SecureLoop · Cloud Security · 8 min read

Why Your Accounting Firm’s Clients Are a Cyber Target

If you run an accounting firm, you manage financial data for dozens, sometimes hundreds, of small businesses. That concentration of sensitive data makes your clients a high-value target. Not because anyone is breaking into the accounting software itself, but because the Microsoft 365 tenants those clients use to exchange that data with you are still running on default security settings that nobody has reviewed.

SecureLoop Team
Key takeaway

Accounting firms are trusted with the financial data of hundreds of small businesses. The platforms that data flows through — Microsoft 365, Xero, MYOB — are usually running with default security settings that have never been reviewed. One compromised account can expose every client in your practice.

The numbers in 2026

The ACSC’s 2024–25 Annual Cyber Threat Report recorded over 84,700 cybercrime reports — one every six minutes. The average self-reported cost per incident for small business rose 14% to $56,600. Business email compromise remains the single most common attack vector for Australian businesses.

Business email compromise works like this: an attacker signs in to a legitimate email account, usually with a phished or reused password on an account that has no MFA, watches the mailbox for invoices and payment instructions, then sends a fraudulent email from that compromised account directing payment to a different bank account. Typically the attacker also creates inbox rules that forward, delete or move the victim's replies so the real owner never sees the conversation, and those rules survive a password reset. The recipient trusts the email because it genuinely came from the sender's real address.
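The persistence described above is what an incident responder looks for first. The following script is an added example, not SecureLoop's code: it hunts a Microsoft 365 tenant for mailbox-level forwarding, inbox rules that forward, redirect, delete or bury mail, and the unified audit log records showing who created such rules and from which IP address. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds roles allowed to run Get-InboxRule and Search-UnifiedAuditLog; the keyword list, folder names and 30-day window are our own assumptions.

```powershell
# Added example (not SecureLoop's code). Hunts for BEC persistence in Exchange Online:
#   1. mailbox-level forwarding, 2. suspicious inbox rules, 3. audit-log records of
#   rule and forwarding changes with the client IP that made them.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account can
# run Get-Mailbox, Get-InboxRule and Search-UnifiedAuditLog; unified audit logging is
# on (otherwise step 3 returns nothing). Keywords, folder names and the 30-day
# window are illustrative choices, not a Microsoft recommendation.
Connect-ExchangeOnline -ShowBanner:$false

$findings  = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding. Set with Set-Mailbox, invisible in Outlook, survives
#    a password reset.
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = 'MailboxForwarding'
            Detail  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) ForwardingAddress=$($mbx.ForwardingAddress)"
        })
    }
}

# 2. Inbox rules. Attackers hide replies from the victim's real contacts by deleting
#    them or moving them to folders nobody opens (RSS Feeds is a classic), and key
#    rules on words like "invoice" so only payment traffic is diverted.
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $suspicious = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or
                      $rule.DeleteMessage -or
                      ($rule.MoveToFolder -like '*RSS*') -or
                      ($rule.MoveToFolder -like '*Conversation History*') -or
                      (($rule.SubjectContainsWords -join ' ') -match 'invoice|payment|remittance|bank')
        if ($suspicious) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = 'InboxRule'
                Detail  = "$($rule.Name): fwd=$($rule.ForwardTo) redirect=$($rule.RedirectTo) delete=$($rule.DeleteMessage) move=$($rule.MoveToFolder)"
            })
        }
    }
}

# 3. Who created or changed rules and forwarding in the last 30 days, and from where.
#    The audit record's ClientIP is the fastest way to spot a rule created from an
#    unexpected country while the user was sitting in the office.
$end   = Get-Date
$start = $end.AddDays(-30)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox'
foreach ($evt in $events) {
    $d = $evt.AuditData | ConvertFrom-Json
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    # Set-Mailbox is noisy (licensing, quotas); keep only forwarding changes.
    if ($d.Operation -eq 'Set-Mailbox' -and $params -notmatch 'Forwarding') { continue }
    $findings.Add([pscustomobject]@{
        Mailbox = $d.UserId
        Type    = "Audit:$($d.Operation)"
        Detail  = "$($d.CreationTime) from $($d.ClientIP): $params"
    })
}

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize -Wrap
```

Review every row by hand rather than deleting rules automatically: staff do legitimately forward mail to an assistant or a shared mailbox. A rule that forwards externally, deletes mail, or was created from an IP address the user cannot explain is the signal to reset the password, revoke sessions, and check whether any payment instructions went out while the rule was active.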

Why accounting clients are high-value targets

For accounting firms, the implications are direct. If one of your clients has a compromised M365 account, the attacker can see every email between that client and your firm — including tax file numbers, financial statements, and payment instructions. If your own firm’s M365 tenant is compromised, every client’s data is exposed simultaneously.

The concentration of sensitive financial data across your client base is what makes this different from a typical small business breach. An attacker who compromises a plumbing company gets that company’s data. An attacker who compromises an accounting firm gets the financial data of every business that firm manages.

What most accounting firms don’t check

Most accounting firms have their own IT sorted to a reasonable standard. The gap is in their clients' environments. When a client connects their Xero account to your practice, you trust that their systems are secure. Xero itself enforces MFA on every login, but the invoices, approvals and bank details flow through the client's own Microsoft 365 mailbox, and that is where the defaults bite. Have you ever asked whether their Microsoft 365 has MFA enforced? Whether legacy authentication is disabled? Whether their SharePoint external sharing is restricted?

In most cases, the answer is no — because it is not seen as the accountant’s responsibility. But increasingly, it is becoming part of the conversation. Clients who lose money to invoice fraud or business email compromise look at everyone in the chain — their IT provider, their accountant, their bank — and ask why nobody flagged the risk.

The eight things that matter most

The eight critical settings in a client's M365 setup are straightforward: MFA enforced for every user, legacy authentication blocked, Global Administrator accounts limited to one or two, Conditional Access policies configured, SharePoint external sharing restricted, automatic forwarding to external recipients blocked, unified audit logging enabled, and Defender for Office 365 turned on. Most are toggles in the admin centres, but do not assume any of them is on. Tenants created since late 2019 get Security Defaults, which require MFA registration and block legacy authentication, but older tenants often have neither and an admin can switch Security Defaults off. Conditional Access needs an Entra ID P1 licence (included in Microsoft 365 Business Premium, not in Business Basic or Standard), Defender for Office 365 needs its own licence, SharePoint allows "Anyone" sharing links out of the box, and the admin-account limit is a practice to audit rather than a setting to flip. Unified audit logging is usually on already, but confirm it, because without it there is no record to investigate after an incident.

For a detailed walkthrough of each setting, see our Microsoft 365 security checklist for Australian small business.
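As an added example, and not code from SecureLoop or from the checklist linked above, the following script reads each of the eight settings from a tenant and prints a pass or fail row for it. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that you supply the tenant name (the part before .onmicrosoft.com), and that the signed-in account is a Global Reader or equivalent; the pass thresholds are the article's, and the Defender check simply reports a failure when the cmdlets are unavailable because the tenant is not licensed for it.

```powershell
# Added example (not SecureLoop's code). Audits the eight M365 settings named above.
# Assumptions: Microsoft.Graph, ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell modules are installed; the signed-in account
# can read policies, roles, Exchange config and SharePoint tenant settings;
# $TenantName is the prefix of the tenant's onmicrosoft.com domain.
param([Parameter(Mandatory)][string]$TenantName)

Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All','RoleManagement.Read.Directory' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1 & 2. MFA and legacy auth are satisfied either by Security Defaults or by
#        enabled Conditional Access policies: one requiring MFA for all users,
#        one blocking the legacy client app types (ActiveSync and "other").
$secDefaults = [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
$caPolicies  = @(Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled')
$mfaPolicy = $caPolicies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'mfa' -and $_.Conditions.Users.IncludeUsers -contains 'All'
}
$legacyBlock = $caPolicies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
Add-Check 'MFA enforced for all users'    ($secDefaults -or [bool]$mfaPolicy)   "SecurityDefaults=$secDefaults CApolicy=$([bool]$mfaPolicy)"
Add-Check 'Legacy authentication blocked' ($secDefaults -or [bool]$legacyBlock) "SecurityDefaults=$secDefaults CApolicy=$([bool]$legacyBlock)"

# 3. Global Administrator count. The article's target is 1-2.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaCount = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id).Count
Add-Check 'Global admins limited to 1-2' ($gaCount -le 2) "count=$gaCount"

# 4. Any enabled Conditional Access policy at all (requires Entra ID P1).
Add-Check 'Conditional Access configured' ($caPolicies.Count -gt 0) "enabled policies=$($caPolicies.Count)"

# 5. SharePoint external sharing. New tenants default to ExternalUserAndGuestSharing
#    ("Anyone" links); Disabled or existing-guests-only counts as restricted here.
$sharing = (Get-SPOTenant).SharingCapability
Add-Check 'SharePoint external sharing restricted' ($sharing -in 'Disabled','ExistingExternalUserSharingOnly') "SharingCapability=$sharing"

# 6. Automatic forwarding to external recipients. 'Automatic' (the default) lets
#    Microsoft decide; 'Off' blocks it outright.
$fwd = (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode
Add-Check 'External auto-forwarding blocked' ($fwd -eq 'Off') "AutoForwardingMode=$fwd"

# 7. Unified audit logging.
$audit = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Add-Check 'Unified audit logging enabled' $audit "UnifiedAuditLogIngestionEnabled=$audit"

# 8. Defender for Office 365: at least one enabled Safe Links and Safe Attachments
#    policy. The cmdlets fail on tenants without the licence, which is itself a finding.
try {
    $safeLinks = @(Get-SafeLinksPolicy -ErrorAction Stop | Where-Object EnableSafeLinksForEmail)
    $safeAtt   = @(Get-SafeAttachmentPolicy -ErrorAction Stop | Where-Object Enable)
    Add-Check 'Defender for Office 365 enabled' ($safeLinks.Count -gt 0 -and $safeAtt.Count -gt 0) "SafeLinks=$($safeLinks.Count) SafeAttachments=$($safeAtt.Count)"
} catch {
    Add-Check 'Defender for Office 365 enabled' $false 'not licensed or cmdlets unavailable'
}

$results | Format-Table -AutoSize -Wrap
```

Run it as `.\Check-M365Baseline.ps1 -TenantName contoso` (a filename and tenant of our choosing). A tenant on Security Defaults passes the first two checks but will always fail Conditional Access, because the two cannot be enabled together; that is acceptable for a client on Business Basic and a gap worth closing for one paying for Business Premium.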

What accountants can do right now

You do not need to become a cyber security expert. You do not need to hire a security team. You need a simple way to help your clients understand where their biggest risks are — and a trusted partner who can fix what needs fixing.

A free M365 security check takes 2 minutes and gives your client a personalised risk score with a prioritised fix list. No signup, no cost, no obligation. Share it with your clients as a value-add. If the results show gaps (they almost always do), a qualified consultant can fix them at a fixed price in 3–5 days.

The accountants who are already doing this — proactively recommending security reviews alongside their tax and advisory work — are differentiating themselves in a market where most firms still treat cyber security as someone else’s problem. The ones who wait will eventually have a client lose money to a preventable attack, and the conversation that follows is uncomfortable for everyone.

Frequently asked questions

Are accounting firms responsible for their clients’ cyber security?

Legally, no — each business is responsible for its own systems. But practically, accounting firms that handle sensitive financial data are increasingly expected to flag security risks as part of their advisory role. Proactively recommending security reviews differentiates your firm and protects your client relationships.

What is the biggest cyber risk for small business clients?

Business email compromise. Attackers compromise a Microsoft 365 account, monitor email conversations, and send fraudulent payment instructions from a legitimate email address. The average cost per incident for Australian small businesses is $56,600 according to the ACSC’s 2024–25 report.

How can accountants help without becoming security experts?

The simplest approach is to share a free M365 security check tool that gives clients a personalised risk score in 2 minutes. For clients who need remediation, partner with a security consultant who delivers fixed-price engagements. No need to build security capability in-house.

Tags: cyber security accounting, M365 security, business email compromise, small business Australia, Xero security, Essential Eight

Want to help your clients get secure?

SecureLoop partners with accounting firms to bring cloud security to their clients. Co-branded landing page, free M365 checks for your clients, no referral fees.