Protecting your firm, your clients, and your reputation in the digital age.


The Breach That Should Make Every Firm Pay Attention

When a global accounting firm such as Ernst & Young (EY) appears in headlines for a major data exposure, every professional service firm, from accounting and legal offices to financial advisory practices, should take note.

In late October 2025, multiple outlets reported that a roughly 4-terabyte database backup file was found publicly accessible on the internet. Security researchers said the backup likely contained highly sensitive internal information such as API keys, authentication tokens, and service account credentials.

EY stated that the issue was limited to an entity acquired by EY Italy, not connected to its global systems, and that no client or personal data was impacted. Researchers also praised EY’s response as timely once notified. Still, the length of exposure and full contents of the file remain unknown as internal reviews continue.

If this can happen to EY, a firm with a mature and well-resourced security program, it can happen to any firm.


No Firm Is Untouchable

Cybersecurity is no longer only a technology issue. It is a core business responsibility that directly affects trust, continuity, and reputation.

Professional service firms hold enormous amounts of confidential information, including tax data, payroll details, legal filings, financial statements, and audit workpapers. Even a rumor of a breach can damage relationships and erode client confidence.

EY has the scale and resources to recover from reputational harm. A regional or mid-sized firm may not.


The Pattern Is Clear

EY is not the first of the Big Four to face a significant security event, and the associated costs are high.

  • Deloitte disclosed in 2017 that attackers accessed internal email systems containing client data, reportedly through an administrator account protected by a single password with no two-step verification. Independent estimates placed investigation and remediation costs above US$20 million, excluding relationship losses.
  • PwC was among the many organizations affected in 2023 when a zero-day flaw in the MOVEit Transfer product was exploited to steal data from its customers. Even when a firm is not the direct target, notification, system reviews, and compliance work can cost millions.
  • KPMG has also faced incidents involving ransomware and third-party compromise, with regional cases reporting seven-figure recovery costs and significant operational disruption.

The lesson is clear: no firm is immune, even with robust security frameworks. The cost of prevention remains far lower than the cost of response.


2025: The Cost of a Breach in Canada

According to IBM’s 2025 Cost of a Data Breach Report, the average cost per breach in Canada reached CA$6.98 million, an increase of 10.4 percent from 2024. Reports also highlight rising costs from unsanctioned or “shadow” AI use.
(IBM Canada Newsroom)

These figures include direct expenses such as forensics, legal, and notification, as well as indirect losses such as downtime, lost business, and damaged reputation.

For many mid-sized Canadian firms, even a single breach at this scale could threaten financial stability or insurance eligibility.


The Hidden Risk: Insurance Gaps

Many firms invest in security tools but overlook governance: the policies, documentation, and monitoring that cyber insurers now require.

Even with strong security products, a firm may face coverage denial if it cannot prove adequate controls and oversight.

Insurers increasingly ask for evidence of:

  • Documented cybersecurity policies and recurring employee training
  • Multi-factor authentication (MFA) on all critical systems
  • Endpoint protection with centralized management and alerting
  • Defined incident response, business continuity, and recovery plans
  • Vendor oversight and access reviews

Without these foundations, firms risk higher premiums, restricted coverage, or denied claims after an incident.


Readiness, Not Fear

For smaller professional service firms, the message is not panic. It is readiness.

You do not need a Big Four budget to achieve enterprise-level protection. You need the right people, the right technology, and consistent policies that align with your size, risk, and regulatory obligations.

The following nine best practices represent what leading Canadian firms are implementing to strengthen cybersecurity, maintain compliance, and safeguard client trust.


1. Strengthen Access with Multi-Factor Authentication and Zero-Trust Principles

Many breaches start with stolen or reused passwords. A second factor such as an authenticator app or hardware token blocks most logins that rely on a stolen password alone. One caveat: push-fatigue attacks and adversary-in-the-middle phishing kits can still defeat app-based codes, so phishing-resistant methods (FIDO2 security keys or passkeys) are the better choice for administrators and other high-value accounts.

Forward-thinking firms are adopting Zero Trust principles: never trust, always verify. Every login, device, and app must prove its legitimacy, regardless of network location.

Best practices:

  • Enable MFA across all cloud, email, and remote systems.
  • Prefer authenticator apps over SMS codes, and use phishing-resistant FIDO2 keys or passkeys for administrators.
  • Regularly audit accounts that lack MFA.
  • Implement conditional access rules based on user, device, and geography.

2. Keep Software and Systems Up to Date

Outdated software remains one of the easiest paths for attackers. An automated vulnerability scanner can inventory every endpoint and server and report missing patches in minutes, so a firm has no reason not to know where its gaps are.

What to do:

  • Enable automatic updates wherever possible.
  • Apply critical patches promptly, starting with internet-facing systems, then servers and endpoints.
  • Schedule maintenance windows to avoid disruption.
  • Track updates centrally for accountability.

3. Protect Client Data with Verified Cloud Backup and Rapid Recovery

Backups are not just about storage; they are about resilience. When cyberattacks or system failures occur, your firm’s ability to recover quickly determines client confidence.

What to prioritize:

  • Automated cloud replication of files and systems.
  • Immutable backup storage that cannot be altered, deleted, or encrypted by ransomware or by a compromised administrator account.
  • Rapid restore options for both files and full systems.
  • Regular restore testing to verify integrity.
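A restore test is only meaningful if it checks the restored data against a reference recorded at backup time. The following Python script is an added example, not code from the original article or from any backup product: it packs a constructed set of sample client files into a tar.gz archive, records a SHA-256 manifest, restores the archive to a fresh directory, verifies every file against the manifest, and then damages the restored copy to show the check catching both a modified file and a missing one. The directory layout and file contents are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir: Path, backup_path: Path) -> dict:
    """Pack src_dir into a .tar.gz and return {relative path: sha256} for every file.

    The manifest is the reference for later restore tests. Keep it apart from the
    archive (with the immutable copy's metadata, or in a separate account), so a
    tampered archive cannot carry its own "correct" hashes.
    """
    manifest = {}
    with tarfile.open(str(backup_path), "w:gz") as tar:
        for file in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(str(file), arcname=rel)
    return manifest


def restore_backup(backup_path: Path, restore_dir: Path) -> None:
    """Extract the archive; the 'data' filter refuses path traversal and device files."""
    with tarfile.open(str(backup_path), "r:gz") as tar:
        try:
            tar.extractall(str(restore_dir), filter="data")  # Python 3.12+ and backports
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(restore_dir))


def verify_restore(restore_dir: Path, manifest: dict) -> list:
    """Compare every restored file with the manifest; an empty list means a clean restore."""
    failures = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            failures.append((rel, "missing"))
        elif sha256_file(target) != expected:
            failures.append((rel, "hash mismatch"))
    return failures


def run_restore_test():
    """Constructed end-to-end drill. Returns (failures after a clean restore,
    failures after the restored copy has been damaged)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "clients" / "acme").mkdir(parents=True)
        (src / "clients" / "acme" / "t1-2024.txt").write_text("constructed return data\n")
        (src / "clients" / "acme" / "payroll.csv").write_text("emp,amount\n1,1000\n")
        (src / "policies.txt").write_text("constructed policy text\n")

        backup = tmp / "firm-backup.tar.gz"
        manifest = create_backup(src, backup)

        restored = tmp / "restore"
        restore_backup(backup, restored)
        clean = verify_restore(restored, manifest)

        # Simulate damage: one file altered in place, one file lost.
        (restored / "clients" / "acme" / "payroll.csv").write_text("emp,amount\n1,9999\n")
        (restored / "policies.txt").unlink()
        damaged = verify_restore(restored, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore failures:", clean)
    print("damaged restore failures:", damaged)
```

In a real drill the restore target should be an isolated system, and the time taken from "start restore" to "verified" is the number to record, since that is the recovery time clients will actually experience.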

4. Train Your Team to Recognize Modern Cyber Threats

Technology alone cannot stop every threat. People remain the number one entry point for attackers.

Today’s phishing emails, generated by AI, can look almost identical to legitimate correspondence.

Steps to strengthen awareness:

  • Provide short, interactive training sessions each quarter.
  • Include real-world examples of AI-generated phishing and voice scams.
  • Conduct simulated phishing tests and share lessons learned.
  • Encourage a “report, don’t blame” culture.

5. Control Access to Sensitive Information

Limiting permissions minimizes damage when accounts are compromised.

How to manage access effectively:

  • Apply the principle of least privilege so users get only what they need.
  • Review permissions quarterly and after any role change.
  • Immediately disable accounts for departing employees.
  • Closely monitor administrator access.
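Points 1 and 5 both come down to a recurring audit of who can log in and how. The following Python script is an added example, not code from the original article or from any identity product: it takes a directory export and an HR roster, both constructed here with an assumed field layout, and flags enabled accounts without MFA, human accounts whose owner is no longer on the roster, and administrator accounts with no sign-in for 90 days. The "svc-" naming convention for service accounts is also an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data with an assumed field layout; an export from a real
# directory (Entra ID, Google Workspace, Okta) would be mapped into this shape.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "mfa": True,  "admin": True,  "last_login": "2025-11-01T09:12:00Z"},
    {"user": "bob",        "enabled": True,  "mfa": False, "admin": False, "last_login": "2025-10-30T14:00:00Z"},
    {"user": "carol",      "enabled": True,  "mfa": True,  "admin": True,  "last_login": "2025-06-15T08:00:00Z"},
    {"user": "dave",       "enabled": True,  "mfa": True,  "admin": False, "last_login": "2025-10-28T11:30:00Z"},
    {"user": "erin",       "enabled": False, "mfa": False, "admin": False, "last_login": "2025-01-10T10:00:00Z"},
    {"user": "svc-backup", "enabled": True,  "mfa": False, "admin": True,  "last_login": "2025-11-02T02:00:00Z"},
]

# Current HR roster of active staff. dave left last month but his account is still
# enabled; erin left earlier and was disabled correctly. Service accounts are not people.
HR_ROSTER = {"alice", "bob", "carol"}

SERVICE_ACCOUNT_PREFIX = "svc-"          # naming convention assumed for this example
REVIEW_DATE = datetime(2025, 11, 3, tzinfo=timezone.utc)   # date the review is run


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, roster, now=REVIEW_DATE, stale_days=90):
    """Return a sorted list of (finding, user) tuples for enabled accounts.

    NO_MFA                  enabled account with no second factor enrolled
    DEPARTED_STILL_ENABLED  human account whose owner is not on the HR roster
    STALE_ADMIN             privileged account with no sign-in for stale_days

    Disabled accounts are skipped: disabled is exactly the state a departed
    employee's account should be in.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if not acct["mfa"]:
            findings.append(("NO_MFA", user))
        is_human = not user.startswith(SERVICE_ACCOUNT_PREFIX)
        if is_human and user not in roster:
            findings.append(("DEPARTED_STILL_ENABLED", user))
        if acct["admin"] and now - parse_ts(acct["last_login"]) > timedelta(days=stale_days):
            findings.append(("STALE_ADMIN", user))
    return sorted(findings)


if __name__ == "__main__":
    for finding, user in audit_accounts(ACCOUNTS, HR_ROSTER):
        print(f"{finding:24} {user}")
```

The service account shows up under NO_MFA on purpose: an account that cannot enrol a second factor should not hold an interactive administrator role at all, and should be limited to non-interactive sign-in from known hosts.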

6. Secure Cloud and Email Platforms

Cloud systems are only as secure as their configurations. Misconfigurations, such as the publicly accessible backup in the EY incident, are among the most common causes of breaches today.

Key actions:

  • Enable audit logs and retention policies.
  • Use conditional access to block unmanaged devices.
  • Apply data-loss-prevention (DLP) policies.
  • Review external sharing and permissions regularly.
  • Encrypt data in transit and at rest.
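The exposed backup in the EY incident is the kind of finding a periodic storage and sharing review is meant to surface. The following Python script is an added example, not code from the original article or from any cloud provider's tooling: it runs over a constructed inventory of storage containers and sharing links, whose schema is assumed for the example, and reports containers with public access (critical when they hold database dumps, backups or client files) and anonymous sharing links (high when the link never expires or points at a sensitive file type). The public_access values mirror the ones cloud blob stores report (none, blob-level, container-level); the exporter that would produce this inventory is assumed.

```python
# Constructed inventory with an assumed schema. A real review would populate it
# from the cloud provider's API or CLI and the collaboration platform's sharing report.
STORAGE_CONTAINERS = [
    {"account": "acmebackups", "name": "sql-backups", "public_access": "blob",
     "objects": ["prod-2025-10-31.bak", "prod-2025-10-24.bak"]},
    {"account": "acmebackups", "name": "archive", "public_access": None,
     "objects": ["2019-workpapers.zip"]},
    {"account": "acmeweb", "name": "$web", "public_access": "container",
     "objects": ["index.html", "logo.png"]},
]

SHARING_LINKS = [
    {"path": "/Clients/Tax/2024/T1-returns.xlsx", "scope": "anonymous", "expires": None},
    {"path": "/Marketing/brochure-2025.pdf", "scope": "anonymous", "expires": "2025-12-31"},
    {"path": "/Audit/Workpapers/Q3-2025.docx", "scope": "organization", "expires": None},
]

# File types whose public exposure is an incident in its own right: database dumps,
# backups, secrets and client working files. Extend to match the firm's own data.
SENSITIVE_SUFFIXES = (".bak", ".sql", ".dump", ".zip", ".env", ".pem", ".key",
                      ".xlsx", ".docx", ".csv")


def is_sensitive(name: str) -> bool:
    return name.lower().endswith(SENSITIVE_SUFFIXES)


def audit_containers(containers, known_public=frozenset()):
    """Return (severity, account/container, detail) for every publicly readable container.

    known_public lists containers that are public by design (a static website),
    so the report is not cluttered with the same accepted exception every quarter.
    """
    findings = []
    for c in containers:
        if c["public_access"] is None or c["name"] in known_public:
            continue
        sensitive = [o for o in c["objects"] if is_sensitive(o)]
        severity = "critical" if sensitive else "high"
        ref = f"{c['account']}/{c['name']}"
        findings.append((severity, ref,
                         f"public_access={c['public_access']}, sensitive objects={sensitive}"))
    return findings


def audit_links(links):
    """Return (severity, path, detail) for every anonymous (anyone-with-the-link) share."""
    findings = []
    for link in links:
        if link["scope"] != "anonymous":
            continue
        risky = is_sensitive(link["path"]) or link["expires"] is None
        severity = "high" if risky else "medium"
        findings.append((severity, link["path"], f"anonymous link, expires={link['expires']}"))
    return findings


if __name__ == "__main__":
    for row in audit_containers(STORAGE_CONTAINERS, known_public={"$web"}) + audit_links(SHARING_LINKS):
        print(" | ".join(str(x) for x in row))
```

The report is only as good as the inventory behind it: run the review against every cloud account and tenant the firm owns, including the ones acquired with a practice, since the EY exposure was traced to an acquired entity rather than the core environment.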

7. Plan for the Unexpected

Even the best defenses can fail. A documented Incident Response Plan helps you react quickly and minimize damage.

Your plan should include:

  • A clear reporting and escalation process.
  • Defined roles and responsibilities during incidents.
  • Steps for containment, investigation, and communication.
  • Contact details for IT, legal counsel, and your insurer.

8. Understand Your Compliance and Privacy Obligations

Canadian firms must comply with PIPEDA, and in provinces such as Quebec, stricter privacy laws such as Law 25. Firms dealing with U.S. clients may also face cross-border data obligations.

What to consider:

  • Know where your client data is stored and whether it is located in Canada.
  • Verify that your vendors can show independent attestation, such as a SOC 2 Type II report or ISO 27001 certification, rather than a self-declared claim of compliance.
  • Maintain written cybersecurity and privacy policies.
  • Align your practices with your cyber insurance requirements.

9. Partner with Experts Who Understand Your Industry

Cybersecurity is not a one-time project. It is an ongoing discipline that requires specialized expertise.

Partnering with an IT and cybersecurity provider that understands the professional services landscape helps align technology, compliance, and risk management with how your firm operates.

A trusted partner can help you:

  • Monitor systems around the clock.
  • Automate patching, backup, and threat detection.
  • Conduct annual assessments and policy updates.
  • Streamline compliance audits and insurance renewals.

You focus on your clients while your technology partner focuses on keeping you secure and productive.


The 2025 Cybersecurity Outlook

Cyber threats are evolving faster than traditional defenses. Key trends shaping the year ahead include:

  • Zero Trust Access: The perimeter is disappearing and verification at every step is becoming essential.
  • AI-Powered Attacks: Criminals are using artificial intelligence to create sophisticated, personalized scams.
  • Resilience Over Prevention: Since no defense stops every attack, firms are investing in detection and recovery alongside prevention rather than relying on prevention alone.

In this environment, preparedness and adaptability are your best safeguards.


From Risk to Opportunity

When breaches such as EY’s make headlines, clients inevitably ask how well their own advisors are protecting sensitive information.

This is the moment for proactive firms to demonstrate maturity by communicating safeguards, showing readiness, and positioning cybersecurity as part of client service excellence.

Firms that do this move from being “just a service provider” to being trusted, resilient partners.


The Bottom Line

If the largest accounting and consulting firms in the world can experience exposure, no firm can claim immunity.

Cybersecurity is not only about technology. It is about leadership, governance, and trust. Firms that invest in the right combination of people, processes, and technology protect not only data but also their reputation and long-term stability.

Strong governance also improves eligibility for cyber insurance and accelerates recovery when incidents occur.


About ITS Canada Inc.

At ITS Canada Inc., we help Canadian CPA and professional service firms protect their reputation, client data, and operational continuity through managed IT and cybersecurity solutions designed for professional environments.

Our services align with modern insurance, compliance, and privacy standards to help firms stay secure, compliant, and confidently productive.

If your firm is ready to strengthen its cybersecurity posture and protect what matters most, book a call today to schedule a consultation.