Accounting firm security: How to go beyond the IRS Security Six


Last Updated February 6, 2024


Client data protection is mandatory

As if data security weren’t already important enough, firms must follow specific IRS rules for keeping client information safe. That’s why the IRS defined the “Security Six.” It’s a list of areas in which firms must comply with security regulations in order to operate legally.

Data security isn’t just a bonus or an extra feature accounting firms can offer clients. It’s absolutely essential, and it’s the law. It’s not simple, either. A firm’s data is constantly under threat, literally.

A recent study conducted by the business school at the University of Maryland found that there’s a hacking attempt every 39 seconds. That means that one in three Americans is affected by mischievous activity every year.

It also means that with nearly 1.26 million accountants and auditors currently practicing in the United States, it’s reasonable to conclude that more than 400,000 of them will be victims of an attempted hack this year.

Failure to meet IRS requirements can lead to fines, legal costs and other financial losses for firms. Beyond what the IRS requires, data breaches can lead to a loss of both potential and existing clients. They can also lead to a damaged reputation. Put simply, failure to adequately implement data security protocols and protect client data can destroy a firm.


IRS requirements for client data protection are just the beginning

The IRS Security Six serve as essential rules for how firms should lay out their strategies for protecting data. However, those rules are just the beginning.

At face value, each element of the Security Six seems obvious and straightforward enough:

  1. Antivirus software
  2. Firewalls
  3. Two-factor authentication
  4. Backup software services
  5. Drive encryption
  6. Virtual private network (VPN)

Why accounting firm data security must go beyond IRS requirements

But a closer look reveals what successfully implementing each security element requires. The process involves making critical decisions, planning carefully and committing to at least some level of investment. It’s important to consult IRS Publication 4557.

Following common data protection security tips might not be enough. For instance, installing antivirus software on your firm’s computers isn’t nearly enough in today’s highly distributed and mobile environment. There are employees’ personal computers as well as mobile devices to consider.

Or consider firewalls, which require regular updating to be effective. Those updates aren’t always necessary at easily scheduled intervals. They can be necessary at random and inconvenient times.

Security is a constant, daily challenge, from the top of the Security Six to the bottom. Just ask these anonymous tax professionals turned cybercrime victims. Also, the IRS list isn’t comprehensive.

Firms need to manage other areas of data protection, including server security, password security, system patches and even voicemail. Each of those areas of security comes with its own challenges and potential pitfalls.


How accounting firms can protect sensitive data beyond IRS requirements

Managing security can seem overwhelming, but it doesn’t have to be. Complying with the IRS Security Six and protecting client data is possible. It requires careful planning and the right partner.

Outsourcing elements of data security to a trusted partner can help firms. With partners, firms can mitigate the logistical, financial and legal challenges involved with staying compliant with the Security Six. Outsourcing can also help firms keep client data locked up tight.

Achieve Smart Security Management with Rightworks

Smart Security Management represents a new model for handling security—one where firms take a holistic approach to security both inside and outside of the cloud. And who better to help you achieve this than Rightworks—a leading provider of cloud and security services with more than two decades of experience? Rightworks security tools allow firms to go beyond IRS Security Six requirements and reach a higher level of security overall. Achieve Smart Security Management by adopting the right set of Rightworks products, including:

  • Secure and reliable cloud hosting that safeguards your data with end-to-end redundancy across all systems. It also provides real-time data replication and multi-layer security systems fit for the enterprise—24/7/365.
  • A comprehensive, secure endpoint solution to safeguard your most critical data. You can have peace of mind with added security for all your employees with one solution.
  • An employee education program that provides best practices for staying safe online. Security awareness training from Rightworks uses a gamified training program developed by experts.

Are you ready to take your firm’s security strategy beyond where it is today? Contact Rightworks.
