Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax37 min readDeep Dive

VPN for Tax Professionals: Secure Remote Access Guide

A compliant VPN for tax professionals must meet IRS Security Six: AES-256 encryption, MFA enforcement, and 12-month audit logs. Protect your practice.

VPN for Tax Professionals: Secure Remote Access Guide - vpn for tax professionals

A VPN for tax professionals is a Virtual Private Network configured to meet the encryption, authentication, and access control requirements established by the IRS Security Six framework — a mandatory set of cybersecurity controls for tax preparers handling nonpublic personal information (NPPI). Under IRS Publication 4557, every tax preparer holding a Preparer Tax Identification Number (PTIN) must implement six essential safeguards, with a properly configured VPN serving as the primary mechanism for securing remote access to client data.

Tax professionals handle concentrated volumes of sensitive financial data — Social Security numbers, bank account details, prior-year returns, and income records — that make remote access security a regulatory obligation. The FTC Safeguards Rule requires financial institutions and tax preparers to encrypt all client data in transit when accessing it remotely. A compliant VPN creates an encrypted tunnel between remote devices and your practice network, protecting NPPI whether your staff connects from home offices, coffee shops, or client locations.

With remote work now standard across the profession, implementing a VPN for tax professionals directly affects your ability to operate, pass IRS security audits, and maintain your PTIN. The average data breach costs $4.88 million according to the IBM Cost of Data Breach Report, while an IRS-mandated PTIN suspension can halt practice revenue entirely. This guide covers IRS VPN requirements, implementation steps, protocol selection, common compliance failures, and vendor evaluation criteria — giving tax practices a complete framework for secure, compliant remote access.

Tax Practice Cybersecurity By The Numbers

$4.88M
Average Data Breach Cost

IBM Cost of Data Breach Report

80%+
Hacking Breaches Involve Credentials

Verizon 2025 Data Breach Investigations Report

12 Months
Minimum VPN Log Retention Required

IRS Publication 4557 compliance requirement

Understanding the IRS Security Six VPN Mandate

The IRS Security Six framework establishes minimum cybersecurity standards for tax professionals through six mandatory controls designed to protect NPPI. Tax professionals face unique cybersecurity challenges because they aggregate large volumes of sensitive financial data during filing season — a single compromised remote connection can expose hundreds or thousands of client records simultaneously.

The VPN requirement directly addresses risks inherent in remote access scenarios: when tax preparers connect to office networks from external locations, access cloud-based tax software over public internet connections, or work from home offices without enterprise-grade network security. According to the Verizon 2025 Data Breach Investigations Report, over 80% of hacking-related breaches involve compromised or weak credentials — making VPN implementation with multi-factor authentication (MFA) essential for protecting NPPI during remote work sessions.

The CISA Telework Essentials Toolkit provides detailed guidance on VPN selection and hardening that directly supports IRS compliance efforts for tax professionals working remotely. These federal guidelines emphasize that secure remote access is a business-essential safeguard for practices handling sensitive taxpayer data outside traditional office environments — not merely a technical checkbox.

Your IRS cybersecurity requirements extend beyond simply deploying a VPN. The Security Six framework treats VPN as one component of a layered defense that also includes firewalls, anti-malware software, MFA, backup solutions, and employee security training. Failing to implement any single component — or implementing it without proper documentation — can result in an IRS security audit finding and potential PTIN suspension.

VPN Implementation Steps for Tax Practices

1

Assess Remote Access Requirements

Inventory all employees who access client data remotely. Document which systems, applications, and data types each person needs to reach from outside the office.

2

Select a Compliant VPN Platform

Evaluate vendors against IRS Security Six criteria: AES-256 encryption, native MFA integration, centralized management console, and audit-ready logging with 12+ month retention.

3

Configure MFA Enforcement

Deploy authenticator apps (TOTP) or hardware security keys for all VPN users. Single-factor authentication does not satisfy IRS Publication 4557 requirements regardless of password length or complexity.

4

Enable Kill Switch and Role-Based Access Controls

Configure a kill switch to block all internet traffic if the VPN connection drops unexpectedly. Apply role-based access controls so users reach only the network resources required for their specific job function.

5

Update Your WISP Documentation

Add VPN configuration details, MFA policy, log retention settings, and incident response procedures to your Written Information Security Plan before the start of each filing season.

6

Test, Audit, and Train

Verify encryption strength, test failover scenarios, confirm log retention is functioning correctly, and train all remote staff on VPN connection requirements and kill switch behavior.

Remote Access vs. Site-to-Site VPNs for Tax Practices

Tax practices typically implement one of two VPN architectures based on their operational structure. Understanding the distinction helps you select the right solution that meets both IRS requirements and your practice's workflow.

Remote access VPNs allow individual users to connect from any location to your practice network or cloud resources. This is the most common implementation for tax practices with mobile employees, work-from-home preparers, or staff who visit client offices. Remote access VPNs authenticate each user individually, enforce per-user access policies, and create encrypted tunnels on demand when staff connect from home networks, coffee shops, or other external locations.

Site-to-site VPNs create permanent encrypted connections between entire networks — linking your main office to a satellite location or connecting your office infrastructure to a cloud data center. All traffic between connected locations flows through the encrypted tunnel automatically, without requiring individual authentication for each session.

Most small to mid-sized tax practices need remote access VPN capabilities to support teleworking staff. Firms with multiple physical offices may benefit from a hybrid deployment combining remote access for individual users with site-to-site connections between locations. The key consideration is ensuring your solution provides the granular logging, user authentication, and access controls required by the IRS Security Six framework.

For practices using cloud-based tax software, a VPN may still be necessary when accessing client data stored on local servers, connecting to office shared drives, or when your software vendor requires access from a trusted IP address range. Review your software vendor's specific security requirements before assuming cloud tools eliminate the need for remote access infrastructure.

VPN Compliance Requirements Checklist

  • Deploy AES-256 encryption — the minimum standard per IRS Security Six requirements
  • Enforce multi-factor authentication on every VPN connection without exception
  • Enable a kill switch to block all internet traffic if the encrypted connection drops
  • Retain VPN connection logs for a minimum of 12 months for IRS audit documentation
  • Document VPN configuration, MFA policy, and log retention settings in your Written Information Security Plan
  • Restrict each user's VPN access to only the network resources their role requires
  • Use an enterprise VPN platform — consumer services do not satisfy IRS audit requirements
  • Review and re-test VPN configuration annually and before each filing season
  • Train all remote employees on VPN connection procedures and what to do if the connection drops

Multi-Factor Authentication: The Non-Negotiable VPN Requirement

The IRS explicitly requires MFA for all remote access to systems containing NPPI. Your VPN for tax professionals must enforce MFA before allowing any connection — single-factor authentication using only a username and password does not meet compliance requirements, regardless of password length or complexity.

This requirement applies with particular force when preparers connect from home networks, public WiFi, or client locations where network security is outside your direct control. When a preparer connects from a coffee shop or hotel, the VPN and its MFA gate are the primary barriers between an attacker on that same network and your client records.

Acceptable MFA implementations for tax practice VPNs include:

  • Authenticator apps generating time-based one-time passwords (TOTP) — such as Microsoft Authenticator or Google Authenticator
  • Hardware security keys such as YubiKey (the most secure option for high-risk environments)
  • Push notifications sent to registered mobile devices
  • SMS or voice codes (the weakest acceptable option — avoid for practices handling high data volumes)

Your Written Information Security Plan (WISP) must document your MFA implementation in detail: which method you use, how you provision credentials to new employees, and the procedure for handling lost or compromised authentication devices. Many tax practices fail IRS audits not because they lack MFA, but because their WISP documentation doesn't adequately describe the MFA policy.

For remote environments, consider extending MFA beyond the VPN itself to your tax software applications, email systems, and cloud storage platforms. Layered authentication controls throughout the remote access chain reduce the risk that a single compromised credential opens access to all client NPPI.

"Tax practices using VPN without MFA are operating in direct violation of IRS Publication 4557. PTIN suspension cases frequently trace back to IRS security audits discovering single-factor VPN authentication." — Aligned with NIST Cybersecurity Framework guidance for small businesses

2026 Tax Season VPN Compliance Deadline

The IRS requires all tax preparers to have documented, operational security controls — including compliant VPN infrastructure — in place before the start of the 2026 filing season. IRS security audits are ongoing and can result in PTIN suspension for practices without compliant remote access infrastructure, enforced MFA, or current Written Information Security Plans. Verify your VPN configuration and update your WISP now.

Common VPN Implementation Mistakes Tax Practices Make

Even well-intentioned practices make configuration errors that create compliance gaps or security vulnerabilities when implementing VPN for remote access. These are the most consequential mistakes to avoid:

Using Consumer VPN Services

Services like NordVPN, ExpressVPN, or Private Internet Access are designed for individual privacy browsing, not business access control. They lack centralized user management, cannot integrate with enterprise MFA systems, do not generate the connection logs IRS audits require, and route your traffic through shared servers worldwide — the opposite of what you need when accessing sensitive client data. An IRS auditor reviewing your security documentation will not accept a consumer VPN subscription as evidence of compliant remote access infrastructure.

Neglecting Kill Switch Configuration

A kill switch automatically blocks all internet traffic if the VPN connection drops unexpectedly. Without it, your device may continue transmitting data over an unencrypted connection without your knowledge — potentially exposing client NPPI to anyone monitoring that network segment. This risk is elevated when staff work from coffee shops, airports, hotels, or other shared WiFi environments. Configure kill switch policies at the client level to prevent any data transmission outside the encrypted tunnel.

Insufficient Log Retention

IRS Publication 4557 requires maintaining records that demonstrate your security controls function as documented. VPN logs must be retained for at least one year, but many default VPN configurations only keep 30 to 90 days of records. Configure extended retention periods and ensure logs are backed up before system upgrades or vendor migrations. This documentation becomes the primary evidence during an IRS security review.

Skipping Endpoint Compliance Checks

Before allowing VPN connections, verify that connecting devices have current antivirus software, OS patches applied, and endpoint detection and response (EDR) agents installed and active. A valid VPN session from a malware-infected device gives attackers authenticated access to your practice network. Many enterprise VPN platforms support device posture checks that automatically block connections from non-compliant endpoints before granting network access.

VPN Performance Optimization for Tax Season

VPN connections introduce some latency due to encryption overhead and routing. Poorly optimized implementations can slow tax software to unusable levels — especially during peak filing season when multiple remote workers access practice systems simultaneously. Selecting the right VPN for tax professionals requires balancing security requirements with operational performance.

Start by calculating your concurrent user count and multiplying by the bandwidth each person needs. Most tax applications require 5 to 10 Mbps per user when uploading returns or accessing cloud-based platforms. A practice with 10 simultaneous remote users needs at least 100 Mbps of internet bandwidth at the server termination point — with additional headroom for peak season loads when all remote workers connect at once.

If you use a cloud-based VPN service, select server locations geographically close to your users. A preparer in Chicago connecting through a VPN server in California experiences significantly more latency than connecting to a Chicago-region server. Many enterprise VPN platforms offer automatic server selection based on user location, optimizing performance without manual configuration for each user.

Modern protocols like IKEv2/IPsec or WireGuard offer better performance and stronger security compared to legacy OpenVPN configurations or PPTP. If you currently run an older OpenVPN deployment and experience latency complaints during filing season, migrating to WireGuard can meaningfully reduce connection overhead without sacrificing encryption strength or IRS compliance.

Implement monitoring for connection quality, bandwidth utilization, and user experience during filing season peaks. Track metrics like connection setup time, throughput, packet loss, and round-trip latency. Set alerts for degraded performance so you can address infrastructure issues before they affect productivity during critical tax deadlines. Most business VPN platforms include built-in dashboards displaying these metrics in real time, giving your IT support team visibility into remote access health without additional tooling.

Bottom Line

A compliant VPN for tax professionals requires more than installing software. It requires AES-256 encryption, enforced MFA, a configured kill switch, 12-month log retention, and documentation in your Written Information Security Plan. Consumer VPN services and legacy PPTP protocols fail IRS Security Six requirements regardless of cost or brand recognition. Enterprise platforms meeting these criteria typically cost $10–25 per user per month — a fraction of the financial exposure from a data breach or PTIN suspension.

Integrating VPN with the Other Security Six Controls

Your VPN operates as one component of a layered security framework — not a standalone compliance solution. Effective tax practice cybersecurity requires integrating your VPN with the other five IRS Security Six requirements.

Firewall configuration: Your firewall should restrict VPN access to only the ports and protocols necessary for operation — typically UDP 500/4500 for IPsec-based connections or TCP 443 for SSL/TLS VPNs. Configure rules that limit what resources each VPN user can reach based on their role. Preparers don't need access to accounting systems, server administration tools, or network management interfaces from remote locations.

Endpoint protection: Your broader remote work security strategy must include verifying that remote devices meet minimum security standards before connecting. Many enterprise VPN platforms support device health checks that enforce endpoint compliance — blocking connections from machines without current patches or active antivirus — before granting network access.

Employee training: Train your staff to recognize phishing attacks targeting VPN credentials. Attackers frequently send fake VPN expiration notices, security alert emails, or impersonation messages designed to capture authentication credentials from remote workers. For specific examples of the tactics used against tax practice staff, see our guide on identifying phishing attacks. Your team remains the last line of defense against credential compromise when working from networks outside your direct security controls.

Incident response: Your incident response plan must include specific procedures for VPN-related security events: compromised credentials, suspicious connections from unusual geographic locations, unauthorized access attempts, and infrastructure failures during peak filing season. Document who to contact, which systems to isolate, and how to preserve logs for regulatory reporting. An untested incident response plan is nearly as risky as having no plan at all.

Selecting a Compliant VPN Vendor for Your Tax Practice

Not all business VPN solutions satisfy IRS Security Six requirements. When evaluating vendors for your VPN for tax professionals implementation, confirm that your chosen platform provides each of the following:

  • AES-256 encryption — non-negotiable minimum per IRS Publication 4557
  • Native MFA integration — support for Duo, Microsoft Authenticator, or FIDO2 hardware tokens
  • Centralized management console — for provisioning users, pushing policy updates, and revoking access instantly when an employee leaves
  • 12+ month log retention — with tamper-evident storage formatted for IRS audit documentation
  • Role-based access controls — granular permissions restricting each user to only the resources their job requires
  • Device posture checks — automated verification that connecting endpoints meet your security baseline before granting access
  • 99.9%+ uptime SLA — with redundant infrastructure that prevents outages during peak filing periods
  • 24/7 vendor support — with documented response times for priority issues during filing season

Enterprise VPN platforms commonly deployed in tax practices include Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient, SonicWall NetExtender, and cloud-managed options like Perimeter 81 or Twingate. Budget $10 to $25 per user per month for platforms that include management, licensing, and vendor support — a fraction of the cost of a data breach or a PTIN suspension event.

When evaluating vendors, request references from other accounting or tax firms of similar size. Ask those references about behavior during peak filing season concurrent loads, support responsiveness outside normal business hours, and their experience when IRS auditors requested VPN log documentation. These conversations reveal operational realities that product demos won't surface.

For a thorough view of how VPN fits into your overall compliance posture, review the FTC Safeguards Rule requirements for tax preparers — including data encryption, access controls, and third-party vendor oversight obligations that extend to your VPN provider. Building a complete tax preparer cybersecurity program means treating VPN as one element of an integrated system, not an isolated compliance checkbox.

Need a Compliant WISP That Documents Your VPN?

Your Written Information Security Plan must document your VPN configuration, MFA policy, and remote access controls. Bellator Cyber Guard has helped 4,000+ tax professionals create IRS-compliant security plans.

Secure Your Tax Practice with Compliant VPN Solutions

Our cybersecurity experts help tax professionals implement IRS-compliant VPN infrastructure that protects client data while supporting remote work productivity. Schedule a free consultation today.

Frequently Asked Questions

A compliant VPN for tax professionals must provide AES-256 encryption (or equivalent strength), enforce multi-factor authentication before allowing any connection, maintain detailed connection logs for at least 12 months, and include a kill switch that blocks unencrypted traffic if the session drops. The full configuration must be documented in your Written Information Security Plan (WISP) as required by IRS Publication 4557. Consumer VPN services do not meet these requirements because they lack centralized management, cannot enforce enterprise MFA policies, and do not generate the audit-ready logging that IRS security reviews require.

No. Consumer VPN services like NordVPN, ExpressVPN, or Private Internet Access are designed for individual privacy browsing and do not meet IRS Security Six compliance requirements. They lack centralized user management, cannot integrate with enterprise MFA systems, route traffic through shared servers rather than your practice network, and do not generate the detailed connection logs required for IRS audit documentation. Using a consumer VPN service in place of an enterprise solution creates a documented compliance gap that could expose your practice to an IRS audit finding and potential PTIN suspension.

Expect to invest $10 to $25 per user per month for an enterprise VPN platform that includes management, licensing, MFA integration, and vendor support. For a practice with 5 remote users, that is $600 to $1,500 per year — significantly less than the $4.88 million average cost of a data breach or the revenue lost during a PTIN suspension. Many business VPN vendors offer annual pricing discounts and bundled security packages that combine firewall, endpoint protection, and VPN in a single subscription, which can reduce per-component costs further.

Often yes, depending on your practice setup. Cloud-based tax software encrypts data between your browser and the vendor's servers, but a VPN may still be necessary if you access client data stored on local servers or shared network drives, connect to office systems like printers or internal file shares, or if your tax software vendor requires access from a known, trusted IP address range. Some tax platforms also require VPN access for administrative functions. Review your specific software vendor's security documentation and consult your WISP requirements before concluding that cloud tools eliminate the need for VPN infrastructure.

Your WISP should include a documented business continuity procedure for VPN outages. This should specify who to contact for technical support, whether employees should pause remote work until connectivity is restored, and any alternative secure access method for essential client data. Your kill switch should automatically prevent unencrypted data transmission the moment the connection drops. To minimize this risk, select a vendor with a 99.9%+ uptime SLA and redundant infrastructure. Maintaining a secondary VPN endpoint or failover path is a best practice for practices that depend heavily on remote access during filing deadlines.

Review your VPN configuration and security policies at least annually, and update them after any of the following: onboarding new employees, changing your remote work structure, upgrading or switching VPN vendors, or experiencing a security incident involving remote access. Your WISP requires annual review under IRS Publication 4557, and your VPN documentation should be updated as part of that review cycle. Before each filing season, re-test your VPN configuration, verify that log retention is functioning correctly, and confirm that all remote users have valid, active MFA credentials.

Personal devices are a significant compliance risk. You cannot guarantee that an employee's personal laptop has current patches, active antivirus software, or no malware installed. If your practice allows personal device use, your WISP must document a formal Bring Your Own Device (BYOD) policy, and your VPN should enforce device posture checks before granting network access. The recommended approach for tax practices handling NPPI is to provide company-managed devices for all remote workers, with endpoint protection configured and verified centrally before enabling VPN access.

Avoid PPTP (Point-to-Point Tunneling Protocol) — its MPPE encryption is cryptographically broken and can be compromised with widely available tools. PPTP does not meet IRS Security Six encryption requirements under any configuration. L2TP without IPsec is similarly weak. Older SSL/TLS configurations using RC4 ciphers or SHA-1 certificates should also be avoided. Tax practices should use IKEv2/IPsec with AES-256, OpenVPN with AES-256-CBC, or WireGuard — all of which provide the encryption strength required by IRS Publication 4557 and the FTC Safeguards Rule.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.