Why Accounting and Legal Firms Are Prime Targets

Ransomware attackers are not random. They target organisations with two specific characteristics: valuable, sensitive data and a high willingness to pay to get it back. Accounting and legal firms tick both boxes decisively.

For an accounting firm, a successful ransomware attack means encrypted client tax records, inaccessible MYOB or Xero databases, and the potential exposure of thousands of clients' financial information — including tax file numbers, which cannot be changed. The regulatory consequences under the Tax Agent Services Act and Privacy Act are severe.

For a law firm, the stakes are even higher. Trust account data is regulated by the Legal Services Board. Privileged client communications, if exfiltrated, can be used for extortion. A breach involving client funds can result in the firm being struck off the roll.

The numbers for Australia in 2023–24

The ACSC received over 94,000 cybercrime reports in 2023–24 — one every six minutes. Professional services firms (legal, accounting, consulting) were among the top five most targeted sectors. The average cost of a ransomware incident for an Australian SMB exceeded $71,000, not including regulatory fines or reputational damage.

How Ransomware Actually Gets In

Understanding the attack vectors helps explain why the defences below are so targeted. Ransomware enters professional services firms through a small number of well-documented pathways:

01. Phishing emails

The most common entry point. An email arrives appearing to be from the ATO, a client, or a court — with an attachment or link that delivers a malware dropper. During tax season, ATO-themed phishing emails targeting accounting firms spike significantly.

02. Compromised Microsoft 365 credentials

Attackers obtain credentials through phishing or credential stuffing, log into a staff member's M365 account, and use it to move laterally through the organisation or deploy ransomware via SharePoint or OneDrive synchronisation.

03. Unpatched software vulnerabilities

MYOB, Xero, LEAP, and other practice management applications all have documented vulnerabilities. Attackers actively scan for firms running unpatched software. A single unpatched system on your network can be the entry point for a full network compromise.

04. Remote Desktop Protocol (RDP) exposure

Many professional services firms enabled RDP during COVID for remote access and never properly secured it. Exposed RDP is one of the most common ransomware entry points in Australia — attackers use automated tools to find and brute-force RDP connections.

05. Supply chain / third-party access

IT support providers, bookkeepers, or other third parties with remote access to your systems represent an indirect attack surface. If your IT provider is compromised, attackers can pivot directly into your environment.

The Specific Controls That Stop Ransomware

Ransomware protection isn't a single product — it's a layered set of controls that make each attack pathway progressively harder. Here are the controls every Melbourne accounting and legal firm should have in place:

Multi-Factor Authentication on All Accounts

MFA stops credential-based attacks cold. Even if an attacker obtains a staff member's password through phishing, they cannot access the account without the second factor. This is the single highest-impact control for professional services firms and takes hours to deploy across a Microsoft 365 tenant.

Immutable, Tested Backups

If ransomware encrypts your data, a clean, recent backup is your recovery path. But the backup must be immutable (attackers cannot delete or encrypt it) and regularly tested. Many firms discover their backups have been failing silently for months when they actually need to restore. Backups should be stored in a separate environment — ideally offline or in a separate cloud tenant — and tested monthly.

Endpoint Detection & Response (EDR)

Traditional antivirus detects known malware signatures. EDR detects suspicious behaviour — which is how modern, fileless ransomware operates. Microsoft Defender for Business (included in M365 Business Premium) provides enterprise-grade EDR at no additional cost for most firms. It must be actively configured and monitored to be effective.

Patch Management — Including Practice Software

All software must be kept current — not just Windows, but MYOB, LEAP, Best Practice, Xero desktop, and any other practice management applications. Critical patches should be applied within 48 hours of release. This aligns with Essential Eight Control 2 (Patch Applications) and Control 6 (Patch Operating Systems).

Disable or Secure RDP

If you don't need RDP, disable it. If you do, it should be accessible only via a VPN with MFA, never exposed directly to the internet. Run a firewall audit to confirm RDP (port 3389) is not publicly accessible. This is one of the quickest wins for reducing ransomware risk and takes minutes to check.

Email Filtering & Anti-Phishing

Configure Microsoft Defender for Office 365 with Safe Links, Safe Attachments, and anti-impersonation policies. This scans every link and attachment before it reaches your staff — blocking the vast majority of phishing-delivered ransomware before it ever executes. Supplement with staff training — your team is the last line of defence.

Restrict Administrative Privileges

Ransomware needs admin rights to encrypt network shares and spread laterally. If a staff member's account has admin privileges and is compromised, the attack can quickly spread to your entire network. Most staff should have standard user accounts only, with admin rights reserved for IT operations and protected with dedicated admin accounts.
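As an added example (not code from the article or from Melbits), the PowerShell script below checks two of the quick wins above on a single Windows host: whether Remote Desktop is enabled and allowed inbound on TCP 3389 from any remote address by the host firewall, and who currently holds local Administrators membership. The function names are my own; every cmdlet used is built into Windows PowerShell 5.1 and later, and the script assumes an elevated session on the host being audited.

```powershell
# Added self-check for two controls above (example code, not the article's or Melbits' own):
#  1. Is Remote Desktop enabled on this host, and does an enabled inbound firewall rule
#     allow TCP 3389 from any remote address?
#  2. Who is a member of the local Administrators group?
# Run in an elevated Windows PowerShell 5.1+ session on the host being audited.
# Function names are hypothetical; every cmdlet used is built into Windows.

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is disabled; 0 means enabled
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # Enabled inbound allow rules whose local port is 3389 and whose remote address is 'Any'
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $port = ($_ | Get-NetFirewallPortFilter).LocalPort
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            ($port -contains '3389') -and ($addr -contains 'Any')
        }

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        OpenToAnyAddress = (@($openRules).Count -gt 0)
        RuleNames        = @($openRules | ForEach-Object DisplayName)
    }
}

function Get-LocalAdminMembers {
    # Day-to-day staff accounts should not appear here; admin rights belong to dedicated admin accounts
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$rdp = Get-RdpExposure
Write-Output ("RDP enabled: {0}; host firewall allows 3389 from any address: {1}" -f `
              $rdp.RdpEnabled, $rdp.OpenToAnyAddress)
if ($rdp.RdpEnabled -and $rdp.OpenToAnyAddress) {
    Write-Warning "Remote Desktop is reachable from any address on the host firewall. Restrict it to the VPN subnet or disable it."
    Write-Warning ("Rules involved: " + ($rdp.RuleNames -join ', '))
}

Write-Output "Members of local Administrators:"
Get-LocalAdminMembers | Format-Table -AutoSize
```

This audits only the host firewall and local group; the perimeter firewall or router NAT rules still need to be reviewed to confirm 3389 is not reachable from the internet.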

Incident Response Plan

When ransomware hits, the first 30 minutes determine the outcome. A documented incident response plan — who to call, what to disconnect, how to preserve evidence, when to notify the OAIC — means your team acts decisively rather than panicking. Under the Notifiable Data Breaches scheme, you may have as little as 30 days to notify affected individuals.

Regulatory Consequences for Accounting Firms

A ransomware attack on an accounting firm isn't just an IT problem — it's a professional liability event. The consequences can include:

  • Privacy Act obligations — If personal information is accessed or exfiltrated, you may have mandatory notification obligations under the Notifiable Data Breaches scheme, with fines of up to $50 million for serious or repeated breaches under the 2024 amendments.
  • Tax Agent Services Act — Tax agents have obligations around the security of client tax information. A breach involving TFNs or tax records can trigger a Tax Practitioners Board investigation.
  • Professional indemnity exposure — Clients who suffer loss as a result of a breach of their data may have claims against the firm. Cyber insurance is increasingly essential — and increasingly demanding of security controls as a condition of coverage.

Regulatory Consequences for Law Firms

  • Legal Services Board obligations — Victorian law firms have specific obligations around the security of trust account data. A breach involving trust records must be reported to the LSB.
  • Professional conduct rules — Solicitors have duties of confidentiality to clients. A breach of privileged communications may constitute professional misconduct.
  • Cyber extortion risk — Some ransomware groups exfiltrate data before encrypting it, then threaten to publish client communications unless a second ransom is paid. This is particularly damaging for law firms whose value rests on client confidentiality.

Cyber insurance is not a substitute for security controls

Insurers are increasingly requiring evidence of security controls — MFA, EDR, patching, backups — as a condition of coverage. A firm that suffers a ransomware attack without these controls in place may find their claim denied. The Essential Eight provides a clear framework for demonstrating security maturity to insurers.

Getting a Ransomware Readiness Assessment

The fastest way to understand your firm's exposure is a ransomware readiness assessment — a structured review of your IT environment against the controls above. At Melbits, we work with accounting and legal firms across Melbourne and understand the specific software, regulatory obligations, and risk profile of professional services practices.

We offer a free initial consultation that includes a high-level review of your ransomware exposure and a prioritised list of quick wins. For firms wanting a formal assessment against the ACSC Essential Eight, we can provide a full gap assessment with a written report suitable for professional indemnity insurers and regulatory purposes.