
Cybersecurity Guide Compliance for Accounting Firms

Is Your Accounting Firm Compliant? How to Meet SOX, GLBA, and FTC Cybersecurity Rules Without Losing Sleep (or Clients).

Table of Contents

  1. Why Cybersecurity is Critical in Modern Accounting
    • The growing threat to accounting firms
    • Overlapping compliance rules (SOX, GLBA, FTC)
    • Why Ohio SMBs are at increasing risk
    • How this guide will help
  2. What Compliance Standards Apply to Accounting and Finance Firms?
    • SOX (Sarbanes-Oxley Act)
    • GLBA (Gramm-Leach-Bliley Act)
    • FTC Safeguards Rule (2023 update)
    • Common gaps in Ohio-based firms
  3. The Top Cybersecurity Threats Facing Accounting Firms in 2025
    • Ransomware attacks on tax software
    • Phishing emails impersonating IRS/banks
    • Business email compromise (BEC)
    • Insider threats from untrained staff
    • Unsecured remote access
    • Securafy’s threat mitigation services
  4. Building a Compliance-Driven Cybersecurity Program
    • A. Risk assessments and written security plans
    • B. Access controls and monitoring tools
    • C. Encryption and secure document handling
    • D. Incident response planning
    • E. Why Ohio SMBs need right-sized solutions
  5. Cloud & Vendor Risk Management for Accounting Firms
    • Why vendor security is your responsibility
    • Questions to ask software and service providers
    • Red flags and common weak points
    • Tools for documenting vendor risk
    • Securafy's vendor management support
  6. Training & Security Culture for Accounting Teams
    • Regulatory expectations for training
    • What effective training includes
    • Tools for Ohio SMBs (KnowBe4, Curricula, Trainual)
    • How often to train and track progress
    • Building security into your firm’s daily workflow
  7. Co-Managed IT vs. Outsourced Cybersecurity: What’s Right for Your Firm?
    • What general IT providers typically offer
    • What cybersecurity-first partners provide
    • What “co-managed IT” means in practice
    • Feature comparison table
    • Why many Ohio firms are switching to co-managed models
  8. Regional Spotlight: Ohio Accounting Firms and Cyber Risk
    • Local threat trends across Cleveland, Columbus, Akron, Medina, and Painesville
    • Real examples of breaches and fraud
    • Common compliance failures
    • How Securafy delivers regionally tailored support
  9. FAQs: Cybersecurity and Compliance for Accounting Firms
    • Do small firms need to comply with FTC/GLBA/SOX?
    • Is QuickBooks secure enough?
    • What makes a vendor “compliant”?
    • What training is required?
    • What tools support compliance?
    • State-specific legal obligations (Ohio breach law and Safe Harbor)

Why Cybersecurity is Critical in Modern Accounting

If you run an accounting firm, your cybersecurity risks are no longer hypothetical. You're holding sensitive financial data, tax filings, payroll records, W-2s, Social Security numbers, and banking information. That makes you an obvious target for attackers. And they’re not just going after large firms anymore.

In Ohio, small and mid-sized firms in cities like Painesville, Medina, and Cleveland have been caught off guard by phishing attacks, ransomware incidents, and email compromise. Many of these firms assumed they were too small to be noticed. They weren't. In most cases, the breach started with something basic: a reused password, an unprotected email account, or an unvetted software vendor.

The stakes are rising because accounting firms are now subject to overlapping compliance rules. The Sarbanes-Oxley Act (SOX) affects firms working with public companies. The Gramm-Leach-Bliley Act (GLBA) applies if you handle consumer financial data. And the FTC Safeguards Rule now covers virtually all tax professionals. These frameworks don’t just recommend security controls; they expect them. Regulators want to see access logs, encryption policies, written security programs, and vendor risk assessments.

The problem? Most accounting firms weren’t built with cybersecurity in mind. You’ve invested in tools like QuickBooks, Drake Tax, SmartVault, and Microsoft 365 to run your practice. But unless those systems are properly configured and secured, they can become liabilities. Misconfigured access controls or missing multi-factor authentication are still common, even among firms that are otherwise well-managed.

That’s where Securafy comes in. We support small and mid-sized accounting firms across Ohio with cybersecurity services that are built for compliance. We help firms meet regulatory expectations without adding unnecessary complexity. You don’t need an enterprise budget to meet industry standards; you just need a partner who knows what to prioritize.

In this guide, we’ll break down the compliance rules that apply to accounting firms, the top threats you face in 2025, and the tools and tactics that help firms stay protected. We’ll also explain how co-managed cybersecurity works, and why so many Ohio firms are moving toward specialized, compliance-first support.

Free Resource: The Executive’s Guide to Co-Managed and Outsourced IT

If you're still deciding how to structure IT and security for your firm, download our guide. It explains the differences, costs, and benefits of each model, and what to ask before you hire any provider.

Get the Free Guide

What Compliance Standards Apply to Accounting and Finance Firms?

Compliance is no longer just a concern for large financial institutions. If you run an accounting firm, even a small one, you’re expected to follow specific data security rules tied to your services. Whether you're preparing tax returns, advising on financial plans, or managing payroll, you're handling sensitive data that falls under regulatory oversight.

Three major standards apply to most accounting and tax firms in the U.S., including those operating in Ohio:

Sarbanes-Oxley Act (SOX)

If your firm audits or provides financial services to publicly traded companies, the Sarbanes-Oxley Act likely applies. SOX is focused on protecting the integrity of financial reporting, and part of that includes IT system controls.

What this means for you:
You must be able to prove who accessed what data, when, and why. You also need a record of system changes, logins, and updates that could impact financial records.

Auditors may ask for:

  • Access logs from systems like QuickBooks Enterprise or Sage Intacct

  • Proof that staff can’t change financial data without approval

  • Documentation of backups, audit trails, and retention policies

These controls aren’t just technical; they’re part of how you demonstrate accuracy and transparency in financial reporting.

Gramm-Leach-Bliley Act (GLBA)

The GLBA Safeguards Rule applies to firms handling personal financial information. That includes solo CPAs, tax prep firms, bookkeeping services, and financial advisors.

GLBA requires firms to develop a Written Information Security Program (WISP). This program must be documented, reviewed regularly, and cover several areas:

  • Risk assessments

  • Employee training

  • Access controls

  • Encryption

  • Vendor management

Most smaller firms are out of step with GLBA because they haven’t created a written security plan. That’s one of the first things we help firms build at Securafy. It's not optional anymore; FTC enforcement is getting stricter.

FTC Safeguards Rule (Updated 2023)

The Federal Trade Commission has clarified that the Safeguards Rule now applies to virtually all tax professionals. If your firm prepares taxes or offers related financial services, you're expected to meet specific cybersecurity requirements.

Key rules include:

  • Multi-factor authentication (MFA) for all systems with client data

  • Encryption of data in transit (email, file sharing) and at rest (servers, cloud tools)

  • Disposal policies for customer information

  • Continuous monitoring or regular penetration testing

This affects how you use tools like Drake Tax, Lacerte, UltraTax, and Thomson Reuters CS. Using these tools isn’t enough; you need to configure them securely and document your processes.

If you skip these steps and there’s a breach, you may be held responsible under federal enforcement guidelines. In some cases, even client contracts now reference GLBA or FTC expectations.

Where Ohio SMB Firms Fall Behind

Most small and mid-sized accounting firms in Cleveland, Akron, and Columbus aren’t ignoring security; they just don’t know where their gaps are. They rely on general IT support or default software settings, assuming those are enough. They’re not.

Compliance is about process, not just tools. Securafy helps firms document and implement those processes without adding unnecessary overhead. That includes creating your WISP, configuring MFA, reviewing vendor security, and preparing for an audit or breach event.

The Top Cybersecurity Threats Facing Accounting Firms in 2025

Cyber threats against accounting firms are more frequent and targeted than ever. Attackers know you’re handling sensitive financial data, and that many small firms lack the time or technical staff to maintain secure systems.

In 2025, threat patterns are shifting from generic attacks to industry-specific tactics. That includes targeting popular tax software, exploiting remote work setups, and impersonating financial institutions. Here’s what your firm should expect, and how to prepare.

1. Ransomware Targeting Tax Platforms and File Servers

Ransomware remains the top threat for accounting firms. Attackers encrypt your client files and demand payment for access. These incidents often strike during tax season, when your workload is highest and your tolerance for downtime is lowest.

We’ve seen attacks launched through malicious email attachments or unpatched vulnerabilities in platforms like:

  • Drake Tax

  • Lacerte

  • UltraTax CS

  • Local network file shares

In some cases, attackers also steal data before encrypting it, then threaten to leak it publicly unless the firm pays.

Ohio firms that lack secure backups or segmented networks are especially vulnerable. Without protections like endpoint detection and recovery systems, you may have no way to recover.

2. Phishing Emails Impersonating the IRS or Financial Institutions

Phishing tactics have evolved. Attackers now spoof IRS emails, refund notices, or bank statements with realistic branding and urgent calls to action. They may send:

  • Fake “e-file” error alerts with malware

  • Spoofed client messages with infected attachments

  • IRS-style messages linking to credential-stealing websites

These emails often bypass basic spam filters and land in Microsoft 365 or Gmail inboxes. Firms without advanced email security (like Microsoft Defender or Proofpoint) are more likely to fall for them.

Phishing simulations and training can reduce click rates, but detection tools are just as important.

3. Business Email Compromise (BEC)

BEC is when someone gains access to your firm’s email account and uses it to commit fraud. For example, they may:

  • Send fake wire instructions to a client

  • Approve an internal transfer

  • Redirect payroll or invoice payments

Attackers often wait silently after breaking into an account. They monitor conversations, then strike at the right moment.

This has happened to firms in Columbus and Akron, where outdated Microsoft 365 settings lacked multi-factor authentication. Once inside, attackers forwarded emails and deleted alerts to cover their tracks.

4. Insider Threats from Staff or Contractors

Insider threats don’t have to be malicious. Accidental actions by untrained team members are one of the most common causes of data exposure.

We’ve seen examples where:

  • A junior accountant sent tax records to the wrong email address

  • A remote contractor saved client files to an unsecured Dropbox folder

  • A team member clicked a link that installed a remote access trojan

Without policies, logging, or alerts in place, these actions often go unnoticed until it’s too late.

5. Unsecured Remote Access

Firms using remote staff, seasonal workers, or virtual office setups may lack consistent security controls. Common issues include:

  • Remote desktop access without MFA

  • Inconsistent antivirus coverage on home devices

  • VPNs without split tunneling controls

These gaps make it easy for attackers to move laterally into your systems. In Ohio, we’ve worked with firms that had no visibility into contractor devices, even though those devices were handling live client data.

Securafy's Response

We help firms across Ohio defend against these threats by:

  • Deploying managed detection tools (EDR) across all workstations

  • Hardening Microsoft 365 and Google Workspace environments

  • Running phishing simulations and staff training quarterly

  • Creating real incident response plans customized for accounting firms

  • Monitoring cloud platforms like QuickBooks Online, Xero, and Drake for suspicious activity

Most threats are preventable when the right controls are in place. But reacting after a breach is far more expensive, and more damaging to client trust.

Free Download: The Executive’s Guide to Co-Managed and Outsourced IT

Ideal for firm leaders looking to reduce risk and improve compliance without adding internal IT headcount.

Download the Free Guide

Building a Compliance-Driven Cybersecurity Program

If you're running an accounting or tax firm, your cybersecurity program isn’t just about keeping hackers out; it’s about meeting documented expectations from regulators and clients. SOX, GLBA, and the FTC Safeguards Rule all require controls around data access, security planning, and incident response. But most small firms don’t know where to start.

You don’t need dozens of tools. You need the right ones, configured properly, supported by documented processes. Here's what that looks like.

A. Risk Assessments and Written Security Plans

Start with a basic risk assessment. This is required under both GLBA and the FTC Safeguards Rule. You need to understand:

  • What data you store (tax returns, payroll files, account numbers)

  • Where that data is stored (local servers, QuickBooks, cloud apps)

  • Who has access (staff, contractors, vendors)

  • What could go wrong (phishing, ransomware, insider error)

This assessment forms the basis for your Written Information Security Program (WISP). If you’re audited, this is one of the first things they’ll ask for.

Securafy provides templates and advisory support to help small firms build compliant WISPs without wasting time on fluff or irrelevant documentation.

B. Access Controls and Monitoring

Regulations expect you to control and monitor who can access client data.

At minimum, your firm should:

  • Use role-based access controls (not everyone needs access to everything)

  • Separate admin accounts from daily use

  • Turn on audit logging for file access and email activity

You can implement this with:

  • Microsoft 365 Business Premium (with Conditional Access policies)

  • QuickBooks Enterprise (with user roles and permissions)

  • Endpoint monitoring platforms like SentinelOne or Datto RMM

Without logging or alerts, you won’t know when something goes wrong, and you’ll have no proof that your firm took reasonable steps to protect data.
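The audit logging this section calls for is what makes the BEC pattern described earlier (an attacker adding a forwarding rule and deleting the evidence) visible. As an added example that is not part of the original guide or Securafy's tooling, the Python script below scans constructed audit records in the shape of Exchange Online admin-audit entries for inbox rules that forward mail outside the firm or delete messages; the field names, the internal domain, and the sample records are assumptions for the example.

```python
"""Flag mailbox rule changes that match the BEC persistence pattern.

Every record below is a constructed sample (not real log data) modelled on
the Operation + Parameters shape of Exchange Online admin-audit entries.
Field names and the internal domain are assumptions for this example.
"""
import json

# Domains the firm legitimately sends mail from (assumption for the example).
INTERNAL_DOMAINS = {"examplecpa.test"}

# Exchange operations that create or modify mailbox rules or forwarding.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Parameters whose value sends a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}

# Constructed sample log: one JSON record per line.
SAMPLE_LOG = """\
{"CreationTime":"2025-03-03T14:02:11","UserId":"jdoe@examplecpa.test","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collect@mail-drop.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-03-03T09:15:40","UserId":"asmith@examplecpa.test","Operation":"New-InboxRule","ClientIP":"198.51.100.22","Parameters":[{"Name":"Name","Value":"Payroll to folder"},{"Name":"MoveToFolder","Value":"Payroll"}]}
{"CreationTime":"2025-03-04T16:40:02","UserId":"jdoe@examplecpa.test","Operation":"Set-Mailbox","ClientIP":"203.0.113.7","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:outside@gmail.example"}]}
{"CreationTime":"2025-03-04T10:00:00","UserId":"bkeeper@examplecpa.test","Operation":"Set-InboxRule","ClientIP":"198.51.100.22","Parameters":[{"Name":"ForwardTo","Value":"partner@examplecpa.test"}]}
{"CreationTime":"2025-03-04T10:05:00","UserId":"bkeeper@examplecpa.test","Operation":"MailItemsAccessed","ClientIP":"198.51.100.22","Parameters":[]}
"""


def _clean_address(value: str) -> str:
    """Normalise a forwarding target: lower-case and drop the 'smtp:' prefix."""
    addr = value.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr


def _domain(address: str) -> str:
    """Return the domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def external_targets(params: list) -> list:
    """Return forwarding targets whose domain is not one of the firm's own."""
    targets = []
    for p in params:
        if p.get("Name") not in FORWARD_PARAMS:
            continue
        # A rule may list several recipients separated by ';'.
        for raw in str(p.get("Value", "")).split(";"):
            addr = _clean_address(raw)
            if addr and _domain(addr) not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets


def deletes_mail(params: list) -> bool:
    """True when the rule deletes matching messages (hides them from the user)."""
    return any(p.get("Name") == "DeleteMessage"
               and str(p.get("Value", "")).lower() == "true" for p in params)


def assess(record: dict):
    """Return a finding dict for a suspicious rule change, or None."""
    if record.get("Operation") not in RULE_OPS:
        return None
    params = record.get("Parameters", [])
    reasons = []
    ext = external_targets(params)
    if ext:
        reasons.append("forwards mail outside the firm to " + ", ".join(ext))
    if deletes_mail(params):
        reasons.append("deletes matching messages, hiding the activity")
    if not reasons:
        return None
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "operation": record.get("Operation"),
        "client_ip": record.get("ClientIP"),
        # External forwarding is the strongest BEC signal; deletion alone is medium.
        "severity": "high" if ext else "medium",
        "reasons": reasons,
    }


def find_bec_indicators(log_text: str) -> list:
    """Parse JSON-lines audit records and return findings sorted by time."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess(json.loads(line))
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_bec_indicators(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['user']} ({f['operation']} "
              f"from {f['client_ip']}): " + "; ".join(f["reasons"]))
```

Run against your exported audit log instead of SAMPLE_LOG, and treat any "high" finding as a trigger for the incident response steps described later in this guide.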

C. Encryption and Secure Storage

Regulators expect encryption of data both “at rest” and “in transit.”

That means:

  • Files stored on your computer or cloud should be encrypted automatically

  • Emails and file transfers should be encrypted end-to-end

Common tools include:

  • SmartVault or ShareFile for client file sharing

  • Microsoft Purview or Virtru for encrypted email

  • Built-in encryption in CaseWare Cloud, CCH Axcess, or Thomson Reuters CS Suite

Don’t rely on Dropbox or Google Drive unless you've configured security settings carefully. Many breaches happen because staff assume “cloud = secure” by default.

D. Incident Response Planning

If something does go wrong, and eventually it will, you need a plan. Regulators and clients will expect you to act quickly and document your actions.

A basic incident response plan should include:

  • How you detect and confirm a breach

  • Internal roles and contact list for escalation

  • Notification templates for clients and regulators

  • Backup and recovery steps

Securafy helps firms create realistic, audit-ready IR plans that map to your systems, team size, and risk exposure. We also test these plans with simulated breach scenarios.

Practical Reality for Ohio Firms

In cities like Cleveland, Akron, Medina, and Columbus, many firms assume they’re too small to need this level of planning. But it’s these same firms that face the most risk, because they often run lean, rely heavily on seasonal staff, and haven’t reviewed their systems in years.

A compliance-driven cybersecurity program doesn’t have to be complex. It just has to be specific, documented, and aligned to your actual operations.

Cloud & Vendor Risk Management for Accounting Firms

Accounting firms rely on software and cloud platforms to operate. From tax prep tools and file sharing systems to outsourced bookkeeping and payroll apps, third-party vendors are everywhere. But when those vendors are compromised, or misconfigured, you’re still the one responsible for the data.

If your firm uses platforms like QuickBooks Online, Drake Tax, or SmartVault, you need a way to evaluate and manage their security. This isn’t just a best practice. Under GLBA and the FTC Safeguards Rule, it’s required.

The Risk Isn’t Just Technical, It’s Contractual

Every vendor you use to store, process, or transmit client financial data should be reviewed. This includes:

  • Tax software providers

  • Document storage tools

  • Payroll or HR systems

  • Remote bookkeeping services

  • IT service providers with access to your network

What you’re looking for is whether their security practices meet your obligations under compliance rules. That includes encryption, access control, breach notification timelines, and subcontractor use.

Key Questions to Ask Every Vendor

  1. Do you encrypt data at rest and in transit?

  2. Do you support and enforce MFA for all user logins?

  3. Where is data stored: U.S. only, or internationally?

  4. Do you have a current SOC 2 Type II certification?

  5. What’s your process if there’s a data breach involving our client data?

  6. Can we restrict or audit your staff’s access to our files?

If vendors can’t answer these questions clearly, or try to dodge them, that’s a red flag.

High-Risk Vendor Scenarios We See Often

  • Firms using tax software that stores data on local machines with no encryption

  • Shared logins between staff and contractors in QuickBooks or Xero

  • Remote contractors accessing SmartVault via personal devices with no antivirus

  • File sharing through Dropbox with public links enabled

  • Third-party IT firms with admin-level access and no security documentation

You don’t need to eliminate these vendors, but you do need to document your expectations and restrict how data flows through their systems.

Tools to Help

  • Vendor risk register (track vendors, their access, and their certifications)

  • Contract language specifying breach response and compliance requirements

  • Annual review of vendor security documentation (SOC reports, policies, certifications)

Securafy helps firms maintain a vendor risk program that fits the real world. We provide templates, review checklists, and advice on contract language that aligns with FTC and GLBA expectations.

Ohio Firms Are Especially Vulnerable

In smaller firms across Medina, Painesville, and Columbus, we often see vendors chosen based on cost or convenience, with no security review at all. That’s understandable. But it creates real liability. If one of these vendors gets breached, you’ll be the one explaining what steps were, or weren’t, taken.

Managing vendor risk doesn’t mean avoiding third-party tools. It means asking the right questions, getting documentation, and limiting access where possible.


Training & Security Culture for Accounting Teams

Most cybersecurity breaches start with a person, not a piece of software. That’s why employee training is not optional. It’s a requirement under the FTC Safeguards Rule, the GLBA, and every modern cybersecurity framework.

Training helps your team recognize threats before they turn into incidents. It also shows auditors and regulators that you’ve taken “reasonable steps” to protect client data. But for it to work, the training must be specific, ongoing, and part of your firm’s daily operations, not just a once-a-year checkbox.

Why Training is Now a Compliance Requirement

If your firm handles financial data, you’re required to educate your staff about security risks. The FTC and GLBA rules specifically reference training as a control for:

  • Phishing and social engineering

  • Password management

  • Secure access to client data

  • Use of encryption and secure communication channels

  • Safe handling of sensitive documents

In small firms, this applies to everyone, not just CPAs. Admin staff, part-time bookkeepers, and remote contractors must also be included.

What Good Training Looks Like

You don’t need long lectures or corporate-style LMS platforms. The most effective training is short, focused, and repeated regularly.

At a minimum, cover:

  • How to spot phishing emails (with real examples)

  • How to send client documents securely (no Dropbox or Gmail attachments)

  • Why MFA is required and how to use it

  • What to do if a device is lost or compromised

  • When and how to report suspicious activity

Include internal policies too. Your team should know your firm’s stance on personal device use, cloud storage, and password reuse.

Tools That Work for Small Firms

For SMBs in Ohio, the goal is fast deployment and consistent results, not big training budgets.

We recommend:

  • KnowBe4 – Industry leader in phishing simulations and video training

  • Curricula – Story-based cybersecurity lessons designed for non-technical teams

  • Trainual or Clio Grow – For creating custom firm-specific policy training

Securafy offers these tools bundled with our cybersecurity support. We help you set the schedule, track participation, and adjust based on real risks.

How Often Should You Train?

  • At onboarding (non-negotiable)

  • At least once a year for all employees

  • After any real or suspected breach

  • Whenever you roll out new software or security tools

Training doesn’t have to be formal to be effective. A 10-minute phishing quiz every quarter will help your staff stay alert and confident.

What We See in Ohio Firms

Firms in Akron, Columbus, and Cleveland often rely on one-time training, or informal reminders. That’s not enough. Regulators now expect documentation. If you can’t show who was trained, on what topics, and when, it’s as if it didn’t happen.

We’ve also seen firms avoid training to “save time.” But every hour of training avoided now could lead to days of incident response later. Most successful attacks are caused by one mistake: a clicked link, an insecure file, or a reused password.

Securafy helps firms build practical, repeatable training programs. We manage the schedule, provide content, and track results, so you stay compliant and protected without making training a burden.

Co-Managed IT vs. Outsourced Cybersecurity: What’s Right for Your Firm?

Most accounting firms already work with some form of IT support, either internal, outsourced, or a mix of both. But not all IT providers offer true cybersecurity. And as compliance requirements grow, many firms are realizing they need more than basic tech help. They need a partner focused on risk, not just repair.

This is where the distinction between general IT support and cybersecurity matters. It’s also where co-managed IT comes in: a model that gives your firm more control, more visibility, and more compliance support without hiring a full in-house security team.

What Most IT Providers Offer

Traditional IT support covers:

  • Helpdesk for login issues, printer problems, and software installs

  • Network setup and basic troubleshooting

  • Antivirus installation and software updates

  • Microsoft 365 or email administration

These services are useful, but they don’t include:

  • Risk assessments

  • Compliance documentation

  • Phishing simulations

  • Incident response planning

  • Secure vendor reviews

If your provider doesn’t mention GLBA, the FTC Safeguards Rule, or written security policies, you’re probably missing critical protections.

What a Cybersecurity Partner Like Securafy Offers

A cybersecurity-first provider focuses on:

  • Protecting client financial data

  • Meeting legal and ethical obligations

  • Defending against targeted attacks

  • Documenting security controls for audits

  • Supporting compliance with SOX, GLBA, and FTC rules

This includes:

  • 24/7 threat detection and response (EDR)

  • Security awareness training for staff

  • Vendor and software risk reviews

  • Policy and procedure documentation

  • Local support for Ohio firms during audits, incidents, or client reviews

What is Co-Managed IT?

Co-managed IT is a flexible model where your internal team or current IT vendor handles day-to-day support, and a cybersecurity partner like Securafy adds the specialized security services you’re missing.

This approach works especially well for:

  • Small firms with part-time IT staff

  • Mid-sized firms with no formal security program

  • Firms that already use Microsoft 365, QuickBooks, or cloud-based tax tools

  • Multi-location practices that need centralized policy enforcement

You keep control of your systems, but gain access to the tools, templates, and monitoring that support your compliance goals.

Quick Comparison
Service General IT Provider Cybersecurity Partner (Securafy)
Helpdesk support
Email and device setup
GLBA / FTC compliance
Written security policies
Phishing simulations
Microsoft 365 hardening
Legal vendor risk reviews
Local audit support (Ohio)

Why Ohio Firms Are Making the Switch

Firms in Columbus, Medina, and Painesville often outgrow their general IT provider once compliance questions start coming up, from regulators, clients, or insurance companies. When that happens, they either scramble to meet requirements or look for a security-focused partner who already understands the accounting industry.

Co-managed cybersecurity means:

  • You don’t need to replace your IT vendor

  • You get documented protections that auditors understand

  • You avoid the learning curve of doing it all in-house

  • You reduce your risk without overspending on tools you don’t need


Regional Spotlight: Ohio Accounting Firms and Cyber Risk

Cybersecurity risks aren’t limited to large cities or high-profile firms. Across Ohio, small and mid-sized accounting practices are being targeted in ways that directly threaten their operations, reputations, and compliance standing. The risks may look different in Columbus than they do in Medina, but the exposure is real, and growing.

Securafy has worked with accounting firms throughout the state. We’ve seen how resource constraints, outdated systems, and vendor reliance put firms in a vulnerable position, especially during tax season.

Local Threat Trends We’re Seeing

  1. Ransomware hits during peak season.
    Firms in Cleveland and Akron have been locked out of tax prep platforms after attackers used phishing emails to deploy ransomware. In many cases, backups were either missing or untested.

  2. Wire fraud in payroll and trust accounts.
    BEC attacks have led to fraudulent ACH transfers in small firms that didn’t have dual-approval controls. Attackers used compromised Microsoft 365 accounts to trick staff into sending money.

  3. Data exposure through unvetted software vendors.
    Firms using low-cost, cloud-based bookkeeping apps without verifying their encryption or breach notification practices found themselves caught in vendor-related incidents. Most had no vendor risk assessments on file.

  4. Inconsistent protections in hybrid environments.
    In towns like Painesville and Medina, remote staff working without endpoint protection or secure VPN access have introduced malware and exposed client data. Personal laptops and public Wi-Fi remain common entry points.

The Compliance Pressure Is Real

Many Ohio-based firms still believe compliance rules don’t apply to them. But as soon as a breach occurs, the FTC, state regulators, or even clients will start asking questions. The most common gaps we see:

  • No documented security policies (WISP)

  • No MFA enforcement

  • No formal vendor review process

  • No phishing training for staff

Failing to address these areas leaves firms exposed not just to attackers, but to legal liability and audit failure.

How Securafy Supports Ohio Accounting Firms

We specialize in helping accounting firms in Ohio build realistic, defensible cybersecurity programs. We understand that your team is small, your tools are already in place, and you don’t have time for fluff. Our focus is on delivering what matters.

What we offer:

  • Local security assessments tailored to Ohio compliance expectations

  • Documentation support for GLBA, FTC Safeguards Rule, and SOX

  • Training, phishing simulations, and audit preparation

  • Microsoft 365 hardening and real-time threat monitoring

  • Vendor reviews specific to the tools Ohio firms actually use (Drake, QuickBooks, SmartVault, etc.)

Whether you’re in Columbus, Medina, or Cleveland, we deliver cybersecurity that matches your operations, not a one-size-fits-all service from an out-of-state provider.

FAQs: Cybersecurity and Compliance for Accounting Firms

This FAQ covers the questions we hear most from CPA firms, tax professionals, and financial service providers in Ohio. The answers focus on compliance, practical tools, and security expectations specific to small and mid-sized firms.

1. Does my small accounting firm really need to follow the FTC Safeguards Rule?

Yes. If you prepare taxes, manage financial data, or provide payroll or advisory services, the FTC considers you a “financial institution” under the Safeguards Rule. This applies even if you're a solo practitioner. The rule requires you to maintain:

  • A written information security program

  • Regular risk assessments

  • Encryption and MFA

  • Staff training

  • Vendor oversight

Failure to comply may result in fines or enforcement action after a breach.

2. What does SOX say about cybersecurity?

If your firm works with publicly traded companies, the Sarbanes-Oxley Act (SOX) applies. It requires IT controls to protect the integrity of financial reporting. That includes:

  • Access control and audit trails

  • Change management for financial systems

  • Data backup and retention

These expectations often overlap with GLBA and general cybersecurity frameworks like NIST.

3. Is QuickBooks Online secure enough for client data?

QuickBooks Online is secure by design, but only if configured properly. You should:

  • Enable MFA for all users

  • Set role-based permissions (don’t give full access to everyone)

  • Review login and access logs regularly

  • Avoid sharing credentials

Consider using a secure client portal like SmartVault or ShareFile to share sensitive data instead of giving clients direct QBO access.

4. How do I know if my tax software vendor is compliant?

Ask for:

  • SOC 2 Type II reports

  • Encryption details (at rest and in transit)

  • MFA capabilities

  • Breach notification policies

Vendors like Drake, Lacerte, and UltraTax can meet compliance standards, but you need to confirm that their security settings are properly implemented on your end.

5. What tools help with GLBA and FTC documentation?

  • WISP templates (Securafy provides these)

  • Vendor risk register (track SOC reports, breach response)

  • KnowBe4 for phishing training logs

  • Microsoft 365 Secure Score for policy tracking

  • Endpoint detection logs (e.g., SentinelOne, CrowdStrike)

All documentation should be reviewed annually and updated after major incidents or changes to your tech stack.

6. Does Ohio have specific cybersecurity laws for accounting firms?

Yes. Ohio requires notification to affected residents if unencrypted personal data is compromised. This applies to both digital and paper records. Notification must happen “without unreasonable delay” and include details about the breach, the type of data affected, and contact instructions.

Ohio also provides Safe Harbor protection for firms that adopt recognized cybersecurity frameworks (e.g., NIST, GLBA, ISO 27001). This can reduce legal exposure after a breach.

7. How do I train my team on cybersecurity?

Use tools like:

  • KnowBe4 for phishing simulations and awareness modules

  • Curricula for short, non-technical lessons

  • Trainual to document and test your firm’s specific data handling rules

Train everyone at onboarding, then at least once a year. More often if you deploy new systems or experience a breach.

8. What’s the difference between general IT support and cybersecurity?

IT support focuses on:

  • Fixing login issues

  • Installing software

  • Maintaining basic operations

Cybersecurity focuses on:

  • Preventing breaches

  • Complying with legal and ethical rules

  • Detecting threats before they spread

  • Responding to incidents

If your provider can’t speak to GLBA, FTC, or SOX expectations, they’re likely not offering full cybersecurity support.

9. Should I use Google Drive or Dropbox for client files?

Not without configuration. Both tools can be secured, but most firms use them with default settings that allow public link sharing and lack encryption at rest. Use a tool designed for accounting file storage, like:

  • SmartVault

  • ShareFile

  • CaseWare Cloud

These offer stronger controls, audit trails, and permissions built for financial documents.

10. How often should we do a risk assessment?

At least annually. Also after:

  • A breach or close call

  • Major software or vendor changes

  • Expanding remote access or adding new staff

Document your findings, review policies, and adjust access controls based on what you learn.
