Data breaches are a growing concern for businesses across all industries, and accounting is no exception.

According to an ITRC data breach report, the financial services industry had the second-highest number of data breaches in 2023, with 744 compromises. The number of reported data compromises in the US was also the highest ever.

A separate IBM study showed that the average cost of a breach in the financial industry is over $6 billion in 2024, an increase from $5.9 billion in 2023.

If you believe you’ve never experienced a data breach because a hacker hasn’t directly infiltrated your system, you may overlook other breaches. Data breaches aren’t limited to hacking incidents; they can also occur through physical theft, accidental exposure, or misdelivery of sensitive information.

"A data breach doesn't always involve a malicious hacker from abroad trying to infiltrate a firm. It can simply be a mistake, like accidentally emailing the wrong document or uploading the wrong file to a client’s folder. It means that information was shared with an individual who was not authorized to see it, and it happens very frequently."

Brad D. Messner, MBA, EA.

Given these risks and implications for your firm, you must be security-conscious when sharing files internally and with clients. You need to ensure the environment is safe and protect clients’ data so it doesn’t fall into the wrong hands.

In this guide, we share the common security risks when sharing files and how you can mitigate them.

Why File Sharing Security Matters for Accountants

Accounting and bookkeeping firms handle some of the most sensitive client information, including tax returns, financial statements, and payroll data. This makes them more susceptible to attacks and prime targets for cybercriminals.

A single breach can expose this information to unauthorized parties, leading to identity theft, fraud, or even financial ruin for your clients. It can also cause reputational damage or increased scrutiny of your firm.

Case in point: In July 2023, the public accounting firm Wright, Moore, DeHart, Dupuis & Hutchinson (WMDDH) experienced a data breach affecting over 127,000 individuals. The compromised data included names, Social Security numbers, financial account details, and medical information.

The firm identified the breach after detecting unusual network activity, but it took nearly a year to fully assess the impact and notify affected individuals. Following the incident, the law firm Federman & Sherwood opened an investigation into WMDDH and its handling of the breach.

The breach itself, and the increased scrutiny from regulators and lawyers that follows it, can damage clients’ trust in a firm’s ability to protect their information. That’s why you must secure your files properly to prevent breaches.

Beyond the risks, accountants also have legal and ethical obligations to protect client information. Regulations like the General Data Protection Regulation (GDPR) set stringent standards for handling personal data, such as only collecting data for a specific purpose, collecting the minimum necessary data, not storing it for longer than necessary, implementing security measures to protect it, etc.

There’s also the FTC Safeguards Rule, which requires accountants to appoint qualified individuals to manage their security program, conduct risk assessments, implement safeguards, etc.

Similarly, professional standards like the CPA Code of Ethics emphasize how important confidentiality is to client relationships. You’re obligated to keep client information confidential unless disclosure is authorized or legally mandated.

You must be familiar with these regulations, as ignorance of the law is not an excuse.

"We can't just sit back and say, 'I don't understand this' or 'I'm going to plead ignorance.' Ignorance is no longer an excuse,"

says Brad.

The consequences of a security breach can be severe. They include:

Loss of Client Trust

Trust is the foundation of any accountant-client relationship. Clients expect you to handle their financial and personal data carefully. A security breach exposes this sensitive information and signals a failure to meet that expectation.

Clients may feel betrayed and choose to take their business elsewhere. Rebuilding that trust can be nearly impossible, especially in a competitive market where trust and reputation play a major role in client acquisition and retention.

Legal and Regulatory Penalties

Governments and regulatory bodies impose heavy penalties on businesses that fail to protect personal and financial data.

For example, non-compliance with the GDPR can result in fines of up to $21 million or 4% of a business’s global annual turnover, whichever is higher. Lesser violations can incur fines of up to $10.3 million or 2% of global turnover.

Damage to Your Firm’s Reputation

In an industry where reputation is critical, data breach news can spread quickly and permanently damage your firm’s standing. Clients are less likely to recommend a firm with a history of security lapses, and potential clients may avoid your services altogether.

Moreover, the cost of repairing reputational damage — through public relations campaigns, enhanced security measures, or client outreach — can be substantial and time-consuming, taking resources away from the firm’s core operations.

Common Security Risks in File Sharing

No doubt, you need to exchange files with your clients. They need to send documents to you, and you need to send completed work or files for their review, such as financial statements, tax returns, or business reports. However, while file sharing is a routine part of your workflow, it also presents significant security risks if not done properly. Risks include:

Phishing and Social Engineering Attacks

Cybercriminals often impersonate trusted entities, such as clients or software vendors, to deceive accountants into revealing sensitive credentials or granting access to file systems. These attacks can result in unauthorized data access or malware infections.

For example, an attacker might impersonate a client or software provider, requesting login credentials or access to shared files. Once they access client data, they can steal financial information or disrupt your operations through extortion.

Clients That Do Not Care

“I think we all get that our clients are our biggest challenge when it comes to security,” Brad says. “For starters, they typically don’t understand technology, especially security.”

So many clients are unaware of the implications of some of their actions, and others are indifferent to the best practices for file sharing.

"Many view it as a hurdle, and this, I think, is the challenge."

Brad D. Messner, MBA, EA.

They may resist using secure platforms, rely on outdated methods like email attachments, or fail to follow password policies.

These behaviors can expose sensitive data to unauthorized access and increase your firm’s liability. A simple action like emailing an unencrypted financial statement could lead to attacks to intercept the data.

Manual Processes That Lead To Errors

Manual file-sharing workflows, such as downloading, renaming, and emailing documents, are prone to human errors. A study found that 84% of organizations have experienced a security incident caused by human error, and it’s the leading cause of serious insider data breaches.

These manual processes can cause you to send files to the wrong recipient (this represents 55% of all error-based breaches and 13% of all breaches for the year) or retain outdated versions in insecure locations. Such errors, while unintentional, can result in confidentiality breaches or compliance violations.

Insecure File-Sharing Methods

Some firms use email attachments or free file-sharing platforms, but this is risky because 23% of malware is sent via email, and these platforms often have weak encryption.

"A lot of us love using the free or low-cost solutions. To be honest, those are not always going to have the proper security, and they're not always going to be the easiest to use."

Brad D. Messner, MBA, EA.

When you share sensitive financial documents through these channels, there’s a chance unauthorized parties or hackers can intercept and access them.

Weak Passwords or Credentials

Number one on the list of the world’s most common passwords is “123456”. Over three million people use it, and it takes less than one second to crack. Numbers two to five on the list are 123456789, 12345678, password, and qwerty123, and hackers can crack all of them in less than a second.

These are examples of weak and simple passwords. Cybercriminals can easily guess and access client data if you use any of these or reuse your passwords.

Unauthorized Access

Unauthorized access occurs when you don’t implement proper access controls. When you share files without setting role-based permissions or account restrictions, even individuals who shouldn’t have access to them can view and download them.

Internally, this might mean employees accessing files outside their job roles, while externally, it could mean hackers exploiting weak security measures. For instance, an improperly secured client portal could allow someone with a basic URL link to download confidential files.

Malware and Ransomware Risks

Malicious files disguised as legitimate documents can spread malware or ransomware. It’s a very common attack, and a Verizon study shows that the majority (70%) of system intrusions involve malware (whether ransomware, Magecart attacks, or general malware).

When accountants unknowingly download or share these files, they risk infecting their systems and compromising client data. For example, a shared file from an unverified source could unleash ransomware that encrypts all client records or locks up your systems until you pay the ransom.

How Accountants Can Avoid Security Risks in File Sharing

Here are a few ways to reduce the security risks of file sharing so you can safely exchange files with clients and team members.

Start with the CIA (the Accounting Cybersecurity Triad)

Accountants can reduce security risks in file sharing by focusing on the cybersecurity triad for accounting: Compliance, Implementation, and Audits (CIA). These three components, as discussed by Brad, create a practical framework for ensuring data security in accounting and financial services.

(Image: the accounting cybersecurity triad, CIA)

Compliance

Compliance ensures accountants meet the baseline legal and regulatory requirements for cybersecurity. “These are items that we are required to have or do,” he says.

Key compliance measures include:

  • A written information security plan (WISP), which is a requirement for anyone in financial services. It outlines your policies and procedures for protecting sensitive data.
  • A cyber breach insurance plan, which protects you against the financial and operational fallout from a data breach.
  • A baseline level of understanding of cybersecurity and the FTC Safeguards Rule. Brad notes that accountants can no longer claim ignorance about cybersecurity:

"The FTC Safeguards Rule requires that we understand this topic at a base competency level."

Implementation

Being compliant without taking any action is meaningless. “It’s not just about having the compliance; we have to truly implement this,” Brad shares. This brings us to the second pillar: implementation.

Key implementation actions include:

  • Staff/self-training on cybersecurity practices, including recognizing phishing attempts and handling sensitive files securely.
  • Client management and education so they can use more secure methods to send files.
  • A breach management policy detailing the steps to take if a breach occurs, including communication plans and containment strategies.

Audit

The final pillar of the CIA triad is audit. “An audit doesn’t refer to a financial audit. It means we must regularly review our policies, ensure updates are applied, and verify that we’re maintaining our systems properly,” Brad explains.

Key audit practices include:

  • Regular review of information security policies to ensure they are up to date with current threats and regulatory changes.
  • Updates and maintenance of systems like firewalls and antivirus software to ensure they remain effective.
  • Log review to track system activity and verify compliance.

Use Secure File-Sharing Platforms

"Invest in the right security tools and technology. Don't settle for cheap, low-end options. Choose the tools that best fit your firm's specific needs."

Brad D. Messner, MBA, EA.

In other words, use secure file-sharing tools designed specifically for financial services. These tools provide encryption, role-based access controls, and other essential security features that protect sensitive data during storage and transmission.

One such tool is Financial Cents.

(Image: Financial Cents folder structure snapshot)

It allows you to request, store, and retrieve files automatically, all in the same software, so you don’t have to use multiple tools simultaneously.

Financial Cents complies with the FTC Safeguards Rule and protects your information with data encryption, cybersecurity protocols, transport layer security, two-factor authentication, access control, user permissions, multinational data privacy and residency, etc.

We implement all of this quietly so you remain undisturbed and don’t have to take any action. Brad corroborates this. He says:

"One of the reasons why I love Financial Cents is they make security so easy you don't even recognize that they're applying it behind the scenes at every step."

Educate Your Team

A well-informed team is one of the strongest defenses against file-sharing security risks. Brad says, “We have to be training our staff.”

Train your employees regularly on cybersecurity best practices to ensure they understand the latest threats and know how to prevent them.

Start by teaching them to recognize phishing emails, avoid clicking suspicious links, and use secure file-sharing platforms effectively. Many breaches occur due to human error, so providing clear guidelines on handling sensitive data can significantly reduce risks.

Incorporate training sessions focusing on password management, secure file sharing, and incident response. Also, update your training programs to reflect regulation changes or emerging cyber threats. “We have to be training our staff. It’s not just about having the compliance; we have to truly implement this,” says Brad.

A trained team helps protect your firm from security breaches and reassures clients that their sensitive information is in safe hands.

Educate Your Clients

Clients play a key role in maintaining file-sharing security, and educating them about best practices is essential.

Brad emphasizes the importance of making security a regular conversation point in client communications.

"Integrate security into all of your regular communications. If you send out a monthly newsletter, have a security corner at the bottom where you give them tips and examples like: Here’s something to watch out for with phishing emails. Here’s how to protect your identity if you believe you’ve been a victim of a phishing attack."

You can also send out quarterly updates, as Brad’s firm does. These updates can include brief summaries of recent threats, tips for recognizing phishing attempts, and actionable advice for clients to safeguard their data. For instance, explain how to spot suspicious emails or what steps to take if they suspect their information has been compromised.

In addition to general education, encourage clients to adopt specific practices like Multi-Factor Authentication (MFA). MFA adds an extra layer of security by requiring users to verify their identity through multiple methods, such as a password and a one-time code sent to their phone. This will reduce the risk of unauthorized access to shared files.

Automate To Reduce Errors

When you automate tasks, you reduce the chances of human errors that can compromise security. “Automate as much as you can. Every time we add automation, we reduce manual tasks. If I don’t have to type something or go to a client for approval, I save time and effort,” says Brad.

He shares a real-life example from his firm where they automated their extension process, filing 412 extensions — including communicating with the client, receiving permission to file the extension, calculating it, and moving on — completely through automation. The results?

"The accuracy level was within 2 to 3% of the correct result. The previous year, with our human intervention, we were more in the 70 to 80% range."

Applying automation to file sharing can produce similar benefits. For example, secure file-sharing platforms like Financial Cents enable automated document requests, reminders, and notifications. This eliminates manual follow-ups, reduces the chance of miscommunication, and ensures that documents are shared securely and promptly.

Automation also strengthens compliance efforts by standardizing processes like encryption, access control, and audit logging. These features operate in the background, requiring little to no manual intervention, which decreases errors and ensures data remains protected.

Have Strong Password Policies

Weak passwords remain one of the easiest ways for attackers to access sensitive systems and files. That’s why you need to enforce strict password guidelines to enhance security in your firm.

Your policy can require that all passwords be complex (a combination of uppercase and lowercase letters, numbers, and special characters), at least 12 characters long, and not reused across accounts. You can also encourage staff to change their passwords every 60-90 days to minimize risks.

Use Financial Cents’ Client Vault to securely store and share client passwords, security questions, and other sensitive information with your team. Custom encrypted fields store additional information, such as security questions. This ensures that your staff can access what they need without compromising security.

Our encrypter uses OpenSSL to provide AES-256 and AES-128 encryption. We also use a message authentication code (MAC) to sign all encrypted values so that no one can modify their underlying value once it has been encrypted.

Monitor and Audit Access

Regular monitoring and auditing ensure that only authorized personnel can access sensitive information, allowing you to address any anomalies immediately.

To do this, use role-based access control (RBAC) to limit file access based on job responsibilities. Consider setting up alerts for specific activities, such as access to highly sensitive files or attempts to log in from unusual locations.

Also, regularly review access logs to identify any unusual activity or unauthorized attempts to access files. Audits can help detect patterns, such as repeated failed login attempts, which may indicate a brute-force attack.
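The two sections above recommend role-based access limits, alerts on logins from unusual locations, and log review for repeated failed logins. The block below is an added example of such a review run over constructed access-log lines; it is not Financial Cents' code, and the log format, role table, and thresholds are assumptions for the demo.

```javascript
// Added example (not Financial Cents' code). Reviews constructed access-log
// lines and raises three kinds of alert: repeated failed logins (possible
// brute force), a successful login from a country not seen for that user,
// and a download of a file class the user's role is not permitted to access.
const SAMPLE_LOG = `
2024-05-01T09:00:01Z LOGIN_FAILED user=jane ip=198.51.100.7 country=US
2024-05-01T09:00:09Z LOGIN_FAILED user=jane ip=198.51.100.7 country=US
2024-05-01T09:00:15Z LOGIN_FAILED user=jane ip=198.51.100.7 country=US
2024-05-01T09:00:22Z LOGIN_FAILED user=jane ip=198.51.100.7 country=US
2024-05-01T09:00:30Z LOGIN_FAILED user=jane ip=198.51.100.7 country=US
2024-05-01T09:05:00Z LOGIN_OK user=tom ip=192.0.2.44 country=CA
2024-05-01T09:07:12Z LOGIN_OK user=tom ip=203.0.113.9 country=DE
2024-05-01T09:10:00Z FILE_DOWNLOAD user=bob file=payroll_2024.xlsx class=restricted
2024-05-01T09:11:00Z FILE_DOWNLOAD user=jane file=invoice_123.pdf class=internal
`;

const FAIL_THRESHOLD = 5;            // failures per user inside the window
const WINDOW_MS = 10 * 60 * 1000;    // 10-minute sliding window
// Assumed tables: countries seen in prior successful logins, and which
// roles may open each file classification (the RBAC rule set).
const KNOWN_COUNTRIES = { jane: ['US'], tom: ['US', 'CA'], bob: ['US'] };
const ROLES = { jane: 'accountant', tom: 'partner', bob: 'intern' };
const CLASS_ALLOWED = { restricted: ['partner'], internal: ['partner', 'accountant'] };

// "2024-05-01T09:00:01Z LOGIN_FAILED user=jane ip=..." -> { ts, event, user, ip, ... }
function parseLine(line) {
  const [ts, event, ...kv] = line.trim().split(/\s+/);
  const fields = Object.fromEntries(kv.map((pair) => pair.split('=')));
  return { ts: Date.parse(ts), event, ...fields };
}

function reviewLog(text) {
  const alerts = [];
  const failures = {}; // user -> timestamps of recent failed logins
  for (const line of text.split('\n').map((l) => l.trim()).filter(Boolean)) {
    const e = parseLine(line);
    if (e.event === 'LOGIN_FAILED') {
      const recent = (failures[e.user] ||= []);
      recent.push(e.ts);
      while (recent.length && e.ts - recent[0] > WINDOW_MS) recent.shift();
      // Alert exactly once, when the threshold is first reached.
      if (recent.length === FAIL_THRESHOLD) {
        alerts.push({ type: 'brute_force', user: e.user, ip: e.ip });
      }
    } else if (e.event === 'LOGIN_OK') {
      if (!(KNOWN_COUNTRIES[e.user] || []).includes(e.country)) {
        alerts.push({ type: 'unusual_location', user: e.user, country: e.country, ip: e.ip });
      }
    } else if (e.event === 'FILE_DOWNLOAD') {
      const allowed = CLASS_ALLOWED[e.class] || [];
      if (!allowed.includes(ROLES[e.user])) {
        alerts.push({ type: 'rbac_violation', user: e.user, file: e.file, class: e.class });
      }
    }
  }
  return alerts;
}

console.log(JSON.stringify(reviewLog(SAMPLE_LOG), null, 2));
```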

Avoid Public Wi-Fi

Public Wi-Fi networks, such as those in coffee shops, airports, or hotels, are inherently insecure and pose significant risks for file sharing. These networks are often not encrypted, making it easy for hackers to intercept sensitive data transmitted over the connection. For accountants, sharing files or accessing client information over public Wi-Fi can expose confidential data to cybercriminals.

Turn off automatic Wi-Fi connections and avoid accessing or sharing sensitive files on public Wi-Fi. If it’s unavoidable, use your smartphone’s hotspot feature for a safer connection, or use a Virtual Private Network (VPN) to encrypt communications.

Regularly Update Software

Keeping your software up to date can protect your firm against security risks. Updates often include patches that address vulnerabilities in previous versions, helping defend against malware, ransomware, and other cyber threats.

They also enhance performance, usability, and compatibility, ensuring your tools remain effective.

To maintain security and efficiency, enable automatic updates, set a regular schedule, or periodically review your firm’s tools and platforms to ensure they are using the latest versions.

Use Financial Cents To Share Files Securely And Manage Your Clients

Protecting client data while managing your firm efficiently doesn’t have to be complicated. Financial Cents offers a comprehensive solution that combines security, productivity, and ease of use so you can focus on delivering exceptional service.

Some of its features include:

  • Secure File Sharing with Built-in Data Encryption: Financial Cents ensures all file exchanges remain encrypted and protected, giving you peace of mind that sensitive client data stays secure.
  • Client Management System: “One of the biggest challenges for accounting firms as they grow is organization. This is because all their client information gets stored in so many random places, making it impossible to find,” says Shahram Zarshenas, CEO of Financial Cents. Our tool solves this problem with its accounting CRM, which centralizes client data, communication, and tasks into a single, organized platform, making collaboration with clients and team members seamless.
  • Secure Client Portal: Enhance client collaboration through features like secure client chat, encrypted file requests, and magic login, simplifying access while maintaining strict security protocols.
  • Workflow Management and Automation: Track client work seamlessly and automate repetitive tasks to reduce errors, improve efficiency, and meet deadlines.
  • Multinational Data Privacy and Residency: Stay compliant with global data privacy regulations and ensure your clients’ data is stored securely based on their residency requirements.

Why not sign up for our 14-day free trial to test these features?

Share files securely with your clients and team and manage your firm with Financial Cents.