
7 Best AI Cybersecurity Solutions for Accounting Firms?

Most accounting firm owners believe their security is reasonable. Antivirus is installed, there is a firewall on the router, and the email system catches obvious spam. That setup feels like a defensible position, until you understand what attackers are actually coming for.

Your systems hold Social Security numbers, EFIN credentials, prior-year tax returns, payroll data, and banking details for every client you serve.

That is not just sensitive data. It is a ready-made identity theft package, valuable enough to fund fraudulent tax filings, loan applications, and direct bank transfers. Cybercriminals target small and mid-sized CPA practices specifically because the data density is high and the assumed security posture is weak.

The cybersecurity tools CPA firms need are not the same tools a retail business needs. The threat model is different, the compliance obligations are specific, and the consequences of a breach extend to every client whose tax data lives on your systems.

One convincing phishing email, disguised as an IRS verification notice or a software update from Intuit, can compromise a staff member’s credentials, lock the firm out of its systems during peak filing season, and trigger a federal compliance investigation before a single ransom demand arrives. Most partners only realize the exposure after an incident.

This article maps the seven cybersecurity tools and services that address the actual threats accounting firms face, aligned to specific IRS and FTC requirements. Each entry covers what it does, who it is best for, and what it costs.

Key Takeaways

  • The seven cybersecurity solutions accounting firms need are: (1) managed security services, (2) multi-factor authentication, (3) email security and anti-phishing protection, (4) endpoint detection and response, (5) backup and disaster recovery, (6) WISP compliance documentation, and (7) security awareness training. Each addresses a distinct threat vector or compliance obligation the others do not cover.

  • Accounting firms hold SSNs, EFIN credentials, payroll records, and prior-year tax returns, the complete package criminals need for identity fraud. That makes CPA practices high-value targets, not incidental ones.

  • Antivirus and a firewall do not satisfy IRS Publication 4557 or the FTC Safeguards Rule. Both federal frameworks mandate MFA, encryption, a documented WISP, employee training, and ongoing monitoring.

  • A Written Information Security Plan (WISP) is a federal legal requirement for every professional tax preparer who files electronically. PTIN renewal attestation requires confirming one is in place.

  • For firms with 2 to 20 staff and no in-house IT, an accounting-specific MSSP paired with MFA and email security covers the majority of attack vectors while satisfying core compliance requirements.

  • A fully protected five-person CPA firm typically spends between $500 and $1,500 per month across all seven layers.

Why Cybercriminals Target Accounting Firms Specifically

The IRS Identity Theft Tax Refund Fraud initiative consistently identifies professional tax preparers as a primary attack vector, with compromised preparer credentials documented as one of the most efficient paths to large-scale fraudulent filings (IRS Criminal Investigation Division, Dirty Dozen annual reports).

Compromising one preparer’s credentials gives attackers access to dozens or hundreds of client records simultaneously, a far higher return than targeting clients one at a time.

Small and mid-sized firms are specifically sought out. Attackers assume, correctly in many cases, that a five-person practice does not have the security infrastructure of a regional firm. 

Generic antivirus, consumer routers, and shared passwords are common findings in firms that have never had a formal security assessment.

What is Actually in Your Files

A complete individual tax return includes the client’s legal name, Social Security number, date of birth, employer details, banking information, and address history.

An attacker with that profile can file a fraudulent return before your client does and redirect the refund before the IRS catches it. EFIN credentials are even more dangerous, as a compromised EFIN allows fraudulent filings under your firm’s identity, which can trigger EFIN suspension and compliance investigations. Payroll records add employee SSNs and business banking details to that exposure.

This is the documented attack pattern behind confirmed preparer fraud cases reported to the IRS every year. Understanding it is the first step in allocating a cybersecurity budget that actually addresses the risk.

Accounting Firm Cyber Protection: What IRS and FTC Actually Require

Cybersecurity for accounting firms is not just an IT decision. It is a legal obligation governed by two federal frameworks and one mandatory documentation requirement. Meeting them is the floor, not the ceiling.

1. IRS Publication 4557

IRS Publication 4557 (“Safeguarding Taxpayer Data”) outlines the minimum controls required of all professional tax preparers. Compliance is a condition of maintaining an active PTIN. 

Required controls include MFA on all systems with access to taxpayer information, encrypted storage and transmission of client data, session timeouts on inactive accounts, a documented WISP, and defined incident response procedures. These are requirements, not recommendations.

2. FTC Safeguards Rule

The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act, classifies professional tax preparers as financial institutions. The updated rule, effective June 2023, requires firms to designate a Qualified Individual to oversee the security program, conduct periodic risk assessments, implement access controls and encryption, continuously monitor security controls, and provide regular employee security training.

The QI must be someone inside the firm; vendors can support that person, but the role cannot be outsourced.

3. Written Information Security Plan (WISP)

A WISP is a formal, documented policy covering how a firm collects, protects, stores, and disposes of client data. Required by federal law under IRS Publications 4557 and 5708, it must be customized to the firm’s actual systems, staff, and risk profile.

A generic template is not sufficient. PTIN renewal requires attesting that a compliant WISP is in place. Without a valid PTIN, a tax professional cannot legally file returns electronically.

The 7 Best Cybersecurity Solutions for Accounting Firms

Accounting firm data security is a layered discipline. Each of the following solution types addresses a distinct threat vector or compliance obligation that the others do not. A firm with only antivirus and a firewall has addressed one layer of a seven-layer problem.

1. Managed Security Services (MSSP)

A managed security service provider (MSSP) is a third-party company that continuously monitors a firm’s systems, detects threats, and responds to incidents, functions that would otherwise require a full in-house security team most small CPA practices cannot staff or afford.

An accounting practice without in-house IT has no one monitoring its systems at two in the morning when an automated attack begins probing for access.

A managed security service provider fills that gap: continuous threat monitoring, incident response, compliance documentation, and FTC- and IRS-aligned security management.

The key qualifier is accounting specialization. A provider unfamiliar with Drake Tax, IRS Pub. 4557, or why a ProSeries file lock error during filing season is an emergency is not positioned to protect a CPA firm effectively.

1. Verito VeritGuard

Verito is a cloud hosting and managed IT company built exclusively for tax and accounting firms. VeritGuard, its managed security service, delivers 24/7 endpoint monitoring, CrowdStrike-powered next-generation EDR, AI-driven anti-phishing email protection, and custom WISP documentation.

Verito’s Pro and Elite tiers satisfy the technical controls required by IRS Publication 4557 and the FTC Safeguards Rule, with Elite adding a 24/7 Security Operations Center and dark web monitoring.

For firms evaluating FTC- and IRS-aligned coverage options, plan details are at Verito’s managed security services page.

Best for:

Solo practitioners to mid-sized CPA firms (2–50 staff) who need end-to-end compliance without in-house IT.

Pricing:

Essentials at $79/device/month. Pro at $149/device/month (includes WISP and anti-phishing). Elite at $199/device/month (adds 24/7 SOC and dark web monitoring). A one-time setup fee of $100/device applies.

2. Corsica Technologies

Corsica Technologies offers 24/7 SOC monitoring, vulnerability management, and compliance-aligned security policies for professional services firms, including CPA practices. Its model works best for firms with 20 or more staff that have existing IT infrastructure and need a dedicated security layer added on top.

Best for:

Larger accounting firms with established IT environments seeking an MSSP overlay. 

Pricing:

Custom, requires direct consultation.

2. Multi-Factor Authentication (MFA)

MFA requires users to verify identity through at least two independent factors before accessing any system that contains client data. IRS Publication 4557 mandates it explicitly.

A firm without MFA enabled on its tax software, email, and remote access tools is non-compliant before any other vulnerability is evaluated.

1. Microsoft Authenticator and Microsoft Entra ID

Microsoft Authenticator, integrated with Microsoft Entra ID (formerly Azure Active Directory), provides MFA, conditional access, and single sign-on across the Microsoft 365 environment most accounting firms already use. Low deployment friction, no new vendor relationship required.

Best for:

Firms on Microsoft 365 that want MFA activated without a separate product.

Pricing:

Authenticator is free with Microsoft 365. Advanced Entra ID conditional access features start at approximately $6/user/month.

2. Duo Security (Cisco)

Duo adds device-trust verification to MFA: it confirms not just who is logging in, but whether the device meets the firm’s security policy. Critical for practices with remote staff or partners accessing systems from personal devices.

Best for:

Firms with distributed or remote teams needing device-level access controls.

Pricing:

Duo Essentials at approximately $3/user/month. Duo Advantage, which adds SSO and device trust, at $6/user/month; Duo Premier starts at $9/user/month.

For Microsoft 365 firms with office-based staff and low remote-access complexity, Authenticator covers the IRS Publication 4557 MFA requirement at no added cost. Add Duo when staff regularly log in from personal devices or off-network locations. 

Its device trust verification confirms not just who is logging in, but whether the device meets your security policy, a control Authenticator alone does not provide.

3. Email Security and Anti-Phishing Protection

Phishing is the most common attack vector against accounting practices. Attackers impersonate the IRS, Intuit, Drake Software, state tax agencies, and individual clients with emails that standard spam filters do not catch.

A dedicated email security layer analyzes content, links, and sender behavior before messages reach the inbox.

1. Proofpoint Essentials

Proofpoint Essentials provides AI-driven filtering, impersonation detection, attachment sandboxing, and URL rewriting. Particularly effective against Business Email Compromise attacks, which target accounting firms for fraudulent wire transfer authorization.

Best for:

Small to mid-sized CPA firms wanting enterprise-grade phishing defense without an in-house security team.

Pricing:

Contact Proofpoint Essentials’ sales team for pricing.

2. Microsoft Defender for Office 365

Microsoft Defender extends Microsoft 365 with Safe Links (real-time URL scanning at click) and Safe Attachments (sandboxed file analysis before delivery). For firms already on Microsoft 365, this is the lowest-friction path to stronger accounting firm data security.

Best for:

Microsoft 365 firms wanting deeper email protection without a new vendor.

Pricing:

Plan 1 included in Microsoft 365 Business Premium. Plan 2 at approximately $5/user/month standalone.

Microsoft Defender is the lower-friction path for firms already on Microsoft 365. No new vendor, no new contract.

Proofpoint Essentials is worth the separate relationship for firms that need dedicated BEC detection beyond what the Microsoft bundle provides, or whose compliance documentation requires a named standalone email security vendor.

4. Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) is a security tool category that monitors device behavior continuously and flags deviations from normal baselines, catching threats based on what a process is doing, not whether its file signature matches a known virus.

Antivirus matches files against known threat signatures. Ransomware operators use fileless techniques, slow staging, and behavioral camouflage specifically to avoid those signatures.

Because EDR watches behavior rather than signatures, it catches the encryption sweep that starts at 3 in the morning before it locks your client files.
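To make the signature-versus-behavior distinction concrete, here is an added example (not code from the article or from any EDR vendor it names) that runs a simple behavioral rule over constructed endpoint file-event log lines. The log format, process names, paths and the hash list are all assumptions made up for the demo; a real EDR applies far richer telemetry and baselines, but the logic of flagging a process that rewrites many client files under a new extension in a short window is the same idea.

```python
"""Toy contrast between signature matching and behavioral detection.

Added example; not the article's code and not any vendor's product logic.
Log format, process names, file paths and hashes below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per process
MIN_FILES = 15                   # distinct files rewritten inside the window
MIN_EXT_CHANGE = 0.8             # share of those files given a new extension

# Constructed "known-bad" list. The process in the sample log is not on it,
# which is exactly the gap that signature-only antivirus leaves open.
KNOWN_BAD_HASHES = {"constructed-hash-of-some-known-ransomware-sample"}


def signature_check(process_hash: str) -> bool:
    """Antivirus-style check: true only for hashes already on the list."""
    return process_hash in KNOWN_BAD_HASHES


def ext(path: str) -> str:
    """Return the file extension of a forward-slash path ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def parse_event(line: str):
    """Line format (constructed): '<iso-time> <pid> <image> <action> <src> [-> <dst>]'."""
    ts, pid, proc, action, src, *rest = line.split()
    dst = rest[1] if len(rest) == 2 and rest[0] == "->" else None
    return datetime.fromisoformat(ts), int(pid), proc, action, src, dst


def detect_encryption_sweep(lines):
    """Flag any process that rewrites MIN_FILES distinct files, mostly under a
    changed extension, within WINDOW. Returns one alert per offending process."""
    recent = defaultdict(deque)      # (pid, image) -> deque of (ts, path, ext_changed)
    alerts, flagged = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, pid, proc, action, src, dst = parse_event(line)
        if action not in ("write", "rename"):
            continue                 # reads alone never trigger the rule
        key = (pid, proc)
        q = recent[key]
        q.append((ts, src, dst is not None and ext(dst) != ext(src)))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()              # drop events outside the sliding window
        files = {p for _, p, _ in q}
        changed = {p for _, p, c in q if c}
        if (key not in flagged and len(files) >= MIN_FILES
                and len(changed) / len(files) >= MIN_EXT_CHANGE):
            flagged.add(key)
            alerts.append({"pid": pid, "process": proc,
                           "first_seen": ts.isoformat(), "files": len(files)})
    return alerts


def build_sample_log() -> list:
    """Constructed log: a benign backup agent copying 30 files (extension kept),
    interleaved with an unknown binary renaming 25 returns to '.locked' in 10 s."""
    base = datetime(2024, 3, 12, 3, 0, 0)
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} 1200 backupagent.exe write D:/Backup/Client_{i:03d}.pdf")
    for i in range(25):
        t = (base + timedelta(seconds=20, milliseconds=400 * i)).isoformat()
        lines.append(f"{t} 4410 updater.exe rename C:/Clients/Return_{i:03d}.pdf "
                     f"-> C:/Clients/Return_{i:03d}.pdf.locked")
    return sorted(lines)


if __name__ == "__main__":
    print("signature match:", signature_check("constructed-unknown-hash"))
    for alert in detect_encryption_sweep(build_sample_log()):
        print("behavioral alert:", alert)
```

The backup agent also touches many files quickly but keeps extensions unchanged, so only the renaming process is flagged; tuning the window and thresholds against a firm's real baseline is the part a vendor's EDR does for you.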

1. CrowdStrike Falcon

CrowdStrike Falcon is a cloud-native EDR platform using AI-driven behavioral analysis to detect and contain threats in real time across every endpoint in a firm’s environment. It is the endpoint protection engine underlying Verito’s VeritGuard security stack.

Best for:

Accounting firms that need enterprise-grade endpoint protection without a complex in-house EDR deployment.

Pricing:

Falcon Go starts at approximately $59.99/device/year. Managed detection available through MSSP partners.

2. SentinelOne

SentinelOne adds a patented rollback capability: if ransomware encrypts files before containment, it can restore the affected device to its pre-attack state automatically, without paying a ransom or rebuilding from scratch.

Best for:

Firms that want automated ransomware recovery with minimal manual intervention.

Pricing:

Singularity Core at approximately $69.99/endpoint/year. Advanced managed detection tiers available.

CrowdStrike Falcon is the standard for accounting-specialized MSSPs and has the broadest MSSP partner ecosystem. SentinelOne is the better standalone choice when automated ransomware rollback, reverting a device to its pre-attack state without a manual rebuild, is the primary requirement.

5. Backup and Disaster Recovery

Backup is the last line of defense, not the first. Ransomware operators target and destroy backup systems before deploying the main payload, specifically to remove the recovery option. 

A compliant backup solution must use immutable, offsite storage with no live connection to the primary network, and must guarantee a recovery time objective short enough to survive a filing deadline.

1. Datto SIRIS

Datto SIRIS provides image-based backup, offsite cloud replication, and rapid server virtualization. If a firm’s primary environment goes down, Datto can spin up a virtual server instance within minutes, keeping the firm operational while recovery proceeds.

Best for:

Firms that need guaranteed fast recovery and cannot absorb multi-day downtime during filing periods.

Pricing:

Delivered through MSP partners. Contact Datto’s sales team for more information.

2. Veeam Backup and Replication

Veeam is the industry standard for virtual machine and physical server backup, with ransomware protection through immutable repositories and secure cloud storage. 

Best for:

Firms within a managed hosting environment or those wanting an established enterprise backup standard.

Pricing:

Available through MSPs and hosting providers. Contact Veeam’s sales team for more information.

Datto SIRIS is the right choice when recovery speed is non-negotiable; spinning up a virtual server in minutes is what keeps a firm operational through a filing-season attack. Veeam is the standard for firms operating within a managed hosting environment that already provides enterprise backup infrastructure.

6. WISP Compliance Documentation

A WISP is required. Every professional tax preparer who files electronically must have a written plan customized to their firm’s actual systems, staff, and risk environment.

A downloaded template with placeholder text does not satisfy the requirement. Attesting to a non-compliant WISP at PTIN renewal does not reduce liability; it creates it.

1. Verito VeritShield WISP

VeritShield delivers a fully customized, audit-ready WISP aligned with IRS Publications 4557 and 5708. The process includes a firm-specific risk assessment, direct advisory support through the documentation buildout, and a final plan ready for PTIN renewal attestation and cyber insurance review.

The plan is customized to the firm’s actual software stack (Drake Tax, QuickBooks, Lacerte, ProSeries), staff size, and risk profile, not a generic form letter.

For VeritGuard Pro and Elite clients, VeritShield is included in the plan and the technical controls it documents are actively implemented by the same team. Note: Verito guides firms through establishing the Qualified Individual role internally, but the firm must own that designation by law.

Best for:

Any accounting practice without a current compliant WISP or whose plan has not been reviewed since the June 2023 FTC Safeguards update.

Pricing:

$999 flat fee per firm, one time. Delivered within five business days. Full plan details at Verito’s VeritShield WISP service page.

2. IRS Publication 5708 Free Template

IRS Publication 5708 provides a step-by-step WISP framework at no cost from the IRS directly. It gives smaller practices a structural starting point. 

The limitation: no advisory support, no customization, and no coverage for state-level obligations that many boards of accountancy impose on top of the federal baseline.

Firms using this route should confirm their completed plan satisfies both federal and any applicable state requirements before attesting.

7. Security Awareness Training


Technical controls block most attacks. They do not block all of them. The most effective attacks bypass technology and target people. A convincing phishing page that mirrors the IRS e-services login portal does not need to defeat your EDR. It needs one staff member to click, and without training, someone almost always does.

The FTC Safeguards Rule explicitly requires covered firms to provide security training to employees. This is a named compliance obligation, not an optional enrichment program.

1. KnowBe4

KnowBe4 runs simulated phishing campaigns against the firm’s own staff, identifies who clicks, and routes those individuals into targeted training modules. Completion rates and simulation results are tracked for compliance documentation purposes, directly satisfying the FTC Safeguards training requirement in an auditable format.

Best for:

Accounting firms that need a documented, repeatable employee training program for compliance purposes.

Pricing:

Pricing is customized based on client requirements. Contact KnowBe4’s sales team for more information.

2. Proofpoint Security Awareness Training

Proofpoint Security Awareness integrates phishing simulation into the same platform handling the firm’s email filtering, so simulated attacks mirror the actual threats currently targeting the firm in real time. One vendor, closed loop.

Best for:

Firms already on Proofpoint for email security wanting training and protection under a single relationship.

Pricing:

Bundled with Proofpoint email plans. Custom pricing based on seat count.

KnowBe4 is the standalone choice for any firm that needs an auditable, repeatable training program satisfying the FTC Safeguards Rule independently of their email security vendor. 

Proofpoint Security Awareness is the right call only for firms already on Proofpoint email, as it closes the loop between live threats hitting the inbox and what scenarios staff are training against.

Putting the Stack Together

No single solution protects against everything. EDR without MFA leaves credential theft unaddressed. A WISP without monitoring is documentation without defense. The value is in how the layers work together.

| Solution | Threat Addressed | Compliance Requirement |
| --- | --- | --- |
| Managed Security Services | All-layer monitoring and response | FTC Safeguards (ongoing monitoring) |
| Multi-Factor Authentication | Credential theft, unauthorized access | IRS Pub. 4557 (explicitly required) |
| Email Security | Phishing, BEC, spear-phishing | FTC Safeguards (access controls) |
| Endpoint Detection and Response | Ransomware, fileless malware, lateral movement | IRS Pub. 4557 (system protection) |
| Backup and Disaster Recovery | Data loss, ransomware extortion | FTC Safeguards (incident response) |
| WISP Documentation | Documentation compliance gaps | IRS Pub. 4557 and FTC Safeguards (both required) |
| Security Awareness Training | Human error, phishing susceptibility | FTC Safeguards (training requirement) |

For most CPA firms with 2 to 20 staff and no in-house IT function, the right starting configuration is an accounting-specific MSSP combined with MFA and email security. Those three layers address the majority of breach vectors and satisfy the core technical requirements of both IRS Pub. 4557 and the FTC Safeguards Rule.

WISP documentation should run in parallel regardless of which technical solutions are in place; an absent or non-compliant WISP is its own enforcement risk.

Where to Start: Priority Order for Firms with No Existing Security Program

For a CPA firm building a security program from scratch, sequence matters. Spending budget on training before the technical controls exist wastes money and does not satisfy the FTC Safeguards Rule’s intent.

Start with MFA on every system that touches client data: tax software, email, and remote access tools. It is an explicit IRS Publication 4557 requirement and the highest-impact control per dollar spent. Firms on Microsoft 365 can enable it today at no added cost.

Next, engage an accounting-specialized MSSP. This consolidates the evaluation and management of the subsequent layers and provides the continuous monitoring that neither MFA nor EDR alone delivers.

Add email security, then EDR, then immutable backup, in that order if resources require phasing. WISP documentation should run parallel from day one, not after the technical controls are in place, since PTIN renewal attestation does not wait for implementation to finish.

Security awareness training is the final layer and must be ongoing. A single annual session does not satisfy the FTC Safeguards Rule’s training requirement.

Frequently Asked Questions

1. Is antivirus enough to protect a CPA firm?

No. Antivirus addresses a narrow category of known threats but does not satisfy the monitoring, access control, documentation, or training requirements of IRS Publication 4557 or the FTC Safeguards Rule. Protecting client data at an accounting firm requires a layered stack. Antivirus is one component of one layer.

2. What does the FTC Safeguards Rule require for accounting firms?

The FTC Safeguards Rule classifies professional tax preparers as financial institutions under the Gramm-Leach-Bliley Act. The updated rule, effective June 2023, requires designating a Qualified Individual, conducting regular risk assessments, implementing MFA and encryption, continuously monitoring security controls, and providing employee cybersecurity training. Non-compliance can result in FTC enforcement and civil penalties.

3. Do accounting firms need a WISP?

Yes. A Written Information Security Plan is required by federal law for all professional tax preparers who file electronically. PTIN renewal attestation requires confirming one is in place. Filing returns without a valid PTIN is not legal.

4. How much does cybersecurity cost for a small accounting firm?

MFA costs approximately $3 to $6/user/month. EDR runs roughly $60 to $70/device/year. Email security adds $3 to $5/user/month. Managed security services range from $79 to $199/device/month. A WISP documentation service is typically a one-time fee of $499 to $999. A fully protected five-person CPA firm generally spends $500 to $1,500 per month across all layers.

5. What cybersecurity tools do accounting firms need?

Accounting firms operating under IRS Publication 4557 and the FTC Safeguards Rule need seven core layers: multi-factor authentication, email security and anti-phishing protection, endpoint detection and response, backup and disaster recovery with immutable storage, a Written Information Security Plan, security awareness training, and managed security monitoring.

MFA and a WISP are explicit federal requirements. The remaining five layers address specific attack vectors, such as credential theft, phishing, ransomware, data loss, and human error, that the compliance frameworks are designed to close but do not specify a product for.

6. How do I protect my CPA firm from ransomware and phishing?

Ransomware protection requires endpoint detection and response (EDR) on every device, not just antivirus, whose signature-based detection cannot reliably catch modern fileless ransomware. Immutable, offline backups are the essential second layer: ransomware operators typically destroy connected backup systems before deploying the encryption payload, specifically to eliminate the recovery option.

Phishing protection requires a dedicated email security platform that scans links and attachments before delivery, combined with regular staff training. One staff member clicking a convincing IRS-impersonation email is the most common documented entry point in IRS-reported preparer fraud cases.

7. What are the best managed security providers for accountants?

The best MSSPs for accounting firms are accounting-specialized: providers with engineers trained on tax software platforms such as Drake Tax, ProSeries, and Lacerte, with working knowledge of IRS Publication 4557, the FTC Safeguards Rule, and what a firm going offline during filing season actually means operationally.

Evaluation criteria should include whether 24/7 monitoring is standard, whether WISP documentation is included in the plan, and whether the provider has demonstrable experience with the specific compliance frameworks your PTIN renewal requires. A general IT provider repurposed for the accounting market cannot fully satisfy either the IRS or FTC requirements.

8. Is cybersecurity for accounting firms different from general business cybersecurity?

Yes, in two material ways. First, the data accounting firms hold, such as Social Security numbers, EFIN credentials, prior-year tax returns, and payroll records, makes them a specifically high-value target for tax fraud, not incidental victims of general cybercrime.

Second, accounting firms are subject to specific federal compliance frameworks that mandate explicit controls: IRS Publication 4557 requires MFA, encrypted storage, and a documented WISP as conditions of maintaining an active PTIN. The FTC Safeguards Rule adds a designated Qualified Individual, periodic risk assessments, and employee training.

Most small businesses face none of these specific obligations. A generic cybersecurity vendor unfamiliar with these frameworks cannot fully satisfy them.

Before spending on any of these solutions, the most useful first step is an honest assessment of your firm’s actual gaps.

A risk you have not mapped cannot be fixed, regardless of budget. Verito offers a free cybersecurity risk assessment designed specifically for tax and accounting professionals: an instant risk score, prioritized gap breakdown, no commitment required.

The firms that get breached are rarely the ones that never heard of cybersecurity. They are the ones that assumed they had already handled it.

Author

  • I am Erika Balla, a technology journalist and content specialist with over 5 years of experience covering advancements in AI, software development, and digital innovation. With a foundation in graphic design and a strong focus on research-driven writing, I create accurate, accessible, and engaging articles that break down complex technical concepts and highlight their real-world impact.
