Key takeaway
Desktop tax software on a local network is not automatically unsafe, but the architecture concentrates taxpayer data in a place where the security of every return depends on the weakest workstation, password, and remote access tool in the office. A controlled hosted-server model with individual MFA-protected access is materially easier to defend.
Who this applies to
Tax preparation firms, CPA firms, EAs, bookkeepers, EROs, service bureaus, and accounting offices that run any major U.S. desktop tax package on local PCs, mapped drives, peer-to-peer shares, or an office file server.
Why this matters
Most professional tax software in the U.S. is still commonly deployed in a desktop or local-network configuration. Multiple preparers open returns from a shared data folder over the office LAN, often through a mapped drive. That setup is fast and familiar — and it is also exactly the configuration attackers are most successful against during tax season.
Tax data is a high-value target. A single shared folder typically holds names, Social Security numbers, dates of birth, dependent information, employer data, bank routing details, prior-year returns, e-file submission information, and identity verification details. When that folder is reachable from every workstation in the office, the security of the entire firm depends on the weakest endpoint, the weakest password, and the weakest remote access tool in the environment.
Common local-network risks
- Phishing or malware on a single workstation that reaches the shared tax data folder
- Ransomware encrypting mapped drives and any reachable local backups in the same incident
- Exposed RDP or poorly secured third-party remote access tools used during tax season
- Shared Windows logins that eliminate individual accountability for who accessed which return
- Over-permissive file shares with no centralized audit trail
- Inconsistent endpoint protection, missed patches, and old workstations during busy season
- Unencrypted or co-located backups that go down with the live data
- No documented Written Information Security Plan (WISP) or evidence of access controls
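One way to check a server or host PC for the over-permissive share risk listed above. This is an added example, not part of the original page or any tax vendor's tooling. The list of broad group names is an assumption to adjust for your domain and locale, and the script must be run from an elevated PowerShell prompt on the machine that hosts the tax data folder.

```powershell
# Flags SMB shares where broad groups can modify data, at the share layer
# and at the NTFS layer of the shared folder. Read-only audit; changes nothing.
# Assumed list of "everyone in the office" principals (edit for your environment).
$broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Guests', 'ANONYMOUS LOGON'

function Test-BroadPrincipal {
    param([string]$Account)
    # Drop any DOMAIN\, BUILTIN\ or NT AUTHORITY\ prefix before comparing.
    $name = ($Account -split '\\')[-1]
    return $broad -contains $name
}

$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify

$findings = foreach ($share in Get-SmbShare -Special $false) {
    # Share-level permissions: Full or Change granted to a broad group.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ([string]$ace.AccessControlType -eq 'Allow' -and
            [string]$ace.AccessRight -in 'Full', 'Change' -and
            (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'Share'
                Principal = $ace.AccountName; Rights = [string]$ace.AccessRight
            }
        }
    }
    # NTFS permissions on the shared folder: Modify or higher for a broad group.
    # Note: ACEs stored as raw generic rights are not decoded by this check.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $rights = [int]$ace.FileSystemRights
            if ([string]$ace.AccessControlType -eq 'Allow' -and
                ($rights -band $modify) -eq $modify -and
                (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Rights = [string]$ace.FileSystemRights
                }
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Share, Layer | Format-Table -AutoSize }
else { 'No broad write access found on non-administrative shares.' }
```

A share that appears at both layers is writable by any account in those groups, which is the condition that lets a single compromised workstation reach every return in the folder.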
A more defensible architecture
The pattern that holds up better under IRS Publication 4557 and FTC Safeguards Rule expectations is a controlled hosted-server model — either a reputable tax software hosting provider or a properly hardened internal server designed to behave like one. In that model, each preparer authenticates with a unique account, MFA is required on every session, the tax database is not exposed as a raw network share to ordinary office desktops, backups are segmented and monitored, and access is logged in a way the firm can show during a security review.
Important nuance
"Hosted" does not automatically mean "compliant." What matters is the architectural pattern: individual user access, enforced MFA, segmentation between desktops and tax data, centralized backups, and documented controls — combined with an actual written WISP that reflects how the firm operates.
