Every year, CPA firms learn the same cybersecurity lessons.
The difference is how they learn them.
Some firms learn proactively—through assessments, planning, and incremental improvements. Meanwhile, others learn reactively, in the middle of tax season, during an insurance claim, or after a client asks a question no one wants to answer.
This year was no different. The incidents changed slightly. The tools evolved. The tactics became quieter. Even so, the underlying failures were remarkably consistent.
The firms that struggled most didn’t lack good intentions. Instead, they lacked preparedness.
So, here are the cybersecurity lessons CPA firms learned the hard way this year—and what resilient firms are doing differently.
Lesson #1: “We Haven’t Had a Problem Yet” Is Not a Strategy
Many CPA firms entered the year confident because nothing bad had happened yet. Systems were working. Clients were happy. IT issues were minimal.
However, cybersecurity does not reward historical luck.
In fact, several firms discovered—often too late—that credentials had been compromised weeks or months earlier. Attackers weren’t noisy. Instead, they logged in, observed workflows, and waited for the right moment.
By the time the firm realized something was wrong, the damage had already extended beyond IT:
- Client data exposure
- Reputational risk
- Insurance scrutiny
- Regulatory questions
In other words, “we’re too small to be a target” is still alive and well. (It’s also still wrong.) Read: Why small firms still think they’re not cyber targets (and why that needs to change).
Lesson #2: Credential Theft Is the New Front Door
This year reinforced what regulators and insurers already know: most CPA firm breaches no longer begin with ransomware.
Instead, they begin with credentials.
Stolen usernames and passwords—often obtained through phishing—were the most common entry point. Once attackers had access, traditional defenses were irrelevant. Firewalls didn’t matter. Antivirus didn’t alert. The login was valid.
As a result, firms learned the hard way that:
- Optional MFA is ineffective
- Inconsistent enforcement creates gaps
- Shared or over-privileged accounts magnify damage
Ultimately, the most painful incidents were not the most sophisticated. They were the most preventable.
Lesson #3: Cloud Does Not Mean “Backed Up”
One of the most common and costly misunderstandings we saw this year involved cloud platforms.
For example, many CPA firms assumed their Microsoft 365 data was automatically protected. When email, OneDrive, or SharePoint data was deleted—sometimes intentionally by attackers using valid access—recovery options were limited or nonexistent.
That’s because availability is not the same as recoverability.
Consequently, firms learned—often during an incident—that:
- Native retention is not a true backup
- Compromised accounts can delete data permanently
- Recovery without independent backups is uncertain
If you want a practical blueprint, see our guide: The complete guide to building a modern cyber-resilient CPA firm.
Lesson #4: Busy Seasons Create Perfect Cover
Tax season pressure doesn’t just strain staff—it creates ideal conditions for attackers.
During peak weeks, phishing emails blend in more easily. Urgent requests feel normal. Staff move faster and verify less. Not surprisingly, attackers time their actions accordingly.
Specifically, several incidents this year were traced back to:
- Fake document requests
- Impersonated clients or internal staff
- Payment or payroll changes slipped through during peak workload
To be clear, cyber resilience isn’t about slowing work—it’s about supporting good decisions under pressure.
Because of that, firms that fared better invested in:
- Ongoing awareness training
- Clear verification processes
- Leadership reinforcement that “pause and verify” is acceptable
Lesson #5: Detection Matters as Much as Prevention
Another hard lesson: you can’t respond to what you can’t see.
Unfortunately, many firms had no visibility into login behavior, mailbox rule changes, or unusual access patterns. As a result, breaches were often discovered externally—by clients, vendors, or insurers.
By then, the narrative had already shifted from “incident” to “failure to detect.”
Therefore, cyber-resilient firms prioritize:
- Monitoring for suspicious logins
- Alerts for abnormal behavior
- Faster awareness of potential compromise
In short, early detection turns incidents into manageable events instead of crises.
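One way to get the visibility this lesson describes, as an added example (not IT Fusion's code): a small Python pass over constructed Microsoft 365-style audit records that flags sign-ins from outside a known-country baseline and inbox rules that forward externally, silently delete mail, or carry a near-empty name. The record layout, firm domain, and country baseline are assumptions for illustration.

```python
"""Detection pass over constructed Microsoft 365-style audit records.

Assumption: records are simplified dicts loosely shaped like Unified Audit
Log entries; all fields and values below are constructed for this example.
"""
from datetime import datetime

FIRM_DOMAIN = "example-cpa.com"   # constructed firm domain
KNOWN_COUNTRIES = {"US"}          # constructed sign-in baseline for all staff

# Constructed sample audit records (not real log data).
RECORDS = [
    {"time": "2024-03-12T08:02:11Z", "op": "UserLoggedIn",
     "user": "jane@example-cpa.com", "country": "US", "ip": "203.0.113.10"},
    {"time": "2024-03-12T08:41:05Z", "op": "UserLoggedIn",
     "user": "jane@example-cpa.com", "country": "NG", "ip": "198.51.100.7"},
    {"time": "2024-03-12T08:43:30Z", "op": "New-InboxRule",
     "user": "jane@example-cpa.com",
     "params": {"Name": ".", "ForwardTo": "collector@mail.example",
                "DeleteMessage": True}},
    {"time": "2024-03-12T09:15:00Z", "op": "New-InboxRule",
     "user": "bob@example-cpa.com",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

def _external(address: str) -> bool:
    """True when a forwarding target is outside the firm's own domain."""
    return not address.lower().endswith("@" + FIRM_DOMAIN)

def check_record(rec: dict) -> list[str]:
    """Return alert strings for one record (empty list if nothing suspicious)."""
    alerts = []
    if rec["op"] == "UserLoggedIn" and rec.get("country") not in KNOWN_COUNTRIES:
        alerts.append(f"login from unexpected country {rec['country']} by {rec['user']}")
    if rec["op"] in ("New-InboxRule", "Set-InboxRule"):
        p = rec.get("params", {})
        fwd = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
        if fwd and _external(fwd):
            alerts.append(f"inbox rule by {rec['user']} forwards to external {fwd}")
        if p.get("DeleteMessage"):
            alerts.append(f"inbox rule by {rec['user']} silently deletes mail")
        if len(p.get("Name", "")) <= 1:   # attackers often name rules "." or ","
            alerts.append(f"inbox rule by {rec['user']} has a near-empty name {p.get('Name')!r}")
    return alerts

def run_detection(records: list[dict]) -> list[str]:
    """Run every rule over every record, returning alerts in time order."""
    key = lambda r: datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return [a for rec in sorted(records, key=key) for a in check_record(rec)]

if __name__ == "__main__":
    for alert in run_detection(RECORDS):
        print("ALERT:", alert)
```

In a real deployment the same rules would run over exported audit-log data on a schedule, with the baseline per user rather than firm-wide.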
Lesson #6: Incident Response Plans Aren’t Optional
In several cases, the most damaging factor wasn’t the attack—it was confusion.
Without documented response plans, firms lost critical hours deciding:
- Who was in charge
- What systems were affected
- Whether clients needed to be notified
- When to involve insurance or legal counsel
On the other hand, prepared firms weren’t perfect—but they were decisive.
For instance, they had:
- Written response plans
- Defined decision-makers
- Established relationships with insurers and forensic partners
In cybersecurity, clarity beats speed. As a bonus, planning creates both.
Lesson #7: Cybersecurity Is Now a Business Risk Issue
Perhaps the most important lesson of the year is this: cybersecurity is no longer just an IT concern for CPA firms.
Today, it affects:
- Client trust
- Regulatory exposure
- Insurance coverage
- Firm valuation and reputation
In addition, frameworks like the FTC Safeguards Rule, evolving state privacy laws, and tighter insurance underwriting have changed expectations. Firms are no longer judged solely on outcomes—they are judged on reasonableness and preparation.
After incidents, the question is rarely: “Were you breached?”
Instead, it is: “Were the safeguards in place reasonable, given what is widely known?”
What Resilient CPA Firms Are Doing Differently
The firms that navigated incidents successfully this year shared common traits:
- Mandatory MFA everywhere
- Independent cloud backups
- Visibility into account activity
- Ongoing staff education
- Leadership involvement in risk decisions
Importantly, they didn’t eliminate risk—but they contained it.
Put simply, cyber resilience is not about avoiding every problem. It’s about ensuring problems don’t define the firm.
Wire Fraud Still Hurts (and It’s Still Preventable)
Wire fraud remains one of the fastest ways to turn a normal day into a bad quarter. The tactics keep evolving. Even so, the pattern stays the same: urgency + authority + a payment change that bypasses verification.
If your firm touches payments, escrow, trust accounts, or any client funds, make this required reading: Protecting your business from wire fraud. For broader trend data, the FBI’s IC3 has a solid overview here: Business Email Compromise (BEC).
Why IT Fusion Focuses on Resilience, Not Fear
At IT Fusion, we approach cybersecurity as ongoing risk management—not a collection of tools.
Specifically, for CPA firms, that means:
- Identifying the most likely and impactful risks
- Prioritizing safeguards that actually reduce exposure
- Providing continuous visibility—not one-time reports
- Helping leadership make informed, defensible decisions
If you’d like to know who you’re working with, start here: About IT Fusion.
(And if you serve both CPAs and law firms, you may also like this related blueprint: The complete guide to building a modern cyber-resilient law firm.)
Start the New Year Informed, Not Reactive
If your firm learned something this year—directly or indirectly—that’s not a failure. Rather, the real risk is carrying those lessons forward without action.
That’s why our complimentary cybersecurity assessment helps CPA firms understand where exposure exists today and what practical steps improve resilience—without jargon or pressure.
Request your free network assessment
Cybersecurity lessons are inevitable. Thankfully, learning them the hard way is not.
Ultimately, being Always on Guard means turning experience into preparation.
Key Takeaways
- CPA firms learn cybersecurity lessons in various ways: some proactively and others reactively during crises.
- Key lessons include that historical luck is not a strategy and credential theft is often the entry point for breaches.
- Firms must understand that cloud platforms do not ensure automatic data backups and should prioritize independent backups.
- Busy seasons create opportunities for attackers, making ongoing staff training and clear verification processes essential.
- Resilient firms emphasize clarity in incident response, monitoring logins, and viewing cybersecurity as a business risk issue.