Cybersecurity has become a pressing concern for businesses across all industries, including accounting firms. The sensitive financial and personal data held by CPAs and accounting firms make them prime targets for cyberattacks. This makes it crucial for them to not only be well-versed in cybersecurity best practices but to actively coach their clients and team members on these best practices as well.

In this guide from Harness Tax, we’ll explore why cybersecurity is increasingly important in the accounting industry, delve into the types of cybersecurity risks, and offer a set of best practices for risk management. We’ll also discuss how CPA firms can implement and maintain robust cybersecurity measures.

Table of Contents

  1. Why Cybersecurity Matters in Accounting
  2. The Many Different Types of Cyber Threats
  3. A Cybersecurity Checklist for CPAs and Accounting Firms
  4. Running a Modern Accounting Firm with Harness Tax

Why Cybersecurity Matters in Accounting

Cyberattacks can have lasting and detrimental impacts on accounting firms, and the threat only continues to increase. According to a 2023 report from the Deloitte Center for Controllership, 34.5% of surveyed executives reported “that their organization’s accounting and financial data was targeted by cyber adversaries.” In fact, cybersecurity has become such an important issue for the accounting industry that, starting in 2024, the CPA exam will include a new section specifically focusing on information systems and controls, ensuring all new accountants have the technological knowledge needed to properly protect sensitive information.

The Financial Impacts of Cyber Attacks

The financial repercussions of cyberattacks are escalating at an alarming rate. According to Statista, the average data breach at an American company in 2023 caused nearly $9.5 million in damages. And by 2025, cybercrime is projected to cause global damages amounting to $10.5 trillion annually. For accounting firms, these figures are not just statistics; they represent a real and present danger that could significantly impact your bottom line and client trust.

Average cost of a data breach in the United States from 2006 to 2023 (in million U.S. dollars). Source: Statista


A Competitive Advantage

In today’s competitive landscape, robust cybersecurity is not just a cost center—it’s a strategic advantage. A 2017 survey by PwC revealed that 85% of consumers would switch to a competitor if they felt their data was being handled more securely. For accounting firms, this means that investing in top-notch cybersecurity measures can not only differentiate you from competitors, it can also help you attract new clients who prioritize data security.

Building Trust with Clients

Trust is the cornerstone of any successful accounting practice, and a cyber attack against your tax firm can put your client relationships in jeopardy. A study from Centrify found that 65% of consumers lose trust in a business that experiences a data breach. By investing in robust cybersecurity, you’re not only protecting your business–you’re protecting your reputation.

Business Continuity

Cybersecurity is not just about data protection; it’s also about ensuring the uninterrupted operations of your accounting firm. A single cyberattack can cripple your operations, leading to costly downtime and reputational damage. By implementing strong cybersecurity measures, you ensure that your services remain uninterrupted, and that even during the busy season, your tax firm remains operational.

The Many Different Types of Cyber Threats

Understanding the diverse landscape of cyber threats is crucial for building and maintaining a robust security posture. In the accounting industry, where sensitive personal and financial information is the lifeblood of your business, you must be prepared for a variety of risks.

Phishing Attacks

A phishing attack occurs when a cybercriminal pretends to be someone else in an attempt to obtain valuable information from you. Within accounting, an example of a phishing attack could be an email that appears to have been sent to you by the IRS, asking you to click a link and provide personal information. Phishing can also take the form of a text message or even direct mail, and it’s important to closely examine any messages before clicking any links or providing any sensitive information.

A phishing email claiming to be from the IRS


Malware, Ransomware, and Viruses

Malware is malicious software developed by cybercriminals to steal data and/or damage, destroy, or take control of a computer or computer system. One of the many ways that a computer can be infected with malware is through a phishing attack. One example of a malware attack in the accounting industry is from 2019, when Wolters Kluwer suffered a ransomware attack that shut down its systems, including CCH Axcess, leaving many accountants unable to work until the outage was resolved.

Insider Threats

An insider threat is a cyber attack that originates from within your company. In such cases, an employee, contractor, or other individual with access to company systems either knowingly or unknowingly engages in activities that compromise confidential information. Insider threats happen all the time, and while they can be honest mistakes, they can just as easily be completely intentional.

Understanding the various types of cyber threats is the first step in creating a robust cybersecurity strategy for your accounting firm. From phishing and malware to insider threats, each threat requires a unique set of defensive measures. By staying informed and vigilant, accounting firms can better protect themselves and their clients from the ever-evolving landscape of cyber threats.

A Cybersecurity Checklist for CPAs and Accounting Firms

It can be difficult to know where to start when creating a cybersecurity plan, especially if you lack firsthand experience in that field. To help you get started, we’ve put together a checklist of best practices to help you build a strong cybersecurity posture for your accounting firm.

  1. Assess Your Current Cybersecurity Posture: Before implementing new security measures, understand your existing vulnerabilities. Conduct a risk assessment, review access controls, and ensure compliance with industry standards. Regularly update this assessment to stay ahead of emerging cybersecurity risks.
  2. Educate Your Clients: In a service-based industry such as accounting, your clients need to be just as security-conscious as you. Avoid sending and receiving financial data and other sensitive information over email whenever possible, and encourage your clients to take a closer look if an email, text message, or other request for personal information looks suspicious. And encourage your clients to use strong passwords and multi-factor authentication on all their financial accounts.
  3. Use Strong Passwords, and Never Share Them: In 2023, there is no excuse not to use strong passwords. Google Chrome and Apple’s Safari web browsers both have built-in password generators and password managers, and there are numerous paid options for password managers as well. Additionally, ensure you change the passwords for your computers, phones, and other devices, too–not just for your online accounts. Finally, use multi-factor authentication whenever possible to prevent any unauthorized access in the event that your password ends up in the wrong hands.
  4. Secure Client Communications: Choose a secure client portal that integrates with your existing cloud accounting software. Make sure the portal uses end-to-end encryption and multi-factor authentication to ensure the confidentiality and integrity of your communications.
  5. Implement Regular Software Updates: Enable automatic updates for all your software to ensure you’re protected against known vulnerabilities. Regular updates not only fix security flaws but can also add new features and improve performance.
  6. Establish a Data Backup Protocol: In accounting, there is no room for error when it comes to maintaining accurate records. Cyber attacks and other disasters can cause data loss, and it is important to be prepared at all times. While external hard drives can provide a simple solution, consider a cloud-based service that will regularly and automatically back up your devices, ensuring you have the paper trail and backups you need to stay operational and protected.
  7. Train Your Employees: Stress the importance of cybersecurity with your employees and team members, and consider making cybersecurity awareness training a mandatory part of onboarding.
  8. Secure Your Vendor Relationships: Regularly assess the security measures of your software and platform providers to ensure they maintain appropriate levels of protection for your clients’ data.
  9. Monitor and Review: Conducting regular cybersecurity assessments will help you identify vulnerabilities and potential threats. Use an established framework, such as the SOC for Cybersecurity or the AICPA Cybersecurity Risk Management Reporting Framework, to guide your assessment process.

Implementing these best practices will not only help you meet AICPA and other regulatory requirements but also provide a solid foundation for a cybersecurity strategy tailored to the unique needs of your accounting firm. Regularly updating and reviewing this checklist will ensure that you stay ahead of emerging cybersecurity risks, safeguarding both your practice and your clients.


Running a Modern Accounting Firm with Harness Tax

Harness Tax understands the importance of cybersecurity in the accounting industry. Our holistic platform is designed to help solo CPAs and accounting firm owners run a modern tax practice by providing access to leading practice management software, in-house operational support, and marketing and sales support.

As cyber threats continue to evolve, accounting firms must stay ahead of the curve to protect both their clients and their business. With Harness Tax, you’ll have the tools and support you need to build a secure, efficient, and user-friendly accounting practice.

Interested in joining Harness Tax? Schedule a call with our team today.

Tax services provided through Harness Tax LLC. Harness Tax LLC is affiliated with Harness Wealth Advisers LLC, collectively referred to as “Harness Wealth”. Harness Wealth Advisers LLC is an internet registered investment adviser. This should not be considered tax or legal advice. Please consult a tax and/or legal professional for advice specific to your individual circumstances.