NWS Insights
Threat research, compliance guidance, and operational IT intelligence — written by our team for Phoenix-area IT leaders and decision-makers who need straight answers.
Phoenix Ransomware Attacks Are Up: The 7 Most Common Entry Points We See in Arizona
Our team documents the exact attack vectors hitting Valley businesses — from unpatched RDP endpoints to credential-stuffed M365 accounts. This is what ransomware looks like in the real world, and what actually stops it.
NWS-INT-001 // Threat Intelligence
Phoenix Ransomware Attacks Are Up: The 7 Most Common Entry Points We See in Arizona
Ransomware isn't a Fortune 500 problem anymore. Verizon's 2025 Data Breach Investigations Report found ransomware in 88% of breaches at small and mid-sized businesses versus 39% at large enterprises. Arizona is not insulated. Our team has tracked the specific attack patterns targeting Phoenix-area businesses, and most of them are preventable with the right security stack.
Entry Point 01: Exposed Remote Desktop Protocol (RDP)
RDP is the most exploited attack surface we encounter. Businesses that enabled remote access during COVID and never locked it down are sitting on an open door. Ransomware groups continuously scan the entire internet for RDP on port 3389 (and on the non-standard ports people move it to, which buys nothing). If yours is open, it's been found, and it is being password-sprayed right now. The fix: take RDP off the public internet entirely, require Network Level Authentication so unauthenticated clients never reach the logon screen, and route remote access through a VPN or zero-trust gateway that itself enforces MFA. NLA is not a substitute for the first step: a reachable RDP port can still be brute-forced for as long as it stays reachable.
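The audit and lockdown just described, as an added example that is not code from the original article: it reports whether RDP is on, whether NLA is required, and which inbound firewall rules accept port 3389 from where, then replaces the built-in any-source rules with one scoped to the VPN client pool. It assumes an elevated session on the Windows host and a placeholder VPN subnet of 10.50.0.0/24.

```powershell
# Added example (not from the original article): audit a Windows host's RDP exposure and scope it to the VPN.
# Run in an elevated PowerShell session on the server.
# Assumption: 10.50.0.0/24 stands in for the address pool your VPN or zero-trust gateway hands to clients.
$VpnClientSubnet = '10.50.0.0/24'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop is switched on
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # UserAuthentication = 1 means Network Level Authentication is required before the logon screen appears
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Every enabled inbound rule that opens TCP 3389, with the remote addresses it accepts
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389')
    } | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }

    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($nla.UserAuthentication -eq 1)
        # "Any" source on the Public profile is the configuration the scanners are looking for
        OpenToAny   = [bool]($rules | Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Profile -match 'Public|Any' })
        Rules       = $rules
    }
}

function Set-RdpHardening {
    param([string]$AllowedSubnet)
    # Require NLA: the client authenticates (CredSSP) before a session and its attack surface are created
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1
    # Turn off the built-in "Remote Desktop" rules, which accept 3389 from any address
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # Replace them with one rule that accepts only the VPN client pool, and never on the Public profile
    New-NetFirewallRule -DisplayName 'RDP - VPN clients only' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedSubnet -Action Allow -Profile Domain,Private | Out-Null
}

$before = Get-RdpExposure
$before | Format-List RdpEnabled, NlaRequired, OpenToAny
$before.Rules | Format-Table -AutoSize

if ($before.RdpEnabled -and (-not $before.NlaRequired -or $before.OpenToAny)) {
    Set-RdpHardening -AllowedSubnet $VpnClientSubnet
    Get-RdpExposure | Format-List RdpEnabled, NlaRequired, OpenToAny
}
```

The host firewall is only half the picture: a port-forward on the edge router can still expose 3389 even when the rules above look clean, so finish by running Test-NetConnection against your public IP on port 3389 from a network that is not on the VPN and confirming it fails.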
Entry Point 02: Phishing Emails With Malicious Attachments
Email-borne attacks account for roughly 91% of initial access events across our client base. The playbook is consistent: a convincing invoice, a DocuSign impersonation, an "account suspended" notice. The attachment or link executes a payload that establishes persistence before any user notices, or, increasingly, leads to a proxy login page that captures the password and the MFA session token together. Email filtering with sandboxing and impersonation protection catches most of these before they land in inboxes; the ones that get through are why awareness training and phishing-resistant MFA sit behind it.
Entry Point 03: Compromised Credentials From Dark Web Leaks
Your team members reuse passwords. Every major data breach, LinkedIn, Adobe and Dropbox among them, adds to the billions of credentials already for sale on dark web marketplaces. Attackers buy credential lists and run them systematically against Microsoft 365, VPNs, and banking portals. Dark web monitoring alerts you when your domain appears in breach data. MFA stops the credential-stuffing login even when the password matches, which is why the two belong together.
Entry Point 04: Unpatched Software and Operating Systems
Once a CVE is disclosed, threat actors weaponize it within days, and for internet-facing products the exploit sometimes exists before the patch does. We see organizations running Windows systems months behind on patches, exposed web applications with known vulnerabilities, and outdated firmware on network devices. Automated patch management is table stakes: it should run on every endpoint every week, with anything reachable from the internet (VPN appliances, firewalls, mail and web servers) patched first, because that is what attackers are scanning for.
Entry Point 05: Compromised Vendor and Supply Chain Access
You might be locked down. Your accounting software vendor might not be. Attackers increasingly target MSPs, software vendors, and IT service providers to pivot into their clients. Ask your vendors for their SOC 2 report (it is an auditor's attestation, not a certification), their incident response plan, and a description of their access controls, including how their staff authenticate to your environment. We evaluate vendor risk for all Tier 3 clients as part of the security ops alignment program.
Entry Point 06: Misconfigured Microsoft 365 Environments
Default M365 configurations are not secure configurations. Overly permissive sharing settings, disabled audit logging, missing conditional access policies, and legacy authentication left enabled (basic authentication for SMTP AUTH and similar protocols, which cannot carry MFA at all) are all exploitable. A Microsoft 365 security baseline audit takes a few hours and closes an enormous attack surface. We include this in every onboarding.
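A read-mostly baseline check for the misconfigurations named above, as an added example rather than the page's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, Exchange and SharePoint admin roles, and "contoso" in place of your tenant name; conditional access is an Entra ID control and is not covered by this script.

```powershell
# Added example (not the page's own code): Microsoft 365 baseline audit for audit logging, legacy auth
# and sharing. Assumptions: ExchangeOnlineManagement and SPO modules installed, admin roles held,
# "contoso" is a placeholder tenant name. Findings are printed; remediation cmdlets are in the messages.
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Unified audit logging: with AuditDisabled = $true, Purview searches (and Copilot logging) have nothing to show
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    $findings.Add('Audit logging is disabled (fix: Set-OrganizationConfig -AuditDisabled $false)')
}

# 2. Legacy authentication in Exchange Online. Basic auth for IMAP/POP/EWS has been retired by Microsoft,
#    but SMTP AUTH has not, and it accepts a bare username and password with no MFA.
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) {
    $findings.Add('SMTP AUTH is enabled tenant-wide (fix: Set-TransportConfig -SmtpClientAuthenticationDisabled $true)')
}
# Per-mailbox overrides: $false means explicitly allowed even if the tenant default blocks it
$smtpMailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
foreach ($m in $smtpMailboxes) {
    $findings.Add("SMTP AUTH explicitly allowed on mailbox $($m.PrimarySmtpAddress)")
}
# A new authentication policy blocks every basic-auth protocol by default; make one and set it as tenant default
if (-not $org.DefaultAuthenticationPolicy) {
    $findings.Add('No default authentication policy (fix: New-AuthenticationPolicy -Name "Block Legacy Auth"; ' +
                  'Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth")')
}

# 3. Sharing: "Anyone" links, and Anyone as the default link type, are the usual over-permissive settings
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings.Add('SharePoint/OneDrive allow Anyone links (fix: Set-SPOTenant -SharingCapability ExternalUserSharingOnly)')
}
if ($tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
    $findings.Add('Default sharing link is Anyone (fix: Set-SPOTenant -DefaultSharingLinkType Direct)')
}

if ($findings.Count -eq 0) { 'Baseline checks passed' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it read-only first and review the SMTP AUTH mailbox list with whoever owns the copiers and line-of-business apps that relay mail; those are the devices that break when SMTP AUTH is turned off, and the fix for them is a dedicated relay or a per-mailbox exception, not leaving it open for everyone.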
Entry Point 07: USB Drops and Physical Media
Less common, but still active, especially in manufacturing and construction. A USB drive left in a parking lot or on a conference room table gets plugged in by a curious employee. Windows has not auto-run removable media for years, so an ordinary drive usually needs that employee to open the file it carries, while a device that presents itself as a keyboard (a BadUSB-style attack) types its commands the moment it's connected. Endpoint controls that block unauthorized removable storage are built into Group Policy and Intune at no extra cost and close the storage side of this vector; restricting unknown keyboard-class devices, plus the training that stops the plug-in in the first place, covers the rest.
The Bottom Line
Every entry point on this list is addressable. None require a Fortune 500 budget. What they require is a managed, proactive approach. If you're not sure where your organization stands against these seven vectors, book a free assessment call with our team.
FTC Safeguards Rule Checklist for Arizona CPA & Tax Firms (2024 Update)
The FTC Safeguards Rule now applies to tax preparers and accounting firms. Here's the exact checklist we run with Arizona CPA practices to achieve compliance before their next audit.
NWS-COMP-001 // Compliance
FTC Safeguards Rule Checklist for Arizona CPA & Tax Firms (2024 Update)
The FTC's amended Safeguards Rule took full effect in June 2023, with a breach-notification requirement added in May 2024. Tax preparers, CPAs, and bookkeeping firms have counted as "financial institutions" under the rule for years; what changed is that the amended rule now spells out the specific controls a compliant program must contain. If your firm collects, processes, or retains client financial data, you're covered. Non-compliance can result in enforcement action, fines, and reputational damage that no Arizona CPA practice can afford.
The 9 Requirements Under the FTC Safeguards Rule
- Designate a Qualified Individual (QI): Assign one person responsible for your information security program.
- Conduct a Risk Assessment: Document the risks to client data across your systems, staff, and service providers.
- Implement Safeguards: Encryption of client data in transit and at rest, access controls, MFA for anyone who accesses client information, secure disposal, change management, and logging of user activity are all spelled out in the rule.
- Monitor and Test Your Safeguards: Either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months.
- Train Your Staff: Security awareness training is explicitly required.
- Monitor Service Providers: Require your cloud storage, payroll, and tax software vendors to maintain appropriate safeguards by contract.
- Keep Your Program Current: Update based on changes to your business, new threats, and test results.
- Create a Written Incident Response Plan: Document containment, notification, and recovery steps. Since May 2024 the rule also requires notifying the FTC within 30 days of discovering an incident that affects 500 or more consumers.
- Report to Your Board: Your QI must report to senior management at least annually.
How NWS Helps CPA Firms Achieve Compliance
We provide a complete compliance pathway for accounting firms — from initial risk assessment through technical controls, staff training, and the annual review cycle. Book a compliance readiness call to see exactly where your practice stands.
What Should Managed IT Actually Cost? A Phoenix Business Owner's Guide to MSP Pricing
We break down every MSP pricing model, what's actually included, and how to evaluate whether you're getting real value — or paying for a service agreement that disappears when you need it.
NWS-STRAT-001 // IT Strategy
What Should Managed IT Actually Cost? A Phoenix Business Owner's Guide to MSP Pricing
One of the first questions in every discovery call: "What does this cost?" It's a reasonable question with an infuriatingly inconsistent answer across the industry. This guide breaks down how MSP pricing actually works, what the range looks like in the Phoenix market, and — more importantly — what questions to ask to avoid paying for the wrong thing.
The Three Main MSP Pricing Models
Per-user pricing: The most common model. A flat monthly fee per user, typically $85–$200/user/month depending on tier. Predictable, scalable, easy to budget. North Watch Systems uses this model.
Per-device pricing: Pay per managed device. Can be simpler for organizations with low headcount but lots of hardware. Ranges from $30–$100/device/month at the base level.
Break-fix / hourly: You pay only when something breaks. Sounds cost-effective until you have a down server at 3pm on a Friday. This model has no financial incentive for prevention.
The 5 Questions to Ask Every MSP Before You Sign
- What's your average response time and how is it measured? (Get SLAs in writing.)
- Who specifically responds to my tickets — a named contact or a shared queue?
- What cybersecurity tools are included versus quoted as add-ons?
- Do you have a written incident response procedure for my business?
- Can you show me your own security certifications?
The Hidden Cost of Reactive IT
The average ransomware recovery for an organization in 2024 runs $1.4M+ when you factor in downtime, recovery costs, legal exposure, and lost customers. A managed IT investment that prevents that outcome doesn't need an ROI spreadsheet. Use our downtime cost calculator to run your own numbers.
Microsoft Copilot Security Risks: 5 Settings to Lock Down Before You Roll It Out
Copilot sees everything your users can access in M365. If your permissions aren't tight, sensitive data surfaces automatically. Here's the lockdown checklist we run for every client.
NWS-CLOUD-001 // Cloud Security
Microsoft Copilot Security Risks: 5 Settings to Lock Down Before You Roll It Out
Microsoft Copilot is genuinely impressive. It also surfaces everything a user has access to — which means overly permissive file sharing, forgotten sensitive documents, and unlocked HR folders suddenly become a conversational risk. Here are the five settings we check before enabling Copilot for any client.
Setting 01: Audit and Restrict SharePoint Site Permissions
Copilot queries SharePoint and OneDrive with the logged-in user's permissions, nothing more and nothing less. If sites or libraries are shared with "Everyone except external users" (a claim any site owner can hand out, and one that content in public Microsoft 365 Groups and Teams effectively carries), Copilot will surface that data to any user who asks. Run a permissions audit before launch, and treat tenant-wide grants as findings to fix rather than conveniences.
Setting 02: Enable Microsoft Purview Sensitivity Labels
Sensitivity labels classify documents (Confidential, Internal, Public) and can apply encryption with usage rights. Copilot honors those rights: it will only summarize or reference an encrypted document for a user who holds at least the View and Extract usage rights on it, so labeling your most sensitive folders narrows what Copilot can pull into a chat even where site permissions are broad.
Setting 03: Review Third-Party App Permissions
Copilot's scope includes data connected through M365 integrations. Audit which third-party apps have been granted broad permissions and restrict access to only what's operationally required.
Setting 04: Pilot With Controlled User Groups First
Deploy to IT, then management, then broader staff — with a permissions audit after each phase. This catches access control gaps before they become incidents.
Setting 05: Enable Copilot Interaction Logging
Copilot interactions are written to the unified audit log as CopilotInteraction records whenever tenant audit logging is on, and are searchable in Purview or with Search-UnifiedAuditLog. Confirm auditing is enabled and that the retention policy covers your needs before launch, so you have a forensic record if a data exposure incident occurs. Increasingly required by cyber insurance carriers.
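An added example covering Setting 01 and Setting 05 together (not the page's own tooling): it lists SharePoint sites where a tenant-wide claim has been granted, then confirms Copilot interactions are actually reaching the unified audit log. It assumes the SharePoint Online and ExchangeOnlineManagement modules, SharePoint and Exchange admin roles, and "contoso" as a placeholder tenant name; the AppHost field comes from Microsoft's CopilotInteraction audit schema.

```powershell
# Added example (not from the original page): Copilot readiness checks for site permissions and audit logging.
# Assumptions: SPO + ExchangeOnlineManagement modules, admin roles held, "contoso" is a placeholder tenant.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Connect-ExchangeOnline -ShowBanner:$false

# The two tenant-wide claims. Either one in a site's user list means Copilot can surface that site's
# content to every licensed user who asks about it.
$tenantWideClaims = @(
    'c:0(.s|true'                               # "Everyone" (includes guests)
    'c:0-.f|rolemanager|spo-grid-all-users/'    # "Everyone except external users" (suffix is the tenant id)
)

function Get-TenantWideSites {
    Get-SPOSite -Limit All | ForEach-Object {
        $site = $_
        try {
            $users = Get-SPOUser -Site $site.Url -Limit All
        } catch {
            # Admins are not automatically site collection admins on every OneDrive; report and move on
            Write-Warning "Cannot enumerate $($site.Url): $($_.Exception.Message)"; return
        }
        $hits = $users | Where-Object {
            $login = $_.LoginName
            $tenantWideClaims | Where-Object { $login.StartsWith($_) }
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Site = $site.Url; Claim = $h.DisplayName; Groups = ($h.Groups -join ', ') }
        }
    }
}

function Test-CopilotAuditing {
    param([int]$Days = 7)
    if ((Get-OrganizationConfig).AuditDisabled) {
        return 'Audit logging is disabled; enable it before any Copilot rollout'
    }
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType CopilotInteraction -ResultSize 50
    if (-not $records) {
        return "No CopilotInteraction records in the last $Days days (no usage yet, or the pilot has not started)"
    }
    $records | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        # AppHost is the surface Copilot was used from (Word, Teams, Outlook, BizChat) per the audit schema
        [pscustomobject]@{ When = $_.CreationDate; User = $_.UserIds; App = $d.CopilotEventData.AppHost }
    }
}

Get-TenantWideSites  | Format-Table -AutoSize
Test-CopilotAuditing -Days 7 | Format-Table -AutoSize
```

Every row from Get-TenantWideSites is a site a pilot user can quiz Copilot about; fix them by replacing the claim with a real group, re-run, and only then widen the pilot. An empty audit result during the IT-only phase is expected; an empty result after management has been using Copilot for a week means logging is not working and the rollout should pause.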
Zero Trust Is Not a Product. It's a Strategy Your Organization Needs to Build.
Vendors have co-opted Zero Trust to sell everything from firewalls to identity platforms. This is what genuine Zero Trust architecture actually means — and how to build toward it without an enterprise budget.
NWS-SEC-001 // Cybersecurity
Zero Trust Is Not a Product. It's a Strategy Your Organization Needs to Build.
The phrase "Zero Trust" has been attached to more vendor marketing decks than any other security term in the last five years. None of that marketing is wrong, exactly — but it obscures what Zero Trust actually means, and why it matters to organizations your size.
The Core Principle: Never Trust, Always Verify
Zero Trust starts with a single assumption: you cannot trust a user or device just because it's inside your network. Traditional security built a hard perimeter — castle walls around the office. Zero Trust acknowledges that perimeter is gone. Employees work from coffee shops, hotels, and home networks. Cloud services live outside any perimeter you could build. Contractors access your systems from unknown devices.
The Four Pillars for Practical Implementation
- Identity Verification: Multi-factor authentication on every account. Conditional access policies that check device compliance before granting M365 access.
- Device Trust: Only enrolled, managed, and compliant devices can access company resources. MDM enforces this for every endpoint — laptop, phone, or tablet.
- Least Privilege Access: Users get access only to what they need for their role. Regular access reviews remove permissions that accumulate over time.
- Continuous Monitoring: Assume breach. Log everything. Alert on anomalous behavior. EDR and M365 audit logging give you visibility into what's actually happening.
Where to Start
Start with MFA everywhere. Then enforce device compliance for M365 access. Then audit permissions and remove anything broader than necessary. That sequence alone addresses the majority of the attack surface we see across Arizona organizations.
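The first two steps of that sequence expressed as Entra ID conditional access policies, as an added example that is not the page's own code. Each policy is created in report-only mode with a break-glass exclusion so you can watch its effect in the sign-in logs before enforcing it. It assumes the Microsoft.Graph PowerShell SDK, the Conditional Access Administrator role, and that $BreakGlassGroupId is a placeholder for your emergency-access group's object id.

```powershell
# Added example (not the page's own code): the conditional access policies behind "MFA everywhere" and
# "device compliance for M365", created in report-only mode. Assumptions: Microsoft.Graph SDK installed,
# Conditional Access Administrator held, $BreakGlassGroupId is a placeholder you must replace.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess' -NoWelcome
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # assumption: object id of your break-glass group

function New-ReportOnlyCaPolicy {
    param(
        [string]   $Name,
        [hashtable]$Conditions,
        [hashtable]$Grant
    )
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # observe impact before flipping to 'enabled'
        conditions    = $Conditions
        grantControls = $Grant
    }
    # Every policy excludes the break-glass group so a policy mistake cannot lock the whole tenant out
    $body.conditions.users = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Pillar 1: MFA on every account, for every cloud app, from every client type
$mfa = New-ReportOnlyCaPolicy -Name 'ZT-01 Require MFA for all users' -Conditions @{
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
} -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# Pillar 2: only Intune-compliant or hybrid-joined devices reach Office 365. Scoped to Windows and macOS;
# unmanaged phones are better handled by an app-protection policy than by this grant control.
$device = New-ReportOnlyCaPolicy -Name 'ZT-02 Require compliant device for Office 365' -Conditions @{
    applications   = @{ includeApplications = @('Office365') }
    clientAppTypes = @('browser','mobileAppsAndDesktopClients')
    platforms      = @{ includePlatforms = @('windows','macOS') }
} -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice','domainJoinedDevice') }

# Legacy protocols cannot present MFA at all, so the right control for them is block, not "require MFA"
$legacy = New-ReportOnlyCaPolicy -Name 'ZT-03 Block legacy authentication' -Conditions @{
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('exchangeActiveSync','other')
} -Grant @{ operator = 'OR'; builtInControls = @('block') }

$mfa, $device, $legacy | Select-Object DisplayName, State, Id
```

Leave the policies in report-only for a week, review the "Report-only" tab of the sign-in logs for the users and apps that would have been blocked, fix those (usually a service account or a scanner using SMTP), and then set state to enabled one policy at a time. Test the break-glass account against each policy before enforcement, not after.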
Monsoon Season IT Prep: Surge Protection, UPS Sizing & Business Continuity for Phoenix
Arizona's monsoon season kills more hardware than most threats we discuss year-round. Here's the prep checklist we run for Valley clients every June — and what's actually worth your budget.
NWS-BCDR-001 // Business Continuity
Monsoon Season IT Prep: Surge Protection, UPS Sizing & Business Continuity for Phoenix
Phoenix averages about 7 inches of rain a year, and roughly a third of it arrives in violent 90-minute bursts between late June and September. The power fluctuations, brownouts, and nearby lightning strikes that come with monsoon activity are responsible for more unplanned hardware failures in our client base than ransomware. This is your annual prep checklist.
Surge Protection: Consumer vs. Commercial Grade
The power strip surge protector from the office supply store will not protect your server or network equipment from a nearby lightning strike, and nothing at the outlet protects against a direct one: that job belongs to a surge protective device installed at the electrical panel, with point-of-use protection as the second layer. Commercial-grade surge protectors (APC, Tripp Lite) rated at 1,000+ joules with a clamping voltage of 330V or lower are the minimum for business equipment at that second layer.
UPS Sizing: The Math That Matters
Add up the wattage of the devices you're protecting and multiply by 1.25 for headroom. Then match that number against the UPS's watt rating, not only its VA rating: VA is the larger figure, and the usable watts are VA times the unit's power factor, typically 0.6 to 0.9 for office-class units. Example: a server, switch stack, and firewall drawing 800 W together need 1,000 W of capacity, which a 1500 VA unit covers only if its watt rating is at least 1,000 W (a 1500 VA / 900 W model does not). A typical office server plus networking stack lands in the 1500 to 3000 VA range for 10 to 20 minutes of runtime, enough for a graceful shutdown, which only happens automatically if the UPS is connected to the server (USB or network management card) and the shutdown software has been configured and tested.
The Backup Verification Window
June is when we run backup verification for all clients. This means actually restoring files from backup — not just confirming the backup job completed. A backup that can't restore is not a backup.
Remote Work Continuity
If a monsoon takes your office network down for four hours, can your team keep working? Cloud-first operations — M365 for email and files, cloud-hosted line-of-business apps, VoIP that routes to mobile — mean a building power outage is an inconvenience, not a productivity disaster.
Dark Web Monitoring: What It Is and Why Every Arizona Organization Needs It Now
Your team's credentials are almost certainly on the dark web right now. Here's exactly what dark web monitoring does, what it doesn't do, and why it's non-negotiable in any serious security posture.
NWS-SEC-002 // Cybersecurity
Dark Web Monitoring: What It Is and Why Every Arizona Organization Needs It Now
There are currently over 24 billion username and password combinations circulating on dark web marketplaces — a number that grows with every major data breach. Statistically, some of your team's credentials are already there. Dark web monitoring doesn't prevent this, but it tells you when your domain appears in breach data so you can act before an attacker does.
What Dark Web Monitoring Actually Does
A dark web monitoring service continuously scans criminal forums, hacking communities, paste sites, and breach databases for your monitored domains and email addresses. When a match is found, you receive an alert: which credential was found, where it appeared, and what was exposed.
What It Doesn't Do
Dark web monitoring is detection, not prevention. It won't stop a breach or remove your data once it's there. What it gives you is a window to act — force a password reset, enable MFA, and investigate whether the compromised credential was used. That window is critical: average time between credential theft and exploitation is under 12 hours for high-value targets.
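The response window above, and the credential-stuffing scenario from the ransomware article, turned into a runbook for a single alerted account: reset the password, revoke existing sessions, pull the account's recent sign-ins, and check whether it ever registered MFA. This is an added example, not the page's own tooling. It assumes the Microsoft.Graph PowerShell SDK, User Administrator plus audit-log read permissions, and a placeholder UPN of j.doe@contoso.com.

```powershell
# Added example (not code from the original page): first-hour response to a dark web credential alert.
# Assumptions: Microsoft.Graph SDK installed, User Administrator + AuditLog.Read.All held, UPN is a placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome
$ExposedUpn = 'j.doe@contoso.com'   # assumption: the address named in the monitoring alert

function Invoke-ExposedCredentialResponse {
    param([string]$Upn, [int]$LookbackDays = 14)
    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled

    # 1. Reset the password and force a change at next sign-in. The temporary value is generated locally
    #    and handed over out of band (phone call, not email, which may be exactly what was compromised).
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }

    # 2. Revoke refresh tokens so sessions an attacker already holds die at the next token refresh
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Was it used? Pull recent sign-ins; an unfamiliar country or IP with a success is your incident.
    $since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All |
        Select-Object CreatedDateTime, IpAddress,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
            @{ n = 'App';     e = { $_.AppDisplayName } },
            @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail $($_.Status.ErrorCode)" } } }

    # 4. MFA: an account that never registered a method was protected by the leaked password alone
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "userPrincipalName eq '$Upn'"

    [pscustomobject]@{
        User             = $Upn
        TempPassword     = $tempPassword
        MfaRegistered    = [bool]$reg.IsMfaRegistered
        SuccessfulLogins = @($signIns | Where-Object Result -eq 'Success')
        FailedLogins     = @($signIns | Where-Object Result -ne 'Success').Count
        DistinctIPs      = @($signIns.IpAddress | Sort-Object -Unique)
    }
}

$r = Invoke-ExposedCredentialResponse -Upn $ExposedUpn
$r | Format-List User, MfaRegistered, FailedLogins, DistinctIPs
$r.SuccessfulLogins | Format-Table -AutoSize
```

Two caveats: if the identity is synced from on-premises Active Directory without password writeback, the reset has to happen in AD and this script's Update-MgUser call will fail; and a large FailedLogins count with no successes is still a finding, because it shows the leaked list is being replayed against you and the rest of the domain's users deserve the same check.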
The Connection to Cyber Insurance
Multiple major cyber insurance carriers now require evidence of active dark web monitoring as a condition of coverage. If you're renewing your cyber policy in 2025, expect this question on the application.
Why Your Cyber Insurance Renewal Is About to Get Complicated — And How to Prepare
Carriers are tightening requirements, adding exclusions, and asking harder questions. Most Arizona organizations can't answer them honestly. Here's how to get your program in order before renewal season.
NWS-COMP-002 // Compliance
Why Your Cyber Insurance Renewal Is About to Get Complicated — And How to Prepare
Between 2020 and 2023, cyber insurance premiums increased an average of 130% across all tiers. Carriers now require documented evidence of specific technical controls — and they're including exclusion clauses that void coverage for incidents where those controls weren't in place. If you answer "yes" to controls you don't actually have and then experience a breach, your claim may be denied.
The Questions Carriers Are Now Asking
- Do you require MFA for all users accessing email, cloud systems, and remote access?
- Do you have endpoint detection and response (EDR) deployed on all endpoints?
- Do you maintain offline or immutable backups tested within the last 12 months?
- Do you conduct security awareness training at least annually for all staff?
- Do you monitor for credentials appearing on the dark web?
- Do you have a written incident response plan?
- Do you conduct vulnerability scanning or penetration testing?
- Do you patch operating systems and software within 30 days of critical release?
Building a Renewal-Ready Security Program
The controls carriers require are exactly what a well-structured managed IT program provides. MFA, EDR, automated patching, security awareness training, dark web monitoring, and backup verification are the baseline of what we deliver in Tier 1 and Tier 2. We've helped multiple Phoenix organizations walk into their renewal cycle with a complete security posture documentation package. If your renewal is coming up, let's talk.
Ready to Strengthen Your Security Posture?
Everything we write about, we protect against. Book a free 30-minute discovery call and we'll give you an honest assessment of where your organization stands — no obligation, no pitch, no jargon.