INAA (International Network of Accountants and Advisors) is a global alliance of independent accounting and advisory firms. Lupasafe and INAA partnered several years ago to provide INAA members with best-in-class cybersecurity awareness training and phishing protection, helping accounting firms across the network safeguard their practices and clients against evolving cyber threats. This article is for accounting and audit firms navigating ISO 27001, NIS2, and increasing client scrutiny.
The problem isn’t technical—it’s trust
A fundamental question is keeping accounting and audit firm leaders up at night in 2026: “How do we prove to our clients—and our auditors—that we’re actually secure?”
Your clients aren’t asking about your firewall configuration. They’re asking: “Can we trust you with our financial data?” Your auditors aren’t satisfied with policies on paper. They want evidence. Real data. Proof that your team can recognize a phishing email. Documentation that you’ve tested your incident response plan. Metrics showing improvement over time.
And here’s the uncomfortable truth: most accounting firms don’t have good answers.
The four challenges facing INAA members
1. Client due diligence is getting serious
Five years ago, clients accepted “Yes, we take security seriously” as an answer. Not anymore.
Now they ask:
- “When did your team last complete security awareness training?”
- “Can you show us your phishing test results?”
- “How quickly would you detect a data breach?”
- “What’s your incident response plan?”
These aren’t paranoid questions. These are standard due diligence questions from corporate clients who’ve seen too many headlines about accounting firms losing client data.
The consequence: Firms without solid answers are losing bids to competitors who can demonstrate their security posture with evidence, not promises.
2. NIS2 & ISO 27001 auditors want proof, not policies
Many INAA members we speak with are frustrated with their ISO 27001 auditors. The feedback they get is vague. “You need better security awareness.” “Your incident response needs work.” “We need more evidence of continuous improvement.”
But what does “better” look like? What evidence, specifically? How do you demonstrate continuous improvement in security awareness?
One INAA member told us: “Our auditor keeps pointing out gaps, but never tells us exactly what we need to fix or how to document it. It feels like they’re just checking boxes without actually helping us get better.”
This creates a dangerous cycle: firms spend time and money preparing for audits, get told they’re missing something, scramble to fix it, and repeat the process every year without really improving their security posture.
3. Your team is your biggest risk (and your biggest asset)
Here’s what keeps us, and your clients, up at night: every person in your firm has access to incredibly sensitive information. Payroll data. Tax returns. Financial statements. Client banking details.
A single employee clicking a phishing link can compromise:
- Years of client financial records
- Confidential tax strategies
- Sensitive M&A discussions
- Personal information of thousands of employees
But here’s what most firms miss: security awareness training fails when it’s generic.
Standard cybersecurity training talks about “never click suspicious links” and “verify sender addresses.” That’s not helpful when your team receives 200+ legitimate emails daily from clients, banks, tax authorities, and partners.
What your team needs is training on the specific threats targeting accounting firms:
- Fake invoice emails that look exactly like your client’s AP department
- Phishing emails pretending to be from tax authorities during filing season
- Business email compromise targeting payroll processing
- Impersonation attacks using your partners’ domains
4. NIS2 is creating confusion (and opportunity)
The NIS2 Directive (new EU legislation that requires firms serving critical supply chains, directly or indirectly, to be compliant) has many INAA members worried—and confused. Does it apply to us? Does it apply to our clients? How does it relate to ISO 27001? What do we need to change?
More importantly, your clients are asking you these questions. And if you can’t answer them confidently, they’ll find someone who can.
NIS2 isn’t just another compliance headache. It’s a chance to position your firm as a trusted advisor on cybersecurity and compliance—not just accounting and audit.
What INAA members actually need
After working with 10+ INAA member firms across the Netherlands, Belgium, Spain, and Germany, we’ve learned what works and what doesn’t.
Start with evidence-based security
Skip the 50-page security policy no one reads. Start with measurable, demonstrable security:
Phishing simulations
Run realistic phishing tests quarterly. Not to “catch” your team, but to measure improvement. Your auditors want to see:
- Baseline click rates
- Improvement over time
- Targeted training for vulnerable users
- Documentation of the program
Progressive training
Generic one-time training doesn’t work. Your team needs:
- Ongoing education (we use a 36-month cycle)
- Scenarios specific to accounting/audit work
- Just-in-time training when they make mistakes
- Certificates for compliance documentation
Independent assessments
Your IT provider is great, but auditors and clients want independent verification:
- Cloud security assessment (Microsoft 365)
- Endpoint security visibility
- Email security analysis
- Gap analysis against ISO 27001 and NIS2
Get audit-ready (before the audit)
The best time to prepare for an NIS2 or ISO 27001 audit is continuously, not two weeks before the auditor arrives.
What auditors actually want to see:
- Security awareness training completion records
- Phishing simulation results over time
- Incident response documentation and testing
- Risk assessments with actual data
- Evidence of continuous improvement
What we help INAA members maintain:
- Automated evidence collection
- Real-time compliance dashboards
- Historical trend data
- Audit-ready reports that can be generated on demand
Turn security into a client differentiator
Some INAA members are going further. They’re not just securing their own firms—they’re offering security awareness as a service to their clients. For example, INAA member Schuiteman: https://schuiteman.com/themas/cybersecurity/
Think about it: you already have trusted relationships with 100+ SME clients. Many of them are asking about NIS2, struggling with ISO 27001, and worried about ransomware. They trust you for financial guidance. Why not security guidance too?
The business case:
- One INAA member firm has 130 clients with approximately 3,200 total employees
- Delivered as a white-label service under your brand
- Strengthens client relationships instead of referring them elsewhere
We’re not suggesting every INAA member should become a cybersecurity company. But many firms are finding that offering security awareness training is a natural extension of their advisory services—and a meaningful revenue stream.
The “Get safer first” approach
Here’s our philosophy: before becoming a partner, secure your own firm. Get your NIS2 or ISO audit sorted. Build confidence with your clients. Then, if it makes sense, we can discuss whether offering security services to your clients fits your business model.
This approach works because:
- You experience the platform firsthand before recommending it to clients
- You become genuinely knowledgeable about security awareness and compliance
- Your team becomes your best case study when talking to clients
- You’re not selling something you don’t understand or use yourself
Real talk: What implementation actually looks like
Let’s be specific about what working with Lupasafe involves:
Time Investment:
- Initial setup: ~2 hours of your IT provider’s time
- Your time: 1-2 hours for initial consultation and configuration decisions
- Ongoing: Mostly automated, quarterly reviews recommended
Cost Structure:
- €7.99 per user per month
- Minimum 2-year commitment
- 30-day evaluation period to ensure it’s a good fit
What happens during setup:
- We coordinate with your IT provider for Microsoft 365 read-only access
- Configure phishing campaigns and training in your preferred languages
- Set up compliance dashboard aligned with your ISO 27001 requirements
- Initial baseline phishing test (optional)
- Launch progressive training program
What you get:
- Quarterly phishing simulations
- 36-month progressive training curriculum
- Pre-audit gap analysis for NIS2 & ISO 27001
- Cloud security assessment
- Compliance dashboard with audit-ready reports
- Incident response plan templates
- Optional: Expert consultation from ex-NATO cybersecurity specialists
Questions INAA members ask us
“We already have an IT provider. How does this work with them?”
We coordinate with your IT provider—we don’t replace them. Most IT providers appreciate that we handle the security awareness and training side, which isn’t their core expertise. Setup requires about 2 hours of their time, and we work directly with them to ensure smooth integration.
“Our auditor has never mentioned needing this level of documentation.”
Many auditors don’t provide specific guidance—they just note gaps. But when you proactively present comprehensive security awareness metrics, incident response documentation, and continuous monitoring data, it changes the conversation. You’re no longer defending your security posture; you’re demonstrating it with evidence.
“What if our team is resistant to training and testing?”
This is common. The key is positioning: this isn’t about “catching” people making mistakes. It’s about protecting the firm and making everyone’s job safer. We’ve found that when training is relevant (accounting-specific scenarios), concise (10-15 minute modules), and continuous (not a once-a-year marathon), participation improves dramatically.
“How do we explain to clients that we’re doing this?”
Many INAA members proactively share their security program with clients as a differentiator. Something like: “We run quarterly phishing simulations and continuous security training for our team. Here’s our latest report showing 94% of our staff correctly identified and reported simulated phishing attempts.”
That statement builds more confidence than any security policy document.
“What about smaller firms? Is this overkill for a 10-person practice?”
We work with firms from 10 to 100+ employees. The threats are the same regardless of firm size. In fact, smaller firms are often targeted because attackers assume they have weaker security. Plus, smaller firms often have higher percentages of senior staff with access to the most sensitive information.
The INAA difference
We specifically focus on accounting and audit firms for a reason. Your challenges are unique:
- Seasonal pressure: Tax season, audit season, year-end all create vulnerability windows
- Client access: Your team legitimately receives sensitive documents from hundreds of sources
- Regulatory complexity: You’re navigating multiple compliance frameworks (ISO 27001, GDPR, NIS2, etc.)
- Trust-based business: Your entire business model relies on clients trusting you with their most sensitive information
Generic cybersecurity platforms don’t account for these nuances. They’re built for tech companies or manufacturing or healthcare—not for firms that process payroll for 130 clients and need to demonstrate ISO 27001 compliance while serving clients across multiple countries.
Next steps
If you’re an INAA member dealing with any of these challenges:
- Client pressure for security evidence
- Frustrating audit feedback
- Concerns about your team’s phishing awareness
- Questions about NIS2/ISO 27001 compliance
- Interest in offering security services to clients
Let’s talk. Not a sales pitch—a genuine conversation about your specific situation.
We offer a 30-day evaluation period because we want you to experience the platform and see real results before committing. Many INAA members start with a simple phishing test to baseline their team’s awareness, then expand from there.
Contact: han at lupasafe.com
Member: INAA – International Association of Accountants and Auditors
Lupasafe (Skopos Security Labs B.V.) serves 1,000+ organizations across Europe with security awareness training, phishing simulations, and NIS2 compliance solutions. We’re proud to serve INAA member firms and are recognized as a Mastercard Strive Innovation Fund winner.
