Cybersecurity training guide for tax firm employees
Your employees are your first line of defense and your biggest vulnerability. This guide covers what the IRS requires, what topics to teach, and how to build a security-aware culture that actually protects taxpayer data.
The Human Factor
Why security training matters
The most sophisticated security technology in the world cannot protect you if an employee clicks the wrong link. Training transforms your team from a vulnerability into a security asset.
91% of breaches start with phishing
The vast majority of data breaches in professional services begin with an employee clicking a malicious email link or opening an infected attachment.
45% of employees fail phishing tests
Nearly half of untrained employees will click a simulated phishing email, demonstrating that without training, your team is a significant vulnerability.
70% reduction with regular training
Organizations that conduct regular security awareness training see a 70% reduction in successful phishing attacks within the first year.
$4.5M average breach cost
The average cost of a data breach in 2024 reached $4.5 million globally, with human error being a contributing factor in the majority of incidents.
Compliance
IRS training requirements for tax firms
The IRS does not merely suggest security training. Publication 4557 and the FTC Safeguards Rule make it a documented requirement with specific expectations.
Initial Training on Hire
IRS Publication 4557 requires that all new employees receive security awareness training before they are granted access to taxpayer information. This is not optional and should be completed during the onboarding process, before the employee handles any client data.
Annual Refresher Training
Every employee with access to taxpayer data must complete security awareness training at least once per year. The training must be updated to reflect current threats and any changes to your security policies or procedures outlined in your WISP.
Documentation and Acknowledgment
You must document all training sessions, including the date, content covered, and attendees. Each employee must sign an acknowledgment confirming they completed the training and understand their responsibilities. Retain these records as part of your WISP documentation.
Role-Based Training
The FTC Safeguards Rule requires that training be appropriate to each employee's role. A receptionist who answers phones needs different training than a preparer who accesses tax software. Tailor your program so each person understands the specific risks relevant to their job duties.
Curriculum
Essential training topics for tax firm staff
A comprehensive training program should cover these six core topics, each tailored with examples and scenarios specific to the tax industry.
Phishing and Social Engineering
Teach employees to recognize phishing emails, phone-based social engineering (vishing), and text-based attacks (smishing). Use real-world examples specific to the tax industry, such as fake IRS notices, spoofed e-filing rejection emails, and impersonated client requests for wire transfers.
- How to verify sender email addresses and domain names
- Spotting urgency tactics and authority impersonation
- What to do when you suspect a phishing attempt
- Reporting procedures for suspicious communications
Password Security and MFA
Cover your firm's password policies, the importance of unique passwords for every account, and how to use a password manager. Explain multi-factor authentication and ensure every employee knows how to use it on all systems, especially tax software and email.
- Creating strong, unique passwords with a password manager
- Setting up and using multi-factor authentication
- Never sharing passwords or MFA codes with anyone
- What to do if you suspect your account is compromised
Data Handling and Classification
Employees must understand which data is sensitive, how to handle it properly, and the rules for storing, transmitting, and disposing of taxpayer information. Cover your firm's policies on emailing client documents, using encrypted file sharing, and clean desk practices.
- Identifying personally identifiable information (PII) and tax data
- Using encrypted email and secure file transfer portals
- Clean desk policy and locking screens when away
- Proper disposal of paper documents and electronic media
Physical Security
Train staff on physical security measures including office access controls, visitor management, securing mobile devices, and protecting printed documents. Tax firms often have sensitive documents in physical form that are just as vulnerable as digital records.
- Challenging and logging unknown visitors in the office
- Locking filing cabinets and securing printed tax returns
- Protecting laptops and mobile devices when traveling
- Secure document shredding procedures
Incident Recognition and Reporting
Every employee should know the signs of a security incident and exactly how to report it. The faster an incident is reported, the faster your firm can contain it. Create a blame-free reporting culture where employees are not afraid to speak up if they made a mistake.
- Recognizing signs of malware, ransomware, or unauthorized access
- Immediate steps to take if you click a suspicious link
- Who to contact and how to report a suspected incident
- Understanding that early reporting limits damage significantly
Remote Work Security
With many tax professionals working remotely or from home offices, training must cover the unique risks of remote work. This includes securing home networks, using VPNs, avoiding public Wi-Fi for tax work, and ensuring family members cannot access work devices or data.
- Securing your home Wi-Fi network with WPA3 encryption
- Always using the firm VPN when accessing client data remotely
- Keeping work devices separate from personal and family use
- Securing physical documents in a home office environment
Training Schedule
How often to train your team
Security training is not a once-a-year checkbox. An effective program layers different types of training at different intervals to keep security top of mind year-round.
On hire
- Comprehensive security awareness orientation
- WISP review and acknowledgment signature
- Acceptable use policy review and signature
- Account setup with MFA and password manager
Monthly
- Simulated phishing tests (at least one per month)
- Brief security tips via email or team chat
- Review of any recent industry breach news relevant to tax
Periodic focused sessions
- Formal training session on a focused topic (30-60 minutes)
- Phishing test results review and targeted retraining
- Update on any new threats specific to tax practices
Annually
- Full security awareness training refresh (all topics)
- WISP review, update, and re-acknowledgment
- Incident response plan tabletop exercise
- Training documentation audit for compliance records
As needed
- After any security incident or near-miss
- When new threats emerge targeting the tax industry
- When the firm adopts new technology or changes processes
- When an employee fails a simulated phishing test
Start training your team today
We provide fully managed security awareness training for tax firms, including automated phishing simulations, compliance tracking, and IRS-ready documentation.