The IRS Security Six: What Tax Professionals Need to Know

     

      Clients trust accounting and tax firms with some of their most sensitive financial and personal information. Several employees of a tax firm have access to this sensitive information during the tax season. That makes tax practices a clear target for cybercriminals.

      A data breach at a tax firm is not just a minor glitch in its IT systems. It can damage its reputation and create legal, regulatory, and client trust issues. This is why the IRS continues to remind tax professionals about the “Security Six.”

      The Security Six are six important security measures that every tax professional should have in place. They are not complicated ideas, but they do require discipline, proper setup, and regular review.

      In this article, we look at what the IRS Security Six means, why it matters, and how tax professionals can apply it in daily practice.

      Why Should Tax Professionals Care About the IRS Security Six?

      Tax firms handle highly sensitive client information, including Social Security numbers, income records, bank details, and tax documents. If this data is compromised, cybercriminals can use it to file fraudulent returns, steal refunds, open accounts, or commit broader identity fraud.

      Many small and mid-sized firms assume they are too small to be targeted. In reality, smaller tax practices can be attractive targets because they may rely on outdated systems, weak access controls, or limited cybersecurity resources.

      For tax professionals, data security is not optional. Protecting client information is both a business responsibility and a compliance requirement. The IRS Tax Security 2.0 checklist encourages tax professionals to follow the Security Six, maintain a written data security plan, stay alert to phishing attempts, and monitor for signs of client data theft.

      Firms are expected to document their security practices and take reasonable steps to protect taxpayer data from unauthorized access, misuse, and theft.

      That is why the Security Six should not be viewed as an extra layer of protection. It should be treated as a core part of daily firm operations, just like tax software, document management, client onboarding, workflow review, and quality control.

      What Exactly Are the IRS Security Six?

      The IRS Security Six includes:

      1. Antivirus software
      2. Firewalls
      3. Multi-factor authentication
      4. Backup software or services
      5. Drive encryption
      6. Virtual Private Networks (VPNs)

      While these measures may seem straightforward, each plays an important role in reducing cybersecurity risks. Let’s explore each of the Security Six in detail and their potential uses.

      1. Antivirus Software

      Antivirus software helps detect and block malicious programs that can corrupt your system. These programs can come in the form of email attachments, unsafe downloads, infected websites, or compromised files.

      During tax season, tax firms receive a large volume of client documents by email, which makes antivirus protection especially important for them. A single infected attachment can cause serious problems if the firm doesn’t have proper protection.

      But antivirus software only works well when it is up to date. Outdated antivirus protection is like using last year’s tax rules for this year’s filing. It may give a sense of comfort, but it may not protect against current risks.

      Tax firms should ensure antivirus software is installed on all work devices, including desktops, laptops, and servers. It should update automatically, perform regular scans, and send out an alert when it finds a threat.

      2. Firewalls

      A firewall helps protect a firm’s network by controlling traffic between internal systems and the internet. It can block unwanted access based on pre-defined parameters, limit the exposure of the firm’s internal network to harmful traffic, and help prevent unauthorized connections.

      This is especially important for accounting and tax firms because their systems are used by multiple users who have access to client files, tax software, or remote desktops. A properly configured firewall provides a much-needed barrier against outside attacks.

      A firm should not treat its firewall as a one-time setup. It should review the setup every time it adds new software, remote users, cloud tools, or office locations.

      3. Multi-Factor Authentication

      Passwords can be stolen through phishing emails or exposed in data breaches. A firm should not rely on passwords alone. It must add multi-factor authentication, which adds one or more steps to the login process in addition to passwords. After entering a password, the user must verify their identity using another method, such as an authentication app, a security code, a hardware key, or a biometric check.

      Firms should have MFA enabled wherever client data is stored or accessed. This includes tax software, email accounts, cloud storage, document portals, payroll systems, accounting platforms, and remote access tools.

      This is one of the most practical controls a tax firm can use. If a password is stolen, MFA can still prevent an unauthorized person from getting into the system.

      The key is to make MFA firm-wide. It should not be used only by partners or senior staff. Anyone who can access client information should use it.

      4. Backup Software or Services

      For many firms, backups remain a low priority until something goes wrong and recovery becomes essential. However, in case of a natural disaster or cyberattack, backups are the differentiating factor between firms that lose critical data and those that recover quickly.

      Accounting firms should have a reliable backup system or backup-as-a-service in place to ensure that all critical files are backed up at regular intervals. A good backup system should be automatic, encrypted, and tested at regular intervals. A backup is only valuable if it can be successfully restored when needed. Regular testing is therefore essential to verify that recovery processes work as expected.

      5. Drive Encryption

      These days, most accountants work on laptops, tablets, and other portable devices. If a laptop is lost or stolen, the files stored on it can be exposed unless the device is encrypted.

      Drive encryption converts stored data into an unreadable format unless the user has proper access. This means that even if someone physically gets the device, they cannot easily read the data.

      This matters for firms where employees download client documents, save tax files locally, or carry devices outside the office.

      6. Virtual Private Networks (VPNs)

      A VPN helps tax firms secure remote access to sensitive systems, tax software, and client data. It creates an encrypted connection between an employee’s device and the firm’s network, reducing the risk of taxpayer information being intercepted during remote work. This is especially useful when tax professionals work from home, travel, or use public Wi-Fi.

      However, a VPN should not be used alone. It works best with other security measures such as MFA, antivirus protection, firewalls, secure backups, and access controls. For accounting and tax firms, a VPN is a practical step toward protecting client data and maintaining secure operations.

      The Security Six Should Be Part of a Bigger Security Plan

      The IRS Security Six provides essential protection against common cyber threats, but it should not be treated as a complete security strategy. Every accounting and tax firm should have a Written Information Security Plan that defines how client data is protected, how security controls are managed, how staff are trained, how risks are reviewed, and how the firm will respond in case of a breach.

      For many firms, the biggest gap is not the lack of tools but the lack of ownership. Someone in the firm must be clearly responsible for ensuring that security measures are in place, updated, and working as intended.

      This is also where cloud technology can play an important role. As more accounting firms support remote and hybrid work, cloud hosting can help centralize tax software, accounting applications, and client data in a more controlled environment. It enables secure remote access, better collaboration, managed backups, access controls, and stronger protection than relying only on local desktops or office servers.

      However, the choice of a managed security service partner matters. Firms should evaluate whether the provider supports multi-factor authentication, data encryption, regular backups, defined access privileges, security monitoring, recovery protocols, and protection against downtime. While the ultimate responsibility for client data remains with the accounting firm, the right cloud partner can help strengthen its overall security posture.

      At its core, the IRS Security Six is not just about avoiding cyberattacks. It is about protecting the trust clients place in their tax professionals. Clients share highly sensitive financial and personal information with the expectation that it will be handled carefully.

      Cybersecurity may seem like a technical subject, but the business message is simple: protecting client data is now part of running a responsible tax practice. Firms that take the Security Six seriously are not only reducing risk but also building stronger client trust, better credibility, and a more future-ready business.

      About Nolan Foster

      For over 22 years, Nolan Foster has helped businesses and individuals navigate the complexities of cybersecurity, managed IT, and virtual desktops (VDI). Known for turning “tech talk” into plain English, he empowers people to work safely and efficiently. Away from the screen, Nolan enjoys immersing himself in sci-fi worlds, perfecting his golf swing, and making memories with his family.
