Why accounting firms are targets
Attackers don't pick targets by size. They pick by what a breach is worth, and a CPA firm is unusually rich for its footprint. In one small office you have Social Security numbers, dates of birth, bank-account and routing numbers, brokerage details, payroll data, and a year-by-year financial portrait of every client. That is a complete identity-theft and fraud kit, multiplied by your entire client list.
Two things make it worse. First, accounting firms move money and authorize transactions — which makes them a natural fit for wire-fraud and invoice schemes. Second, the calendar. For four months a year your team is heads-down, working long hours under deadline pressure, processing a flood of email from clients and the IRS. Urgency plus volume is precisely the environment social-engineering attacks are built for.
The threats that actually hit accounting practices
- Business email compromise (BEC). An attacker gets into a mailbox, or convincingly spoofs one, and inserts themselves into a real conversation about a payment, a refund, or updated banking details. The tell is almost always a change: new account numbers, a new reply-to address, or a request to skip the usual approval. BEC is consistently one of the highest-loss categories in the FBI's IC3 reports, with losses measured in billions of dollars a year, and accounting workflows are the textbook setting for it.
- Ransomware during busy season. Timing is the leverage. Locking up a firm's files in mid-March, with returns due, turns "we'll restore from backup" into "we'll pay to make this go away." Tested backups that the attacker cannot reach (offline, or on immutable storage that the firm's own admin credentials cannot delete) are what take that leverage away.
- Credential phishing. Fake Microsoft 365 or tax-portal logins harvest passwords. Without multi-factor authentication, one harvested password is full mailbox access — and the start of the BEC above.
- Client-data theft. Even without ransomware, quietly exfiltrated client PII becomes fraud, fraudulent returns filed in your clients' names, and a breach-notification obligation that lands on your firm.
What good IT support covers for a CPA firm
The baseline isn't exotic, and most of it is inexpensive relative to a single incident:
- MFA on everything: email, the tax software, the document portal, remote access, and banking. This is the single highest-impact control and the one most firms only half-finish. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) at least for email and admin accounts; SMS codes and push prompts can be relayed in real time by a phishing page that sits between the user and the real login.
- EDR with monitoring, not legacy antivirus. Endpoint detection and response watches behavior and is backed by a team that can act at 2 a.m. Signature antivirus alone no longer clears the bar — your cyber-insurance carrier likely already requires EDR.
- Email security that catches impersonation, not just spam — the layer that blunts BEC and credential phishing.
- Encrypted devices and mobile management. Laptops leave the office during busy season. Most state breach-notification laws exempt data that was encrypted, so full-disk encryption means a lost laptop is a lost laptop, not a reportable breach, provided the recovery key was not lost with it and you can show from device management that encryption was enforced.
- Backups you have actually restored. A backup that has never been test-restored is hope, not a plan. The restore is the test: on a schedule, restore a sample of client files and, periodically, a whole server or workstation, confirm the tax software opens the restored data, and record the result.
- A secure client file exchange — a portal, not email attachments — so SSNs and returns aren't sitting in inboxes.
- Tax-software environment ownership. Whether you run UltraTax, Lacerte, CCH, ProSeries, or Drake, someone needs to own its updates, performance, and backups — not just the hardware it runs on.
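The "catches impersonation, not just spam" layer above, and the BEC pattern described earlier, come down to a handful of header checks that a busy-season inbox never makes by hand. The script below is an added example, not code from the original page or from any product it mentions: it parses a few constructed messages with Python's standard `email` module and flags a protected display name arriving from an outside domain, a lookalike of the firm's domain, a Reply-To that points somewhere other than the sender, and payment-change wording on top of any of those. The firm domain `example-cpa.com`, the partner names, the sample messages and the keyword list are all assumptions made for the illustration.

```python
"""Header-level impersonation checks of the kind an email-security
layer applies before a message reaches a busy-season inbox.

Added example, not code from the original page.  FIRM_DOMAIN,
PROTECTED_NAMES, PAYMENT_WORDS and the sample messages are constructed
for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-cpa.com"            # assumed firm domain
PROTECTED_NAMES = {"jane doe", "sam lee"}  # assumed partner display names
PAYMENT_WORDS = ("wire", "routing", "updated bank", "new account", "remit")

# Digit-for-letter swaps commonly used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = FIRM_DOMAIN) -> bool:
    """True if `domain` resembles `target` without being `target` itself."""
    if domain == target:
        return False
    # Undo the usual tricks: 0->o, 1->l, rn->m, vv->w.
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    if norm == target:
        return True
    # Same first label with a different TLD (example-cpa.co), or one or
    # two characters off (exampel-cpa.com), also counts.
    if domain.split(".")[0] == target.split(".")[0]:
        return True
    return _edit_distance(domain, target) <= 2


def check_message(raw: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()

    findings = []
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom != FIRM_DOMAIN:
        findings.append(f"display-name spoof: '{from_name}' sent from {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"lookalike domain: {from_dom} resembles {FIRM_DOMAIN}")
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {_domain(reply_addr)}")
    # Payment wording alone is normal for a CPA firm; combined with a
    # header anomaly it is the BEC pattern.
    if findings and any(w in text for w in PAYMENT_WORDS):
        findings.append("payment-change language present; treat as probable BEC")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane@example-cpa.com>
To: staff@example-cpa.com
Subject: Q1 estimates

Estimates are uploaded to the portal.
"""

CLIENT = """From: Pat Rivera <pat@rivera-holdings.example>
To: staff@example-cpa.com
Subject: W-2 question

Can you confirm which W-2 you still need from me?
"""

SPOOF = """From: Jane Doe <jane.doe@exarnple-cpa.com>
Reply-To: jane.doe@mail-relay.example.net
To: ap@example-cpa.com
Subject: Updated bank details for the Acme refund

Please wire the refund to the new account, details attached.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("client", CLIENT), ("spoof", SPOOF)):
        print(label, check_message(raw) or "clean")
```

A real gateway layers SPF, DKIM and DMARC alignment on top of these checks and keeps a learned list of who normally writes to whom; this example shows only the header logic, and a clean result still does not replace the phone call to a known number before anyone changes a client's bank details.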
The written plan the IRS now expects
Here's the part most small firms miss: a security plan is no longer optional. Under the FTC Safeguards Rule, which implements the Gramm-Leach-Bliley Act, tax and accounting firms are treated as "financial institutions" and must maintain a Written Information Security Plan (WISP). IRS Publication 4557, "Safeguarding Taxpayer Data," spells this out alongside its "Security Six" basics, and the annual PTIN renewal now asks paid preparers to acknowledge that data-security responsibility.
A real WISP names a responsible person, documents a risk assessment, lists the specific safeguards you've implemented, and shows that staff are trained. The value isn't the document — it's that writing it forces you to confirm the controls above are actually in place. If an examiner, an insurer, or a client asked to see your plan tomorrow, could you produce one that's true?
What to look for in a provider
Most general IT shops can manage your laptops. Fewer understand an accounting practice. Before you sign:
- Ask for a guaranteed response time, and confirm it holds during their busy periods, not just yours.
- Confirm they'll help build and maintain your WISP, not just hand you a template.
- Make sure they have experience with your tax software and treat it as part of the environment.
- Ask how they handle busy-season change freezes — a good provider doesn't push risky changes the week before a deadline.
The right setup should feel like a quiet partner: the deadlines get met, the client data stays protected, and you have one number to call when something looks wrong.
