Preparing a Cybersecurity Plan for the 2025 Tax Season

Accountants and CPAs are routinely entrusted with the sensitive data and personal information of their clients, and every year around this time that information is sent, exchanged, handled and otherwise potentially exposed to bad actors – often without much thought given to the risks involved. Even with cyberattacks continuing to grow more frequent and becoming cleverer, finance professionals in firms of all sizes are responsible for preventing unauthorised access to that information and protecting their clients’ (as well as their own) interests. David Trapp, CEO of ArmorPoint, advises.

Fulfilling that obligation starts with establishing comprehensive cybersecurity best practices – including securing work devices, data and premises, while also administering ongoing employee awareness training and advising clients on cybersecurity threats and risk-avoidance steps.

David Trapp

CEO of ArmorPoint

Cyber Threats Don’t Wait for Your Slow Season

Cybersecurity is a year-round concern that requires vigilance no matter the time, day or date on the calendar. However, financial organisations may be particularly vulnerable during tax season, when more data is typically being handled than at any other time of the year and when accountants and CPAs are at their busiest. Although cybersecurity may feel like an additional burden during these periods, failing to strengthen and maintain your firm’s data protections leaves the door open to significant risk – and the potential to make a stressful time far more harrowing.

Most financial professionals don’t moonlight as cybersecurity experts, which can make data threats and the responsibility of protecting client information a daunting prospect. Because cyber threats are always changing and growing more sophisticated, partnering with a cybersecurity consultant and perhaps employing a security operations center (SOC) is one solution for staying a step ahead and putting a plan in place in the event of a data-breach incident. 

To begin the process of establishing cybersecurity best practices at a financial firm with tax season on the horizon, consider the following factors: 

  • Device security 
  • Mobile device management and encryption 
  • Secure file-sharing, backup and data recovery 

Device Security

Work computers, phones, storage media and network hardware are all targets for cybersecurity attacks. Employees should be instructed to view and share materials with client information only on and through work devices, and those devices – including hard drives and USB drives – should be encrypted to prevent data loss and theft.

Endpoint security software such as antivirus, anti-malware and intrusion detection should be installed on all company devices that access firm networks and client data.

Firms should always consider creating separate networks for employees and clients to avoid the risk of unauthorised access between the two. Strong passwords and segmentation of the wi-fi network are common best practices. Additionally, hiding the guest network’s SSID (network name), blocking guest access to printers and other devices and creating a separate access point from the firm’s main employee network add further layers of protection.

Mobile Device Management and Encryption

One of the best steps a financial firm can take to thwart information theft is implementing mobile device management (MDM) solutions to ensure that company-issued mobile devices remain secure. With a private, secure portal, firms can minimise risk via a controlled, encrypted environment for file sharing. Access controls provide additional protection, allowing firms to control who has access to what with permission settings. Many portals log network activity, providing an audit trail that can help identify cybersecurity weaknesses and bad actors while aiding in recovery should an incident occur.

Secure file-sharing, backup and data recovery

Any file-sharing discussion for financial firms should start with email. Both employees and clients should be strongly advised about best practices in this area. Email is a poor choice for the exchange of sensitive financial documents and a primary target for phishing. An employee or client with no ill intent may accidentally open malicious attachments or click on links in well-disguised phishing emails. Email size limits may also push a client towards insecure workarounds (unencrypted file-sharing services or splitting documents across multiple emails) that are inherently risky.

Beyond email protections, firms should use data loss prevention (DLP) tools such as secure file-sharing platforms and encrypted email for internal and external communication to protect sensitive data from being extracted from the network without proper clearance. If all else fails, a data backup and recovery plan can help keep business operations on track and control damage after an adverse event. 

Financial Firms Cybersecurity Best Practices Review

Securing company devices and networks and protecting client information require a combination of technology, policies and training. Access controls, encryption and data backups are must-haves, as are – to varying extents – physical security measures. Employees and clients should be advised and regularly updated on cybersecurity threats and risk-prevention best practices. Plenty of steps can be taken by a tech-savvy financial firm or its IT department to improve cybersecurity systems, but consideration should also be given to working with experts to build a reliable, evolving security programme that provides an organisation and its clients with lasting peace of mind.