Accounting Firms

Q: What cybersecurity regulations apply to accounting firms?
A: Accounting firms, especially those offering tax preparation or financial advisory services, are considered part of the financial services sector for purposes of data security regulation. The FTC’s Safeguards Rule (under the Gramm-Leach-Bliley Act) explicitly applies to professional tax preparers and many CPA firms. This rule requires firms to implement a written security plan and a set of safeguards (like risk assessments, access controls, encryption, etc.) to protect client information. In practical terms, if you prepare tax returns or provide bookkeeping, you are required to follow these regulations similarly to a bank or investment firm. The IRS also expects compliance with its guidelines – for example, IRS Publication 4557 outlines steps tax professionals must take to safeguard taxpayer data, and IRS regulations mandate having an information security plan as part of being an authorized e-file provider.

Beyond those, your firm may need to comply with state data protection laws or breach notification laws. Nearly all states have laws requiring businesses to notify affected individuals (and sometimes attorneys general) if certain personal data is lost in a breach. Some states, like California (with CCPA/CPRA), have broader privacy requirements that could affect larger accounting firms or those handling consumer data at scale. If your accounting practice has any clients from the European Union or you handle data of EU residents, the GDPR would impose strict rules on how you store and use that personal data (for instance, requiring consent for use, honoring the right to deletion, etc.). Even if GDPR doesn’t directly apply, its principles are a good benchmark for data privacy practices.

Additionally, accounting firms affiliated with or auditing publicly traded companies might indirectly be touched by the Sarbanes-Oxley (SOX) requirements for internal controls. While SOX is aimed at the audited company, not the auditor, your firm will be concerned with demonstrating high integrity and security of work papers and communications. Also, the AICPA and state Boards of Accountancy expect CPAs to maintain confidentiality – failing to protect client information could potentially lead to ethics charges or liability. In summary, the key regulations to be aware of are the FTC Safeguards Rule/GLBA, IRS data protection requirements, any relevant state or international privacy laws, and adhering to professional standards on confidentiality. It sounds like a lot, but most of these overlap on the same fundamental point: you must actively protect client information through documented policies and technical safeguards.

Q: How can we protect our clients’ financial data from breaches?
A: Protecting client data comes down to implementing multiple layers of security, both technical and procedural. Here are some of the most effective measures:

• Use strong authentication and access controls: Make sure that each staff member has their own unique login credentials for systems, and use strong passwords. Enable multi-factor authentication wherever possible (for email, cloud accounting software, remote logins, etc.) so that even if a password is stolen, an attacker can’t get in without the second factor. Also apply the principle of least privilege – each employee should only have access to the client files and systems they truly need for their work.
• Encrypt sensitive data: Encryption ensures that even if someone gains unauthorized access to a file or database, they can’t read the data without the encryption key. Use encryption for data at rest (for example, enable encryption on laptop and server hard drives, so if a device is stolen the data isn’t exposed). Also encrypt data in transit – if you need to send tax returns or financial statements to a client, use an encrypted email solution or a secure client portal rather than regular email. Many accounting software packages offer built-in encryption for backups and archives – make sure those features are turned on.
• Keep systems and software updated: Regularly install updates and patches for your office computers, servers, and any applications you use. This includes your operating systems (Windows, for instance), tax preparation software, accounting software, PDF readers, and even things like your office router’s firmware. Software updates often fix security vulnerabilities, so staying up-to-date closes doors that hackers might exploit. Where feasible, turn on automatic updates. For things that can’t auto-update, designate someone to check for updates on a schedule (e.g., weekly or monthly).
• Use security software and firewalls: Every device in your firm (PCs, laptops, servers) should be protected by reputable antivirus/anti-malware software. Modern endpoint protection can catch and block many malware attacks, including ransomware, before they execute. Also, ensure you have a properly configured firewall for your office network. The firewall can prevent unauthorized inbound connections and can be set to block known malicious outbound traffic as well. Many small businesses use the firewall that comes with their broadband router, but often a business-class firewall appliance provides more advanced threat protection features. Combining a good firewall with endpoint security and email spam filtering greatly reduces your exposure to threats.
• Establish clear policies and train your team: Sometimes the non-technical steps are just as important. Create a basic cybersecurity policy for your firm – it should cover things like acceptable use of the firm’s computers, rules for handling client data (e.g., “always use the secure portal for sending files”), requirements for using strong passwords, etc. Then train your staff on these rules and general security awareness. Make sure everyone knows how to spot a phishing email. A common example: an email might appear to come from a client or a partner asking you to click a link to view a document, but the tone or details seem off. Staff should be encouraged to double-check suspicious requests (maybe call the client to verify) and report anything odd to whoever manages IT.
• Plan for the worst (incident response): Even with good protections, no system is 100% safe. It’s wise to have a simple incident response plan so you know what to do if a breach is suspected. For example, if a staff member mistakenly sends a file to the wrong email, or clicks on malware, what’s the protocol? Typically, it would involve containing the issue (disconnecting an infected computer from the network, etc.), investigating what happened, informing affected clients if necessary, and improving controls to prevent a repeat. Having this plan thought out in advance and a relationship with IT experts who can help will significantly reduce the impact of any breach.

By implementing these measures, you create multiple hurdles for an attacker or a data thief. Most breaches in small firms occur not because of ultra-sophisticated hackers, but due to easily preventable lapses (like an employee being phished or using an old computer with no patches). Cover those basics diligently, and your clients’ data will be significantly safer.

Q: Our employees sometimes work remotely. How can we keep data secure when staff are accessing client information outside the office?
A: Securing remote work for an accounting firm involves extending your office’s security controls to wherever your employees are working. Here are some best practices to achieve that:

• Use a secure connection (VPN or cloud workspace): If employees need to access files on the office server from home or a client’s site, they should be doing so over a virtual private network (VPN) connection or a secure cloud desktop environment. A VPN creates an encrypted tunnel from the remote computer into your office network, preventing eavesdropping. It also allows you to enforce that all remote access goes through a central point (the VPN server) that you control. Alternatively, some firms use cloud-hosted desktops or applications (for example, hosting QuickBooks or tax software in a secure cloud service), which users then log into via the internet. In such cases, make sure that the cloud service itself has strong security (MFA logins, etc.). The key is not to let employees just connect over the open internet to sensitive systems – always have a secure gateway.
• Ensure remote devices are secured: If employees use laptops or home computers for work, those devices need to be as secure as your office PCs. That means they should have up-to-date antivirus protection, firewalls enabled, and the latest software patches. Ideally, your firm would provide company-managed laptops to remote workers, where you (or your IT provider) can control the security settings and updates. If staff are using personal devices, it’s a bit trickier – you should at least establish a policy that their device must have a supported OS, be password-protected, have antivirus, and not be shared with others while work data is on it. You might also consider using remote desktop software, so they’re actually just viewing a session on an office PC from home, rather than storing data on their personal machine.
• Leverage cloud solutions wisely: Many accounting applications are moving to the cloud (e.g., Xero, QuickBooks Online, practice management software, etc.). Cloud solutions can actually enhance security for remote access, because the cloud provider will handle a lot of security on their end. However, you must configure them correctly. Make sure each user has their own login (no shared accounts) and enable multi-factor authentication on these cloud accounts if available. Also use the access controls the software provides – for example, limit who can see which client data within the application based on role. And remind employees that just because work is in the cloud doesn’t mean they can slack off on local security: they should still be careful about where they log in (avoid using public Wi-Fi without a VPN, for instance).
• Protect data in transit and in public spaces: When working remotely, employees might sometimes need to work from coffee shops, airports, or client offices. Public Wi-Fi networks can be risky because others on the network could potentially snoop on traffic. Using a VPN whenever on a public network is highly recommended. Additionally, employees should be mindful of their physical surroundings – e.g., not leaving a laptop unattended, and being careful that someone isn’t looking over their shoulder at confidential information. It sounds basic, but accountants dealing with sensitive data should be cautious in public settings. There are also privacy screen filters for laptops that can make it harder for someone nearby to read the screen.
• Have a remote work policy: Clearly communicate guidelines for remote work security to your team. The policy can include things like: always connect through VPN, do not download files to unapproved devices, report any lost or stolen device immediately to the firm, etc. If employees are using USB drives or external hard drives for backup when remote, those should be encrypted. And any paperwork with client data that is taken off-premises needs to be secured or disposed of properly. Essentially, extend the same level of care and procedure you use in the office to any location.

By taking these steps, you can enable the flexibility of remote work without compromising client data. Many accounting firms successfully operate with remote staff or multiple offices by using centralized, secure systems and vigilant policies. Entre can assist in setting up things like business-grade VPNs or cloud desktops and in training your staff on safe remote computing, ensuring that your data remains just as safe as if everyone were in one building.

Q: We are a small firm without an internal IT department. How can we manage cybersecurity effectively?
A: Being a small accounting firm doesn’t mean you can’t have good cybersecurity – it just means you have to be strategic and perhaps leverage external resources. Here are a few approaches:

• Use managed security services or an IT partner: One of the most effective ways for a small firm to handle cybersecurity is to outsource to specialists. Hiring a full-time IT security professional might be beyond your budget, but you can contract a managed service provider (MSP) like Entre to take care of it at a fraction of the cost. An MSP can set up and monitor your firewalls, keep your systems updated, manage backups, and respond to any incidents. They can also provide help desk support for everyday tech issues. This way, you get the benefit of a whole team’s expertise while paying only a predictable monthly fee, rather than trying to do everything yourself. Essentially, it’s like having a part-time CIO and security team on call. Given the increasing cyber threats, many small firms find this to be a worthwhile investment that saves them money (and stress) in the long run by preventing costly breaches or downtime.
• Implement cloud-based security tools: If outsourcing isn’t an option, there are still various user-friendly security tools designed for small businesses. For example, you can use cloud-managed endpoint protection – these are services where the antivirus/anti-malware on your computers is centrally managed through a web dashboard. Even without an IT person on staff, these dashboards are usually pretty intuitive and send you alerts if any device has an issue (like an infection or outdated software). Similarly, services like Microsoft 365 or Google Workspace for email include built-in security (spam filtering, phishing protection, etc.) that you should take full advantage of by using their recommended settings.
• Follow a checklist or framework: In absence of an internal expert, let a proven framework guide you. Earlier we mentioned IRS Pub 4557 or the Safeguards Rule requirements – those can act as a checklist. Even basic ones like “install updates, use antivirus, enable MFA, do backups, train employees” – make a list and ensure each item is addressed. The IRS and FTC actually provide small firms with helpful templates and guidance; for example, the FTC has a Safeguards Rule compliance guide that breaks down exactly what measures to put in place. You can self-audit against these guides periodically to see where you stand.
• Educate and assign roles: In a small firm, everyone might wear multiple hats. You may not have a dedicated IT person, but perhaps one of the partners or a trusted staff member can be designated as the point person for technology (even if it’s not their full-time job). That person can be responsible for liaising with outside IT vendors, keeping track of software licenses, and making sure backups are running. Invest in a bit of training for them – for instance, have them attend a webinar or two on small business cybersecurity or send them to a local workshop. When the whole team is small, each person’s vigilance matters. So foster a culture where people report odd computer behavior, double-check email requests for wire transfers, and are generally mindful of security. In a way, a small tight-knit team can sometimes be even better at this because communication is direct and quick.
• Budget for the basics: Allocate some budget to essential security tools or upgrades each year. It might be tempting to squeeze an old PC or server to save money, but using outdated tech can increase your risk. Plan to replace equipment before it becomes end-of-life (for example, if a PC can’t run the latest security updates, it’s time to budget for a new one). Also, consider cyber liability insurance – many insurers provide it for small professional firms relatively inexpensively. While insurance isn’t prevention, it can provide financial protection and access to resources if a breach occurs.

In summary, even without an IT department, a small accounting firm can achieve strong cybersecurity by being proactive, using outside help when needed, and keeping everyone in the firm informed and responsible. It’s a bit like doing taxes – not every individual knows how to do it, which is why they hire an accountant; similarly, don’t hesitate to hire IT expertise for your firm’s own needs. The cost of doing nothing (in terms of a potential breach and its fallout) can far exceed the cost of implementing basic protections now.

Q: How can a managed IT service benefit an accounting firm?
A: A managed IT service (or managed security service) can be extremely beneficial to an accounting firm, providing several advantages:

• Expertise on Demand: By subscribing to managed IT services, you gain access to a team of IT professionals with a broad range of skills – including cybersecurity, networking, cloud computing, and software support. Accounting firms often use specialized software (tax prep programs, accounting software, database systems) and having experts who understand how to secure and maintain those can be invaluable. Instead of hiring one person who can’t be an expert in everything, you have a pool of experts available when you need them. For example, at Entre we have technicians well-versed in data security, and others who know server infrastructure, so collectively we can handle whatever issue or project you have.
• Proactive Maintenance and Fewer Disruptions: Managed service providers operate on a proactive model. That means we’re not just waiting for something to break – we actively manage and monitor your systems to prevent problems. This results in fewer disruptions for your firm. Software patches get applied on schedule, hardware health is tracked, and potential problems (like a failing hard drive or a malware intrusion) are flagged early. For an accounting firm, this translates to more consistent uptime, which is especially crucial during deadlines like tax season. It also frees you from the headache of remembering tasks like renewing antivirus subscriptions or checking backups; the MSP handles all that in the background.
• Enhanced Security and Compliance: A managed IT provider will implement a suite of security measures for you – firewall management, spam filtering, endpoint protection, etc. They also keep up with the latest threats and can adjust your defenses accordingly. For instance, if a wave of phishing targeting CPA firms emerges, your provider might tighten email filters or send out an alert to be cautious. Additionally, providers like Entre stay informed about relevant compliance requirements (we know about GLBA, IRS rules, etc., as discussed). We can help ensure your firm meets those requirements through the IT practices we put in place. Essentially, we act as guardians of your data, continuously watching and improving your security posture.
• Cost Efficiency: Hiring, training, and retaining in-house IT staff is expensive, especially for a small firm. Managed services are typically offered at a fixed monthly rate, which often ends up being more affordable than even a part-time IT employee – and certainly less than the cost of a major security incident or extended downtime. Moreover, MSPs often have partnerships with software and hardware vendors, which can sometimes mean cost savings on licenses or equipment for you. With a managed service, your IT costs become predictable and usually lower on average than a break-fix model (where you only call when something’s wrong, which can lead to big surprise expenses).
• Focus on Core Business: Perhaps one of the biggest benefits is peace of mind and the ability to focus on what you do best. As an accounting firm, your core business is providing accounting and advisory services, not fiddling with servers or worrying about the latest Windows vulnerability. When you have a reliable IT partner, you can trust that aspect of your operations to run smoothly. You and your staff don’t have to lose productive hours trying to troubleshoot Wi-Fi issues or virus scans – you just call your MSP and they take care of it. This reduction in distraction can improve your firm’s overall productivity and allow your team to devote their time to high-value client work.