Cybersecurity for Professional Services Firms in Australia: Accountants, Lawyers, Consultants

Cybersecurity for Professional Services Firms in Australia: Accountants, Lawyers, Consultants
Cybersecurity for Professional Services Firms in Australia: Accountants, Lawyers, Consultants
Cybersecurity for Professional Services Firms in Australia: Accountants, Lawyers, Consultants
Cybersecurity for Professional Services Firms in Australia: Accountants, Lawyers, Consultants
Cybersecurity for Professional Services Firms in Australia: Accountants, Lawyers, Consultants

A Melbourne accounting firm discovered last year that a staff member’s email had been silently monitored for six weeks. The attacker — who had accessed the account using credentials stolen in a third-party data breach — waited patiently, watching invoice cycles, learning client names, and ultimately redirecting a $67,000 payment to an overseas account. The firm had antivirus software. They had a firewall. They had an IT support contract. None of it caught the intrusion.

This is not an isolated incident. Professional services firms — accountants, lawyers, financial advisers, management consultants — sit at the intersection of two things cybercriminals prize most: sensitive data and financial transactions. In our experience working with Australian SMEs, professional services firms are among the most targeted and least protected sectors.

Why Professional Services Firms Are High-Value Targets

It comes down to what you hold. A typical professional services firm of 20 staff might manage tax returns for 500 businesses, hold wills and trust deeds for hundreds of families, or advise on M&A transactions worth tens of millions. The data is extraordinarily sensitive, and the trust relationship means clients share things they share with nobody else.

Attackers know this. The motivations for targeting professional services firms include:

  • Business Email Compromise (BEC): Monitor email communications, intercept payment instructions, redirect funds. The accounting and legal sectors are the most heavily targeted for BEC in Australia.
  • Ransomware: Encrypt client files and demand payment. Professional services firms are ideal targets because they cannot afford even hours of downtime.
  • Data theft for secondary extortion: Steal client data and threaten to publish it unless a ransom is paid — particularly damaging for firms bound by confidentiality obligations.
  • Supply chain access: Compromise a firm to gain access to its clients. Attackers increasingly target advisors as a pathway into larger organisations.
Key point: The ACSC reports that professional services is consistently one of the top five sectors reporting cybersecurity incidents. The combination of sensitive data and financial transaction authority makes these firms uniquely attractive targets.

The Most Common Security Gaps We Find

When we conduct penetration tests and security assessments for professional services firms, we see the same gaps repeatedly. Not because these firms are negligent — but because the security industry has done a poor job of communicating what actually matters.

Gap Why It Matters How Common
Credentials in dark web breach databases Attackers use these to log in without any hacking required Very common — affects most firms
No MFA on email A stolen password gives full email access Common in smaller firms
Former staff accounts still active Ex-employees retain access to client files and systems Extremely common
No email authentication (DMARC/SPF/DKIM) Your domain can be spoofed for phishing attacks on clients Very common
Shared passwords for practice management software No audit trail, no way to revoke access for departing staff Common
Client data in personal email or cloud storage Outside firm control, unencrypted, unmonitored Common

Your Legal and Regulatory Obligations

Beyond the practical security risks, professional services firms have specific compliance obligations that create legal exposure if a breach occurs.

Privacy Act 1988 (as amended): If you hold personal information about clients — which every professional services firm does — you are subject to the Australian Privacy Principles. The 2024 amendments increased penalties substantially, with serious or repeated breaches now attracting fines of up to $50 million. You are required to notify the OAIC and affected individuals of eligible data breaches.

For accountants: Tax Practitioners Board requirements include adequate records management and data security. ASIC guidance increasingly references cybersecurity as part of operational risk for registered company auditors.

For lawyers: Legal Professional Conduct Rules in each state impose confidentiality obligations. Trust account obligations create additional exposure — a BEC attack targeting a trust account is both a financial and a professional conduct matter.

For financial advisers: ASIC has issued specific guidance on cybersecurity for AFS licence holders. The guidance makes clear that cybersecurity is an operational risk that licensees must manage as part of their licence obligations.

Key point: A data breach at a professional services firm is not just a security incident — it is a potential professional conduct matter, a potential licence breach, and a Privacy Act notification obligation. The regulatory consequences compound the direct financial damage.

Practical Security Measures That Actually Work

1. Find out what is already on the dark web about your firm. Run a Cybernod scan at fort1.com.au. It checks dark web breach databases for credentials connected to your domain — takes 5 minutes and is free. Most professional services firms have at least one set of staff credentials exposed from a third-party breach they were never told about.

2. Enable MFA on everything, starting with email. Multi-factor authentication blocks the vast majority of credential-based attacks. Priority order: email first, then your practice management software, then any cloud file storage, then remote access.

3. Audit and deactivate former staff accounts. Run a report of all active user accounts in your email system and practice management software. Compare against your current staff list. Deactivate any accounts belonging to people who have left.

4. Set up email authentication. Configure DMARC, SPF, and DKIM for your domain. This prevents attackers from sending emails that appear to come from your firm. Your IT provider can typically set this up in under an hour.

5. Establish a payment verification process. Any request to change bank account details should be verified by phone using a number already on file — not one provided in the email. This single control stops the majority of BEC attacks.

What a Penetration Test Finds in Professional Services Environments

When we conduct external penetration tests for professional services firms, here is what we typically find in the first 24 hours: staff credentials in dark web breach databases (almost always present); an email domain without proper DMARC configuration; at least one internet-facing portal with weak authentication; and former staff accounts still active in at least one system.

None of this requires sophisticated hacking to exploit. It requires a leaked credential and patience.

Find Out What Is Already Exposed About Your Firm

Run a free Cybernod dark web scan on your domain. See exactly what credentials and data threat actors can find about your firm — in under 5 minutes. If anything surfaces, we will walk you through what it means and what to do next.

Run a Free Cybernod Scan

Fort1 works with accountants, lawyers, financial advisers, and management consultants across Australia on penetration testing, compliance assessments, and dark web monitoring. We understand the specific regulatory obligations and client confidentiality requirements that professional services firms operate under. Reach out at info@fort1.com.au or call +61 1300 294 089.

Fort1 is an Australian cybersecurity firm based in Sydney. We provide penetration testing, compliance advisory, and dark web monitoring. Contact us at info@fort1.com.au or +61 1300 294 089.