Cybersecurity in 2025: Why Your CPA Firm Needs a Formal Security Plan

In my decades of working with CPA firms, one troubling constant has always been present: while firms are well-versed in protecting client financial data through traditional means, many still lack a formal security approach.
Despite mounting evidence to the contrary, many professionals continue operating under three dangerous assumptions:
- “My small to mid-sized firm isn’t an interesting or big enough target.”
- “My off-the-shelf antivirus is enough.”
- “My IT person has security handled.”
All three assumptions are wrong.
Accounting firms are increasingly targeted specifically for their access to tax applications and data, which can be quickly monetized by hackers. Plus, hackers know many accountants maintain a somewhat lackadaisical attitude toward security, making them prime targets.
The Security Blueprint Every Firm Needs
When you renew your PTIN, you confirm awareness of your "legal obligation to have a data security plan." This Written Information Security Plan (WISP) isn't just regulatory compliance—it's your firm's roadmap for protecting sensitive information.
What Does a Comprehensive WISP Include?
A comprehensive WISP needs to include several key components to ensure complete protection of sensitive information. Completing a compliant WISP is a feat that most firms, in my experience, would not be able to manage on their own unless they have a dedicated IT department.
For this reason, my recommendations vary by your firm’s staffing demographics.
Firmographics Should Determine Your WISP’s Development
Solo practitioners and small firms
External expertise is essential, as developing a compliant plan requires specialized knowledge most small practices lack.
Mid-sized firms with IT support
Your current IT provider may assist with gathering information, but unless they specialize in accounting firm security compliance, supplemental expertise may be necessary.
Larger firms with dedicated tech teams
Internal resources might suffice, but expect a multi-week development process with mandatory annual reviews and updates.
One Wrong Click Undermines Even the Best Safeguards
The most sophisticated technical safeguards can be undermined by a single staff member clicking a malicious link. Effective security requires both technological and human components working in concert.
Beyond documenting training required in your WISP, I recommend signing up with a security program that’s CPA-specific.
How to Bolster Your Human Defenses
Look for a provider offering:
- Scenario-based learning modules relevant to accounting practices.
- Simulated phishing campaigns mimicking threats CPAs would see.
- Regular updates on emerging tactics targeting financial professionals.
- Clear incident response protocols for potential breaches.
Schedule security refreshers regularly and strategically, and increase their frequency during vulnerable periods (such as tax deadlines) when attackers capitalize on practitioner stress.
Creating a Culture of Protection
While no security approach guarantees absolute protection, combining technical measures with ongoing education dramatically reduces vulnerability. The most resilient firms integrate security awareness into their professional culture rather than treating it as a separate IT function.
Begin by assessing your current security posture, identifying gaps between regulatory requirements and existing practices, and developing a prioritized implementation roadmap. Remember that security is not a destination but a continuous process requiring regular attention and adaptation.
COCPA members: Get help developing your WISP and learn more about CPA-tailored security solutions.
Rightworks, a COCPA Preferred Partner, empowers clients to run a modern business via its award-winning and secure intelligent cloud, Rightworks OneSpace. Author Roman H. Kepczyk, CPA.CITP, CGM, is the Director of Firm Technology Strategy, and partners exclusively with accounting firms on production automation, application optimization, and practice transformation. For more information, visit their webpage.