title: 7 Mistakes You’re Making with Tax Practice Security (and How to Fix Them)
description: Identify common security pitfalls in tax practices and learn actionable steps to protect client data and comply with IRS regulations.
keywords: tax practice security, cybersecurity for tax professionals, WISP, data encryption, IRS security requirements, tax software security
Tax professionals handle highly sensitive personal and financial data. This makes tax practices primary targets for cybercriminals. Federal law, specifically the Federal Trade Commission (FTC) Safeguards Rule and IRS Publication 4557, requires tax preparers to implement specific security measures. Failure to secure data can lead to legal penalties, loss of EFIN, and reputational damage.
The following sections identify seven common security mistakes and provide direct instructions for remediation.
1. Using Weak or Reused Passwords
Many tax professionals use simple passwords or the same password across multiple platforms. If one account is compromised, every account using that credential is at risk.
The Risk
Credential stuffing attacks use leaked passwords from one site to gain access to others. If your email password matches your tax software password, a single breach exposes all client files.
The Fix
Implement a firm-wide password policy requiring complex passwords.
- Use a minimum of 12 characters.
- Include a mix of uppercase, lowercase, numbers, and symbols.
- Require unique passwords for every service.
- Use a professional password manager to store and generate credentials securely.
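As an added illustration of enforcing the policy above (not code from the original article), the following Python script checks each stored credential against the 12-character and character-class rules and flags any password reused across services; the credential set is a constructed sample.

```python
import hashlib
import re
from collections import defaultdict

# Firm-wide policy from this article: 12+ characters, all four character
# classes, and a unique password for every service.
MIN_LENGTH = 12
CLASS_CHECKS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample credentials for demonstration only (not real values).
SAMPLE_CREDENTIALS = {
    "email": "Winter2024!",                        # 11 characters: too short
    "tax-software": "Winter2024!",                 # same password as email
    "client-portal": "correcthorsebatterystaple",  # long, but lowercase only
    "bank": "Tr3asury#Ledger-91",                  # meets every rule
}


def policy_violations(password: str) -> list[str]:
    """Return the rules a single password fails (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_CHECKS.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    return problems


def reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Group services by password; keys are SHA-256 digests so the report
    never echoes a plaintext password. Only groups of two or more are kept."""
    by_digest = defaultdict(list)
    for service, password in credentials.items():
        by_digest[hashlib.sha256(password.encode()).hexdigest()].append(service)
    return {d: sorted(s) for d, s in by_digest.items() if len(s) > 1}


def audit(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Per-service findings; a service with an empty list passes the policy."""
    findings = {svc: policy_violations(pw) for svc, pw in credentials.items()}
    for services in reused_passwords(credentials).values():
        for svc in services:
            others = ", ".join(s for s in services if s != svc)
            findings[svc].append(f"password reused on: {others}")
    return findings


if __name__ == "__main__":
    for service, problems in audit(SAMPLE_CREDENTIALS).items():
        print(f"{service}: {'OK' if not problems else '; '.join(problems)}")
```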

2. Neglecting Multi-Factor Authentication (MFA)
Relying solely on a password for access to tax software, email, or cloud storage is insufficient. Passwords can be stolen via phishing, keyloggers, or data breaches.
The Risk
Unauthorized users can access client data remotely if MFA is not active. The IRS now requires MFA for many professional tax software logins, but many preparers disable it where optional or ignore it on secondary accounts.
The Fix
Enable Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) on every possible account.
- Prioritize app-based authenticators (like Google Authenticator or Microsoft Authenticator) over SMS-based codes.
- Apply MFA to email accounts, tax software, and any administrative portals.
- Ensure all staff members have MFA enabled on their individual workstations and accounts.
3. Sending Unencrypted Client Data via Email
Email is fundamentally insecure. Standard email is not end-to-end encrypted: a message and its attachments can be read in transit and on every mail server that relays or stores them. Sending tax returns, Social Security numbers, or financial statements as standard PDF attachments is a significant security failure.
The Risk
Interception of unencrypted emails allows hackers to steal identities and file fraudulent returns. This also violates the TIG Tax Pros privacy policy standards and federal data protection laws.
The Fix
Stop sending sensitive documents through standard email.
- Use a secure client portal for all document exchanges.
- If email must be used, encrypt the file with a strong password and provide the password via a different communication channel (e.g., phone call or SMS).
- Ensure your firm’s services include secure file-sharing infrastructure.

4. Operating with Outdated Software
Security vulnerabilities are frequently discovered in operating systems and applications. Developers release patches to fix these holes. If you do not update your software, your system remains vulnerable to known exploits.
The Risk
Malware can automatically infect systems running outdated versions of Windows or tax preparation software. This can lead to ransomware attacks that lock you out of your firm's data.
The Fix
Automate your update processes.
- Enable automatic updates for Windows or macOS.
- Verify that your tax software, such as Unlimited Tax Software, is running the latest version before every session.
- Decommission hardware that can no longer receive security updates.
- Update browsers and PDF readers regularly, as these are common entry points for malware.
5. Lack of Employee Security Awareness Training
The human element is often the weakest link in security. Employees may inadvertently download malware or reveal credentials through phishing emails designed to look like official IRS or software provider communications.
The Risk
A single staff member clicking a malicious link can compromise the entire network. Phishing attacks specifically targeting tax pros often use "urgent" messaging regarding EFIN status or account verification.
The Fix
Conduct regular security training.
- Train staff to identify phishing red flags: mismatched URLs, poor grammar, and suspicious sender addresses.
- Establish a protocol: No employee should provide credentials or download attachments from unsolicited emails without internal verification.
- Run simulated phishing tests to evaluate staff readiness.

6. Absence of a Written Information Security Plan (WISP)
The IRS and FTC require tax preparers to have a Written Information Security Plan (WISP). Many small practices assume this is only for large firms.
The Risk
Lack of a WISP is a compliance violation. During an IRS office visit or an investigation following a data breach, the absence of this document can result in immediate sanctions and the suspension of your EFIN.
The Fix
Create and implement a WISP immediately. A compliant WISP must:
- Designate an employee to coordinate the security program.
- Identify internal and external risks to client data.
- Evaluate the effectiveness of current safeguards.
- Outline procedures for responding to a data breach.
For more information on professional requirements, see our guide on tax preparer certification in 2025.
7. Inadequate Data Backup Procedures
Practices often rely on a single backup method, such as an external hard drive or a basic cloud sync. If this single source fails or is encrypted by ransomware, the practice loses all data.
The Risk
Ransomware specifically targets backup files to ensure the victim has no choice but to pay. Without a "cold" (offline) or immutable backup, your practice cannot recover from a cyberattack.
The Fix
Follow the 3-2-1 backup rule.
- 3 copies of your data (the original and two backups).
- 2 different media types (e.g., local server and cloud storage).
- 1 copy offsite and offline (completely disconnected from your network).
- Test your backups monthly to ensure data can be successfully restored.

Summary of Infrastructure Requirements
Securing a tax practice requires a combination of hardware, software, and procedural controls. If you are starting a new practice, use a structured approach to ensure compliance from day one. You can review the essential ERO services checklist for a breakdown of necessary tools.
| Security Component | Required Action |
|---|---|
| Passwords | Use a password manager and unique 12+ character strings. |
| Authentication | Enable MFA on all professional accounts. |
| Data Transfer | Use secure portals; never send plain text SSNs via email. |
| Maintenance | Set all software and OS updates to automatic. |
| Training | Conduct quarterly phishing awareness sessions for all staff. |
| Documentation | Maintain a current Written Information Security Plan (WISP). |
| Recovery | Implement the 3-2-1 backup strategy with offline copies. |
Adhering to these standards protects your clients and ensures your practice remains compliant with IRS regulations. For more updates on tax practice management, visit our blog. If you need to upgrade your current infrastructure, explore the SaaS options available through TIG Tax Pros.
Review your current security posture against this list today. Identify which of these seven mistakes you are currently making and apply the fixes immediately to mitigate risk. Failure to act increases the likelihood of a data breach and professional liability.
