5 Email Security Best Practices for Accounting Firms

Accounting firms make lucrative targets for cyberattackers because they routinely hold sensitive personal and financial client information. To protect that data, a firm needs to understand which risks it is exposed to and take concrete steps to reduce them.

According to the IRS, around 91% of all cyberattacks start with a phishing email that entices the user to open a link or attachment containing malware. Once the malware is downloaded, the attacker can steal passwords, track keystrokes, or gain access to sensitive client data in a computer system. And as email volumes continue to rise, so does the risk of email-based attacks.

Protecting against these sophisticated threats requires a multi-layered approach. Accounting firms can strengthen their cyber defenses to protect confidential client data by following these five email security best practices.

5 Email Security Best Practices

1. Email Encryption

Many email privacy laws and compliance regulations mandate email encryption, which scrambles the content of a message so that it cannot be read in transit before it reaches the recipient’s server. Encrypted email and file sharing make messages harder to intercept, which helps protect against phishing, spoofing, and other attempted cyberattacks. Security features like password protection, multi-factor authentication, and user authorization ensure that only the intended recipient can access private information.
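The protection described above applies while a message is moving between servers, and each receiving server records whether the hop that delivered the message used TLS in the Received header it adds. The Python script below is an added example written for this page, not code from the original article or from McGowanPRO: it parses those headers from a constructed sample message and lists any hop that shows no sign of encryption. The host names, addresses and message text are made up. Only the Received lines written by servers you control can be trusted; earlier lines are written by other parties and cannot be verified from the message alone.

```python
import email
import re
from email import policy

# Protocol tokens after "with" in a Received header that indicate a TLS hop
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS"}

# Constructed sample message (not a real capture). The hop into the client's
# server used TLS (ESMTPS); the internal hop before it was plain ESMTP.
SAMPLE_RAW = b"""\
Received: from mx.example-firm.test (mx.example-firm.test [192.0.2.10])
\tby mail.client.test with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 3 Jan 2023 10:00:00 +0000
Received: from workstation.example-firm.test ([192.0.2.55])
\tby mx.example-firm.test with ESMTP id def456;
\tTue, 3 Jan 2023 09:59:58 +0000
From: "Jane Accountant" <jane@example-firm.test>
To: client@client.test
Subject: Your 2022 return
Content-Type: text/plain

Attached is the draft return.
"""


def parse_received_hops(raw: bytes) -> list:
    """Return one dict per Received header, most recent hop first.

    Each dict records the sending host, the receiving host, the protocol
    token after "with", and whether that token (or a "version=TLS" note)
    shows the hop was encrypted.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold and normalise whitespace
        with_m = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        proto = with_m.group(1).upper() if with_m else ""
        tls = proto in TLS_PROTOCOLS or bool(re.search(r"\bversion=TLS", text, re.I))
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": from_m.group(1) if from_m else "",
            "by": by_m.group(1) if by_m else "",
            "protocol": proto,
            "tls": tls,
        })
    return hops


def unencrypted_hops(raw: bytes) -> list:
    """Hops whose Received header shows no sign of TLS."""
    return [hop for hop in parse_received_hops(raw) if not hop["tls"]]


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_RAW):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']} [{hop['protocol']}] {state}")
```

Run against the sample, the script reports the hop from the workstation to the firm's own mail server as plaintext, which is the kind of internal gap a firm can fix by requiring TLS between its own systems. Transport encryption says nothing about who sent the message; a phishing email can arrive over a perfectly encrypted connection.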

2. Client Portals

Rather than sending sensitive attachments like tax returns via email, accounting firms might consider exchanging documents through secure client portals instead. These password-protected file-sharing portals offer a convenient alternative to email, often with robust built-in security features. They store data safely online instead of sending Social Security numbers and other personal information through unprotected email servers. Clients log in through a link from their accountant to access their private financial documents.

3. Regulatory Compliance

Various email privacy laws and compliance regulations define the type of information that financial services providers can share via email. These regulatory requirements should be the foundation of your firm’s email security policy. For example:

  • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain how they protect their clients’ confidential information and share consumers’ data while allowing customers to opt out of data-sharing with third parties.
  • The Securities and Exchange Commission (SEC) Rule 17a-4 requires financial services brokers and dealers to retain electronic client correspondence for at least six years.
  • The Federal Rules of Civil Procedure (FRCP) require all organizations to maintain complete email archives so that electronically stored information is accessible in case of litigation.

Heeding relevant industry regulations is key to implementing email security best practices: it keeps client data safe and your firm compliant.

4. Email Archives

Several email privacy laws and compliance regulations require companies to retain email messages for internal audits, investigations, or litigation. By systematically archiving emails, financial firms can keep a thorough record of all email correspondence that can be easily accessed, whether for business or legal purposes.

Email archiving involves securely storing messages either in the cloud or on-premises, where content can be easily searched and audited but not altered or deleted. Archiving not only keeps firms legally compliant but can also ensure smooth data recovery and business continuity.
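One way to make an archive searchable and auditable but not silently alterable is to keep a hash chain over the stored messages: each index entry commits to the message's digest and to the previous entry, so altering or removing a message, or dropping an index entry, breaks the chain on the next audit. The Python below is an added illustration for this page, not code from the original article or from any archiving product; the message IDs and message contents are constructed.

```python
import hashlib
import json

# Constructed sample messages (not real correspondence), keyed by archive ID
SAMPLE_MESSAGES = {
    "msg-1": b"From: jane@example-firm.test\r\nSubject: Engagement letter\r\n\r\nAttached.\r\n",
    "msg-2": b"From: client@client.test\r\nSubject: Re: Engagement letter\r\n\r\nSigned copy attached.\r\n",
    "msg-3": b"From: jane@example-firm.test\r\nSubject: Draft return\r\n\r\nPlease review.\r\n",
}

GENESIS = "0" * 64  # previous-hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(seq: int, message_id: str, message_hash: str, prev_hash: str) -> str:
    # Deterministic encoding of the fields the entry commits to
    return sha256_hex(json.dumps([seq, message_id, message_hash, prev_hash]).encode())


class ArchiveLedger:
    """Append-only index: every entry chains to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, message_id: str, raw: bytes) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        seq = len(self.entries)
        message_hash = sha256_hex(raw)
        entry = {
            "seq": seq,
            "message_id": message_id,
            "message_hash": message_hash,
            "prev_hash": prev,
            "entry_hash": _entry_hash(seq, message_id, message_hash, prev),
        }
        self.entries.append(entry)
        return entry


def verify_archive(entries: list, store: dict) -> list:
    """Audit the index against the stored messages; return a list of problems."""
    problems = []
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if e["seq"] != expected_seq:
            problems.append(f"gap or reordering at entry {expected_seq}")
        if e["prev_hash"] != prev:
            problems.append(f"chain broken at entry {e['seq']}")
        if _entry_hash(e["seq"], e["message_id"], e["message_hash"], e["prev_hash"]) != e["entry_hash"]:
            problems.append(f"index entry {e['seq']} altered")
        raw = store.get(e["message_id"])
        if raw is None:
            problems.append(f"message {e['message_id']} missing from store")
        elif sha256_hex(raw) != e["message_hash"]:
            problems.append(f"message {e['message_id']} content altered")
        prev = e["entry_hash"]
    return problems


def build_sample_archive():
    ledger, store = ArchiveLedger(), {}
    for message_id, raw in SAMPLE_MESSAGES.items():
        store[message_id] = raw
        ledger.append(message_id, raw)
    return ledger, store


def demo() -> dict:
    """Audit results for an intact archive and three tampering scenarios."""
    ledger, store = build_sample_archive()
    results = {"intact": verify_archive(ledger.entries, store)}
    altered = dict(store)
    altered["msg-2"] = altered["msg-2"].replace(b"Signed", b"Unsigned")
    results["altered"] = verify_archive(ledger.entries, altered)
    missing = dict(store)
    del missing["msg-3"]
    results["deleted-message"] = verify_archive(ledger.entries, missing)
    pruned = ledger.entries[:1] + ledger.entries[2:]  # index entry quietly removed
    results["deleted-entry"] = verify_archive(pruned, store)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "OK")
```

A chain like this detects tampering; it does not prevent it. The latest entry hash should therefore be recorded somewhere the archive administrators cannot rewrite, such as a separate log or a periodic attestation kept by the firm's auditor, so that a complete rewrite of the chain is also detectable.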

5. Employee Training

Even the most robust email security policy is useless if your employees let their guard down. Regular cybersecurity training equips your team with the diligence and vigilance they need to spot suspicious email phishing attempts. For example, your firm’s email security training may emphasize:

  • Creating strong email passwords
  • Identifying the telltale signs of email spam
  • Verifying sensitive requests in person or on the phone
  • Limiting email administrator privileges to as few users as necessary

Most data breaches happen because of human error, so train your staff to avoid costly email mistakes that can leave your firm vulnerable to cyberattacks.
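The signs your staff are trained to recognize can also be checked mechanically before a message reaches the reader, which complements training rather than replacing it. The Python below is an added example for this page, not code from the original article or from McGowanPRO: it flags a lookalike sender domain, a familiar display name on an outside address, a Reply-To that points elsewhere, urgency language, and requests involving money or tax data, and then says whether the firm's rule to verify sensitive requests in person or by phone applies. The firm domain, staff names and both sample messages are constructed.

```python
import email
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-firm.test"                 # assumed firm domain (constructed)
KNOWN_STAFF = {"pat partner", "jane accountant"}    # assumed staff display names (constructed)
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "right away")
SENSITIVE_WORDS = ("wire", "transfer", "w-2", "ssn", "social security", "gift card", "routing number")

# Constructed suspicious message: lookalike domain (digit 1 for letter l),
# spoofed partner name, outside Reply-To, urgency, and a payment request.
SUSPECT_RAW = b"""\
From: "Pat Partner" <pat.partner@examp1e-firm.test>
Reply-To: <accounts@mailbox-free.test>
To: jane@example-firm.test
Subject: URGENT: client wire transfer today
Content-Type: text/plain

Jane, please send the wire transfer for the Smith account before noon.
"""

# Constructed routine internal message for comparison
LEGIT_RAW = b"""\
From: "Pat Partner" <pat.partner@example-firm.test>
To: jane@example-firm.test
Subject: Quarterly planning meeting
Content-Type: text/plain

Agenda for next week attached.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw: bytes) -> list:
    """Return the list of telltale signs found in a raw message."""
    msg = email.message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)

    # Sender domain almost, but not exactly, the firm's own domain
    if from_domain and from_domain != TRUSTED_DOMAIN and 1 <= edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # A colleague's name shown on an address outside the firm
    if name.strip().lower() in KNOWN_STAFF and from_domain != TRUSTED_DOMAIN:
        findings.append("display-name-spoof")
    # Replies silently redirected to a different domain
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-language")
    if any(word in text for word in SENSITIVE_WORDS):
        findings.append("sensitive-request")
    return findings


def needs_out_of_band_verification(raw: bytes) -> bool:
    """The firm's rule: any request touching money or tax data is confirmed by phone or in person."""
    return "sensitive-request" in triage_message(raw)


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("legit", LEGIT_RAW)):
        print(label, triage_message(raw), "verify out of band:", needs_out_of_band_verification(raw))
```

Keyword lists like these are deliberately simple and will produce both misses and false alarms; the value is in surfacing the same indicators staff are taught to look for, so a flagged message arrives with the reasons visible and the verification step is prompted rather than left to memory.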

Executing Best Practices

Even if your accounting firm follows all the recommended email security best practices, the threat of cybercrime still lurks in every inbox throughout the financial sector. All it takes is one oblivious click on a spammy email attachment to unleash a damaging attack on your confidential client information. Safeguarding your data is a constant challenge with potentially catastrophic consequences.

To effectively manage the risks inherent in email, financial firms need a holistic approach to protecting sensitive data, which should always include a cyber insurance policy in addition to a robust risk management program.

When selecting your cyber insurance policy, set yourself up for success by working with a professional insurance agency that understands your business and the industry.

The experts at McGowanPRO can provide you with the knowledge and information you need to protect your business in the event of a security breach. For more information on Security and Data Privacy Liability Insurance, contact Rob Ferrini, McGowanPRO Program Manager, at rferrini@mcgowanprofessional.com.