Most CPA firms and law firms believe their IT provider is “taking care of security.”
Servers are running.
Computers are patched.
Help desk tickets get answered.
On the surface, everything looks fine.
But here’s the uncomfortable question many firm owners never ask until something goes wrong:
Is our IT provider actually protecting us—or are they just maintaining us?
There’s a big difference. And in today’s threat and regulatory landscape, that difference matters more than ever.
Maintenance Feels Comfortable. Protection Requires Intent
Traditional managed IT services grew out of a simple model: keep systems online, fix things when they break, and respond quickly when users have problems. For years, that was enough.
But cyber risk has changed.
Today’s breaches don’t usually happen because a server crashes. They happen because someone clicks the wrong email, a password is reused, or a trusted account is quietly abused. These are not “IT problems” in the old sense. They’re business risk problems.
Maintenance focuses on uptime.
Protection focuses on risk, exposure, and impact.
If your IT provider’s primary success metric is ticket volume and response time, you may be well maintained—but not well protected.
The Blind Spot in Many CPA and Law Firms
Professional firms often assume that because they’re small or mid-sized, they’re less interesting to attackers. In reality, the opposite is true.
CPA firms and law firms hold:
- Highly sensitive financial and legal data
- Direct access to money, tax records, and escrow accounts
- Information protected by ethical and regulatory obligations
At the same time, many firms still rely on flat networks, password-only authentication, and monitoring that only reacts once something is already broken. Attackers know this. It’s why phishing remains so effective—and so profitable.
When a breach occurs, regulators, insurers, and clients don’t ask how quickly your IT provider closed tickets. They ask whether reasonable safeguards were in place.
That’s where the gap between maintenance and protection becomes painfully clear.
What “Maintained but Not Protected” Usually Looks Like
Firms in this category often have:
- Antivirus installed, but little visibility into what it is actually catching or missing
- Backups configured, but rarely tested by restoring real data
- Firewalls in place, but no meaningful monitoring of the traffic and behavior passing through them
- MFA applied inconsistently, if at all
- No clear understanding of what would happen during a breach, or who would do what
None of this means the IT provider is incompetent. It means their role was defined too narrowly.
They were hired to keep things running—not to manage risk.
Protection Is Proactive, Not Reactive
A protection-focused IT partner thinks differently.
Instead of asking, “Is everything working?” they ask:
- Where are the most likely points of failure?
- How would an attacker actually get in?
- What access is unnecessary or excessive?
- How quickly would we detect and contain a problem?
This mindset aligns much more closely with the expectations facing CPA and law firms today, including frameworks like the FTC Safeguards Rule, IRS Publication 4557, and state privacy laws. These don’t require perfection—but they do require intentional, defensible controls.
Protection is about reducing the likelihood and impact of incidents, not just responding faster after the fact.
Why This Difference Matters to Firm Leadership
From a leadership perspective, this isn’t a technical debate. It’s a governance issue.
Partners and owners are responsible for:
- Client confidentiality
- Regulatory compliance
- Professional liability exposure
- Firm reputation
Outsourcing IT does not outsource responsibility.
If your IT provider cannot clearly explain how they reduce cyber risk—not just maintain systems—that responsibility still lands on the firm.
What a Protection-Focused Approach Looks Like
In a protection-first model, technology supports strategy—not the other way around.
Security decisions are based on identity, access, and observed behavior rather than assumptions. Monitoring focuses on indicators of compromise, not just system health. Controls are layered so that a single mistake, such as one user clicking a phishing link, doesn’t become a firm-wide incident. And most importantly, leadership has visibility into risk instead of blind trust.
This doesn’t require enterprise budgets or complexity. It requires intentional design and the right priorities.
The Question Every Firm Should Ask Their IT Provider
Here’s a simple test.
Ask your IT provider:
“If one of our users is compromised tomorrow, how would you detect it—and how would you stop it from spreading?”
If the answer is vague, tool-focused, or centered on “we’ll clean it up afterward,” you’re likely being maintained, not protected.
Where to Start Without Blowing Everything Up
Shifting from maintenance to protection doesn’t start with ripping out your IT environment. It starts with understanding reality.
You need clear answers to questions like:
- What are our actual security gaps?
- Which risks matter most for our firm?
- How would an attacker see us today?
- What improvements would meaningfully reduce exposure?
That’s why the first step is not new technology—it’s insight.
Take the First Step Toward Real Protection
If you’re not sure whether your firm is truly protected or just well maintained, a Cybersecurity Assessment is the right place to start.
Our assessment is designed specifically for professional firms. It provides a practical, third-party view of your current risk posture, highlights real-world gaps, and delivers prioritized recommendations that align with your size, obligations, and tolerance for disruption.
There’s no jargon and no pressure—just clarity.
👉 Request your Cybersecurity Assessment here:
https://itfusiontech.com/free-network-assessment/
Because in today’s environment, “everything seems fine” is no longer a strategy.