The Uncomfortable Truth About Accounting Firms and Cybersecurity
Let’s start with what nobody likes to say out loud: accounting firms are among the most targeted types of small businesses in the country when it comes to cyberattacks. Not because accountants are careless — but because the data you hold is extraordinarily valuable to criminals. Social Security numbers, tax identification numbers, bank account information, business financial records, personal income details. A stolen credit card number sells for a few dollars on the dark web. A complete tax return? Worth dramatically more.
Because your firm might hold records for dozens or hundreds of individuals and businesses, a single successful attack doesn’t just compromise one person — it compromises everyone you’ve ever served. The FBI’s Internet Crime Complaint Center consistently identifies professional services firms — including accounting, legal, and financial advisory businesses — among the top targets for phishing attacks, ransomware, and business email compromise scams. The targeting isn’t random. It’s deliberate.
What the FTC Safeguards Rule Actually Requires of You
In December 2022, the Federal Trade Commission’s updated Safeguards Rule went into full effect for financial institutions — and the FTC’s definition of a financial institution includes tax preparers, accountants, and bookkeepers who handle non-public personal financial information. If you prepare taxes, perform bookkeeping, or provide financial advisory services, this rule applies to your practice.
The rule requires a written information security program, a qualified individual responsible for overseeing security, a risk assessment identifying reasonably foreseeable threats, and specific safeguards: encryption of customer information in transit and at rest, multi-factor authentication for accessing systems with customer data, secure disposal of customer information, and employee security training. The IRS has its own requirements under Publication 4557. Combined, these create a clear legal and ethical obligation for accounting firms. The question is not whether you should have a security program — the question is whether the one you have actually meets the standard.
Most small accounting firms I talk to have done something — they have antivirus installed, they use a password, they’re ‘pretty careful’ with email. But there’s a significant difference between having done something and meeting a compliance standard. The Safeguards Rule doesn’t ask whether you tried. It asks whether you can demonstrate you have specific controls in place.
— Graham Pearson, MBA · Ma3SP Technology · Goshen, Indiana

The Anatomy of How Accounting Firms Get Attacked
The most common attack vector targeting accounting firms right now is spear phishing — targeted emails where the attacker has done homework on your firm before sending. A spear phishing email might appear to come from one of your clients, asking you to open an attachment for their upcoming tax appointment. It might look like it’s from QuickBooks, telling you your account has been compromised. The email addresses are spoofed to look legitimate. The language sounds professional. The urgency feels real.
When someone on your staff clicks that link or opens that attachment, the attacker gains a foothold in your system. From there, they can move through your network, installing ransomware or quietly exfiltrating client data over days or weeks. By the time you realize something is wrong, the damage is often already done. Business email compromise is another major threat — an attacker uses a compromised email account to redirect tax refunds, request wire transfers, or manipulate financial transactions. These attacks have cost small businesses tens of thousands of dollars in single incidents.
What Multi-Layer Cybersecurity Actually Means in Practice
Multi-layer cybersecurity isn’t marketing language — it describes how effective security actually works. No single tool stops every threat. What stops threats is a series of overlapping defenses, each catching what the others miss. The outermost layer is email security: filtering tools that quarantine phishing attempts before they reach inboxes, combined with SPF, DKIM, and DMARC records that prevent criminals from spoofing your domain. Next is endpoint detection and response (EDR), which monitors for suspicious behavior patterns rather than just known threats.
Multi-factor authentication stops credential-based attacks even if someone obtains a username and password. Dark web monitoring watches for your firm’s email addresses and domains appearing in leaked credential databases — because when a breach happens somewhere else, those credentials can appear on the dark web within hours. And employee training is the layer most often skipped and most often exploited. Regular phishing simulations and security awareness training dramatically reduce the likelihood of a successful social engineering attack.
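To make the domain-spoofing part of the email-security layer concrete, here is an added example (not from the article or from Ma3SP) that audits a domain's SPF and DMARC TXT records the way a checkup would: it parses the record syntax from RFC 7208 and RFC 7489 and flags the settings that still let a criminal send mail as your firm. The records and domain names are constructed samples; fetching the real records over DNS (for example with a resolver library) is left out so the script runs offline.

```python
"""Audit SPF and DMARC records for settings that leave a domain spoofable.

Added example, not code from the article or Ma3SP. The sample records
below are constructed; a real audit would first fetch the TXT records
for the domain and for _dmarc.<domain> via DNS.
"""
import re

# Constructed sample records for three hypothetical firms (not real domains).
SAMPLE_RECORDS = {
    "weak-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example",
    },
    "hardened-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@hardened-firm.example",
    },
    "no-records.example": {"spf": None, "dmarc": None},
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Return a list of human-readable findings; empty means the SPF record is strict."""
    if record is None:
        return ["no SPF record: any host can claim to send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings = []
    # The 'all' mechanism decides what happens to senders not listed earlier.
    # RFC 7208: a mechanism with no qualifier defaults to '+' (pass).
    all_mech = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_mech is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders evaluate neutral")
    elif all_mech.startswith("+") or all_mech == "all":
        findings.append("SPF ends in +all: every host is authorized")
    elif all_mech.startswith("~"):
        findings.append("SPF ends in ~all (softfail): spoofed mail is marked but often still delivered")
    elif all_mech.startswith("?"):
        findings.append("SPF ends in ?all (neutral): provides no protection")
    # Only top-level terms are counted here; nested includes are not followed.
    lookups = sum(1 for t in terms[1:]
                  if LOOKUP_RE.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups: over the limit of 10, evaluates as permerror")
    return findings


def audit_dmarc(record):
    """Return a list of findings; empty means failing mail is rejected and reported."""
    if record is None:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"DMARC has a missing or invalid policy tag p={policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so abuse goes unseen")
    # Subdomain policy inherits p= unless sp= overrides it.
    sub = tags.get("sp", policy).lower()
    if sub != "reject" and sub != policy:
        findings.append(f"DMARC subdomain policy sp={sub}: subdomains can still be spoofed")
    return findings


def audit_domain(spf, dmarc):
    """Combine both audits; 'passes' is True only when neither record has findings."""
    spf_findings = audit_spf(spf)
    dmarc_findings = audit_dmarc(dmarc)
    return {"spf": spf_findings, "dmarc": dmarc_findings,
            "passes": not spf_findings and not dmarc_findings}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = audit_domain(**records)
        print(f"{domain}: {'OK' if result['passes'] else 'NEEDS ATTENTION'}")
        for finding in result["spf"] + result["dmarc"]:
            print(f"  - {finding}")
```

The softfail (`~all`) and `p=none` combination is the state many small firms are in after a migration: the records exist, so the domain looks configured, but a receiving server has been told to accept spoofed mail anyway. DKIM is not covered here because its selector-based records cannot be checked without knowing which selectors the mail provider signs with.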
What Happens When a Breach Occurs — And Why You Need a Plan Before It Does
Indiana’s data breach notification statute (IC 24-4.9) requires businesses to notify affected individuals when a breach occurs that compromises unencrypted personal information. Combined with IRS requirements for tax preparers, a breach at your accounting firm will require specific actions within specific timeframes — and being unprepared to execute those actions will compound the damage significantly. Having an incident response plan isn’t paranoia. It’s the same logic that makes you carry insurance on your building and vehicles.
Clarity Is the First Step
Ma3SP offers a free 12-point cybersecurity health checkup specifically designed for small businesses in Goshen and Elkhart County. It takes 30 seconds to book and delivers a plain-language report that tells you exactly where your firm stands — no jargon, no sales pressure, no obligation. The checkup looks at your email security configuration, MFA practices, endpoint protection, backup and recovery capabilities, network security, and current dark web exposure. Whether you work with Ma3SP afterward or not, you’ll leave with more clarity about your security posture than you have right now. For accounting firms that hold their clients’ most sensitive financial information, that clarity is a professional responsibility.