Save content
Have you found this content useful? Use the button above to save it to your profile.
worker at a computer holding a padlock

The data accountants forget to keep safe

2nd May 2017
Save content
Have you found this content useful? Use the button above to save it to your profile.

Accountancy firms hold some of the most sensitive data of all businesses; data that could reveal product and marketing strategy, revenue and profit forecasts, and that could highlight weaknesses which could potentially wipe a company off the face of the earth.

But of course, accountants know this – they have a duty of care to safely and securely manage and store their customers’ data, particularly with the incoming EU general data protection regulations (GDPR). Firms are also aware of the cyber security implications and threats as it has become a mainstream topic that is being discussed at the highest level in many organisations.

However, as Adrian Barrett, CEO of GDPR advisory company Exonar, suggests, firms still have a huge target on their systems.

“If I was a hacker looking to gain access to a large company’s sensitive information I’d look for the weakest link. What would be easier, targeting a heavily protected FTSE 500 company with their myriad of security controls and strict data management processes, or targeting their less tech-savvy accountants?”

It’s not the key corporate systems where sensitive data is stored that is often the problem – as companies are investing more and more in order to protect this information. Instead, it is the other ways that information is shared and stored that can have a devastating effect.

Email insecurities

For instance, email is one of the easiest forms of communication, but it is also notoriously insecure.

“It’s not universally encrypted, so messages can be intercepted and modified in transit by a dedicated and well-positioned attacker, and email senders can be successfully spoofed if your organisation does not use properly configured email security features like DKIM and SPF,” said David Yates, information security consultant at IT security company MWR InfoSecurity.

Other forms of communication such as WhatsApp and instant messaging apps make it even easier for accountants to share information with each other and other departments, and despite being labelled as ‘encrypted’ could cause issues if a personal or corporate mobile was stolen – this means firms should ensure their employees aren’t sharing sensitive information over these platforms, and have remote wiping capabilities for mobile devices.


Meanwhile, firms should also ensure that metadata – essentially data about data that is automatically generated in the background of a document – is secured. This could include information such as hidden text, cells and fields, email addresses, names of contributors, the server or hard disk where the document is saved, attachments, dates of revisions and different versions, computers’ names on the network and company names. Essentially, every document has metadata attached to it, and if the documents are sent via emails or uploaded onto the internet, this metadata is shared too – unless it has been removed.

It is vulnerable to hackers and can lead to personal and financial information being stolen – particularly if it is sent to another firm whose data management practices are not as sophisticated or well thought out.

For Daniel Stachowiak, MD at MyDocSafe, the supply chain is indeed the biggest weakness when it comes to data protection.

“An accounting firm can protect its most important, sensitive data with a private army, but if an ancillary system is exposed or a supplier or client is not using effective security checks then the accounting firm is going to be under threat,” he said.

“The information supply chain should be a major concern, especially for smaller and emerging firms that do not have huge budgets,” he added.

Conference calls

Another area where information could spread if not properly secure is over the phone.

“Tax season is the busiest time of the year for many accountants and during this time communication will be highly sensitive and confidential,” said Steve Flavell, co-CEO of conference calling company LoopUp, who suggests that hackers could use conference calls as a way to gather information to gain a competitive advantage, or be blackmailed or worse.

Although the majority of people may think it is the norm to be unsure of who has dialled in to a call, Flavell suggested that the conference line should ‘dial out’ to its participants to avoid ‘professional phishers’ or hackers to hear something they shouldn’t.

Physical data

Finally, there is physical data; it’s not only ‘cyber’ criminals that can attempt to retrieve data remotely, there are people who may try to get hold of physical files or information.

The point is – it’s not as easy to secure data within the organisation by buying an IT security product, there are so many different aspects to data protection that need to be taken into account. All of which need to be looked at ahead of the new EU data protection regulations being enforced.


Replies (5)

Please login or register to join the discussion.

Elliott Chandler Picture
By elliottchandler
04th May 2017 10:25

A very helpful article which highlights the risks to all business owners. Being aware of these pitfalls is now essential in operating a small business today. You cannot be too careful.

Thanks (0)
Replying to elliottchandler:
By johnjenkins
04th May 2017 10:42

This has always been a problem. If someone really wanted info they used to burgle now they hack.

Thanks (0)
By mjnieburg
04th May 2017 13:26

While slightly off subject, it is worth noting that the use of Excel by itself presents most of the same risks. Folks interested in data security in general may find EASA's ability to make Excel completely secure (and reliable) of interest.

Thanks (0)
By The Black Knight
04th May 2017 13:26

At the end of the day anything can be hacked.

Wiki leaks ?

Just the government doing the psycho behaviour thing and blaming others for their own wrongdoing.

all a storm in a tea cup

In actual fact someone has to understand the information too. It's already encrypted LOL

The best way is to feed disinformation into the system if you are that worried and want to play MI6

We are forced to use digital then told its not secure. In fact HMRC tell you their email etc is not secure and ask you to sign a disclaimer.

Hopefully intercepting the royal mail is still a criminal offence and they can catch some of these criminals rather than passing the buck for their rubbish law enforcment. Fed up with this nonsence.
If it's sensitive don't have it on a computer simple!

Accountants have lived in this environment for ever thats why you have a client meeting not discuss it on the phone.

I believe the larger practices used to have the office swept for bugs too.

At the end of the day this is just more oppressive nonsence just like all the money laundering rubbish. Designed to sell a few crap courses and make some more pointless paperwork.

Thanks (0)
By kentd
04th May 2017 23:47

What about actually securing cloud accounting & financial data - such as customer data entered into Xero?

Thanks (0)