Risk Management

10 Cybersecurity Practices Every Tax Firm Should Run

Ten tactical recommendations that close the most realistic risk to a small tax firm, written for owners who do not have a full-time IT team. Each one is specific to tax-firm workflows and provable with artifacts a regulator would accept.

January 15, 2024 · 10 min read

Not 47 best practices. Not a 200-item checklist. The 10 things that close the most realistic risk to a small tax firm, written for owners who do not have a full-time IT team.

The 80/20 of small-firm security

Cybersecurity for accounting firms got mythologized into something that requires a security team and a six-figure budget. It does not. The realistic risk profile of a 1 to 20 person tax firm is narrow, and the controls that close it are well-understood.

These ten practices, run consistently, close roughly 90 percent of the breach scenarios a small firm actually faces. They also satisfy most of what IRS Publication 4557 and the FTC Safeguards Rule require. None of them need an in-house IT team. All of them produce evidence a regulator will accept.

1. Vet your tax software vendor's security

Your tax software is the highest-value target in your stack. It holds every Social Security number, every bank account, every dependent, every income source for every client.

Before renewal, ask for the vendor's SOC 2 Type II report and read the exceptions section. Confirm MFA is enforced (not just available). Confirm the vendor maintains a documented incident response plan and will notify you within 24 hours of any breach affecting your data. If they cannot produce those answers, your renewal conversation is also your replacement search.

2. Multi-factor authentication on everything

Email. Tax software. Practice management. Document portal. Cloud storage. Bank logins. QuickBooks. Every system that touches client data, MFA enforced, no exceptions.

Use an authenticator app (Microsoft Authenticator, Google Authenticator, Duo) rather than SMS. SMS-based MFA is vulnerable to SIM-swap attacks, which the IRS has specifically warned tax professionals about. The setup time per system is under 10 minutes. The protection is enormous.

3. Force client uploads through a secure portal

Stop accepting client documents over email. Email attachments are the leading cause of accidental client data exposure in tax firms. A secure client portal (most modern tax software includes one, and standalone options like SmartVault, ShareFile, and TaxDome are inexpensive) routes every document upload through encryption, audit logging, and access controls.

Tell clients in their engagement letter that uploads happen through the portal. Then enforce it. The first season is a small adjustment for clients. The second season they expect it.

4. Kill USB drives and removable media

Some clients still hand preparers USB drives with last year's books or supporting documents. Do not plug them in. They are a primary vector for malware, and any malware they carry can run as soon as the drive is connected.

Replace the workflow. Have the client upload to your portal, drop documents into a shared folder, or print the records and scan them yourself. The new workflow is slower for one season and safer forever.

5. Encrypt every device that leaves the office

Full-disk encryption (BitLocker on Windows, FileVault on Mac, native encryption on iOS and Android) on every laptop, desktop, tablet, and phone that touches client data. The setup is a single toggle. The default is usually off.

A laptop stolen from a car is an embarrassing mistake if the disk is encrypted. It is a reportable breach affecting every client whose data was on the laptop if it is not. The difference is one configuration setting.

6. Run quarterly phishing simulations and document the results

Phishing is the entry point in roughly 90 percent of tax-firm breaches. Annual training is the floor. Quarterly simulated phishing campaigns are the practice. Inexpensive providers (KnowBe4, Hook Security, Proofpoint Security Awareness) automate the simulations and produce reports your WISP can reference.

Anyone who fails a simulation gets a 5-minute remediation video and a flag for the next round. Repeat offenders get a one-on-one with the owner. The pattern works because it is concrete, immediate, and documented.

7. Maintain a vendor-only access list

Write down every vendor with access to your client data. Tax software, payroll, portal, cloud storage, every one. For each, document what data they touch, what their security certification is (SOC 2 Type II is the floor), and the date of the most recent agreement.

Review the list quarterly. Remove vendors you no longer use, and confirm their agreement specified data deletion at termination. The list is also the answer to the FTC Safeguards Rule's vendor management requirement.

8. Same-day offboarding

When an employee or seasonal contractor leaves, all access is revoked the same day. Email, tax software, practice management, portal, cloud storage, VPN, every system. Collect company devices the same day and give a final reminder of the confidentiality agreement they signed.

The most common breach in small firms is not an external attacker. It is a former employee whose access was never revoked and who, a year later, clicks something on a personal device and exposes their old credentials. Same-day offboarding kills that risk.

9. Replace consumer antivirus with business-grade EDR

Norton, McAfee, and Windows Defender are not adequate for a business holding client tax data. Business-grade endpoint detection and response (EDR) tools watch for behavioral patterns, not just file signatures, and they integrate with a 24/7 security operations center that responds to alerts.

For a small firm, this typically means a managed security provider who installs the EDR, monitors the alerts, and responds when something fires. The cost is $30 to $80 per device per month. The protection is qualitatively better than anything the consumer market sells.

10. Daily backups, quarterly restore tests

Every system that holds client data backs up daily, encrypted, to a destination separate from the production system. Once a quarter, restore one client's records from backup and confirm it works.

The restore test is the part that matters. Most firms have backups. Few firms have ever restored from one. The first time you find out your backups are corrupted should not be the day a ransomware attack hits.
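As an added example (not from the original post), the following POSIX shell script turns the quarterly restore test into a repeatable check that leaves a dated evidence line: it builds a backup of one client folder with a SHA-256 manifest, restores it into a scratch directory, verifies every file, and logs PASS or FAIL. The function names, the `acme-llc` client folder and its file contents are constructed; it assumes GNU `tar` and `sha256sum` and leaves out the encryption step, which depends on your backup tool.

```shell
#!/bin/sh
# Added example, not from the original post. Makes the quarterly restore test
# repeatable and leaves a dated evidence line a reviewer can read.
# Assumes GNU tar and sha256sum. Encryption of the archive itself depends on
# your backup tool and is left out here.

# make_backup <client_dir> <backup_dir>
# Hashes every file before archiving so the restore can be checked against
# known-good values, then writes <backup_dir>/<client>.tar.gz and .sha256.
make_backup() {
    src=$1; dest=$2; name=$(basename "$src"); parent=$(dirname "$src")
    mkdir -p "$dest"
    (cd "$parent" && find "$name" -type f -exec sha256sum {} + | LC_ALL=C sort -k2) \
        > "$dest/$name.sha256"
    tar -czf "$dest/$name.tar.gz" -C "$parent" "$name"
}

# restore_test <backup_dir> <client> <evidence_log>
# Restores into a scratch directory, verifies each file against the manifest,
# appends "<utc-time> restore-test client=<name> result=PASS|FAIL" to the log,
# and returns 0 only on PASS. A truncated or altered archive yields FAIL.
restore_test() {
    dest=$(cd "$1" && pwd); name=$2; log=$3
    scratch=$(mktemp -d); result=FAIL
    if tar -xzf "$dest/$name.tar.gz" -C "$scratch" 2>/dev/null \
        && (cd "$scratch" && sha256sum -c --quiet "$dest/$name.sha256" >/dev/null 2>&1); then
        result=PASS
    fi
    rm -rf "$scratch"
    printf '%s restore-test client=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$result" >> "$log"
    [ "$result" = PASS ]
}

# demo: constructed client folder (fake contents), one good restore test, then
# a deliberately truncated archive to show the corruption case is caught.
# Returns 0 when both outcomes are as expected.
demo() {
    work=$(mktemp -d); client="$work/clients/acme-llc"
    mkdir -p "$client"
    printf 'constructed 1040 worksheet\n' > "$client/1040-2023.txt"
    printf 'constructed bank statement\n' > "$client/bank-jan.txt"
    make_backup "$client" "$work/backups"
    restore_test "$work/backups" acme-llc "$work/evidence.log" || return 1
    head -c 64 "$work/backups/acme-llc.tar.gz" > "$work/t" && mv "$work/t" "$work/backups/acme-llc.tar.gz"
    if restore_test "$work/backups" acme-llc "$work/evidence.log"; then return 1; fi
    cat "$work/evidence.log"
    rm -rf "$work"
}
```

Run `demo` once to see both evidence lines; in practice, point `make_backup` at a real client folder and keep the evidence log with your WISP records.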

What this looks like in a calendar

Run as a 12-month cycle, the practices above are not overwhelming.

  • Monthly: review access list, confirm new staff onboarded with MFA, check backup logs.
  • Quarterly: phishing simulation, vendor list review, restore test.
  • Annually: WISP review and signature, training refresh, full risk assessment.
  • As-needed: incident response (rare if the rest is in place), same-day offboarding (whenever someone leaves).

A solo preparer can run this in roughly 4 hours per quarter. A 10-person firm in roughly 8 hours per quarter. Either way, the time investment is smaller than one billable client engagement, and it covers the realistic exposure.

If your current security program is shorter than this list, you have gaps. If it is longer, you may be over-engineering for the risk profile of a tax firm. The 10 practices above are the operating floor, calibrated to what actually goes wrong in the field.
