Stransact Blog

Category: Technology

  • Cybersecurity Risks in Tax Technology and How Nigerian Firms Can Stay Protected

    Cybersecurity Risks in Tax Technology and How Nigerian Firms Can Stay Protected

    The digital transformation of the accounting industry has brought unprecedented efficiency, especially in tax preparation and filing. However, this reliance on tax technology from cloud-based software to secure client portals also introduces a critical set of cybersecurity challenges.

    For organizations handling highly sensitive financial and personal data, protecting these digital assets is no longer optional; it’s the foundation of client trust and regulatory compliance.

    Tax season, in particular, has become peak hunting season for cybercriminals, with attacks on accounting firms surging as workloads increase and vigilance drops.

    The Top Cybersecurity Risks in Tax Technology

    Cybercriminals are sophisticated, targeting both large and small firms with a variety of attack vectors. Here are the most prominent risks your firm must actively defend against:

    1. Phishing and Social Engineering

    This is overwhelmingly the initial entry point for most breaches. Threat actors send deceptive emails (phishing) or use voice calls (vishing) that mimic trusted entities like the IRS, QuickBooks, or a firm executive. Their goal is to trick employees into:

    • Clicking on malicious links that download malware or ransomware.
    • Revealing login credentials or two-factor authentication codes.

    1. Ransomware and Malware

    Once an attacker gains access, often via a phishing link or an unpatched vulnerability, they can deploy ransomware. This malicious software encrypts your files and systems, holding critical client data hostage until a ransom is paid. The disruption, downtime, and cost of recovery can be catastrophic. Malware can also be installed to steal usernames, passwords, and other confidential data over time.

    1. Third-Party and Cloud Vulnerabilities

    Modern tax practices rely on a network of external services: cloud-based tax software, e-signature platforms, and managed IT services. If one of your vendors a third-party partner suffers a breach due to an unpatched system or weak security, your firm’s data can be exposed. Furthermore, misconfigurations in cloud environments remain a significant security gap.

    1. Insider Threats

    Not all threats come from outside. Insider threats stem from employees, contractors, or other personnel. This can be malicious (intentionally leaking data) or, more commonly, accidental (negligently clicking a link, using an unsafe mobile connection, or mishandling sensitive files). Given that 95% of cybersecurity breaches are reportedly due to human error, staff training is paramount.

    1. Outdated Software and Weak Access Controls

    Failing to regularly update tax software, operating systems, and network hardware leaves systems vulnerable to known exploits. Equally dangerous is a lack of strict access controls and reliance on weak passwords, which are easily guessed or compromised, giving attackers an effortless entry into your sensitive systems.

    Read more: Cybersecurity as a Boardroom Priority: Moving from IT to Strategic Risk

    How Firms Can Stay Protected: Best Practices

    Protecting client data requires a multi-layered, proactive security strategy. A single firewall or antivirus won’t cut it.

    1. Establish an Unbreakable Digital Foundation

    • Mandatory Multi-Factor Authentication (MFA): This is the single most effective defense against unauthorized access. Make MFA mandatory for all systems email, tax software, client portals, and VPNs. It requires users to verify their identity using a second factor (like a mobile code or authenticator app) in addition to a password.
    • Encrypt Everything: Ensure all sensitive data is encrypted at rest (on your servers or cloud storage) and in transit (when being sent to a client or vendor).
    • Strong Password Protocols: Enforce the use of complex, unique passwords (at least 12 characters with a mix of types) and require the use of a secure password manager for all staff.

    1. Prioritize Data and System Resilience

    The 3-2-1 Backup Rule: To mitigate the damage of a ransomware attack, you must be able to restore your data.

    • Keep 3 copies of your data (the primary and two backups).
    • Store them on 2 different types of media (e.g., local server and cloud).
    • Ensure 1 copy is kept off-site or offline (air-gapped).

    Keep Software Patched and Updated: Implement a policy for automatic, timely patching of all operating systems, antivirus software, and tax-specific applications to close known security gaps.

    Implement Role-Based Access Control (RBAC): Limit employee access to only the specific data and systems absolutely necessary for their job function. This minimizes the scope of a breach if an account is compromised.

    1. Invest in People and Processes

    • Continuous Cybersecurity Training: Since human error is the top vulnerability, frequent, mandatory training is essential. Teach employees to spot phishing, recognize social engineering tactics, and report suspicious activity immediately.
    • Due Diligence on Vendors: All third-party software and IT providers must adhere to your firm’s security standards. Conduct regular security assessments of your vendors to manage supply chain risks.
    • Develop an Incident Response Plan: No system is impenetrable. Have a comprehensive, documented plan detailing the immediate steps to take in the event of a breach, including roles, communication protocols, data recovery steps, and client notification procedures. Test this plan regularly.

    1. Maintain Compliance and Oversight

    • Security Audits and Penetration Testing: Hire third-party experts to conduct annual security audits, vulnerability scans, and simulated attacks (penetration tests) to identify and address weaknesses before criminals exploit them.
    • Formal Written Information Security Plan (WISP): Create a formal document outlining all security policies and procedures, as this is often required for compliance with industry regulations and standards.
    • By treating cybersecurity as a year-round, top-tier priority, not just a tax-season concern, your firm can build the resilience needed to protect client data, maintain trust, and safeguard your reputation in the digital age.
    • Read more: One Law, Two Scripts: Navigating the Material Discrepancies in the Nigeria Tax Act 2025 – Eben Joels
    • Conclusion
    • The stakes are too high to leave your firm’s security to chance. At Stransact Chartered Accountants, we provide specialized cybersecurity and tax technology services designed to protect your most sensitive assets. From implementing Multi-Factor Authentication and robust encryption to developing Written Information Security Plans (WISP) and conducting staff training, we ensure your firm is defended against the latest threats.
    • Do not wait for a breach to take action. Contact us today at [email protected] to schedule a security assessment and let us help you build a secure, resilient digital environment for your tax operations.
  • How Telecom Operators, Fintech and Retail Brands Can Leverage MVNO Licenses in Nigeria

    How Telecom Operators, Fintech and Retail Brands Can Leverage MVNO Licenses in Nigeria

    In 2023, the Nigerian Communications Commission (NCC) introduced a structured licensing regime for Mobile Virtual Network Operators (MVNOs) to enhance competition and expand digital inclusion. According to BusinessDay (2025), the NCC issued 46 MVNO licenses across five tiers, representing one of the most ambitious frameworks in Africa. However, as of August 2025, only two operators: Vitel Wireless and EmoSIM have commenced commercial operations. This disparity between policy ambition and market activation prompts a critical evaluation of Nigeria’s progress in telecom liberalization.

    Understanding Mobile Virtual Network Operators

    MVNOs deliver mobile services without owning radio access networks or spectrum. Instead, they lease capacity from incumbent Mobile Network Operators (MNOs) and differentiate through customer segmentation, pricing models, bundled offerings, user experience, and distribution strategies. Globally, MVNOs have demonstrated effectiveness in:

    • Stimulating innovation through niche offerings tailored to students, rural users, SMEs, travelers, and fintech-oriented customers.
    • Enhancing affordability by exerting downward pressure on retail prices and enabling targeted bundles.
    • Deepening market segmentation through localized content and flexible service plans.

    Nigeria’s Licensing Framework: A Step Forward

    The NCC’s five-tier licensing model represents a significant advancement in liberalizing the telecommunications sector. It accommodates varying degrees of operational independence, ranging from basic resellers to full-service providers with core network capabilities. This flexible structure is designed to attract a diverse array of market participants, including startups and established technology firms.

    Furthermore, the framework aligns with Nigeria’s National Broadband Plan and Digital Economy Strategy, which aim to increase broadband penetration and bridge the digital divide. In principle, MVNOs are well-positioned to extend connectivity to underserved regions and reduce data costs. The licensing tiers include:

    • Tier 1 (Reseller MVNOs): Focus on branding, distribution, and customer service, relying entirely on MNOs for network operations.
    • Tier 2 (Service Provider MVNOs): Manage customer care, billing, and select value-added services.
    • Tier 3 (Core MVNOs): Operate critical network elements such as the Home Location Register (HLR) and Home Subscriber Server (HSS), while leasing radio access.
    • Tier 4 (Aggregator/Enabler MVNOs): Aggregate network capacity and wholesale it to smaller MVNOs, reducing the need for direct MNO agreements.
    • Tier 5 (Full MVNOs): Function nearly as MNOs, operating core networks while leasing spectrum and radio access.

    Read more: International Tax Review (ITR) Ranks Stransact Chartered Accountants Among Tier-1 Firms

    The Execution Gap

    Despite a robust framework, market activation has been limited. BusinessDay (2025) reports that only Vitel Wireless and EmoSIM have launched commercially, out of the 46 licensed MVNOs. Several challenges have impeded progress:

    • Infrastructure Bottlenecks: MVNOs depend on MNOs for network access, and negotiations over pricing and service-level agreements have proven complex.
    • Market Readiness: Many MVNOs lack the technical and financial capacity to scale operations. The Nigerian market remains price-sensitive and dominated by a few major MNOs.
    • Regulatory Ambiguity: While the NCC has issued a licensing framework, there is limited clarity regarding enforcement mechanisms, dispute resolution, and consumer protection specific to MVNOs.

    Untapped Potential

    Nigeria continues to present substantial growth opportunities. Mobile internet adoption remains low, and millions of citizens are underserved or offline. MVNOs can address this gap by offering:

    • Localized propositions, including language-specific content and regionally tailored pricing models.
    • Flexible commercial models such as family wallets, shared data plans, and SME-focused bundles.
    • Embedded connectivity for fintech, edtech, and health tech applications, bundling data with essential services.

    According to Grand View Research (2025), the global MVNO market is projected to reach USD 137.31 billion by 2030, growing at a CAGR of 7.7%. Nigeria possesses the demographic and digital appetite to capture a meaningful share of this market, provided enabling conditions are established.

    Read more: Why IFRS 18 Should Be a Strategic Priority for CFOs and Financial Leaders

    Strategic Imperatives

    To realize the full potential of MVNOs, several strategic interventions are necessary:

    • Infrastructure Sharing Mandates: The NCC should enforce equitable access terms between MNOs and MVNOs to prevent anti-competitive practices.
    • Capacity Building: Technical and financial support for MVNO startups is essential to bridge the execution gap.
    • Consumer Awareness: Public education initiatives can enhance understanding of MVNO offerings and their value proposition.
    • Policy Integration: MVNO strategy should be harmonized with broader digital economy initiatives, including rural broadband expansion and financial inclusion.

    Read more: From Traditional to Digital: How Financial Services Can Thrive in the Era of Fintech

    Conclusion

    MVNO licensing in Nigeria is a commendable initiative with transformative potential. However, without effective execution, it risks becoming a missed opportunity. The regulatory framework is in place, market demand is evident, and digital inclusion remains a national priority. A coordinated effort by regulators, operators, and innovators is imperative to translate policy into tangible progress.