Prueba Gratis
Guía de Riesgos del Hosting de Software de Impuestos

The Cybersecurity Risk of Running Lacerte Tax on a Local Network

Software: Lacerte Tax  |  Proveedor: Intuit

Idea clave

In a Lacerte network install, the entire return database is essentially a shared dataset on the office LAN, and the security of every taxpayer file is only as strong as the weakest workstation, password, and remote access tool in the office.

A quién aplica esto

Tax preparation firms, CPA firms, EAs, bookkeepers, EROs, and accounting offices that run Lacerte Tax on local PCs, mapped network drives, peer-to-peer shares, or an in-office file server.

Lacerte Tax is commonly used by tax professionals, and many firms run it as a desktop or local-network install because it is familiar, fast, and convenient. The tradeoff is that local convenience can create serious cybersecurity exposure when sensitive taxpayer data lives on office PCs, shared drives, mapped network paths, or an in-office file server.

What Lacerte Tax is

Lacerte Tax, from Intuit, is widely used by professional CPA firms and EAs handling complex 1040, 1065, 1120, 1120S, 1041, and 990 returns. Intuit also offers ProConnect Tax (cloud) and ProSeries (separately covered), but Lacerte is most commonly deployed as a Windows desktop / network install where the application and the shared "Lacerte Data" path live inside the firm. This article focuses on that local-network configuration.

How local Lacerte Tax setups usually work

A typical Lacerte network install places the program on each workstation and points everyone at a shared data path — often a mapped drive or UNC path to a "Lacerte" data folder on a server, NAS, or designated host PC. Multiple preparers and reviewers open the same client files concurrently. Many firms also run Intuit DMS or document management alongside Lacerte on the same server. Remote access is frequently provided through RDP, VPN, or a third-party tool.

Definiciones rápidas

  • Mapped drive — a Windows drive letter (like T:\ or Z:\) that points to a shared folder on another computer or server.
  • Local server / file server — a computer in the office that hosts shared files for other workstations.
  • Hosted server — a server in a controlled hosting environment (cloud or properly hardened internal) that users reach through controlled remote sessions.
  • MFA — multi-factor authentication; requires a second factor (app code, hardware key) in addition to a password.
  • WISP — Written Information Security Plan, expected of tax professionals under IRS Publication 4557 and FTC Safeguards Rule expectations.
  • Ransomware — malware that encrypts files and demands payment for a decryption key.

Why taxpayer data inside Lacerte Tax is so valuable

Return data inside professional tax software typically includes:

  • Names, addresses, and dates of birth
  • Social Security numbers and dependent information
  • Employer information and W-2, 1099, and K-1 details
  • Bank account and routing numbers used for refunds and payments
  • Prior-year return data and carryforwards
  • Tax credits, deductions, and filing status
  • Identity verification information
  • E-file submission data

That combination is exactly what attackers need for identity theft, refund fraud, business email compromise, extortion, and ransomware. It is a major reason tax offices are repeatedly targeted, particularly during filing season.

Risk summary

Local setup elementWhy it creates riskBetter hosted-server control
Shared / mapped tax data folderMalware on one workstation may reach all shared filesKeep tax data inside a controlled hosted session
Shared Windows credentialsHard to prove individual accountabilityRequire unique user accounts with MFA
Local workstation storageData may remain on laptops and desktopsCentralize data on a secured, segmented server
Local backupsBackups may be reachable by ransomwareUse protected, segmented, monitored backups
Uncontrolled remote accessAttackers may abuse exposed RDP / remote toolsUse MFA-protected remote sessions only

The inherent problem with local network sharing

When Lacerte Tax data is shared over the office LAN, the security of the tax database effectively depends on the weakest workstation, weakest password, weakest Windows account, weakest remote access tool, weakest backup process, and weakest shared-folder permission in the office. Common risks include:

  • Compromised Windows logins and phishing attacks on staff
  • Malware on a single workstation that reaches all shared data
  • Ransomware encrypting mapped drives and reachable backups
  • Weak, reused, or shared passwords; no individual MFA on app access
  • Local admin rights granted too broadly
  • Exposed RDP or poorly secured third-party remote access tools
  • Unencrypted or co-located backups
  • Old workstations and missing patches during busy season
  • Inconsistent endpoint protection across the office
  • Over-permissive file shares with no centralized audit trail
  • No clear evidence of access controls or written security plan

Escenarios de ataque realistas

  • A preparer's laptop is infected via a malicious browser extension; the malware enumerates mapped drives and encrypts the shared Lacerte data folder.
  • An exposed RDP session on the host PC is brute-forced; the attacker logs in with the same access as a legitimate preparer.
  • A staff member reuses a password from a breached personal account; an attacker pivots into the firm's network and exfiltrates returns.
  • A document management folder used alongside Lacerte holds scanned IDs and W-2s; that folder is reachable from the same compromised account.
  • Local backups on an external drive in the same office are encrypted with the live data during a ransomware event.

Why "we have antivirus" is not enough

Antivirus, endpoint protection, firewall appliances, spam filtering, and backups are useful — but they are not the same thing as a secure architecture. A Lacerte Tax office can still be exposed if a user is phished, a workstation is compromised, a mapped drive is reachable, a backup share lives on the same network, an attacker gains local admin rights, users share credentials, the tax app does not require individual MFA on every access, or the firm cannot prove who accessed which client file and when.

IRS, WISP, and the compliance angle

Tax professionals are expected to protect taxpayer data and to maintain a Written Information Security Plan (WISP). IRS Publication 4557 and the FTC Safeguards Rule frame this expectation in general terms: a firm needs more than good intentions. It needs documented controls, access management, incident response planning, employee training, backup and recovery planning, and security monitoring. This article is not legal advice — it describes architectural patterns that are easier or harder to defend during a review.

Why hackers target tax offices

Small and mid-sized tax firms are attractive targets because they:

  • Hold uniquely valuable identity and financial data
  • Often do not have full-time IT or security staff
  • Frequently rely on older local-network software workflows
  • Use seasonal preparers and rush operations during tax season
  • Sometimes delay patches and upgrades until "after April"
  • Commonly use multiple remote access tools
  • Allow a single compromised workstation to expose all shared tax data

A more defensible architecture: hosted server model

For Lacerte, a more defensible architecture is to run the program inside a controlled hosted-server environment — Intuit's hosting program, a reputable tax software hosting provider, or a properly hardened internal server — where each preparer logs in with a unique MFA-protected account, the Lacerte data path is not directly accessible from ordinary office desktops, and backups are segmented from production.

In a properly designed hosted-server model: Lacerte Tax runs on a controlled server, users access it through secure remote sessions, each user has an individual account, MFA is required, local desktops do not directly store or freely browse the tax database, access is logged, backups are centralized and segmented, permissions are enforced, security updates are managed centrally, and the environment is segmented from the rest of the office network. That is materially easier to document for WISP and compliance purposes than a peer-to-peer or mapped-drive LAN.

Matiz importante

A "hosted server" can be either a reputable remote tax software hosting provider or a properly secured local server environment that is designed to behave like a hosted system — users authenticate individually with MFA and access the tax software through controlled sessions, instead of opening raw shared data from ordinary office desktops. The architecture matters more than the address.

Schedule a Lacerte Tax security review

If your firm runs Lacerte Tax from local desktops, mapped drives, peer-to-peer shares, or an office file server, EasyWISP can help you understand the risk, document your WISP, and plan a safer hosted-server model with individual access controls and MFA.

Agenda una Revisión de Seguridad de Software de Impuestos Cómo EasyWISP Ayuda a Firmas de Impuestos

Preguntas frecuentes

Lacerte runs reliably on local networks, but the architecture concentrates risk: every preparer, admin, and remote tool with access to the shared Lacerte data folder becomes part of the security boundary, and that is hard to defend without MFA, segmentation, and protected backups.

Lacerte is generally pointed at a shared "Lacerte Data" path on a server, NAS, or host PC (for example, a mapped drive like X:\Lacerte). The exact path depends on the install, but the security implication is the same: shared data on the office LAN.

Yes. Lacerte client files live as standard files on a Windows file system. Any ransomware running under an account with write access can encrypt them, and any reachable local backups typically go down at the same time.

A properly run hosted Lacerte environment with individual user accounts, MFA, centralized controls, and segmented backups is materially easier to defend than a peer-to-peer or mapped-drive LAN setup. The architectural pattern matters more than any single vendor.

Antivirus and endpoint protection are important, but they do not stop phished credentials, exposed remote tools, shared logins, or over-permissive shares — all of which are typical in small Lacerte offices.

For most CPA firms handling federal returns, moving Lacerte into a controlled hosted environment with MFA and segmentation is significantly easier to defend under IRS Publication 4557 and the FTC Safeguards Rule.

EasyWISP helps firms document their WISP, evaluate whether their Lacerte environment is unnecessarily exposed, and plan a safer hosted-server architecture.

Conclusión

Lacerte Tax is not automatically unsafe, and many firms have used it for years. The issue is that the local-network architecture gives attackers too many paths to taxpayer data when a single workstation, password, remote access tool, or mapped drive is compromised. For firms handling sensitive taxpayer information, the more defensible model is to move Lacerte Tax access into a controlled hosted-server environment with MFA, centralized backups, logging, segmentation, and documented WISP controls.

Artículos relacionados de hosting de software de impuestos

CCH ProSystem fx Tax

Wolters Kluwer / CCH

CCH ATX

Wolters Kluwer / CCH

CCH TaxWise Desktop

Wolters Kluwer / CCH

UltraTax CS

Thomson Reuters

Índice de Hosting de Software de ImpuestosWISP para Preparadores de ImpuestosCumplimiento de Seguridad Fiscal del IRSAgenda una Consulta

Aviso: Este artículo es para educación general en ciberseguridad y cumplimiento. No es asesoría legal, fiscal ni regulatoria. Las firmas deben consultar a profesionales calificados para orientación específica a su entorno.

Prueba Gratis