5 Questions to Ask Your Accountant About Their Cybersecurity


Last updated March 10, 2026.

Your Social Security number, address, and DOB might go for a few bucks on the black market. Sadly, when sold in bundles, $2 per record is enough to bring in a legitimate cash prize for hackers—giving them ample motivation to hack into your accountant’s network.

Is your accountant as motivated to protect your information as hackers are eager to steal it? Do they have the proper cybersecurity and IT support for accounting firms?

Summary

Hackers prize accountants’ data, so it’s crucial to verify how your firm protects your information. These five questions help you assess security: secure file transfer methods; tight access controls with MFA; layered, managed network protections; frequent, verified backups; and clear, enforceable policies and training. Use the answers to gauge your risk this tax season and prompt improvements if needed.


Here are 5 questions to ask your accountant about their cyber security practices. Use them to evaluate your level of safety this tax season.

1. How will we transfer private files this year?

This basic question allows you to A.) easily initiate the conversation and B.) quickly take the temperature of your accountant’s awareness of data theft risk.

Solid answers:

  • Digital files will be emailed as encrypted and password-protected files (not using public wi-fi), or…
  • Files will be uploaded to an encrypted, password-protected online portal (not using public wi-fi), or…
  • Files will be delivered in person.

You should be concerned if you hear:

  • Email. (Simply emailing files with no encryption, even password-protected files, can be risky. If you must email, your files should be encrypted.)
  • Whatever works for you. (A security-minded CPA would have at least some suggestions to help protect you–discouraging uploading your files on an itty-bitty USB drive that you could easily misplace, for example.)

2. How many individuals have permission to view my personal information?

Employees are the primary target of hackers, whose clever phishing emails can be terabytes more successful than a brute force attack. A successful phish can result in the hacker obtaining the employee’s credentials—and gaining access to everything the employee has permission to view.

Once that occurs, it can take minutes before all of that data is copied, stolen, or altered.

To lower the potential impact of stolen or sloppy passwords (like CompanyName2017!), accounting firms should structure data so that it is accessible only to those who need it to perform their duties. Your accountant should be able to account for exactly how many people have permission to see your data.

Bonus question: Must the people who have access to my data enter more than one password (or other method of authentication) to see it? “Yes” is the answer you want to hear.

3. What types of network security have you implemented?

Find out if your CPA has implemented the following—and don’t forget to follow up by asking who is managing these things on their behalf:

  • Security awareness training for all staff
  • Firewall
  • Spam Filter
  • Anti-virus
  • Anti-malware
  • VPN
  • Regular patching
  • Host-based intrusion detection system (HIDS) or network intrusion detection system (NIDS) (more advanced)
  • Managed security services by a qualified vendor with a SOC (can be more advanced, recommended)

4. How do you back up your data?

Regular data backups are critical to ensure your information is protected in case of system failure or manipulation.

Your accountant’s data should be backed up at least once a day (more is preferred) to both cloud and physical storage devices.

Backups should also be tested regularly to ensure they’re working correctly. Ask: When was the last time you verified your backups were working?

5. May I see a copy of your documented cyber security policies?

This is perhaps the most telling question about your identity risk this tax season. Without policy documentation, there is no real way for your CPA to prove or enforce solid security practices.

If you’re able to see your CPA’s policies, look for:

  • Mandatory and paid employee security training (held at least once a year, but twice a year is preferred)
  • Social media policy and training
  • Password protocol
  • Web browsing, clicking, and download protocol
  • Patching protocol
  • How safe data handling is monitored, reported, and enforced
  • Incident response plan

It’s Worth It

You have permission to feel awesome for verifying your data is being handled correctly. After all, you’ve got a responsibility to yourself to keep cyber criminals from profiting little and costing you much. Most accountants will be happy to provide this information and to take action if they’re lacking.

If you have questions or comments about cyber security, tax season, and your business, email us!

Ross Filipek
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
