In this issue:
- Security: Make it a business priority, not a business regret
- Beat the winter chill: How clear expectations keep your firm warm and thriving
- From Paul Blart to smart start: Why your firm needs a security champion
- Get a handle on your firm’s security for 2025
- On our bookshelf
- What’s going on at Rightworks Academy?
INSIDE LOOK
Security: Make it a business priority, not a business regret
Throughout my career, I’ve witnessed firsthand the chaos that security risks can create. Without diving too deeply, I’d like to share a couple with you.
The cost of carelessness
Several years ago, I watched as a firm found itself in a crisis that could have been easily avoided with proper security measures and practices in place…
It all started with a single staff member working on an unmanaged device. This absence of security left her susceptible to a seemingly harmless phishing email. She clicked a link, inadvertently exposing her credentials to a hacker who gained a foothold into the firm’s systems.
With access to the employee’s inbox, the intruder began quietly watching like a spy. Over several months, the bad guy absorbed the nuances of company communications, including how employees interacted with clients and the terms they used with each other. This surveillance allowed them to craft messages that mimicked legitimate company correspondence.
Armed with an understanding of the firm’s operations and culture, the hacker executed their fraud. They created rules in the inbox to allow them to delete certain emails, and then, they impersonated a client, requesting a large financial transaction that mirrored actual client requests. The email was so convincing that it resulted in the unauthorized transfer of nearly $500,000.
Imagine the surprise when, several days later, the actual client called to ask about the missing money. This prompted an immediate, chaotic triage: identifying and isolating infected devices, and a comprehensive audit of devices and email accounts that uncovered additional mailboxes that had also been compromised.
Even simple security measures, like a secondary confirmation through a phone call, could have prevented the firm from being shorted half a million dollars. I don’t know the full cost of legal fees or insurance ramifications, but skimping on a few dollars monthly to cover all devices certainly had an outsized impact on someone’s bottom line.
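The inbox rules mentioned in this story are a telltale sign of business email compromise: the intruder filters out the client's replies so the victim never sees them. The script below is an added example (not code from the newsletter or from Rightworks) that scores mailbox-rule audit events for the hiding and diverting behaviours described above. The record shape, the firm domain and the three sample events are constructed for the example; real audit exports from your mail platform differ, so adapt the field names when you use it.

```python
"""Flag mailbox rules that hide or divert mail, as used in business email compromise.

Added illustration only. Records are constructed and loosely shaped like a mailbox
audit event (operation name, actor, source IP and the rule's parameters); a real
export will need its fields mapped onto this shape first.
"""
import re

# Folders where a hidden message is least likely to be noticed by the mailbox owner.
SUSPICIOUS_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                      "Archive", "Deleted Items", "Junk Email"}
# Words attackers filter on so the victim never sees the client's replies.
SUSPICIOUS_KEYWORDS = ("invoice", "wire", "payment", "bank", "password",
                       "fraud", "hack", "phish")
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")

FIRM_DOMAIN = "example-cpa.test"  # assumed; replace with your firm's mail domain

SAMPLE_LOG = [  # constructed events for the example
    {"operation": "New-InboxRule", "user": "jane@example-cpa.test", "client_ip": "203.0.113.7",
     "parameters": {"Name": "..", "SubjectContainsWords": ["wire", "invoice"],
                    "DeleteMessage": True}},
    {"operation": "New-InboxRule", "user": "sam@example-cpa.test", "client_ip": "198.51.100.9",
     "parameters": {"Name": "Newsletters", "From": ["news@vendor.test"],
                    "MoveToFolder": "Newsletters"}},
    {"operation": "Set-InboxRule", "user": "jane@example-cpa.test", "client_ip": "203.0.113.7",
     "parameters": {"Name": "..", "FromAddressContainsWords": ["client-bank.test"],
                    "ForwardTo": ["j.smith.backup@gmail.test"]}},
]


def score_rule(params, firm_domain=FIRM_DOMAIN):
    """Return (score, reasons) for one rule; higher means more likely attacker-created."""
    score, reasons = 0, []
    name = params.get("Name", "")
    # Attackers often name rules "." or ".." so they are invisible in the rule list.
    if not re.search(r"[A-Za-z0-9]", name):
        score += 1
        reasons.append(f"unreadable rule name {name!r}")
    if params.get("DeleteMessage"):
        score += 2
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder")
    if folder in SUSPICIOUS_FOLDERS:
        score += 2
        reasons.append(f"files mail into {folder!r}")
    # Forwarding outside the firm is the strongest single signal.
    for action in FORWARD_ACTIONS:
        for addr in params.get(action, []):
            if not addr.lower().endswith("@" + firm_domain):
                score += 3
                reasons.append(f"{action} external address {addr}")
    words = [w.lower() for field in FILTER_FIELDS for w in params.get(field, [])]
    hits = sorted({w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS)})
    if hits:
        score += 1
        reasons.append("filters on " + ", ".join(hits))
    return score, reasons


def find_suspicious_rules(records, firm_domain=FIRM_DOMAIN, threshold=2):
    """Return findings for rule create/modify events scoring at or above threshold."""
    findings = []
    for rec in records:
        if rec.get("operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rec.get("parameters", {})
        score, reasons = score_rule(params, firm_domain)
        if score >= threshold:
            findings.append({"user": rec.get("user"), "rule": params.get("Name"),
                             "client_ip": rec.get("client_ip"),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_LOG):
        print(f"{f['user']} rule {f['rule']!r} from {f['client_ip']} "
              f"(score {f['score']}): {'; '.join(f['reasons'])}")
```

Run against the constructed log, the two rules created by the compromised account are flagged (delete-on-keyword and external forward), while the legitimate newsletter rule scores zero. The same logic belongs in whatever log pipeline the firm's IT partner runs; the point is that rule creation is a low-volume, high-signal event worth alerting on the day it happens rather than months later.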
A Friday afternoon frenzy
One summer Friday afternoon, I was cleaning up for the weekend when our support team received a frantic call from a client at a very large firm. An executive operating from a personal computer at a vacation house had clicked on a malicious link, triggering chaos. Their email account immediately began sending emails with malicious links to everyone in their contact list, including clients and coworkers.
This became a problem spiraling into pure chaos…
Trusting the authority of the sender, several coworkers clicked on the link. Fortunately, those at secure workstations or using secure email instances were shielded, but the malware spread from personal devices, leading to a flood of calls from concerned clients to the firm’s main phone number.
Despite our security alerts successfully halting the malware on managed machines, the infection continued to grow on unsecured devices. The risk of the malware spreading to every client loomed over them, threatening to exponentially grow every few minutes.
Because we couldn’t stop employees from logging in to their network from personal devices…
We proposed a drastic solution…
Shutting down the firm’s entire network.
While disruptive, this would be crucial in preventing further damage and preserving the firm’s reputation, particularly given the upcoming weekend when firm employees were unlikely to read internal emails and would likely be going about their day on personal devices.
At this point, the COO was uncomfortable making the call, so we ended up conferencing in the CEO from his vacation. To say he was irritated is an understatement. Despite initial “resistance” (which is to put it nicely), he came to understand the potential reputational damage after a lengthy (and time-consuming) conversation.
So, midway through the afternoon, we pulled the trigger and shut down access to the firm’s network.
The outcome?
Over the weekend, our team worked overtime to clean all devices, including unmanaged ones, and I’m proud to say that by 9 a.m. on Monday, we had restored access and cleaned everything thoroughly. The invoice the firm had to pay for our work was significant but paled in comparison to the potential loss of business and reputation had the attack continued. I’m also happy to report that several years later, the firm participated in a very large merger that I believe would not have occurred had its reputation been tarnished.
Still wondering why security matters?
These are two of the many examples I’ve personally witnessed that illustrate the catastrophic impact of short-changing security measures. Say it however you want: Penny-wise but dollar-foolish; an ounce of prevention prevents a pound of cure; leaping over dollars to chase dimes. Whatever your phrase, the cost of prevention is far less than the cost of recovery. Remember, this is about more than preventing financial loss—it’s about safeguarding your firm’s integrity and credibility, your staff’s time and peace of mind, and perhaps most importantly, your weekends!
CULTURE CLUB
Beat the winter chill: How clear expectations keep your firm warm and thriving
As the last leaves fall and the air turns crisp, there’s a natural urge to hunker down, reflect and prepare for the months ahead. December is a pivotal time for accounting firms—the post-tax-season glow is fading, but year-end deadlines are fast approaching. Like pulling on a cozy sweater before winter hits, now is the time to wrap your firm in clear expectations and healthy boundaries. A firm that operates without these elements risks more than missed deadlines—it risks its team’s energy, motivation and well-being.
Clear expectations: Avoid the guessing games
Autumn is all about letting go of assumptions that pile up like leaves. Similarly, when silent expectations—like assuming staff will handle a new software rollout on their own or respond to clients after hours—pile up, so do frustrations, neglect and duplication of efforts. Instead, clear out the piles by clearly outlining roles, availability and responsibility expectations.
Pro tip: If it’s worth assuming, it’s worth saying out loud.
Boundaries: Layering up for winter’s chill
Without boundaries, burnout mode creeps in, leaving people drained and disengaged just when energy is needed most. Now’s the time to protect your team’s well-being by setting limits. Consider implementing the following before winter comes barreling in:
- Block no-meeting afternoons to give people uninterrupted focus time.
- Discourage after-hours emails—and model that behavior yourself.
Pro tip: Boundaries aren’t about slowing down—they ensure your team stays sustainable through the busy season.
Spot the 3 ‘modes’ before they take root
Unhealthy patterns sneak in when you’re not paying attention and setting clear expectations. Here’s a quick overview of the three dangerous modes that creep up when staff aren’t clear about their roles, expectations and boundaries:
- Zombie mode: Work gets done but without passion or ownership.
- Survival mode: Just doing the bare minimum to get through the day.
- Burnout mode: Exhaustion takes over, leaving no space for ingenuity or engagement.
If you notice these signs, act quickly. Have conversations around tasks and boundaries. Listen first, and show that you care about your staff and the firm's culture by letting individuals express what they need in order to do their work more effectively and efficiently.
Pro tip: Implement clarifications with documented boundaries and expectations—specific support can make all the difference.
Celebrate small wins and reframe challenges
Before the tax season sprint begins, take time to reflect and celebrate. Bring lunch for the team, send a gift card, give a shoutout or simply say “thank you” often. Even small victories matter—celebrate the successes to keep motivation high and build momentum.
One crucial reminder: Leaning into discomfort of challenges is a chance for personal growth. If meeting with each staff member to clarify their roles and expectations feels uncomfortable, embrace it and move it to the top of your to-do list. Growth may feel chilly at first, but it’s the promise of progress.
Your December checklist: Simple steps to thrive
- Clarify one unspoken expectation. Undoubtedly, there is an assumption in the firm that is quietly causing friction. Identify that unspoken expectation and use this month to bring it into the open. Sit down with your team, ask questions and clarify responsibilities. Think of it as sweeping up those last stubborn leaves before winter—get everything tidied now, so you’re not scrambling later.
- Set or reinforce a boundary. Just like you pull on extra layers to stay warm, set or revisit one critical boundary to protect your team’s energy. Maybe that means blocking off no-meeting afternoons, outlining expectations around availability or scheduling intentional downtime between projects. A boundary isn’t a barrier—it’s an investment in sustainable productivity, ensuring your team is energized and not exhausted before the winter months settle in.
- Celebrate a win—even a small one. Whether it’s a smooth new client onboarding process, having 90% of engagement letters signed before year-end or mastering a new software implementation, every win matters. Show your appreciation and call it out! Think of these small celebrations as the warm fires that brighten spirits as the busy season builds.
With clear expectations, strong boundaries and moments to celebrate, you’ll head into winter prepared and energized—without sliding into Zombie, Survival or Burnout Mode. Now, grab a cozy sweater (and maybe that donut), and let’s make December count!
TIPS & TRICKS
From Paul Blart to smart start: Why your firm needs a security champion
Have you seen the movie Paul Blart: Mall Cop? (Fun fact: I almost dressed up as Paul for Halloween this year, but I started looking for a fake mustache too late.) When I think of security, he’s the first thing that comes to mind. The movie might just be average, but Paul Blart has left a lasting impression on me. I’m lucky enough that when I think of security, I think of him rather than immediately worrying about cybersecurity threats or identity theft.
Unfortunately, that’s not the case for many people, which is why it’s so important to take security seriously in your accounting firm. The landscape is constantly changing, and there’s always someone looking to access your firm’s—or your clients’—sensitive information.
Security in a firm involves more than safeguarding digital data; it encompasses physical and administrative measures as well. A robust security strategy rests on three principles that protect your staff and clients and keep the firm compliant:
- Standardizing technology and workflows
- Protecting client data
- Staying adaptable to new threats
Standardizing your tech stack and security workflows reduces vulnerabilities and simplifies training and compliance. Clear procedures for protecting client data also build client trust and fulfill legal obligations.
Adaptability to new threats is crucial. Staying informed on what’s emerging and updating security practices demonstrates your firm’s commitment to protecting client data. Appointing a Cybersecurity Officer (CSO) to lead and coordinate these efforts further strengthens your firm’s defenses, ensuring that security remains a priority across all areas. This approach not only protects sensitive information but also positions your firm as a trustworthy partner.
Tips for appointing a Cybersecurity Officer (CSO) to champion security
Requirements of the CSO role
The CSO should ideally be someone in a leadership role, such as a partner, office manager or in-house technical professional. They should:
- Possess strong leadership skills and be comfortable holding staff accountable.
- Communicate effectively and be able to coordinate with IT professionals.
- Have the authority to schedule staff meetings and implement policy updates.
Responsibilities of the CSO
The CSO’s primary responsibilities include:
- Implementing a security policy: The CSO is responsible for ensuring that the firm’s security policy is comprehensive, is kept current and addresses the firm’s known risks as they change.
- Ensuring compliance: The CSO works with both staff and IT professionals to make sure the firm adheres to security policies.
- Coordinating staff training: The CSO schedules regular training sessions to increase awareness and understanding of security procedures among staff.
- Conducting routine security meetings: Routine meetings help keep security practices top of mind and ensure that all team members are aware of updates.
- Managing the incident response plan: In the event of a breach, the CSO activates the incident response plan, coordinating with relevant stakeholders (e.g., IT professionals, legal counsel) to mitigate the damage.
The CSO is not solely responsible for handling all security incidents but is a coordinator who ensures that the appropriate people are involved in addressing security needs as they arise. For instance, the CSO might bring in a security expert to discuss potential risks with the staff or coordinate with legal professionals in response to a data breach.
Appointing the CSO
Select a team member to take on the CSO role and establish clear lines of communication for security discussions. This person should be fully supported by leadership and have the resources to carry out their responsibilities effectively. Once the CSO is appointed, they can work on developing and refining the security policies and creating a clear action plan for protecting the firm and its clients.
Take as many steps as possible to take control of security in your firm. Give your clients that peace of mind to only think about Paul Blart the mall cop, instead of some cybersecurity threat.
SECURITY PRO TIP
Get a handle on your firm’s security for 2025
As we get ready to jump into busy season 2025, how does your security plan stack up? Are you feeling overwhelmed by all the have-to-dos—and should-dos—you’ve been hearing about regarding security?
Let’s take a step back and get some simple, tactical steps you can take to get ready for 2025.
Consider your overall risk
Your threat vectors are many.
As attacks mature, your attack surface (everywhere firm and client data lives) keeps expanding. Going into the new year, it may help to start with the basics and make sure you feel good about your approach to protection.
- Core accounting and tax applications: These hold much of your most important client data. Desktop applications hosted on your own premises carry their own risks, particularly data loss in an emergency if backups are untested. Cloud applications reached from any browser without identity and access controls, such as multifactor authentication (MFA) and limits on which devices and networks may sign in, leave the firm exposed to stolen credentials. A single, secured cloud environment to work in helps you avoid app sprawl and the inconsistent controls that come with it.
- Devices: A device is at risk when you or your staff unintentionally install malware from something as simple as a rogue email attachment or a QR code. Go beyond signature-based antivirus to proactive threat monitoring (endpoint detection and response), likely managed by a qualified outside party, and make sure it covers every device that touches firm data, not only the ones in the office.
- Where you work: International and outsourced users have different security and access needs than full-time staff. If you are sharing passwords with them, or struggling to limit their access to firm resources by location or IP address, you are exposing the firm to unnecessary risk. Give them their own accounts, require MFA and restrict where they can sign in from.
- How you respond: Lack of a plan is a threat in itself. Keep a fully documented incident response plan that spells out how the firm will proceed in the event of a breach or emergency, including who has the authority to isolate accounts or shut down access, and walk through it before busy season.
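The identity controls in the list above (MFA, managed devices, and restricting outsourced users by network or location) come down to a deny-by-default policy evaluated on every sign-in. The code below is an added example, not the newsletter's code or any vendor's product, showing what that evaluation looks like; the group names, the allowed network range, the country code and the four sample sign-ins are all assumed or constructed.

```python
"""Deny-by-default sign-in policy check for firm staff versus outsourced users.

Added illustration only. POLICIES, the CIDR range, the country code and
SAMPLE_SIGNINS are assumed/constructed; a real identity provider supplies
these signals (MFA result, device compliance, source IP, geolocation).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GroupPolicy:
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_networks: list = field(default_factory=list)  # empty = any network
    allowed_countries: set = field(default_factory=set)   # empty = any country


# Assumed policies: staff may sign in from anywhere but only on managed devices;
# outsourced users are pinned to the vendor's network range and country.
POLICIES = {
    "staff": GroupPolicy(require_mfa=True, require_managed_device=True),
    "outsourced": GroupPolicy(
        require_mfa=True,
        require_managed_device=False,
        allowed_networks=[ipaddress.ip_network("198.51.100.0/24")],
        allowed_countries={"IN"},
    ),
}


@dataclass
class SignIn:
    user: str
    group: str
    source_ip: str
    country: str
    mfa_passed: bool
    managed_device: bool


def evaluate(signin, policies=POLICIES):
    """Return (allowed, reasons). Every failed condition is reported; unknown groups are denied."""
    policy = policies.get(signin.group)
    if policy is None:
        return False, [f"no policy for group {signin.group!r}"]
    reasons = []
    if policy.require_mfa and not signin.mfa_passed:
        reasons.append("MFA not satisfied")
    if policy.require_managed_device and not signin.managed_device:
        reasons.append("unmanaged device")
    ip = ipaddress.ip_address(signin.source_ip)
    if policy.allowed_networks and not any(ip in net for net in policy.allowed_networks):
        reasons.append(f"source {ip} outside allowed networks")
    if policy.allowed_countries and signin.country not in policy.allowed_countries:
        reasons.append(f"country {signin.country} not allowed")
    return (not reasons), reasons


SAMPLE_SIGNINS = [  # constructed events
    SignIn("partner@example-cpa.test", "staff", "203.0.113.10", "US", True, True),
    # The executive on a personal laptop at a vacation house: MFA passed, device unmanaged.
    SignIn("exec@example-cpa.test", "staff", "203.0.113.44", "US", True, False),
    SignIn("vendor1@outsourcer.test", "outsourced", "198.51.100.23", "IN", True, False),
    SignIn("vendor2@outsourcer.test", "outsourced", "203.0.113.5", "US", False, False),
    SignIn("temp@example-cpa.test", "contractor", "198.51.100.23", "IN", True, True),
]


def evaluate_all(signins=SAMPLE_SIGNINS, policies=POLICIES):
    """Map each user to the policy decision for their sign-in."""
    return {s.user: evaluate(s, policies) for s in signins}


if __name__ == "__main__":
    for user, (allowed, reasons) in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {user}"
              + (": " + "; ".join(reasons) if reasons else ""))
```

Two things to note about the design: a group with no policy is denied rather than let through, and every failed condition is reported rather than stopping at the first, so the log explains exactly why the executive's personal laptop or the outsourced user's unexpected network was blocked.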
Get your staff aligned with your security vision
Training your staff is a must. But beyond ongoing security awareness training, have you considered the need to have a security vision that your firm leaders evangelize every day?
You need a documented plan around where data lives at your firm, how personally identifiable information (PII) is stored and accessed, and how your firm will respond in the event of an emergency. Your staff must understand this and be kept up to date on changes, so make sure you turn any documentation like your Written Information Security Plan (WISP) into an active agreement between all firm employees about how you will be good stewards of client data.
If you want your employees to live by the plan you’ve put into place, make sure you’ve addressed the most relevant technology trends, like AI. Chances are, your staffers are using some form of AI whether you’re aware of this or not. You’ll need to get an AI policy in place that clearly identifies both allowed and prohibited use cases.
Find a partner who gets it
Your clients outsource their taxes to you, so you should outsource your security to an expert. You are expected to meet both compliance and security requirements, so it makes sense to keep your focus on your clients’ needs and find a security provider who understands the security landscape of accounting and tax.
Plus, clients trust you with their most sensitive data, so it’s in your best interest to protect your relationships and reputation.
Bottom line? Start with a security plan you design with a trusted party, and then start executing it. You can improve over time and make sure you’re keeping up to date with the current threat landscape.
BOOKSHELF
On our bookshelf
Small Acts of Leadership: 12 Intentional Behaviors That Lead to Big Impact
by G. Shawn Hunter
Collaboration Is the New Competition: Why the Future of Work Rewards a Cross-Pollinating Hive Mind & How Not to Get Left Behind
by Priscilla McKinney
Thinking 101: How to Reason Better to Live Better
by Woo-kyoung Ahn
The Art of Prompt Engineering with ChatGPT: GPT-4, Plugins & DALL.E 3
by Nathan Hunter
Looking for a non-business-inspiring read? Here’s a bonus recommendation for our readers:
The Small and the Mighty: Twelve Unsung Americans Who Changed the Course of History, From the Founding to the Civil Rights Movement
by Sharon McMahon
WHAT’S GOING ON
What’s going on at Rightworks Academy?
Events for members
- December 10: The Huddle: Great job!
- December 11: Fostering a positive firm culture during the holiday season
- December 18: Getting ready for busy season, Part 1: Strategies for success
- January 8: Getting ready for busy season, Part 2: Optimizing your tax strategy
To register, log into your Academy account and navigate to Community > Events.
Education workshops
Join the education team for workshop-style coaching sessions facilitated by your Academy coaches and trainers. Designed around expert insights, peer discussion and practical exercises, these sessions give you the tools to apply the modern-firm topics they cover, in a more interactive, group-style coaching setting.
- December 11: Mastering payroll with ADP: Best practices and new year prep
- December 12: The Huddle: Great job!
To register, log into your Academy account and navigate to Community > Events.
Events for members and non-members
Not a Rightworks Academy member yet? We have you covered with live and on-demand events where you can learn more about Academy and the latest hot topics in the profession. Visit rightworks.com/resources/live-on-demand-webinars for a continually updated schedule of events.
In the spotlight this month:
Moving to the cloud: A primer for accounting and tax firms
On-demand
Ready to demystify the cloud? Join Darren Root, Growth Strategist, and Molly Gallaher Boddy, Director of Product Marketing, as they break down cloud migration into bite-sized, actionable steps. You’ll discover how to build your ideal tech stack, maximize security and efficiency, and avoid common pitfalls—all through the lens of real success stories from real firms just like yours. Whether you’re cloud-curious or ready to make the leap, this on-demand webinar is your roadmap to confident cloud adoption.
What’s new on the blog?
From a fun pop quiz to embracing the Retention Revolution, the Rightworks blog has great information to inspire Rightworks Academy members to prepare for your future successes. Check out our newest posts, and don’t forget to bookmark the blog so you can stay up to date.
Read the latest posts at rightworks.com/blog.