Breaking Bad Habits: 5 Ways to Keep Hackers Out of Your Books

Ensuring the Security of Accounting Data: Protecting Against Cyber Threats

Peter Serzo

12/8/2025

Walter White in Breaking Bad evaded capture using a multitude of methods, including his family's loyalty, manipulation of evidence, science and sheer luck. When dealing with your clients' accounting data, your firm cannot do the same and count on loyalty, technology and luck. Phishing, ransomware, and insider threats are out there, and accounting firms must recognize the risks. In this short post we'll uncover 5 must-have technical safeguards to protect sensitive financial information. This is fundamental for maintaining client trust and adhering to today's evolving legal compliance requirements.

Protective Measures for Accounting Data

The first three items are technical but people-related: a human is doing the work, and what matters is how they interact with technology.

  1. Multi-factor authentication (MFA) - this is painful, but today folks are used to using it for all financial transactions and applications. In an optimal world this will be used on email and on any type of tax software, whether "in the cloud" or hosted locally at the firm. Two musts when implementing this are remote users and any type of admin account.

  2. Secure client communication - This should be done via encrypted portals. There should never be email attachments for tax returns or other sensitive data like checking/savings data or payroll.

  3. Zero-trust access. This does not mean we don't trust our employees. We do. It means that when giving out the "keys" to our systems, we verify. We verify that they have the proper role and rights to see the data. We verify that it is our employees touching the data. Think of the different modes of transportation: just because I have a license to drive a car does not mean I should be driving a big rig.

  4. Strong encryption (i.e. AES-256). All data residing on your systems, in house or in the cloud, should be encrypted at rest and in transit, including backups such as a USB drive or an external drive! This is where I personally have seen companies fail an audit, which is costly and damages the firm's reputation.

  5. Patching and vulnerability management. You may have a server in house. Ensure that it is getting critical updates, and have a written process to monitor it and a playbook to remediate any exploited vulnerabilities. Small firms don't typically have an IT staff; it is critical that your systems be maintained. Think of it as keeping your house in order or like an oil change for the car: preventative maintenance.

Training employees about cybersecurity best practices is also fundamental. It can be simple, even fun. Employees should be aware of how to recognize phishing attempts and other cyber threats.

Practical Next Steps

For a typical CPA or accounting firm in 2025, a practical roadmap looks like this:

  1. Perform a focused risk assessment on your tax, audit, bookkeeping, and payroll workflows, including remote work and AI tools, then update or create your WISP! Don't know what a WISP is? See our blog post here. Implement a framework such as the one Sonareon has to address this. Call us at 248-602-2682 so we can help you with that.

  2. Enforce MFA everywhere, deploy a password manager, ensure full‑disk and backup encryption, and review vendor security and contracts for all core applications.

  3. Implement regular staff training and phishing simulations, formalize an incident response plan, and coordinate with your cyber insurer to align controls with policy expectations.

Finally, break the bad habits that come from being busy and ignoring the problem until it causes you pain. Be proactive and mitigate risks early. It will cost less, and having these 5 protective measures addressed will allow your firm to flourish safely.