The Hidden Cyber Risks in Your Firm: It’s Not the Tech, It’s the Habits
In accountancy firms, the greatest cybersecurity threats rarely come from attackers' sophisticated tools; they come from everyday human habits. A password shared in a hurry. A client file opened over an unsecured public Wi-Fi connection. A phishing email actioned between client calls.
These small actions go unnoticed until they trigger a breach, by which time the damage is done.
Why Traditional Training Fails
Most firms rely on annual, tick-box training modules. They satisfy compliance requirements but fall short for three reasons:
Generic and forgettable
One-size-fits-all training ignores individual behaviours and is quickly forgotten once the box is ticked.
No link to daily workflow
Staff aren't shown how risks connect to their real-world tasks: client emails, reconciliations, and document sharing.
Cybersecurity isn’t a knowledge problem; it’s a habit problem. Without reinforcement and accountability, bad habits persist.
The New Approach: Behaviour-Centric Security
To build resilience, leaders need to focus on changing daily behaviours, not just delivering information. That means:
1. Personalised Risk Awareness
Not all employees present the same risk. A payroll assistant handling sensitive PII has a very different risk profile to a partner working on M&A transactions. Leaders must:
Use risk assessments and monitoring to identify where human vulnerabilities are concentrated.
Tailor training and interventions to individual roles and behaviours, rather than issuing generic content.
2. Continuous Micro-Learning
Instead of “one and done” annual training, firms should adopt year-round reinforcement:
Bite-sized learning modules linked to real scenarios employees face (e.g., spotting a fake invoice).
Just-in-time nudges delivered at the moment of risk, for example a reminder about handling client data when someone signs in from outside the office.
Ongoing phishing simulations and gamified testing to keep awareness fresh.
3. Embed Security in Culture
Security should become part of the firm’s identity, not a compliance chore:
Make cyber hygiene as routine as balancing a ledger.
Celebrate and reward good security behaviours just like you would great client service.
Encourage staff to speak up without fear if they make a mistake; faster reporting reduces damage.
4. Leadership by Example
Culture flows from the top. Partners and managers must:
Consistently model strong practices (e.g., never emailing sensitive files unencrypted).
Share openly how they manage risks in their own work.
Demonstrate that no one is exempt from following protocols, not even senior leaders.
The Leadership Call to Action
As a leader, it's time to reframe cybersecurity. It isn't just about firewalls and software; it's about people and behaviours. Here's your starting point:
Audit human risks: Map out where risky habits live in your firm. Look beyond IT systems to daily workflows.
Rebuild your training strategy: Scrap generic annual modules. Shift to tailored, continuous, and habit-focused learning.
Invest in culture change: Position cybersecurity as a shared responsibility tied directly to client trust, not just IT’s job.
Measure what matters: Don't just count training completions. Track reductions in phishing click rates, improvements in password hygiene, and how quickly incidents are reported. Click rate alone is easy to game; the share of staff who report a simulated phish, and how fast, is usually the more telling number.
Communicate confidence: Make cybersecurity part of your client value proposition. A firm that can prove its resilience has a competitive edge.
The firms that thrive in the next decade won't just have the best compliance frameworks; they'll have the safest habits. Your role as a leader is to make cybersecurity a living, breathing part of firm culture.
Now is the time to ask:
“Are our people prepared to be our strongest defence? Or will hidden habits remain our biggest risk?”