Skip to content
Answers for Tax Professionals

Don’t underestimate your data security risk

Christina Wiseman  Product Manager, Web Services & Mobile Technologies, Thomson Reuters

Trenda Hacket, CPA  Technical Tax Editor & IRS Practice and Procedures Expert for Thomson Reuters Tax & Accounting

Christina Wiseman  Product Manager, Web Services & Mobile Technologies, Thomson Reuters

Trenda Hacket, CPA  Technical Tax Editor & IRS Practice and Procedures Expert for Thomson Reuters Tax & Accounting

Hackers are aggressively targeting CPAs, but many firms still don’t believe they’re at risk for a security breach. They couldn’t be more wrong.

The Internal Revenue Service continues to launch awareness campaigns warning that hackers are specifically targeting CPAs with ever more creative and hard-to-detect scams. Despite these repeated warnings, many tax and accounting professionals – particularly those in small to midsize firms – have yet to take the most basic steps to prevent a data-security breach, even those required by law.

Since 1999, accountants have been legally required to develop and implement a written information security plan to safeguard taxpayer information. And yet, the IRS Electronic Tax Administration Advisory Committee (ETAAC) noted in June 2018 that they believe “far fewer than half of tax professionals are aware of their responsibilities under the FTC Safeguards Rule and that even fewer professionals … have implemented required security practices.”

Those who don’t have a written security plan and up-to-date security procedures are putting their livelihoods at risk. A single access point is all that criminals need to cause unimaginable havoc, and they will do anything to get it: phishing tactics, phone scams, bribery (of a disgruntled employee, say), and many other types of deception. Anyone can steal a password if it’s attached to someone’s computer with a Post-it note, and a single password is all that a malicious hacker needs to do a great deal of damage.

Furthermore, if a bad actor does infiltrate your system, they may lie low for months, gathering information – additional passwords, client data, internal communications – and waiting for the right moment to strike. On average, it takes 200 days for organizations to recognize a data breach, and by then it’s usually too late.

Don’t get fooled

When hackers target tax professionals, they are usually looking for client information they can steal and sell, or for tax returns and payroll information they can alter to divert refund money. But the most common way criminals gain access is not through some ingenious backdoor sneak attack, it’s through employees who inadvertently click on something they shouldn’t. Posing as potential clients, or as a representative from a professional accounting association or state agency, hackers flood CPA inboxes with professional-looking emails that contain a link – to a PDF, article, website or action item – that, if clicked on, downloads some form of malware or ransomware that gives the hacker unfettered access to the user’s computer. Ransomware attacks don’t target client data; instead, they lock users out of their own computer, or entire network, until the hacker’s “ransom” demands are met. More often, the malware gives the cybercriminals access to the firm’s systems, and they patiently wait to use the firm’s own network to commit their crimes.

It’s easy to get fooled. Criminals are so good at mimicking professional communications that it’s often impossible to tell whether an email is legitimate just by looking at it.

You’ve been warned. Now what?

The accounting profession already knows all of this, of course. The IRS, FTC and the Security Summit send out similar warnings every year. The real question is: Why do tax and accounting professionals continue to ignore them?

Denial is one factor. Many practitioners are aware that they have a professional responsibility to protect their client’s data, and they see the warnings, but they still don’t think it can impact them. What they often don’t know is that hackers are specifically targeting solo practitioners and small firms because their security measures are more relaxed.

The perceived cost of compliance is another obstacle. The law requires accounting firms to have a written information security plan, but many don’t have one because they think they can’t afford it. They think it’s going to cost a lot of money to do a risk assessment and create a security plan. What they don’t know is that there are numerous ways to conduct a low-cost security assessment, and many ways to improve security without breaking the bank. In fact, the IRS specifically notes on its website that “creating and maintaining a data-security plan is key. If you can afford it, contact a cybersecurity consultant. If you can’t afford a cybersecurity consultant, review IRS Publication 4557, “Safeguarding Taxpayer Data: A Guide for Your Business.”

Indeed, the IRS has developed numerous videos, webinars and articles specifically to help tax professionals understand their legal responsibilities, protect client data and avoid being victimized by scammers – all of it free. The National Institute of Standards and Technology (NIST) also has thorough cybersecurity checklists for implementing safeguards and protocols for small businesses, as do many other professional security associations.

Many firms are afraid that if they hire a security consultant, the recommended fixes will be too expensive to implement. But a basic risk assessment does not have to cost a lot, and many security improvements are easy and free. A risk assessment can start by simply identifying common vulnerabilities:

  • Who has access to the office and facilities?
  • Who works remotely?
  • How is client data transferred?
  • What password protocols is the firm using?

Often, basic security improvements are glaringly obvious. Do employees keep passwords and client information on their desk, out in the open? They shouldn’t. Do employees share client information via unsecured email? Again, they shouldn’t.

In many cases, a few simple fixes can make an enormous difference. For example, it’s estimated that a dedicated hacker can decode any random password with eight lowercase letters in about two days. Add a capital letter and an asterisk to that string, however, and it would take the same hacker more than two centuries to decode it.

Creating a culture of vigilance

For those who do have a security budget, an increasingly popular option is outsourcing the management of accounting software and client communications to a cloud-based, third-party vendor. But even that solution can lull firms into a false sense of security because it only solves the server side of the equation.

It’s understandable, though: People figure they are paying money to a vendor, so they can relax about security. And it’s true, a trusted vendor can provide many extra layers of data security – but again, in most firms the main vulnerability isn’t in the computer system, it’s the firm’s personnel. Consequently, educating and training employees about the need for strict security protocols is often the missing link in many security plans. Because no matter how secure information may be in the cloud, it is still the firm’s responsibility to manage their people, how they access the system, and how they interact with clients. Technology can only do so much; human intelligence and diligence are the secret weapons firms must employ to properly safeguard their client’s data.

Purchasing peace of mind through cyber liability insurance is also a popular option, but that too is a partial solution at best because it only provides coverage after a firm’s system has been breached and the damage has been done. One of the key benefits of a comprehensive data-security plan is that it not only establishes protocols to prevent a breach, but also outlines what to do if an attack occurs. Planning for both is important because no system is perfectly safe.

In order to protect themselves, tax and accounting professionals need to stop thinking about data security as a sunk cost and start thinking about it as necessary protection against various bad actors who are intent on doing them harm. Those on a shoestring budget needn’t despair because extensive resources are available if one knows where to look. Data security isn’t as overwhelming as it sounds, or at least it doesn’t have to be. The most important thing is to recognize the severity of the threat and take that first step.

The IRS isn’t exaggerating: Your future may depend upon it.

The IRS recommends…

…taking these internal measures to improve data security:

  • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
  • Use strong passwords of 8 or more characters, use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
  • Encrypt all sensitive files/emails and use strong password protections.
  • Back up sensitive data to a safe and secure external source not connected full-time to a network.
  • Make a final review of return information – especially direct-deposit information – prior to e-filing.
  • Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
  • Limit access to taxpayer data to individuals who need to know.
  • Check your IRS e-Services account weekly for number of returns filed with your EFIN.
  • Finally, report any data loss or theft to the appropriate IRS Stakeholder Liaison.

Learn more

Explore the complete issue and archive of Answers for Tax Professionals magazine, or visit to learn more about the world’s most innovative tax and accounting solutions.

Learn more about data security for tax and accounting firms here.

More answers