How Tax Audit Document Leaks Happen (and How to Stop Them)
Most tax audit leaks come from predictable sources — and most are preventable. Here's an analysis of the common root causes and the five controls that stop them.
We've spent the last five years talking to firms that have experienced leaks of tax audit documents. A pattern has emerged: the leaks come from a small number of predictable sources, and most of them are preventable with controls that take less than an hour to set up.
The five common root causes
1. Email mis-addressing. Someone types "Sarah" into the To field, autocomplete picks the wrong Sarah (a former client, a competitor, a vendor), and the email goes out. In a quarter of cases, the recipient notifies the sender immediately. In the other three quarters, the document sits in someone's inbox indefinitely.
2. Departed staff with lingering access. A bookkeeper leaves the firm and nobody revokes their access to the shared drive. Six months later they're at a competitor and still have read access to historical audit files.
3. Password reuse compromising a cloud account. A firm's Dropbox password is the same as one that was leaked in an unrelated data breach. Attackers try the credential on Dropbox, it works, and they download everything.
4. Forwarded attachments. Junior staff forward confidential documents to their personal email "to work on over the weekend." The personal email has no two-factor authentication and uses a password that's been breached.
5. Lost or stolen laptops. Cached copies of documents sit on an unencrypted hard drive. When the laptop disappears, so do the documents — and you have no audit trail of what was on it.
The five controls that stop most of them
Control 1: Move document sharing off email onto a controlled platform. This eliminates causes 1, 4, and parts of 2.
Control 2: Run a quarterly access review. Pull the list of everyone who has access to sensitive folders, compare it to your current staff list, and revoke anything that shouldn't be there. Takes 30 minutes and eliminates most of cause 2.
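A minimal version of the quarterly access review in Control 2, as an added example rather than anything from the original article: it compares a folder-permission export against the HR roster and reports every grant that should be revoked, with the reason. The CSV layouts, addresses, domain and the `anyone-with-link` marker are constructed assumptions; real sharing exports differ by platform.

```python
"""Quarterly access review: flag folder permissions held by anyone who is not
current staff. Added example; the CSV layouts below are constructed to resemble
a typical sharing export and HR roster, not any specific platform's format."""
import csv
import io

# Constructed sample: one row per (folder, grantee) from the sharing export.
ACL_EXPORT = """folder,grantee,permission,granted_on
Clients/Acme/2023-audit,sarah.lee@firm.example,edit,2023-02-01
Clients/Acme/2023-audit,j.ortiz@firm.example,view,2023-02-01
Clients/Acme/2023-audit,sarah.k@competitor.example,view,2023-03-14
Clients/Baker/2022-audit,J.Ortiz@firm.example,edit,2022-11-03
Clients/Baker/2022-audit,temp.contractor@firm.example,view,2022-12-01
Clients/Baker/2022-audit,anyone-with-link,view,2022-11-03
"""

# Constructed sample: HR roster; the departed bookkeeper from cause 2 is here.
STAFF_ROSTER = """email,status,departed_on
sarah.lee@firm.example,active,
j.ortiz@firm.example,departed,2023-09-30
"""

def review_access(acl_csv: str, roster_csv: str, firm_domain: str) -> list[dict]:
    """Return the grants that should be revoked, each tagged with a reason."""
    active, departed = set(), {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email = row["email"].strip().lower()   # normalise case before comparing
        if row["status"] == "active":
            active.add(email)
        else:
            departed[email] = row["departed_on"]
    findings = []
    for row in csv.DictReader(io.StringIO(acl_csv)):
        grantee = row["grantee"].strip().lower()
        if grantee in active:
            continue                           # current staff: keep the grant
        if grantee in departed:
            reason = f"departed {departed[grantee]}"
        elif grantee == "anyone-with-link":    # constructed marker for open links
            reason = "open link"
        elif not grantee.endswith("@" + firm_domain):
            reason = "external account"
        else:
            reason = "not on roster"           # firm address HR does not know
        findings.append({"folder": row["folder"], "grantee": grantee, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in review_access(ACL_EXPORT, STAFF_ROSTER, "firm.example"):
        print(f"REVOKE {f['grantee']:<32} on {f['folder']}: {f['reason']}")
```

Anything the script lists is a revocation to make now; grants to active staff are left alone, so the output is exactly the work item for the review.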
Control 3: Enforce two-factor authentication on everything. This makes cause 3 almost impossible — even a leaked password won't get an attacker in without the second factor.
Control 4: Encrypt laptop hard drives. macOS FileVault is free and takes 10 minutes. Windows BitLocker is included with Pro editions. This eliminates cause 5 if the laptop is lost.
Control 5: Ban personal email for work documents. Make it a policy and enforce it. Combined with a good data room, there's no legitimate reason anyone needs to email client files to themselves.
The compounding effect
None of these controls is expensive. Together they close off 80-90% of the realistic leak vectors. The firms that suffer major breaches almost always had at least three of these controls missing, not one.