The Dangerous Comfort of Outsourced IT
I’m excited to welcome Aaron Dickerson, CPA, CVA, CFE, to Josh & Taxes. Aaron is a Partner at a tech-forward, advisory-oriented accounting firm in Austin, Texas, where he works with closely held businesses and their owners to provide strategic, forward-looking accounting and consulting services. He began his accounting career in the credit union industry and has since held roles in public accounting, both in tax and audit, as well as serving as a controller in real estate private equity. His professional experience spans a wide range of industries, including financial institutions, telecommunications, professional services, real estate, and non-profit organizations. Aaron holds both a Bachelor’s and a Master’s degree in Accounting and is a Certified Public Accountant, Certified Valuation Analyst, and Certified Fraud Examiner. He can be found on X and LinkedIn.
Why I Reclaimed My Firm’s Tech Stack to Meet the FTC Safeguards Rule
For most small accounting firms, information technology (IT) is treated as a black box. It is a necessary and significant expense outsourced to a Managed Service Provider (MSP) and rarely scrutinized until a system crashes or a client’s sensitive data is leaked.
Following a recent merger of my firm, I reached a crossroads: continue with the status quo of hands-off IT management or build a modern, distributed architecture from the ground up.
My background isn’t in IT, but I spent some time working with community financial institutions as an outsourced internal auditor. We assisted the banks with various areas of operations and one that I focused on was information technology and GLBA compliance. I saw exactly how regulatory examiners scrutinized information security practices in financial institutions.
When it came time to secure our own firm’s PII and NPI under the FTC Safeguards Rule, I realized that the standard MSP cookie-cutter approach often prioritizes their ease of management over our specific legal requirements. To ensure proper oversight, I decided it was best to dump the MSP and start from scratch.
The Risk of the Hands-Off MSP Approach
The traditional MSP model is built on volume—managing as many clients as possible with the fewest number of technicians. This often leads to three critical vulnerabilities for a financial institution like an accounting firm:
The Visibility Gap: When you outsource your IT entirely, you lose the ability to verify that controls are actually in place. “I think we’re encrypted” is not an acceptable answer.
Supply Chain Risk: If your MSP is breached, their master key access to your systems becomes a backdoor for attackers. For a small firm, an MSP’s vulnerability is your firm’s liability.
The Perimeter Fallacy: Most MSPs still rely on the office firewall model. In our world of shared desks and home Wi-Fi, the perimeter no longer exists. Security must follow the user and the device.
The Auditor’s Tech Stack
In professional IT circles, Ubiquiti and Synology are sometimes viewed as prosumer rather than enterprise. However, for our firm, they are the cornerstone of our security for one reason: total visibility.
I manage a robust Ubiquiti environment in my own home, but this familiarity isn’t just a hobby; it’s an audit advantage. I don’t have to call a help desk to see if our IDS/IPS (Intrusion Detection/Prevention) is active or if a firmware patch was applied—I can see the dashboard in real-time. Similarly, the Synology NAS provides us with immutable snapshots of our Google Workspace and other data. In the event of a ransomware attack, we don’t pray that our cloud provider’s system works; we have physical possession of our backups and data.
We chose these platforms because their interfaces are transparent. We’ve traded the “black box” of an MSP for a system where I, as a partner, can personally verify every security toggle, and satisfy the oversight requirements of the Safeguards Rule.
The Hybrid Model
Internal management doesn’t mean doing it alone. We utilize a hybrid IT model:
Oversight: I manage the day-to-day configuration and security posture.
Expert Consultants: We engage niche specialists for project-based work, for example JumpCloud architects to refine our Mobile Device Management (MDM) policies and networking professionals to assist with network configuration.
This gives us direct access to Tier-3 engineering talent without paying the $150-$200 per-user, per-month overhead of a full-service MSP.
The Bottom Line: Cost and Conscience
The cost savings are substantial. Reclaiming our IT function has cut related spending significantly, but the real ROI is the ability to sleep at night. I found countless issues as we transitioned out of the MSP's systems, which solidified the decision to move away from them.
If you utilize an MSP, I encourage you to do an in-depth review of their practices and question them about the FTC Safeguards Rule and GLBA. You might find that your biggest liability is the company you hired to protect you in the first place.
“I didn’t know” is not a defense for firm owners. By owning our tech stack, I know that MFA is enforced via JumpCloud, I know our laptops are encrypted and up-to-date, and I know our client data is backed up. We have eliminated the “hope” factor and replaced it with verifiable certainty.
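The "verifiable certainty" described above comes down to checking evidence rather than accepting assurances. The script below is an added example, not code from the original post or from JumpCloud or Synology: it reads a constructed JSON export of device posture (disk encryption, patch currency, MFA enrollment) and a constructed list of backup snapshots, applies explicit thresholds, and returns the findings a firm owner could review. The field names, thresholds and sample records are assumptions chosen for the illustration, not any vendor's real export schema.

```python
"""Control-verification check over a constructed device and backup inventory.

Added example, not from the original post. The JSON shapes below are
hypothetical: a real MDM or identity directory (e.g. JumpCloud) and a real
backup system (e.g. a Synology NAS) expose their own export formats.
"""
from __future__ import annotations

import json
from datetime import date

# Fixed reference date so the check is reproducible offline.
TODAY = date(2025, 1, 15)
MAX_PATCH_AGE_DAYS = 30      # assumed policy: endpoints patched within 30 days
MAX_SNAPSHOT_AGE_DAYS = 1    # assumed policy: a fresh backup snapshot every day

# Constructed sample data; hostnames, users and dates are made up.
DEVICE_EXPORT = json.dumps([
    {"hostname": "lt-01", "user": "partner1", "disk_encrypted": True,
     "last_patch": "2025-01-10", "mfa_enrolled": True},
    {"hostname": "lt-02", "user": "staff1", "disk_encrypted": False,
     "last_patch": "2025-01-12", "mfa_enrolled": True},
    {"hostname": "lt-03", "user": "staff2", "disk_encrypted": True,
     "last_patch": "2024-11-01", "mfa_enrolled": False},
])
SNAPSHOT_EXPORT = json.dumps([
    {"dataset": "workspace-mail", "taken": "2025-01-15", "immutable": True},
    {"dataset": "workspace-drive", "taken": "2025-01-12", "immutable": True},
    {"dataset": "client-files", "taken": "2025-01-15", "immutable": False},
])


def _days_since(iso_date: str) -> int:
    """Whole days between an ISO date string and the reference date."""
    return (TODAY - date.fromisoformat(iso_date)).days


def check_devices(export_json: str) -> list[str]:
    """Return one finding per control that fails on an endpoint record."""
    findings: list[str] = []
    for dev in json.loads(export_json):
        host = dev["hostname"]
        if not dev["disk_encrypted"]:
            findings.append(f"{host}: disk not encrypted")
        if _days_since(dev["last_patch"]) > MAX_PATCH_AGE_DAYS:
            findings.append(f"{host}: patches older than {MAX_PATCH_AGE_DAYS} days")
        if not dev["mfa_enrolled"]:
            findings.append(f"{host}: user {dev['user']} has no MFA")
    return findings


def check_snapshots(export_json: str) -> list[str]:
    """Return one finding per backup dataset that is stale or not immutable."""
    findings: list[str] = []
    for snap in json.loads(export_json):
        age = _days_since(snap["taken"])
        if age > MAX_SNAPSHOT_AGE_DAYS:
            findings.append(f"{snap['dataset']}: last snapshot is {age} days old")
        if not snap["immutable"]:
            findings.append(f"{snap['dataset']}: snapshot is not immutable")
    return findings


def posture_report(devices_json: str, snapshots_json: str) -> dict:
    """Combine both checks into a single pass/fail summary with evidence."""
    findings = check_devices(devices_json) + check_snapshots(snapshots_json)
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    report = posture_report(DEVICE_EXPORT, SNAPSHOT_EXPORT)
    print("COMPLIANT" if report["compliant"] else "FINDINGS:")
    for line in report["findings"]:
        print(" -", line)
```

The value is in the shape of the check, not the thresholds: each control the owner is accountable for maps to a concrete record and a rule, so "I think we're encrypted" becomes a list of specific hosts that are not, and a backup that exists but is three days old or mutable shows up as a finding instead of a comfort.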
Conclusion: Accountability Cannot Be Outsourced
This approach is not right for everyone, but oversight of your Written Information Security Plan (WISP) cannot be outsourced.
The FTC Safeguards Rule is clear: the responsibility for data protection rests squarely on the shoulders of firm leadership. While an MSP can provide the labor, they cannot provide the accountability.
In an era where a single data breach can damage a firm’s reputation, understanding your own security posture isn’t just a technical choice—it’s a fiduciary duty to clients.