September 25, 2025
Think You're Covered? The Cybersecurity Gaps Most Firms Miss
Professional services firms, especially CPA, engineering, and insurance businesses, handle enormous volumes of sensitive data every day. Financial records, personally identifiable information, intellectual property, and confidential client communications flow through your systems constantly. But despite this responsibility, many small and midsize firms operate with dangerous cybersecurity blind spots.
They've invested in antivirus software, maybe even a firewall or two, and assume that's enough. Until it's not.
At TechSage Solutions, we've worked with dozens of professional firms across South and Central Texas, and we've seen it all: accounting practices paralyzed by ransomware, engineering firms struggling to recover CAD files, and insurance offices unknowingly leaking client data via compromised email accounts. What all these cases had in common? Gaps in their cybersecurity posture they didn't even know were there.
Basic Antivirus as Your Only Defense
Many smaller firms believe that a good antivirus program is enough to protect against modern cyber threats. The problem is that today's attacks are more sophisticated than ever.
Ransomware doesn't just sneak in through infected downloads anymore. It exploits unpatched software, poorly configured remote access, or phishing emails that look like they're from a colleague. Once it's in, it doesn't just encrypt files: it spreads laterally, steals credentials, and even reaches your backups.
What to do instead:
- Invest in endpoint detection and response (EDR) tools that actively monitor behavior—not just scan for known viruses.
- Use zero-trust security principles that assume threats can come from anywhere (including inside your network).
- Implement multi-layered security: firewall, EDR, DNS filtering, MFA, and patch management.
Employees Don't Recognize Phishing
Your firewall can't stop a staff member from clicking a bad link. In many of the incidents we've investigated, the root cause wasn't malware, but an employee clicking on a fake invoice or login prompt that looked real.
Phishing remains one of the most effective tools for attackers, especially in industries like accounting and insurance where staff regularly exchange documents and log in to cloud-based portals.
The biggest phishing red flags:
- An unexpected DocuSign or QuickBooks link
- Urgent requests to change banking info
- Login links whose domains look slightly off (e.g., "0ffice365.com" instead of "office365.com")
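As an added illustration of the last red flag (this is not code from the original post), the script below folds away the character swaps behind domains like "0ffice365.com" and flags any link whose host merely resembles one of the firm's real portal domains. The allowlist and sample links are constructed, and it assumes the registrable domain is the last two DNS labels.

```python
from urllib.parse import urlparse

# Constructed allowlist: the portal domains this firm actually uses (not from the post).
TRUSTED = {"office365.com", "docusign.com", "intuit.com"}

# Character swaps that survive a quick glance; folded away before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def fold(label: str) -> str:
    """Normalise a DNS label so '0ffice365' compares equal to 'office365'."""
    s = label.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s

def host_of(link: str) -> str:
    """Hostname from a URL or bare domain; the scheme is optional in email text."""
    if "://" not in link:
        link = "https://" + link
    return (urlparse(link).hostname or "").rstrip(".").lower()

def classify(link: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host a login link points at."""
    host = host_of(link)
    if not host or "." not in host:
        return "unknown"
    labels = host.split(".")
    # Assumption: registrable domain = last two labels (no public-suffix list offline).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return "trusted"      # covers legitimate subdomains such as mail.office365.com
    folded = [fold(l) for l in labels]
    if ".".join(folded[-2:]) in TRUSTED:
        return "lookalike"    # e.g. 0ffice365.com reads as office365.com after folding
    # Brand name reused as a subdomain or hyphenated token under some other domain.
    tokens = {t for l in folded for t in l.split("-")}
    brands = {t.split(".")[0] for t in TRUSTED}
    if tokens & brands:
        return "lookalike"    # e.g. office365.com.login-verify.net, docusign-secure.net
    return "unknown"

if __name__ == "__main__":
    for sample in ["https://mail.office365.com/login", "http://0ffice365.com/",
                   "docusign-secure.net", "https://office365.com.login-verify.net/x",
                   "https://intuitive.com"]:
        print(f"{sample:45} -> {classify(sample)}")
```

"unknown" only means the host is not on the allowlist; it is a prompt to look closer, not a verdict.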
How to fix it:
- Run simulated phishing campaigns to test awareness
- Provide ongoing security awareness training, not just once a year
- Encourage a no-blame culture where employees report suspicious emails immediately
Backups Are Local and Not Tested
Many firms assume they have a backup, but few test and inspect them regularly. We've seen CPA offices diligently back up to an external hard drive that stays connected to the network, which leaves it perfectly positioned to be encrypted alongside production data during a ransomware attack.
Other businesses store backups in the cloud but forget to test whether they can actually restore their line-of-business applications, CAD drawings, or QuickBooks files in the event of a disaster.
Recommended strategy:
- Use off-site, immutable backups that can't be altered or deleted by attackers
- Ensure regular restore testing is part of your IT process
- Document what "critical data" includes—not just files, but apps, configurations, and user settings
No Cybersecurity Training or Policies
It's not just about having the right tools. It's about making sure your staff use them correctly.
In many engineering firms, for instance, high-value project data might be shared via personal Dropbox or email accounts, which may be completely outside company control. In insurance offices, we've seen team members reusing weak passwords across client-facing portals and internal systems.
Minimum policies every firm needs:
- Password policy (with enforced complexity and change requirements)
- Acceptable use policy (to prevent shadow IT)
- Mobile device management and bring-your-own-device (BYOD) guidelines
And above all: invest in regular cybersecurity training, especially for front-office teams and those who handle sensitive client data.
Poor Cloud Configurations
Microsoft 365 is a fantastic productivity suite, but it's not secure by default. Many firms assume that because Microsoft runs the infrastructure, they're automatically protected. But if you haven't configured your tenants correctly, you could be vulnerable to business email compromise (BEC), account hijacking, and data leaks.
Specific risks we see:
- Email forwarding rules sending messages outside the company
- OneDrive or SharePoint files shared with "anyone with the link"
- Admin accounts without multi-factor authentication (MFA)
- No data loss prevention (DLP) settings in place
The fix:
- Audit your Microsoft 365 tenant with a cybersecurity professional
- Enable security defaults, including MFA and Safe Attachments
- Consider migrating to Microsoft GCC if you're handling sensitive or regulated data (especially for CMMC or federal contracts)
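An added example, not TechSage's own tooling: given an export of inbox rules and mailbox forwarding settings (field names modelled on what Exchange Online reports; the domains, mailboxes and addresses are constructed), it lists every enabled rule or mailbox that forwards or redirects mail to an address outside the firm's own domains, which is the first check in the tenant audit recommended above.

```python
import re

# Constructed sample: the firm's own email domains; anything else is "outside the company".
INTERNAL_DOMAINS = {"examplecpa.com", "examplecpa.onmicrosoft.com"}

# Constructed export shaped like the fields Exchange Online reports for inbox rules and
# mailbox-level forwarding (field names assumed, values invented for this example).
INBOX_RULES = [
    {"Mailbox": "jane@examplecpa.com", "Name": "Invoices", "Enabled": True,
     "ForwardTo": ["Jane Archive <archive@examplecpa.com>"], "RedirectTo": [],
     "ForwardAsAttachmentTo": []},
    {"Mailbox": "jane@examplecpa.com", "Name": "Cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["SMTP:j.doe.finance@gmail.com"],
     "ForwardAsAttachmentTo": []},
    {"Mailbox": "bob@examplecpa.com", "Name": "Old", "Enabled": False,
     "ForwardTo": ["SMTP:bob@outlook.com"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
]
MAILBOXES = [
    {"UserPrincipalName": "bob@examplecpa.com", "ForwardingSmtpAddress": "smtp:bob.home@yahoo.com"},
    {"UserPrincipalName": "jane@examplecpa.com", "ForwardingSmtpAddress": None},
]

# Pulls the bare address out of "Name <addr>" and "SMTP:addr" forms; group 1 is the domain.
EMAIL = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.I)

def external_addresses(recipients):
    """Addresses in a recipient list whose domain is not one of the firm's own."""
    found = []
    for entry in recipients or []:
        m = EMAIL.search(entry)
        if m and m.group(1).lower() not in INTERNAL_DOMAINS:
            found.append(m.group(0).lower())
    return found

def audit(rules, mailboxes):
    """Findings as (mailbox, source, external destinations); disabled rules are skipped."""
    findings = []
    for r in rules:
        if not r["Enabled"]:
            continue
        dests = r["ForwardTo"] + r["RedirectTo"] + r["ForwardAsAttachmentTo"]
        ext = external_addresses(dests)
        if ext:
            findings.append((r["Mailbox"], f"inbox rule '{r['Name']}'", ext))
    for mb in mailboxes:
        ext = external_addresses([mb["ForwardingSmtpAddress"] or ""])
        if ext:
            findings.append((mb["UserPrincipalName"], "mailbox forwarding", ext))
    return findings
```

Run `audit(INBOX_RULES, MAILBOXES)` to see the two external destinations; an internal archive rule and a disabled rule produce no finding.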
Outdated Systems
Support for Windows 10 ends in October 2025. After that, there are no more security updates, patches, or support from Microsoft. While many businesses can work with their MSP to move to Windows 11, many firms still rely on aging desktops or laptops that won't support the upgrade.
What happens if you do nothing:
- Increased vulnerability to malware and ransomware
- Loss of compliance with frameworks like CMMC, FTC Safeguards, and PCI DSS
- Third-party software vendors may stop supporting your systems
Your next step:
- Begin auditing endpoints now to identify machines that can't upgrade
- Budget for phased replacements over the next 12-18 months
- Work with an MSP that can help you develop a practical, compliance-aligned upgrade strategy
No Incident Response Plan or Breach Readiness
If a breach happens today, would your team know what to do?
Too often, firms don't know who to call, what steps to take, or how to minimize the damage. Downtime drags on. Notifications are missed. Regulatory deadlines slip by. And confidence—internal and external—is shaken.
A basic incident response plan includes:
- A clear communication tree (who's notified, and when)
- Access to forensic support (internal or external)
- Defined steps for system isolation and recovery
- Legal, insurance, and compliance contacts
Even a simple, well-rehearsed plan is better than none. And if you're in a regulated industry, a documented IR plan may be required.
Compliance Gaps That Put You at Risk
Professional services firms increasingly fall under federal and industry regulations, but some don't even realize it.
Common gaps include:
- CMMC: Required for firms working with the Department of Defense or handling Controlled Unclassified Information (CUI)
- FTC Safeguards Rule: Applies to CPA firms, tax preparers, and financial advisors
- PCI DSS: Required for any firm that handles credit card transactions
While this post doesn't dive into the specifics of each regulation, the point is clear: compliance isn't optional. And ignorance isn't a defense.
What you need:
- A clear understanding of which standards apply to your business
- A gap assessment with a qualified cybersecurity expert
- Documentation and policy development support
- A roadmap to remediation
At TechSage, we help firms align with compliance standards without overcomplicating things. Whether it's building a secure SharePoint site or walking through your FTC Safeguards checklist, we've got the experience to guide you.
Next Steps: Don't Wait for the Wake-Up Call
Cybersecurity doesn't need to be overwhelming—but it does need to be a priority. The cost of inaction can be steep: lost data, lost trust, and lost revenue.
If you're unsure where your vulnerabilities lie, start with a cybersecurity assessment. We'll help you find the gaps, understand the risks, and build a plan that fits your business—not some generic checklist.
Click here or give us a call at (210) 582-5814 to book a free discovery call.
Key Takeaways
- CPA, engineering, and insurance firms are prime targets for cyberattacks due to the high value of the data they handle.
- Common gaps—like poor backups, untrained teams, or misconfigured cloud tools—can go undetected until disaster strikes.
- Compliance requirements (CMMC, FTC, PCI) are increasing, and many firms don't realize they're already out of compliance.
- A proactive approach—including training, backup testing, and cloud configuration audits—can dramatically reduce risk.