Accounting firms hold some of the most sensitive data in the UK economy: client bank details, payroll records, tax returns, VAT submissions, Companies House filings, and correspondence with HMRC. A breach does not just expose your practice to regulatory action from the ICO; it can destroy client trust, trigger professional body investigations, and result in substantial financial losses.
This guide covers the core principles of data security for UK accounting practices, including what the law requires, what ICAEW and ACCA recommend, and how to build a defensible security posture whatever the size of your firm.
Why accounting firms are targets
Cybercriminals regard accounting firms as high-value targets for several reasons. You hold direct access to client bank accounts through payment run authorisations. You use HMRC's Agent Services Account and Companies House WebFiling, both of which carry significant privileges. Your clients range from wealthy individuals to sizeable limited companies, making impersonation and fraud highly lucrative.
The National Cyber Security Centre (NCSC) has consistently identified professional services firms, including accountants, as among the most frequently targeted sectors in the UK. Ransomware attacks, business email compromise, and supply-chain attacks through poorly secured software integrations are the three most common attack vectors.
Smaller practices are not immune. Attackers often deliberately target smaller firms precisely because they assume security postures are weaker than those of large accountancy networks.
Encryption: at rest and in transit
Encryption is the foundation of data security. It protects data in two states.
Encryption at rest
Data at rest refers to files stored on hard drives, servers, USB sticks, and cloud storage. Enable full-disk encryption on every device used by your firm. On Windows, use BitLocker; on macOS, use FileVault. Both are built-in and free. If a laptop is stolen, encrypted data is unreadable without the correct credentials.
Cloud accounting platforms such as Xero, QuickBooks, and Sage all encrypt data at rest using AES-256, which is the current industry standard. Check that any third-party tools and integrations you use offer the same standard.
Encryption in transit
Data in transit refers to information moving between systems, for example when a client uploads documents to your portal, or when your practice management software syncs with HMRC. Always ensure connections use TLS 1.2 or TLS 1.3. Avoid any service that uses plain HTTP rather than HTTPS, and never transmit client financial data via unencrypted email attachments.
Consider using a secure client portal rather than email for document exchange. Email is not encrypted by default, and attachments can be intercepted, forwarded accidentally, or accessed if an account is compromised.
Access controls and identity management
Access controls ensure that only the right people can reach sensitive data, and only as much of it as their role requires.
Role-based access
Apply the principle of least privilege: every staff member should have the minimum access needed to do their job. A junior bookkeeper does not need access to all client tax files. An administrator does not need access to client bank account credentials. Configure access levels in your accounting software, practice management system, and shared drives accordingly.
Multi-factor authentication
Enable multi-factor authentication (MFA) on every system that supports it: HMRC's Agent Services Account, Xero, QuickBooks, Sage, your email provider, and any cloud storage. MFA means a stolen password alone is not enough to access an account. Use an authenticator app such as Google Authenticator or Microsoft Authenticator rather than SMS codes, which can be intercepted via SIM-swapping attacks.
Leavers and joiners
Maintain a joiners and leavers process. When a member of staff leaves, revoke their access immediately, including email, shared drives, software licences, and any HMRC authorisations they held. Failing to do this is a surprisingly common source of data breaches.
Device management and endpoint security
Every device that accesses client data is a potential entry point for attackers. This includes laptops, desktops, tablets, and mobile phones.
- Operating system updates: apply security patches promptly. Most attacks exploit known vulnerabilities that have already been patched but not yet applied.
- Antivirus and anti-malware: use reputable endpoint protection software. Microsoft Defender (built into Windows) is effective for most small practices; larger firms may prefer a managed endpoint detection and response (EDR) solution.
- Remote wipe capability: enrol mobile devices and laptops in a mobile device management (MDM) platform so you can remotely wipe them if lost or stolen.
- USB and removable media policy: restrict the use of USB drives, which can introduce malware or be used to exfiltrate data. Most modern practice workflows can avoid USB drives entirely.
- Screen lock: require automatic screen lock after five minutes of inactivity on all devices, and enforce strong passwords or biometric authentication to unlock.
Staff security training
Technology controls alone are not sufficient. The majority of successful cyberattacks begin with a human error: clicking a phishing link, using a weak password, or sending a document to the wrong email address.
Train all staff on the following areas:
- How to identify phishing emails, including HMRC and Companies House impersonation scams
- Safe password practices and the use of a password manager
- How to handle requests for urgent payments or bank account changes, which are common signs of business email compromise
- Your firm's data handling policies, including what client data can and cannot be stored on personal devices
- What to do if they suspect a breach or click a suspicious link
Run training at induction and at least annually thereafter. Consider phishing simulation exercises, where staff receive a simulated phishing email and their responses are recorded. The NCSC's free Cyber Essentials scheme provides a practical framework for small firms and is worth pursuing as a baseline certification.
Incident response planning
Even well-protected firms can suffer a breach. Having a documented incident response plan means you can act quickly and limit the damage.
Your plan should cover:
- Detection: how will you know a breach has occurred? Audit logs, unusual account activity alerts, and staff reporting are all key.
- Containment: who is responsible for isolating affected systems? Do not simply pull the plug; follow a defined process to preserve evidence.
- Notification: if personal data has been compromised, you may have a legal obligation to notify the ICO within 72 hours (see below). You may also need to notify affected clients.
- Recovery: how will you restore systems and data from clean backups? Test your backups regularly.
- Review: after the incident, conduct a post-mortem to understand what happened and prevent recurrence.
Document the plan, ensure all senior staff know their roles, and review it at least annually.
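An added example, not part of the original guide, of the kind of audit-log check the Detection step calls for. It reads constructed sign-in records in a simplified one-line format (real exports from Xero, QuickBooks or Microsoft 365 differ in layout) and flags out-of-hours logins, a success following repeated failures, and any login by an account on the leavers list from the access-control section. The thresholds, office-hours range and sample addresses are assumptions to adjust for your own firm.

```python
"""Flag suspicious sign-in events in a cloud accounting audit log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<UTC timestamp> <user> <result> <source IP>".
SAMPLE_LOG = """\
2024-05-13T08:55:12Z alice@firm.example success 81.2.69.160
2024-05-13T09:01:44Z bob@firm.example success 81.2.69.160
2024-05-13T22:17:03Z bob@firm.example success 198.51.100.7
2024-05-13T22:18:10Z carol@firm.example failure 203.0.113.9
2024-05-13T22:18:21Z carol@firm.example failure 203.0.113.9
2024-05-13T22:18:33Z carol@firm.example failure 203.0.113.9
2024-05-13T22:18:50Z carol@firm.example success 203.0.113.9
2024-05-14T10:02:00Z dave@firm.example success 81.2.69.160
"""

# Accounts of staff who have left; any successful login is a revocation failure.
LEAVERS = {"dave@firm.example"}
OFFICE_HOURS = range(7, 20)       # 07:00-19:59 UTC treated as normal (assumed)
FAILED_BEFORE_SUCCESS = 3         # failures before a success that warrant a look


def parse_line(line: str):
    """Split one record into (datetime, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, ip


def detect(log_text: str):
    """Return (user, reason) alerts for the records in log_text, in log order."""
    alerts = []
    failures = defaultdict(int)   # consecutive failures per user so far
    for line in log_text.splitlines():
        when, user, result, ip = parse_line(line)
        if result == "failure":
            failures[user] += 1
            continue
        if user in LEAVERS:
            alerts.append((user, "login by deprovisioned account"))
        if when.hour not in OFFICE_HOURS:
            alerts.append((user, f"out-of-hours login from {ip}"))
        if failures[user] >= FAILED_BEFORE_SUCCESS:
            alerts.append((user, f"success after {failures[user]} failures"))
        failures[user] = 0        # a success ends the failure run
    return alerts


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```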
UK GDPR obligations and ICO registration
Under UK GDPR and the Data Protection Act 2018, accounting firms are data controllers. You are legally required to process client personal data lawfully, keep it secure, and not retain it longer than necessary.
Key obligations relevant to data security include:
- ICO registration: most accounting firms must register with the ICO as a data controller and pay the annual data protection fee (typically £40 or £60 per year for small organisations).
- Appropriate technical and organisational measures: UK GDPR requires you to implement security measures proportionate to the risk. This means encryption, access controls, and staff training are not optional extras but legal requirements.
- Breach notification: a personal data breach that poses a risk to individuals must be reported to the ICO within 72 hours of discovery. Failing to report within this window is itself a compliance failure.
- Data retention: HMRC requires records to be kept for six years from the end of the relevant tax year for most purposes. Companies Act 2006 requires accounting records to be kept for six years (private companies) or three years (public companies). Do not retain data indefinitely; have a documented retention and deletion policy.
ICAEW's data protection guidance and ACCA's practice management resources both provide practical checklists aligned with UK GDPR. Consult them alongside ICO guidance at ico.org.uk.
Data security checklist for accounting firms
Use the following checklist to assess your current security posture:
- Full-disk encryption enabled on all devices (BitLocker or FileVault)
- MFA enabled on all critical systems: HMRC Agent Services, Xero/QuickBooks/Sage, email, cloud storage
- Role-based access controls configured in all software
- Joiners and leavers process documented and followed
- Operating systems and software patched promptly
- Endpoint protection software installed on all devices
- Secure client portal in use for document exchange (not unencrypted email)
- Password manager in use across the firm
- Staff phishing awareness training completed in the last 12 months
- Documented incident response plan in place and tested
- ICO registration current and fees paid
- Data retention and deletion policy documented
- Offsite or cloud backups tested and verified
- Cyber Essentials certification obtained or in progress
No firm achieves a perfect security posture overnight. Work through this list systematically and prioritise the controls that address the highest risks first: MFA, encryption, and staff training will have the greatest impact for most practices.