Why should cybersecurity be front and center for even the smallest firms? Small firms are just as vulnerable to crippling cyberattacks as much larger organizations. In fact, bad actors often target smaller firms specifically because they assume that their safeguards are not as strong. Small firms also are seen as offering an easy, single access point to a wealth of sensitive client information.
Firms seem to understand the threats they face. In the 2026 PCPS CPA Firm Top Issues Survey, data security was cited among the top five issues for both solo firms and for those with 1 to 10 professionals. At the same time, the profession is grappling with rapid changes in technology and AI, making it more important than ever for firms to maintain strong cybersecurity practices. Fortunately, there are steps firms can take to strengthen their cybersecurity posture and stay ahead of emerging threats.
1. Understand the impact. One thing I've learned from talking with hundreds of small firms is that cybersecurity isn't just an IT issue anymore; it's a business issue. Cyber threats can significantly disrupt operations, damage client trust, and create financial and reputational risks. And it’s a growing problem. In 2025, there was an 89% year-over-year increase in attacks by bad actors using AI, according to the CrowdStrike 2026 Global Threat Report.
2. Leverage your risk expertise. CPAs have always been in the business of managing risk. We evaluate internal controls, protect sensitive financial information, and help clients make informed decisions. Cybersecurity is simply another area where that mindset applies. CPAs can bring the same professional skepticism and risk assessment skills they already use every day. Ask questions like: Where are we most vulnerable? What would happen if this system went down tomorrow? Do we have the right controls in place?
It's also important to think about who has access to what. As firms grow, employees often accumulate permissions they no longer need. Taking time to periodically review and update user access is a simple step that can significantly reduce risk. These are the kinds of conversations CPAs are uniquely equipped to lead.
3. Don’t go it alone. It’s a good idea to lean on trusted technology partners for advice on ways to strengthen your cyber defenses and to use reputable cloud-based software with strong security features. In addition, don’t hesitate to ask for help when you need it from sources such as other small firm owners in your networking groups or through your state CPA society.
4. Assign responsibility. No matter how strong your external resources are, someone within the firm should be accountable for cybersecurity. In a small firm, there may not be many options, but that ownership should be clearly defined. This person can champion proper cybersecurity practices, including the steps covered in the AICPA/PCPS CPA Cybersecurity Checklist. Practices should be updated regularly, too, given the rapid changes in technology and the ways that bad actors misuse it. New scams and schemes emerge at a dizzying pace, and AI has only given cybercriminals even more powerful tools.
5. Develop clear internal processes. This is an area I think firms often overlook, but your technology is only as strong as the habits of the people using it. You can raise their awareness through regular conversations emphasizing smart cybersecurity guidelines, ongoing education, and creating a culture where people feel comfortable asking questions or reporting something suspicious. At a minimum, staff should understand and follow the firm’s IT security policies.
Getting the training and information you need doesn't have to be overwhelming. There are excellent webinars, professional associations, vendors, and peer groups that can help firms stay informed without becoming cybersecurity experts.
6. Get the team on board. Assigning ownership of cybersecurity doesn’t mean it’s only one person’s responsibility. Everyone in the firm should understand their role as part of the first line of defense. Most firms don't have dedicated security teams, so the basics matter more than ever. Simple safeguards like multi-factor authentication, password managers, software updates, secure backups, and regular phishing awareness training go a long way.
7. Recognize the impact of AI. While AI creates tremendous opportunities for small firms, it also opens them up to risk and privacy issues. Employees may start using AI tools without fully understanding where client information is being stored, how it's being used, or whether it becomes part of a model's training data.
That's why firms need clear policies around AI use in particular before it becomes part of everyone's daily workflow. Just because a tool is easy to use doesn't mean it's appropriate for confidential client information. The firms that will benefit most from AI won't be the ones that adopt it the fastest — they'll be the ones that adopt it thoughtfully.
A new chapter
Cybersecurity isn't about achieving perfection; it's about continuously improving. Every step you take — whether that's creating an AI policy, training your staff, or reviewing your backups — makes your firm stronger.
Small firms and sole practitioners have always adapted to change. Cybersecurity and AI are simply the next chapter. Firms that approach both with curiosity, good judgment, and a commitment to continuous learning will be in the best position to protect their clients, strengthen their practices, and build lasting trust.
Additional resources:
21 Cybersecurity Questions Every Small CPA Firm Must Answer
A CPA’s Introduction to Cybersecurity
AICPA Small Firm Generative Artificial Intelligence (AI) Policy Template
Stephanie Otero, CPA, is the Association’s Vice President—Small Firm Advocate. Have questions for Stephanie? Contact her directly at stephanie.otero@aicpa-cima.com. To stay ahead on issues affecting CPA firms, the PCPS Small Firm Success Series offers strategies on staffing, technology, compliance, and practice management. The series is available at no cost to AICPA members and provides CPE.
We welcome your suggestions and feedback on how the AICPA can better support small firms.