
Why exfiltration prevention is now a compliance imperative for accounting firms

Ask any accountant, and they will tell you that protecting client data is a vital part of their job, and with good reason. 

Accounting firms are entrusted with some of the most valuable information that businesses and individuals possess. This includes tax filings, audit reports, payroll records and financial forecasts. The biggest threat these professionals face has traditionally been ransomware, with attackers encrypting files and demanding payment. 

But today, the attack no longer stops at locking the data. Cybercriminals now steal it first: according to BlackFog, data exfiltration is used in 91% of ransomware attacks. Combined with ransomware, exfiltration creates what is commonly known as a double extortion scheme, and with it some new and significant challenges.

Namely, even if a firm restores all its data, the criminals still hold copies of the files and can do whatever they want with them, including selling them on the dark web. It is easy to see how this creates a serious problem for any company where confidentiality and compliance with key regulations are vital.

Why accounting firms?

There are several reasons why accounting firms are among the most targeted industries for cybercriminals. Firstly, as touched on earlier, they handle large amounts of financial data that criminals can sell for significant profit. And accessing this data has become easier thanks to the growing hybrid workforce.

As with many other industries, remote workers have stretched the attack surface. Every day, accounting professionals are accessing sensitive files from their home offices, often using personal devices. This not only lowers the bar for criminals looking to steal data and then encrypt it, but it also opens up significant operational and compliance risks.

If this scenario wasn't sufficiently damaging, remember that accounting firms face strict regulations that can result in hefty fines, lawsuits, failed audits, and more when violated. These regulations include:

  • The Gramm–Leach–Bliley Act calls for safeguards and breach notification; violations can result in penalties up to $100,000 per violation.
  • SOC 2 audits demand strict confidentiality and security controls.
  • The General Data Protection Regulation in Europe and the Personal Information Protection and Electronic Documents Act in Canada require timely reporting of breaches. Penalties here can climb up to €20 million (USD $23 million).
  • U.S. state laws such as the California Consumer Privacy Act add further obligations: it mandates transparency, consumer rights and proactive data governance, and carries steep penalties for noncompliance.


Why traditional defenses don't add up

Most security solutions in place at firms today act on threats only once they have been detected. The challenge is that criminals' approaches have changed. Deploying ransomware or issuing demands is no longer the first step in an attack. Today, attackers often steal data first, so by the time a firm is alerted to an incident, the data has in many instances already left the premises.

Attackers are also leveraging other techniques that further cripple their victims. Examples include Domain Name System tunneling and encrypted cloud uploads, both of which can slip past defenses. While this is happening, firms are also being inundated with alerts, including mountains of false positives sent by their detection-based tools. And if you're working at a smaller accounting firm with a small cybersecurity team, separating the real threats from the false ones on a daily basis is an impossible task.
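To make the DNS tunneling pattern concrete from the defender's side, the following Python script is an added example, not code from the article or from BlackFog. It reads resolver query logs, groups them per client and registered domain, and scores each group by how many distinct subdomains it queried, how random-looking and long those subdomains are, and what share of the queries used record types that can carry long answers. Encoded data pushed out in query names leaves exactly those traces. The log format, the sample lines, the domain names, the thresholds and the "last two labels" rule for the registered domain are all constructed assumptions for illustration.

```python
"""Heuristic detector for DNS tunneling in resolver query logs.

Added example, not from the article or from BlackFog. The log format,
sample lines, domain names and thresholds are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <client_ip> <query_type> <query_name>".
SAMPLE_DNS_LOG = """\
2025-03-01T09:00:01 10.0.0.12 A www.example-accounting.com
2025-03-01T09:00:02 10.0.0.12 A cdn.example-accounting.com
2025-03-01T09:00:03 10.0.0.12 A mail.example-accounting.com
2025-03-01T09:01:00 10.0.0.44 TXT kq7x2zvb9m4ntpw3e6h8.ysrd5cfgj1.exfil-example.net
2025-03-01T09:01:01 10.0.0.44 TXT a3f9c1d7e2b8g4h6j5k0.m2n8p1q7r3.exfil-example.net
2025-03-01T09:01:02 10.0.0.44 TXT z8y7x6w5v4u3t2s1r0q9.p8o7n6m5l4.exfil-example.net
2025-03-01T09:01:03 10.0.0.44 TXT b2c4d6e8f0g1h3j5k7l9.n2p4r6t8v0.exfil-example.net
2025-03-01T09:01:04 10.0.0.44 TXT w9x8y7z6a5b4c3d2e1f0.g9h8j7k6l5.exfil-example.net
2025-03-01T09:02:00 10.0.0.12 A portal.example-taxcloud.com
"""

# Record types commonly abused for tunneling because they allow long answers.
DATA_CARRYING_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads look random and score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain).

    Assumption for this example: the registered domain is the last two
    labels. Production code should use the Public Suffix List, otherwise
    names like host.example.co.uk are split incorrectly.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(log_text: str):
    """Parse the constructed log format into dicts; skip malformed lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, client, qtype, qname = parts
        sub, domain = split_qname(qname.lower())
        records.append({"ts": timestamp, "client": client, "qtype": qtype.upper(),
                        "subdomain": sub, "domain": domain})
    return records


def score_domains(records):
    """Aggregate, per (client, registered domain), the signals tunneling leaves behind."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["domain"])].append(r)
    stats = {}
    for key, rs in groups.items():
        subs = [r["subdomain"].replace(".", "") for r in rs if r["subdomain"]]
        stats[key] = {
            "queries": len(rs),
            # Each chunk of smuggled data needs a fresh, never-cached name.
            "unique_subdomains": len(set(subs)),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs) if subs else 0.0,
            "mean_subdomain_len": sum(map(len, subs)) / len(subs) if subs else 0.0,
            "data_qtype_fraction": sum(r["qtype"] in DATA_CARRYING_QTYPES for r in rs) / len(rs),
        }
    return stats


def flag_tunneling(stats, min_unique=4, entropy_threshold=3.5, length_threshold=30):
    """Flag groups with enough distinct subdomains that look random or unusually long."""
    flagged = []
    for key, s in stats.items():
        if s["unique_subdomains"] < min_unique:
            continue
        if s["mean_entropy"] >= entropy_threshold or s["mean_subdomain_len"] >= length_threshold:
            flagged.append(key)
    return sorted(flagged)


def detect_dns_tunneling(log_text: str):
    """Convenience wrapper: log text in, sorted list of (client, domain) pairs out."""
    return flag_tunneling(score_domains(parse_dns_log(log_text)))


if __name__ == "__main__":
    for client, domain in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(f"possible DNS tunneling: client {client} -> {domain}")
```

Run against the sample, the three ordinary lookups from 10.0.0.12 never reach the minimum number of distinct subdomains, so they produce no alert, while the five TXT queries from 10.0.0.44 do. The thresholds are deliberately conservative to keep the false-positive volume the article complains about down; CDNs and some security products also generate long, high-entropy names, so an allowlist of known domains belongs in front of this check in practice.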

Building a prevention-first strategy

To truly combat data exfiltration, firms need to adopt a prevention-first mindset — one that stops threats before they can succeed, rather than reacting after the fact. That begins with limiting access. Employees should only have visibility into the information required for their specific roles. Through this principle of least privilege, firms can dramatically reduce the potential fallout when credentials are stolen or accounts are compromised.

Equally important is securing the devices employees use outside the office. With remote and hybrid work now the norm, laptops and personal desktops are prime targets. Additional layers of protection on these endpoints help detect and shut down malicious scripts and exfiltration tools before they can execute.

Authentication and monitoring controls must also evolve. Firms should be actively tracking login behavior and flagging anomalies — particularly those involving privileged accounts, which are frequent targets for attackers. Finally, incident response plans should not be left on the shelf. They need to be living documents, updated regularly and tested through realistic exfiltration scenarios to ensure firms can act quickly and decisively when an incident occurs.
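The monitoring control described above, tracking login behavior and flagging anomalies with extra weight on privileged accounts, is shown here as an added Python example; it is not code from the article or from any product it mentions. It builds a per-user baseline of countries from successful sign-ins before a cutoff date, then raises an alert for any later successful sign-in from a new country, outside business hours, or immediately after a run of failures from the same source, and marks the alert high severity when the account is privileged. The log format, account names, addresses, country codes, hours window and thresholds are all constructed assumptions.

```python
"""Baseline-and-anomaly detection over sign-in logs, weighted for privileged accounts.

Added example, not from the article. Log format, account names, addresses,
country codes, business hours and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: accounts whose compromise has the widest blast radius.
PRIVILEGED_ACCOUNTS = {"partner.admin", "it.admin"}
# Constructed working-hours window: sign-ins at 07:00-19:59 local time are normal.
BUSINESS_HOURS = range(7, 20)
# Successful sign-ins before this date form the per-user baseline; later ones are evaluated.
BASELINE_CUTOFF = "2025-03-07"

# Constructed sample log: "<timestamp> <user> <source_ip> <country> <result>".
SAMPLE_AUTH_LOG = """\
2025-03-03T08:55:10 jane.cpa 203.0.113.10 US success
2025-03-03T09:02:41 partner.admin 203.0.113.10 US success
2025-03-04T08:58:00 jane.cpa 203.0.113.11 US success
2025-03-04T09:10:12 partner.admin 203.0.113.11 US success
2025-03-05T09:01:00 jane.cpa 203.0.113.10 US success
2025-03-05T09:05:30 partner.admin 203.0.113.10 US success
2025-03-10T02:14:05 partner.admin 198.51.100.7 RO failure
2025-03-10T02:14:20 partner.admin 198.51.100.7 RO failure
2025-03-10T02:14:35 partner.admin 198.51.100.7 RO failure
2025-03-10T02:15:02 partner.admin 198.51.100.7 RO success
2025-03-10T09:03:00 jane.cpa 203.0.113.10 US success
2025-03-10T13:30:00 jane.cpa 198.51.100.9 US success
"""


def parse_auth_log(log_text: str):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, country, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "result": result})
    return events


def build_baseline(events, cutoff):
    """Countries each user successfully signed in from before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    return dict(baseline)


def failures_before(events, event, window=timedelta(minutes=5)):
    """Count failed attempts for the same user from the same source just before this event."""
    return sum(
        1 for e in events
        if e["user"] == event["user"] and e["ip"] == event["ip"]
        and e["result"] == "failure"
        and event["ts"] - window <= e["ts"] < event["ts"]
    )


def detect_login_anomalies(events, cutoff, failure_threshold=3):
    """Evaluate successful sign-ins after the cutoff against the baseline and return alerts."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        reasons = []
        known_countries = baseline.get(e["user"])
        if known_countries is None:
            reasons.append("no_baseline")          # account never seen before the cutoff
        elif e["country"] not in known_countries:
            reasons.append("new_country")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        n_failed = failures_before(events, e)
        if n_failed >= failure_threshold:
            reasons.append(f"{n_failed}_failures_before_success")  # guessing, then success
        if reasons:
            privileged = e["user"] in PRIVILEGED_ACCOUNTS
            alerts.append({
                "ts": e["ts"].isoformat(), "user": e["user"], "ip": e["ip"],
                "privileged": privileged,
                "severity": "high" if privileged else "medium",
                "reasons": reasons,
            })
    return alerts


def run_detection(log_text=SAMPLE_AUTH_LOG, cutoff=BASELINE_CUTOFF):
    """Parse, baseline and evaluate in one call; returns the list of alerts."""
    return detect_login_anomalies(parse_auth_log(log_text), datetime.fromisoformat(cutoff))


if __name__ == "__main__":
    for a in run_detection():
        print(f"[{a['severity']}] {a['ts']} {a['user']} from {a['ip']}: {', '.join(a['reasons'])}")
```

On the sample data the only alert is the 02:15 sign-in by partner.admin from a new country after three failures, rated high because the account is privileged; jane.cpa's sign-in from an address not seen before stays silent because it is inside business hours and from a known country, which is the kind of noise reduction a small security team needs. A real deployment would key the baseline on the identity provider's sign-in export rather than a text log and would add more signals (device, MFA method, impossible travel), but the structure stays the same: learn what is normal per user, evaluate successes against it, and weight the result by what the account can reach.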

Taken together, these measures not only strengthen defenses but also align closely with the proactive safeguards required by frameworks like GLBA, SOC 2 and GDPR — turning compliance obligations into security advantages.

The business case for prevention

Accounting firms today are under attack. According to research from the insurance firm L Squared, accounting firms have a 30 to 60% chance of a 2025 cyber event. And those attacks that succeed not only make it difficult for victims to maintain client trust, but they could ultimately run the company out of business altogether. 

In the world of data exfiltration, reactive approaches to cyberattacks are a recipe for failure. By implementing preventative approaches, firms not only stop exfiltration but also safeguard client trust, avoid lawsuits, insurance claims and long-term reputational damage that takes years to repair, and ensure compliance in an evolving threat landscape.
