
The IRS “Security Six”: What They Are & How to Implement

IRS requirements for client data protection are just the beginning. Learn how the IRS Security Six serve as essential cybersecurity rules for firms.


Last Updated September 25, 2025



Key Takeaways

  • The IRS Security Six are mandatory cybersecurity requirements for all tax professionals handling taxpayer data
  • All six controls must be implemented to comply with IRS Publication 4557 guidelines
  • Non-compliance risks fines up to $100,000 per violation, legal action, and loss of client trust
  • While these six controls form the foundation, comprehensive security requires ongoing commitment beyond minimum requirements

Assuming you’re secure and actually meeting IRS requirements are two very different things. The IRS Security Six provides the framework for genuine protection, and after years of helping accounting firms navigate cybersecurity challenges, we have seen these requirements prove to be essential safeguards, not mere suggestions.

In this post, we’ll break down exactly what the IRS Security Six requirements are, why they matter to your practice, and how to implement them.


What Is the IRS Security Six?

The IRS Security Six are mandatory cybersecurity requirements outlined in IRS Publication 4557 that all tax professionals must implement to protect taxpayer data. These six controls—antivirus software, firewalls, multifactor authentication, backup services, drive encryption, and VPN—form the baseline security standards for legally handling tax information.

Why Is the IRS Security Six Important?

Firms often underestimate the importance of these requirements until facing the consequences. The IRS Security Six represents more than bureaucratic requirements; it’s essential protection against catastrophic losses that can destroy established practices.

For Professional Compliance

First and foremost, these requirements are the law. Every tax preparer with a PTIN must comply. Period. The IRS doesn’t care if you’re a sole proprietor working from your kitchen table or a 50-person firm—if you touch taxpayer data, you need all six controls in place.

Not convinced? Consider this:

  • It’s a legal requirement under IRS Publication 4557
  • Essential for maintaining your PTIN and practicing legally
  • Required by the FTC Safeguards Rule

For Business Protection

Beyond compliance, let’s talk about what really matters – protecting your business:

  • Financial devastation: Fines up to $100,000 per violation (each missing control counts as a separate violation).
  • Client exodus: One data breach, and watch how fast your client base evaporates.
  • Reputation destruction: Twenty years building trust, twenty minutes to lose it all.
  • Insurance nightmares: Most (if not all) cyber insurance providers won’t take you on as a client if you don’t have the basic cybersecurity measures in place.

The Six Security Requirements Explained

1. Antivirus Software

What it is: Software that detects and removes malicious programs before they can wreak havoc on your systems.

Why it’s required: It’s your first line of defense against malware that can steal, corrupt, or lock your data.

Implementation basics:
A common error is installing antivirus only on primary computers. Comprehensive coverage requires protection on:

  • Every single workstation
  • All laptops (including personal ones used for work)
  • Mobile devices accessing firm data
  • Server systems

2. Firewalls

What it is: Your network’s bouncer—monitoring and controlling incoming and outgoing traffic based on security rules.

Why it’s required: Prevents unauthorized access to your internal network where all that sensitive data lives.

Implementation basics:
Effective firewall protection requires both hardware firewalls (protecting network perimeters) and software firewalls (on individual devices). Regular updates remain critical – those update notifications during business hours require prompt attention, despite their inconvenient timing.

3. Multifactor Authentication (MFA)

What it is: Additional verification steps beyond passwords—think codes sent to your phone or biometric scans.

Why it’s required: Because “TaxPro123!” isn’t the fortress you think it is. MFA is now mandatory under FTC regulations, not just recommended.

Implementation basics:
MFA must be enabled for:

  • All tax preparation software
  • Email systems (where all those tax documents flow)
  • Cloud storage platforms
  • Remote desktop connections

Pro tip: Skip SMS codes if possible. Authenticator apps are more secure and often more convenient.

4. Backup Software/Services

What it is: Systems that create copies of your data for recovery when (not if) something goes wrong.

Why it’s required: Because ransomware doesn’t care about your deadlines, and hardware failures happen at the worst possible moments.

Implementation basics:
Follow the 3-2-1 rule, which has proven effective for countless firms:

  • 3 copies of important data
  • 2 different storage media types
  • 1 offsite backup

Testing restore processes regularly proves essential. Backups without verified restore capabilities provide false security rather than genuine protection.

5. Drive Encryption

What it is: Technology that scrambles data on your storage devices, making it unreadable without the proper key.

Why it’s required: That laptop left in an Uber? If it’s encrypted, it’s an inconvenience. If it’s not, it’s a catastrophe.

Implementation basics:
Enable full-disk encryption on:

  • All workstations and laptops
  • External hard drives
  • USB drives
  • Mobile devices with access to client data

6. Virtual Private Network (VPN)

What it is: A secure tunnel for internet connections, protecting data as it travels between locations.

Why it’s required: Remote work isn’t going away, and neither are hackers intercepting data on public Wi-Fi.

Implementation basics:
Business-grade VPN solutions provide necessary security for professional environments. Consumer VPN services lack the features and reliability required for tax professional use. Mandate VPN usage for all remote access to firm resources without exceptions.

Who Needs to Implement the IRS Security Six?

All tax professionals with a PTIN must implement these requirements. This includes:

  • All tax return preparers
  • Enrolled agents
  • CPAs handling tax matters
  • Firms processing taxpayer information
  • Anyone with a PTIN who touches tax data

There’s no “small firm exemption” or “I only do a few returns” loophole. The requirements apply equally whether you prepare 10 returns or 10,000.

How to Implement the IRS Security Six

Implementing these requirements requires a systematic approach. The following roadmap provides a structured path to compliance:

  1. Conduct a security audit
    Start by identifying gaps. What do you already have? What’s missing? Be honest—wishful thinking won’t protect you from hackers or IRS penalties.
  2. Create an implementation timeline
    Rome wasn’t built in a day, and neither is a secure firm. Phase in requirements systematically, for example:

    • Week 1-2: Antivirus and firewall upgrades
    • Week 3-4: MFA rollout and training
    • Week 5-6: Backup system implementation
    • Week 7-8: Encryption and VPN deployment
  3. Choose business-grade solutions
    Professional security requires appropriate investment. Consumer-grade products may reduce upfront costs but expose firms to significant risks and potential losses. Select solutions designed for professional environments with comprehensive support.
  4. Document policies and procedures
    The IRS loves documentation, and so should you. Create written policies for each security control, including who’s responsible for maintenance and monitoring.
  5. Train all staff
    The best security tools in the world won’t help if your team doesn’t know how to use them.
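The audit in step 1 can be partly automated on each Windows workstation. The following PowerShell script is an added example, not code from the original post or from Rightworks; it assumes Windows 10/11 with Microsoft Defender and BitLocker, administrator rights, and a placeholder UNC path for the shared audit log.

```powershell
# Added example, not part of the original post: a per-workstation gap check for the
# three Security Six controls that Windows can report on locally (antivirus,
# firewall, drive encryption). MFA, backups and VPN usage live in cloud services
# and firm procedures, so they must be audited separately.
# Assumes Windows 10/11 with Microsoft Defender and BitLocker; run as Administrator.

function Test-SecuritySixHost {
    $findings = @()

    # 1. Antivirus: Defender enabled, real-time protection on, signatures under 7 days old
    $av = Get-MpComputerStatus
    if (-not $av.AntivirusEnabled -or -not $av.RealTimeProtectionEnabled) {
        $findings += 'Antivirus: Defender or real-time protection is disabled'
    }
    if ($av.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings += "Antivirus: signatures last updated $($av.AntivirusSignatureLastUpdated)"
    }

    # 2. Firewall: all three Windows Firewall profiles (Domain, Private, Public) must be on
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if (-not $fwProfile.Enabled) {
            $findings += "Firewall: profile '$($fwProfile.Name)' is disabled"
        }
    }

    # 5. Drive encryption: every OS and data volume, including attached USB drives,
    #    must show BitLocker ProtectionStatus 'On' (a suspended volume reports 'Off')
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "Encryption: BitLocker is $($vol.ProtectionStatus) on $($vol.MountPoint) ($($vol.VolumeType))"
        }
    }

    # Emit one record per gap so results from many machines can be collected in one CSV
    foreach ($f in $findings) {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Checked = Get-Date; Finding = $f }
    }
}

# Run the check and append any gaps to a shared audit log (the share path is an assumed
# placeholder); the log doubles as the written record the documentation step calls for.
$gaps = Test-SecuritySixHost
if ($gaps) {
    $gaps | Export-Csv -Path '\\fileserver\audit\security-six-gaps.csv' -Append -NoTypeInformation
    $gaps | Format-Table -AutoSize
} else {
    Write-Output "$($env:COMPUTERNAME): no gaps found in antivirus, firewall or drive encryption"
}
```

Run it once per workstation and laptop (including personal machines used for work) and diff the CSV against the device inventory to catch the “office only” gap described later in this post.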

Common Mistakes to Avoid

Experience shows that firms repeatedly make similar security implementation errors. Understanding these common pitfalls helps avoid costly mistakes:

  • The “Office Only” Fallacy: Implementing security measures only on office computers while ignoring laptops, home computers, and mobile devices. Hackers don’t care where you work from.
  • Consumer-Grade Shortcuts: Using free antivirus or your internet provider’s basic firewall. These aren’t designed for businesses handling sensitive financial data.
  • Update Procrastination: “We’ll install those patches after tax season.” Famous last words. Hackers don’t take breaks during busy season.
  • Backup Theater: Having backups you’ve never tested. If you haven’t successfully restored data, you don’t have a backup – you have hope.
  • Executive Exceptions: “The managing partner doesn’t need MFA.” Yes, they do. In fact, they need it most because they’re high-value targets.

Beyond the Security Six: Additional Considerations

The Security Six forms a foundation, not a complete security strategy. Modern threats require comprehensive defenses beyond minimum requirements. Consider implementing these additional layers:

Security Awareness Training

Your team is either your strongest defense or your weakest link. The IRS strongly recommends ongoing security training, and honestly, it should be mandatory. Teach your staff to:

  • Recognize phishing attempts (they’re getting scary good)
  • Practice safe browsing habits
  • Handle client data appropriately
  • Report suspicious activity immediately
  • Understand social engineering tactics

Additional Security Measures

Don’t stop at the minimum:

  • Email security: Advanced spam filtering and phishing protection
  • Physical security: Locked file cabinets still matter
  • Access controls: Not everyone needs access to everything
  • Incident response planning: Know what to do when (not if) something happens
  • Regular risk assessments: Threats evolve, and so should your defenses

Closing

Security requirements may seem overwhelming when managing client demands, deadlines, and evolving tax laws. However, successful firms recognize that proactive security implementation provides essential protection before incidents occur.

The IRS Security Six represents more than a compliance requirement – it establishes minimum viable protection in an increasingly dangerous digital landscape. These six controls create an integrated security foundation protecting data, reputation, client trust, and professional standing.

Cybercriminals specifically target accounting firms due to the valuable sensitive data they maintain. Implementing proper security measures transforms your firm from an easy target into one that criminals will bypass for more vulnerable alternatives.

Begin with an honest assessment of current security status, develop a comprehensive implementation plan, and commit to exceeding minimum requirements. This investment in security infrastructure pays dividends in client confidence and business continuity.

Ready to take your firm’s security to the next level?

Download “The Ultimate Cybersecurity Guide For the Modern Accountant” for expert strategies that go beyond compliance to create a truly secure practice.
