Summer Slowdown Projects: Three Security Improvements You Finally Have Time For

Daniel Chang, Founder of Kompflow

For the first time since January, your calendar has room in it. Tax season is behind you. The post-season catch-up is winding down. Your team isn't running at 120% anymore. And for a few months, before the extension deadlines and the year-end planning cycle ramp up again, you have something rare: bandwidth.

This is the window. Not for another project that can wait. For the security projects that have been sitting on your list since the FTC Safeguards Rule deadline hit in 2023. The ones you've been meaning to get to. The ones that feel important but never feel urgent enough to displace client work.

Summer is when firms that take governance seriously get ahead. Here are three projects that will materially improve your firm's security posture, each scoped for a small team with a realistic time estimate. Pick one, pick two, or tackle all three. The point is to start while you have the space.

Project 1: Build a Vendor Assessment Process

Time estimate: 8 to 12 hours spread over 2 to 3 weeks

Why it matters: Your firm relies on a constellation of third-party vendors. Tax software. Document management. Cloud storage. Payroll services. Scanning solutions. Client portals. Every one of those vendors touches client data, and the FTC Safeguards Rule requires you to periodically assess whether your service providers maintain appropriate safeguards.

Third-party involvement in data breaches doubled to 30% in 2024, up from 15% the prior year. That's not a distant problem. It's your problem, because when a vendor you selected gets breached and your clients' data is exposed, the regulatory scrutiny lands on your desk, not theirs.

Most CPA firms have never formally assessed their vendors. They chose their software because a colleague recommended it or because they've used it for years. There's nothing wrong with that as a starting point, but the FTC expects more than familiarity. They expect documented due diligence.

How to do it:

Start by listing every vendor that has access to client data. Include your IT provider, your tax software, your document management platform, your cloud storage, your email provider, and any other service that touches sensitive information. For most firms, this list is 8 to 15 vendors.

For each vendor, gather basic security information. Many vendors publish their security practices, certifications, and compliance documentation on their websites. Some will have SOC 2 reports available upon request. Others will respond to a simple questionnaire.

Create a standard set of 8 to 10 questions you'll ask each vendor: Do they encrypt data at rest and in transit? Do they conduct regular vulnerability assessments? Do they have an incident response plan? How do they notify you in the event of a breach? What certifications do they hold?

Document the responses and file them. You don't need to score vendors with a complex rubric. You need to demonstrate that you asked the questions, received answers, and made a reasonable judgment about whether the vendor meets your standards. This documentation becomes part of your compliance evidence.

First step: This afternoon, open a spreadsheet and list every vendor that touches client data. That's 15 minutes. Everything else builds from there.

Project 2: Run a Tabletop Incident Response Drill

Time estimate: 4 to 6 hours, including prep and debrief

Why it matters: The average cost of a data breach drops significantly when organizations have a tested incident response plan. Not just a plan that exists on paper. A plan that's been practiced. IBM's research consistently shows that organizations with regularly tested response plans identify and contain breaches faster, which directly reduces the financial impact.

Your firm probably has some version of an incident response plan in its WISP. The question is whether anyone on your team knows what it says, and whether the steps it outlines would actually work if something happened at 8 AM on a Monday.

A tabletop exercise is a low-stakes way to find out. You don't need to simulate an actual attack. You just need to walk through a realistic scenario as a team and talk through what you'd do. The exercise reveals gaps in your plan, unclear responsibilities, and assumptions that don't hold up under pressure.

How to do it:

Set aside 90 minutes with your partners, your office manager, and ideally a representative from your IT provider. Choose a scenario that's realistic for your firm. A good one for CPA firms: "A staff member clicked on a phishing link, and the attacker now has access to their email account. They've been sending fraudulent messages to clients for the past 48 hours requesting wire transfers."

Walk through the response step by step. Who discovers the compromise? Who do they notify? Who contacts the IT provider? Who locks down the affected account? Who communicates with clients? Who contacts legal counsel? Who handles the FTC notification if it's required? Who documents everything?

You'll find gaps. That's the point. Maybe nobody knows the IT provider's emergency number. Maybe the plan says "notify legal counsel" but you don't have a relationship with a breach attorney. Maybe the communication plan for clients doesn't exist. Every gap you identify now is a gap you can close before it matters.

After the exercise, spend 30 minutes updating your incident response plan based on what you learned. Document that the exercise occurred, who participated, and what changes were made. This documentation demonstrates to regulators that your plan isn't just written. It's been tested.

First step: Pick a date in the next three weeks. Send a calendar invite to the participants with a one-line description: "Incident response tabletop drill, 90 minutes." That's all it takes to make this real.

Project 3: Conduct a Comprehensive WISP Review and Update

Time estimate: 6 to 10 hours spread over 2 to 3 weeks

Why it matters: If your firm created its Written Information Security Plan before or around the June 2023 Safeguards Rule enforcement date, it's now over two years old. In that time, your firm has likely changed software, added or removed staff, modified your remote work practices, updated your client portal, and changed at least one or two vendors. If your WISP doesn't reflect those changes, it describes a firm that no longer exists.

The IRS expects minimum quarterly WISP reviews with immediate updates when you change technology, add or remove staff, modify business processes, or experience a security incident. The FTC requires your program to be maintained, not just developed. A WISP that hasn't been updated in two years isn't a program. It's an artifact.

How to do it:

Pull your WISP out and read it from start to finish. Yes, the whole thing. For each section, ask yourself: is this still accurate? Does it describe what we actually do today?

Check these specific areas:

The qualified individual section. Is the person named still at the firm? Are they actually performing the role? Can they describe the program's current status?

The risk assessment. When was it last updated? Does it reflect your current systems, your current staff, and your current operational environment? If you added cloud services, changed tax software, or expanded remote access since the last assessment, it needs an update.

The employee training section. Does it accurately describe what training is delivered, how often, and to whom? Can you produce attendance records for the most recent training?

The vendor oversight section. Does it list your current vendors? Do you have documented agreements with each one?

The monitoring and testing section. Does it describe your actual monitoring and testing practices? Can you produce evidence that those practices are being followed?

Update every section that's out of date. Add new sections for anything that's changed. Remove references to systems, people, or practices that no longer exist. When you're done, have your qualified individual review the updated version and sign off on it. Document the review date and the changes made.

First step: Print your WISP. Read the first two sections today. Note anything that's outdated. That's 20 minutes, and it sets the scope for the rest of the project.

How to Prioritize

If you can only do one of these, start with the WISP review. It touches everything else. The vendor assessment and the incident response drill are both more effective when they're grounded in an accurate, current WISP.

If you can do two, add the tabletop drill. It's the fastest of the three and produces the most immediate insight into your firm's readiness.

If you can do all three, start with the WISP review in early June, run the tabletop drill in late June or early July, and tackle the vendor assessment process through July and August. By the time extension season arrives, you'll have a firm that's materially more prepared than it was at the start of the summer.

The Bottom Line

The summer slowdown isn't just a break. It's an opportunity. The security work that gets pushed aside during busy season doesn't go away. It accumulates as risk. The firms that use this window to close gaps, test their plans, and update their documentation come out of the summer in a fundamentally stronger position.

None of these projects requires a massive budget or a dedicated security team. They require time, attention, and the willingness to do the work when you finally have the breathing room to do it.

If you want a structured approach to these projects, or if you want help prioritizing what matters most for your firm, Kompflow provides the frameworks, templates, and tracking tools that make this work manageable. But even without a tool, the first steps are simple. Start today, while the calendar is still on your side.

You've got the time. Use it.