
CPA and EA firms are entrusted with some of the most sensitive financial and personally identifiable information (PII) an individual or business can possess. Because this data is highly lucrative to identity thieves, federal regulators treat cybersecurity failures as strict compliance failures rather than simple technical oversights.
The IRS, along with the Federal Trade Commission (FTC), expects all tax professionals, regardless of whether they work in solo or multi-partner firms, to maintain basic, enforceable protections for client repositories. The technical baseline for these expectations is known as the IRS "Security Six."
While many accounting firms can easily draft internal behavioral policies, the true challenge lies in executing, monitoring, and demonstrating that these technical controls work consistently over time. Let's break down what the Security Six technical protections actually require and how to operationalize them across your practice.
The IRS "Security Six" Safeguards Explained
1. Antivirus / Endpoint Protection
Every workstation, server, and endpoint that accesses or stores client data must run continuously updated security software. Traditional antivirus software blocks known malicious files, but modern threat environments demand advanced Endpoint Detection and Response (EDR). With EDR in place, a laptop on which a malicious script runs can be automatically isolated and the infection contained before it spreads laterally through the office network.
2. Firewalls
A firewall forms a secure barrier between your private internal network and the public internet. While your operating system contains a basic built-in software firewall, your office network requires a professionally configured and maintained hardware firewall. This blocks unauthorized external connection attempts, monitors inbound and outbound data transfers, and closes ports that are not required for your daily business operations.
3. Two-Factor Authentication (2FA / MFA)
Passwords alone are entirely insufficient to stop modern cyber threats. Multi-factor authentication requires an individual to verify their identity using at least two factors: something they know (a password) and something they possess (a physical token or a secure code generated by an authentication app). Under the FTC Safeguards Rule, MFA is mandatory for anyone accessing systems that contain customer information, including your email, cloud tax software, and client portals.
4. Backup Software and Data Recovery
The IRS emphasizes that backups are your single best line of defense against devastating ransomware attacks. However, a backup system that is continuously connected to your primary network can be encrypted by hackers alongside your live data. Your backups must be encrypted, automated, and stored in a secure, isolated off-site or offline location. Furthermore, federal guidance requires periodic verification and testing of your restore capabilities; backups that exist but fail to restore do not meet compliance expectations.
5. Drive Encryption
If a team member's laptop is left in a vehicle, lost while traveling, or stolen from an office, a login password alone will not stop a malicious actor from removing the hard drive and reading the data on it. Drive encryption encrypts everything stored on the drive, rendering it unreadable to anyone who does not hold the decryption key. Enforcing full-disk encryption across all business endpoints ensures client PII remains protected even if physical security fails.
6. Virtual Private Network (VPN)
With remote work and hybrid scheduling common among modern accounting practices, secure remote access pathways are critical. A VPN creates a secure, encrypted "tunnel" for transmitting data over public or unmanaged home networks back to your office network. Allowing staff to connect via default, unprotected Windows Remote Desktop Protocol (RDP) without a secure VPN or MFA is one of the leading causes of catastrophic, EFIN-suspending ransomware attacks.
Compliance is a Shared Responsibility
Navigating the intersection of tax law and corporate network security can be overwhelming for a busy tax practice. It is important to understand that compliance is a shared framework, not an outsourced checklist.
Your accounting firm owns the administrative safeguards: creating internal policy expectations, setting rules of staff behavior, and enforcing password discipline. A Managed Service Provider (MSP) like LaunchIT operates alongside your firm to manage, enforce, and log the complex technical controls that enable those expectations to be functional, repeatable, and auditable.
Partnering with an IT team that thoroughly understands IRS expectations allows you to turn compliance from a stressful annual project into an invisible, highly resilient operational system.
Want to cross-reference your current network safeguards against official federal data guidelines?
LaunchIT has simplified the administrative burden for tax professionals.
- Download the official IRS WISP Publication 5708 Guide and the official Safeguarding Taxpayer Data Guide.
- Evaluate Your Strategy: If you want to see how budgeting for specialized IT protection fits your business model, check out our upfront managed IT services pricing and use our interactive pricing calculator.
- Don't wait for a compliance audit to catch a technical gap. Schedule a free consultation with our certified compliance specialists today to review your current posture.