5 Cybersecurity Tips for CPAs

Every day, CPAs handle documents populated with their clients’ most sensitive personal details: names, addresses, Social Security Numbers, bank or savings account details, credit card numbers, and tax information.

These details and others are there on the paperwork that CPAs work with and store in their files. In the wrong hands, any of this information could be used for fraud and identity theft, among other crimes.

CPA firms have a responsibility to keep all this information confidential and secure, and if they fail in that duty, they may be vulnerable to legal action.

It used to be that CPAs kept their client information in physical file cabinets. Some firms still have paper files, but most CPAs have moved their files into cloud-based databases or on-premises accounting systems.

These digital systems make file discovery, review, retention, and preservation far easier than they used to be. However, they also expose CPA firms to hacks and cyberattacks.

To protect your files from hackers (and to protect yourself and your firm from lawsuits), think about implementing these cybersecurity strategies.

Get Cyber Insurance: All the cybersecurity in the world can only lessen your risk of a breach, not eliminate it entirely. If your firm is hacked and client information is compromised, you need protection.

A robust cyber insurance policy will help protect your business from multiple consequences of a hack, such as data loss, cyber extortion, and business interruption.

Perhaps most importantly, your cyber policy will act as digital liability insurance, covering legal costs related to compromised client data, as well as other expenses such as credit monitoring and computer forensics.

Protect Your Computers and Network: Don’t overlook the importance of firewall and antivirus protection.

Even if you don’t have a dedicated IT department, you need to make sure that any computer or network that is hosting client data is as protected as possible.

A firewall helps control your network traffic, while a reputable antivirus program will catch most viruses, spyware, and other malware. Neither solution guarantees 100% cyber safety, but both reduce your risk.

Educate Your Team: If you are an independent CPA, you’re in luck: you only need to educate yourself about cyber threats.

Larger firms should take the time to schedule at-work seminars that teach employees how to spot and avoid cyber threats. Most data breaches happen because an employee visits a malicious site or opens a suspicious email.

Training your team about how to recognize these risks will minimize the likelihood of someone clicking on something they shouldn’t.

Be Smart about Your Passwords: Password training should be part of your cyber threat awareness seminar. However, passwords are so important that they also deserve their own tip.

Using passwords that are easy to guess—such as default passwords (“admin,” “guest,” “password,” etc.) or obvious personal details (initials, birthdates, spouse names, etc.)—makes it all too easy for hackers to gain access to client information.

Every password on your firm’s computers and network should follow sound password practices. A mix of uppercase letters, lowercase letters, symbols, and numbers is the best practice.

Longer passwords are also better, and reusing one password for multiple sites or purposes should be avoided entirely. Following these password “rules” will help you and your fellow accountants keep everything as secure as it can be.

Establish a Mobile Device Policy: Accessing cloud databases via a mobile device is a convenient way to consult client information while on the go. Unfortunately, mobile devices are almost never as secure as an office computer—especially if they are accessing the internet via a public, unsecured network.

Every CPA firm needs to address these risks, whether that means banning the use of mobile devices for accounting system access or finding ways to secure the smartphones and tablets that are allowed to connect.

Individual CPAs and firms will have to make their own decisions here, but every firm must make some decision. Mobile devices are so commonplace today that you can’t count on your team members not to misuse them.

A cyber breach can devastate a CPA firm. Even firms that can weather the client loss and litigation that often follows a data breach might not be able to overcome the reputational damage.

As such, avoiding a hack and its consequences is always the best option. The five strategies discussed above should help your firm protect itself from hackers while also insuring you against the cyber threats that get through.

©2020 by Dawn Fotopulos