Information security

For an accountant, information security is one of the issues that is absolutely critical to our business but which we are loath to talk about. Our professional training is all about producing financial statements or calculating tax, and we tend to leave the technology side to the IT professionals. Nowadays, however, securing computer systems is as important as locking the front door of the premises on your way out. Our clients trust us with their personal and financial information, and it behoves us to honour that trust. The audit profession has responded to the centrality of computer systems by requiring auditors to develop an appreciation of their clients’ IT systems and controls. As business advisors we feel a need to provide basic advice about this increasingly crucial area of business.


  • Don’t use the same password on different websites. One of the criminals’ favourite tricks is to attack a small, unprofessionally run website, harvest millions of passwords from its unsuspecting customers, and then try those same passwords on email, social media and banking sites (so-called “credential stuffing”). My own personal email account was hacked as I had used the same password on LinkedIn. It’s very hard to remember hundreds of passwords, which leads to my second recommendation:
  • Use a good password manager. Some may be averse to putting all their cyber eggs into one password manager basket; for a small office, writing passwords down on old-fashioned paper and keeping it under lock and key is a reasonable alternative, and far better than reusing one password everywhere. A sticky note on the monitor or a spreadsheet called “passwords” on the shared drive is not.
  • Use longer passwords. Prior guidance encouraged mixing numbers, upper and lower case letters and symbols; current government (NCSC) guidance focuses instead on overall length, for example three random words joined together, because length does far more for security than forced complexity, which mostly produces predictable substitutions.
  • Where possible use individual logins rather than a shared group password: it ensures accountability, and a leaver’s access can be revoked without resetting everyone else’s. If you must share a password, send the username and the password by different channels. I often email a username and text a password to clients.
  • Where available use “multi-factor” log-ins for your important accounts. These require a password and some other proof of identity, such as a code sent to you by SMS, a code from an authenticator app or a handheld authentication device, or a hardware security key. Any second factor is a big improvement, but SMS is the weakest of these, since phone numbers can be hijacked, so prefer an app or a hardware key where the service offers one.
  • Change a password promptly whenever you learn that a site you use has been breached, because cybercriminals auction off lists of illicitly obtained passwords and try them elsewhere. Forcing yourself to change every password on a fixed schedule is tiresome, and current NCSC guidance no longer recommends it, as it tends to produce weaker, more predictable passwords. The exception is remote access to your computer without two-factor authentication, where the password is the only barrier: change it, and add a second factor if you possibly can.
  • Don’t be one of those people who use “pa$$w0rd123” or another common variation on the same. Swapping letters for look-alike symbols and adding “123” fools nobody; password-cracking tools try exactly those substitutions first.
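The two points about length and about “pa$$w0rd123” are easy to see in code. The following is an added example, not code from the original page: it undoes the usual leet-speak substitutions and trailing digits before comparing a password against a small list of common base words, and it contrasts the nominal strength of a short “complex” password with that of a random passphrase. The word list is a constructed stand-in for a real breached-password list, and the 7,776-word dictionary size is that of a standard Diceware list.

```python
import math
import re

# Constructed list of common base words for this example; a real check would
# use a large list of passwords seen in breaches.
COMMON_BASES = {"password", "letmein", "welcome", "qwerty", "admin", "monkey", "football"}

# Look-alike substitutions that cracking tools undo as a matter of routine.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalise(password: str) -> str:
    """Undo the usual 'complication' tricks: a trailing '123' or '!' and leet-speak."""
    base = re.sub(r"[^A-Za-z]+$", "", password.lower())  # drop digits/symbols on the end
    return base.translate(LEET)


def is_common_variant(password: str) -> bool:
    """True if the password is just a dressed-up common word."""
    return normalise(password) in COMMON_BASES


def charset_size(password: str) -> int:
    """Size of the smallest character set the password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(password: str) -> float:
    """Nominal strength: guessing effort if every character had been chosen at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Strength of `words` chosen at random from a dictionary of `dictionary_size` words."""
    return words * math.log2(dictionary_size)


def assess(password: str) -> dict:
    """Rate a password. A common-word variant is weak whatever its nominal bit count,
    because attackers try those variants before any random search."""
    nominal = entropy_bits(password)
    common = is_common_variant(password)
    if common:
        verdict = "weak: a variant of a common word, whatever its apparent complexity"
    elif nominal < 60:
        verdict = "weak: too short for its character set"
    else:
        verdict = "ok"
    return {"nominal_bits": round(nominal, 1), "common_variant": common, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("pa$$w0rd123", "P@55w0rd!", "correct horse battery staple"):
        print(candidate, assess(candidate))
    print("three random words:", round(passphrase_bits(3), 1), "bits")
    print("four random words:", round(passphrase_bits(4), 1), "bits")
```

Note that “pa$$w0rd123” scores about 67 nominal bits, more than three random words, yet it is rejected outright: the nominal figure assumes random choice, and the whole point of the substitution trick is that the choice was not random.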


  • An email does not necessarily originate from where it purports to come; it is easy to “spoof” the sender of an email. This can be partially addressed by ensuring that your domain’s email authentication records (the “sender policy framework”, SPF, together with DKIM and DMARC) are correctly configured, so that receiving servers can reject mail that falsely claims to come from you. This is a job for professionals, and note that it mainly protects others from mail forged in your name; it protects you only to the extent that the domains writing to you have done the same.
  • Likewise, it is entirely compliant with email standards for the “Reply-To” address to be directed to someone other than the original (claimed) sender. In a previous job, I received an email purporting to come internally from my boss at the time (whose details were presumably gleaned from the firm’s website or social media), but where the reply-to address was somewhere in Russia. You can configure email servers to filter or quarantine suspicious emails of this nature, for example where the Reply-To domain differs from the From domain, or where the display name matches a member of staff but the address behind it is external.
  • Don’t open unexpected attachments. Even Excel files or PDFs can carry malware, typically through macros or embedded scripts; if it doesn’t smell right, check with the sender by phone or in person, not by replying to the email.
  • Fraudsters try to use psychological or character vulnerabilities against you. The state minister of oil hasn’t written to you personally for your help in laundering his ill-gotten gains; the fraudsters are appealing to your greed and to your prejudices about the greed of others. Another common lever is your own desire to please a boss. The subject line of the email purporting to come from my boss read “urgent: I need this payment processed today.” Take your time, don’t be rushed into anything, and double check in person, especially any request to make a payment or to change bank details. If in doubt, do nothing.
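The header checks mentioned above (a Reply-To that points elsewhere, a colleague’s display name on an outside address, and a failed SPF or DMARC result recorded by your own mail server) can be expressed in a few lines. The following is an added example, not code from the original page or from any mail product: it parses raw messages with Python’s standard `email` module. The internal domain, the staff directory and the three sample messages are all constructed for the example; the first sample mirrors the “urgent payment” email described above.

```python
import email
from email.utils import parseaddr
from typing import List

# Assumed values for this example: our own mail domain and a tiny staff directory
# (display name, lower-cased -> the address that person really sends from).
INTERNAL_DOMAIN = "example-accountants.co.uk"
STAFF = {"jane smith": "jane.smith@example-accountants.co.uk"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_headers(raw: str) -> List[str]:
    """Return human-readable findings for the three header tricks discussed above."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. Replies silently diverted to a different domain than the claimed sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not to the From domain {from_dom}")

    # 2. Display-name impersonation: a known colleague's name on an address that is not theirs.
    expected = STAFF.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' is a colleague but {from_addr} is not their address")

    # 3. Authentication-Results is written by the receiving mail server (RFC 8601);
    #    spf=fail / dmarc=fail means the claimed sender domain did not authorise this mail.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} check failed at our mail server")
    return findings


# Constructed sample messages (not real mail).
SPOOFED_BOSS = """\
From: Jane Smith <jane.smith@example-accountants.co.uk>
Reply-To: jane.smith.mobile@webmail-example.net
To: you@example-accountants.co.uk
Subject: urgent: I need this payment processed today
Authentication-Results: mx.example-accountants.co.uk; spf=fail smtp.mailfrom=example-accountants.co.uk; dmarc=fail header.from=example-accountants.co.uk

Please pay the attached invoice before 5pm. I am in meetings all day, do not call.
"""

DISPLAY_NAME_ONLY = """\
From: Jane Smith <jane.smith.office@webmail-example.net>
To: you@example-accountants.co.uk
Subject: quick favour
Authentication-Results: mx.example-accountants.co.uk; spf=pass smtp.mailfrom=webmail-example.net

Are you at your desk? I need some gift cards bought for a client.
"""

GENUINE = """\
From: Jane Smith <jane.smith@example-accountants.co.uk>
To: you@example-accountants.co.uk
Subject: Q3 management accounts
Authentication-Results: mx.example-accountants.co.uk; spf=pass smtp.mailfrom=example-accountants.co.uk; dkim=pass; dmarc=pass

Draft attached, comments by Friday please.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed boss", SPOOFED_BOSS),
                          ("display name only", DISPLAY_NAME_ONLY),
                          ("genuine", GENUINE)):
        print(label, "->", check_headers(sample) or ["no findings"])
```

Rules like these are what a mail gateway’s quarantine policy implements; they catch the crude cases, and the in-person check described above is still the backstop for the rest.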


  • Older versions of Windows are far more susceptible to attack because Microsoft no longer issues security updates for them, so newly discovered flaws stay open for good. Keep your software up to date and apply updates as they become available; turn on automatic updates where you can. This is good advice for non-Windows users too, and applies equally to phones, routers and browser plug-ins.
  • If you are involved in the software industry yourself, whether through an app, a website, or software you sell, you have an added responsibility. If you use third-party developers, check their security credentials; it isn’t fair to expect web designers to be security experts. Have your site checked over by “penetration testers”, and deal with any vulnerabilities they identify promptly.
  • In general, popular software such as WordPress, which this website uses, tends to be well tested both by malicious hackers and by security experts, whereas bespoke software gets less attention from either, so there is no clear advantage in either arrangement. What matters more is keeping whichever you use patched: for WordPress that means the core, the theme and every plugin, since out-of-date plugins are a frequent way in.


  • Taking regular backups of your data is vital to your business. In recent years “ransomware” attacks, which encrypt your files and demand payment to restore them, have become very common. If you can revert to a recent backup, the problem is largely negated, but only if the backup itself was out of the malware’s reach: ransomware will happily encrypt a backup drive left plugged in or a network share it can write to, so keep at least one copy offline or otherwise disconnected, and keep more than one generation so that an infection copied into last night’s backup does not cost you everything. Paying scammers to release your files is a very dubious decision. Notwithstanding the anti-social aspects of encouraging criminals to destroy the data of others, payment often simply results in increased demands, and many such viruses have irreversible effects.
  • You should regularly test backup arrangements to make sure they work in time of need: actually restore a sample of files to a separate location, check that they open and match the originals, and time how long a full restore takes. A backup that has never been restored is only a hope.
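A restore test is only meaningful if you can tell that what came back is what went in. The following is an added example, not code from the original page or from any backup product: it records a SHA-256 manifest of the live files at backup time, then checks a restored copy against that manifest and reports anything missing or altered. The drill function builds a small constructed set of “live” files in a temporary directory, backs them up, simulates a backup that malware could reach (one file overwritten with junk, one deleted), restores it, and verifies the result. All paths and file contents are made up for the example.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root.
    Record this at backup time and keep it somewhere the backup job cannot overwrite."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: str) -> List[str]:
    """Compare a restored tree against the manifest; an empty list means a clean restore."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(restored_root, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_of(full) != expected:
            problems.append(f"changed: {rel}")
    return problems


def restore_drill(tamper: bool = True) -> List[str]:
    """End-to-end drill on constructed data: back up, optionally damage the backup the way
    ransomware would, restore, and verify. Returns the list of problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        backup = os.path.join(tmp, "backup")
        restored = os.path.join(tmp, "restored")

        # Constructed "live" data.
        os.makedirs(os.path.join(live, "clients"))
        with open(os.path.join(live, "clients", "ledger.csv"), "w") as f:
            f.write("date,account,amount\n2024-01-05,sales,1200.00\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("year end 31 March\n")

        manifest = build_manifest(live)      # taken at backup time
        shutil.copytree(live, backup)        # the "backup job"

        if tamper:
            # A backup that malware could write to: one file encrypted (here: overwritten
            # with random bytes), one deleted.
            with open(os.path.join(backup, "clients", "ledger.csv"), "wb") as f:
                f.write(os.urandom(64))
            os.remove(os.path.join(backup, "notes.txt"))

        shutil.copytree(backup, restored)    # the restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("tampered backup:", restore_drill(tamper=True))
    print("intact backup:", restore_drill(tamper=False))
```

Without the manifest, the tampered restore above would look like a success: every expected file name is present and the job reports no errors. Keeping the manifest with the offline copy, rather than alongside the backup the malware could reach, is what makes the comparison trustworthy.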