For Canadian CPA, accounting, and bookkeeping firms
Managed IT Services for Accounting Firms in British Columbia
Most small firms run Microsoft 365 on default settings during tax season, when SINs, T4s, NOAs, and full financials move as raw email attachments. We harden M365 so client financial data stays protected when attackers hunt hardest.
- 81+ Google reviews
- ~15-minute response time
- No contracts, month to month
- Microsoft Partner
What tax season looks like for a lot of firms
From February to June, the volume goes up and the shortcuts start. SINs, T4s, T5s, NOAs, and full financial statements get exchanged as plain Outlook attachments, with no encryption and no secure portal.
Document collection ends up ad hoc: some by email, some by Dropbox, some on a USB stick a client dropped off. Each path is one more place client data can leak.
Underneath that, the Microsoft 365 tenant is often still on defaults. MFA is not enforced, conditional access is off, legacy authentication is still on, and a few shared mailboxes have more access than anyone remembers granting.
That is exactly the setup business email compromise (BEC) looks for. A phished partner mailbox lets an attacker sit quietly on refund and invoice threads, add an inbox rule to hide replies, then redirect a client payment or pull financial data. None of this means your firm is doing something wrong. It means the busiest months are also the most exposed, and that is worth checking before they start.
Worth knowing
A few things we get asked a lot by accounting firms, answered plainly. This is grounded in the rules as they stand, with sources below.
Myth: it is illegal to store client data on US-hosted clouds
It is not. Neither PIPEDA nor the CPA Code bans cross-border or US-hosted storage. PIPEDA lets you use processors outside Canada as long as you have a contract and comparable safeguards in place, and you stay accountable for the data. The practical move is to secure the cloud you use, not to avoid all US clouds.
The real Canada rule is about CRA records
Separate from PIPEDA, CRA requires your official books and records to be kept in Canada unless CRA gives written permission to keep them elsewhere. Records stored outside Canada but accessed from a screen in Canada do not count as kept in Canada. Microsoft runs Canadian datacentre regions in Toronto (Canada Central) and Quebec City (Canada East), which is one way to keep that data in the country.
PIPEDA expects safeguards that match the sensitivity
PIPEDA asks for safeguards appropriate to how sensitive the information is. Financial data like SINs, income, and NOAs is treated as highly sensitive, so it warrants stronger protection. In practice that points to enforced MFA, encryption, and access controls rather than default settings.
Breach reporting is mandatory, and so is keeping records of breaches
Under PIPEDA you must report a breach of security safeguards to the Privacy Commissioner and notify affected people when there is a real risk of significant harm, and you must keep records of every breach, reportable or not. Having a written plan before anything happens makes that a lot easier. Knowingly failing to report, to notify, or to keep those records is an offence that can carry a fine of up to $100,000.
FINTRAC may or may not apply to you
Accountants become FINTRAC reporting entities only when they perform specified triggering activities, like receiving or paying funds or managing client money. Routine tax prep and bookkeeping on their own do not trigger those duties. If they do apply, you take on a compliance program, client ID verification, record keeping, and reporting. Worth checking with your professional body if you are unsure.
MFA is the single biggest lever
Microsoft's own research reports that MFA reduces the risk of account compromise by over 99.2%, and that over 99.9% of compromised accounts did not have MFA turned on. It is not a full security program, and it only helps if legacy protocols that skip the MFA prompt are switched off too, but if one control goes first, this is the one.
Umbrella IT is an IT company, not a law firm, accounting firm, or compliance advisor. This is general information, not legal or professional advice. Check specifics with your own counsel, your CPA body, CRA, and FINTRAC.
Sources
- Office of the Privacy Commissioner of Canada - PIPEDA overview
- OPC - PIPEDA fair information principles (safeguards)
- CPA Ontario - CPA Code of Professional Conduct
- CRA - Where to keep your records and how long
- FINTRAC - Obligations and guidance for accountants
- Statistics Canada - Impact of cybercrime on Canadian businesses, 2021
- Microsoft Learn - Mandatory Microsoft Entra MFA
What makes us different
MFA and conditional access, enforced
We turn on multifactor authentication for every account, block legacy authentication (POP, IMAP, SMTP AUTH and similar protocols cannot complete an MFA challenge, so they let a stolen password in on its own), and add conditional access rules so a password alone does not get someone in. Microsoft reports that MFA cuts the risk of account compromise by over 99.2%.
Encrypted email and a real client portal
Sensitive items stop going out as open attachments. We set up encrypted email and a secure portal for document exchange, so SINs and financials are not sitting in plain inboxes during the rush.
Canadian data residency when you need it
Microsoft runs Canadian datacentres in Toronto and Quebec City. For firms that need data to stay in Canada, we can configure that, and we offer a white-glove migration with a no-downtime guarantee.
A senior tech on your account
No junior techs learning on your tenant. Our average response time is 11 minutes [[verify]], and security is led by a former IDF security officer working from a written policy program of about 178 policies.
Month-to-month, no onboarding fee
Agreements are month-to-month. There is no onboarding fee and no long contract to sign before we start. No long contract means we have to be useful every month.
Quarterly reviews, not silence
You get a quarterly business review (vCIO) where we walk through what changed, what is at risk, and what is next. Clients tend to see about 80% fewer tickets after three months [[verify]].
What we do for accounting firms
We start with a review of your Microsoft 365 tenant and how client files actually move through your firm. Then we close the gaps that matter most before tax season, and keep them closed year round.
- Enforce MFA on every account and turn off legacy authentication
- Add conditional access rules and tighten over-permissioned shared mailboxes
- Set up encrypted email and a secure client portal for document exchange
- Sort out SaaS logins (tax software, QuickBooks Online, payroll) with SSO or a password manager where it fits
- Write a plain incident-response and breach-notification plan that fits PIPEDA's reporting duty
- Configure Canadian data residency and run a no-downtime migration if you need to move
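Before any of the steps above, it helps to know which gaps are actually open. The script below is an added example written for this page, not Umbrella IT's tooling or a Microsoft tool. It is a read-only audit that checks the first three items in the list (tenant-wide MFA, legacy authentication, over-permissioned shared mailboxes) plus whether any mail flow rule applies message encryption. It assumes the Microsoft.Graph (v2) and ExchangeOnlineManagement PowerShell modules are installed, that the signed-in account can read policies and mailbox permissions (Global Reader is enough), and that the tenant has the Entra ID P1 licensing that Conditional Access requires; tenants without P1 rely on Security Defaults, which the script also checks.

```powershell
# Added example, not part of the original page: read-only audit of the Microsoft 365
# gaps discussed above. Assumes Microsoft.Graph v2 and ExchangeOnlineManagement are
# installed and the signed-in account has read access (Global Reader is sufficient).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. MFA tenant-wide: either Security Defaults are on, or an *enabled* Conditional Access
#    policy requires MFA for all users. Report-only policies do not enforce anything.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies  = Get-MgIdentityConditionalAccessPolicy
$mfaForAll   = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $secDefaults.IsEnabled -and -not $mfaForAll) {
    $findings.Add("MFA is not enforced tenant-wide: Security Defaults are off and no enabled CA policy requires MFA for all users.")
}

# 2. Legacy authentication: POP, IMAP, SMTP AUTH and similar protocols cannot complete an
#    MFA challenge, so a stolen password alone is enough. Check the CA block first, then the
#    Exchange Online settings that still allow Basic auth or SMTP AUTH.
$legacyBlocked = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $legacyBlocked) {
    $findings.Add("No enabled CA policy blocks legacy authentication clients (client app type 'other').")
}
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    $findings.Add("SMTP AUTH is still allowed tenant-wide; fix with Set-TransportConfig -SmtpClientAuthenticationDisabled `$true.")
}
Get-AuthenticationPolicy | Where-Object {
    $_.AllowBasicAuthPop -or $_.AllowBasicAuthImap -or $_.AllowBasicAuthSmtp -or $_.AllowBasicAuthActiveSync
} | ForEach-Object { $findings.Add("Authentication policy '$($_.Name)' still permits Basic authentication.") }

# 3. Shared mailboxes: every explicit FullAccess grant is a mailbox a phished user can read and
#    send from. List them so someone can confirm each grant is still needed.
Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-EXOMailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { $findings.Add("Shared mailbox $($mbx.PrimarySmtpAddress): FullAccess granted to $($_.User)") }
}

# 4. Encrypted email: is at least one enabled mail flow rule applying a rights-protection
#    (Office 365 Message Encryption) template to outbound mail?
$encryptRules = Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate -and $_.State -eq 'Enabled' }
if (-not $encryptRules) {
    $findings.Add("No enabled mail flow rule applies an encryption template; sensitive attachments leave in the clear.")
}

if ($findings.Count -eq 0) { "No gaps found by these checks." } else { $findings }
```

The script changes nothing; each finding names the setting to look at, and the only remediation command it mentions (Set-TransportConfig) is printed, not run. The shared-mailbox check deliberately lists every explicit FullAccess grant rather than trying to judge which are excessive, because that judgement belongs to the firm, not the script.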
The Tax-Season Microsoft 365 Security Checklist for Canadian Accounting Firms
Get this sorted before January
The time to harden Microsoft 365 is before tax season, not during it. Book a 20-minute review and we will tell you which gaps are open and which ones matter for your firm. No long contract, no onboarding fee.