Security Workflow for Your Growing Accounting Firm: A Step-by-Step Guide with Brad Messner
Author: Financial Cents
Growth is thrilling. Your accounting firm is gaining traction, new clients are onboarding, and your team is expanding. Then you hit the wall—not the productivity wall, but the security wall.
That’s when fear creeps in. One wrong click. One accidental email. One piece of client data sent to the wrong “John,” and everything you’ve built is at risk.
At WorkflowCon 2024, cybersecurity expert and seasoned tax professional Brad Messner dropped some real-world wisdom for firms navigating this growth-security paradox. “It’s not just about compliance,” Brad said. “It’s about implementation. It’s about execution.”
Let’s break down Brad’s strategic roadmap for creating a secure, scalable workflow without sabotaging client trust or team efficiency.
Step 1: Understand and Apply the CIA Security Triad
When it comes to cybersecurity, most accounting professionals freeze up, not because they don’t care, but because they don’t know where to start. That’s exactly why Brad Messner urges firms to master a foundational, three-part system he calls the CIA Triad—Compliance, Implementation, and Audit.
“We are required to understand this now. Pleading ignorance is no longer possible. The FTC Safeguards Rule expects us to know this. That’s the new reality.”
C — Compliance: The Security Non-Negotiables
Compliance is your legal obligation. But don’t confuse compliance with paperwork.
Here are the minimums your firm should already have in place:
- WISP (Written Information Security Plan)
A regulatory must-have. This document outlines how your firm collects, stores, protects, and disposes of client data.
Tip: The IRS provides a rough starter template. Brad says, “It’s better than nothing—but expect to spend 20 to 30 hours customizing it to your firm.”
- Cybersecurity Insurance
Yes, it’s another cost—but as Brad bluntly puts it: “The average breach costs $4.3 million. Insurance buys you sleep.”
- Client Consent and Disclosure Forms
Especially if you’re working with offshore labor or third-party tools. “Disclose everything. If you’re outsourcing, make sure your clients know and approve,” Brad advised.
I — Implementation: Turning Policies into Muscle Memory
Here’s how to shift from theory to action:
- Train Your Staff (Regularly)
One-time security training isn’t enough. Your team needs regular, scenario-based simulations, especially for phishing and email misfires.
- Restrict Email Usage
“We don’t email documents. Period,” Brad stated. “We use secure portals. Email is where security dies.”
- Multi-Factor Authentication (MFA)
Even if your clients complain (and they will), MFA is a must. “Yes, they’ll groan. But it’s safer—and once it’s normal, they’ll adapt,” Brad explained.
- Access Control and Permissions
Implement tiered access. Not every employee needs access to every client folder.
A — Audit: Stay Sharp, Stay Safe
This includes:
- Quarterly System Reviews
Are your tools still up-to-date and patched? Is data being stored securely? Do your vendors meet your security standards?
- User Access Reviews
Who has access to what? When was the last time you updated permissions?
- Incident Response Drills
Don’t wait for a breach to figure out your plan. Run simulated events to stress-test your response.
- WISP Review and Updates
Just like tax code, your WISP can’t stay static. Update it at least annually—or when introducing new software, staff, or services.
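As an added illustration of the tiered access control from the Implementation step and the quarterly user access review from the Audit step (example code written for this summary, not from Brad Messner’s firm or Financial Cents), this Python script checks a constructed staff roster against constructed role tiers and flags any grant that exceeds the role’s tier or has not been reviewed within 90 days. The roles, folder names, scopes, and dates are all assumptions.

```python
from datetime import date

# Constructed tier policy (assumption): each role may only hold client-folder
# grants whose scope appears in its set. Interns get no client folder access.
TIER_SCOPES = {
    "partner": {"tax", "bookkeeping", "payroll", "admin"},
    "senior": {"tax", "bookkeeping", "payroll"},
    "preparer": {"tax"},
    "intern": set(),
}

REVIEW_CADENCE_DAYS = 90  # quarterly, matching the Audit step's cadence

# Constructed grants (assumption): (user, role, folder, scope, last_reviewed)
GRANTS = [
    ("alice", "partner", "clients/acme", "admin", date(2024, 9, 1)),
    ("bob", "preparer", "clients/acme", "payroll", date(2024, 9, 1)),  # beyond tier
    ("carol", "senior", "clients/globex", "tax", date(2024, 2, 15)),   # stale review
    ("dave", "intern", "clients/globex", "tax", date(2024, 8, 20)),    # intern has no scopes
]

REVIEW_DATE = date(2024, 10, 1)  # constructed "today" for the review run


def review_access(grants, today, cadence_days=REVIEW_CADENCE_DAYS):
    """Return (user, folder, reason) findings for a tiered-access review."""
    findings = []
    for user, role, folder, scope, last_reviewed in grants:
        allowed = TIER_SCOPES.get(role)
        if allowed is None:
            findings.append((user, folder, f"unknown role {role!r}"))
            continue
        if scope not in allowed:
            findings.append((user, folder, f"scope {scope!r} exceeds tier {role!r}"))
        if (today - last_reviewed).days > cadence_days:
            findings.append((user, folder, "review overdue"))
    return findings


def run_review():
    """Run the review over the constructed roster as of REVIEW_DATE."""
    return review_access(GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, folder, reason in run_review():
        print(f"{user:<8} {folder:<16} {reason}")
```

Each finding is something the quarterly review should either fix (remove the grant) or re-approve and re-date; a grant that is in tier and recently reviewed produces no output.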
Step 2: Normalize Security in Your Client Communications
In many accounting firms, cybersecurity is relegated to the IT team or buried deep in policy manuals. Clients rarely hear about it until something goes wrong. But this passive approach is risky. Brad emphasized,
“If you’re only talking about security when something goes wrong, you’re already too late.”
Communication is the frontline defense in cybersecurity. By making security a consistent part of client interaction, firms transform it from a fear-inducing barrier into a sign of competence and care.
Security as a Value Proposition, Not a Hindrance
Most clients perceive security protocols like multi-factor authentication, password changes, and encrypted portals as frustrating. “It’s like applying for a mortgage,” Brad quipped. “Full of hoops, and nobody explains why they matter.” This mental hurdle stems from poor communication, not the protocols themselves. Reframing security as part of the client value experience changes perception. Resistance drops when clients understand that these systems are in place to protect their identity, not inconvenience them.
Embed Security in Everyday Communications
The shift starts small. “Just include security tips in the stuff you’re sending,” Brad advised. Here’s how:
- Monthly Newsletters: Add a “Security Corner” with quick, relatable tips—how to recognize phishing emails, what to do if you suspect identity theft, or reminders about secure document uploads.
- Tax Season Updates: Reinforce safe file-sharing practices, explain why email is discouraged, and highlight the benefits of secure accounting client portals.
- Client Onboarding: Create a one-page welcome sheet explaining how your firm protects their data and what’s expected of them (e.g., using MFA, avoiding unsecured email).
- Quarterly Security Briefings: Offer summaries of new threats, recent breaches, or evolving best practices that clients should know about.
The goal is to make security feel like a normal, helpful part of the client relationship, something they come to expect and appreciate.
Use Stories to Build Empathy and Retention
Facts and rules are forgettable. Stories aren’t. Brad stressed the power of sharing relatable experiences: “Tell them about the time you almost sent a file to the wrong ‘John.’ It’s a human moment, but it teaches a lesson.” By sharing real or hypothetical incidents, always with tact, you help clients understand the risks without overwhelming them. This method builds empathy, illustrates consequences, and fosters mutual responsibility.
Step 3: Upgrade from Free Tools to Trusted Platforms
The Hidden Cost of “Free”
Accounting firms love efficiency. Understandably, many gravitate toward free or low-cost tools for managing e-signatures, document sharing, or team communication. But Brad Messner issued a clear warning: “We love the free and low-cost options, but those often come at the highest price: security.” The reality is that free platforms often lack the critical encryption, authentication protocols, or support structure necessary to secure sensitive financial data. And when something goes wrong, the cost is no longer zero; it is potentially millions.
If the Tool Frustrates Clients, It Fails Security Too
One of the most overlooked aspects of security is usability. If a tool is clunky or confusing, clients find workarounds, and those workarounds are where breaches occur. “There’s an e-signature platform out there that’s super cheap,” Brad shared. “But it’s such a challenge for clients to use that we abandoned it. If the tool isn’t intuitive, people won’t use it securely.” The takeaway is clear: user experience is a hidden but vital component of cybersecurity. Clients should be able to follow your processes easily and without resistance. If they can’t, they’ll default to insecure behaviors: emailing documents, skipping verifications, and using weak passwords.
Ease of Use = Fewer Complaints and Stronger Compliance
Brad revealed a telling statistic: “If the tool is easy to use, you’re 64% less likely to hear complaints about security.”
This insight changes the conversation. Security doesn’t have to be an obstacle. It can be invisible when designed correctly. Tools that integrate secure practices behind the scenes (such as encrypted communication or automatic backups) empower firms to protect clients without requiring those clients to jump through endless hoops.
That’s why Brad openly endorsed certain platforms, citing Financial Cents as one example.
“It makes it so easy that you don’t even notice the security is there. You want protection that works behind the scenes and doesn’t make your clients miserable.”
Match Tools to Your Firm’s Needs and Scale
Not every solution is right for every firm. Brad emphasized that technology decisions should be made with your firm’s structure, team size, client base, and service model in mind. A high-growth firm with remote staff and nationwide clients will need very different solutions than a local, in-person tax practice. “Find the tool that fits your firm—not just your budget,” Brad advised. It’s not about choosing the most expensive platform; it’s about choosing the right one that delivers the security, scalability, and simplicity your team and clients need.
Ditch What Doesn’t Work
This may be the hardest part: letting go of tools that are not serving your firm. Whether it’s a low-cost signature app, an outdated document storage system, or a team chat app that lacks encryption, if the tool is putting your firm at risk, it’s no longer “affordable.” “We moved away from a cheap tool just because our clients weren’t using it correctly,” Brad noted. “It created too many gaps.” The real cost isn’t the subscription fee; it’s the liability you carry every time the tool underperforms.
Stop Thinking in Expenses
Here’s the mindset shift Brad champions: security tools aren’t overhead; they’re insurance. Every dollar you spend on a well-vetted, intuitive, secure platform reduces your firm’s exposure to human error, client frustration, and reputational damage. In an era where one misplaced file or poorly configured app can cost millions, the “cheap” route is often the most expensive mistake you can make.
Security Is a Value Your Firm Can Live By
Your clients aren’t thinking about security until it’s too late. But you? You don’t have that luxury.
You’re growing. Scaling. Taking on more clients, more data, and more risk. That’s exactly why now is the moment to get proactive about your security workflow. You don’t need a tech background or a fancy cyber team.
Don’t wait for a breach to force your hand. Use this moment as the spark that transforms how your firm approaches cybersecurity.
Bake it into your workflows. Automate it. Educate your clients. Lead with it.
Step 4: Convert Security Into a Revenue Stream
Accounting firms typically view cybersecurity as a cost center—necessary, non-negotiable, but never profitable. Brad Messner, however, challenged that narrative. “We always see security as overhead,” he said, “but what if it could actually be a revenue stream?” This idea isn’t just provocative; it’s practical. As security threats multiply and client anxiety about identity theft grows, firms have an opening to offer something rare in professional services: peace of mind. And they can charge for it.
Clients Want Protection; They Just Don’t Know Where to Get It
In the wake of high-profile breaches and daily scam attempts, consumers are more aware than ever that their data is vulnerable. Yet few have a trusted advisor guiding them on how to safeguard it. “Your clients don’t have someone looking out for them on this,” Brad explained. “You already have their trust, so be the one to step in.” That’s where identity protection services come in. Tools like Identity Guard, TrustID, and similar platforms offer monitoring, alerts, and restoration services, but most clients don’t even know they exist, let alone how to evaluate them.
This is your opportunity to educate, guide, and resell.
Resell Identity Management Services: Low Effort, High Trust
By partnering with an identity protection provider, your firm can offer these services to clients under your umbrella. Brad’s firm does just that. “We offer it as an add-on. It costs us maybe six to eight dollars per client per month, but we charge ten to fifteen, sometimes twenty. Clients are grateful for it. They feel safer. And it’s passive revenue for us.” This isn’t about nickel-and-diming clients. It’s about bundling real value—especially for clients who lack in-house IT support or don’t know where to start. When you offer a vetted, curated solution, they see it as a service, not a sale.
Establish Yourself as the Trusted Advisor for Security
This strategy positions your firm as more than just a compliance partner. You become your client’s first line of defense in a digital world, not just their bookkeeper or tax strategist. “They already call us when they get a scam email or weird text from the IRS,” Brad said. “Now we can say, ‘You’re covered. Here’s how to activate your protection.’ That builds loyalty.” Over time, clients come to see security as part of your core offering—not a one-off conversation. That increases retention, boosts referrals, and opens the door for higher-value advisory services.
It’s Scalable, Repeatable, and Differentiates Your Firm
This is not a one-time upsell. Done right, identity protection services can become part of your recurring revenue model. The process is scalable across dozens or even hundreds of clients. Once the framework is in place—disclosures, marketing materials, and onboarding guides—you can replicate it firm-wide. Better yet, it differentiates you in a crowded market. Many firms claim to be “modern” or “tech-forward,” but few are proactively offering client-facing security solutions. That makes your firm stand out, especially to clients who’ve already been burned elsewhere.