Most small tax firms have a backup strategy that works exactly until the moment they need it. The external drive left plugged into the file server. The Microsoft 365 default retention. The two-way cloud sync that faithfully copies every freshly encrypted file up to the cloud. None of these survive ransomware, because each one is reachable from the same machines the ransomware runs on. All of them give a false sense of safety.
This is the 90-minute setup we use to give a tax firm a backup that actually holds up. Three tiers, off-the-shelf tools, total cost around $50 to $120 per month for a 5-person firm.
Tier 1: email and Microsoft 365
Microsoft 365 has built-in retention, but retention is not a backup. If a phisher with a compromised mailbox deletes a year of email, Exchange Online keeps the purged items in the Recoverable Items folder for 14 days by default, and for at most 30 days even if you raise the setting. After that they are gone unless the mailbox was already on hold.
Use a third-party Microsoft 365 backup tool. Veeam, Datto SaaS Protection, and SkyKick are the standard options. Configure daily backup of email, OneDrive, SharePoint, and Teams. Retention should be at least 1 year, ideally 7 years for a tax firm. Protect the backup tool's own admin login with MFA: once an attacker has the tenant, deleting the backup is the next thing they try.
Cost: $3 to $5 per user per month.
Tier 2: tax software and client portal
Cloud-based tax software (Drake on Cloud, ProSeries Online, Lacerte cloud) typically backs up to the vendor's data centers. Confirm this in writing. Ask for the retention period and the restore process. Then back it up again separately.
For Drake on Cloud: export your client list and current-year returns weekly to a separate cloud storage account. For desktop tax software: the local data files belong in tier 3 below.
For the client portal: export the client documents quarterly. Most portal vendors allow bulk export. If yours does not, the answer is not "I will do it manually." The answer is to switch portals.
Tier 3: local files and the immutable backup
This is where most firms fail. The setup that survives ransomware has three properties, the ones the 3-2-1 rule names.
- 3 copies of the data: 1 production, 2 backups
- Stored on 2 different types of media
- 1 copy stored offline, or in a separate cloud account whose credentials never touch the production network
Practical setup for a small firm:
- Local backup to a NAS or external drive that runs nightly. Disconnect it weekly, or better, rotate two drives so one is always unplugged: a drive that is connected when ransomware runs is encrypted right along with the file server.
- Cloud backup to a service like Backblaze B2, Wasabi, or AWS S3 with object lock enabled. Object lock is the immutable property: a locked object version cannot be deleted or overwritten before its retention period expires, so ransomware that reaches the bucket can upload encrypted copies but cannot destroy the clean ones. Use compliance mode with a default retention long enough to outlast an unnoticed compromise; governance mode can be lifted by a sufficiently privileged key, which is exactly the key an attacker on the admin workstation goes looking for.
- Separate credentials, with MFA, for the backup cloud account, not stored on any production workstation. The backup job itself gets an access key scoped to that one bucket.
Cost: $30 to $50 per month for cloud storage at typical small firm volumes.
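The object-lock setting is the one part of this tier that is easy to get subtly wrong (lock enabled, but in governance mode, or with a seven-day default that an installer wizard left behind). The following script is an added example, not code from the original article or from any storage or backup vendor. It audits the two API responses that describe a bucket's lock state and applies the corrected setting. It targets the S3 Object Lock API: AWS S3 natively, and, as an assumption, the S3-compatible endpoints of Backblaze B2 and Wasabi. The `s3` argument is any object exposing boto3's S3 client method names (in production, `boto3.client("s3", endpoint_url=...)`); the bucket name, the 90-day minimum, and the `RecordingS3` stand-in are illustrative.

```python
"""Check and enforce Object Lock on the cloud backup bucket.

Added example, not code from the original article or from any backup or storage
vendor. Targets the S3 Object Lock API (AWS S3; Backblaze B2 and Wasabi are
assumed to accept the same calls on their S3-compatible endpoints). `s3` is any
object exposing boto3's S3 client methods; pass boto3.client("s3", endpoint_url=...)
in production. The bucket name and 90-day minimum are illustrative assumptions.
"""
from dataclasses import dataclass, field

MIN_RETENTION_DAYS = 90  # assumption: long enough that a quiet compromise is noticed before the lock expires


@dataclass
class LockFinding:
    ok: bool
    problems: list = field(default_factory=list)


def audit_object_lock(lock_config: dict, versioning: dict, min_days: int = MIN_RETENTION_DAYS) -> LockFinding:
    """Evaluate the responses of get_object_lock_configuration and get_bucket_versioning.

    The bucket passes only if all of the following hold:
      * versioning is Enabled (a lock protects object versions, nothing else),
      * Object Lock is enabled on the bucket,
      * a default retention rule exists (otherwise objects are only locked when
        the uploading client explicitly asks, and backup software rarely does),
      * the mode is COMPLIANCE: GOVERNANCE retention can be removed by any key
        holding s3:BypassGovernanceRetention,
      * the default period is at least min_days.
    A bucket that never had Object Lock makes get_object_lock_configuration raise
    instead of returning; treat that as a failure too.
    """
    problems = []
    if versioning.get("Status") != "Enabled":
        problems.append("bucket versioning is not Enabled")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled on the bucket")
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        problems.append("no default retention rule")
    else:
        if retention.get("Mode") != "COMPLIANCE":
            problems.append(f"retention mode is {retention.get('Mode')}, not COMPLIANCE")
        days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
        if days < min_days:
            problems.append(f"default retention is {days} days, below the {min_days}-day minimum")
    return LockFinding(ok=not problems, problems=problems)


def enforce_compliance_retention(s3, bucket: str, days: int = MIN_RETENTION_DAYS) -> dict:
    """Apply the corrected setting: COMPLIANCE mode with `days` of default retention.

    Some providers only allow Object Lock to be switched on when the bucket is
    created; if this call is rejected, recreate the bucket with lock enabled
    rather than settling for a plain versioned bucket.
    """
    config = {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}},
    }
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=config)
    return config


class RecordingS3:
    """Stand-in client that records the call instead of talking to a real endpoint."""

    def __init__(self):
        self.calls = []

    def put_object_lock_configuration(self, **kwargs):
        self.calls.append(kwargs)


# Constructed responses: the weak setting an installer wizard often leaves behind,
# and the setting this article calls for.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
VERSIONING_ON = {"Status": "Enabled"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LOCK), ("good", GOOD_LOCK)):
        finding = audit_object_lock(cfg, VERSIONING_ON)
        print(name, "PASS" if finding.ok else "FAIL", finding.problems)
    s3 = RecordingS3()
    enforce_compliance_retention(s3, "example-firm-backups")
    print(s3.calls[0]["ObjectLockConfiguration"])
```

Run the audit from a machine that holds only the read-only key for the backup account, and put it on the same quarterly schedule as the restore test: a lock that someone quietly downgraded to governance mode looks identical in the vendor's dashboard until you check the mode and period explicitly.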
The test that proves it works
A backup that has never been tested is not a backup. It is a hope. Pick a test schedule and stick to it.
- Quarterly: restore one client's documents from cloud backup to a separate folder. Confirm the files are correct by comparing checksums against the production versions; a file with the right name and size can still be an older draft.
- Annually: full restore test. Pick a workstation, wipe it, restore from backup, verify the firm could function from that backup if needed.
- Document each test with date, what was tested, and the outcome. Save it in your compliance folder.
If you cannot remember the last time you ran a test, your backup does not work yet. Treat it as broken until proven otherwise.
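"Confirm the file is correct" is where a quarterly test gets hand-waved. The script below is an added example, not code from the original article: it walks the production copy of a client folder, checks that every file has a byte-identical restored copy (by SHA-256), reports anything mismatched, missing, or unexpectedly extra, and appends one dated JSON line to the test log the WISP asks for. The folder layout, client name, file contents and log file name are constructed for the demonstration; `build_sample` creates them in a temporary directory so the script runs anywhere.

```python
"""Verify a restore test by checksum and record the outcome for the compliance folder.

Added example, not code from the original article. Assumes the quarterly test
has restored one client's folder from the cloud backup into a scratch directory.
Paths, client name, file contents and the log file name are constructed samples.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large scanned returns do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(production: Path, restored: Path) -> dict:
    """Check that every production file has a byte-identical restored copy.

    Returns lists of relative paths that matched, that differ (wrong version or
    corrupted), and that are missing from the restore. Files present only in the
    restore are listed as extra; they usually mean the restore landed on top of
    something else.
    """
    report = {"matched": [], "mismatched": [], "missing": [], "extra": []}
    prod_files = {p.relative_to(production) for p in production.rglob("*") if p.is_file()}
    rest_files = {p.relative_to(restored) for p in restored.rglob("*") if p.is_file()}
    for rel in sorted(prod_files):
        if rel not in rest_files:
            report["missing"].append(str(rel))
        elif sha256_of(production / rel) == sha256_of(restored / rel):
            report["matched"].append(str(rel))
        else:
            report["mismatched"].append(str(rel))
    report["extra"] = [str(r) for r in sorted(rest_files - prod_files)]
    return report


def record_test(report: dict, log_path: Path, what: str, source: str) -> dict:
    """Append one dated line to the test log; PASS only if nothing is missing or mismatched."""
    outcome = "PASS" if not report["missing"] and not report["mismatched"] else "FAIL"
    entry = {
        "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tested": what,
        "source": source,
        "outcome": outcome,
        "files_checked": len(report["matched"]) + len(report["mismatched"]) + len(report["missing"]),
        "mismatched": report["mismatched"],
        "missing": report["missing"],
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def build_sample() -> tuple:
    """Constructed sample: a client folder, and a restore of it with one stale and one missing file."""
    root = Path(tempfile.mkdtemp(prefix="restore-test-"))
    prod, rest = root / "production" / "Client_A", root / "restored" / "Client_A"
    files = {"2023/1040.pdf": b"%PDF-1.7 final 1040", "2023/W2.pdf": b"%PDF-1.7 w2", "notes.txt": b"call re: K-1"}
    for rel, data in files.items():
        (prod / rel).parent.mkdir(parents=True, exist_ok=True)
        (prod / rel).write_bytes(data)
    (rest / "2023").mkdir(parents=True)
    (rest / "2023/1040.pdf").write_bytes(b"%PDF-1.7 DRAFT 1040")  # an older version came back
    (rest / "2023/W2.pdf").write_bytes(files["2023/W2.pdf"])      # identical copy
    # notes.txt is deliberately absent from the restore
    return prod, rest, root / "backup-test-log.jsonl"


if __name__ == "__main__":
    prod, rest, log = build_sample()
    entry = record_test(compare_trees(prod, rest), log, "Client_A documents", "cloud backup")
    print(json.dumps(entry, indent=2))
```

Keep the log file in the compliance folder and nowhere near the backup target itself; a test record that lives on the same share the ransomware encrypts is gone when you need to show it.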
Recovery time and recovery point
Two numbers belong in the WISP next to the backup section.
Recovery time objective (RTO): how long after a disaster you can be operational again. For a tax firm, 24 to 48 hours is reasonable for non-tax-season periods. During tax season, 4 to 8 hours is the realistic ceiling before client damage starts.
Recovery point objective (RPO): how much data loss is acceptable. With nightly backups, your RPO is up to 24 hours of work. With hourly backups (more expensive), it is 1 hour. Most firms can tolerate 24 hours; some cannot.
If your current setup cannot meet those numbers, fix it. The cost of meeting them is dramatically less than the cost of failing during tax season.
What this looks like in your WISP
"Client data is backed up nightly to local storage and to immutable cloud storage with object-lock enabled. Backup integrity is verified quarterly and a full restore test is performed annually. Recovery time objective is 24 hours during off-season and 8 hours during active tax season."
That is the language insurers and the FTC look for. The 90 minutes you spend setting this up is the cheapest tax-season insurance you will buy.