Guide
Cybersecurity checklist for accounting firms
A practical 10-step checklist built around the workflows accounting firms actually run — client document exchange, tax portals, payroll, and remote work. Walk through it with your team and tick off what's already covered.
1. Turn on multi-factor authentication everywhere
Enforce MFA on email, your practice management software, cloud storage, payroll and the tax filing portals. Email and tax-portal takeover are the two most common attack paths against accounting firms, and MFA blocks the password-only attacks (reused, guessed or phished passwords) behind most of them. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted by SIM swapping, and make sure staff know never to approve a login prompt they did not just trigger themselves.
2. Lock down email and stop client-data phishing
Configure SPF, DKIM and DMARC on your sending domain, and move DMARC from p=none (monitoring only) to p=reject once the reports show every legitimate sender is covered; enable anti-phishing protection in Microsoft 365 or Google Workspace. Those records stop criminals sending mail as your exact domain; they do nothing against a lookalike domain, so also warn staff about fake 'change of bank details' emails that target client refunds, and require any change of bank details to be confirmed by phone on a number you already hold.
3. Move client document exchange off plain email
Use an encrypted portal for sending and receiving tax records, ID documents and financial statements. Email attachments sit in both mailboxes indefinitely, get forwarded or auto-completed to the wrong recipient, and are exposed the moment either mailbox is compromised; they are a recurring source of regulatory complaints.
4. Patch and update every device, every month
Enable automatic updates on Windows, macOS, browsers and your tax software, and check once a month that they actually applied: a machine with a reboot pending for weeks is still unpatched. Replace any device that no longer receives security updates, including the partner's old laptop. Unpatched endpoints are the easiest way ransomware gets in.
5. Use a password manager and kill shared logins
Give every staff member a password manager and stop sharing logins between bookkeepers and partners. Each person needs their own account so you have an audit trail when something goes wrong and can disable one person's access without locking out the rest; where the software supports single sign-on, use it so offboarding is a single switch.
6. Back up client data, and test the restore
Keep at least one backup copy off your main network (a separate cloud account or an offline drive). That copy must not be deletable with the credentials you use every day, because ransomware wipes whatever your admin account can reach; separate credentials, versioning or an immutability setting on the backup account all achieve this. Once a quarter, actually restore a file and open it. A backup you've never restored is a hope, not a control.
7. Control who can access what
Apply least-privilege access in your practice management and accounting software. Junior staff don't need admin rights; ex-employees should be removed on their last day, not three months later, and any shared credential or portal login they knew should be rotated at the same time. Review the access list once a quarter, since permissions only ever accumulate.
8. Secure remote work and personal devices
If staff work from home or use personal laptops, require full-disk encryption, automatic screen lock and up-to-date antivirus before the device touches client data. Treat coffee-shop Wi-Fi as hostile: use the firm VPN or a mobile hotspot for client work.
9. Train the team on the scams that actually hit firms
Run a 20-minute session every quarter on the current threats — fake HMRC / IRS emails, invoice fraud, deepfake voicemails from 'the partner', and bogus client referrals. People are your first line of defence; keep them sharp.
10. Write down an incident response plan
Document who to call, which clients to notify and how to isolate a compromised machine if something goes wrong (disconnect it from the network and leave it powered on so evidence survives, rather than wiping it). Regulators expect a documented plan and notification within a fixed window after discovery, and the window differs by regime: the ICO requires notice within 72 hours under UK GDPR, while the FTC Safeguards Rule and US state breach laws set their own deadlines. Work out which apply to your firm before the day, not on it.
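Item 2 asks for SPF and DMARC on your sending domain. The script below is an added example, not part of this checklist or any ComplyWise tooling: it evaluates the two TXT records against the points made there, flagging an SPF record that ends in '+all' or '~all' or exceeds the RFC 7208 limit of ten DNS lookups, and a DMARC record that only monitors (p=none), applies to part of the mail stream (pct below 100), leaves subdomains open, or has no reporting address. The domains and records in SAMPLE_RECORDS are constructed for illustration; for your own domain you would fetch the TXT records for the domain and for _dmarc.<domain> with dig or a DNS library and pass them to the same functions.

```python
"""Check SPF and DMARC TXT records for an enforcing anti-spoofing policy.
Added example, not code from the original checklist. The records below are
constructed (hypothetical domains) so the script runs offline."""
from typing import Optional

# Constructed sample records keyed by hypothetical domain name.
SAMPLE_RECORDS = {
    "weak-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example",
    },
    "hardened-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@hardened-firm.example"),
    },
    "no-dmarc.example": {"spf": "v=spf1 +all", "dmarc": None},
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def mechanism_name(term: str) -> str:
    """'include:spf.example' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf: Optional[str]) -> list:
    """Return findings for an SPF record; an empty list means it is enforcing."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no record, so receivers cannot reject forged envelope senders"]
    findings = []
    terms = spf.split()[1:]
    all_term = next((t for t in terms if mechanism_name(t) == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None or qualifier == "+":
        findings.append("SPF: '+all' or no 'all' term: any host may send as this domain")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral and protects nothing; change to '-all'")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail is treated leniently by many receivers; "
                        "move to '-all' once DMARC reports show every legitimate sender")
    lookups = sum(1 for t in terms if mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror and the record stops protecting you")
    return findings


def check_dmarc(dmarc: Optional[str]) -> list:
    """Return findings for a DMARC record; an empty list means it is enforcing."""
    if not dmarc:
        return ["DMARC: no record, so mail failing SPF/DKIM is still delivered"]
    tags = parse_dmarc(dmarc)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record does not begin with v=DMARC1 and will be ignored")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine routes forgeries to spam; move to p=reject")
    elif policy != "reject":
        findings.append(f"DMARC: unknown policy '{policy}'")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected while the apex is enforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see aggregate reports of spoofing")
    return findings


def assess(domain: str, records: dict = SAMPLE_RECORDS) -> dict:
    """Combine SPF and DMARC findings; 'enforcing' is True only when both are clean."""
    rec = records.get(domain, {})
    findings = check_spf(rec.get("spf")) + check_dmarc(rec.get("dmarc"))
    return {"domain": domain, "enforcing": not findings, "findings": findings}


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        result = assess(name)
        print(f"[{'OK' if result['enforcing'] else 'FIX'}] {name}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run it and each sample domain prints its findings; an empty list means the policy is enforcing. The check covers only what the published records say, not whether DKIM signing is actually switched on in Microsoft 365 or Google Workspace, so confirm that separately in the admin console.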
Want this walked through for your firm?
Register for ComplyWise Office Hours — a live Q&A where our team helps you apply this checklist to your own setup.