Cloud Security Tips for Co-Managed IT: Where Internal and External Teams Should Split the Work

By Camren Majors, Co-founder & Chief Revenue Officer, Verito Technologies

More tax and accounting firms are running co-managed IT this year than ever, and it is no longer a model only for firms in transition. It is the model many growing practices are choosing on purpose.

The pattern is straightforward. A firm has one or two internal people who know the practice, the software, and the partners. They handle the day-to-day. An outside provider runs the things internal IT cannot scale to. Patching at volume. Twenty-four-seven monitoring. Compliance work. After-hours incident response. The two sides operate as one team, with clear ownership and clear handoffs.

The arrangement saves money compared with fully-managed IT and adds capacity that a one-person internal IT shop cannot reach alone. It also creates a category of cloud security risk that does not exist in either fully-internal or fully-external setups. The risk is the seam between the two teams.

This article covers eight cloud security tips that close the seam. Each one is written for firms either running co-managed IT today or evaluating whether to move there in 2026. The examples lean toward tax and accounting because that is the industry I work in most closely, but every tip translates to law, healthcare, financial advisory, and any other compliance-heavy SMB.

What Co-Managed IT Actually Means

Before the tips, the model.

Co-managed IT is a hybrid arrangement. The firm employs internal IT capacity, usually one to three people. An external managed service provider supplements that capacity with services the internal team would not deliver as well or as cost-effectively on its own.

The internal team typically owns relationship management with users, software-specific support for the practice’s core applications, and the parts of IT that benefit from being inside the firm every day. The external provider typically owns infrastructure, security tooling, after-hours coverage, compliance documentation, and the layers of work that benefit from scale and specialization.

The line between the two is set by contract and by convention. Where the line falls determines almost everything about how cloud security works under the model. We have written more on this in our breakdown of co-managed IT support scope and in our comparison of co-managed and fully-managed IT for CPA firms in 2026, if you want a deeper read on which model fits a given firm size.

Why Cloud Security Gets Harder Under Co-Managed IT

Two teams on the same estate doubles the surface area for coordination failures. Internal IT assumes the MSP is patching a system the MSP assumes internal IT is patching. The 2am alert lands in two queues; both teams expect the other to take it. The endpoint detection console internal IT logs into is not the console the MSP logs into. The compliance documentation lives somewhere only one team can access.

None of these failures are exotic. They are the predictable result of two competent teams operating without explicit coordination. Closing the seam is mechanical work, not strategic work, and the eight tips below are the playbook.

Eight Cloud Security Tips for Co-Managed IT Setups

1. Put patch deployment ownership in writing

The single most common failure point in co-managed IT cybersecurity is patch deployment. Internal IT assumes the MSP is patching. The MSP assumes internal IT is patching the things outside the contract. Vendor advisories pile up. Vulnerabilities sit unaddressed.

The fix is mechanical. Every operating system, hypervisor, network device, application, and browser in the estate has a named patching owner, a target deployment window, and an exception process. The owner is one person or one team, never both. The target window is in days, not weeks. The exception process exists for cases where business continuity overrides patch latency, with sign-off above the ops level.

This is the tip that pays for itself faster than any other. Patch latency is the difference between a vulnerability that gets closed and one that becomes an incident.

2. Run one identity provider, not two

Identity is the most common vector for unauthorized access. Co-managed IT setups frequently end up with two identity systems: one for the firm’s local infrastructure and one for the cloud-hosted applications. Users have two passwords. Multi-factor authentication gets enforced inconsistently. Offboarded staff retain access to the side that did not get the deprovisioning ticket.

Consolidate to one identity provider for the entire estate. Microsoft Entra (formerly Azure AD) or a comparable enterprise IdP becomes the single source of truth. Both internal IT and the MSP write to it. Account creation, deactivation, group membership, and MFA enrollment all happen in one place.

This eliminates the most common shadow-access path in mid-size firms. It also makes audit-readiness work for IRS Publication 4557 and the FTC Safeguards Rule far easier than maintaining two parallel identity systems.

3. Standardize endpoint protection across the entire estate

If internal IT runs Microsoft Defender on the office workstations and the MSP runs CrowdStrike Falcon on the hosted servers, the firm has two endpoint detection systems with two consoles, two alert formats, and two ways an incident gets missed because each team thought the other was watching.

Pick one. Deploy it everywhere. Both teams should be able to read the same console. Both teams should receive the same alerts. Behavior-based endpoint detection is only as strong as the weakest endpoint, and inconsistent coverage almost always concentrates the weak endpoints in one place.

4. Build an incident response runbook both teams can execute

The 2am question for any co-managed IT setup is: who picks up first? If the answer depends on who saw the alert, response is improvised. Improvised response is slow. Slow response is what costs firms reputation and money.

A written runbook eliminates the question. It covers containment, communication, evidence preservation, and recovery, with named roles for both internal IT and the MSP at each step. It is reviewed annually and exercised at least once a year through a tabletop drill that includes the managing partner and outside counsel.

This is the cybersecurity equivalent of a fire drill. Most firms do not have one. The ones that do find the seam between teams long before an attacker does.

5. Centralize security logging

Two teams operating on the same estate generate two log streams that often live in two places. The MSP has its visibility. Internal IT has its visibility. An attacker who moves between layers sees everything; the defenders see fragments.

Centralize. Both teams write logs to a single SIEM or aggregator that both teams can query. The cost of a SIEM is small relative to the cost of finding out three months after a breach that the evidence trail was scattered across systems.

6. Enforce MFA on every privileged account, no exceptions

The single most leveraged cybersecurity practice. MFA on user accounts is table stakes. MFA on privileged accounts is the line between a contained intrusion and a full compromise. Privileged accounts include domain admin, hypervisor admin, MSP-side service accounts, internal IT-side admin accounts, and any service account with broad rights.

Both teams should know which accounts they own that fall in this category. Both teams should enforce MFA on all of them. The audit question to ask: produce the list of privileged accounts and the MFA status of each. If either team cannot produce that list in twenty-four hours, the gap is bigger than the document.

7. Document who owns what, in writing, and review it twice a year

Co-managed IT contracts often define scope at signing and never revisit it. Two years in, the firm has migrated half its applications to the cloud, hired three new staff, and added a satellite office. The original scope no longer matches reality.

The tip is a written ownership matrix that lists every system, application, and security control, with the owning team marked next to each row. It is reviewed twice a year by both teams together. Items that have shifted are formally re-assigned. New items added in the previous six months are placed.

This single practice closes more co-managed IT seams than any tooling change.
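The ownership matrix in this tip, the one-owner rule from tip 1, and the privileged-account MFA question from tip 6 can all be checked mechanically. The script below is an added example, not Verito's tooling; it reads a constructed matrix and account inventory (CSV text embedded inline) and reports the gaps both teams would review in the twice-yearly meeting. The 14-day patch target is an assumed threshold, not a value from the article.

```python
import csv
import io

# Constructed sample data (not from Verito or any real firm). A semicolon in
# "owner" marks a row where both teams claim the asset, the case tip 1 forbids.
OWNERSHIP_MATRIX = """asset,owner,patch_window_days
hosted-hypervisor,MSP,7
office-workstations,Internal IT,10
tax-app-server,MSP;Internal IT,7
branch-firewall,,30
"""

# Constructed privileged-account inventory for the tip 6 audit question.
PRIVILEGED_ACCOUNTS = """account,owner,role,mfa
da-admin01,Internal IT,domain admin,yes
vcenter-admin,MSP,hypervisor admin,yes
svc-backup,MSP,service account,no
"""

def read_csv(text):
    """Parse an inline CSV block into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_ownership(rows, max_window_days=14):
    """Flag assets with zero or two owners and patch windows past the target.

    max_window_days is an assumed policy value; the article only says the
    target window must be measured in days, not weeks.
    """
    findings = []
    for row in rows:
        owners = [o for o in row["owner"].split(";") if o.strip()]
        if not owners:
            findings.append((row["asset"], "no owner"))
        elif len(owners) > 1:
            findings.append((row["asset"], "owned by both teams"))
        window = row["patch_window_days"].strip()
        if not window.isdigit() or int(window) > max_window_days:
            findings.append((row["asset"], f"patch window not within {max_window_days} days"))
    return findings

def privileged_without_mfa(rows):
    """Return the privileged accounts whose MFA status is anything but 'yes'."""
    return [r["account"] for r in rows if r["mfa"].strip().lower() != "yes"]

if __name__ == "__main__":
    for asset, problem in audit_ownership(read_csv(OWNERSHIP_MATRIX)):
        print(f"{asset}: {problem}")
    print("privileged accounts without MFA:", privileged_without_mfa(read_csv(PRIVILEGED_ACCOUNTS)))
```

Running it against the sample data flags the server both teams claim, the firewall nobody owns, and the MSP-side service account with no MFA, which is exactly the list the quarterly review in tip 8 should open with.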

8. Schedule recurring security posture reviews with both teams in the room

The tip with the lowest tooling overhead and the highest payoff. Once a quarter, internal IT and the MSP meet for ninety minutes. Agenda: patch compliance status, MFA enrollment status, EDR coverage gaps, backup integrity test results, Known Exploited Vulnerabilities catalog items affecting the estate, and any security-relevant changes since the last meeting.

Decisions made in the meeting get logged. Action items get owners and dates. The next meeting opens with the previous meeting’s action items.

It is the least exciting cybersecurity practice in this list. It is also the one that most distinguishes a high-functioning co-managed IT setup from one that looks fine until an incident reveals it is not.

Co-Managed IT Pitfalls to Avoid

The most common failure modes in co-managed IT cybersecurity are not exotic.

Ambiguous ownership. The first tip in the list. If two teams both think the other is responsible, neither is.

No review cadence. Without scheduled reviews, the line between teams drifts. The drift is invisible until the drift becomes the gap an attacker finds.

Tool sprawl. Two teams adopting different tools for the same job creates expense, complexity, and blind spots. Standardize before you scale.

Compliance disconnects. The firm needs to maintain a written information security plan under IRS Publication 4557. The MSP often holds the operational artifacts. The firm holds the legal accountability. If the two are not synchronized, the firm signs an attestation it cannot fully back up. This is the failure mode that produces enforcement exposure under the FTC Safeguards Rule.

What Tax and Accounting Firms Should Know

Tax and accounting firms operate under specific regulatory pressure that makes co-managed IT cybersecurity sharper than the same conversation in many other industries.

IRS Publication 4557 requires every paid preparer to maintain a written information security plan. The FTC Safeguards Rule, expanded in 2023, treats tax preparers as financial institutions under GLBA, with specific requirements covering risk assessment, encryption, MFA, vendor oversight, and incident response. Both frameworks assume someone owns the security posture. Co-managed IT distributes that ownership. Distributed ownership done well is fine. Distributed ownership done poorly is a compliance gap waiting for enforcement.

The eight tips above translate directly to compliance work. Patch deployment ownership maps to Safeguards Rule maintenance requirements. One identity provider maps to access controls. Centralized logging maps to monitoring requirements. The full picture, including the controls every firm should have regardless of staffing model, is in our deeper guide to cloud security tips for CPA firms.

Verito runs the MSP side of co-managed IT for over 1,000 tax and accounting firms across the United States. Most of the seams in this article are seams we have closed with internal IT teams over the past decade. The eight tips are not theoretical. They are the practices that distinguish co-managed IT setups that hold up from ones that look fine until they don’t.

The Bottom Line

Co-managed IT is the right answer for many growing firms. It saves money against fully-managed IT and adds capacity an internal team cannot reach. The model fails when the seam between teams becomes the gap an attacker finds.

The cloud security tips above close the seam. None of them require new tooling the firm cannot afford. All of them require both teams to do the unglamorous work of writing down who owns what, then reviewing the document on a cadence.

That is the entire job. Done well, it is the most cost-effective cybersecurity work a growing firm will ever do.

It just works. Securely.

Camren Majors is co-founder and Chief Revenue Officer of Verito Technologies, a cloud hosting and managed IT provider built exclusively for tax and accounting firms. Verito has served over 1,000 firms since 2016 and maintains 100% uptime since founding.

TechBullion

Copyright © 2026 TechBullion. All Rights Reserved.
