Cyber Security in Accountancy

Where to focus your Cyber Security

Following on from our overview of the research we conducted on IT in Accountancy published in November 2020 (you can access the article here), we’re now going to take a deeper dive into one of the key themes to come out of this study, cyber security.

We were surprised that cyber security didn’t feature highly in the research in terms of ‘wishes’ with only a few respondents’ wants being a ‘bulletproof security system’, ‘data security’ or ‘incident management’. It was also quite alarming that the majority rated themselves highly at 8 out of 10 for their awareness of cyber threats and how secure they are. The study highlighted as many as 70% of firms feel secure enough, although 25% don’t have a communication plan in place if they do get breached. Here’s a breakdown by size of firm based the number of clients they have:

Number of clients

Including Personal Tax

How aware are you of the extent of cyber threats?

10 highest

How secure are you?

10 highest

Do you feel you are secure enough? Do you have a communication plan in place if you do get breached? Do you have a disaster recovery plan in place?
Less than 500 8 9 Yes 100% Yes 33%
No 67%
Yes 100%
500-1500 7 8 Yes 67%

No 33%

Yes 67%
No 33%
Yes 83%
No 17%
1501-2500 9 8 Yes 60%

No 40%

Yes 80%
No 20%
Yes 100%
2501-5000 9 8 Yes 50%

No 50%

Yes 100% Yes 75%
No 25%
Greater than 5000 10 9 Yes 100% Yes 100% Yes 100 %

This highlights the need to ensure everyone in the firm is educated on cyber security. We’ll take a look at employee education and the tools available to make you more secure.



Employee education

Employees are your greatest asset and your greatest liability, especially when it comes to keeping your systems secure. Staff pose the biggest risk as people make mistakes. Thankfully we haven’t been replaced with robots quite yet, so we need to ensure everyone in the firm remains vigilant at all times. Cyber training should be an ongoing process including running simulated phishing attacks. We need to ‘Stay Alert’!


If you’re caught off-guard you could easily be the victim of a phishing attack. Chances are you, or one of your colleagues, have seen one, if not been hit by one in the past. This is where scammers send fake emails asking for sensitive information (such as bank details) or containing links to bad websites. A common one to watch out for is asking you to enter your Microsoft account credentials into a screen that looks very similar to the real thing. You should always check the email address and full hyperlink of a message that asks you to click a link or download an attachment. If you have our M365 Secure support package, this incorporates Microsoft Defender which includes:

  • Safe Links This helps protect your business against malicious sites when people click links in Office apps. When a user receives an email with links, the links will be scanned. If the links are deemed safe, they’ll be clickable. However, if the link is on the blocked list, users will see a message that it’s been blocked.
  • Safe Attachments Provides an additional layer of protection for email attachments by using a virtual environment to check attachments in email messages before they’re delivered to recipients (a process known as detonation).
  • Anti-phishing protection Detects attempts to impersonate your users and internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks.


Gone are scheduled password changes, to be replaced with only changing passwords if there’s been a suspected compromise. Everyone should abide by your firm’s password policy which should now recommend a longer passphrase. Longer passphrases, even consisting of simpler words or constructs, are better than short passwords with special characters. Logins and passwords should never be shared. You could make use of a password manager tool to store complex passwords.

Multi-Factor Authentication

Your passwords can be easily compromised. MFA immediately increases your account security by requiring multiple forms of verification to prove your identity when signing into an application. It’s free and easy and makes your account up to 99.9% less likely to be compromised. For your Microsoft account, MFA can be easily deployed across your firm enabling you to add a safe and secure two-step verification method for your online credentials from a range of authentication options (such as phone call, text message, or mobile app notification) to access your applications.

MFA is now widely available across many applications and should be switched on whenever you are given the option to do so. It is recommended to use an authenticator app over text message where possible.

Administrator Accounts

Everyday tasks should not be performed while logged into your computer with local admin rights. If the machine was to become compromised, this would allow the hacker to run malicious software. There are relatively few tasks that require administrator privileges, so why risk it!

Security breaches of a Microsoft 365 subscription, including information harvesting and phishing attacks, are typically done by compromising the credentials of a Microsoft 365 global administrator account. To protect your global administrator accounts, create dedicated admin accounts and use them only when necessary. Configure multi-factor authentication for your dedicated Microsoft 365 global administrator accounts and use the strongest form of secondary authentication.


Firms should have an approved list of software that employees can install, with anything additional needing business case approval. This reduces the risk by only allowing supported software, making it easier to manage updates.

It’s vital all operating systems are up to date, including servers, desktops, laptops, tablets and phones. All Windows 7 and Windows Server 2008/R2 customers received an update on 14th January 2020 as the operating systems were in support until then and should no longer be in use. Once a Microsoft operating system reaches the end of support, customers will no longer receive security updates, leaving them exposed to hackers.

Web browsers, Office software, desktop software and anti-virus should all be set to automatically update. Users may have disabled, defer or decline updates, so it’s important to regularly check all devices that access corporate information are up to date. Updates should be installed promptly but, be aware, if the device is low on storage, the update may not complete.

Device Lock

To remain secure and GDPR compliant, lock your own device when you leave your screen whether you’re working in the office or at home. On Windows hit the Windows key + L on your keyboard. On a Mac press Control + Command + Q. You can also set your screen to automatically lock after a very short time of inactivity.

Home Working

The current COVID-19 lockdown measures make it a legal requirement to stay at home, meaning everyone must now work from home where they can. Being in the more relaxed home environment, employees may be more inclined to let their guard down when it comes to security. This is when cyber criminals attack, whether it’s fake emails about getting the vaccine or bogus emails asking to pay a supplier, when your colleague isn’t easily contactable to verify the transaction. Keep reminding everyone to stay vigilant while supporting them through this difficult time.

With a global chip shortage threatening production of laptops, employees may still be using their personal devices to access corporate information. The risk with using home devices is not being on the latest security updates and saving corporate data to personal hard drives. If the device was to fail or a file be deleted, the chances are this wouldn’t be backed up. With Microsoft Remote Desktop Services, the user can take control of a remote computer or virtual machine over a network connection to enable them to work as they would in the office. That means all work will be backed up on the corporate network as normal.

Office-based employees are usually protected by a firewall and traditional antivirus. To enhance security while working remotely, we include technology such as Endpoint Detection & Response and Cloud Security in our support package. Staff need to be protected even if their network traffic is going directly to the internet. These advanced technologies provide the first line of defence against threats on the internet, wherever users go. It is the fastest and easiest way to protect all of your users in minutes.

Now is the perfect time to utilise Microsoft OneDrive or SharePoint, where your team can collaborate remotely on files, meaning no more emailing different versions of spreadsheets or documents. However, many organisations mistakenly believe that Microsoft 365 data is automatically backed up. With our M365 Secure support package, SaaS Backup is included. An astonishing 1 in 3 companies report losing data stored in cloud-based applications. The reason for this is human error. Users remain the biggest risk to your company data, no more so than at the moment when it’s being accessed from more locations than usual.

Outrunning the bear

It can be daunting when there are so many ways your systems and data can become compromised. If you’re doing something to protect your systems, you’re doing more than someone who has their head in the sand. Criminals will always go for the low hanging fruit, so the more you do to protect your firm, the less likely you are that you will fall victim to an attack.

No matter how many different layers of security you utilise, you can still be the victim of cyber crime. Don’t forget that cyber criminals are just that, criminals. Don’t punish yourself or a colleague for falling victim. Lugo partner with the Scottish Business Resilience Centre who, in partnership with the Scottish Government and Police Scotland, have launched the UK’s first Cyber Incident Response Helpline for the SME community and the third sector to help victims of cyber crime understand what support is immediately available to them and help them recover. They can help organisations confirm if they have been the victim of an attack and, if so, provide expert guidance to get them back to secure operations. Businesses can reach the Cyber Incident Helpline by calling 01786 437 472 weekdays 9am-5pm.


You don’t have to run faster than the bear,

you just have to run faster than the guy next to you.


Look out for more insight into the key themes from our research in future articles. If you’d like to discuss any element of this research or enhance your own cyber resilience, please email

Huge thanks to the participants from accountancy firms across Scotland who gave up their valuable time to take part in this research.

#LugoLove Liz 💙