Every tax preparer in the United States — from a solo enrolled agent to a 30-person CPA firm on High Street in Hamilton, Ohio — is legally required to maintain a Written Information Security Plan. The IRS mandated it under Publication 4557, the FTC Safeguards Rule extended the obligation further, and yet a significant share of accounting practices in Butler County still operate without a documented WISP, encrypted backups, or any formal incident response procedure. That is not an oversight. It is a liability.
The IRS began enforcing WISP requirements in earnest after a wave of tax-preparer data breaches that leaked hundreds of thousands of taxpayer records. The playbook attackers use is straightforward: accounting offices hold Social Security numbers, W-2 data, bank account details, and prior-year filings for every client they serve. A single successful ransomware deployment or credential theft against a mid-size CPA firm yields more exploitable PII per intrusion than most other small-business targets. Hamilton practices running Drake Tax, QuickBooks, or Sage on workstations without endpoint detection are operating at a risk level that most of their clients would find alarming if they knew.
What the IRS Actually Requires
Publication 4557 and the FTC Safeguards Rule together define a baseline that includes: a designated information security coordinator, a written risk assessment, technical safeguards commensurate with firm size and data sensitivity, vendor oversight procedures, and an employee training program. The WISP must be reviewed and updated annually. Firms that use cloud-based tax software are not exempt — the cloud platform may handle encryption in transit, but it does not cover endpoint compromise, phishing, or insider access.
The FTC's revised Safeguards Rule, fully in effect since June 2023, added teeth: tax preparers are now classified as financial institutions under Gramm-Leach-Bliley and must implement multi-factor authentication on any system that accesses client financial data. For most Hamilton accounting firms, that means MFA on Microsoft 365, on Drake or Lacerte, on remote desktop access, and on any cloud portal used for document exchange. Firms that haven't done this audit are almost certainly non-compliant on at least one of those points.
The Specific Technical Gaps Most Firms Have
When Titan Tech assesses a typical small-to-mid accounting practice, the same gaps appear repeatedly. Workstations are running Windows Defender as the sole endpoint protection — adequate for consumer threats, insufficient for the targeted intrusion kits now deployed against professional services firms. Backup configurations exist but haven't been tested; a restore from a Veeam-protected environment takes minutes, but discovering mid-incident that backups stopped replicating six weeks ago is a different situation entirely.
Network segmentation is almost universally absent. Staff workstations, a NAS storing scanned client documents, the firm's VoIP system, and a guest Wi-Fi network all share the same flat network. A compromised laptop can traverse to the file server without restriction. In a practice running Sage 50 or QuickBooks Enterprise, the accounting database sits on that same network segment. Lateral movement from a phishing-delivered payload to a full data exfiltration can happen in under an hour on a flat network.
Titan Tech's managed IT services for accounting firms address this systematically — network segmentation, patch management cadences aligned with tax season windows, and documented change control that supports WISP compliance.
Endpoint Protection Is Not Optional for Tax Practices
Standard antivirus is not the same as endpoint detection and response. The distinction matters because the threat actors targeting CPA firms are not relying on known malware signatures — they're using living-off-the-land techniques, legitimate remote management tools, and credential-stuffing attacks against M365 tenants. SentinelOne EDR with Huntress MDR provides behavioral detection and 24/7 human-led threat hunting that catches what signature-based tools miss.
Titan Tech deploys managed cybersecurity including SentinelOne on all endpoints, Huntress for active threat response, and DNS filtering to block C2 communication and phishing domains. For accounting firms, we also layer in SIEM log retention that satisfies the IRS requirement for audit trail documentation — a single dashboard showing who accessed what client data, when, and from where.
Backup and Business Continuity in a Tax Practice Context
The calculus around ransomware recovery is different for an accounting firm than most businesses. A law firm hit in August can negotiate delays. A CPA practice hit in late March — during peak filing season — faces a choice between paying a ransom or watching clients miss deadlines with real IRS penalty exposure. That asymmetry is exactly what ransomware groups count on.
Immutable, offsite backup with tested recovery procedures is the only position that removes that leverage entirely. Titan Tech's backup and disaster recovery implementations for accounting practices use Veeam with air-gapped copies and quarterly tested restores. The WISP can document this procedure; the test logs become the evidence of due diligence.
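The failure mode described earlier (replication that silently stopped weeks ago) and the quarterly restore test can both be checked from job records. The following is an added example, not Titan Tech's tooling or anything exported by Veeam; the record fields, job names and the two-day freshness threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed job records; field names are hypothetical, not a Veeam export format.
JOBS = [
    {"job": "fileserver-offsite", "last_success": date(2025, 3, 20),
     "last_restore_test": date(2025, 1, 15), "immutable": True},
    {"job": "nas-scans-offsite", "last_success": date(2025, 2, 7),
     "last_restore_test": date(2025, 1, 15), "immutable": True},
    {"job": "sage-db-local", "last_success": date(2025, 3, 20),
     "last_restore_test": None, "immutable": False},
]

MAX_BACKUP_AGE = timedelta(days=2)         # assumption: jobs run nightly
MAX_RESTORE_TEST_AGE = timedelta(days=92)  # quarterly tested restores


def audit_backups(jobs, today):
    """Return {job name: [issues]} for every job that fails a check."""
    findings = {}
    for job in jobs:
        issues = []
        age = today - job["last_success"]
        if age > MAX_BACKUP_AGE:
            issues.append(f"no successful run for {age.days} days")
        tested = job["last_restore_test"]
        if tested is None:
            issues.append("restore never tested")
        elif today - tested > MAX_RESTORE_TEST_AGE:
            issues.append(f"last restore test {(today - tested).days} days ago")
        if not job["immutable"]:
            issues.append("copy is not immutable")
        if issues:
            findings[job["job"]] = issues
    return findings


if __name__ == "__main__":
    # Constructed "today" in late March, the peak-season case from the text.
    for name, issues in audit_backups(JOBS, date(2025, 3, 21)).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run on a schedule, the dated output of a check like this is the kind of test log the WISP can point to as evidence.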
Getting the WISP Written — and Maintained
The IRS provides a WISP template that firms can use as a starting point. The harder part is ensuring the technical controls described in that document actually exist and are functioning. A WISP that says "we use multi-factor authentication" when MFA has been disabled on a service account is worse than no WISP — it documents a compliance gap under oath. The security posture has to match the written plan, and both need to be reviewed when staff changes, software changes, or new services are added.
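One way to test whether the plan's MFA statement matches reality, covering the systems named in the Safeguards Rule discussion and the service-account case above. This is an added example, not part of the IRS template or Titan Tech's process; the CSV columns, account names and system labels are constructed assumptions.

```python
import csv
import io

# Constructed account inventory; column names are hypothetical.
INVENTORY = """system,account,type,enabled,mfa
Microsoft 365,jsmith,user,yes,yes
Microsoft 365,svc-scanner,service,yes,no
Microsoft 365,old-intern,user,no,no
Tax software,jsmith,user,yes,yes
Remote desktop,jsmith,user,yes,yes
Remote desktop,admin,user,yes,no
Client portal,jsmith,user,yes,yes
"""

# Systems on which the written plan claims MFA is enforced (constructed list).
WISP_MFA_SYSTEMS = ["Microsoft 365", "Tax software", "Remote desktop",
                    "Client portal", "Accounting database"]


def check_mfa_claims(inventory_csv, claimed_systems):
    """Return {system: (status, [accounts without MFA])} for each claimed system."""
    missing = {system: [] for system in claimed_systems}
    observed = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        system = row["system"].strip()
        observed.add(system)
        if system not in missing:
            continue  # outside the plan's MFA claim
        if row["enabled"].strip().lower() != "yes":
            continue  # disabled accounts cannot sign in
        if row["mfa"].strip().lower() != "yes":
            # Service accounts count: an exempted one still contradicts the plan.
            missing[system].append(f'{row["account"]} ({row["type"]})')
    result = {}
    for system in claimed_systems:
        if system not in observed:
            result[system] = ("no evidence", [])  # claimed but never inventoried
        elif missing[system]:
            result[system] = ("gap", missing[system])
        else:
            result[system] = ("ok", [])
    return result


if __name__ == "__main__":
    for system, (status, accounts) in check_mfa_claims(INVENTORY, WISP_MFA_SYSTEMS).items():
        print(f"{system}: {status} {', '.join(accounts)}")
```

A "no evidence" result matters as much as a "gap": a system the plan names but nobody has inventoried is a claim the firm cannot support.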
For Hamilton, Ohio accounting and CPA firms that want to close the gap — build a real WISP, implement the underlying technical controls, and stop operating on the assumption that a mid-size practice in Butler County isn't a target — contact Titan Tech for a no-cost security assessment. We work with accounting practices across Greater Cincinnati and can typically identify and prioritize the critical gaps within a single discovery call.

