
Cyber Security for Accountancy Practices: The Complete Guide

This guide covers the complete cyber security landscape for accountancy practices in the UK — the specific threats, professional and regulatory obligations, and practical controls that every practice should have in place. It is written for managing partners, practice managers, and compliance leads who need a clear, actionable view of what security looks like for a firm that holds the financial data of its clients and their employees.

Your Highest-Risk Assets

HMRC Government Gateway agent credentials. These provide access to client tax accounts and are the single highest-value credential a practice holds. Compromised agent credentials have been used to redirect tax repayments, submit fraudulent returns, and harvest client financial information at scale. They require unique passwords, MFA, and immediate revocation when staff with agent access leave.

Practice management system. IRIS, CCH, Xero Practice Manager, TaxCalc, or similar systems hold the complete client record, fee agreements, work in progress, and completed file documentation. If the system is unavailable, the practice cannot serve clients during one of the profession's highest-pressure periods — tax filing deadlines. If it is compromised, the attacker gains the complete intelligence picture of the practice's client portfolio.

Payroll databases. Employee personal data for client businesses — bank accounts, NI numbers, salary details, tax codes, and pension contributions — for potentially hundreds of individuals who have no awareness that the practice holds their data. This is among the most directly actionable personal data for financial fraud.

AML customer due diligence records. KYC documentation, source of funds evidence, and risk assessments held under the Money Laundering Regulations. These records contain high-quality identification documents and are subject to mandatory retention requirements. Their destruction or encryption creates a regulatory emergency.

The Essential Controls

HMRC Agent Account Security

Every staff member with HMRC agent access must use: a unique password (stored in the practice password manager), authenticator app MFA on HMRC's Government Gateway, and a separate work device or browser profile for HMRC access. When a staff member leaves, HMRC agent access must be revoked within 24 hours — not when the IT provider next visits, not at the end of the month.

Review the list of staff with HMRC agent access quarterly. Remove access for staff who no longer require it. Monitor for any unusual activity — submissions outside normal working hours, access from unfamiliar IP addresses, changes to client repayment bank details.
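The warning signs above, plus the leaver check from the previous paragraph, can be applied to an export of agent activity as a simple triage pass. This is an added example, not the page's or HMRC's own tooling: the record layout, office IP range, working hours and leavers list are constructed assumptions a practice would replace with its own.

```python
"""Triage HMRC agent-activity records for the warning signs a practice should watch.

Constructed example; the record fields (time in ISO 8601, staff login, source IP,
action) are assumptions, not an HMRC log format.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]   # assumed practice egress range
WORKING_HOURS = (time(7, 0), time(20, 0))          # assumed normal working hours
LEAVERS = {"j.smith"}                              # staff whose agent access should be gone
SENSITIVE_ACTIONS = {"repayment_bank_details_changed"}

SAMPLE_EVENTS = [  # constructed sample records
    {"time": "2024-01-15T10:12:00", "user": "a.patel", "ip": "203.0.113.14", "action": "sa_return_submitted"},
    {"time": "2024-01-15T23:41:00", "user": "a.patel", "ip": "198.51.100.7", "action": "sa_return_submitted"},
    {"time": "2024-01-16T09:05:00", "user": "j.smith", "ip": "203.0.113.22", "action": "client_record_viewed"},
    {"time": "2024-01-16T09:30:00", "user": "a.patel", "ip": "203.0.113.14", "action": "repayment_bank_details_changed"},
]


def review_event(event):
    """Return the warning tags raised by one access record (empty list if none)."""
    tags = []
    ts = datetime.fromisoformat(event["time"])
    if not WORKING_HOURS[0] <= ts.time() <= WORKING_HOURS[1]:
        tags.append("out_of_hours")
    if not any(ip_address(event["ip"]) in net for net in OFFICE_NETWORKS):
        tags.append("unfamiliar_ip")
    if event["user"] in LEAVERS:
        tags.append("leaver_still_active")
    if event["action"] in SENSITIVE_ACTIONS:
        tags.append("sensitive_change")
    return tags


def review_log(events):
    """Return (time, user, tags) for every record that needs a human look."""
    flagged = []
    for event in events:
        tags = review_event(event)
        if tags:
            flagged.append((event["time"], event["user"], tags))
    return flagged


if __name__ == "__main__":
    for when, who, why in review_log(SAMPLE_EVENTS):
        print(f"{when} {who}: {', '.join(why)}")
```

A leaver appearing in the log at all is a finding in itself, regardless of time or IP, because the revocation step was missed.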

Practice Management System Backup

Tax filing deadlines are the worst time for a ransomware incident. A practice whose system is encrypted in late January, or in the days before a corporation tax deadline, faces both the recovery challenge and the professional obligation to meet statutory deadlines for its clients.

Back up the practice management database daily. Confirm the correct backup procedure with your software vendor — database-level backup, not just file copy. Test a restore quarterly. Maintain at least one backup copy that is completely offline — a physically disconnected external drive stored securely. This offline copy is what distinguishes a recoverable incident from a business-ending one.

Cloud Accounting Platform Access Management

For each client cloud accounting platform the practice accesses — Xero, QuickBooks, FreeAgent, Sage — maintain credentials in the practice password manager with unique passwords. Enable MFA on each platform. When a staff member leaves, revoke their access to every client platform they worked with — not just the practice management system, but each individual client cloud platform.

Maintain a log of which staff have access to which client platforms. At its simplest, this is a spreadsheet maintained by the practice manager — updated when new staff join, when existing staff change roles, and when staff leave. Without this log, the leavers process is incomplete and former staff may retain access to client financial systems indefinitely.

Email Security: Protecting Clients from Impersonation

Configure DMARC at p=reject for the practice's email domain. This prevents criminals from spoofing the practice's email address when targeting clients with fraudulent invoices or payment instructions. A client who receives a convincing email from the practice's domain requesting payment of a fee or authorising a bank transfer should be protected by the knowledge that spoofed emails from the practice domain are rejected before delivery.
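A practice can check whether its published record actually meets the p=reject target rather than a staged or partial policy. This is an added example, not the page's or any vendor's code: it inspects the record text only (fetching the TXT record at `_dmarc.<domain>` is left out), and the domain and mailbox in the sample records are constructed placeholders.

```python
"""Check a DMARC TXT record against the p=reject target for a practice domain.

Added example with constructed sample records; the domain and reporting
mailbox are placeholders, not a real practice's values.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return the reasons a record falls short of full p=reject enforcement."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v= tag: receivers will ignore the record")
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'absent'}: spoofed mail is still delivered")
    # sp defaults to p, so only an explicit weaker sp needs a finding of its own
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains of the domain can still be spoofed")
    # pct defaults to 100; a lower value applies the policy to only a sample of mail
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only a sample of messages")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings


# Constructed records: a monitoring-only policy, a half-staged one, and the target.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example-practice.co.uk"
STAGED = "v=DMARC1; p=quarantine; pct=50; sp=none"
TARGET = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-practice.co.uk"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK), ("staged", STAGED), ("target", TARGET)):
        print(label, dmarc_findings(rec) or "meets p=reject target")
```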

Establish a written procedure under which client fee invoices above a set threshold are sent via a secure portal rather than by unencrypted email. This reduces the risk that a genuine invoice is intercepted and used as a template for a fraudulent one.

Deadline Season Planning

January self-assessment season and the weeks before corporation tax deadlines are both high-pressure periods when staff are under time pressure, working extended hours, and more susceptible to social engineering. These are also periods when attackers specifically target tax professionals — phishing emails impersonating HMRC with urgent deadline-related content are deliberately timed to peak filing periods.

Reinforce phishing awareness training at the start of each busy season. Remind staff of the HMRC impersonation patterns that are most common during filing periods. Ensure that the incident response contact is available during extended working hours — a compromised system discovered at 9pm during January should not have to wait until the next morning for a response.

The Investment Case

A practice with 5 to 15 staff typically operates 15 to 30 networked assets. The monthly cost of SOC in a Box at the Small plan is less than the billing rate for one working day of a senior accountant — and it provides the security monitoring, Cyber Essentials certification, and compliance evidence that protects the practice, its clients, and the professional obligations that underpin the entire firm's ability to practise.

Client Finances Protected. Practice Obligations Met. Deadlines Kept.

SOC in a Box provides 24/7 monitoring of your practice network, HMRC agent access anomaly detection, DLP for payroll and client financial data, Cyber Essentials certification, and monthly Confidence Score reports. Your named analyst understands the professional and regulatory context of an accountancy practice. Five working days from scoping call to live monitoring.
