At a glance
- Many small businesses lack cyber policies, despite increasing and more sophisticated threats.
- Accounting firms are prime targets due to valuable data and weak defences.
- Implement a robust cyber policy with clear staff and management responsibilities.
- Advise clients on basic security and direct them to free online resources.
For years we’ve been told that every client file in your system represents a potential payday for cyber criminals. Tax returns, payroll records, banking details – it’s all there, often spanning years.
But the evidence is that we’re tuning the message out. auDA, the .au domain administrator, reported in 2025 that just 20% of small businesses have cyber security policies or offer staff training. That’s actually down on 2021’s number.
Yet at the same time, 83% of Australians believe cyber criminals are getting more sophisticated, and two-thirds of people are avoiding certain online activities because of security fears.
As an accounting professional, you don’t have the luxury of going offline. And you have both professional and legal duties to protect information shared by your clients.
Michael Davison is the Institute of Public Accountants’ general manager of advocacy & emerging policy. He ranks cyber security as accounting’s number one non-tax compliance concern, and he notes that cloud-based information storage and systems have made it even more important for accountants to protect client data.
Why cyber criminals target accounting firms
For cyber criminals, accounting firms which neglect data protection represent a perfect combination: valuable information and weak defences.
Shameela Gonzalez, Financial Services Industry Lead at CyberCX, explains that the high-value information firms store is a potent lure for threat actors. “This data is highly lucrative for criminals, and can be sold on the dark web, used to steal identities and commit fraud or leveraged in ransomware or extortion,” she notes.
Accounting firms also serve as gateways to their clients. Email is the primary communication channel for most practices, so one particularly effective attack is Business Email Compromise (BEC), in which criminals hijack email accounts to intercept financial transactions. Such attacks accounted for 28% of cyber incidents last year, with finance among the hardest-hit sectors.
Gonzalez notes this vulnerability is compounded by budget. “Most accounting firms operating in Australia are considered small to medium enterprises that, due to their resource constraints, tend to have minimal security strategies in place to prepare for or defend against cyber incidents,” she says.
Any damage from an attack extends beyond immediate business disruption. Firms face strict Privacy Act obligations around how information is collected, stored, used and disclosed, and additional requirements apply to the handling of tax file numbers. Privacy Act breaches may trigger mandatory reporting and potential penalties.
12 essential elements of a robust cyber policy
It may be tempting to approach cyber security as a compliance box to tick. But experts consulted by Financial Accountant say effective protection requires consideration of the business purpose and vision.
Gonzalez warns that accounting firms face two major threats – loss of access to their systems, and the theft of significant sensitive data. In either case, she says, “cyber strategy must address how the business will respond to financial, legal, operating and other risks associated with a cyber attack.”
The good news? Robust security doesn’t require a massive budget. Dr Bruce Tonkin, CEO of .au Domain Administration, says “cyber security practices don’t have to be complex and, when done right, will support a culture of cyber awareness.”
The basic list of protections that all staff should know includes:
- using complex passphrases and two-factor authentication across all systems;
- a policy against sending sensitive data via email;
- secure device storage when devices are not in use;
- automatic software updates and regular device restarts;
- methods to identify suspicious emails (often requiring training); and
- independent verification of supplier banking details on invoices.
Gonzalez also recommends management best practices:
- define the cyber policy’s scope;
- assign clear roles and responsibilities for cyber security;
- ensure role-based access so staff only see information necessary for their job;
- set up data handling protocols, incident response plans, and backup procedures;
- institute regular reviews to adapt to new threats; and
- implement third-party risk management.
This last point requires management to identify and mitigate risks from external vendors, suppliers, and partners who have access to the firm’s information or systems.
How accountants can help clients improve cyber readiness
While you’re strengthening your own defences, your clients may still be vulnerable. As trusted business advisors, accountants can help clients avoid becoming victims of cyber crime.
Gonzalez suggests a practical approach: criminals constantly refine their techniques, but clients who stay close to their financials can spot a problem and act quickly. “Accountants can talk to their clients about the importance of having a line of sight on their financials and their transactions, so that they can pick up on anything that looks anomalous,” she says.
Beyond monitoring, experts suggest guiding clients toward basic security measures like secure email services and document sharing platforms such as DocuSign.
Tonkin recommends sharing free, trustworthy online resources:
- auDA’s five Ps of website security are simple, practical steps that small businesses can implement to keep their websites secure.
- Cyber.gov.au: the Australian Government’s official home of cyber security advice and resources, includes education packs designed for small businesses.
- The Council of Small Business Organisations Australia’s Cyber Wardens program offers free online cyber security courses for small businesses.
With cyber criminals growing more sophisticated and most small businesses still unprotected, the 80% without a cyber policy won’t stay lucky forever. The accountants who treat security as seriously as they treat their clients’ financials are more likely to thrive in today’s digitally enabled world.