Client Data Protection

Why a Secure Portal Isn't Enough for an Accounting Firm

Your firm bought a secure portal, and the portal is probably doing its job. The problem is the job description.

By Droptine Group · 4 min · Financial Providers

TL;DR

  • A portal secures files inside the portal. It has no authority over the email account that logs into it, the laptop it's opened on, or the copy of the file someone downloaded in March.
  • Client data follows the path of least resistance: inboxes, desktops, home networks. That's where firms actually get hurt.
  • You can check your own exposure with six questions — and the ones you can't answer are the ones that matter.

What the portal actually promised

Go back and read what the portal vendor sold you. It's real: encrypted file transfer, controlled sharing, an access log. Files inside the portal are genuinely protected, and your clients are right to prefer it over email attachments.

Now notice what's missing from that list. Nothing about the email account that receives the portal's notifications. Nothing about the computer the portal gets opened on. Nothing about what happens to a file after someone clicks download.

The vendor isn't hiding anything. Those things were never the product. But "we have a secure portal" quietly became "we're secure," and those are different sentences.

Where client data actually goes

Watch one tax return move through a firm during March.

A client uploads documents to the portal. A notification lands in a preparer's inbox. The preparer downloads the PDFs to work on them locally, because the software runs faster that way. Some of the work happens at the office. Some happens at home, on a laptop the firm has never seen, over Wi-Fi the firm has never thought about. A question comes up, and a schedule gets emailed back and forth as an attachment because that's faster than the portal.

By April, that return exists in the portal, in two inboxes, on a desktop, on a personal laptop, and in a downloads folder nobody will open again until next year.

The portal protected its copy the whole time.

The attacker's view

An attacker sizing up a small firm doesn't start with the portal. Encrypted products with access logs are the hard way in.

The easy way is the email account — the one that receives password resets for everything else, including the portal. If that inbox is protected by a password alone, with no MFA, then the portal's security depends on the security of one reused password.

The next easiest way is an unmanaged device. A personal laptop with downloaded client files doesn't need to be "hacked" in any sophisticated sense. It needs to be lost, or borrowed, or infected by something its owner clicked on a Saturday.

Neither path touches the portal. Both reach the data.

Six questions to ask your own firm

You don't need a security background to check this. You need honest answers:

  1. Who can access client data, and from what devices?
  2. Do those devices leave the office?
  3. Is the email account that logs into the portal protected with MFA?
  4. Can client files be downloaded and stored locally?
  5. When were your backups last tested with an actual restore?
  6. If a regulator, insurer, or client asked for proof of your security program tomorrow — what would you show them?

Count the ones you couldn't answer. Most firms find two or three. The unanswered ones are your actual exposure map, and they're a better starting point than any product brochure.

What closing the gap looks like

The fix is rarely another tool. It's ownership: someone responsible for the layers around the portal.

MFA on email first, because email unlocks everything else. Then the devices that touch client data — managed, updated, accounted for, including a decision about personal laptops. Then download and storage rules that match how the firm actually works in March, because a policy nobody can follow during tax season is a policy that doesn't exist. Then backups that have survived a real restore test.

None of this is exotic. Most of it is discipline applied to systems you already own.
