I just got back to Fort Lauderdale after two days in Sugar Land, Texas at the 2026 Spring Technology and Accounting Resources Summit, better known as S.T.A.R.S., hosted by TXCPA Houston. It was one of the best rooms I've spoken to in a while, and I want to share a few thoughts while they're still fresh.
For context,
TXCPA Houston is the largest
CPA chapter in Texas, with roughly 7,000 members
across a 13-county area. The summit ran May 19 and 20 at the Sugar Land
Marriott Town Square,
with sessions spanning tax, audit and accounting, technology, and practice
management, and up to 20 CPE hours
on the table.
The caliber of the attendees was high, and so were the questions.
Why I said yes to this one
I speak at a fair
number of events. Over the years that's included MIT,
NASA, The Florida
Bar, The
New York City Bar, the ABA, FICPA,
and the Harvard Club of Boston. But I have a particular soft spot for rooms full of
CPAs, because the firms they run and serve are exactly the kind of
organizations that attackers love and that often have the least margin for a
bad day.
So when TXCPA Houston
invited me to present, it was an easy yes.
What I talked about: Cybersecurity Risk Management for CPA Firms
My session
focused on preventing cyber fraud and protecting client
funds, and I built it around
four essentials every CPA firm needs to understand: business email compromise, cyber hygiene,
social
engineering and executive impersonation, and building a cyber-aware culture.
I'll repeat my core message here because it's worth repeating. Cybersecurity is not an IT problem that lives in a back office. It is a business problem, and ultimately a leadership responsibility, that lands directly on a firm's reputation, its client trust, and its bottom line.
A few of the ideas that got the most heads nodding:
That moment of hesitation matters
Most of us have looked at an email and thought "this doesn't feel right." I talked about what actually happens in your brain in that moment, when an urgent or threatening message kicks you into survival mode and narrows your thinking. That narrowed state is exactly where criminals want you. Learning to notice the hesitation and slow down is one of the most powerful defenses there is.
Business Email Compromise is the threat to watch
BEC is one of the most significant financial threats facing CPA firms today. I walked through a real $200,000 wire diversion and the common forms this takes, from partner and vendor impersonation to gift card scams and adversary-in-the-middle attacks.
A simple framework: STOP
●
Slow down.
●
Think about
context.
●
Observe anomalies.
● Phone-verify outside of email.
You do not need to work in IT to use it.
Technology alone is not enough
Firewalls help. Email filtering helps. But no control is perfect, which
is why human awareness
and a culture where people feel safe reporting mistakes remain the difference makers.
We also got into cyber hygiene fundamentals, mobile device risk, and a topic drawing a lot of questions lately: the risks of agentic AI, including prompt injection and shadow AI, and why firms need governance before they deploy it.
The conversations that stuck with me
The best part of any event like this is what happens after you step off the stage. The questions I got at our Microtech booth and in the hallways were specific and serious. People weren't asking whether they should care about this. They were asking what to do first, how to talk to their partners about it, and how to protect clients without grinding the practice to a halt. That tells me the message is landing, and that this community is taking it seriously.
I want to thank our marketing director, Blake Hickey, who designed everything on our table and built the graphics for my slides. Standing up there with sharp visuals behind me made the whole thing easier, and that work happens long before anyone walks the floor.
Thank you, TXCPA Houston
Events like this
don't run themselves. The TXCPA Houston team put together a genuinely
well-organized, welcoming experience, and it showed in every detail. My thanks to their staff and volunteers for the invitation
and the hospitality.
"TXCPA
Houston 2026 S.T.A.R.S. Conference is made stronger because of partners like
Microtech. By sharing their knowledge and supporting the event, they help create
meaningful learning opportunities and strengthen connections within the
profession. We truly appreciate their continued partnership and support."
— Kristie Ondracek, CPA, CAE Chief Financial Officer / Chief
Operating Officer, TXCPA
Houston
Until next time
I left Houston encouraged. The threats facing
CPA firms are real and they're evolving, but so is the willingness of this profession to
get ahead of them. As I told the room, cybersecurity should empower, not intimidate. I'm already looking
forward to the next TXCPA event, and to
continuing the conversations that started this week.
If we spoke at S.T.A.R.S. and you want to keep going, my door is open.
Brian Butterfield, CISSP Co-Founder and Chief Security Officer Microtech IT & Cybersecurity Services
