Author Segal LLP

Simple & Effective Ways to Improve Web Security



Simple, Yet Effective Ways for SMBs to Improve Their Security Posture

As we enter 2019, the security challenges faced by small to medium-sized businesses (SMBs) will only continue to escalate, so it may be a good time to re-evaluate your company’s security posture. SMBs are often challenged by the fact that they do not possess the internal expertise required to correctly safeguard against current and persistent threats. It is therefore worth evaluating solutions that can greatly increase your security while being simple to deploy. None of this ignores the fact that many more complex solutions, such as firewalls, multi-factor authentication, data-loss prevention systems, VPNs, vulnerability assessment tools, SIEM, and more, are advised. All of these should exist in your security tool set; however, certain solutions require very little technical expertise and may provide far better returns than some of these more complicated safeguards.

The “Human Firewall”

One of the most neglected elements of a network is the human element. In order to better safeguard your network, it is important to improve your “Human Firewall”. This refers to an end-user’s ability to detect harmful links or sites. According to the “2018 DATA SECURITY INCIDENT RESPONSE REPORT,” an analysis of 560 security events by BakerHostetler, one of the U.S.’s largest law firms, 34 percent of security incidents were related to phishing and as many as 18 percent of those involved ransomware. To this day the human element remains one of the most targeted in the security landscape. We can therefore greatly improve our security posture through better security and user awareness training programs. Many of these programs use a combination of simulated attacks, onboarding and continued training programs, and informative newsletters. With a simulated phishing attack, you can identify everything a user did with a phishing e-mail, such as:

  • Opening the malicious e-mail
  • Clicking on bad links within the e-mail
  • Opening dangerous, attached documents
  • Even running a macro within a contained document

Once the user’s actions are reported, it is easy to rectify the issue by enrolling them in additional awareness training. Certain sites will even report on e-mail addresses within the company that are at risk of phishing due to their external exposure. They obtain the information by crawling business social media networks and breach databases.

Although the success of a user awareness program may differ from one company to the next, some vendors of these platforms claim as much as a ten-fold reduction in users clicking on bad links within 12 months of having introduced the program.

DNS Security and Filtering

Another simple yet effective option in increasing your security posture is to deploy Domain Name System (DNS) based security and filtering. DNS is used to convert internet domain names into internet protocol (IP) addresses so that people can type in a friendly name, such as, instead of remembering an IP address. The issue with DNS is that it was not designed with security in mind. In other words, standard DNS servers, either from your internet service provider or the widely used Google DNS servers, do not provide any safeguards to prevent you from going to malicious sites. As stated on the Google website:

Does Google Public DNS offer the ability to block or filter out unwanted sites?

No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats. But we believe that blocking functionality is usually best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose.


Secure DNS solutions, of which there are many, provide filtering of bad content such as phishing sites or botnets. The good news is that basic use of this type of service is free and can literally be set up in minutes, the only caveat being that you have no visibility into the data that is being blocked by the service. The paid service offers full notification of events as well as reporting and category-based filtering to block such things as adult websites, social media, and weapons- and drug-related content. The nicest part of this service is the simplicity of the setup.

DNS-based security services have been successful in preventing ransomware, phishing attacks, malicious sites and spyware. They can also help a company identify internal resources that have been compromised, as these will continually show up in the logs trying to communicate with bad infrastructure. In an instance like this, the issue can be remedied before the damage is done. Additionally, most DNS security offerings provide solutions for equipment that is outside of the corporate network.
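
As an added illustration (not part of the original article and not any vendor's tooling), the Python sketch below shows how blocked-query logs can separate a one-off bad click from a machine that keeps calling out to blocked infrastructure. The log format, IP addresses and domain names are constructed assumptions; a real filtering service will export its own format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export: "<ISO timestamp> <client IP> <queried name> <ALLOWED|BLOCKED>".
# The format, addresses and domains are assumptions for illustration only.
SAMPLE_LOG = """\
2019-01-14T09:02:11 10.0.0.21 www.example.com ALLOWED
2019-01-14T09:05:40 10.0.0.37 login.phish.example BLOCKED
2019-01-14T09:05:41 10.0.0.37 login.phish.example BLOCKED
2019-01-14T10:15:03 10.0.0.52 c2.botnet.example BLOCKED
2019-01-14T11:15:04 10.0.0.52 c2.botnet.example BLOCKED
2019-01-14T12:15:02 10.0.0.52 c2.botnet.example BLOCKED
2019-01-14T13:15:05 10.0.0.52 c2.botnet.example BLOCKED
malformed line without enough fields
"""


def parse_blocked(lines):
    """Yield (timestamp, client, name) for well-formed BLOCKED entries."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "BLOCKED":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # skip entries with an unparseable timestamp
        yield ts, parts[1], parts[2].lower().rstrip(".")


def persistent_clients(lines, min_hours=3):
    """Return {client: {name: distinct_hours}} for clients that hit the same
    blocked name in at least `min_hours` distinct clock hours.

    A user clicking one bad link produces a short burst; software that keeps
    retrying a blocked destination spreads across many hours.
    """
    hours = defaultdict(set)  # (client, name) -> set of hour buckets
    for ts, client, name in parse_blocked(lines):
        hours[(client, name)].add(ts.replace(minute=0, second=0))
    flagged = defaultdict(dict)
    for (client, name), buckets in hours.items():
        if len(buckets) >= min_hours:
            flagged[client][name] = len(buckets)
    return dict(flagged)


if __name__ == "__main__":
    for client, names in persistent_clients(SAMPLE_LOG.splitlines()).items():
        for name, n in names.items():
            print(f"{client} queried blocked name {name} in {n} distinct hours")
```

On the constructed sample, only 10.0.0.52 is flagged; the two-second burst from 10.0.0.37 is the pattern a single clicked link leaves and is a candidate for awareness training rather than incident response.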

Keep in mind that these two often overlooked suggestions—your human firewall and DNS security—should be part of a more holistic solution that takes into account the complexities of protecting all aspects of your organization.


Contributed by Keith Chabot, IT Director from Marcil Lavallee.

This piece was produced as a part of the quarterly Canadian Overview, a newsletter produced by the Canadian member firms of Moore Stephens North America.

Manage Risks to Ensure Your Company’s Long-Term Success


Manage your risks to ensure your company’s long-term success

Risk management 

It is impossible to completely eliminate the risks that can threaten a company’s success, but we can manage and minimize them by implementing a risk management process.

The main risk categories are:

  • Strategic: Related to running the business, including industry developments
  • Operational: Related to the company’s operational and administrative procedures
  • Financial: Related to the company’s financial structure and external factors such as exchange and interest rates
  • Conformity: Related to the obligation to comply with laws and regulations
  • Other: Related to reputational and human risk

The risks a company faces are constantly changing. They change based on the market (new competitor, new product), the organization (international expansion strategy, acquisition of another company, initial public offering), products (product obsolescence, major recall of a defective product), etc. As such, risks must be re-evaluated regularly according to changes within the company, the business sector, or regulations, for example.

According to a study on the state of enterprise risk management in Canada conducted in 2015, 61% of respondents confirmed that their organization did not have a chief risk officer or equivalent. [1] With no designated manager for risk assessment, it is hard to plan and adjust strategies before threats arise. As a result, companies end up encountering emergency situations, and they often do not have the time to evaluate possible solutions, leading to less-informed decision-making and sometimes the wrong decision.

A risk management process is therefore the solution for being proactive and managing threats faced by your company.

What about you?

  • Do you have a risk management process?
  • When was your most recent risk assessment?
  • Are front-line employees as aware of the company’s risks as upper management and the board of directors?

Aspects of the risk management process 

The risk management process involves five steps:

  1. Risk identification
  2. Risk assessment
  3. Strategy development for addressing risks
  4. Implementation of strategies
  5. Follow-up and re-assessment, as necessary

After risks are fully identified, they must be assessed. This allows you to determine the probability that the risk will arise, as well as the company’s tolerance for each risk, so a strategy can be established for each one.

A company might decide to accept, transfer, minimize, or eliminate the risk.

Strategies might be as simple as periodic maintenance of machines to prevent damage that would have a major impact on production (operational risk), obtaining an exchange rate contract to protect the company from a currency’s volatility (financial risk), or even performing due diligence during acquisition of a new company (strategic risk).

Remember: we are your risk management partners. We want to hear from you!


Contributed by Jacqueline Lemay, CPA, CA, CA-EJC, CFF, from Demers Beaulne.

This piece was produced as a part of the quarterly Canadian Overview, a newsletter produced by the Canadian member firms of Moore Stephens North America.

[1] Chartered Professional Accountants of Canada and the Canadian Financial Executives Research Foundation, “The State of Enterprise Risk Management in Canada.”

Investment Income in a Corporation


The Canadian taxation system is structured so that investment income (such as interest income and rental income) earned in a corporation would be taxed at the same rate as investment income earned personally (at the highest tax rate).  The way in which the system works is that a corporation pays tax on its investment income and at the same time a portion of the taxes (30 2/3%) notionally goes into an account called the refundable dividend tax on hand (“RDTOH”).  The RDTOH is refundable to the corporation for each dollar of taxable dividend paid at a ratio of 38 1/3% of taxable dividends paid.  The result of this approach is that a corporation does not provide for a tax deferral on investment income.  Instead, there is corporate tax immediately on the investment income and a portion of that will be refunded once a taxable dividend has been paid out.

In Ontario, the highest personal tax rate is 53.53%.  In a corporation, investment income is taxed at 50.17%.  When the RDTOH is refunded upon the payment of a dividend, the net tax in the corporation is 19.50% (50.17% – 30.67%).  This does mean that there is a small deferral by earning investment income in the corporation.  The deferral is 3.36% (53.53% – 50.17%).

When a non-eligible taxable dividend is received by an individual and taxed at the highest rate, the tax rate to the individual is 46.65% in Ontario.  Based on this, the personal tax on the funds available would be approximately 37.6% (46.65% x $80.50).  The net effect is that the overall tax rate including corporate and personal tax on earning investment income is 57.2%.  This is 3.68% greater than earning the investment income directly (57.2% vs 53.53%).

For a capital gain, the cost of earning capital gains in a corporation versus directly is 1.84%.  There is also a deferral in this case of 1.68%.

Based on this, what should taxpayers consider in determining whether they should earn investment income in the corporation or not?  One of the first considerations is the cost of taking capital out of a company in order to earn the investment income personally.  In other words, if a corporation has accumulated retained earnings, there is a cost to taking that capital out.  The cost would be the dividend tax rate of 46.84%.  In most cases, it is not efficient to accelerate the payment of personal tax on these accumulated retained earnings in order to reduce the corporate tax on the investment income on that capital.  As well, if there are accrued gains on the capital in the corporation, there would also be a capital gains tax on the liquidation of any assets with accumulated gains.  Therefore, in most situations where there is significant accumulated capital in a corporation, it does not make sense to wind up the corporation or liquidate the assets so that the assets are held personally.

Another consideration is the new rules wherein if a corporation earns more than $50,000 of adjusted aggregate investment income then the corporation will start to lose the small business deduction.  This is only relevant in those situations where the corporation earning investment income has either active business income in the same corporation or active business income as part of an associated group.  In those cases, consideration should be made as to whether or not the after-tax funds of the active business income should be left in the corporation or should be paid out as a dividend so that the capital can be used to earn investment income personally instead of in the corporation.  Again, consideration must be given to the fact that there is an acceleration of personal income tax.  Where active business income is earned in a corporation, the tax rate is 13.50%.  This means that there is $87.50 available to be invested and earn investment income.  If the funds are fully paid out, the net result would be capital available of approximately $46.00 personally.  Obviously, from an investment perspective there is more capital available at the corporate level if a dividend is not paid out to the individual.  However, by accumulating significant assets in the corporation, the corporation could lose access to the small business deduction and instead of paying 13.5% in the corporation, the corporation would pay 26.5% on active business income.

The next consideration is whether assets or funds should be put into a corporation to earn investment income.  For example, if an individual is going to make an investment, should that individual first put the funds into a corporation and then make the investment?  From a purely tax perspective, it is not beneficial to take personal funds to invest in a corporation to earn investment income because the investment income will be taxed overall at a higher rate (3.7%).

The above tax rates assume that the individuals receiving the dividends will always be in the highest tax bracket. However, if you are not in the highest tax bracket when you receive the dividends, the tax deferral can become a permanent tax savings.

However, there may be non-tax reasons, such as liability, why an individual would want to use a corporation to make the investment.  For example, if there were a rental property and a concern about operational liability, a corporation might be considered.  This would be a business decision.

Another consideration is U.S. estate tax.  Individuals that own U.S. investments and assets personally could be subject to U.S. estate tax.  At present, the estate tax exemption is over $US11m, so the exposure for most people is minimal.  This, however, could change as there have been a number of different exemptions over the last few years.  In order to be protected, one consideration is to own U.S. investments through a Canadian corporation as opposed to personally.  There may be increased taxation on the investment income but there is reduced or eliminated exposure to U.S. estate taxes.

A final consideration is probate in Ontario.  If assets are held personally, then there is exposure to Ontario probate tax of 1.5% (on assets in excess of $50,000).  If, however, assets are held in a corporation, there is the opportunity that the shares held in that corporation are not subject to probate if the individual has dual Wills (the discussion of dual Wills is beyond the subject matter of this article).  By holding assets in a corporation there could be a 1.5% savings on the capital of the corporation even though there may be increased tax on the investment income.

As you can see from the above, there are a number of considerations to determine if investment income should be earned in a corporation or not.  As always, you should consult your tax advisor to determine the best course.


Contributed by Howard Wasserman, CPA, CA, CFP, TEP

Principal in Taxation at Segal LLP.

This piece was produced as a part of the quarterly Canadian Overview, a newsletter produced by the Canadian member firms of Moore Stephens North America.

Partnership Announcement


Segal LLP is very pleased to announce that Harley Appleby, CPA, CA, has joined the firm’s partnership group, effective January 1, 2019.

Harley joined Segal in January of 2009. Over the course of his career at Segal, his focus on tax advisory to owner managed businesses has helped provide exceptional service to clients across a multitude of industries including real estate, professional services, manufacturing, high-net-worth individuals, and retail.

“Harley has a strong focus on client service. His dedication to dealing with client tax needs and other business-related matters fits well with the Segal client service culture,” says Dan Natale, Managing Partner at Segal.

Harley is a member of the Ontario Institute of Chartered Professional Accountants and a graduate of the Ivey School of Business at Western University with an honours degree in business administration.

We extend a heartfelt congratulations to Harley and a warm welcome to the Segal partner group.

Successful CFE Writers

We are proud to celebrate those members of the Segal team who successfully completed the 2018 CFE exam!  After many years of study and a grueling 3-day exam, their hard work has paid off and we’re excited for their future.

Congratulations to:

  • Christopher Luk
  • Cheryl Vanderland
  • Chris Ball
  • Victoria Huang

Special recognition goes to Chris Ball who earned a place on the honour roll.  The CFE honour roll consists of the top one percent of CFE writers across Canada.

Congratulations again to our writers!
