Accounting firms in Perth handle some of the most sensitive data imaginable — client tax returns, payroll records, bank account details, and director identities. A breach at an accounting practice doesn't just expose the firm; it cascades to every client. Yet many Perth accounting practices still operate with cyber security measures that wouldn't pass an Essential 3 audit, let alone the higher maturity levels the Australian Cyber Security Centre (ACSC) recommends.
This guide covers what Perth accounting firms need to know about the Essential 8 framework, how to protect client data, and where to start if your practice hasn't addressed cyber security seriously.
Why Accounting Firms Are a Prime Target
Cyber criminals specifically target accounting practices because they hold the keys to multiple businesses. A single compromised login gives attackers access to BAS statements, payroll runs, and direct debit authorities across dozens or hundreds of client companies. The ACSC's Annual Cyber Threat Report identified professional services — including accounting — as one of the most targeted sectors in Australia in 2025.
The risks go beyond data theft. A ransomware attack that locks your practice management software can stop you from lodging BAS, processing payroll, or accessing trust account records. The OAIC's Notifiable Data Breaches scheme also means you're legally required to notify affected clients and the regulator if client data is compromised — with significant reputational damage when it happens.
The Essential 8: What Perth Accounting Firms Need to Achieve
The ACSC's Essential Eight is the baseline cyber security framework recommended for all Australian organisations. It consists of eight mitigation strategies designed to prevent attacks and limit damage when they occur. The official Essential 8 guidance breaks these into three maturity levels, and for accounting firms handling financial data, Maturity Level 2 should be the minimum target.
The Eight Strategies
- Application control — prevent unauthorised executables from running on your systems
- Patch applications — keep your practice management software, Office 365, and accounting tools updated within 48 hours
- Configure Microsoft Office macro settings — block macros from untrusted sources (a common vector for ransomware in accounting firms)
- User application hardening — block Flash, Java, and other vulnerable web technologies
- Restrict administrative privileges — no-one should run daily tasks with full admin rights
- Patch operating systems — deploy critical OS patches within 48 hours
- Multi-factor authentication — MFA on all remote access and cloud services, including your accounting platform
- Daily backups — offline or isolated backups tested regularly
Need help auditing your Essential 8 readiness?
We assess your current security posture, identify gaps, and create a roadmap to Maturity Level 2 and beyond — starting with a free health check.
Get Your Free Cyber Health CheckSpecific Threats Facing Perth Accounting Practices
1. Business Email Compromise (BEC)
Attackers impersonate a partner or director to request urgent payment of a "supplier invoice" or redirect a BAS payment. According to the ACCC's Targeting Scams report, BEC losses in Australia exceeded $80 million in 2025. Robust cyber security measures — including MFA and strict payment verification processes — are essential to defend against this.
2. Ransomware Targeting Practice Management Software
A growing trend in 2025-2026 is ransomware specifically targeting Xero, MYOB, and QuickBooks integrations. Attackers encrypt the database files and configuration that link your practice management tools to client records. Comprehensive backup and disaster recovery is your last line of defence — the ACSC recommends offline or air-gapped backups tested at least monthly.
3. Supply Chain Attacks via Third-Party Add-ons
Accounting firms use dozens of third-party tools — document management systems, practice management platforms, client portals, and AI-assisted bookkeeping tools. Each integration is a potential attack surface. The Australian Signals Directorate has warned that supply chain compromises are increasing. Proper managed IT services include vetting and monitoring all third-party integrations.
Compliance Obligations Beyond the Essential 8
Perth accounting firms face additional regulatory requirements that make cyber security non-negotiable:
- ATO digital service provider obligations — the ATO requires tax practitioners to maintain "adequate data security measures" under the Digital Service Provider obligations
- ASIC regulatory guides — if your practice handles SMSF audits or financial advice, ASIC's cyber resilience requirements apply
- Privacy Act 1988 (Cth) — the notifiable data breaches scheme requires mandatory reporting if client data is compromised
- CPA Australia and CA ANZ practice standards — both professional bodies now include cyber security in their practice review frameworks
Meeting these obligations doesn't have to be overwhelming. With the right cyber security approach and proper security baselines, you can satisfy most requirements while giving your team the flexibility to work from anywhere.
Practical Steps to Get Started This Week
- Enable MFA everywhere — every cloud service your firm uses should have multi-factor authentication enabled. Start with Microsoft 365, Xero/MYOB, and your practice management platform.
- Run a backup test — don't just check that backups are running; try restoring a file and a full database. The ACSC recommends testing at least quarterly.
- Audit admin accounts — list every staff member with admin rights. Most accounting firms can reduce this by 80% in a single afternoon.
- Patch priority systems — check that your core systems (practice management, document management, email) have had all security patches applied in the last 30 days.
- Review integration permissions — audit every third-party tool connected to your practice management software. Remove anything unused.
Not sure where your firm stands?
Our IT security assessment maps your current posture against the Essential 8 and identifies the quick wins that will make the biggest difference. No obligation, no sales pitch — just practical advice for Perth accounting practices.
Book Your AssessmentFrequently Asked Questions
Is Essential 8 mandatory for accounting firms?
While Essential 8 is not explicitly legislated for private accounting firms, the ATO's Digital Service Provider obligations effectively require equivalent security measures. Firms that cannot demonstrate adequate cyber security risk losing their ATO lodgement privileges. Many Perth practices choose to adopt Essential 8 as their compliance framework because it aligns with both ATO expectations and cyber security best practices.
How much does Essential 8 compliance cost a Perth accounting practice?
The cost varies significantly depending on your current infrastructure. For a 10-person practice, achieving Maturity Level 1 typically costs between $3,000 and $8,000 in upfront work (audit, remediation, training) plus ongoing managed IT support. Level 2 requires additional investment in endpoint detection, advanced patching processes, and enhanced backup systems. Our health check assessment gives you a firm-figure quote before any work begins.
What happens if our practice experiences a data breach?
Under the Privacy Act, you must notify the OAIC and affected clients if the breach is likely to cause serious harm. The average cost of a data breach for an Australian accounting firm is estimated at $180,000 when you factor in remediation, notification, legal fees, and lost client trust. The OAIC's Notifiable Data Breaches page has the full guidelines on what constitutes a reportable breach.
Next Steps for Your Practice
Cyber security for accounting firms isn't a one-off project — it's an ongoing process. The Essential 8 framework gives you a clear roadmap, but implementing it effectively requires someone to own it. Whether that's an internal IT manager, a dedicated cyber security partner, or a managed IT provider who handles security as part of your managed IT services, the key is to start now rather than after an incident forces your hand.
Related reading: Check out our guides on Essential 8 compliance for WA businesses and cyber security checklists for Perth SMEs for more detail on specific strategies.