After Busy Season: Cybersecurity Education Can’t Go on the Back Burner

Written by Anthony Zelnosky | May 14, 2026
Cybercriminals are well aware of the accounting industry’s seasonal pressures, so cybersecurity awareness is a critical professional competency. Taking time now to reflect, educate, and strengthen fundamentals helps ensure firms are not only compliant but resilient.

For many accounting professionals, the weeks following tax season bring a much-needed opportunity to catch their breath. After months of long hours, deadlines, and client demands, it’s natural to shift focus toward recovery and planning for what’s next.

But while workloads may temporarily ease, cyber risks do not.

In fact, the period immediately after busy season is one of the most important times for firms to pause, reflect, and reinforce their approach to cybersecurity efforts.

The Post-Busy-Season Reality

Tax season often requires firms to operate in survival mode. Temporary workflows are put in place, new staff or contractors are onboarded quickly, and technology decisions are made for speed rather than long-term optimization. While these actions are understandable, they can leave behind unseen gaps:

  • Systems accessed more frequently and sometimes from new locations.
  • Increased reliance on email, file sharing, and remote access.
  • Elevated exposure to phishing attempts and business email compromise.
  • Deferred software updates or security reviews due to time constraints.

Once the seasonal rush subsides, these risks don’t automatically resolve themselves. Without deliberate follow-up, they can quietly compound.

Understanding Cyber Risks

Cybercriminals are well aware of the accounting industry’s seasonal pressures. In many cases, attacks increase when firms are extremely busy or soon after.

Some common post-season risks include the following:

  • Phishing emails disguised as client follow-ups or tax notices.
  • Credential theft using reused or weak passwords created under time pressure.
  • Ransomware attacks targeting firms perceived as “less alert” after deadlines pass.
  • Exploitation of unpatched systems postponed during busy season.
Why Security Education Matters

The weeks after tax season are an ideal time for education – not because firms have more time, but because they have recent experience to reflect on.

This is a good time to ask meaningful questions:

  • Where did technology slow us down this year?
  • Were there moments where security felt like an obstacle instead of a safeguard?
  • Did staff recognize suspicious emails or near-miss incidents?
  • Are our policies and training still aligned with how we actually work today?

Regular education around cybersecurity helps firms move away from reactive habits to intentional practices. It also empowers staff to play a role in protecting client data.

Practical Areas to Revisit

Rather than overhauling everything at once, firms can start by focusing on a few high-impact areas:

  • Security awareness refreshers – Short, targeted training reminders help reinforce how phishing attempts are evolving and what red flags to watch for.
  • Access and permissions review – Busy season access granted to temporary staff or third parties should be reassessed and tightened.
  • Policy check-ins – Written policies, such as incident response or data handling should reflect how work actually happens, not just how it’s supposed to happen.
  • Technology hygiene – Ensure updates, backups, and monitoring are fully back in place to reduce exposure moving forward.
Building Cybersecurity Into Firm Culture

The most resilient firms treat cybersecurity education the same way they treat technical CPE: ongoing, practical, and relevant.

When staff understand why controls exist and how cyber risks directly impact clients, firm reputation, and professional responsibility, security becomes part of daily decision-making rather than a checkbox.

Coming out of the busy tax-filing season is the perfect moment to reset expectations, reinforce good habits, and prepare for the rest of the year with confidence.

Looking Ahead

As technology continues to shape how accounting firms operate, cybersecurity awareness will remain a critical professional competency. Taking time now to reflect, educate, and strengthen fundamentals helps ensure firms are not only compliant, but resilient.

The goal isn’t to slow firms down; it’s to help them move forward securely.

Anthony Zelnosky is an account director at United Datacom Networks Inc. (UDNI), where he helps organizations align technology with business strategy. Coming from a family of CPAs, Anthony chose to break the mold by moving into IT, building strong partnerships between finance and technology. He can be reached at azelnosky@udni.com.

Sign up for PICPA's weekly professional and technical updates by completing this form.

Statements of fact and opinion are the author's responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.

 

 
View full post