Security for accounting firms: shielding digital certificates, tax systems and the data of hundreds of clients

An accounting firm is a vault holding the tax and financial data and the digital certificates of dozens or hundreds of companies. Decripte structures the defense of that vault: detection of certificate misuse, rapid ransomware containment, and LGPD compliance.

Direct answer

Protecting an accounting firm requires treating the digital certificate (e-CNPJ, e-CPF, client certificates) as the most critical asset of the business: keeping it in a vault with controlled access, requiring MFA for any use, monitoring every signature and issuance in real time, and having an incident response plan that contains ransomware and tax fraud in minutes, not days. Decripte combines SOC 24x7, Incident Response with containment within 1 hour, Pentest and LGPD compliance to defend the tax and financial data of all of the firm's clients at once.

24/7

SOC monitoring certificate and system usage

<=1h

Incident containment SLA

LGPD

Tax and financial data are personal data under the law

ISO 27001

Information security management framework

In summary

  • The digital certificate is the most sensitive asset of an accounting firm: whoever controls it can sign, transmit and commit fraud on behalf of any client.
  • Ransomware in an accounting system paralyzes the entire firm at the end of the tax month, when the pressure to deliver is at its peak and the temptation to pay the ransom is highest.
  • The firm is both a controller and a processor of personal data under the LGPD: a client data breach triggers a duty to notify the ANPD and the data subjects.
  • Early detection of anomalous use of a certificate (time, volume, origin) is the difference between blocking the fraud and discovering the loss on the bank statement.
  • SOC 24x7 + Incident Response + a certificate vault + MFA form the minimum baseline of defense for anyone safeguarding the data of many companies.
Serviços Profissionais e BPO

Cibersegurança para Accounting

An accounting firm is a vault holding the tax and financial data and the digital certificates of dozens or hundreds of companies. Decripte structures the defense of that vault: detection of certificate misuse, rapid ransomware containment, and LGPD compliance.

Why an accounting firm is a high-value target

Few businesses concentrate as much tax and financial power per square meter as an accounting firm. On a single server or workstation coexist balance sheets, payrolls, tax filings, banking data and, above all, the digital certificates that authorize signing and transmitting documents on behalf of dozens or hundreds of companies. For an attacker, compromising the accountant means compromising the entire client portfolio at once: it is the leverage effect that makes the sector a disproportionately attractive target.

The problem is compounded because security maturity often fails to keep pace with the criticality of the data. Many firms operate with A1 certificates scattered across network folders, A3 certificates permanently plugged into USB tokens, passwords shared among the team, and local backups on the same computer that runs the accounting system. This scenario turns every isolated incident into a systemic event.

The risk of the always-connected certificate

An A3 certificate left permanently in the token, or an A1 installed in the Windows repository without strong password protection, allows any malware or malicious operator to sign and transmit documents without anyone noticing. Misuse does not require stealing the file: it is enough to hijack the session of the machine where it is already available.

The five threats that most affect accounting

Where the attack enters and what it seeks

Priority vectors in the accounting sector

  • Theft and misuse of digital certificates (e-CNPJ, e-CPF and client certificates) to sign and transmit fraudulent documents
  • Ransomware in accounting systems, encrypting databases at the height of the tax close to maximize ransom pressure
  • Tax and financial fraud: alteration of payment slips, diversion of payments and issuance of documents on behalf of clients
  • Client data breaches (personal, tax and banking data), with a duty to notify the ANPD under the LGPD
  • Phishing and BEC (Business Email Compromise): emails posing as a client, partner or tax authority to induce transfers or capture credentials

These threats rarely act in isolation. A successful phishing attack delivers credentials; with the credentials the attacker reaches the workstation where the certificate is installed; with the certificate they sign fraudulent documents and, on the way out, deploy ransomware to erase traces and demand a ransom. The defense must break this chain at several points, not just at the perimeter.

Gestão de Ameaças · Grátis

Is accounting data already exposed or up for sale? Find out now — for free.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Anatomy of the misuse of a digital certificate

The misuse of a stolen certificate is rarely noisy at first. The attacker knows the window of impunity is short and acts to appear legitimate: they use the certificate in the same systems the accountant uses, replicate signing patterns, and prefer times when no one is watching. That is why detection cannot depend on someone noticing something strange the next day.

The signs that reveal fraudulent use

  • Signatures or issuances outside the firm's usual business hours
  • Volume spikes inconsistent with the routine of that client or that day of the month
  • An IP origin or geolocation that does not match the authorized workstation
  • A sequence of signatures across distinct CNPJs in a short interval, typical of batch exploitation
  • Use of the certificate from an unexpected process or application on the machine

Turning these signs into an actionable alert is the role of continuous monitoring. Decripte's SOC correlates authentication logs, events from the workstation where the certificate resides, and usage telemetry to distinguish the accountant's legitimate activity from the intruder's fraudulent activity, even when both use the same certificate.

The certificate vault as a central control

Taking the certificate out of the network folder and placing it under governance

The structural hardening of an accounting firm requires changing the way the certificate is stored and used. Instead of scattered A1 files or permanently connected A3 tokens, the certificate comes to reside in a vault with controlled access: each use requires strong operator authentication, is recorded in an audit trail, and respects policies on time, purpose and quantity.

Principles of the certificate vault

  • Individual, named access: no shared passwords; each operator has their own identity
  • Mandatory MFA to release any signature or issuance
  • Principle of least privilege: the operator only accesses the certificates of the clients under their responsibility
  • An immutable audit trail of each use, with who, when, from where and for what purpose
  • Fast revocation and rotation: if a certificate is compromised, it is blocked and reissued without paralyzing the firm

The vault is not just a technical control; it is also a compliance control. It embodies the LGPD's principle of accountability, demonstrating that the firm applies adequate technical measures to protect its clients' data and signing instruments.

Ransomware at the tax close: the worst-case scenario

The tax calendar is the attacker's ally. Ransomware deployed at the end of the month or on the eve of an ancillary obligation finds the firm at peak pressure: clients demanding deliveries, legal deadlines running, and the accounting database unavailable. It is precisely at this moment that the organization is most tempted to pay the ransom, which Decripte does not recommend, because payment does not guarantee recovery and it finances new attacks.

A local backup is not a backup

Backups kept on the same network or the same machine as the accounting system are encrypted along with the database at the moment of the attack. Reliable recovery requires isolated copies (offline or immutable), tested regularly, with a known restoration time. Without this, the firm discovers it has no backup exactly when it needs one most.

Decripte's response combines immediate containment (isolating affected workstations and cutting off propagation), eradication (removing the attacker's access and closing the point of entry) and recovery from reliable copies, prioritizing the databases needed to meet the nearest tax deadlines.

Gestão de Ameaças · Grátis

What would an incident in accounting cost? See your real risk before it happens.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

LGPD: the firm is the guardian of the data of many companies

Under the General Data Protection Law (Law 13.709/2018), an accounting firm processes a large volume of personal data: of the clients' partners and employees, of suppliers, of individuals served. In many workflows the firm acts as a processor, handling data on behalf of the controller client; in others, as the controller of its own processes. In both roles, there are duties of information security and incident response.

Obligations that an incident triggers

  • Notifying the ANPD and the affected data subjects, within a reasonable timeframe, of incidents that may cause relevant risk or harm
  • Maintaining a record of processing operations and of the security measures adopted
  • Demonstrating the application of technical and administrative measures to protect the data (principle of accountability)
  • Supporting the controller client in meeting its own legal obligations

That is why the security of an accounting firm is not just an IT matter: it is a matter of legal and reputational continuity. A poorly handled breach can lead to sanctions, loss of clients and liability. Decripte structures the documentation, the controls and the response plan so that, if an incident occurs, the reaction is fast, recorded and defensible.

How Decripte structures and operates the defense

Protecting an accounting firm is delivered on two complementary fronts. The first is structural: discovering the critical assets, shielding the certificates, segmenting the network, applying MFA and achieving LGPD compliance. The second is operational: monitoring the use of certificates and systems 24x7, and maintaining a response team ready to contain any incident within one hour.

A free assessment as a starting point

Before any contract, the firm can start with Decripte's free Threat Management plan at decripte.com.br/intelligence-center, which provides visibility into exposure and risk. From there, the complete setup is contracted at decripte.io/start, and specific questions can be addressed at /contato.

The ultimate goal is simple to state and demanding to execute: that the firm can assure its clients that the digital certificate, the tax data and the continuity of deliveries are protected by continuous monitoring and rapid response, with evidence to prove it.

Anatomy of a real case: the digital certificate that signed what it should not have

Real, de-identified example

A real, anonymized example (with no identification of the client), built to show how Decripte operates. A mid-sized accounting firm keeps A1 certificates of about 120 client companies in a shared network folder, with passwords reused across the team. An employee clicks on a phishing email posing as a tax authority, and their credentials are captured. With them, the attacker reaches the workstation that has access to the certificate folder.

  1. Initial compromise

    The phishing delivers valid credentials. The attacker remotely accesses the employee's workstation outside business hours and locates the certificate folder on the network, where the A1 certificates of dozens of clients are ready for use.

  2. Detection

    Decripte's SOC 24x7 raises an alert by correlating three anomalies: a login from an unusual geographic origin at 2 a.m., access to distinct clients' certificates in rapid sequence, and signing attempts in a volume inconsistent with the firm's routine. The alert is classified as certificate misuse in progress.

  3. Containment

    Within the SLA of up to 1 hour, the Incident Response team isolates the compromised workstation from the network, drops the attacker's remote session, suspends the access of the captured credential, and triggers the preventive blocking of the certificates that recorded anomalous use, halting the fraud before the mass transmission of documents.

  4. Eradication

    The team identifies and removes the attacker's persistent access, resets all exposed credentials, ends the insecure sharing of the certificate folder, and closes the phishing vector with email rules and blocking of the malicious domain.

  5. Recovery and hardening

    The affected certificates are revoked and reissued. The certificates of all clients migrate to a vault with named access and mandatory MFA. The network is segmented to separate the certificate-use workstations, and continuous usage monitoring is activated permanently.

  6. Compliance and lessons

    Decripte documents the incident timeline, assesses the duty to notify the ANPD and the affected clients under the LGPD, and delivers an executive report with the root cause and improvements. Anti-phishing training and simulations become recurring for the team.

Outcome with Decripte

The fraud was contained before the attacker could transmit documents on behalf of the clients, avoiding tax and financial loss at scale. The firm emerged from the incident with certificates under a vault, MFA, a segmented network, 24x7 monitoring and a tested response plan, turning a near-systemic catastrophe into a controlled lesson and a defensible security posture before clients and regulators.

Resposta a Incidentes · 24/7

Don’t wait for the incident. Start hardening accounting today.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

How Decripte responds to an incident at an accounting firm

When a certificate is misused, ransomware is detected, or fraud is suspected, every minute counts. Decripte's response follows a structured flow, with the goal of containing the damage within one hour and preserving evidence and compliance.

  1. Triage and classification: the SOC 24x7 validates the alert, determines the type of incident (certificate misuse, ransomware, fraud, breach) and its reach within the firm's client portfolio.
  2. Immediate containment: isolation of affected workstations, blocking of compromised credentials, preventive suspension and revocation of certificates with anomalous use, and cutting off propagation, within the SLA of up to 1 hour.
  3. Forensic investigation: identification of the root cause, the entry vector (phishing, leaked credential, exposed remote access) and the attacker's complete timeline, with evidence preservation.
  4. Eradication: removal of persistent access and malware, reset of exposed credentials, and definitive closure of the point of entry.
  5. Prioritized recovery: restoration of accounting databases from reliable, isolated copies, prioritizing the tax obligations with the nearest deadlines.
  6. LGPD compliance assessment: analysis of the duty to notify the ANPD and the affected data subjects, with support for the documentation required by law.
  7. Post-incident hardening: migration of certificates to a vault, activation of MFA, network segmentation and continuous usage monitoring to prevent recurrence.
  8. Executive report and lessons learned: delivery of a report with root cause, actions taken and an improvement plan, the basis for the continuous evolution of the firm's security.

How Decripte structures the security of an accounting firm

A rapid response only works on a well-built foundation. Decripte structures the firm's defense in pillars that reduce the attack surface and make misuse detectable and containable.

Certificate vault and governance

Centralization of digital certificates in a vault with named access, mandatory MFA, least privilege and an audit trail of every signature and issuance. An end to shared folders and reused passwords.

24x7 monitoring of certificate and system usage

A SOC operating around the clock, correlating authentication logs, workstation events and usage telemetry to distinguish the accountant's legitimate activity from the attacker's fraud in real time.

Ransomware resilience

Isolated and immutable backups, tested periodically, with a known restoration time; network segmentation to limit propagation; and a recovery plan prioritized by the tax calendar.

Defense against phishing and BEC

Email protection, strong authentication, and recurring training and simulations for the team, attacking the human vector that opens most of the breaches in the sector.

LGPD compliance

Mapping of data processing activities, definition of controller and processor roles, documentation of security measures, and an incident response plan aligned with the duties of notifying the ANPD.

Continuous offensive validation

Periodic Pentest of the workstations, accounting systems and certificate-use workflows to find and fix flaws before an attacker exploits them.

Recommended plans for Accounting

Frequently asked questions

My firm keeps A1 and A3 certificates of many clients. How do I protect them from misuse?

The path is to take the certificates out of shared folders and always-connected tokens and place them in a vault with named access, mandatory MFA and an audit trail of every use. Added to that, 24x7 monitoring detects signatures at unusual times, volumes or origins, making it possible to block fraud before the documents are transmitted.

What do I do if I discover that a certificate was used to sign fraudulent documents?

Trigger incident response immediately: revoke the compromised certificate, isolate the workstation where it resided, reset credentials and investigate the scope of the fraud. Decripte conducts this flow with containment within 1 hour, identifies the root cause and assesses the duties to notify the ANPD and the affected clients under the LGPD.

Ransomware encrypted my accounting database at the end of the month. Should I pay the ransom?

Decripte does not recommend paying: payment does not guarantee data recovery and it finances new attacks. The safe way out is to restore the database from isolated, tested copies, prioritizing the nearest tax obligations. That is why the immutable backup strategy and network segmentation are set up before the incident, not during it.

How does the LGPD apply to an accounting firm?

The firm processes a large volume of personal data of clients, partners and employees, acting sometimes as a processor (handling data on behalf of the controller client) and sometimes as a controller. In both cases there are security duties and, in the event of an incident with relevant risk, a duty to notify the ANPD and the data subjects. Decripte structures the controls and documentation to make that compliance demonstrable.

How do I know if someone is using my client's certificate without authorization?

Through continuous usage monitoring. The SOC correlates time, volume, IP origin and the process that triggers the signature to distinguish the accountant's legitimate use from fraudulent activity. Signatures in the middle of the night, across distinct CNPJs in sequence, or from an unknown origin generate an actionable alert.

My firm is small. Is it worth investing in security at this level?

Yes, precisely because the impact is independent of the firm's size: compromising a single accountant exposes the entire client portfolio. You can start with the free Threat Management assessment at decripte.com.br/intelligence-center to understand your exposure and, from there, structure the protection at the appropriate pace at decripte.io/start.

How do I recognize a phishing or BEC attack targeting accountants?

They are emails that imitate tax authorities, clients or partners, with urgent requests to transfer funds, change banking data or click on links to capture credentials. The defense combines email protection, strong authentication and recurring team training, since the team is the ultimate target of this type of fraud.

How long does Decripte take to contain an incident?

The containment SLA is up to 1 hour from activation, with the SOC 24x7 ensuring that the alert is handled at any hour, including in the middle of the night and on weekends, when many attacks against accounting firms are launched.

Sector terms

Digital certificate (A1 and A3)
An instrument that identifies and authorizes the signing and transmission of electronic documents on behalf of a person or company. The A1 is a file installed on the computer; the A3 resides on a token or card. For an accounting firm, it is the most critical asset, as it authorizes tax and financial acts on behalf of clients.
Certificate vault
A solution that centralizes certificates in a protected environment, requiring named identity and MFA for each use, applying least privilege and recording an audit trail. It replaces shared folders and permanently connected tokens, making misuse difficult and traceable.
BEC (Business Email Compromise)
A fraud in which the attacker poses as a client, partner, supplier or tax authority by email to induce improper transfers or capture credentials. It is a frequent vector against accounting firms due to the number of financial transactions they intermediate.
LGPD
The General Personal Data Protection Law (Law 13.709/2018), which regulates the processing of personal data in Brazil. It imposes on the accounting firm duties of security, recording of operations and, in incidents with relevant risk, notification of the ANPD and the affected data subjects.
ANPD
The National Data Protection Authority, the body responsible for enforcing and applying the LGPD in Brazil. It is the entity to which the firm must report security incidents that may cause relevant risk or harm to the data subjects.
SOC 24x7
A Security Operations Center that operates around the clock, monitoring logs, events and telemetry to detect and respond to threats in real time. In the accounting sector, it especially watches over certificate usage and access to tax systems at any hour of the day.

Decripte protects and responds to incidents in accounting.

Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.