The accounting cybersecurity checklist


Last Updated September 29, 2023

Category Cybersecurity


If cybersecurity isn’t embedded in your firm’s culture, you’re putting your firm at risk. Security can’t be merely one function of your IT operation (if you have one). It has to be at the heart of everything you do. Every time you make a decision about your firm, you need to think about how it will impact your security setup.

Of course, running critical applications in the cloud and letting experts take care of cybersecurity for you is the best way to ensure that your clients’ data is safe. Whether you hand a task to experts or handle it yourself, there is a set of security responsibilities you must always meet.

Put data protection at the center of your firm’s culture with this cybersecurity checklist

Broken down by category, here are the cybersecurity essentials your firm must keep up to date at all times.

1. Data security and remote access

Multifactor authentication (MFA)

MFA is a security measure that sends a passcode or confirmation to a mobile device to verify the identity of the person who is attempting to sign in. The person must acknowledge the login on the second device.

You can use other security methods with MFA, including a physical security fob, facial recognition or fingerprint recognition. A good cloud provider will include MFA in a standard security package.

Protected remote access

Only trusted, validated users and equipment should be allowed to connect to your firm’s IT infrastructure and cloud services. Your employees need to use a virtual private network (VPN) with mobile device management (MDM) applications, which require each workstation, tablet and smartphone to be registered to connect to your firm’s network.

You also need to remind your staffers of the importance of using automatic updates to keep their mobile devices’ operating systems and security applications current.

Minimized administrative privileges

Cyberattackers who obtain administrative access privileges to networks and workstations have an open door to steal your data. You should minimize the number of users who have administrator privileges and only let other users access the applications or files they absolutely need to use.

Secure web and Wi-Fi connections

Make sure your employees know how to find secure connections to websites, which are often signified with a green padlock image and https: in the web address bar. When working remotely, staffers should utilize a VPN connection. Rather than connecting via Wi-Fi remotely, employees should use a 5G mobile hotspot.

Safe password policy

Passwords should have at least 12 characters with each password being unique. Employees should not reuse the same passwords across applications. Passphrases, or a series of connected words, work well as passwords. Password wallets can help staffers keep their credentials in one secure location.

Any time an employee leaves for any reason, you need to terminate that person’s access to the firm’s network and data resources immediately.
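As an added example (not part of the original checklist), here is a small audit that a firm could run over a staffer's exported credential list to check the two rules above: a minimum of 12 characters and no password shared between applications. Passwords are reduced to keyed fingerprints before comparison, so the report names only the applications involved and never carries a plaintext password. The sample entries and the function name are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MIN_LENGTH = 12  # minimum length stated in the checklist


def audit_vault(entries, audit_key=None):
    """entries: iterable of (application, password) for one staffer.

    Returns applications whose password is too short and groups of applications
    that share the same password. Passwords are compared via an HMAC fingerprint
    under a throw-away key, so the report contains no plaintext.
    """
    audit_key = audit_key or os.urandom(32)
    by_fingerprint = defaultdict(list)
    report = {"too_short": [], "reused": []}
    for app, password in entries:
        if len(password) < MIN_LENGTH:
            report["too_short"].append(app)
        fingerprint = hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()
        by_fingerprint[fingerprint].append(app)
    for apps in by_fingerprint.values():
        if len(apps) > 1:
            report["reused"].append(sorted(apps))
    report["reused"].sort()
    return report


# Constructed sample vault: two passphrases that pass, one short password reused twice.
SAMPLE_VAULT = [
    ("tax-software", "correct horse battery staple"),
    ("email", "Winter2023!"),
    ("client-portal", "Winter2023!"),
    ("payroll", "quarterly ledger maple ferry"),
]

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
```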

Secure client transmission

Your employees should use a cloud portal set up by a hosting provider to share messages and files with clients. Email is generally not a safe option, especially for file sharing. Staffers might need some simple training on saving files to cloud folders rather than to their individual computers.

2. Data organization, backup and recovery

Proper data asset disposition

You can use inventory tags to track equipment and document acquisitions, assignments and dispositions. You also need procedures for properly disposing of any devices that might contain client data.

As you transition from manual documents to digital files, make sure you have procedures in place to properly shred and dispose of all physical documents.

Data mapping and employee access

You need to know where all your client data resides so you can prioritize it and know which files to bring back first in case of a system outage. Creating a data map includes documenting not only what is stored on internal servers, workstations and mobile devices but also in backup storage systems and with cloud providers.

Ideally, you’ll reach the point of storing everything with a cloud provider. Only those staffers who need access to those systems should have it. Limiting access minimizes the risk of a data breach.

Protected backups

Data backups protect the firm from lost or corrupted data and are critical in recovery after a ransomware attempt. You should make sure to create shadow copies of all changed files throughout the day and then store them separately offsite. A hosting provider should be able to take care of that for you.

Your firm’s IT team should regularly review backup logs to verify that data backups are complete and randomly restore files to verify that data is accessible. Encrypt all backup data, including files to be stored offsite via the internet or on physical storage media. Again, a cloud provider should be able to offer significant backup protection, so you won’t have to do any of this yourself.
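The two checks above (review the backup logs, then restore a random sample and confirm it is readable) can be automated. The following added example is not code from the original checklist or from any backup product: it parses a constructed log excerpt in an assumed "key=value" layout, reports jobs that did not finish cleanly or never reported at all, and then restores a random sample of files from a backup set and compares each restored copy against the SHA-256 recorded when the backup was taken. The demo builds a tiny data set in a temporary directory and deliberately corrupts one backed-up file so the spot check has something to catch.

```python
import hashlib
import random
import re
import shutil
import tempfile
from pathlib import Path

# Constructed backup log excerpt. The "key=value" layout is an assumption for the
# example, not the format of any particular backup product.
SAMPLE_LOG = """\
2023-09-28T23:05:11 job=nightly-fileserver status=SUCCESS files=18422 bytes=91234567890
2023-09-28T23:40:02 job=nightly-workstations status=WARNING files=3021 bytes=4456123 detail="2 files skipped (locked)"
2023-09-29T00:02:45 job=offsite-replication status=FAILED detail="connection timed out"
2023-09-29T02:15:09 job=hourly-shadow status=SUCCESS files=57 bytes=998877
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\S+)")
# Jobs the firm expects to see in every night's log (constructed list).
EXPECTED_JOBS = {"nightly-fileserver", "nightly-workstations", "offsite-replication",
                 "hourly-shadow", "sql-dump"}


def review_backup_log(text, expected_jobs=EXPECTED_JOBS):
    """Report jobs that did not finish cleanly and expected jobs that never reported."""
    latest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            latest[m["job"]] = m["status"]  # last status wins if a job ran more than once
    return {
        "not_clean": sorted(j for j, s in latest.items() if s != "SUCCESS"),
        "missing": sorted(expected_jobs - set(latest)),
    }


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Relative path -> SHA-256 for every file under source_dir, recorded at backup time."""
    source_dir = Path(source_dir)
    return {p.relative_to(source_dir).as_posix(): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def spot_check_restore(backup_dir, manifest, sample_size=3, rng=None):
    """Restore a random sample from backup_dir to scratch space and verify each hash."""
    rng = rng or random.Random()
    chosen = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        for rel in chosen:
            src, dst = Path(backup_dir) / rel, Path(scratch) / rel
            if not src.exists():
                results[rel] = False  # file never made it into the backup set
                continue
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            results[rel] = sha256_of(dst) == manifest[rel]
    return results


def demo():
    """Constructed data set: back it up, corrupt one copy, run the spot check."""
    with tempfile.TemporaryDirectory() as root:
        src, bak = Path(root) / "clients", Path(root) / "backup"
        (src / "acme").mkdir(parents=True)
        (src / "acme" / "2022-return.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (src / "acme" / "ledger.csv").write_text("date,amount\n2023-01-01,100\n")
        (src / "notes.txt").write_text("constructed sample\n")
        manifest = build_manifest(src)
        shutil.copytree(src, bak)
        (bak / "notes.txt").write_text("corrupted\n")  # simulate silent corruption
        return spot_check_restore(bak, manifest, sample_size=3, rng=random.Random(1))


if __name__ == "__main__":
    print(review_backup_log(SAMPLE_LOG))
    print(demo())
```

A WARNING status is treated as not clean on purpose: "2 files skipped" is how a locked client database quietly drops out of a backup set night after night.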

3. System updates

Updated operating systems

Cyberattackers find a lot of success in exploiting identified vulnerabilities in operating systems. That’s why updating your operating system is so important.

Set all digital devices to automatically update the operating system and key workstation applications. Turn off computers at night and reboot them to put the updates into effect and increase efficiency by clearing out system clutter.

Current network operating systems

You should regularly review operating systems for all equipment comprising the network—including file servers, firewalls, routers and Internet of Things (IoT) peripherals—to make sure they’re running the most current system updates.

It’s also critically important to update the firmware and change the default passwords on all devices connected to the firm and home networks. That includes updating firmware for wireless printers as well as for IoT devices, including security cameras, connected home appliances and voice-activated devices.

Antivirus and anti-malware applications

Each fileserver, workstation and mobile device should have antivirus software installed that automatically updates and actively scans for malware on a pre-set schedule. These applications have expanded capabilities to include intrusion detection and prevention in addition to blocking known threats.

A good hosting provider will offer antivirus and anti-malware applications and update them for you. Never use flash drives, thumb drives or other forms of portable storage. Instead, use a client portal to share files.

4. Management of physical equipment

Automatic screen locking

Workstations should be set to automatically lock their screens after being idle for 5-10 minutes. Putting a computer to sleep or virtually locking the screen is adequate during the day, but employees should shut down computers at night and restart them the next day to put updates into place.

Secure physical access

The physical theft of a file server, workstation or tablet containing firm and client data can trigger a cybersecurity breach. You need to protect these assets—including when you send them out for repairs.

Store onsite file servers in an unmarked, locked room. Any workstations containing data should have encrypted storage disks. Better yet, run everything on a secured server or in the cloud so there’s no local data to be compromised.

Office alarm systems should be capable of creating a unique code for each employee or contractor accessing the office, which can be disabled when access is terminated. When you run applications in the cloud, you can generally stop using in-office servers completely. That’s the safest option.

Procedures for office visitors

Your employees need to ask unrecognized visitors how they can help them—and then escort them directly to the right person. If there are any concerns about the validity of the visitor’s response, a staffer should notify a member of the management or administrative team immediately.

5. Employee education and policies

Screening for employees and contractors

A surprising number of breaches occur through the actions of a firm’s staff, so it’s important to conduct background checks on anyone who will have access to the firm’s office, workstations and computer network.

Make sure to give users only the level of access they need to do their work. Also, you should monitor network access and terminate it when an employee no longer needs a particular application or file. A cloud provider can help you set up employee login policies.
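Terminating access when someone leaves (noted under the password policy above) and removing access that is no longer used (this section) are both reconciliation problems: compare the HR roster with the account exports from each system. The following is an added example, not code from the original checklist, using a constructed roster and constructed account exports from three made-up systems. It flags enabled accounts belonging to departed staff, accounts that match no employee at all, and accounts that have not been used within a chosen number of days.

```python
from datetime import date

# Constructed HR roster and account exports (not real people or systems).
ROSTER = [
    {"employee_id": "E100", "name": "A. Ledger", "status": "active"},
    {"employee_id": "E101", "name": "B. Audit", "status": "terminated", "left_on": date(2023, 9, 15)},
    {"employee_id": "E102", "name": "C. Payroll", "status": "active"},
]
ACCOUNTS = [
    {"system": "directory", "username": "aledger", "employee_id": "E100",
     "enabled": True, "last_login": date(2023, 9, 28)},
    {"system": "directory", "username": "baudit", "employee_id": "E101",
     "enabled": True, "last_login": date(2023, 9, 14)},
    {"system": "tax-software", "username": "baudit", "employee_id": "E101",
     "enabled": False, "last_login": date(2023, 9, 10)},
    {"system": "client-portal", "username": "cpayroll", "employee_id": "E102",
     "enabled": True, "last_login": date(2023, 5, 2)},
    {"system": "client-portal", "username": "temp-contractor", "employee_id": None,
     "enabled": True, "last_login": date(2023, 9, 1)},
]


def reconcile_access(roster, accounts, today, stale_after_days=90):
    """Compare account exports against the HR roster.

    Returns enabled accounts of departed staff, enabled accounts that map to no
    employee, and enabled accounts unused for more than stale_after_days.
    Disabled accounts are ignored: they are already terminated.
    """
    known = {e["employee_id"] for e in roster}
    departed = {e["employee_id"] for e in roster if e["status"] != "active"}
    findings = {"terminated_still_enabled": [], "orphaned": [], "stale": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        key = f'{acct["system"]}:{acct["username"]}'
        if acct["employee_id"] in departed:
            findings["terminated_still_enabled"].append(key)
        elif acct["employee_id"] not in known:
            findings["orphaned"].append(key)
        elif acct["last_login"] is None or (today - acct["last_login"]).days > stale_after_days:
            findings["stale"].append(key)
    for bucket in findings.values():
        bucket.sort()
    return findings


if __name__ == "__main__":
    print(reconcile_access(ROSTER, ACCOUNTS, today=date(2023, 9, 29)))
```

Run this against every system that holds client data, not just the directory: in the sample, the departed staffer's tax-software account was disabled but the directory account was missed, which is the common pattern when offboarding is done by hand.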

Cybersecurity expertise

Your firm should partner with external security-focused integrators to review your network security and provide direction and implementation assistance. Look specifically at intrusion detection and prevention, and ongoing system monitoring.

Breach response plan

The worst time to develop a cybersecurity incident response plan is after a cyberattacker has stolen your data. Firm leadership and IT employees should document a breach response in writing as part of the firm’s information security plan, including how you plan to educate employees on what to do if they suspect a breach.

This training should also cover the steps the IT team will take to verify and mitigate the breach, which includes listing external resources and meeting insurance requirements. A hosting provider that offers security training for employees can help with this process.

Updated IT policies

Your firm should review IT policies annually and notify users of changes along with updated internet and computer usage policies.

Security education

Proactive and ongoing security training to protect client data should be part of your firm’s annual learning curriculum. In addition to providing an annual update on IT policies, you should educate employees on current security threats, including ransomware, phishing, SMishing (SMS phishing), vishing (voicemail phishing) and other social engineering attacks.

You should remind employees to be careful handling unsolicited support calls and to never provide login, password or financial information. They should also know to never download a file without first confirming the identity of the person sending it. A cloud provider that offers security awareness training can be a huge help here.

Phishing training

Phishing schemes are constantly growing in sophistication. Cyberattackers address spear-phishing emails to a specific recipient. The message often seems to come from a known colleague whose email the attacker has spoofed or compromised.

Employees should be familiar with current phishing schemes and the red flags that invite additional scrutiny. They also need to know what to do if they receive a suspicious email or phone call. A hosting partner that provides comprehensive services should offer security training and tests of employees’ responses to phishing emails.

Cybersecurity insurance

The reality today is that even the best protected firms are not immune to constantly evolving cybersecurity threats. It’s important that you review your firm’s insurance policies to understand what’s covered for a ransomware event and the lost productivity resulting from a cybersecurity breach.

Firms should also include coverage for damages caused to any clients whose data may have been compromised and who have subsequently become victims of identity theft because of the breach.


Ready to put these cybersecurity checklist items into place? Get started today with a highly experienced and trusted cloud provider.
