NerdNumbers

Cybersecurity Checklist for Accounting Firms

A practical checklist covering the essential security controls every UK accounting firm should have in place to protect client data and meet regulatory obligations.

Tip: use your browser's print function (Ctrl+P / Cmd+P) to save or print this checklist for offline use.

1. Password & Authentication

  • Enforce unique passwords of 12+ characters for all business accounts
  • Enable multi-factor authentication on all cloud applications (Xero, QuickBooks Online, Dext)
  • Use a password manager for team credential sharing
  • Disable shared logins and create individual user accounts
  • Revoke access on the day a member of staff leaves, and review all user accounts and permissions at least quarterly

2. Email Security

  • Publish SPF, DKIM and DMARC records for your domain, and move DMARC from p=none to p=quarantine or p=reject once the reports show your legitimate mail passing
  • Train staff to recognise phishing and CEO fraud emails
  • Use email filtering to block known malicious domains
  • Implement a policy for verifying bank detail change requests by phone
  • Block automatic forwarding to external addresses at the mail-server level, and audit mailbox inbox rules for hidden forwarding, a common sign of a compromised account
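The three email authentication records in the list above can be sanity-checked before you rely on them. The Python script below is an added example written for this page, not NerdNumbers' own tooling: it parses SPF, DMARC and DKIM TXT records and flags the weak settings most often found (no record at all, SPF ending in +all or ~all, too many DNS-querying terms, DMARC left at p=none or without a reporting address, a DKIM key with an empty p= value). The domain name, selector name and record strings are constructed for illustration, and the lookup_txt() function reads from that constructed table so the script runs offline; swap it for a real DNS query to audit your own domain.

```python
"""Offline checks of a domain's SPF, DKIM and DMARC TXT records."""
import re

# Constructed sample TXT records for a hypothetical domain. The DKIM p= value
# is a placeholder string, not a real public key. In production, replace
# lookup_txt() with a real DNS query (for example dnspython's
# dns.resolver.resolve(name, "TXT")).
SAMPLE_RECORDS = {
    "example-accountants.co.uk": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.xero.com ~all",
    ],
    "_dmarc.example-accountants.co.uk": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example-accountants.co.uk",
    ],
    "selector1._domainkey.example-accountants.co.uk": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderkey",
    ],
}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def lookup_txt(name, records=SAMPLE_RECORDS):
    """Return the TXT strings published at a DNS name (from the constructed table)."""
    return records.get(name.lower(), [])


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC or DKIM record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, records=SAMPLE_RECORDS):
    """Return a list of findings about the domain's SPF record."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return [f"FAIL: no SPF record; any server can send mail as {domain}"]
    findings = []
    if len(spf) > 1:
        findings.append("FAIL: more than one SPF record; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    # Only direct terms are counted; include: targets are not expanded offline.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"FAIL: {lookups} DNS-querying terms exceed the 10-lookup limit")
    all_term = next((t.lower() for t in terms if ALL_TERM.match(t)), None)
    if all_term in (None, "all", "+all", "?all"):
        findings.append("FAIL: SPF does not end in -all or ~all, so unlisted senders pass")
    elif all_term == "~all":
        findings.append("WARN: SPF uses ~all (softfail); move to -all once every sender is listed")
    return findings


def check_dmarc(domain, records=SAMPLE_RECORDS):
    """Return a list of findings about the DMARC record at _dmarc.<domain>."""
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [f"FAIL: no DMARC record at _dmarc.{domain}"]
    findings = []
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("FAIL: DMARC record has no valid p= tag")
    elif policy == "none":
        findings.append("WARN: DMARC p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("WARN: no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"WARN: policy applies to only {pct}% of failing mail")
    return findings


def check_dkim(domain, selector, records=SAMPLE_RECORDS):
    """Return a list of findings about the DKIM key for one selector."""
    recs = lookup_txt(f"{selector}._domainkey.{domain}", records)
    if not recs:
        return [f"FAIL: no DKIM key published for selector '{selector}'"]
    # Long keys are split into several 255-byte strings; join them first.
    tags = parse_tags("".join(recs))
    if not tags.get("p"):
        return [f"FAIL: DKIM record for '{selector}' has an empty p= (key revoked)"]
    return []


def audit_domain(domain, selectors=("selector1",), records=SAMPLE_RECORDS):
    """Run all three checks and return the findings grouped by record type."""
    return {
        "spf": check_spf(domain, records),
        "dmarc": check_dmarc(domain, records),
        "dkim": {s: check_dkim(domain, s, records) for s in selectors},
    }


if __name__ == "__main__":
    for area, result in audit_domain("example-accountants.co.uk").items():
        print(area, result)
```

Against the constructed records the script reports a softfail SPF and a monitor-only DMARC policy, which is the typical state of a domain where the records were published but never tightened; the DKIM selector name has to be supplied because selectors are not discoverable from DNS alone.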

3. Device Security

  • Enable full-disk encryption on all laptops (BitLocker on Windows, FileVault on macOS) and require device encryption and a passcode on all mobile devices
  • Enable remote wipe capability on all work devices
  • Keep operating systems and software automatically updated
  • Use endpoint protection (antivirus) on all devices
  • Implement a mobile device management policy

4. Data Backup & Recovery

  • Maintain daily automated backups of critical data
  • Store at least one backup copy off-site or in a separate cloud account that compromised production credentials cannot reach, so ransomware cannot encrypt the backups too
  • Test backup restoration at least quarterly
  • Document your recovery time objectives for key systems
  • Keep offline copies of essential client records

5. Client Data Handling

  • Use encrypted file sharing for client documents (never email attachments)
  • Implement data retention and deletion policies
  • Ensure all cloud providers have appropriate data processing agreements
  • Classify client data by sensitivity level
  • Restrict access to client data on a need-to-know basis

6. Team Training

  • Conduct cybersecurity awareness training at least annually
  • Run simulated phishing exercises quarterly
  • Document an acceptable use policy for company devices and data
  • Train staff on secure handling of client financial data
  • Include cybersecurity in new joiner induction

7. Incident Response

  • Create a written incident response plan
  • Designate an incident response lead and backup
  • Know your ICO notification obligations under UK GDPR (a notifiable personal data breach must be reported within 72 hours of becoming aware of it)
  • Maintain an up-to-date contact list for key vendors and insurers
  • Conduct a post-incident review after any security event

Want a professional security review?

This checklist gives you a solid foundation. For a tailored security assessment and implementation plan, book a free discovery call with our team.
