Blog

Oct 6, 2025

Trust Issues: How Bad Cybersecurity Is Killing Client Relationships

Chris Davis

Most firms are aware of cybersecurity. They’ve turned on MFA somewhere, bought a password manager, and feel a vague sense of comfort. But awareness isn’t understanding, and false comfort is dangerous. The reality is that baseline security is simple when you know the playbook. It’s not exotic tooling or seven-figure budgets; it’s a short list of habits you do every day and verify every quarter. If you can run a month-end close, you can run baseline cyber.

The trust you didn’t know you were risking

Accounting lives on trust. Not just in the numbers, but in how you protect the data behind them. Bank statements, payroll, SSNs, contracts: hand us your blueprint and you expect us to guard it. When that trust is broken, great technical work becomes irrelevant. A single compromised inbox can ripple through hundreds of client relationships in minutes.

The “small fish” myth

“We’re not a big target.” I hear this from partners all the time. Attackers aren’t hunting headlines; they’re hunting efficiency. Smaller firms often have weaker controls and incredibly valuable data. One mailbox, one vendor portal, one reused password: that’s all it takes. Being small doesn’t make you invisible; it makes you convenient.

Policy theater vs. operational reality

Policies don’t protect anything if they’re not enforced. A binder that says “MFA required” means nothing if it isn’t on every identity, for every app. Disk encryption that exists on paper doesn’t help the unencrypted laptop left in an Uber. Cybersecurity is measured at 2:00 AM when someone tries to get in, not at 2:00 PM when you’re revising a checklist.

Why we chose SOC 2 Type 2

This is why we went through SOC 2 Type 2. Type 1 says, “We wrote down controls.” Type 2 says, “We operated those controls consistently over time.” It’s not easy. It is the right kind of hard. Clients shouldn’t have to take our word that their data is safe; they deserve third-party proof.

More than IT: it’s client service

Security failures aren’t just IT incidents. They’re service failures. When data leaks, you don’t just pay for remediation: you spend social capital you may never get back. Protecting client data and delivering great financial advice are not competing priorities; they’re the same promise kept in two different ways.

The daily discipline (aka the boring stuff that works)

The work that prevents breaches isn’t glamorous. It’s access reviews, least privilege, tested backups, phishing-resistant MFA, patching, vendor diligence, and staff training. It’s asking uncomfortable questions like why that one partner still reuses a password. Strong security isn’t a project; it’s a practice.

The baseline playbook (what “good enough” actually looks like)

If you want the 80/20 that drastically reduces risk, start here:

  • Identity first: Enforce phishing-resistant MFA (FIDO2/passkeys) on every account and app, including email and admin roles.
  • Least privilege: Role-based access with quarterly reviews; no standing admin; use just-in-time elevation.
  • Device trust: Full disk encryption on all laptops/desktops; OS auto updates; EDR with alerting.
  • Email security: Modern authentication only; DKIM/DMARC aligned; block legacy protocols; conditional access for impossible travel.
  • Data hygiene: Centralize storage; disable local downloads where possible; label and restrict sensitive data.
  • Backup reality checks: 3-2-1 backups for critical systems; run restore tests quarterly.
  • Vendor risk: Security addendum in every contract; collect SOC 2/ISO attestations or compensating controls.
  • Human layer: Mandatory training with simulated phishing; incident response dry runs twice a year.
  • Proof, not vibes: Metrics and logs that show controls are working, then review them.
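As an added example (not code from this post or from Dark Horse CPAs), here is the kind of quarterly check the "Proof, not vibes" item calls for, run over a constructed identity export: it flags accounts without phishing-resistant MFA, admin roles held without just-in-time elevation, and access reviews older than a quarter. Field names, role names and the sample accounts are assumptions; map them to whatever your identity provider actually exports.

```python
# Added example: quarterly control-coverage check over an identity export.
# Field/role names are assumed; the accounts below are constructed, not real.
from datetime import date, timedelta

PHISHING_RESISTANT = {"fido2", "passkey"}          # methods the playbook accepts
ADMIN_ROLES = {"global_admin", "exchange_admin"}   # hypothetical privileged roles
REVIEW_SLA_DAYS = 90                               # "quarterly reviews"
AS_OF = date(2025, 10, 6)                          # reporting date for this run

# Constructed sample export (hypothetical users; "jit_admin" = elevation is time-bound).
ACCOUNTS = [
    {"user": "partner1",   "mfa": ["fido2"],   "roles": ["user"],
     "last_review": "2025-09-15", "jit_admin": False},
    {"user": "partner2",   "mfa": ["sms"],     "roles": ["user"],
     "last_review": "2025-09-15", "jit_admin": False},
    {"user": "itadmin",    "mfa": ["passkey"], "roles": ["global_admin"],
     "last_review": "2025-04-01", "jit_admin": False},
    {"user": "svc-backup", "mfa": [],          "roles": ["user"],
     "last_review": "2025-09-15", "jit_admin": False},
    {"user": "helpdesk",   "mfa": ["fido2"],   "roles": ["exchange_admin"],
     "last_review": "2025-09-15", "jit_admin": True},
]


def audit(accounts, today):
    """Return {control: [users failing it]} for the three playbook controls."""
    findings = {"weak_or_no_mfa": [], "standing_admin": [], "stale_review": []}
    for a in accounts:
        # Identity first: SMS/app codes or no MFA at all both fail the bar.
        if not PHISHING_RESISTANT.intersection(a["mfa"]):
            findings["weak_or_no_mfa"].append(a["user"])
        # Least privilege: an admin role that is always on is standing admin.
        if ADMIN_ROLES.intersection(a["roles"]) and not a["jit_admin"]:
            findings["standing_admin"].append(a["user"])
        # Quarterly reviews: anything older than the SLA is stale.
        reviewed = date.fromisoformat(a["last_review"])
        if today - reviewed > timedelta(days=REVIEW_SLA_DAYS):
            findings["stale_review"].append(a["user"])
    return findings


def coverage(accounts, today):
    """Percent of accounts with zero findings: the number for the quarterly report."""
    flagged = set().union(*audit(accounts, today).values())
    return round(100 * (len(accounts) - len(flagged)) / len(accounts), 1)


if __name__ == "__main__":
    for control, users in audit(ACCOUNTS, AS_OF).items():
        print(f"{control}: {users or 'OK'}")
    print(f"clean-account coverage: {coverage(ACCOUNTS, AS_OF)}%")
```

Point the loader at a real export and the same three lists become the evidence an auditor asks for, rather than a binder page that says "MFA required".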

None of this requires a moonshot. It requires ownership.

The bottom line

Whether you’re a CPA firm or a client choosing one, cybersecurity isn’t optional overhead: it’s the foundation of the relationship. The firms that understand this, and operationalize it, will thrive. The ones that don’t will serve as cautionary tales. The choice is yours; the consequences are shared.

About Dark Horse CPAs

Dark Horse CPAs provides an integrated suite of services including tax, accounting, fractional CFO, and wealth management to small businesses and individuals across the U.S. The firm was established to transform the client experience by offering personalized, high-quality services that small businesses and individuals deserve. As Dark Horses in their industries, these businesses benefit from advanced tax strategies and accounting insights typically reserved for larger companies. With a nationwide presence and a team of dedicated professionals, Dark Horse CPAs is committed to your success. Get a quote today.
