Cybersecurity Mistakes Accounting Firms Keep Making (And How to Fix Them)
Tax season brings a predictable surge in phishing emails targeting accounting professionals. The messages look like client requests, IRS notifications, or software update alerts. They are crafted specifically for firms that handle sensitive financial data under deadline pressure, because attackers know that pressure creates mistakes.
But phishing campaigns are only one piece of a much larger problem. Accounting firms sit on some of the most valuable data in any local economy: personal tax returns, business financials, payroll records, banking credentials, and Social Security numbers for thousands of clients. That makes them a high-priority target year-round, not just in April.
The firms that get breached are rarely the ones that ignored cybersecurity entirely. Most of them had something in place. The problem is that what they had was not enough, and in several cases, it was giving them a false sense of protection that made them less cautious than they should have been.
This article covers the cybersecurity mistakes that show up most frequently in accounting environments, why each one carries more risk than it appears, and what a real fix looks like in practice.
Mistake One: Treating Antivirus as a Complete Security Solution
Antivirus software has its place. It catches known malware based on recognized signatures and provides a baseline layer of protection that every device should have. What it does not do is protect against the full range of threats that accounting firms face today.
Modern attacks increasingly rely on fileless techniques (malicious scripts and built-in administrative tools rather than a dropped executable), credential harvesting, and social engineering, none of which produce a file signature for antivirus to match. An attacker who gains access through a compromised password or a manipulated employee does not need to install anything on your systems. They log in through a legitimate access point, using a legitimate account, and can operate quietly for weeks before anyone notices.
Firms that rely on antivirus alone and believe their security posture is covered are, in practice, operating with a significant gap between their perceived protection and their actual exposure. Modern threat defense is layered: endpoint detection and response (which watches process and account behavior, not just files), email filtering, DNS protection, and network and log monitoring. The caveat is that each of these layers generates alerts, and an alert nobody reviews is not a control. Someone, in-house or at a provider, has to be responsible for triaging them.
Mistake Two: No Multi-Factor Authentication on Client-Facing Portals
Client portals have become a standard part of accounting operations. They allow firms to share documents, collect signatures, and exchange sensitive files without relying on email attachments. They are also a direct entry point to some of the most sensitive data your firm manages.
If a staff member's portal credentials are compromised through a phishing email or a data breach at another service where they reused the same password, an attacker with those credentials can access every document in that portal. Client tax returns. Business financials. Bank statements. Without multi-factor authentication, the only barrier between an attacker and that data is a username and password.
The IRS requires MFA for tax professionals accessing certain federal systems, and the amended FTC Safeguards Rule, which applies to firms handling consumer financial data, requires multi-factor authentication for any individual accessing any information system that holds customer information unless the firm's designated Qualified Individual has approved an equivalent control in writing. Beyond compliance, MFA is simply one of the most effective controls available for preventing unauthorized access. Enabling it on every external-facing system your firm uses is not optional at this point. One caveat: not all MFA is equal. Codes delivered by SMS or a one-time-code app can still be relayed by a phishing page that asks for the code in real time, so where a portal supports authenticator-app push with number matching, or hardware security keys, prefer those over text messages.
Mistake Three: Sharing Credentials Among Staff
This one is common in smaller firms and almost always starts as a practical convenience. A shared login for the document management system. A single admin password that three people know. A client portal account that gets handed off when someone is out of the office.
Shared credentials eliminate accountability. When something goes wrong, and eventually something will, the audit log shows only that the shared account did something; there is no way to determine which person was at the keyboard, whether the access was legitimate or malicious, or whether the password had leaked to someone outside the firm. Shared accounts also tend to be exempted from MFA because a second factor cannot be shared conveniently. And when a staff member leaves, revoking their access means changing a password that several other people know, which in practice is often postponed or skipped.
Every staff member should have their own individual credentials for every system they access. Access should be tied to their role and revoked immediately upon departure. Where a system genuinely offers only one account, treat that password as a privileged secret: store it in a password manager with per-user access, and rotate it whenever anyone who knew it leaves. This is not bureaucracy. It is the baseline of a defensible security posture.
Mistake Four: Keeping Client Data Longer Than Necessary
Accounting firms accumulate data over years of client relationships. Old tax returns, historical financial statements, documents from clients who left the practice a decade ago. Much of this data sits in folders on a server or in cloud storage, never accessed, never reviewed, never deleted.
Every piece of client data your firm holds is data that could be exposed in a breach. Retaining records beyond your legal or contractual obligation does not serve your clients. It expands your liability. A data minimization policy, one that establishes clear retention schedules and enforces deletion of records that no longer need to be kept, reduces the blast radius of any future incident. Retention obligations do exist (preparers must keep a copy or list of the returns they prepare for three years under IRC section 6107(b), for example), so the schedule should be built from those obligations, not from the habit of keeping everything.
This is also increasingly relevant from a regulatory standpoint. State-level privacy laws are expanding across the country, and the FTC Safeguards Rule requires covered financial institutions, which includes many accounting firms, to have policies governing the handling and disposal of customer information.
Mistake Five: No Written Information Security Plan
The FTC Safeguards Rule requires firms that qualify as financial institutions under the Gramm-Leach-Bliley Act to maintain a written information security program. Many accounting firms that fall under this requirement either do not have a written plan or have one that has never been updated since it was drafted.
A written information security plan is not a compliance checkbox. It is the document that defines who is responsible for security in your firm, what controls are in place, how risks are assessed, and how incidents are handled. Firms that have gone through the process of creating one, and keeping it current, tend to have a clearer picture of where their actual gaps are.
If your firm does not have a current written security plan, that gap is worth addressing before a regulator or a breach forces the conversation.
Mistake Six: Assuming a Breach Would Be Obvious
Many business owners picture a cyberattack as something dramatic and immediately visible. Systems go down. Files disappear. A ransom message appears on screen. Some attacks do look like that. Many do not.
Credential theft and data exfiltration can happen quietly over an extended period. An attacker with legitimate access credentials can move through your systems, copy files, and observe activity without triggering any visible alarm. By the time the breach is discovered, the attacker may have had access for weeks or months.
This is why continuous monitoring matters. Not periodic reviews. Not occasional check-ins. Ongoing visibility into what is happening on your network and in your cloud services, which accounts are active and from where, what data is moving and in what volume, and whether any of that behavior departs from the normal pattern for that user. Two prerequisites are easy to miss: the logs have to exist in the first place (portal and cloud audit logging is often off or retained for only a few days by default), and someone has to be responsible for looking at what the monitoring flags. Without that visibility, you are relying on luck to catch a quiet intrusion.
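The following is an added example, not code from the original article or from Entre. It shows, on constructed document-portal audit logs, the kinds of checks that continuous monitoring performs for the quiet-intrusion patterns described in this section and for the shared-credential problem in Mistake Three: the same account logged in from two different addresses at once (a shared password in use, or a stolen one), a user pulling far more files per hour than normal, and logins outside business hours. The log format, field names, thresholds, and every line of sample data are assumptions made for the example; a real deployment would read the audit export of whatever portal the firm uses and derive the thresholds from each user's own history.

```python
"""Flag quiet-intrusion patterns in document-portal audit logs.

Added example with constructed data. Assumed log format, one event per line:
    2024-03-12T09:15:02 user=jsmith event=login ip=203.0.113.10
    2024-03-12T09:16:40 user=jsmith event=download ip=203.0.113.10 file=acme/2023-1120.pdf
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are placeholders for the example; tune them from real history.
SESSION_WINDOW = timedelta(minutes=30)  # logins this close together are "concurrent"
BULK_WINDOW = timedelta(hours=1)
BULK_THRESHOLD = 10                      # more downloads than this per hour is abnormal
BUSINESS_HOURS = (7, 19)                 # 07:00-19:00 local time; outside is off-hours


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def overlapping_logins(events):
    """Same account logged in from two different IPs within SESSION_WINDOW.

    Either two people are using one shared password at the same time, or the
    password has been stolen and the attacker is using it alongside the owner.
    """
    findings = set()
    logins = defaultdict(list)
    for e in events:
        if e.get("event") == "login":
            logins[e["user"]].append(e)
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > SESSION_WINDOW:
                    break
                if first["ip"] != later["ip"]:
                    findings.add((user, first["ip"], later["ip"]))
    return sorted(findings)


def bulk_downloads(events):
    """Users who pulled more than BULK_THRESHOLD files in any sliding BULK_WINDOW.

    Returns {user: peak_count}. Bulk pulls of client returns are the classic
    exfiltration signal that no antivirus will see.
    """
    findings = {}
    downloads = defaultdict(list)
    for e in events:
        if e.get("event") == "download":
            downloads[e["user"]].append(e["ts"])
    for user, times in downloads.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BULK_WINDOW:
                start += 1
            count = end - start + 1
            if count > BULK_THRESHOLD:
                findings[user] = max(findings.get(user, 0), count)
    return findings


def off_hours_logins(events):
    """Logins outside BUSINESS_HOURS, as (user, timestamp, ip) tuples."""
    low, high = BUSINESS_HOURS
    return [(e["user"], e["ts"].isoformat(), e["ip"]) for e in events
            if e.get("event") == "login" and not (low <= e["ts"].hour < high)]


def run_checks(text):
    events = parse_log(text)
    return {
        "overlapping_logins": overlapping_logins(events),
        "bulk_downloads": bulk_downloads(events),
        "off_hours_logins": off_hours_logins(events),
    }


# Constructed sample: jsmith's account is used from two addresses five minutes
# apart, then the second address pulls twelve client returns in eleven minutes;
# mlee logs in at 02:13; kpatel is a normal user.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-12T09:15:02 user=jsmith event=login ip=203.0.113.10",
        "2024-03-12T09:20:11 user=jsmith event=login ip=198.51.100.7",
        "2024-03-12T02:13:45 user=mlee event=login ip=192.0.2.44",
        "2024-03-12T10:00:00 user=kpatel event=login ip=203.0.113.10",
        "2024-03-12T10:05:00 user=kpatel event=download ip=203.0.113.10 file=acme/2023-1120.pdf",
    ]
    + [f"2024-03-12T09:{21 + i:02d}:00 user=jsmith event=download ip=198.51.100.7 "
       f"file=client{i:02d}/2023-1040.pdf" for i in range(12)]
)

if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

On the sample, the overlapping-login check attributes jsmith's two addresses to one account, the bulk check reports a peak of 12 downloads in an hour for the same user, and mlee's 02:13 login is flagged as off-hours. None of these is proof of compromise on its own; the point is that each one is a question a human should ask the account owner the same day, which is only possible if the logs are collected and someone is reading the output.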
What a Better Approach Looks Like
The accounting firms that manage cybersecurity well are not necessarily the largest ones. They are the ones that have made a deliberate decision to treat security as an ongoing operational responsibility rather than a one-time setup.
That means working with an IT partner who understands the specific compliance obligations that apply to firms handling consumer financial data, who actively monitors the environment rather than responding only when called, and who can help the firm navigate the gap between where their security posture is today and where it needs to be.
Entre works with accounting firms across Montana, Idaho, Washington, and Wyoming to build IT and cybersecurity programs that address exactly these gaps. If you are not confident your current setup would hold up against a targeted attack or a regulatory review, their cybersecurity services are a practical place to start that conversation. For firms that want a faster read on where they stand, the IT and cybersecurity readiness quiz takes a few minutes and surfaces the gaps most accounting practices do not know they have.
The firms that avoid serious breaches are not the ones that got lucky. They are the ones that stopped treating security as something to revisit later.