According to Sophos’s 2024 State of Ransomware in Financial Services report, 65% of financial services organizations were hit by ransomware last year. When breaches do occur, IBM’s 2024 Cost of a Data Breach Report puts the average cost in financial services at $6.08 million — 22% above the global average. And for small firms, the consequences go beyond money: lost client trust, regulatory scrutiny, and reputational damage that a one- or two-partner practice may not survive.
Accounting firms are high-value targets for a simple reason: you hold Social Security numbers, tax returns, bank account details, payroll records, and years of confidential financial history — often for hundreds of clients simultaneously. Attackers know this, and they know that tax season creates a predictable window of maximum pressure and minimum vigilance.
The federal government knows it too. That’s why accounting firms face a compliance framework that most small businesses don’t:
IRS Publication 4557 lays out the security standards every tax preparer must follow. The FTC Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires all professional tax return preparers — regardless of firm size — to maintain a Written Information Security Plan (WISP). This is federal law with enforcement mechanisms including civil penalties, loss of your PTIN, and potential criminal liability. The IRS provides a WISP template in Publication 5708, but the document must be customized to your practice, regularly updated, and actively enforced. And as of January 1, 2024, the AICPA’s revised Statements on Standards for Tax Services (Section 1.3) explicitly require CPAs to make “reasonable efforts to safeguard taxpayer data.”
For a small accounting firm in Maryland, the question isn’t whether you need managed IT. It’s which services are non-negotiable.
The Services Accounting Firms Can’t Operate Without
| Service | What It Does for Your Firm | Why It’s Essential |
|---|---|---|
| Email Security | Phishing protection, spam filtering, encryption, attachment scanning | Email is the primary attack vector. A single compromised message can expose client SSNs, tax returns, and financial records. |
| Endpoint Detection & Response | Real-time monitoring of every workstation and laptop for threats | Stops ransomware before it encrypts client files — especially critical during tax season when a lockout can mean missed filing deadlines. |
| Multi-Factor Authentication (MFA) | Requires a second verification step beyond passwords | IRS Publication 4557 recommends MFA. The FTC Safeguards Rule requires it for accessing information systems (16 CFR §314.4(c)(5)). Most cyber insurance policies mandate it. |
| Encrypted Backup & Disaster Recovery | Automated daily backups stored offsite with tested recovery procedures | Your WISP must document backup procedures. If ransomware hits during April, tested backups are the difference between recovering in hours and losing an entire filing season. |
| Patch Management | Automated updates for operating systems, applications, and firmware | Unpatched systems are the most exploited entry point. IRS Publication 4557 explicitly calls for keeping software current. |
| Security Awareness Training | Regular staff training on phishing, social engineering, and safe data handling | Required as part of your WISP. According to Verizon’s 2024 DBIR, 74% of breaches involved a human element. |
| 24/7 Network Monitoring | Continuous surveillance of servers, firewalls, routers, and traffic | Your WISP must include monitoring and detection capabilities. Threats don’t wait for business hours. |
| Access Controls | Role-based permissions limiting who can access which client files | The FTC Safeguards Rule requires limiting access to authorized personnel only. Seasonal staff and departing employees create risk if permissions aren’t managed. |
What This Looks Like in Practice
Helen Nelson, a CPA and longtime ForeverOn client, described what managed IT means for her practice: “I’ve been working with ForeverOn Technology for years, and have always been very satisfied with the IT services they provide. As a CPA, I work with financial information for many clients, and good security and backup of all my information is an absolutely crucial element for my clients. ForeverOn has also been very helpful with wireless networking and helping me out whenever I have any kind of IT issue.”
That phrase — “an absolutely crucial element for my clients” — gets at what makes accounting firms different from most small businesses. Your clients aren’t just trusting you with a transaction. They’re trusting you with their Social Security numbers, their bank accounts, their entire financial identity. The security of that data is the foundation of the client relationship — and a WISP-documented managed IT program is how you prove it’s protected.
Where Firms Fall Short — And What Closes the Gap
| What the Regulation Requires | Where Firms Typically Fail | What Managed IT Does |
|---|---|---|
| Designated security coordinator (FTC Safeguards Rule §314.4(a)) | No one is formally assigned. A partner “handles IT” with no documented authority or security training. | Your MSP serves as your outsourced security team or provides vCISO guidance so the designated person has real support. |
| Written, current WISP (IRS Pub 4557; FTC Safeguards Rule) | No WISP exists, or it’s a generic template downloaded years ago and never updated. | Your MSP builds and maintains your WISP based on your actual environment and updates it as your firm and threats change. |
| MFA on all information systems (§314.4(c)(5)) | No MFA on email, tax software, or cloud storage. Staff use passwords only. | MFA deployed and enforced across all systems that touch client data. |
| Encryption at rest and in transit (§314.4(c)(3)) | Files sent via unencrypted email. Laptops with client data have no drive encryption. | Full disk encryption on all endpoints. Encrypted email and secure client portals for document exchange. |
| Tested backup and recovery (IRS Pub 4557) | Backups run but haven’t been tested for successful restore. Nobody checks completion logs. | Automated daily backups with monitored completion, offsite redundancy, and scheduled recovery testing. |
| Employee security training (§314.4(e)) | One-and-done training, or none. No phishing simulations. Seasonal staff get no security onboarding. | Ongoing training with simulated phishing, quarterly refreshers, and documented completion for your WISP. |
| Vendor oversight (§314.4(f)) | No review of cloud tax software, payroll providers, or IT vendor security practices. | Your MSP evaluates vendor security and documents oversight procedures in your WISP. |
| Monitoring and incident detection (§314.4(c)(6)) | No monitoring. Breaches go undetected for weeks or months. | 24/7 network monitoring, endpoint detection, and alerting. |
| Access controls (§314.4(c)(1)) | Former employees and seasonal staff still have active credentials. | Role-based access, automated deprovisioning, and regular audits. |
| Incident response plan (§314.4(h)) | No written plan. No one knows who to call or what to report. | Documented playbook including FTC notification requirements, IRS reporting, and client communication protocols. |
If You Do Nothing Else: The Minimum Compliant Stack
Every accounting firm subject to IRS Publication 4557 and the FTC Safeguards Rule must have:
✅ A designated security coordinator with documented authority
✅ A Written Information Security Plan — customized, current, and enforced
✅ Multi-factor authentication on all systems accessing client data
✅ Encrypted, tested backups with verified recovery procedures
✅ Endpoint monitoring on every device that touches client files
✅ Annual employee security training with documented completion
If any of these are missing, your firm is not compliant — regardless of whether you’ve experienced a breach.
See Where You Stand
ForeverOn Technology Solutions has been providing managed IT services to accounting firms, law offices, and professional practices in Hagerstown, Frederick, and the surrounding Maryland region since 2002. If you’re not sure whether your firm’s current IT meets the standard the IRS and FTC expect, we’ll show you exactly where you stand.
Request a Free Security Assessment or call us at (301) 739-7311.