Onboarding a New Employee During Tax Season: The Security Checklist Nobody Gives You

Daniel Chang, Founder of SafeGuardGRC

It's late February. Your firm just hired two seasonal preparers who start Monday. Your office manager is scrambling to get them laptops and logins set up. Email access, accounting software, the client portal, maybe remote desktop. The to-do list is a mile long, and everyone's focused on one thing: speed.

The last thing on anyone's mind is a security briefing.

But here's what keeps most CPA firm owners awake at night if they stop to think about it: those two new hires are about to become your firm's biggest vulnerability for the next 90 days. Not because they're careless. Not because they're trying to cause problems. But because they don't know your firm yet, they don't recognize your normal communication patterns, and attackers know this too.

Why New Hires Are Your Biggest Risk Window

New employees are 71% more likely to click on phishing links in their first 90 days compared to the rest of your staff. That's not a typo. The data is consistent across multiple security research studies.

Why? Because they're still learning. They don't immediately recognize when something looks off. A phishing email pretending to be from "IT Support" asking them to reset their password looks legitimate when they literally are trying to reset passwords. A message from someone claiming to be the CFO asking for urgent client files seems plausible when they haven't yet internalized what your CFO actually does or how she communicates.

Attackers aren't random. They're strategic. Security researchers have found that criminals specifically target new employees within three weeks of seeing them pop up on LinkedIn with their new job title. They see "Tax Preparer, CPA Firm" and they start digging. An email address is easy to find, and a quick pretext call confirms the rest. By Monday morning, a phishing email is sitting in the new hire's inbox.

What the Regulators Expect

This isn't just a best practice conversation. It's a compliance requirement.

The FTC Safeguards Rule (16 CFR 314.4) requires that every financial services company, including CPA firms, ensure that "all personnel" receive appropriate security awareness training. Not just accountants. Not just office managers. All personnel. That includes the seasonal preparer who works two months a year. The IRS agrees: Publication 4557 explicitly states that security training should cover every employee, both professional and administrative staff, who may handle sensitive information.

If your firm handles tax returns, Social Security numbers, bank account information, or anything else protected under GLBA (the Gramm-Leach-Bliley Act), this training is not optional. It's a regulatory requirement with potential penalties if you can't document that it happened.

The 30-Minute Security Onboarding

You don't need hours. You need a system.

Before Their First Day

Work with your IT team or MSP to handle these before the new hire ever arrives:

  • Set up accounts with least privilege access. Translation: give them access to only the systems and files they actually need for their job. A seasonal preparer doesn't need access to the partner portal. They don't need to change firm policies. They need their email, their accounting software workstation, and maybe the client portal. Nothing more.
  • Enable multi-factor authentication (MFA) on every account before you hand over credentials. This is non-negotiable. NIST standards and the FTC both expect it.
  • Prepare a one-page security quick-reference sheet. Keep it simple: what does a phishing email look like, who do I ask if something looks suspicious, what's the password policy, which systems can I use personal devices for? You'll use this in the next step.

First Morning (15 minutes)

Sit down with the new hire for a conversation. Not a lecture. A conversation.

  • Walk through your verification policy. Make it real: "If someone calls you and says they're from IT and asks for your password, the answer is always no. Even if they claim there's an emergency. Even if they know your name. Hang up and call me directly."
  • Show them what a phishing email looks like. Use a real example from your industry if you can find one, or describe one clearly. Help them see the pattern: urgent language, requests for sensitive information, slight misspellings in the sender address.
  • Tell them exactly who to contact if something feels off. This matters more than you'd think. People often spot something suspicious but don't report it because they're not sure who to tell or they don't want to seem paranoid.
  • Have them sign acknowledgment of your security policy. One sentence: "I acknowledge I've reviewed the firm's security expectations." You need documentation that this conversation happened.

First Week

  • Review acceptable use of firm devices and personal devices. Can they work from home? Can they use personal email on firm devices? Can they take files on USB drives? Your policy, their responsibility.
  • Cover client data handling in detail. Where does it live? How is it securely sent? What should never, ever happen? This is where most problems start.
  • Add them to whatever ongoing security awareness program you have. Quarterly emails about phishing trends, annual training, lunch-and-learn sessions. Consistency matters.

Don't Forget Offboarding

Tax season ends. Your seasonal staff leaves. And this is where firms often fail.

Access must be revoked the same day they leave. Not the next day. Not "sometime next week." The same day. Work with your IT team to have an offboarding checklist that mirrors your onboarding checklist: disable accounts, revoke VPN access, retrieve firm devices, confirm they've deleted files from personal devices if applicable.

One departing employee with forgotten remote access credentials is all it takes for a problem months later when they're looking for work and a threat actor offers them cash for that access. Protect them by protecting yourself.

What You Can Do Today

  1. Create that one-page security reference sheet for new hires. Start with our template ideas above and customize it to your firm.

  2. Coordinate with your IT team or MSP on setting up a least-privilege access template specifically for seasonal roles. Have it ready to go so onboarding is faster, not slower.

  3. Block out 15 minutes in your actual onboarding process for security. Put it on the calendar. Make it as official as the tax software training.

  4. Set a calendar reminder for offboarding before tax season even begins. You won't remember to do it on the day someone leaves if you don't plan for it now.

The Bottom Line

Onboarding security takes 30 minutes. Recovering from a breach takes months, costs tens of thousands of dollars, and creates regulatory headaches you don't want. A new employee who clicks a phishing link and compromises client data creates liability for your firm, your clients, and possibly personal liability for you.

The investment is straightforward: 15 minutes for a security conversation, 15 minutes to build your one-page reference sheet, and coordination with your IT team to make sure access is properly controlled from day one.

That's it. The difference between a firm that's protected and one that's hoping nothing happens.

If you're looking for a systematic way to handle this across multiple new hires during a busy season, that's what tools like SafeGuardGRC are built for. But even without software, the checklist above is something you can implement this week.

Your seasonal team needs access fast. Your firm needs security maintained. These aren't competing goals. They're the same goal approached the right way.
