Top cyberthreats targeting accounting firms

Accounting firms face threats from cyberthieves using malware, phishing expeditions, and data theft to steal treasure-troves of client and financial information.

By Malia Politzer
March 16, 2020

Please note: This item is from our archives and was published in 2020. It is provided for historical reference. The content may be out of date and links may no longer function.

No industry is immune to the harmful effects of cybercrimes, and the financial damage can be devastating.

Cybersecurity breaches are estimated to cost businesses around the world a staggering $1.5 trillion annually, according to a report from the U.K.’s Bromium cybersecurity firm. Additionally, nearly three-quarters of the more than 500 business leaders surveyed for Grant Thornton’s 2019 Cyber Security: The Board Report relayed revenue losses of up to 25% following cybersecurity attacks.

Accounting firms — which have access to sensitive financial and other personal client data — are a top target for cybercriminals, according to Vijay Rathour, partner in the Digital Forensic Group at the London office of Grant Thornton. Many small and medium-sized companies and firms might believe themselves to be at a lower risk than the bigger, higher-revenue firms, but this simply isn’t the case, Rathour said.

“It may seem counterintuitive, but the risk of cyberattacks is disproportionally higher for smaller and medium-sized organizations, which tend to be much more reactive than proactive,” said Rathour. “They need to realize that this can happen, and they are a target.”

In fact, small and medium-sized accounting firms are often deliberate and primary targets for data theft. This is because they often host sensitive client data and can act as gateways to larger or more prominent parties. They also often lack the sophisticated defense infrastructure of larger firms. That’s why it’s more important than ever for accounting firms to understand which risks they might be vulnerable to, and to take steps to protect themselves. 

In a recent interview, Rathour outlined three of the top external cyberthreats accounting firms face and provided pointers on how to reduce a firm’s risk of becoming a victim.

Malware and ransomware. Ransomware is a type of malware designed to take computers, networks, files, and sensitive data hostage by encrypting files and blocking owners’ access. Once data is encrypted, the attacker will typically demand payment (often preferring to be paid via anonymous cryptocurrency such as bitcoin) to restore access to files. According to a 2019 Ponemon and Accenture report on cybersecurity, the number of organizations experiencing ransomware attacks had increased by 15% over one year, and attacks had more than tripled in frequency over the previous two years. It’s critical to invest in aggressive prevention strategies, according to Rathour. “Malware can infect your system on Monday, map out every other computer it can reach through the network, and will encrypt every file it can access — every Excel document, health records, everything,” said Rathour. “By the time you come into office on Wednesday, your entire business has been immobilized. And that’s when you get a message demanding the ransom.” Whether a company should entertain paying the ransom will vary based on the situation.

Phishing schemes. Most ransomware is delivered via phishing schemes, which are often deployed via emails that contain malware hidden in seemingly innocent file attachments. More sophisticated phishing schemes include “spear phishing,” which uses personal information to target a specific individual, and “whaling,” which is used to target high-ranking corporate officials — such as a CFO (or the CFO’s secretary). For example, few accountants might think twice about opening an email with a subject line about an invoice for a conference they knew that people in their company would be attending the following week. “Cybercriminals socially engineer emails to make it more likely that someone will open them, and quite often, people do,” said Rathour.

Data theft. Cyberbreaches can have huge financial consequences, with the global average cost of a data breach coming in at $3.92 million between July 2018 and April 2019 (for larger organizations, the average cost was $5.11 million, whereas for smaller organizations with between 500 and 1,000 employees, the average cost was $2.65 million), according to an IBM and Ponemon report.

This total cost includes aspects such as the cost of investigation and forensics to determine the root cause of the data breach, organizing the incident response teams, determining the victims of the breach, legal and consulting services, and lost business, to name only a few. For organizations, which can include accounting firms, the average time between when a data breach occurred and when the breach was contained is approximately 279 days, according to the IBM and Ponemon report.

How to protect the firms’ data

The most effective protection strategies begin with prevention, according to Rathour. Employee training regarding the risks of cyberthreats and basic protective measures, such as not opening every email that comes in, are considered the gold standard for cybersecurity hygiene. But training alone is unlikely to reduce a firm’s risk of falling victim to cybersecurity threats, according to Rathour.

“We aren’t saying, ‘Don’t train your people’ but that it’s important to take a multilayered approach,” he said.

There are a number of practices firms can and should put into place to protect themselves from cyberthreats.

For small to medium-sized firms that have limited resources, however, the following practices can make big differences in preventing damage from cyberattacks, according to Rathour.

Have a good backup regime. Most large organizations should have multiple backup strategies, up to and including real-time backups and full-capacity replication, according to Rathour. However, as this is costly, he said smaller organizations should retain different generations of backup — one for each of the last seven days, one for each week of the last month, one for each month of the year, and one for each calendar year. That way, if a problem strikes they can restore to a suitable backup.

The backup should also be physically removed from the network, to ensure that in case of a malware infection, the backup doesn’t also become infected. As an example of good backup hygiene, Rathour suggested that the head of the IT department deliver the backup every Friday to the office manager, who can then store the backup in an off-site safe. It’s also a good idea to periodically test backups for recoverability, he said.

“You want to make sure you have a complete off-site copy,” said Rathour. “It may be redundant for years, but the one day you need it, you’ll be grateful to have a backup that allows you to go back to business as usual as quickly as possible. Business interruption is the major risk.”
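The generational backup scheme described above can be expressed as a retention rule. The following is an added example, not code from the article or from Grant Thornton; the function names, the 31-day and 365-day windows, and the choice to keep the newest backup in each week, month and year are assumptions made for illustration.

```python
from datetime import date, timedelta

def backups_to_keep(backup_dates, today):
    """Return the backup dates to retain under the generational scheme."""
    dates = sorted({d for d in backup_dates if d <= today})
    # Daily generation: every backup from the last seven days.
    keep = {d for d in dates if d >= today - timedelta(days=6)}
    newest = {}  # bucket -> newest backup seen in that bucket
    for d in dates:  # ascending order, so later dates overwrite earlier ones
        iso_year, iso_week, _ = d.isocalendar()
        if d >= today - timedelta(days=31):    # assumed "last month" window
            newest[("week", iso_year, iso_week)] = d
        if d >= today - timedelta(days=365):   # assumed "the year" window
            newest[("month", d.year, d.month)] = d
        newest[("year", d.year)] = d           # one per calendar year (assumed: no expiry)
    return keep | set(newest.values())

def backups_to_prune(backup_dates, today):
    """Backups that fall outside every generation and can be rotated out."""
    on_hand = {d for d in backup_dates if d <= today}
    return sorted(on_hand - backups_to_keep(backup_dates, today))

# Constructed sample: one backup per day from 2018-01-01 to 2020-03-16.
TODAY = date(2020, 3, 16)
SAMPLE = [date(2018, 1, 1) + timedelta(days=i)
          for i in range((TODAY - date(2018, 1, 1)).days + 1)]

if __name__ == "__main__":
    kept = backups_to_keep(SAMPLE, TODAY)
    print(f"{len(SAMPLE)} backups on hand, {len(kept)} retained")
    for d in sorted(kept):
        print(d.isoformat())
```

Because each generation keeps the newest backup that actually exists in its bucket, a missed nightly run shifts the retained copy to the previous day instead of leaving that week or month without a restore point.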

Create an environment of “security by design.” Most accountants are familiar with the practice of segregated duties, as a part of standard internal controls. Similarly, Rathour suggested that it’s equally good practice for firms to segregate access to data. Such data segregation is both virtual and physical.

“Make sure the majority of your people only have access to the data they actually need to do their jobs,” Rathour said. “That way, if one person’s computer is breached, all the company data won’t be compromised.”

According to Rathour’s recommendations, an organization should physically segment an environment, virtually segment the computers within it, and then practically segregate the datasets. For example, a personal assistant shouldn’t need access to an executive’s private files, but they should have access to an executive’s calendar. By adopting a “least privileges security” approach, each staff member has the minimum clearance required to do their job, and nothing more.

Delete old, irrelevant data files. Data breaches can be extraordinarily expensive, costing a company an average of approximately $150 per record, according to the IBM and Ponemon report. Given that the average size of a data breach is 25,575 records, according to the same report, that quickly adds up. To minimize loss in case of a breach, Rathour suggested engaging in strategic pruning, which is when firms review their data and delete records they are no longer legally or commercially obligated to keep.

“Many firms have a legal obligation to hold on to records for seven years, but why do we have it for eight years?” said Rathour. “You have to think, why am I holding on to data which, if lost, would create commercial harm?”

Data breaches, malware, and ransomware attacks are not just expensive — leading to potential losses in millions — but they can also mar the reputation of an accountancy firm for years.

By putting in place these simple prevention strategies — a good backup regime, security by design, and periodically deleting old files — firms can mitigate the risks of becoming targets.

— Malia Politzer is a freelance writer based in Spain. To comment on this article or to suggest an idea for another article, contact Drew Adamek, a JofA magazine senior editor, at Andrew.Adamek@aicpa-cima.com.
