
Cybersecurity Readiness Checklist for Tax Accounting Firms

Use this checklist to assess whether your firm is prepared to defend against common cyber threats—especially during tax season.

  1. Governance & Planning

☐ Written cybersecurity policy in place

☐ Cybersecurity responsibilities clearly defined

☐ Incident response plan documented and accessible

☐ Pre–tax season security review completed annually

  2. Employee Training & Awareness

☐ Cybersecurity awareness training required for all new hires

☐ Annual cybersecurity refresher training completed by all staff

☐ Phishing and social engineering training included

☐ Simulated phishing tests conducted periodically

☐ Additional training scheduled before tax season

  3. Email & Communication Security

☐ Advanced email filtering and threat detection enabled

☐ External email sender warnings in place

☐ DMARC, SPF, and DKIM configured

☐ Staff trained to report suspicious emails

☐ Sensitive data discouraged from being sent via plain email

  4. Identity & Access Management

☐ Multi-Factor Authentication (MFA) enabled for:

    ☐ Email

    ☐ Tax software

    ☐ Client portals

    ☐ Remote access

☐ Role-based access controls enforced

☐ Access removed immediately for terminated employees

☐ Privileged/admin accounts separated from daily-use accounts

  5. Endpoint & Device Security

☐ Endpoint Detection & Response (EDR) deployed on all devices

☐ Automatic OS and security updates enforced

☐ Antivirus alone is not relied upon

☐ Lost or stolen device response procedures documented

  6. Hardware & Infrastructure

☐ Workstations within 3–5 year lifecycle

☐ Servers within 4–5 year lifecycle

☐ Network equipment within 5–7 year lifecycle

☐ Hot-swap desktop/laptop available during tax season

☐ On-prem servers protected by BDR with failover (if applicable)

  7. Data Protection & Client Information

☐ Secure client portal in use

☐ Encryption used for sensitive data at rest and in transit

☐ File-sharing permissions reviewed regularly

☐ Staff trained on proper handling of SSNs and tax data

  8. Backup & Disaster Recovery

☐ Automated backups running daily

☐ Backups encrypted

☐ Test restores performed regularly

☐ Offsite or cloud replication enabled

☐ Recovery time objectives defined

  9. Remote Access & After-Hours Work

☐ Secure VPN or approved remote access solution in place

☐ MFA required for remote access

☐ Home office security expectations documented

☐ Remote access performance tested before tax season

  10. Incident Response & Insurance

☐ Incident response plan tested or tabletop-reviewed

☐ Cyber insurance policy in place

☐ Breach notification responsibilities understood

☐ Client communication plan documented

If You Answered “No” to More Than a Few Items

You have identifiable cybersecurity gaps that should be addressed before the next tax season—not during it.

If you’d like assistance with your cybersecurity assessment, or have additional questions, click here to contact Skyline IT Services today!