Avoiding the cyber crime threat from Making Tax Digital

Introduced in 2019 ahead of a wider roll-out, Making Tax Digital (MTD) is a government initiative which aims to transform the UK tax system.

Putting an end to the traditional tax return, the initiative requires businesses to keep digital records and submit returns online using MTD-compatible systems.

Ultimately, Making Tax Digital aims to leverage digital technology to make taxation easier, more transparent and more efficient - but the scheme has also given rise to concerns over cyber security.

That’s because the introduction of MTD is forcing many firms to implement and use new digital systems they’re not familiar with, while at the same time mandating the sharing of sensitive financial data online.

Taken together, those two factors create clear potential for problems - particularly with opportunistic cyber crime at an all-time high.

In this blog post, we’ll look more closely at the vulnerabilities MTD could expose, and identify the steps you can take to mitigate any risk.


Unfamiliar foes - why new MTD software represents a risk

At present, Making Tax Digital applies only to VAT, so it’s only mandatory for businesses that earn over the £85,000 per year VAT threshold. 

However, more taxes will be incorporated into the scheme from 2020, and soon enough, all businesses (including sole traders and freelancers) will have to comply.

That means businesses not yet making use of digital accounting platforms are going to have to change their ways.

While it’s unclear exactly how many businesses will have to invest in new technology to meet MTD requirements, the latest figures from the British Chambers of Commerce (BCC) show that a third of UK firms have already done so.

That’s a third of businesses implementing and using new software to report their financial data - potentially failing to follow data-security best practice due to unfamiliarity with their new system.

Even more worryingly, the report suggests that a further 19% of VAT-registered companies don’t even know what Making Tax Digital is. These are likely to be more traditional, less digital-savvy organisations, even more ill-prepared to make the sudden leap to online filing.

Tax administration is already a popular cyber crime target, and the increase in digital records and data transfers, coupled with the lack of data security expertise in many businesses, could mean MTD presents easy pickings for data theft.

And in the era of GDPR, a breach of data security could come at great cost to your business.

Indeed, alongside the considerable expenses businesses are incurring as a result of Making Tax Digital (the cost of new software and training for instance), the real financial damage could come from the crippling effects of data loss.


Three steps to help you avoid a costly cyber crime…

1) Choose your software wisely

There’s no getting around it. If you currently record your financial data on spreadsheets, or perhaps even just on paper, you’ll need to invest in some MTD-compatible software to help you fulfil your obligations.

To aid your search, HMRC has compiled a full list of compliant software providers, which includes today’s most popular accounting packages (the likes of Xero, Sage and QuickBooks).

Each solution will of course have its pros and cons, but cyber security should be a key factor in your decision. Look into the data storage protocols of each platform, hunt out any ISO security accreditations, and make sure you understand each provider’s approach to ongoing ‘patching’ or bug fixes.

After all, keeping your software regularly updated will be critical to warding off potential threats.


2) Protect your data

Once your software is up and running, it’ll be storing a lot of valuable data - so you’ll need to ensure it’s only accessible to the right people.

Restrictions should be put in place to limit data access to the staff who need it, and to keep out prying eyes. Permissions settings within the software should allow you to do this with relative ease.

If you’re working with cloud accounting software, your data will be accessible via any internet-connected mobile device, so you’ll also need to be aware of the devices that your staff are using to connect.

Vulnerabilities in these devices (for instance an out-of-date operating system or browser) could potentially compromise your data.

Consider your approach to third-party access, too. Whether it’s an accountant or an IT worker, some people may from time to time need access to your system, and you’ll need to make sure they follow the same data protection obligations as you do.


3) Train your staff

When working with new technology, human error arguably poses a greater risk than any vulnerability in the software itself. And, with MTD being such a new initiative, cyber criminals may well take the opportunity to test out that theory.

As various MTD deadlines loom, your staff should therefore be made aware of the potential for phishing attacks (one of the most common causes of a data breach) from cyber criminals attempting to impersonate official HMRC communications, or those of your software supplier.

Such attacks are becoming increasingly sophisticated, so staff should be adequately trained to help them spot malicious emails, not just encouraged to remain vigilant. 

This training should be delivered as part of a wider education programme that fosters a culture of cyber security in your business, also including clear guidance on best-practice password policies. 



Another sure-fire step towards the digitised business world, Making Tax Digital will transform taxation for the better - but firms must be wary of the data security implications that come with it. 

Selecting the right software will be key to both a smooth transition and to ongoing security, yet the education of your staff will be just as essential in keeping your data safe.

As a minimum, employees must be made aware of how they could be manipulated by cyber criminals into divulging sensitive data or providing access to systems - a topic explored further in our webinar, Social Engineering - how your firm can minimise the threat.

With 97% of phishing attacks targeting users through social engineering tactics, educating your staff is essential to safeguarding your firm - through Making Tax Digital and beyond.

Posted by Wayne Barber
