
Why Your CPA Firm Needs MFA Before Next Tax Season

October 13, 2025 | 4 min read

A stolen password is all it takes. One phishing email to a staff member, one reused password from a data breach, and someone outside your firm has access to your Microsoft 365 account. Your email. Your client files. Your calendar. Everything. Multi-factor authentication, or MFA, stops that scenario cold. It is the single most impactful security step your firm can take, and most small CPA firms still do not have it turned on for everyone.

What MFA actually does

When MFA is enabled, logging in requires two things: your password and a second verification step. That second step is usually an approval from an app on your phone, or a six-digit code. An attacker who steals your password still cannot log in without that second factor.

It sounds simple because it is. That is the point. The most common way small businesses get compromised is through credential theft. A password on its own is no longer enough protection, especially for cloud applications like Microsoft 365 that are accessible from anywhere in the world.

Why tax season makes this urgent

During tax season, your Microsoft 365 account contains more sensitive client data than at any other time of year. W-2s, business financials, prior-year returns, bank account information. All of it sitting in email threads, SharePoint folders, and OneDrive.

Attackers know this. Business email compromise attacks on accounting firms spike during Q1. A compromised account during tax season does not just disrupt your operations. It exposes your clients' most sensitive financial information and puts your firm's reputation at serious risk.

If something goes wrong in February, there is no good time to deal with it. MFA dramatically reduces the chance that it happens at all.

What your cyber insurance likely requires

Many cyber liability policies now list MFA as a required security control. If MFA is not enabled and you suffer a breach, your insurer may deny the claim on the grounds that you did not meet the basic security requirements of your policy.

Before your next renewal, verify what your policy requires. The security controls section will spell it out. If you are not meeting those requirements, fix it before the policy renews.

How to turn it on in Microsoft 365

If your firm uses Microsoft 365, MFA is already included in your subscription. You do not need to buy anything. Go to the Microsoft 365 admin center, open Users, select Active users, and enable multi-factor authentication. Microsoft's built-in Authenticator app is what most firms use for the second factor.

The process takes under an hour for a small firm. Staff will need to set up the Authenticator app on their phones the first time they log in after MFA is enabled. That is a five-minute process.

Enable it for every account, including admin accounts. Admin accounts are the most valuable target and the most important to protect.
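Once MFA is switched on, the open question is whether every account actually finished registering, especially the admin accounts. The script below is an added example, not from the article or ITM Consulting: it pulls the authentication-methods registration report through the Microsoft Graph PowerShell SDK and lists accounts that still have no MFA method. It assumes the Microsoft.Graph.Reports module is installed, that the signed-in account is allowed to read that report, and that the two permission scopes named are the ones the report requires.

```powershell
# Added example (not the article's own procedure): audit MFA registration across a
# Microsoft 365 tenant. Assumes Microsoft.Graph.Reports is installed and the signed-in
# account may read the authentication methods registration report.
Import-Module Microsoft.Graph.Reports

# Scopes assumed to be the ones the userRegistrationDetails report needs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user: has an MFA method been registered, and does the user hold an admin role?
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered       = $details       | Where-Object { -not $_.IsMfaRegistered }
$adminsNotRegistered = $notRegistered | Where-Object { $_.IsAdmin }

"Users checked:              $($details.Count)"
"Users without MFA:          $($notRegistered.Count)"
"Admin accounts without MFA: $($adminsNotRegistered.Count)"

# Admin accounts first: the highest-value targets, so the first gaps to close.
$adminsNotRegistered |
    Select-Object UserPrincipalName, IsMfaCapable |
    Format-Table -AutoSize

# Full gap list, admins sorted to the top, for the firm to work through before tax season.
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path ".\mfa-gaps.csv" -NoTypeInformation
```

Registration is not the same as enforcement: a user can have the Authenticator app registered while no setting requires it at sign-in, so pair this report with the admin-center setting described above rather than relying on either alone.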

What about staff pushback?

Some staff find MFA inconvenient at first. That is a real concern and worth addressing directly. Most people adjust within a few days and stop thinking about it. The Microsoft Authenticator app works with one tap on your phone after the initial setup.

Frame it this way: this is the same protection your bank uses. It is the same protection your clients' banks use. For a firm that handles sensitive financial data, it is a baseline expectation, not an extra burden.

If you are not sure whether MFA is fully enabled across your firm, we can check. We do free Microsoft 365 security reviews for accounting firms in the Chicago area. We will tell you exactly what is on and what is not, and help you get it configured correctly before tax season starts.

ITM Consulting

Questions about your IT setup?

We work with small businesses and accounting firms across the Chicago area. Schedule a free 30-minute consultation and we will tell you honestly what we see.