
Shadow AI: A Looming Threat to Small Accounting Firms and IRS WISP Compliance

February 03, 2025

Small to mid-sized accounting firms face unique cybersecurity challenges, especially when it comes to protecting sensitive client data under the IRS's Written Information Security Plan (WISP). While large-scale breaches grab headlines, a more insidious threat is emerging: "Shadow AI." This refers to the growing trend of employees using unauthorized AI tools and applications, often without IT's knowledge or approval. For accounting firms, this poses a significant risk to Personally Identifiable Information (PII) and jeopardizes WISP compliance.

The ease of access to powerful AI tools is remarkable. Employees, seeking efficiency or convenience, might adopt these tools for tasks like data analysis, report generation, or even client communication. While seemingly innocuous, these unsanctioned applications can create significant vulnerabilities. Data uploaded to these platforms, often including sensitive PII like Social Security numbers, financial records, and addresses, may be stored insecurely, shared with third parties, or even used for purposes unknown to the firm.

The problem is compounded by the fact that many employees, particularly in smaller firms, may lack the necessary cybersecurity training to recognize these risks. They might not understand the implications of uploading client data to an unvetted AI tool. This lack of awareness makes them the weakest link in the firm's security posture.

Furthermore, many accounting firms rely on third-party contractors to supplement their workforce. These contractors, while valuable, introduce another layer of complexity. They may have their own preferred AI tools and workflows, further expanding the potential attack surface and making it harder to maintain consistent security practices. Without proper oversight, these contractors can inadvertently expose client PII to significant risk.

So, what can small to mid-sized accounting firms do to combat the threat of Shadow AI and maintain IRS WISP compliance? The answer lies in proactive security management, spearheaded by the designated Data Security Coordinator (DSC).

The DSC plays a crucial role in mitigating the risks associated with Shadow AI. Their responsibilities should include:

  • Research and Vetting: The DSC must thoroughly research and evaluate any AI tools or applications that employees or contractors might use. This includes assessing the security practices of the vendors, data storage methods, and potential vulnerabilities.

  • Policy and Procedures: Clear policies must be established regarding the use of AI tools within the firm. These policies should explicitly state which applications are approved, which are prohibited, and the consequences of non-compliance.

  • Training and Awareness: Regular cybersecurity training is essential to educate employees and contractors about the risks of Shadow AI. This training should emphasize the importance of data security, the firm's policies regarding AI tools, and best practices for protecting PII.

  • Application Inventory: The DSC should maintain an inventory of all approved applications used within the firm. This includes both software installed on company devices and cloud-based services. This inventory should be regularly reviewed and updated.

  • Access Control: Implement strict access controls to limit the data that employees and contractors can access. This principle of least privilege ensures that individuals only have access to the information necessary to perform their job duties.

By taking these steps, small to mid-sized accounting firms can minimize the risks associated with Shadow AI, protect their clients' valuable PII, and maintain compliance with the IRS WISP. Don't leave your firm vulnerable. Wispnest.com offers comprehensive cybersecurity training tailored specifically for small to mid-size accounting firms, covering all aspects of the IRS WISP. We also offer specialized employee training programs that explain the risks of Shadow AI in clear terms and teach practical strategies for minimizing those risks. Visit wispnest.com today to learn more and strengthen your firm's security posture.
