Accounting firms in Melbourne hold a richer concentration of attack-worthy data than most law firms or medical practices: TFNs, bank details, payroll files, BAS lodgement credentials, trust account balances, and SMSF records. The real threats are business email compromise during EOFY, ransomware on practice management servers, and departing staff exporting client lists. None of these are theoretical.
This is a security-focused post. If you want the broader operational picture, see our guide on IT support for Melbourne accounting firms. Here we’re staying in the security lane: the controls that actually matter, the regulators that actually audit, and the insurers that actually pay out.
What accounting firm data security actually means in 2026
The phrase gets thrown around loosely. For a Melbourne accounting firm with 5 to 50 staff, accounting firm data security is the set of technical and procedural controls that protect three asset categories: client financial records (tax returns, BAS, financial statements), authentication credentials to lodgement and banking platforms (myGovID, ATO Online Services for Agents, Xero, MYOB, bank portals), and trust account ledger data where applicable.
Three regulators care about how you handle this. The OAIC enforces the Privacy Act and the Australian Privacy Principles (APPs), with mandatory data breach notification under the Notifiable Data Breaches scheme. The Tax Practitioners Board (TPB) sets the Code of Professional Conduct, which includes obligations around confidentiality, conflict management, and reasonable care of client records. The ATO sets technical requirements for Online Services for Agents access, including a hard MFA requirement and operational security controls. If you handle SMSF audits or AFSL-adjacent work, ASIC and APRA obligations layer on top. AML/CTF accountants (tax agents providing designated services) sit under AUSTRAC.
The point: data security is not optional and it’s not just “an IT thing”. It’s a partnership-level risk that determines whether the firm keeps its registration, its PI insurance, and its clients.
Trust account protection: separation of duties at the IT level
Where firms hold trust money (commonly auditors, insolvency practitioners, and some tax practitioners with statutory deposits), the IT controls around the trust account need to mirror the financial controls. This is where most firms slip up. The bookkeeper has the trust account password saved in their browser, the principal “needs” override access, and there’s no audit trail when transfers happen out of hours.
What proper IT-level separation of duties looks like:
- Dedicated identities for trust account access. Not a shared “office@” login. Each authorised person has their own credential.
- Hardware-backed MFA on those identities. SMS codes are not sufficient for trust account roles. We deploy authenticator apps or FIDO2 keys.
- Conditional access policies that restrict trust account portals to managed devices on Australian IP ranges. Travelling staff get a documented exception process, not a permanent bypass.
- Privileged Access Management (PAM) so that the principal’s elevated access requires a second approver and is logged. This is an Essential Eight maturity-level-two control and it stops the most common trust account fraud vector: a single compromised principal account.
- Immutable audit logging retained for seven years to align with TPB record-keeping requirements. Logs sitting on the same server as the data are not audit logs; they’re evidence the attacker will delete.
A Hawthorn accounting firm we onboarded last financial year had a single Office 365 account being used by three partners for trust correspondence. There was no MFA on it because “the partners share the phone code anyway”. Within two months of remediation we’d split it into three identities, deployed conditional access, and pushed audit logs into a separate tenant. Three weeks after that, one of the partner accounts had a credential-stuffing attempt from Eastern Europe. It was blocked at the conditional access policy and we had the full sign-in log to give to their cyber insurer.
Client data classification: not all client data is equal
One of the most useful exercises we run with new accounting firm clients is a data classification workshop. Most firms treat everything the same, which means either everything gets expensive top-tier protection (wasteful), or sensitive data gets the same controls as the office lunch roster (negligent).
A workable three-tier model:
| Tier | Examples | Required controls | Retention |
|---|---|---|---|
| Tier 1 — Highly sensitive | TFNs, bank credentials, SMSF documents, trust ledger, signed financial statements | Encryption at rest and in transit, MFA-gated access, DLP egress controls, full audit logging, restricted-share-only | 5–7 years per ATO/TPB rules |
| Tier 2 — Client confidential | Working papers, draft returns, engagement letters, correspondence | Encryption at rest, MFA, role-based access, standard audit logging | 5–7 years |
| Tier 3 — Internal/admin | Internal policies, marketing material, supplier invoices | Standard access controls, backup | Per business need |
Once classification is in place, the security tooling actually has something to enforce. Microsoft Purview Information Protection (or equivalent) can auto-label documents containing TFNs as Tier 1 and block them from being emailed to external addresses. Without classification, DLP rules are guesswork.
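As an added illustration of what "auto-label documents containing TFNs as Tier 1 and block them from leaving" means in practice, the following Python is example code written for this post, not a Purview configuration and not TechAssist's tooling. It uses the published TFN check-digit algorithm (weights 1,4,3,7,5,8,6,9,10; weighted sum divisible by 11) so that a nine-digit invoice number is not mislabelled, then applies a single egress rule. The sample documents, the firm domain `example-firm.com.au` and the `Unclassified` fallback are constructed assumptions; a real labelling policy would also match bank credentials, SMSF and trust ledger content.

```python
import re

# Weights of the published TFN check-digit algorithm: a nine-digit TFN is valid
# when the weighted digit sum is divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped 3-3-3 by a space or hyphen, not embedded in a longer number.
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(candidate: str) -> bool:
    """Check-digit test: True only for nine-digit strings that pass the mod-11 weighting."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return every nine-digit candidate in the text that passes the check digit."""
    return [
        "".join(m.groups())
        for m in TFN_CANDIDATE.finditer(text)
        if is_valid_tfn("".join(m.groups()))
    ]


def classify(text: str) -> str:
    """Tier 1 when a valid TFN is present. Anything else is left for other rules
    (assumption for this example: only the TFN rule is implemented)."""
    return "Tier 1" if find_tfns(text) else "Unclassified"


def egress_decision(text: str, recipient: str, firm_domain: str) -> str:
    """DLP-style decision for an outbound email: Tier 1 content may not leave the firm's domain."""
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    if classify(text) == "Tier 1" and recipient_domain != firm_domain.lower():
        return "block"
    return "allow"


# Constructed sample documents (not real client data). 123 456 782 passes the check
# digit; INV-123456789 is a nine-digit invoice number that fails it, and the phone
# number is ten digits so it is never a candidate.
WORKING_PAPER = "Client: J. Citizen. TFN 123 456 782. Refund to nominated account. Ph 0412 345 678."
SUPPLIER_INVOICE = "Invoice INV-123456789 for office supplies, due 30 June."

if __name__ == "__main__":
    print(classify(WORKING_PAPER), find_tfns(WORKING_PAPER))
    print(classify(SUPPLIER_INVOICE), find_tfns(SUPPLIER_INVOICE))
    print(egress_decision(WORKING_PAPER, "someone@gmail.example", "example-firm.com.au"))
```

The check digit is what makes the rule usable: a bare nine-digit regex fires on invoice numbers, ABNs with a digit dropped and bank references, and staff learn to ignore the alerts.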
Business Email Compromise: the EOFY scenario
BEC is the dominant fraud threat against Melbourne accounting firms. Not ransomware. Not data theft for sale. Plain old “trick the bookkeeper into changing the bank account number on a supplier payment” fraud, weaponised around tax time when everyone is busy and inboxes are flooded.
The classic EOFY scenario: it’s late June, a senior accountant is finalising a client’s return. An email lands purporting to be from the client, sent from a lookalike domain (the legitimate domain is client-co.com.au, the fake is clientco-com.au). The email says “we’ve changed our bank for the refund — here’s the new account”. The accountant updates the ATO refund nomination. The refund — sometimes $40,000, sometimes $400,000 — lands in the fraudster’s account.
The other variant: the firm itself gets compromised. An attacker phishes a junior accountant, sits in their inbox for two weeks reading client conversations, then sends invoices for “outstanding fees” to clients from the legitimate firm address with the firm’s logo and the partner’s email signature. Clients pay. By the time anyone notices, the money is gone and the firm’s reputation is on the line.
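The lookalike-domain trick in the EOFY scenario above is mechanical enough to check for automatically. The Python below is an added example for this post (not TechAssist's tooling and not any mail gateway's built-in feature): it compares the sender's domain against a constructed allow-list of known client domains, first by collapsing punctuation and a few confusable characters, then by edit distance. The client domains, the confusable table and the two-edit threshold are assumptions chosen for the demonstration.

```python
import re
from typing import Optional

# Constructed allow-list of client domains the firm corresponds with (hypothetical names).
KNOWN_CLIENT_DOMAINS = {"client-co.com.au", "northside-plumbing.com.au"}

# Characters attackers swap for visually similar ones. Assumption: a small table is
# enough for the demonstration; production tools use much larger confusable sets.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def sender_domain(from_header: str) -> Optional[str]:
    """Pull the domain out of a From header such as 'Jane <jane@client-co.com.au>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def squash(domain: str) -> str:
    """Normalise a domain so punctuation games and confusable characters collapse:
    'client-co.com.au', 'clientco-com.au' and 'c1ient-co.com.au' all become 'clientcocomau'."""
    d = re.sub(r"[.\-_]", "", domain.lower())
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for one- or two-character typosquats that the squash step misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, known=KNOWN_CLIENT_DOMAINS, max_edits: int = 2) -> str:
    """'known' for an exact match, 'lookalike:<client domain>' for a near miss, else 'unknown'."""
    dom = sender_domain(from_header)
    if dom is None:
        return "unparseable"
    if dom in known:
        return "known"
    for k in sorted(known):
        if squash(dom) == squash(k) or levenshtein(dom, k) <= max_edits:
            return f"lookalike:{k}"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Jane <jane@client-co.com.au>", "Jane <jane@clientco-com.au>",
                "accounts@c1ient-co.com.au", "noreply@unrelated.example"):
        print(f"{hdr:40} -> {assess_sender(hdr)}")
```

A "lookalike" result is the trigger for the out-of-band verification step: the email is quarantined or banner-tagged and the accountant phones the client on a known number. Keep the edit threshold small; on short domains, two edits will match legitimate unrelated senders.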
Controls that actually stop this:
- DMARC at policy `p=reject`. Stops your domain being spoofed. Most accounting firms we audit are still on `p=none` or have no DMARC record at all.
- External email banners with prominent visual warning. Cheap. Works.
- Mailbox audit logging turned on. Default in newer M365 tenants but not always enabled in older ones. Without it you cannot determine breach scope when the OAIC asks.
- Inbox rule monitoring. Attackers create rules to auto-delete or forward security alerts. Alerting on new rule creation catches this within minutes.
- Out-of-band verification for any bank account change. Written policy: bank detail changes require a phone call to a known number, never the number in the email.
- Impossible-travel and risky-sign-in detection. If a Hawthorn-based accountant signs in from Lagos at 3am, the session should be blocked, not just flagged.
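Two of the detections in that list, alerting on risky inbox rule creation and blocking impossible travel, can be shown as plain logic over log records. The Python below is an added example for this post, not TechAssist's detection content and not Microsoft's own Identity Protection logic. The sign-in records and audit events are constructed (hypothetical users, documentation IP ranges, rough city coordinates), the audit record shape is simplified from the Unified Audit Log (real records carry Parameters as Name/Value pairs), and the 900 km/h and 50 km thresholds are assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly a commercial airliner
SAME_AREA_KM = 50.0               # assumption: moves inside one metro area are not travel

# Inbox-rule parameters that forward mail out or hide it; the ones attackers set.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sign-in records (not real log data). A real export would come from Entra ID sign-in logs.
SIGN_INS = [
    {"user": "partner@example-firm.com.au", "time": "2026-06-25T09:02:00+10:00",
     "ip": "203.0.113.10", "city": "Hawthorn", "lat": -37.82, "lon": 145.03},
    {"user": "partner@example-firm.com.au", "time": "2026-06-25T03:00:00+01:00",
     "ip": "198.51.100.7", "city": "Lagos", "lat": 6.52, "lon": 3.38},
    {"user": "junior@example-firm.com.au", "time": "2026-06-25T08:30:00+10:00",
     "ip": "203.0.113.10", "city": "Hawthorn", "lat": -37.82, "lon": 145.03},
    {"user": "junior@example-firm.com.au", "time": "2026-06-25T17:15:00+10:00",
     "ip": "203.0.113.10", "city": "Hawthorn", "lat": -37.82, "lon": 145.03},
]

# Constructed audit events, simplified from the shape of M365 Unified Audit Log records.
AUDIT_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "junior@example-firm.com.au",
     "Parameters": {"Name": ".", "ForwardTo": "mail@attacker.example", "DeleteMessage": True}},
    {"Operation": "New-InboxRule", "UserId": "partner@example-firm.com.au",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"Operation": "Set-Mailbox", "UserId": "admin@example-firm.com.au",
     "Parameters": {"AuditEnabled": True}},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(sign_ins):
    """(user, from_city, to_city, speed_kmh) for consecutive sign-ins by one user that
    would need travel faster than MAX_PLAUSIBLE_SPEED_KMH. Timestamps carry offsets,
    so Hawthorn and Lagos times compare correctly."""
    by_user = {}
    for rec in sorted(sign_ins, key=lambda r: datetime.fromisoformat(r["time"])):
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < SAME_AREA_KM:
                continue
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append((user, prev["city"], cur["city"], round(speed)))
    return alerts


def risky_inbox_rules(events):
    """(user, rule_name, [risky parameters]) for rule creations that forward or delete mail."""
    alerts = []
    for ev in events:
        if ev["Operation"] not in RULE_OPERATIONS:
            continue
        risky = sorted(k for k in ev["Parameters"] if k in RISKY_RULE_PARAMS)
        if risky:
            alerts.append((ev["UserId"], ev["Parameters"].get("Name", "?"), risky))
    return alerts


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGN_INS))
    print("risky inbox rules:", risky_inbox_rules(AUDIT_EVENTS))
```

The inbox-rule check is deliberately broad: a rule named "." that forwards externally and deletes the original is the textbook BEC persistence step, and a false positive on a genuine forwarding rule costs one phone call. The impossible-travel check is the logic behind a conditional access block; the point of the page's advice is that the session is blocked automatically rather than raised as a ticket for someone to read the next morning.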
For a deeper look at our broader posture, see our cybersecurity services for Melbourne businesses.
Xero, MYOB and QuickBooks integration security
Accounting software is the single most concentrated point of value in the firm. A compromised Xero Practice Manager session gives an attacker access to potentially hundreds of client files, bank feed credentials, and payroll data. Most firms underprotect this.
| Platform | Minimum security baseline | Recommended uplift |
|---|---|---|
| Xero Practice Manager / Xero HQ | MFA on every user, individual logins (no sharing), removed-staff offboarding within 24 hours | SSO via Microsoft Entra ID, conditional access, session timeout reduction, login alerts to security inbox |
| MYOB AccountRight / MYOB Practice | MFA enforced, role-based permissions reviewed quarterly | SSO integration, IP allow-listing where supported, regular audit log review |
| QuickBooks Online Accountant | MFA on master admin and all team members, no client-shared logins | Intuit SSO, custom user roles, integration audit (third-party app review) |
| ATO Online Services for Agents | myGovID Standard or Strong identity strength, RAM permissions reviewed | Strong identity strength for all client-impacting operations, RAM authorisations reviewed quarterly, offboarding procedure for departing staff |
Two specific issues we see constantly: third-party app sprawl in Xero (every tool a previous staffer integrated still has API access years later), and ATO RAM permissions never being revoked when staff leave. The RAM one is particularly dangerous because a former employee with active RAM authorisation can still lodge BAS or update bank details on behalf of the firm’s clients.
Secure document portals for engagement letters and signed financials
Emailing signed engagement letters and PDF financial statements is still the default at most Melbourne firms. It shouldn’t be. The risks: email-in-transit interception is rare but possible; mailboxes are persistent attack targets, so signed docs sitting in Sent Items for years are loot for any future breach; and there’s no audit trail of who actually opened the document.
A proper secure portal (FuseDocs, Suralink, FYI Docs, Annature for signing, or Microsoft SharePoint with sensitivity labels) provides:
- Encrypted upload and download with per-client access control
- Audit trail showing who opened what and when
- Document expiry — links don’t live forever
- MFA on client access (not always implemented by default, ask)
- Watermarking for sensitive financial statements
The compliance angle: if a client engagement letter is breached via your unsecured email channel, the OAIC will ask why you didn’t use available technical controls. “It’s how we’ve always done it” is not a defensible answer under APP 11.
Backup strategy: 3-2-1-1-0 for accounting data
Backup for accounting firms isn’t about RTO bragging rights. It’s about whether you can restore a client’s 2024 working papers when the ATO audits them in 2028, and whether you can do that after a ransomware event without paying. We won’t repeat the whole rule here — read our detailed breakdown in why the 3-2-1 backup rule is not enough in 2026.
What’s specific to accounting firms:
- Practice management database backups need to capture the full database, not just user documents. APS, CCH iFirm, Xero Practice Manager (where applicable), HandiSoft — each has its own backup procedure and most need scheduled exports beyond what the vendor provides by default.
- Workpaper retention beyond active client period. A client who leaves in 2026 still needs their 2024–25 records retained until at least 2030 for ATO purposes. That data must be on backup, not just on the departed-clients folder of a single fileserver.
- Immutable backups — the “1” in 3-2-1-1-0. Ransomware variants in 2025 routinely targeted backup repositories first. Immutability prevents the attacker from deleting your last lifeline.
- Tested restores — the “0” in 3-2-1-1-0, meaning zero errors on restore. We test client restores quarterly for accounting clients. The number of firms that discover their backups have been silently failing for six months is depressing.
For backup and recovery specifically, see our data backup and recovery service page.
Insider threat: departing staff with client data
This is the one nobody wants to talk about. The single most common data loss event at an accounting firm isn’t a hacker — it’s an accountant taking client contact details, working papers, or template documents on their way out the door, often to a competing firm or to set up their own practice.
The controls:
- USB and removable media controls via endpoint policy. Disabled by default, with documented exception process.
- Cloud egress controls — blocking personal OneDrive, Dropbox, Google Drive sign-in from work devices. Microsoft Defender for Cloud Apps does this well.
- Email auto-forwarding rules disabled at tenant level and alerted on creation.
- Print logging — yes, this still matters. Accountants print client lists.
- Formal offboarding checklist — credentials revoked same day, RAM permissions removed, Xero access removed, mobile devices wiped, signed declaration that no firm data is retained.
- UEBA (User and Entity Behaviour Analytics) — detecting unusual download volumes by users in their final two weeks. We’ve caught two departing senior accountants this way in the past 18 months.
Essential Eight non-negotiables for accounting firms
The Essential Eight is the ASD/ACSC’s mitigation strategy framework. For accounting firms, we treat Maturity Level One as table stakes and push toward Maturity Level Two for firms with trust account or SMSF audit exposure. Full breakdown on our Essential Eight compliance page.
| Essential Eight control | Accounting firm priority | Common gap |
|---|---|---|
| Application control | High — stops ransomware execution | Not deployed; relying on AV alone |
| Patch applications | High — practice software is a top target | APS, CCH and HandiSoft updates deferred for “stability” |
| Configure Microsoft Office macro settings | High — spreadsheet macros are an active attack vector | Macros enabled tenant-wide for “convenience” |
| User application hardening | Medium — reduces browser-based attack surface | Java, Flash legacy plugins still installed |
| Restrict administrative privileges | Critical — principals running as local admin is the norm | Daily-use accounts have admin rights |
| Patch operating systems | High | Windows 10 machines past EOL still in use |
| Multi-factor authentication | Critical — every system, every user | MFA on M365 only, not on Xero/MYOB/banking |
| Regular backups | Critical — see backup section above | Untested restores, no immutability |
You can self-assess to Maturity Level One in a workshop. Maturity Level Two requires technical configuration that most firms don’t have in-house. We help firms close the gap as part of our security and compliance service.
Cyber insurance requirements: what your insurer actually checks
Cyber insurance renewal questionnaires in 2026 are not the box-ticking exercise they were in 2021. Insurers now require evidence — not attestation — for the controls that drive their loss ratios. If you sign the questionnaire claiming you have MFA on all admin accounts and you don’t, you’ve given the insurer grounds to decline the claim. We’ve seen it happen.
What every Australian cyber insurance application we’ve seen in the last 12 months requires:
- MFA evidence — screenshots of MFA enforcement policy, list of accounts covered, exception register
- EDR/endpoint security — name of product, coverage percentage, last quarterly review
- Backup proof — last successful restore test date, immutability configuration, offsite copy verification
- Email security — DMARC policy state, anti-phishing platform, user training cadence
- Privileged access — separation of admin accounts, no shared credentials, just-in-time elevation
- Incident response — documented IR plan, named IR provider on retainer, tabletop exercise within last 12 months
- Vulnerability management — patch cadence, vulnerability scanning evidence
Firms that can’t demonstrate these are either declined or quoted with sub-limits that make the policy near-useless for ransomware (e.g., $50,000 sub-limit on a $5m policy). For accounting firms that means ransomware recovery comes out of partnership cash.
How TechAssist works with Melbourne accounting firms
We’re a Melbourne MSP with 13 Australian-employed engineers, a 24/7 NOC, sub-15-minute response on critical-severity tickets, and Essential Eight-aligned standard builds. We’re ISO 27001 capable, which matters when your professional indemnity insurer or your largest audit clients ask about your supply chain. We work with accounting practices from Hawthorn, Camberwell, Box Hill, South Yarra and across metro Melbourne.
For accounting firms specifically, our standard onboarding includes a security baseline assessment against Essential Eight, MFA rollout across every business-critical system (not just M365), backup architecture review against the 3-2-1-1-0 standard, and a documented cyber insurance evidence pack so renewal is straightforward rather than terrifying.
FAQ
Do we need ISO 27001 certification as an accounting firm?
Almost certainly not — and the cost of full certification (typically $40,000 to $80,000 over two years for a firm your size) is rarely justified unless you’re servicing ASX-listed audit clients or government work that mandates it. What you do need is the substance of an Information Security Management System: documented policies, risk register, access reviews, incident response plan, supplier risk assessments. We deliver that without the certification overhead for most accounting clients. If a tender or major client actually requires ISO 27001, we’ll get you there; otherwise, the Essential Eight at Maturity Level Two delivers more practical security per dollar.
Is MFA enough?
No. MFA is necessary, not sufficient. MFA stops the majority of credential-based attacks but does nothing about endpoint compromise, malicious insider activity, attacker-in-the-middle phishing (which bypasses any MFA that is not phishing-resistant), or ransomware delivered via the supply chain. Treat MFA as the foundation and build EDR, application control, backup immutability, and email authentication (DMARC) on top. For high-risk roles like principals and trust account signatories, move to phishing-resistant MFA — FIDO2 hardware keys or platform passkeys.
What does our cyber insurer actually require?
Each insurer differs, but the consistent minimum is: MFA on all remote access and admin accounts, EDR (not just AV) on all endpoints, immutable or air-gapped backups with documented restore tests, DMARC and email filtering, a written incident response plan, and security awareness training at least annually. The insurer will ask for evidence at renewal and after any claim. Firms that produced evidence pre-incident settled claims significantly faster than firms that scrambled to assemble it post-incident — and several firms in the past two years had claims declined because their stated controls didn’t match reality.
How long should we retain client data after the engagement ends?
The minimum is generally five years from the date the relevant transaction or act was completed, per ATO record-keeping rules, but TPB obligations and Limitations of Actions Act considerations often push this to seven years. For SMSF and audit work, retention can be longer. The IT implication is that “departed client” data still needs to be on protected, backed-up storage — not a USB drive in the partner’s bottom drawer.
What’s the single biggest security gap you see at Melbourne accounting firms?
Shared logins. A senior partner’s M365 credentials shared with two other staff “for convenience”. Trust account portal credentials in a shared password manager folder. ATO Online Services accessed via a colleague’s myGovID because their own setup is “still being sorted”. This is the gap that causes the most regulatory pain when a breach occurs, because you cannot prove who did what. Individual identities with MFA, full audit logging, and a real offboarding process fix it.
Next steps
If you’re a partner or principal at a Melbourne accounting firm and you want a frank assessment of where your security sits against Essential Eight, TPB expectations, and current cyber insurance requirements, get in touch via our contact page. The first conversation is a security posture review — no obligation, no sales pitch dressed as a free audit. We tell you what’s actually exposed and what to fix first.
