Frustrated man with a magnifying glass in a cluttered office while gremlins cause chaos around computer and files.

Midyear Reality Check: The System Drift You Can’t See

July 07, 2026

Midyear Reality Check: The System Drift You Can't See (Especially with Client Data on the Line)

You've carried your firm through deadlines, clients, and high-stakes work without missing a step.

But your systems didn't stand still while you were doing that.

Access was granted quickly. Tools were added when needed. Vendors stepped in to help.

None of that was wrong.

What's risky is what didn't happen afterward.

Almost no one goes back and asks:
"Is this still correct today?"

That's where drift happens.

And in firms handling confidential client data, drift isn't just inefficiency. It's exposure.

What a Clean System Actually Looks Like

When your systems are aligned, everything feels predictable.

Not simple—predictable.

You can answer, immediately:

  • Who has access
  • What each system does
  • Where your data flows
  • Who owns each system

And you can prove those answers if anyone asks.

That's what control looks like.

Run This Audit in 60 Minutes (Exactly How)

Here's how this gets done in the real world.

Step 1: Export user lists Pull directly from:

  • Microsoft 365 admin center (user export)
  • Practice or case management system
  • Billing or accounting system

Combine into one spreadsheet.

Step 2: Compare against your staff list Flag anything that doesn't match:

  • Former employees
  • Unknown users
  • Duplicate accounts

In most firms, this alone uncovers problems. It's common to find 10-20% of accounts no longer aligned with reality.

Step 3: Check access and security controls Focus on:

  • Admin-level access (global admin, system admin)
  • Access to sensitive client data
  • MFA (multi-factor authentication) status

If MFA isn't enforced through your identity system, that's a priority gap.

Step 4: Map your core systems List:

  • Email and file system (Microsoft 365)
  • Document management
  • Case or practice management
  • Billing

Draw simple arrows for how data moves.

You're not building architecture diagrams—just clarity.

Step 5: Assign ownership

  • One owner per system
  • One backup
  • Vendor involvement clearly defined

If ownership is shared, it's not owned.

Step 6: Validate backup reality

  • Confirm backups exist
  • Confirm last test (not setup)
  • Confirm recovery expectations

A practical cadence for most firms is quarterly testing. Without testing, backups are just assumptions.

What Your Audit Spreadsheet Should Look Like

This is your single source of truth.

Columns: User | Role | System | Access Level | MFA | Owner | Flag

Example rows:

  • Sarah L. | Attorney | Microsoft 365 | Standard | Yes | IT | —
  • Mark D. | Former Employee | Microsoft 365 | Active | No | — | REMOVE
  • Admin-Global | System | Azure AD | Global Admin | No | IT Vendor | CRITICAL
  • Jenna K. | Paralegal | Document System | Full Access | Yes | Ops | REVIEW
  • Contractor-Tmp | External | CRM | Admin | No | Marketing | REMOVE

If this isn't easy to understand at a glance, it won't be useful when it matters.

Where to Start If Everything Feels Messy

Don't spread effort evenly.

Focus where risk concentrates.

Tier 1: Identity systems

  • Microsoft 365 / Azure AD
  • Admin roles
  • MFA enforcement

Most real-world issues start here.

Tier 2: Client and financial systems

  • Billing
  • Case management

These directly impact client trust and revenue.

Tier 3: Everything else

  • Marketing tools
  • Operational platforms

If You Only Fix Three Things, Start Here

If time is limited:

  1. Remove inactive accounts immediately
  2. Reduce admin access to the smallest necessary group
  3. Enforce MFA across all users

Those three actions eliminate a significant portion of actual exposure.

What to Do With What You Find

This is where most audits stop short.

Here's how to act on it:

Inactive accounts

  • Remove or disable immediately
  • Do not leave "just in case" access

Over-permissioned users

  • Reduce access to role-based minimums
  • Avoid removing everything at once—step down access safely

Admin privileges

  • Limit to a small, named group
  • Move others to standard access

Ownership gaps

  • Assign ownership to someone already closest to the system (operations, finance, or IT)
  • Define one person accountable—not a team

Speed matters here.

The longer you leave gaps in place, the more likely they become normalized.

Where Firms Get Caught Off Guard

These don't show up until they matter:

  • Shared logins no one owns
  • Vendor access never revoked after projects end
  • Old integrations still moving data in the background
  • "Temporary" permissions that were never removed

These are rarely documented—and that's why they get missed.

Where This Usually Breaks (Real Example)

We worked with a mid-sized legal firm—about 30 people—that initiated an audit after struggling with a cyber insurance renewal.

They couldn't answer basic access and control questions.

Inside one review, they found:

  • 17 inactive Microsoft 365 accounts still active
  • Two core systems with no assigned owner
  • Backups that had never been tested

What changed afterward:

  • Access was reduced and aligned to roles
  • Ownership was clearly assigned
  • They were able to confidently complete their insurance audit

Nothing had failed before.

But they moved from assumption to proof.

What Happens When This Goes Wrong

This doesn't start as a major incident.

It starts quietly.

An inactive account remains active
→ That account still has access to documents
→ A sensitive file is accessed or shared
→ A client questions confidentiality

At that moment, it's no longer a systems issue.

It's a reputation issue.

What This Drift Actually Costs

You see it in operations first:

  • One hour of downtime can disrupt multiple matters at once
  • Attorneys lose billable time waiting on access or clean data
  • Reporting becomes unreliable across systems
  • Insurance renewals become harder to justify

The cost builds slowly—until it suddenly doesn't feel small anymore.

What You Should Walk Away With

By the end of this, you should have two documents you can reuse every quarter:

1. Midyear Systems Audit Checklist

  • Verified access
  • Permissions validated
  • Systems mapped
  • Backup status confirmed

2. System Ownership Tracker

  • Every system listed
  • Primary and backup owner assigned
  • Vendor responsibility defined
  • Last review date recorded

These aren't just notes.

They're how you prove control.

Your Next-Week Action

Start with Microsoft 365.

Export your user list and compare it to your current staff.

If you find one account that doesn't belong, keep going.

That's not an exception—it's a pattern.

The Goal Isn't Perfection. It's Control

You've already built a firm your clients trust.

This is about making sure your systems support that—quietly and consistently.

Schedule your 10 minute discovery call to walk through your access and ownership structure. It will help you confirm whether these gaps exist in your environment and what needs attention first. 911 IT can give you a clear answer so you know exactly where you stand.