It’s a question that not many accountants are asking, but if neglected, it’s something that can have disastrous consequences.

It’s not enough anymore to sit there and say “hackers only target hard cash, like banks and credit cards” because whilst that may still be true to some extent, let’s look at all the data accountants tend to have: the financial data of your clients’ businesses.

That’s your clients’ livelihood, and hackers have caught on to this. They’ve realised that they can monetise all kinds of data, especially sensitive data belonging to your clients, which means we have some catching up to do to make sure this is all protected!

We’ve already covered ways to stop using email to send sensitive information, and now it’s time to look at how you can continue to improve your firm’s internal security.

Look at who has access, and to what

When you’re sending sensitive documents to someone, be it through Dropbox, Google Drive or a client portal, you of course need to give your client access to then view that information.

That’s great, but how do you continually manage this? If access management is left unchecked, you could find that clients have access to areas they no longer need access to, or worse, they’re not entitled to have access to, but because it was left unchecked, they still do.

The problem here is that you need to consistently make sure that your clients only have access to the things they need access to, so that they don’t hold privileges they don’t (or no longer) need. Better yet, if someone needs a higher level of access, it’s always a great idea to communicate any special or higher risks associated with that, so that they are educated on the policies and procedures you have in place to protect their accounts and their data.

Check your passwords

When talking about security, one of the most popular questions I’ve seen is “how often do you change your password?” But a more pertinent question would be “how many accounts do you have that re-use the same password?” The answer always surprises me.

Often, password re-use is one of the biggest security issues people have. Do you remember the LinkedIn hack of 2012? Hundreds of millions of users had their account passwords breached, but it presented a bigger problem for those who were using that password for other systems like Dropbox, Facebook and Outlook. Worse, a lot of the time, the hacker succeeded because of this.

Because of the beauty of password managers like LastPass, you don’t necessarily need to remember all your passwords, which gives you the opportunity to make them more complex without the pressure of potentially forgetting which letter was capitalised, or which letter was substituted for a number. A trusted system to manage all of your passwords gives you far more security than before.

Also, with two-factor authentication, you can add an extra layer of security to your password. This has become much more prominent with companies like Google and even Xero. Because banks have been using it for a long time, we’ve become much more accustomed to using two-factor authentication on a daily basis.

Another thing to be particularly careful of is usernames and passwords of past employees. It’s highly recommended that you delete these and change passwords so that any past employees, disgruntled or otherwise, aren’t tempted to log in again remotely.

Bringing your own device to work

Ever since the iPhone first launched, the way we work has been transformed. Instead of bringing your own laptop to work, people are now bringing what is practically a computer in their pocket!

The problem with this is if your personal device has got malware on it (which you may not be aware of in the first instance), as soon as you connect to the company wi-fi, you’re at risk of transferring that malware to everyone else. That’s the servers, the files, the emails, everything.

Now I’m not saying you need to implement a rule where people have to leave their phones at home, but it’s worth having the conversation with your employees so that they’re aware of the risks and the steps they can take to make sure their own devices are protected.

Give everyone training

Everything I’ve said so far ties back to training, so make sure you have firm-wide policies and training on security. That way you’re making sure your entire team is on the same page when it comes to how to handle data, how to keep data secure and what steps to take if things go wrong.

Why risk the vulnerability of data, when there are tools and support out there to keep your firm secure?


With technology-driven change accelerating, Kevin Reed looks past the acronyms to set out the state of play on key tech topics of interest at the moment – and what you need to know to keep up

Accountants know that getting a handle on the latest tech acronyms is just the start of the learning process. These strangely-titled pieces of legislation or ‘next new thing’ will impact on their clients – or how they serve them. We take a look at four of the key topics.

Making Tax Digital (MTD)

Many of you will be weary of the sight of the acronym ‘MTD’, but it’s worth keeping track of key dates and developments. VAT-registered businesses over the VAT threshold will file quarterly returns from April 2019, while it is likely that those with income over £85,000 will need to file under the regime from April 2020. Effectively, HM Revenue & Customs is looking to digitise the filing system and gain access to information on a more regular basis.

Understanding which clients fall into which ‘box’, as far as MTD is concerned, is a priority for accountants. Setting a plan for moving away from using HMRC’s systems and taking on a commercial solution is another crucial step, as the taxman phases out its own delivery platform. Educating clients about this change, and throughout the process, must also be carefully considered.

There is concern about whether HMRC’s £2.1bn transformation plan (to become a digital provider of public services, while reducing costs) is feasible, fears that have again been raised following the publication of a report by the Public Accounts Committee.

Brexit is likely to see a 15% increase in projects undertaken by the taxman – on top of 250 outlined as part of its transformation plan. HMRC is now ‘re-prioritising’ its workload and will reveal more by the end of 2017/18 as to the likely impact.

However, as the committee is putting pressure on HMRC to manage the so-called SME ‘tax gap’, it seems unlikely that MTD will disappear off the radar – but it does raise the risk that a shift in focus away from digital transformation onto other projects will adversely affect any technology-focused changes. And a cautionary note: HMRC told the committee that it expects to work with tax advisers to encourage their clients’ compliance.

Accounting app ‘ecosystems’

Perhaps the most intriguing technology development in recent times has been that of the ‘app’, and associated ‘app market’. Think Apple Store or Google Play Store, and the multitude of tools and games that has been born or reincarnated through these platforms.

Now we have accounting technology providers enabling accessibility and integration in the cloud. Xero, Quickbooks and Sage have followed the ‘app’ approach in the small business space, and extended it out into practice management. Their online app stores offer a multitude of add-ons. For accountants in practice, this development opens up lots of opportunities – and issues to be resolved.

First, is it worth making the leap from your current technology platform? Some practitioners will work with ‘best-of-breed’ software and go through the painful process of extracting data from one tool to another. Others will use integrated suites of products – but some parts of the suite may not be the best tool for that particular practice. Again, this may require extra software purchases and fiddly data transfers.

Carl Reader, director at Bristol accountants d&t, says the ‘platform and apps’ approach is tempting in comparison to the alternatives. “Traditional integrated accounting platforms are quite clunky, particularly as there’s no such thing as the ‘stereotypical accounting practice’ anymore,” he explains.

It is worth noting that the new cloud-based platforms are also expanding their remit, and offering deeper functionality. However, unlike the traditional integrated platforms, you have more flexibility to opt out and instead use another bolt-on app if you prefer – without a painful manual integration. A major concern, in a world where the app market is expanding rapidly, is knowing which of the add-on apps are right for your practice. “The options seem to increase on a daily basis and it is almost impossible to keep on top of what is happening,” according to Blick Rothenberg partner Bobby Lane. The practice has worked with a consultant who helps constantly monitor the latest developments in the accounting and business app space. But, as previously mentioned, the platform providers are developing their service further, which Lane believes will remove much of the need for picking and choosing add-ons.

“There seemed to be an add-on developed for every area and businesses believed that they had to have everything,” he says. “The reality is that when you break down the actual requirements of the business, most of what they need can be carried out with the basic platforms. These will continue to develop and replace the need to add on.”

PSD2 (aka Open Banking)

This is the acronym that has probably had the least traction in the media.

It sounds like a droid from the new Star Wars movie – it actually stands for Second Payment Services Directive. While neither the acronym nor the full title will mean that much to anyone, you may have heard reference to its alternative moniker: Open Banking.

Put simply, banks will have to make available, upon your request, direct feeds of account information to third parties. These third parties will provide a range of financial and corporate services based on you allowing them access to your data.

Clearly, some of these products and services won’t just be for the consumer – corporate and business-focused offerings will also become available. Tim Fouracre, founder of Clear Books, has launched Countingup. This app will enable small businesses to open a current account via their smartphone, while undertaking their accounting. It will be able to submit VAT returns, generate a P&L, create invoices and do the bookkeeping. He says it’s no surprise that the banks are “dragging their heels” on being ready for Open Banking (it’s believed five of the nine big banks missed the 13 January kick-off date).

“It’s no surprise HSBC et al are dragging their heels into Open Banking. It’s going to kill them,” he says. “We already know their point of contact with customers is on the decline as the branch network erodes away. But as the banks move to a predominantly online model, Open Banking is about to remove their point of contact with customers in the digital world too.”

Blick Rothenberg partner Bobby Lane urges patience – as far as practitioners are concerned. He believes the new regime “will not make a huge difference” to dealings with clients in the short term. He does predict new services to arise around the lending decision-making process for SMEs, which may influence how practices work with clients in finance-raising. Accountants serving clients in the fintech space must also be aware of the opportunities presented by Open Banking.

“At the current time, the role of the accountant will be more education-based, letting clients know what is happening and what this will mean for them,” says Lane.


Like MTD, GDPR is an acronym that – by casting an eye over it – will automatically make you feel weary, anxious, or both.

We broached the thorny topic in our April 2017 issue of InsideOutsourcing – but it’s still well worthy of a reprise.

The UK’s Data Protection Act 1998 will be superseded by the EU-driven legislation. The new law intends to bring up to date provisions to deal with the explosion of personal and business data – along with how it is used, stored and deleted (or not). GDPR is enforceable from 25 May.

Personal data will require stronger consent from the individual for that information’s use and storage, alongside the ‘right to be forgotten’. Some organisations will have to appoint a ‘data protection officer’ in certain circumstances. Encryption of personal data is expected to be undertaken. Accounting practices hold much sensitive personal and corporate data. The misuse of that data, or a lack of robust measures to protect it, will see much larger fines issued by the Information Commissioner’s Office than previously.