
E-mail Security and Web Security for Accountants and Accounting Firms


In this article we discuss why e-mail security and web security are important for accountants and accounting firms, irrespective of their size.

When it comes to security breaches, many small businesses believe threats are reserved for banks and large corporations. In reality, nothing could be further from the truth. Web security matters to all companies, regardless of size. Any business that handles sensitive, personal client information via the Internet is at risk of a security breach. Among the most at-risk businesses are accounting firms — even small ones — because, of all businesses handling sensitive personal information, they certainly top the list.

On a daily basis, accountants are in possession of clients’ social security numbers, tax ID numbers, income information, addresses, dates of birth, death certificates, medical information, credit card numbers, bank account numbers, etc. Any one of those pieces of information in the wrong hands could have devastating implications, and a breach exposing all of that information at once could be catastrophic for an accountant or an accounting firm.

While identity theft is widely perceived as the top threat — largely due to the amount of publicity it generates — in reality, it represents just one piece of the bigger puzzle in terms of potential threats to accounting firms. As more and more business is conducted online with greater amounts of sensitive information shared via the Internet, it is imperative for accountants to make network security a top priority.

Regulations to Uphold

Aside from an ethical obligation to safeguard clients’ private tax information, accounting firms are bound by regulations with which they must comply, including protecting personal information from unauthorised access, managing sensitive information and keeping personal information secure. The Payment Card Industry Data Security Standard (PCI DSS) also requires the secure transmission of cardholder data to prevent interception and unauthorised disclosure, as well as protection against malware and other threats to the integrity of cardholder data.

Regulatory compliance requires a significant amount of time and resources for which owners need to budget. Federal regulations are often believed applicable only to large public companies, but regulations have elements that apply to private and small firms, as well. Regulations can also change quickly and require significant resources for firms of all sizes to understand and implement compliant procedures and infrastructure.

“All of these regulations contain sections and standards that small firms can’t afford to ignore,” said Scott Paul, Senior Director for AppRiver’s Microsoft Alliance. “If it’s a piece of regulation that is officially written to apply to publicly held financial services firms, it can also apply to small ones.”

These regulations are not the only motivation for accounting firms to protect personal client data. If sensitive data is lost to hackers or client data is encrypted by ransomware, other consequences may be encountered, including:

  • Significant fines
  • Lawsuits
  • Embarrassing data breaches
  • Expensive damage control

Within the broader problem of identity theft, many types of attack can occur, including cyber extortion (where data is essentially held for ransom), third-party attacks, mobile attacks, phishing attacks and targeted malware attacks.

Why Are Smaller Businesses Softer Targets?

It has been well documented recently that security attacks are shifting from large corporations to smaller businesses. Even though smaller targets do not represent as large a payoff for hackers, smaller businesses are often better targets because they are much easier to breach. The primary reason for this shift is that many SMEs don’t have the necessary security in place because they do not believe they are large enough to attract an attack. Hackers are aware of this mindset, which makes smaller firms the perfect target: these “bad guys” know that proper security measures are not likely to be in place. Security software provider Symantec reports that 70% of all attacks target small businesses. Spear-phishing campaigns targeting employees increased 55% in 2015 (Source: National Cyber Security Alliance), and the trend is continuing. Ransomware is another favourite tool because it allows cyber-criminals to compromise a system quickly and extort a small amount of money, typically an average of £3,500.

According to The Guardian, a UK survey found that 74% of small organisations — those with fewer than 350 employees — reported a security breach in 2015. Meanwhile, the Attorney General of California reported that the financial business sector accounted for the second-largest number of breaches, behind retail businesses. With the advent of chip cards, retail breaches are on the decline, making it feasible that the financial sector could soon account for the largest number of breaches.

“Accounting firms will remain targets regardless of where the threat or trends are because of the large amount of sensitive information they’re handling,” said Paul.

The sad reality is that attacks on small firms are more often catastrophic than attacks on their larger counterparts. In fact, 60% of small companies that suffer a security attack are out of business within six months. With the average cost of recovering from a cyber attack hovering around $36,000 (Source: ), it is not surprising that firms simply cannot recover from such a capital loss.

Most Common Security Gaps

Smaller firms are vulnerable to any number of threats, largely because they are far less likely to have even the most basic safeguards in place. For example, small accounting firms are less likely than their larger counterparts to:

  • Encrypt e-mail: Tools to protect e-mail communications have historically been difficult to use for both sender and receiver. These tools can also be cost-prohibitive and require significant effort to operate, which discourages smaller firms from investing in encryption.
  • Have a security policy in place: Smaller firms, by virtue of their size, often adopt a false sense of security because they have fewer employees and fewer people accessing sensitive information.
  • Have trained staff: Among the biggest cybersecurity risks to an accounting firm is its own people. Not because of malicious intentions, but because employees fail to adopt secure passwords or keep anti-virus software updated, open links in insecure e-mails, or unintentionally download malware onto company computers.

Another, even more catastrophic vulnerability to consider is end users who do not secure their devices, or who fail to accept or prioritise the discipline that company security policies require. It is imperative that security becomes a habit and part of a firm’s daily routine.

More than 40 Percent of SMEs are Unaware of the Risk from Unintentional Human Error

Human error is the largest single cause of data loss. Security starts with the end user. It is estimated that more than 75% of employees leave their systems unsecured. Adding to the problem is the fact that only 22% of SMEs have prioritised security concerns that were identified within the previous year. (Source: Symantec)

SMEs know they are under-resourced, under-prepared and unprotected, but they struggle to budget for security when planning for the future. The bottom line is that small firms under-estimate their security exposure and grossly under-estimate the cost of a breach.

Cloud vs. On-premise Systems

The cloud is more secure than on-premise systems. Small accounting firms fail to realise that cloud-based systems offer the best and most secure options for safeguarding sensitive client information. Where on-premise systems do have security controls in place, those controls are typically poorly maintained on site. Cloud-based security systems, by contrast, offer extra layers of security that in-house servers and other on-premise systems cannot match. Moving to the cloud enables small firms to secure their role as trusted advisors and strengthens security as more employees work remotely. Cloud-based systems also provide more efficiencies for automating processes and services, and often reduce the cost of in-house infrastructure and the personnel necessary to maintain it.

Not all cloud solutions are created equal, however. “Microsoft is going to spend more than smaller firms, obviously,” Paul said. Ultimately, if a company touts low cost as its main selling point and security is not mentioned early on, that is generally a red flag that it is not a reputable or secure company to work with. The problem for small accounting firms is that Microsoft’s cloud-based security can be extremely cost-prohibitive for SMEs. That is where Microsoft partner providers like Nishtha come into play. Nishtha, in partnership with AppRiver, offers a complete library of compliant resources and has demonstrated time and again that small firms can benefit from the enterprise-grade security that Microsoft offers through an affordable partner.

“We are all in this cloud situation together,” Paul said. “The good news is that cloud beats the bad guys most of the time — whereas small, lightly maintained, on-premise machines are much easier to get into.”

What To Do?

So what are small accounting firms to do when it comes to addressing their security needs? First and foremost, SMEs need to abandon the mindset that they are too small to be targeted and make the necessary investments to protect themselves and their clients.

Firms of all sizes must make security a top priority. If needs have been identified, they must be addressed. If no security measures have been taken yet, these firms must conduct an audit of vulnerabilities and immediately take steps to close those gaps.

Whether responding to a data breach or working to avoid one, it is crucial to follow industry best practices and procedures. At a minimum, every firm should take the following security measures:

  • Encrypt Personal and Employee Information: Encryption of financial information sent via e-mail is necessary to protect data integrity and to prevent unauthorised disclosure or loss.
  • Require and/or Create Strong Passwords
  • Protect Against Viruses and Malware
  • Encrypt E-mails and Attachments when Transmitting Client Data
The many aspects of securing data can feel overwhelming to smaller firms that lack IT staff, but firms do not have to go it alone. For the majority of small firms, the best way to address all of these security needs and put a secure infrastructure in place is by partnering with a third-party provider, such as Nishtha.

Contact Us

To find out more about how Nishtha can help strengthen your e-mail and web security, please contact us now.