), or something they are (fingerprint or facial recognition).

4. Regular software updates

Many cyber attacks exploit vulnerabilities in outdated software. It is essential to keep all systems, software, and applications up to date with the latest security patches to close any potential loopholes that hackers might exploit.

5. Data backups stored securely offsite

Regularly backing up critical data ensures that if a cyber attack occurs, firms can restore their data with minimal disruption. Cloud-based backups that are encrypted provide additional security. Backups should be stored in a location separate to the main system so that if the system is breached, the backup remains secure.

6. Cyber-security Insurance

Cyber insurance can help mitigate the financial impact of a cyber attack. This type of insurance covers a range of risks, including the cost of data restoration, legal fees and the potential loss of business. Similar to above, details of the insurance policy should be kept separately to the systems it refers to. Criminals are becoming increasingly skilled at obtaining insurance policy details during a hack and using the information to make it harder for firms to make a claim by exploiting its exclusions.

7. Annual review and Cyber Essentials Plus (CE+) Certification

Having an independent annual review of your cyber position is crucial. This should be completed by an independent firm and work towards the CE+ standard. 

As cyber threats continue to rise, it is clear that no firm is too small to be targeted. Small and medium-sized accounting firms must recognise the risk and take steps to bolster their cyber-security defences. 

By investing in training, adopting best practices and staying informed about the latest threats, firms can significantly reduce their vulnerability to attacks. Protecting sensitive client data is not just a legal requirement; it’s a fundamental aspect of running a trustworthy and resilient accounting practice. 

The ICO’s quarterly statistics serve as a stark reminder: firms that fail to take cyber security seriously are putting their businesses, clients and reputations at risk. Now is the time for action.

Daniel Teacher is Managing Director of T-Tech.