Password management is still one of the most important foundations of business security.
Employees need strong, unique passwords. Firms need a secure way to store and share credentials. IT teams need policies, reporting and controls that reduce the risk of weak, reused or unmanaged passwords.
None of that has changed.
But the way accountancy firms work has.
Client data is no longer accessed through one or two core systems. It now moves across cloud accounting platforms, payroll systems, client portals, document-sharing tools, e-signature platforms, practice management software, CRM systems, Microsoft 365, browser-based applications and, increasingly, AI tools.
That means the access challenge has grown bigger than passwords.
For accountancy firms, the question is no longer simply:
“Are our passwords secure?”
It is:
“Can we see and control access across the tools our people actually use?”
The access landscape has changed
Most accountancy firms now rely on a wide range of SaaS applications to deliver client work quickly and efficiently.
That flexibility has clear benefits. Teams can collaborate more easily, serve clients faster and adopt tools that remove friction from day-to-day tasks.
But there is a trade-off.
Every additional application creates another place where access needs to be understood, protected and reviewed.
A cloud accounting platform may hold sensitive financial records. A payroll system may contain employee data. A client portal may store confidential documents. An e-signature tool may process contracts and approvals. An AI assistant may be used to draft, summarise or restructure information.
Each tool creates access questions:
- Who is using it?
- What data does it contain or process?
- Is it approved for client work?
- Is multi-factor authentication enabled?
- Are credentials stored securely?
- Do users still need access?
- Are leavers removed quickly?
- Are there duplicate or underused licences?
If those questions cannot be answered confidently, the issue is not just password security. It is access visibility.
Password management is still the foundation
Strong password management remains essential.
Accountancy firms still need to reduce weak, reused and shared passwords. They still need a safer way for employees to store credentials. They still need controls around password sharing, user policies and reporting.
Without this foundation, firms are more exposed to credential-related risk.
A password manager helps by giving employees a secure, convenient way to manage access to the tools they use every day. It can also help IT teams apply policies, improve visibility over credential hygiene and reduce risky behaviours such as storing passwords in browsers, spreadsheets or shared documents.
But password management alone does not answer every access question.
It can help secure the login, but firms also need to understand the wider environment around that login.
That is where secure access becomes the next step.
Secure access means going beyond the vault
For many firms, password management has traditionally been the starting point.
But modern secure access needs to cover three broader areas: discovery, control and simplicity.
1. Discover What Is Being Used
Before a firm can secure access, it needs to know which applications employees are actually using.
That includes approved tools, but also unapproved SaaS apps, browser-based platforms, AI tools, free trials and department-led software that may not have gone through a formal review.
This is where many firms face a visibility gap.
Employees are not always trying to create risk. Often, they are trying to work faster, reduce admin or solve a client delivery problem. But if the firm cannot see which tools are being used, it cannot properly assess the access, data protection or cost implications.
Discovery matters because it gives firms a clearer view of the real working environment, not just the official technology list.
For accountancy firms handling sensitive client data, that visibility is essential.
2. Control access more effectively
Once a firm knows what is being used, it can make better decisions about access.
This includes making sure the right people have access to the right applications, and that access is appropriate for their role.
It also includes reviewing admin accounts, removing leavers, checking permissions after role changes and making sure policies such as multi-factor authentication are applied consistently.
This is especially important in accountancy environments where employees may move between client accounts, service lines or project teams.
Access that was appropriate six months ago may no longer be appropriate today.
Without regular review, firms can end up with users who are over-permissioned, former employees who still have access, or shared credentials that make activity difficult to trace.
Secure access is not only about getting people into systems. It is about making sure access remains appropriate over time.
3. Simplify secure access for employees
Security controls only work well if employees can follow them without constant friction.
If secure access feels too difficult, people may find workarounds. They may reuse passwords, share credentials informally, store passwords in unsafe places or adopt tools outside approved processes.
That is why simplicity matters.
The goal is not to make access harder. The goal is to make secure access easier to use and easier to manage.
For lean IT and operations teams, this is particularly important. Many accountancy firms do not have large internal security teams. They need practical tools that improve control without creating unnecessary complexity for employees or administrators.
A secure access approach should help people work safely, not slow them down.
Why this matters now
SaaS and AI adoption are accelerating.
Accountancy firms are under pressure to deliver faster, more efficient client service. Teams are experimenting with new tools to improve productivity, automate manual tasks and reduce admin time.
That is understandable. But it also means firms need to keep pace with how access is changing.
A password-only view of security may miss important questions:
- Which AI tools are employees using?
- Are client documents being uploaded to unapproved platforms?
- Are there duplicate SaaS tools across teams?
- Are inactive users still assigned to paid licences?
- Are shared credentials being used for client-facing systems?
- Can the firm evidence who has access to sensitive data?
These questions sit at the intersection of security, governance, operations and cost control.
For Operational Leaders, this is about client trust, efficiency and risk reduction.
For IT Owners, it is about visibility, policy enforcement and practical control.
Both groups need the same thing: a clearer view of the access environment.
Where LastPass fits
Secon has partnered with LastPass to help organisations strengthen secure access in a practical and manageable way.
For accountancy firms, LastPass should not only be seen as a password manager. Its newer Secure Access Essentials positioning is built around a broader access challenge: helping lean teams discover apps and AI usage, control access and simplify secure logins.
That makes it relevant for firms that have outgrown basic password management and now need to understand where SaaS, AI and access risk may be developing.
For organisations that need deeper capability, LastPass Business Max includes SaaS Monitoring and SaaS Protect, supporting visibility across SaaS usage, Shadow IT, Shadow AI and access management.
The value is not just storing passwords more securely.
It is helping firms understand what is being used, who is using it and where access may need to be tightened.
A simple secure access maturity model
A useful way to think about this is as a maturity ladder.
Level 1: Credential Control
The firm has a secure password manager in place. Employees can generate, store and share credentials more safely. This reduces reliance on weak passwords, spreadsheets, browsers or informal sharing.
Level 2: Policy and Reporting
The firm applies security policies, uses reporting and monitors credential hygiene. There is more structure around how passwords and access are managed.
Level 3: Access Visibility
The firm can see which apps and AI tools employees are using. It can identify unapproved tools, understand user activity and spot potential access gaps.
Level 4: Access Control
The firm regularly reviews who has access to which applications. Leavers are removed, role changes are checked and admin privileges are limited.
Level 5: Simplified Secure Access
Employees have a smoother secure login experience across the tools they need, while the firm maintains stronger visibility and control.
Not every firm needs to reach the highest level immediately. But every firm should know where it currently sits.
Questions Accountancy Firms Should Ask
If your firm already uses a password manager, that is a positive step.
The next question is whether your access security has kept pace with how your teams now work. You can begin by using our Accountancy Firm SaaS Visibility Checklist.
If several answers are unclear, the firm may not have a password problem alone. It may have a secure access visibility gap.
Final Thoughts
Password management is not outdated.
It is still essential.
But for accountancy firms, it now needs to sit within a broader secure access strategy that reflects the reality of SaaS, AI, hybrid working and client data protection.
The firms that handle this well will be the ones that can see what is being used, control who has access and make secure working simple for employees.
That is the shift from password management to secure access essentials.
Secon is working with LastPass to help firms strengthen secure access without unnecessary complexity.
If your firm wants to improve visibility across SaaS usage, AI tools, credential security and access control, speak to the Secon team about whether LastPass could support your next step.

