Cybersecurity for Financial Providers

A secure portal is not the same as a secure firm.

Your clients trust you with their tax returns, Social Security numbers, and bank accounts — the raw material of their financial lives. The portal protects one room. Droptine secures the building.

30 minutes, in plain English. Bring your questions; skip the jargon.

Hero visual — portal as one room in a larger building

Where "we're secure" comes from

Somewhere along the way, your company bought a product with "secure" in the name. A portal. A vault. Encrypted file sharing. The invoice says secure, so the firm feels secure.

Here's what that product actually covers: itself.

It doesn't secure the email account that receives the portal notifications, the same account that can reset the portal's password. It doesn't manage the laptop a preparer takes home in March. It doesn't stop a client file from being downloaded to a desktop and forgotten there. And your backups? Outside its job entirely, untested until the week you need them.

The firms that get hurt aren't careless. They just protected the door the brochure called secure, and left the rest on the honor system.

Diagram — unwatched access paths around the portal

Client data lives behind three layers. Most firms have secured one.

Layer 1 — Email

The outermost layer and the first one tested. Email holds password resets, client conversations, and notification links into everything else. An attacker who owns a partner's inbox rarely needs to "hack" anything more.

Layer 2 — Devices

Every laptop, desktop, and phone that touches client data — at the office, at home, at a kid's soccer game. A personal device on home Wi-Fi with downloaded client files is the exposure that never had to exist.

Layer 3 — The portal and the data behind it

The layer you already bought. It matters — and it inherits the weaknesses of the two layers around it. A secure portal opened from a compromised inbox on an unmanaged laptop is not secure. It's just expensive.

All three layers have to hold. Droptine makes sure they do.

Centerpiece visual — three concentric layers (house analogy)

Six questions worth answering honestly

Before any tools, any contracts, any spend — a financial firm should be able to answer these:

  1. Who can access client data, and from what devices?
  2. Do those devices leave the office?
  3. Is the email account that logs into the portal protected with MFA?
  4. Can client files be downloaded and stored locally?
  5. When were your backups last tested with an actual restore?
  6. If a regulator, insurer, or client asked for proof of your security program tomorrow — what would you show them?

Count the answers you weren't sure about. Most firms find two or three. That's not a crisis — it's a starting list, and lists can be worked.
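Question 5 is the one most firms answer with "we have backups," which is not the question. What follows is an added illustration written for this page, not Droptine's tooling: it archives a directory, restores the archive into a separate scratch directory, and refuses to report success unless every file in the restored tree matches the original hash for hash. The sample client files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example for this page (not Droptine's tooling): a minimal "actual
# restore" test. It archives a directory with tar, restores the archive into a
# scratch directory, and compares SHA-256 manifests of the source tree and the
# restored tree. A backup that has never been through this loop is untested.
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or shasum on macOS.
if command -v sha256sum >/dev/null 2>&1; then HASH="sha256sum"; else HASH="shasum -a 256"; fi

# manifest DIR: print "hash  ./relative/path" for every regular file under DIR,
# sorted, so two trees can be compared regardless of where they sit on disk.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        $HASH "$f"
    done )
}

# compare_trees SRC RESTORED: succeed only if both trees contain exactly the
# same files with exactly the same contents (a missing, extra or altered file
# changes the manifest and fails the comparison).
compare_trees() {
    a=$(manifest "$1")
    b=$(manifest "$2")
    [ "$a" = "$b" ]
}

# restore_test SRC ARCHIVE SCRATCH: back SRC up into ARCHIVE, restore it into
# SCRATCH, then verify the restore against the original. Succeeds only when
# the restored data is byte-for-byte complete.
restore_test() {
    src=$1; archive=$2; scratch=$3
    tar -C "$src" -cf "$archive" .
    rm -rf "$scratch"
    mkdir -p "$scratch"
    tar -C "$scratch" -xf "$archive"
    if compare_trees "$src" "$scratch"; then
        echo "restore OK: $(manifest "$src" | wc -l | tr -d ' ') files verified from $archive"
    else
        echo "restore FAILED: $scratch does not match $src" >&2
        return 1
    fi
}

# Constructed sample data standing in for a small client-file share.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clients/2023" "$work/clients/2024"
    printf 'return data for client A\n' > "$work/clients/2023/client-a.txt"
    printf 'return data for client B\n' > "$work/clients/2024/client-b.txt"
    restore_test "$work/clients" "$work/clients.tar" "$work/restore"
    rm -rf "$work"
}

demo
```

Run it as-is to see the constructed demo; point restore_test at a real share, a real archive target and an empty scratch directory to test a real backup. It deliberately checks the restored files rather than the backup job's exit status, because "backup completed" says nothing about whether the data comes back. It does not exercise a backup product's own restore path or measure how long a full restore takes under deadline pressure, which a firm should also know before March.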

The WISP is page one, not the finish line

The IRS expects tax professionals to have a Written Information Security Plan. So firms download a template, fill in the blanks, and file it away. Requirement met. Risk unchanged.

A WISP that says you enforce MFA, manage devices, and test backups is a description of work. If the work never happened, the document isn't protection — during an incident or an audit, it's evidence of what you knew you should have done.

Droptine builds the program your WISP describes: the actual controls, the actual monitoring, and documentation that matches reality. The FTC Safeguards Rule and cyber insurance carriers ask about the same fundamentals, so the same work satisfies several requirements at once.

Visual — WISP document vs. live controls

What working with Droptine covers

  • MFA and access controls on email and every system that touches client data
  • Managed, monitored firm devices — and a plan for the personal ones
  • Portal permissions and download policies that match how the firm actually works
  • Backups that are protected, tested, and ready for your busiest week
  • A WISP and security policies that describe real controls, kept current
  • Answers for insurers, regulators, and the occasional client who asks hard questions
  • Monitoring and maintenance after setup — because firms change, and security drifts

The Droptine plan, for firms

Find the exposure

The first step is tracing where client data actually goes: inboxes, downloads, home offices, and the contractor from two tax seasons ago. The paths nobody mentions in the brochure are usually the ones that matter.

Lock down what matters

Email and access first; they're what attackers test first. Then devices, downloads, backups, and the policies that hold it together.

Maintain the program

The program you set up this year won't match the firm you're running in three years. We keep the controls, monitoring, and documentation current, so the answer to "are we secure?" doesn't quietly expire.

Signs it's time

  • Preparers or contractors work from personal devices.
  • The portal is solid, but nobody can vouch for email security.
  • Client files get downloaded locally with no policy on where they land.
  • MFA is on for some tools, not all. Nobody is sure which.
  • The WISP is a template with the firm's name pasted in.
  • Your cyber insurance renewal asked questions you had to guess at.

Two or more sound familiar? That's exactly the firm this work is for.

Common questions

Isn't our secure portal enough?

The portal is one room. The breach usually comes through the hallway: an inbox without MFA, a personal laptop, a downloaded file nobody remembered. None of that is the portal vendor's job — which is exactly the problem.

Do we actually need a WISP?

If the firm prepares tax returns, the IRS expects one. But the document alone isn't the point — the controls it describes are. We help with both, in that order of importance.

Can Droptine write our WISP?

Yes, and we'd rather build the program behind it. A well-written WISP attached to an unprotected firm is a liability with a cover page.

We already have an IT person. Why isn't that enough?

Most small-firm IT support is built to fix what breaks — printers, email, slow laptops. Security is a different job: deciding who can access what, watching for misuse, testing recovery, maintaining proof. We can work alongside your current IT or handle both. Either way, someone ends up owning security by name.

How disruptive is this during tax season?

Tax season is exactly when the stakes peak — more data moving, more deadline pressure, more people clicking fast. So we sequence the work around your calendar: assessment and planning any time, heavier changes in your off-season, monitoring year-round.

Will we understand what we're paying for?

Yes. Scope and pricing go in writing before work starts, and every recommendation comes with the business reason attached — what it protects, what it costs, what happens if you skip it. If you can't explain a security expense to your partners, we haven't finished explaining it to you.

We're a small firm. Are we really a target?

Small firms hold the same Social Security numbers, returns, and account details as large ones — with a fraction of the defenses. That ratio is exactly what attackers shop for. Size isn't protection; it's the reason this work matters.

Are we too small for this?

No. The program is sized to the firm, not the other way around: fewer systems means fewer controls to put in place, but the same need for someone to own security by name.

Website content, self-assessment results, and consultation materials are for general informational purposes only. They are not legal advice, certification, audit findings, or a guarantee of compliance or security. Final requirements depend on your contracts, systems, data, and applicable laws and frameworks.

Protect the firm the way your clients assume you already do.

They handed you their financial lives. A 30-minute conversation will tell you whether the systems holding that trust deserve it.