Phishing to biometrics: How accountants are responding to cybercrime 

December 10, 2025

Key takeaways:

  • No business is too small for a cyber-attack – Small accounting firms are often targeted precisely because they lack the resources for strong cyber defences. Assuming you are not a target is one of the biggest risks. 
  • Your people are the first line of defence – Most breaches start with human error such as clicking a phishing link. Regular staff training, access controls, and verification processes are essential to reduce risk. 
  • Cybersecurity requires proactive planning – From biometric logins to least-privilege access and off-system backups, firms must invest in layered, evolving strategies to stay ahead of increasingly sophisticated threats. 


Many accountants believe they are too small or insignificant to be targeted by cybercriminals.  

According to Caillin Goss, Business Development Manager at Priority Networking, small businesses are actually more likely to be targeted precisely because they often lack the resources to defend themselves effectively. 

“The average time it takes for a business to realise someone has accessed their systems is 300 days,” said Goss. “These are professional criminals, just like you are professional accountants and advisers.” 

Staff and click-throughs open the door to cyber-attacks 

Most cyber incidents don’t start with sophisticated hacks but with a simple click, as staff unknowingly open malicious links or attachments and give attackers access to sensitive systems.  

This is what happened to Sydney-based accounting and wealth firm Prime Advisory, which was hacked after an employee clicked a phishing link in an email that appeared to be from a client. 

The link asked the employee to reauthenticate with their Microsoft credentials, which they entered. When nothing appeared to happen, the employee asked the supposed client to resend the link. 

Ten days later, the firm was contacted by an unknown IT specialist who called to raise concerns of a potential data breach and reported receiving a call from someone claiming to be from the business who tried to sell them a gold investment. “From there, it all happened so fast, I just felt like a bobbing head,” said Ben Norval, Director, Prime Advisory. 

The incident led to three months of disruption and a cost of $350,000, which was covered by cyber insurance. Since then, the business has implemented geo-blocking, device identification, and daily cyber monitoring. 

“Once you’ve been through the pain, you don’t want to go through it again,” said Norval. 

Biometrics emerge as an accessible mitigation strategy 

SuperGuardian also shared an example of a phishing attempt received by a new staff member within days of joining the company. The email appeared to come from a company director, but the staff member recognised it as suspicious and reported it. 

This is why SuperGuardian begins cyber training on day one and repeats it regularly. “Cybercriminals are constantly evolving their strategies,” said Josh Williams, Chief Operating Officer, SuperGuardian.  

“Although it can be confronting for new staff to spend their first day going through IT training, it is necessary in order to protect them from the strategies used by cybercriminals.” 

With the rise of voice replication and other advanced tactics, businesses are being urged to move beyond two-factor authentication. Biometrics such as fingerprint or facial recognition are becoming essential.  

SuperGuardian has adopted biometric keys to access systems, eliminating the need for passwords. While the transition was relatively smooth, Williams noted it does require dedicated IT support. 

Need-to-know basis offers a practical approach to cyber security 

Another key strategy is the principle of “least privilege”: giving employees access only to the systems and data they need to do their jobs. Goss stressed the importance of limiting access to client files, saying, “Give access only to their clients, not across all of financial advice.” 
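Least privilege is easier to describe than to keep honest over time: grants accumulate and are rarely reviewed. The following is an added illustration, not code from the article or from any firm it mentions, of how a per-client file policy can be enforced deny-by-default and then audited by comparing what each adviser was granted against what they actually used. The adviser names, client identifiers and access log are all constructed for the example.

```python
"""Deny-by-default client-file authorisation with a least-privilege review.

Added example; the advisers, client IDs and access history below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Grants: the client files each adviser may open. Anything not listed is refused,
# so an unknown user or an ungranted client falls through to "deny".
GRANTS = {
    "adviser_a": {"CL-1001", "CL-1002", "CL-1003"},
    "adviser_b": {"CL-1002", "CL-2001"},
    "partner":   {"CL-1001", "CL-1002", "CL-1003", "CL-2001", "CL-3001"},
}


@dataclass
class AccessEvent:
    user: str
    client: str
    when: date
    allowed: bool


@dataclass
class PolicyEngine:
    grants: dict
    log: list = field(default_factory=list)  # every decision, allowed or not

    def authorize(self, user: str, client: str, today: date) -> bool:
        """Deny by default: only an explicit (user, client) grant is allowed."""
        allowed = client in self.grants.get(user, set())
        self.log.append(AccessEvent(user, client, today, allowed))
        return allowed

    def denied_events(self) -> list:
        """Refused attempts; repeated denials for one user are worth a look."""
        return [e for e in self.log if not e.allowed]

    def unused_grants(self, today: date, days_back: int) -> dict:
        """Grants not exercised in the window: candidates to revoke.

        This is the review step of least privilege: access that was granted
        but never used in `days_back` days is probably no longer needed.
        """
        since = today - timedelta(days=days_back)
        used = {(e.user, e.client) for e in self.log if e.allowed and e.when >= since}
        return {
            user: sorted(c for c in clients if (user, c) not in used)
            for user, clients in self.grants.items()
        }


def run_demo() -> tuple:
    """Replay a constructed 90-day access history and return (engine, today)."""
    today = date(2025, 12, 10)
    engine = PolicyEngine(GRANTS)
    engine.authorize("adviser_a", "CL-1001", today - timedelta(days=3))
    engine.authorize("adviser_a", "CL-1002", today - timedelta(days=40))
    engine.authorize("adviser_b", "CL-2001", today - timedelta(days=1))
    engine.authorize("adviser_b", "CL-1003", today)        # not granted -> denied
    engine.authorize("contractor", "CL-1001", today)       # unknown user -> denied
    engine.authorize("partner", "CL-3001", today - timedelta(days=120))  # outside window
    return engine, today


if __name__ == "__main__":
    engine, today = run_demo()
    for event in engine.denied_events():
        print(f"DENIED {event.user} -> {event.client} on {event.when}")
    for user, stale in engine.unused_grants(today, days_back=90).items():
        if stale:
            print(f"REVIEW {user}: unused grants {stale}")
```

The two outputs are the practical pieces: denied events feed monitoring (an adviser repeatedly hitting files outside their book is a signal), and the unused-grant list drives a periodic revocation pass so that access stays aligned with the clients each person actually serves.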

Other practical tips include reducing the number of paths that lead to data, archiving backups every six to twelve months, and keeping those archives separate from live systems. Prime Advisory has also introduced verbal confirmation of all client requests as an extra layer of security. 

While these measures can sometimes feel restrictive, they are necessary. “The reality is, it can’t all be easily accessible and that can be frustrating,” admitted Williams. But the alternative, exposing your business and clients to a cyber breach, is far worse. 
