20-Person Tax Firm Eliminates Critical Security Gaps in 90 Days

Industry: Tax & Accounting
Firm Size: 20 Employees
Region: Southern California
Timeline: 90 Days

7 critical gaps identified
7 critical gaps resolved
90 days to audit-ready
0 incidents since go-live

The situation

A 20-person tax and accounting firm in Southern California had been operating successfully for years — filing returns, managing client finances, and growing their practice. Their technology worked well enough to get the job done every day.

But "working" and "compliant" aren't the same thing. As a firm handling Federal Tax Information and client financial data, they're subject to the GLBA Safeguards Rule and IRS Publication 4557 — both of which require documented security controls, tested backup and recovery, access management, encryption, and a Written Information Security Plan.

They had none of that. Not because they didn't care — because nobody had ever told them what the rules actually require.

What we found

Our initial technology assessment uncovered seven critical gaps that represented immediate risk to the firm's operations, client data, and regulatory standing:

Critical findings:

  • No backup system of any kind — a single hardware failure would have destroyed all client data and tax records
  • Remote Desktop Protocol (RDP) exposed directly to the internet — a common ransomware entry point
  • No multi-factor authentication on any system — one compromised password could grant full access to client data
  • Unmanaged remote access tools (TeamViewer, AnyDesk) installed on server and workstations with no audit trail
  • Stale user accounts from former employees still active with full access to production systems
  • Single-server dependency with no disaster recovery plan — the entire firm ran on one machine with no failover
  • No centralized documentation — no asset inventory, no network diagram, no written policies, no WISP

Any one of these gaps could result in a data breach, regulatory penalty, or operational shutdown. Together, they represented a compliance posture that would not survive an FTC inquiry, a cyber insurance claim, or a ransomware event.

What we did

We designed and executed a structured remediation across seven phases, prioritizing the highest-risk items first. The entire project was completed within 90 days while the firm continued operating normally.

Phase 01: Immediate Stabilization
Disabled stale accounts, removed unauthorized remote access tools, restricted RDP exposure, and enabled audit logging and account lockout policies. Completed in the first week to eliminate the most urgent attack vectors.

Phase 02: Emergency Backup Deployment
Deployed an interim backup solution and performed full image and file-level backups of the production server, including all tax software data and shared drives. Validated with a documented test restore.

Phase 03: Full Backup & Disaster Recovery
Deployed a hybrid backup solution with on-premises NAS, enterprise backup software, and cloud replication. Defined RPO/RTO targets with firm leadership and created a written DR runbook.

Phase 04: Secure Remote Access
Installed an enterprise-grade firewall, configured SSL VPN for all remote access, restricted RDP to VPN-only connections, and deployed MFA for every remote session.

Phase 05: Identity & Access Governance
Audited all user accounts, groups, and privilege assignments. Archived legacy accounts, implemented password rotation, and built documented onboarding and offboarding workflows.

Phase 06: Endpoint Security & Server Hardening
Deployed enterprise EDR/antivirus with 24/7 managed detection, removed legacy AV remnants, implemented BitLocker encryption, applied Group Policy security baselines, and established monthly patching.

Phase 07: Documentation & Compliance
Created network diagrams, server documentation, asset inventory, password vault, and written IT policies covering passwords, remote access, acceptable use, and onboarding/offboarding. Developed a complete Written Information Security Plan (WISP) aligned to GLBA and IRS 4557 requirements.
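The findings above and the stabilization, identity and hardening phases that address them are the kind of thing a firm can re-check itself after go-live. The script below is an added example, not code from the firm or the provider described in this case study: a read-only PowerShell audit that reports the gap types named here (stale enabled accounts, privileged group membership, a disabled lockout policy, RDP configuration and Network Level Authentication, installed remote-access tools, BitLocker status, and whether logon auditing is on). It assumes a domain-joined Windows Server with the RSAT ActiveDirectory and BitLocker modules installed and an administrator session; the 90-day inactivity threshold and the tool-name list are assumptions, not values from the page. One caveat it cannot remove: whether RDP is reachable from the internet is a firewall and NAT question, so the script only reports the addresses RDP is listening on and leaves the edge check to the firewall review.

```powershell
# Added example (not the firm's or provider's code): read-only audit of the
# gap types listed in this case study. Assumes RSAT ActiveDirectory module,
# domain-joined host, administrator session. Thresholds are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumed threshold for "stale" accounts
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Stale accounts that are still enabled (former employees with live credentials)
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }
foreach ($u in $stale) {
    $Findings.Add("Stale enabled account: $($u.SamAccountName) (last logon $($u.LastLogonDate))")
}

# 2. Who holds full access: recursive membership of the privileged groups
foreach ($grp in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    $members = Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) { $Findings.Add("Privileged: $($m.SamAccountName) is in $grp") }
}

# 3. Account lockout policy: threshold 0 means unlimited password guessing
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.LockoutThreshold -eq 0) {
    $Findings.Add("Account lockout disabled (LockoutThreshold = 0)")
}

# 4. RDP on this host: enabled? which addresses? Network Level Authentication required?
$ts     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -eq 0) {
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $addrs  = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    $Findings.Add("RDP enabled, listening on: $addrs (confirm at the firewall that it is VPN-only)")
    if ($rdpTcp.UserAuthentication -ne 1) {
        $Findings.Add("RDP does not require Network Level Authentication")
    }
}

# 5. Unmanaged remote-access tools, found via the installed-programs registry keys
$toolNames = 'TeamViewer', 'AnyDesk'   # names from the case study; extend as needed
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        foreach ($t in $toolNames) {
            if ($_.DisplayName -like "*$t*") {
                $Findings.Add("Remote access tool installed: $($_.DisplayName)")
            }
        }
    }

# 6. BitLocker protection on the OS and fixed data volumes of this host
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            if ($_.ProtectionStatus -ne 'On') { $Findings.Add("BitLocker off on $($_.MountPoint)") }
        }
}

# 7. Audit policy: are logon events being recorded at all?
$logonAudit = auditpol /get /subcategory:"Logon" 2>$null
if ($logonAudit -match 'No Auditing') { $Findings.Add("Logon events are not being audited") }

# Report: one line per gap, or a clean result for this host
if ($Findings.Count -eq 0) {
    "No gaps of the checked types found on $env:COMPUTERNAME"
} else {
    $Findings | ForEach-Object { "[GAP] $_" }
}
```

Run it on the file server and on each workstation; the Active Directory checks (1 to 3) are domain-wide, while the RDP, remote-tool, BitLocker and audit checks (4 to 7) describe only the host it runs on. It changes nothing, so it is safe to schedule as part of the monthly verification the case study describes, and the `[GAP]` lines make a convenient input for the WISP evidence file.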

The result

Within 90 days, the firm went from having zero documented security controls to operating a fully managed, GLBA-compliant IT environment. The remediation addressed every critical finding identified in the initial assessment.

What changed

  • Tested backup and disaster recovery — daily server images, frequent file-level backups, cloud replication, monthly documented test restores
  • Secure remote access — enterprise firewall with SSL VPN, MFA enforced on every connection, RDP no longer exposed to the internet
  • Enterprise endpoint protection — 24/7 monitored EDR/antivirus with centralized alerting and incident reporting
  • Identity governance — stale accounts removed, password policies enforced, onboarding and offboarding documented and repeatable
  • Encryption — BitLocker enforced on all endpoints with centralized policy management
  • Compliance documentation — complete WISP, written IT policies, network diagrams, asset inventory, and DR runbook
  • Ongoing managed services — 24/7 monitoring, monthly patching, backup verification, quarterly security reviews, and continuous compliance reporting

The firm now operates with predictable IT costs, documented security controls, and the ability to demonstrate compliance to regulators, insurers, or anyone else who asks. When tax season comes, their infrastructure is monitored, backed up, and ready — and if something does go wrong, there's a tested plan to get them back online.

Why it matters

This firm's situation wasn't unusual. Most small financial firms we talk to are in a similar position — they've been operating for years, their technology works well enough, and nobody has told them what GLBA and IRS Publication 4557 actually require. The gap between "having a firewall and antivirus" and "being compliant" is enormous, and it's exactly the gap that exposes firms to six-figure FTC penalties, denied insurance claims, and operational shutdowns they can't recover from.

The fix isn't complicated. It's structured. It just needs to be done by someone who understands both the technology and the regulatory requirements.

Sound familiar?

If your firm handles taxpayer data or client financial information and you're not sure whether your IT setup meets GLBA requirements, let's find out. No pressure, no sales pitch — just a clear picture of where you stand.