Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

  • 0
Christopher Woo
Wednesday, 01 July 2026 / Published in Woo on Tech
mid year check-in

Most firms set their technology priorities in January with the best of intentions. By June, those intentions have been buried under client deadlines, staff turnover, and whatever fire needed putting out that particular Tuesday.

I’ve been doing this long enough to know that the gap between what a firm’s IT environment is supposed to look like and what it actually looks like tends to widen quietly, without anyone noticing, until something breaks. That’s what makes mid-year the right time to look. You still have six months to fix what you find.

This is the list I walk through with my own clients right now. It is specific to accounting practices, law offices, and property management companies because these businesses handle a particular combination of sensitive client data, regulatory exposure, and lean administrative staff.

1. Does Your IT Roadmap Still Reflect Where the Business Is Going?

Has the business changed since you last reviewed your technology plan? A second location, five new staff, or an absorbed partner’s book of business means the hardware you budgeted, the software you licensed, and the backup capacity you sized were all built around a version of the company that may no longer exist. Pull out your IT roadmap and compare it to where you actually are.

2. Review Your Backup and Recovery Setup

A backup that has never been restored is a theory. I have seen firms discover mid-incident that their backup solution had been failing silently for months because notification emails went to an inbox no one checked. Pick a date in July. Run a test restore. Document what happened. This takes two hours and eliminates what would otherwise be a catastrophic week.

3. Audit Who Has Access to What

People leave, change roles, and accumulate permissions without anyone removing the old ones. A paralegal who transferred departments still has full access to the client billing system. A former office manager’s account was never disabled. Access creep is how small breaches become large ones. Pull a list of active accounts, compare it with your current staff, and revoke those that should not be there.

4. Check Your Cybersecurity Insurance Policy Against Your Environment

Insurers ask whether you have multi-factor authentication, endpoint detection software, offsite backups, and regular security training. Those answers were true when you filled out the application. Whether they are still true depends on whether anything has changed. A staff member disables MFA because it was inconvenient. A license lapses. Review the policy against your current state before your renewal, not after a claim.

5. Evaluate Your Vendor Relationships

Every firm I work with has at least one vendor relationship that is no longer serving them well. A software subscription for a tool three people use. A support contract with a provider that takes 72 hours to respond. List every technology vendor, what you are paying, and whether you are getting value. Most of the time it surfaces one or two things worth addressing, which pays for the hour it took to do the review.

6. Test Your Password and Authentication Policies

If your firm does not have a formal password policy, you have one. It is just the one each employee invented for themselves. Review whether MFA is active across all critical systems: email, document management, accounting software, and remote access tools. Password hygiene accounts for roughly 22 percent of all data breaches, according to Verizon’s 2025 Data Breach Investigations Report.

7. Review Remote Work Security for Your Current Setup

The policies put in place in 2020 have not necessarily kept pace with how people work now. Staff connect from personal devices. Home routers never got firmware updates. Someone is using personal Gmail to send client documents because it is easier. Ask your IT provider to give you a current picture of who is connecting from where and how.

8. Confirm Your Compliance Documentation Is Current

Cyber insurance carriers require documented security policies. State bar associations are publishing guidance on attorney obligations for client data security. Compliance documentation decays. If it has not been reviewed since it was written, treat that as a gap.

9. Look at Your Network Infrastructure

Switches, wireless access points, and firewalls that are two or three years old and have had no firmware updates applied are running vulnerabilities that have been publicly documented for years. Attackers run scans, identify outdated hardware running outdated software, and exploit known vulnerabilities. Ask when your network equipment was last audited. If no one can tell you, that is the audit.

10. Have an Honest Conversation About the Rest of the Year

What is the one technology investment that would make the biggest difference to how your firm operates? What is the one vulnerability you have been aware of but keep putting off? What has changed in your business that your technology has not caught up to? Those three questions, answered honestly, will tell you more about where to focus than any framework.

None of these items requires weeks of analysis. Most require someone to look, ask a question, and write down what they find. The firms that consistently avoid major technology problems are not the ones with the most sophisticated systems. They are the ones who check in regularly and address what they find before it becomes urgent.

If you want to run through this list with someone who knows how professional services firms actually work, schedule a conversation with us. No pitch. Just a practical look at where you are and what actually needs attention.

Meta Description: Halfway through 2026, it’s time to review what’s working and what’s not. An IT consultant’s practical checklist for professional services firms.

Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

  • 0
Christopher Woo
Tuesday, 23 June 2026 / Published in Woo on Tech
Cloud Migration for Professional Services: When It Makes Sense

Every vendor in the technology industry will tell you to move to the cloud. What they won’t tell you is whether moving to the cloud is the right decision for your firm.

I’ve been doing this for 35 years. I’ve watched the industry cycle through mainframes, desktops, servers, and the cloud, and in every era, the companies selling infrastructure find a way to make their solution sound like the only one that makes sense. The cloud is genuinely useful, but also genuinely oversold. My job is to tell you which is which for your specific situation.

What “The Cloud” Means for a Professional Services Firm

Before we get into when to migrate and when not to, let’s be clear about what we’re talking about.

When most firms ask about cloud migration, they’re usually asking about one of three things: moving email and productivity tools to a hosted platform like Microsoft 365 or Google Workspace, moving file storage and document management off local servers and into a cloud service, or moving line-of-business software like practice management, accounting, or property management platforms to hosted versions.

These are different decisions with different tradeoffs. Treating them as one question is where a lot of firms go wrong.

Where Cloud Migration Makes Clear Sense

Email and productivity tools

This one is mostly settled. Running your own on-premises Exchange server to host email for a 50-person accounting firm stopped making practical sense years ago. Microsoft 365 deployment handles uptime, security patching, spam filtering, and backups at a cost that no small firm can match when running their own infrastructure.

The same goes for collaboration tools. When your attorneys or accountants work from multiple locations, cloud-based document access and real-time collaboration in Microsoft 365 or Google Workspace are genuinely better than the alternatives. This is a cloud migration decision where the answer is almost always yes.

One thing to watch: deployment matters as much as the decision to migrate. A poorly configured Microsoft 365 environment with the wrong license tier, no multi-factor authentication, and default security settings is not better than what you had before. Cloud migration support from someone who knows professional services firm requirements is not optional. It’s the part that makes the migration work.

This is also a decision that intersects with your firm’s specific software needs. If you’re weighing which platform fits best, the considerations for law firms and accounting practices differ enough to warrant a closer look. We cover that comparison in detail.

.

Remote and hybrid work infrastructure

If your team works from anywhere, cloud infrastructure is not a preference, it’s a practical requirement. Local servers that staff can only access via a fragile VPN setup, or document storage that lives only on office desktops, break down quickly in a distributed work environment.

Cloud-based file storage, access controls, and productivity platforms built for remote access are what make hybrid work viable. For firms that have embraced any degree of remote work, this is another area where the migration decision usually has a clear answer. For a closer look at the security side of that equation, Remote work security for professional services firms is worth reading alongside this post.

Disaster recovery and backup

Your backup strategy should have a cloud component. Full stop. Local backups that reside in the same building as the systems they back up are not a recovery strategy. They’re a false sense of security. Cloud-based backup solves that problem directly, and the cost is low enough that there’s no reasonable argument against it for any firm.

Where the Cloud Argument Gets Weaker

Specialized line-of-business software

Many professional services firms run software that is specific to their industry. Tax platforms, legal document management systems, and property management databases. The hosted versions of these applications are not always better than on-premises versions, and they are often significantly more expensive on a per-user subscription model.

Before migrating a line-of-business application to a hosted cloud version, do the math. What is the annual cost per user for the cloud version versus the cost of running the application on your existing server infrastructure? Include the IT support cost for server maintenance, but be honest about it. For firms with managed IT support already in place, the incremental cost of maintaining a single application server is often lower than many assume.

There are cases where the cloud version wins. There are cases where it doesn’t. The calculation is worth doing before the vendor does it for you.

When your connection is the problem

Cloud infrastructure runs on internet connectivity. If your office has unreliable internet or your team works in locations with limited bandwidth, moving critical applications to the cloud can create a reliability problem that didn’t exist before.

I’ve seen firms migrate enthusiastically, then discover that their 25-person office shares a business internet connection that simply wasn’t designed for the load. Before any significant cloud migration, your network infrastructure needs an honest assessment. This step is skipped more often than it should be.

When compliance requirements restrict your options

Accounting firms, law offices, and property management companies handle sensitive client data. Depending on your specific situation, the cloud environment you choose and how it’s configured may need to meet particular security and compliance standards.

This doesn’t mean you can’t use cloud platforms. Microsoft 365 and Google Workspace both have configurations that meet demanding compliance requirements. This means the migration needs to be designed with those requirements in mind, not retrofitted after the fact. If your cyber insurance requires specific data handling controls, or your clients have contractual requirements around data residency, those need to be on the table before you sign up for a cloud service.

Cyber insurance requirements around data handling have tightened considerably in the past two years. Understanding what your policy requires is a conversation in itself.

The Question Nobody Asks

I find myself having this conversation fairly often. A managing partner or office manager tells me they want to move everything to the cloud. When I ask why, the answer is usually something like, “because that’s where everything is going” or “because our current setup is frustrating.”

Those are not the same problem, and they don’t have the same solution.

If your current setup is frustrating because local servers are aging, backups are unreliable, and remote access is painful, cloud migration probably does solve that. If your current setup is frustrating because your software is poorly configured, your hardware is underpowered, or your IT support isn’t keeping up, migrating to the cloud can move the same problems into a new environment and add a subscription fee on top.

The cloud is a location, not a fix.

Before any migration conversation, I recommend an honest technology assessment. What’s breaking? What does your team need? What does it cost to solve the problem on-premises versus in the cloud? Once you have real answers to those questions, the right path forward is usually obvious.

If you want to work through that assessment for your firm, that’s a conversation worth having. C2 Technology Partners works exclusively with professional services firms in Southern California, and we’ve been through this decision enough times to give you a straight answer without a sales agenda attached.

Primary Keyword: cloud migration support 

Secondary Keywords: Microsoft 365 deployment, Google Workspace setup

Meta Description (155 chars): Not everything belongs in the cloud. When cloud migration makes sense for professional services firms, and when on-premises is still the better choice. 

Summer Vacation Security Checklist for Professional Services Firms

  • 0
Christopher Woo
Friday, 19 June 2026 / Published in backup and recovery
mid age man working on laptop while floating in the sea summer vacation

Summer is the one time of year when professional services firms run at a reduced pace, and their security posture quietly relaxes along with it.

That’s not a coincidence, but a pattern. Fewer people in the office means fewer eyes on unusual activity. Staff traveling on personal devices means firm data moving through networks you don’t control. Out-of-office auto-replies mean bad actors know exactly who isn’t watching their inbox. The pressure against your small business network security never takes a break, even when your team does.

The good news is that a few hours of preparation before the summer travel season starts can close the most common gaps. This checklist is built for accounting practices, law offices, and property management firms with distributed summer schedules.

Before Anyone Leaves

Review and update your access controls

This is the step most firms skip because it feels administrative. Do it anyway.

Pull a list of who has access to what. Look specifically for former employees or contractors whose credentials were never deactivated, staff who changed roles but kept legacy access they no longer need, and shared passwords that have never been rotated. Summer is a natural forcing function for this review because you’re already thinking about who will be out and who needs coverage.

Shared credentials for practice management software, document storage, and billing systems are a particular risk during vacation season. When one person is covering for three others, the temptation to use a shared login grows. That’s exactly when you want individual access properly configured, not less.

Confirm MFA is active on every external-facing system

If your staff can access email, client files, or any line-of-business software from outside the office, multi-factor authentication must be enabled. Every account, not just the partners or admins.

Vacation travel is when credentials are most likely to be compromised. Hotel networks, airport Wi-Fi, and coffee shops are not secure environments. MFA doesn’t make a compromised password harmless, but it makes it substantially harder to exploit. Check your configuration now rather than after someone calls from a beach in Mexico, wondering why they can’t log in.

Brief your team before they go

Security policy development works on paper. It works when people understand what to do in a specific situation.

Before staff travel, cover two things. First, remind them not to connect firm devices to public Wi-Fi without a VPN, and make sure the VPN is installed and tested before they leave the office. Second, tell them what to do if something feels wrong: who to call, how to reach remote IT support, and that it’s always better to report something that turns out to be nothing than to stay quiet about something real.

A three-minute conversation before someone leaves for two weeks is worth considerably more than an incident response call from a hotel lobby.

While Your Team Is Out

Set a clear policy on out-of-office responses

Auto-replies are useful, but they’re also a free announcement to anyone probing your firm. A message that says “I’m out until July 14, for urgent matters, contact Jane at [email protected]” hands an attacker a name, an alternate target, and a window of time when the original contact won’t notice something unusual in their account.

Keep out-of-office messages simple. Confirm the person is unavailable and provide a general contact for urgent matters. Avoid specific return dates, alternate contact names and direct emails, or any details about the firm’s operational structure.

Assign coverage for security alerts

Your monitoring tools and security software generate alerts whether or not the right person is watching. Before the summer schedule kicks in, identify who is reviewing alerts for each person who will be out for more than a few days. Remote IT support can handle ongoing monitoring, but your internal point of contact needs to be clearly defined and reachable.

This is particularly important for firms managing client data under confidentiality or compliance requirements. An unmonitored alert from a data access anomaly that sits for two weeks while the responsible partner is in Hawaii is not an acceptable gap.

When People Return

Do a brief device check before reconnecting

Any device that left the office, spent time on home or travel networks, and is now returning to your environment is worth a quick review. This doesn’t have to be complex. Confirm the device has the latest security updates, run a scan with your endpoint protection software, and verify that the VPN connection is functioning properly.

This is especially true for staff who traveled internationally, used airport charging kiosks, or connected to hotel networks. The risk is low for any individual trip. It compounds quickly across a 50-person firm returning from summer vacations.

Revisit your access list one more time

The same review you did before the summer is worth repeating after the summer. Summer often brings personnel changes: interns who have finished, contractors who have completed a project, and staff who have given notice and left during the summer. Each of those is a credential that should be deactivated promptly.

None of these items requires a large time investment. The full list takes an afternoon to work through before summer begins and an hour to verify when it ends. What they do require is actually doing them before something happens, rather than after.

If you want help running through this checklist for your firm, C2 Technology Partners works with professional services firms across Southern California on exactly this kind of proactive security review. Reach out before your team’s out-of-office messages go up.

The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

  • 0
Christopher Woo
Thursday, 11 June 2026 / Published in Woo on Tech
The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

I have had this conversation more times than I can count. Someone buys a laptop at Costco for $300, hands it to a paralegal or a bookkeeper, and calls it a day. Six months later, they’re on the phone with me, wondering why everything is slow and what we’re going to do about it.

What I tell them is that the $300 laptop and the $1,300 laptop look almost identical in the store: same screen, same keyboard, same ports. On the surface, they act the same, too, for about the first three months. After that, the differences become very clear, and they’re the kind of differences that cost you real money.

What You’re Paying For

Consumer-grade laptops sold at big box retailers are built to a price point. That’s not an opinion, it’s a manufacturing reality.

The components inside a budget machine are sourced for cost, not durability. The processor handles basic tasks but struggles under the load of business software. The storage drives are slower and wear out faster. The build quality is lighter because lighter means cheaper materials, and cheaper materials mean shorter lifespans. Memory is often the minimum required for the thing to boot.

Business-class laptops are built differently. The processors are selected for sustained workloads. The storage is faster and rated for higher read-write cycles. The chassis is more durable because the people buying them need them to last four or five years, not one or two. Quality assurance testing is more rigorous because the buyer notices when a machine fails.

None of that is marketing. It’s component selection.

The Real Math on Cheap Technology

A $300 laptop that lasts two years before becoming a productivity problem costs your firm significantly more than the purchase price.

Consider what happens when that machine starts underperforming. Staff spend time waiting on slow load times. IT support time goes up. If the device fails outright, you’re dealing with downtime, potential data recovery costs, and the disruption of getting a replacement deployed quickly. Factor in lost billable hours for the person who can’t work normally during any of that.

Research cited by Atlassian puts the average cost of IT downtime at $5,600 per minute, and a failing laptop is a reliable, recurring source of exactly that kind of unplanned outage.

A $1,300 machine that stays reliable for four to five years, with minimal support overhead, almost always wins on total cost. The math isn’t complicated once you stop looking at the purchase price in isolation.

The Quality Decline Problem Nobody Talks About

This topic is personal for me. I was a Dell advocate for years: reliable machines, consistent business-line products, and good support. I can’t say that anymore. I won’t recommend most of their consumer products today, and I’m not alone in that assessment.

The decline in the quality of technology hardware has been real and measurable over the past decade. What most people don’t know is why.

Before the pandemic, a series of disasters hit semiconductor and component manufacturers across Asia, particularly in Taiwan, Japan, and Malaysia. Floods, fires, and factory shutdowns degraded supply chains that had taken decades to build. That infrastructure has not fully recovered.

Then the pandemic hit, which compounded everything. Component shortages forced manufacturers to substitute materials and suppliers at every level of the supply chain. Some of those substitutions became permanent because the economics worked in the short term.

Layered on top of that is a straightforward business reality: public companies face relentless pressure to extract margin from their products. The easiest place to find margin without raising prices is to reduce the quality of what’s inside the box. Consumers rarely crack open their laptops to inspect the components. That created an opening, and many manufacturers took it.

The result is that you cannot shop by brand name the way you could ten years ago. A brand that produced excellent business hardware in 2015 may be producing mediocre hardware today from the same product line.

What This Means for Device Lifecycle Management

Workstation setup and deployment for professional services firms need to account for all of this.

A replacement cycle of four to five years is standard guidance for business-class hardware, but only if you’re buying business-class hardware to begin with. Consumer devices often can’t make it that far without significant performance degradation, which means you’re replacing them more frequently and paying IT support costs along the way.

The firms I work with that invest in quality hardware upfront have more predictable technology budgets and fewer emergency support calls. The ones that buy cheap get a short-term win on the purchase order and a long-term headache on everything else.

Spend $1,300 on a machine that your attorney or accountant uses reliably for five years, and you’ve spent $260 per year on that device. Buy a $300 machine that needs replacing in two years, and the per-year cost is $150 before you count a single hour of downtime or support.

The numbers get closer than people expect.

A Practical Buying Framework

When I’m advising firms on device procurement, I look at a few specific factors.

What software are these users running? Tax and legal software is resource-intensive. A machine sized for web browsing and email will struggle with it. Match the device to the actual workload, not to the lowest acceptable price.

Who is the user? A partner at a law firm or a CPA signing off on returns needs a reliable machine without fail. An intern doing administrative work might be fine with something less expensive. Not every seat requires the same investment.

What’s the warranty and support structure? Business-class machines from reputable manufacturers typically come with on-site service warranties. Consumer devices don’t. For a 50-person professional services firm, that distinction matters when something breaks.

Finally, what does replacement cost your firm? Include IT labor for setup and deployment, any data migration, and the disruption to the person whose machine just died. 

Once you factor all of that in, the $300 laptop rarely looks like the savings it appeared to be at checkout.

Technology planning for business growth means treating your devices as assets rather than expenses. A device lifecycle management strategy, built around quality hardware and realistic replacement cycles, will cost your firm less over time and save you more headaches than I can count.

If you’re not sure whether your current hardware is serving your team well or quietly costing you, reach out. We do this assessment regularly for professional services firms across Southern California, and the conversation doesn’t cost you anything.

Remote Work Technology Setup: What Matters for Professional Services Firms

  • 0
Christopher Woo
Wednesday, 03 June 2026 / Published in Woo on Tech
Remote Work Technology Setup: What Matters for Professional Services Firms

Remote work is no longer a temporary arrangement that your firm is managing. It’s how your people work now, and the security gaps it created are still wide open.

Most professional services firms handled the transition to remote work the same way. They handed out laptops, set up VPN access, and called it done. That approach was fine in 2020 when everyone was scrambling. In 2025, it’s a liability.

The firms we work with across accounting, law, and property management all share similar setups. Attorneys reviewing client files from home networks, accountants accessing tax software from personal devices, and property managers processing payments from coffee shops. Every one of those scenarios introduces a risk that a basic VPN was never designed to cover.

Your Home Network Is Not Your Firm’s Network

Office networks are managed. Home networks are not. That difference is significant.

When your staff works from home, they’re connecting through consumer-grade routers that often run outdated firmware, have never had their default passwords changed, and share bandwidth with every smart TV, gaming console, and doorbell camera in the house. Your firm’s data is traveling through that environment.

The fix is not complicated. Requiring employees to connect through a business VPN is a start, but it’s not sufficient on its own. The stronger approach is zero-trust network access, which means every connection is verified before it reaches your systems, regardless of its origin. This is increasingly standard for firms handling sensitive client data, and it also matters for cyber insurance qualification.

If your current IT setup does not include a defined remote access policy, that gap should be addressed first.

Multi-Factor Authentication Is Not Optional

If your staff can log into client files, billing systems, or email with just a username and password, your firm is exposed. Full stop.

According to Microsoft, multi-factor authentication (MFA) blocks over 99.9%  of automated account compromise attacks. It is the single highest-return security measure available to small and mid-sized firms, and it costs almost nothing to implement correctly.

The challenge we see most often is not firms refusing to implement MFA. It’s firms that enabled it inconsistently, or skipped certain applications because they were inconvenient. An accounting firm might have MFA on email but not on their practice management software. A law office might have it enabled for partners but not for support staff.

That inconsistency is where breaches happen.

MFA needs to be applied uniformly across every application that accesses client data. That includes email, document storage, billing, and any line-of-business software your staff uses remotely. Hybrid work infrastructure planning should treat authentication as a foundation, not an afterthought.

Devices Are the Weakest Link in a Distributed Workforce

When everyone worked from the office, your IT team could see every device on the network. They could push updates, enforce policies, and spot problems. Remote work changed that dynamic completely.

The device your paralegal is using at home right now, are you certain it has current security patches? Do you know whether it’s running endpoint protection? If it were lost or stolen, could your team wipe it remotely?

For professional services firms, the answers to those questions need to be yes. Client confidentiality requirements, insurance obligations, and, in many cases, bar association or state CPA board standards require it.

Device management for remote employees means a few specific things in practice. Every firm-issued device should have endpoint detection and response software installed. Automatic updates should be enforced, not left to the discretion of individual employees. Also, remote wipe capability should be configured before devices leave the office, not after something goes wrong.

Personal Devices Are a Different Problem

Many firms allow employees to use personal computers or phones to access work systems. This is common and often unavoidable, particularly in smaller offices. It is also genuinely difficult to manage from a security standpoint.

You cannot install corporate security software on a personal device without creating legal and privacy complications. What you can do is control what those devices can access and how they can access it.

Mobile device management policies can enforce minimum security standards before a personal device is granted access to firm systems. Requiring a PIN, enabling device encryption, and preventing downloads of client files to local storage can all be enforced through the right configuration, even on personal devices. Your remote IT support strategy should account for this distinction.

If your firm has not made a clear decision about personal device access, it is worth making one now. Either allow it with defined controls in place, or restrict it and provide firm-issued devices where needed.

The Security Conversation You Are Not Having With Your Staff

Most data breaches in professional services firms do not start with sophisticated attacks. They start with a staff member clicking a link in a phishing email while working from home, without the informal safeguards that exist in a physical workplace.

In an office, someone might turn to a colleague and ask, “Did you see this email from a client?” That quick check happens naturally. Remote employees make those judgment calls alone.

Security awareness training is not a one-time checkbox. It needs to be ongoing, specific to the threats targeting professional services firms, and directly tied to the tools your staff uses. Credential theft targeting law firms and accounting practices is a documented and growing problem. Your training program should reflect that.

What This Looks Like in Practice

Getting remote work security right for a professional services firm does not require a large IT budget. It requires a clear-eyed assessment of where your gaps are, and a plan to close them in order of priority.

Start with an honest inventory. Which applications can staff access remotely? Which devices are being used? Is MFA enabled everywhere it should be? Are remote access policies documented?

From there, the path forward is usually straightforward. The firms that struggle are the ones that have never asked the questions.

If you want to run through that inventory, C2 Technology Partners offers a no-pressure remote work security assessment for professional services firms in Southern California. It takes about an hour and gives you a clear picture of where you stand.

Your Software Vendor Is Not Your Partner. Protect Yourself Anyway.

  • 0
Christopher Woo
Tuesday, 26 May 2026 / Published in Woo on Tech
Backup

Your software vendor does not care whether your business survives an outage, a price increase, or a forced platform migration. They care about your renewal. Those are not the same thing, and the sooner you build your IT strategy around that fact, the better off you will be.

I want to be fair here. I am not saying software vendors are villains. They are businesses. They have investors, payroll, and pressure to grow revenue. However, their incentives are structurally misaligned with yours, and pretending otherwise costs businesses money every single year.

What Vendor Mercenary Behavior Actually Looks Like

It rarely announces itself. It shows up in the details.

Licensing that stores your data in proprietary formats you cannot easily export. Price increases that arrive with 30 days’ notice, which gives you no realistic time to evaluate alternatives, negotiate, or move. Support tiers that make what used to be a standard service request into a premium feature. “Integration partnerships” that are really artificial barriers to using competing tools. Security features that exist at enterprise pricing tiers but not the small business plan you are on, which means the capability exists but the vendor has decided your size does not merit access to it.

I see the Microsoft 365 markup issue all the time in this industry. You can look up Microsoft’s pricing directly. A lot of IT firms mark up those licenses anywhere from 200 to 1,000 percent without ever explaining what the markup covers or why. At C2, we tell clients exactly what we are marking up and why. That is not the industry norm. It should be.

None of the behaviors I described above are illegal. Most of them are rational from the vendor’s perspective. But they are not aligned with your interests, and knowing that going in is different from figuring it out when you are locked in.

The Lock-in Nobody Notices Until They Try to Leave

The most expensive vendor relationship is not the one with the highest monthly bill. It is the one you cannot exit without a major disruption to your business.

Think about your practice management software, your document storage platform, your client portal. If you decided tomorrow that you wanted to move to a competing product, what would that actually look like? How long would it take? How much would it cost? What data might you lose or have to manually recreate?

For most professional services firms, the honest answer is “more than we want to think about.” That is not always a problem. Some vendor relationships are worth the dependency because the switching cost is genuinely higher than the cost of accepting the terms. However, you should arrive at that conclusion consciously, not by default.

The firms that get hurt are the ones that discover their exposure when the vendor raises prices by 40 percent and the realistic alternative is six months of migration work at the worst possible time.

What You Can Realistically Manage Yourself

I try to be honest with clients about the line between what they can handle and what they should bring to us.

Things most professional services firms can manage without IT help: exporting your own data periodically to verify you actually can, keeping a plain-language record of what tools you use and what they cost, reading renewal notices before approving them, and maintaining a vendor contact list somewhere outside the software itself. These sound obvious. Most businesses do not do them.

Things you should probably not try to manage without help: migrating data between platforms, evaluating the security implications of a new vendor contract, negotiating enterprise licensing terms, or building redundancy around a tool that is critical to daily operations.

Being clear about that line is more useful than pretending either that you can handle everything or that you need to outsource every decision.

Three Things You Can Do This Month

Export a copy of your data from your two most critical platforms. Just to see if you can. The experience of trying will tell you more than any vendor FAQ. If the export option does not exist or the output is unusable, that is information worth having now.

Read the terms of your next software renewal before you approve it. Look specifically for language about data portability, price adjustment clauses, and what happens to your data if you cancel. It will not be exciting reading. It will be useful.

Ask your IT partner: if we needed to move off this platform in 90 days, what would that actually look like? If your IT partner cannot answer that question clearly and specifically, that is also information worth having.

The Honest Part

Some vendor lock-in is unavoidable and some of it is worth accepting. The goal is not to be vendor-free. It is to make those choices with your eyes open rather than discovering your exposure when the leverage has already shifted entirely to the vendor’s side.

The firms I have watched get hit hardest by this are not the ones that made bad decisions. They are the ones that made no decision at all, and let default inertia build dependencies they were not aware of until something forced them to look.

Technology is a tool. Like any tool, it can be built improperly, it can be misused, and it can fail at the worst possible moment. Understanding who actually controls that tool, and what happens when their priorities stop aligning with yours, is part of running a business in 2026. It is just not a part anyone talks about much.

If you want to take stock of where your real dependencies are and what your options look like, we are happy to have that conversation.

Quick and Easy: Software vendors build their businesses around keeping you subscribed, not around making it easy to leave, and that is a rational business decision that just happens to conflict with yours. Understanding which tools your firm genuinely cannot exit quickly, and what that exposure actually costs, is one of the most underrated parts of technology planning for professional services firms. Start by trying to export your own data and reading the next renewal notice before you click approve.

The AI That Was Too Dangerous to Release Just Got Leaked

  • 0
Christopher Woo
Tuesday, 05 May 2026 / Published in elephant on the internet

I have been saying for a while now that the AI gold rush is moving faster than the guardrails can keep up. Recently, that point made itself.

Anthropic, the company behind Claude and one of the AI providers I have generally considered more thoughtful than the rest of the pack, built something called Mythos. It is a model so capable at finding and exploiting security vulnerabilities that Anthropic decided not to release it to the general public. Instead, they rolled it out under a program called Project Glasswing, a carefully controlled initiative limited to a small circle of major companies, including Amazon, Apple, Cisco, and JPMorgan Chase. The whole idea was to use Mythos to find vulnerabilities before the bad guys did, while keeping it out of the hands that would use it for the opposite purpose.

That plan hit a wall almost immediately.

A small group of unauthorized users gained access to Mythos through a third-party vendor environment. One member of the group was apparently a contractor for Anthropic, which gave them enough access to piece together where the model was hosted. They have been using it ever since. Anthropic confirmed they are investigating and said there is no evidence the breach extended beyond the vendor environment. If you have been around technology long enough, you know that “we are investigating and have no evidence of further impact” is, at a minimum, a very early statement.

What Mythos Actually Does

To understand why this matters, you need to understand what this tool is capable of. Mythos was used to find 271 vulnerabilities in Mozilla Firefox. A human security team found nothing. Claude also independently identified a 27-year-old security flaw in OpenBSD, an operating system specifically known for being difficult to compromise.

When I told a client about this recently, the reaction was something along the lines of “well, at least they found the bugs.” And yes, that is the optimistic read. The sobering read is that the same capability that finds vulnerabilities can be turned around and used to exploit them. The first step in attacking a system and the first step in defending a system are identical: find the weakness. The difference is what you do next.

The Third-Party Problem Nobody Talks About Enough

The part of this story I keep coming back to isn’t really about Anthropic specifically. It is about how organizations secure access when they rely on outside vendors and contractors.

Anthropic built a system with serious restrictions around who could access Mythos. However, the security of that system was only as strong as the security of every vendor and contractor who touched it. One person with legitimate access found a way in for people who should not have had any. That is not a unique failure. It is a pattern I see constantly in the organizations I work with, and it is one of the reasons third-party risk management has become such a critical part of any serious security posture.

Your business may not be managing a dangerous AI model. It’s likely, though, that you do have vendors, contractors, and service providers who have some level of access to your systems. Do you know exactly what that access looks like? Do you review it? Do you revoke it when the relationship ends?

If the answer to any of those is “I think so” or “probably,” that is worth a closer look.

What This Means for Your Business Right Now

The short version: Mythos itself is not your problem today. However, the story behind it illustrates why AI security is no longer a theoretical concern.

A tool this powerful in the hands of people who want to use it offensively is a genuine acceleration of the threat environment. My industry colleagues and I have already seen a significant spike in phishing attacks in recent weeks. Whether Mythos is directly connected or not, something has turned the volume up out there. What took a skilled attacker hours or days can now take an AI model minutes.

I am not telling you this to scare you. I am telling you this because the practical response is the same as it has always been: make sure your basics are locked down, make sure your people know what to watch for, and make sure whoever is managing your technology is paying attention to what is happening in the broader threat environment, not just keeping the lights on.

Quick and Easy

Anthropic’s Mythos model, built specifically to find and patch security vulnerabilities before attackers could exploit them, was accessed by unauthorized users through a third-party vendor almost immediately after its limited release. The incident is a clear example of why third-party access controls matter as much as the security measures you put on your own systems. The AI threat environment is accelerating, and basic security hygiene is what keeps professional services firms protected.

aiHacking

Remote Work Security: What Actually Matters for Professional Services Firms

  • 0
Christopher Woo
Tuesday, 28 April 2026 / Published in data privacy
Remote worker on phone meeting and on computer

Remote work is not a temporary arrangement that professional services firms are still adjusting to. It has been five years. It is the baseline. Most firms’ security posture still treats it like a guest bedroom situation rather than a permanent part of how the business operates.

This is not about blame. The shift happened fast, priorities were elsewhere, and the security implications were not obvious until they became obvious. But by 2025, roughly 42% of employees were logging in remotely at least once a week, which means the attack surface of the average professional services firm now extends well past the office walls into home networks, personal devices, and coffee shops, whether the firm has planned for that or not.

This is what actually matters for your remote work technology setup, without the sales pitch.

The Home Network Problem Your Remote Work Technology Setup Cannot Ignore

Your office network is managed. It has a firewall, monitored access points, and someone responsible for keeping it current. Your employee’s home network has a router their ISP shipped three years ago, still running the default admin password, on firmware that has not been updated since installation.

That is not the employee’s fault. They are not network engineers. However, it is a meaningful gap, and home networks are now the entry point for roughly 38% of cyberattacks targeting remote access infrastructure.

What you can actually do about this: require that any employee working remotely connect through a company-provided VPN before accessing firm systems. A VPN encrypts the connection between the employee’s device and your network, which does not solve the home router problem but substantially reduces what a compromised home network can do to your firm’s data. This is a policy decision more than a technical one, and it is not expensive to implement.

Hybrid Work Infrastructure Planning Starts with Devices

Misconfigured access controls accounted for 24% of cloud security breaches in 2025, and a significant percentage of those trace back to personal devices accessing company systems without proper configuration.

When an employee uses a personal laptop to access your client portal, document management system, or email, that device may be running outdated software, missing security patches, or shared with other household members. The firm has no visibility into any of that.

Solid hybrid work infrastructure planning means making a deliberate choice here. Either provide company-owned devices to employees who work remotely and manage those devices centrally, or establish a clear policy for personal device use that includes minimum requirements: current operating system, enabled encryption, and a business-grade password manager. Neither is free, but both are considerably less expensive than responding to a breach.

The People Problem No Technology Solves on Its Own

This one gets less attention than devices and networks, but remote workers are three times more likely to accidentally expose data than office employees, largely because the cues and norms of an office environment are not there to slow them down.

An employee who would never print a client document and leave it at a coffee shop might share that same document through a personal email account because it was faster than logging into the firm portal. Someone who would follow office protocols automatically when surrounded by colleagues may not think twice about the same action from their kitchen.

This is an environment issue, not a character issue. The office creates passive guardrails. Remote work removes them.

What helps: clear, specific policies about how client data can be transmitted and stored outside the office, combined with regular reinforcement. Not an annual training click-through, but actual conversations with staff about specific scenarios, including the borderline ones.

The Three Remote IT Support Priorities for Professional Services Firms

If your firm is going to prioritize, these are the controls that carry the most weight.

Multi-factor authentication on everything. Not just email. Your document management system, client portal, practice management software, and accounting platforms. If an attacker gets a password, MFA is often the only thing standing between them and your client data. In 2025, 91% of companies made MFA mandatory for all remote access points. If your firm has not, that is the first thing to fix.

A written remote work security policy. It does not have to be long. It needs to exist, be specific, and be communicated to staff. It should cover which devices are permitted, how client data can and cannot be transmitted, what to do if a device is lost or compromised, and who to call. If the policy lives only in someone’s head, it is not a policy.

Endpoint management. This means having the ability to see and manage the devices that connect to your firm’s systems, including remotely wiping a device if it is lost or stolen. For firms handling sensitive client financial data, this is a baseline requirement, not a luxury. Your remote IT support provider should be able to tell you exactly what devices are connected to your environment at any given time.

What You Are Not Doing Wrong

The firms I work with that have unresolved remote work security gaps are not being careless. They built remote access solutions quickly, under pressure, and the security refinements got deferred. That is a rational response to a chaotic period.

The window for treating remote security as a work-in-progress is closing, though. Cyber insurance underwriters are increasingly scrutinizing remote work controls specifically, and firms that cannot demonstrate basic hygiene in this area are finding their coverage options narrow. Getting ahead of that is worth the effort.

If you want to walk through where your firm’s remote work technology setup actually stands right now, that is a conversation we are happy to have.

Quick and Easy: Remote work permanently expanded the attack surface of professional services firms, and most firm security policies have not kept pace. The three controls that matter most are MFA on every system, a written and communicated remote work policy, and endpoint management for devices that access firm data. These are not complicated or expensive to implement, but they require treating remote security as permanent infrastructure rather than a temporary workaround.

remote work

Sustainable Technology Practices for Professional Services Firms

  • 0
Christopher Woo
Tuesday, 21 April 2026 / Published in Woo on Tech
Horizon of Earth from space

Earth Day feels like the right time to talk about technology waste, not because I am particularly sentimental about the occasion, but because most professional services firms are sitting on a device lifecycle management problem that is quietly costing them money. Nobody is talking about it in those terms.

I am also going to be honest about something upfront: sustainable technology practices are good for the environment, but I have never once convinced a business to change its approach to hardware solely for environmental reasons. What actually moves the needle is the operational and financial argument. The good news is that the same decisions that reduce e-waste also reduce costs and risk. So the environmental benefit is, in this case, the bonus.

Why Device Lifecycle Management Is a Business Problem First

Most professional services firms I work with do not have a formal device lifecycle management policy. What they have is a replacement habit: when a computer stops working acceptably, or when a staff member complains loudly enough, a new one gets purchased.

The result is an office full of machines of wildly different ages and configurations. Some are running operating systems that are no longer receiving security updates. Some are brand new. Most have not been inventoried in years. That is a security problem as much as an environmental one, and it is also expensive in ways that do not show up on any single invoice.

A reasonable device lifecycle for business computers is three to five years, depending on the workload. Below that range, you are replacing hardware before you can extract reasonable value from it. Above it, you are running machines that are slower than they should be, less secure than they need to be, and more likely to fail at an inopportune time. The operating cost of an aging machine in support time, productivity loss, and security risk tends to exceed the cost of replacement well before the hardware visibly gives out.

Responsible Workstation Setup Includes Planning What Happens at End of Life

When a device reaches the end of its useful life at your firm, a few steps need to be taken before it goes anywhere.

Data must be wiped, not deleted. Wiped. Deleting files does not remove them from a hard drive in a way that prevents recovery. A proper wipe overwrites the storage, making recovery practically impossible. If you are sending devices to a recycler or donating them, this step is not optional. Your clients’ data has been on those machines.

Devices that are still functional but no longer appropriate for primary staff may have a second life. Many nonprofits and schools accept used business equipment. If the device has been properly wiped and is running a current operating system, it can provide meaningful value elsewhere rather than going straight to a landfill.

For devices genuinely at the end of life, find a certified e-waste recycler. Most municipalities in Southern California have periodic e-waste collection events. A certified recycler ensures that the materials inside, some of which are genuinely hazardous if handled carelessly, are processed correctly.

Technology Planning for Business Growth Means Replacing Reactively Less Often

One of the most useful things a professional services firm can do, for both its operations and its environmental footprint, is move from reactive device replacement to planned refresh cycles.

Practically, this means knowing what hardware you have, when it was purchased, and when it is due for replacement. A simple spreadsheet works. When you know three years in advance that a wave of machines will need replacing, you can budget for it, plan the transition, and avoid the operational disruption of emergency replacements during busy periods. Tax season is a terrible time to discover that a staff member’s computer has finally given out.

It also means you stop buying machines during crisis conditions, which is almost always when the worst purchasing decisions are made. When the controller’s computer dies the week before a filing deadline, you buy whatever is available and ship it overnight. When you plan a refresh 12 months out, you have time to evaluate what your staff actually needs and buy accordingly. That is both better technology planning for business growth and considerably less expensive.

The Software Side of Sustainable Technology

Physical hardware is not the only place where waste accumulates. Software subscriptions are the other.

Most firms are paying for licenses they are not using, for platforms that have been partially replaced by something else, or for features within a platform that nobody has ever turned on. A software audit, a straightforward review of what you are subscribed to, who is using it, and whether the cost is justified, is something most firms have never done systematically.

It is not a complex exercise, and it consistently identifies funds that can be reallocated to what actually matters. I have never done one for a client and come up empty.

The Practical Starting Point

If you want to do something concrete this month that addresses all of the above, take an inventory. Pull together a list of every computer, laptop, and tablet used in your firm, when it was purchased, and who uses it. If you do not know when something was purchased, a good IT partner can usually determine that from the device’s system information.

Once you have that list, you have the information you need to make actual decisions about device lifecycle management, rather than just reacting to the next thing that breaks.

If you would like help pulling that inventory together or thinking through a refresh and workstation setup strategy, reach out. It is a straightforward conversation, and the starting point is almost always simpler than people expect.

Quick and Easy: Most professional services firms lack a device lifecycle management plan, which means they replace hardware reactively under pressure, run aging machines that pose security risks, and generate more e-waste than necessary. Moving to a planned three-to-five-year refresh cycle, properly wiping devices before retirement, and auditing unused software subscriptions addresses all three problems at once and often saves money.

The Government Might Have to Reissue Every Social Security Number in America. What Does That Mean for Your Business?

  • 0
Christopher Woo
Tuesday, 14 April 2026 / Published in data privacy
Social security cards

Two years ago, that sentence would have sounded like paranoid fiction. It does not sound like that right now.

I want to be clear upfront: I’m not here to argue politics. I genuinely do not care which side of the DOGE debate you’re on. What I do care about is that the data situation quietly unfolding within the Social Security Administration has real consequences for your business, your employees, and your clients, and most people are not paying attention.

Let me explain what happened, and more importantly, what it means for you specifically.

What Actually Happened

The Department of Government Efficiency, working inside the Social Security Administration, allegedly copied the entire NUMIDENT database to a cloud environment that bypassed the agency’s standard security protocols. According to a whistleblower complaint filed by the SSA’s former chief data officer, Charles Borges, this was done despite court orders limiting DOGE’s access to the agency’s systems.

The NUMIDENT is not just Social Security numbers. It is every record ever submitted in an application for a Social Security card: names, dates of birth, citizenship status, race and ethnicity, phone numbers, home addresses, and parents’ names and Social Security numbers. For more than 300 million Americans.

Court filings later revealed that DOGE employees used a third-party Cloudflare server not approved for SSA data, sent a password-protected file containing private records to outside affiliates, and that the SSA still cannot fully account for what was left in its systems or where it went. The Department of Justice has acknowledged in court filings that earlier statements about the scope of access were inaccurate.

Borges, per his complaint, warned his superiors that the agency might one day be forced to reissue every Social Security number in the country. A Senate investigation put the risk of a catastrophic breach at 65 percent.

Why This Is Different from Every Other Breach

Most data incidents involve something replaceable. Credit card compromised? You get a new one. Password exposed? Reset it. Account hacked? Recover it.

A Social Security number does not work that way. It is the root credential for your credit history, your tax filings, your employment verifications, your professional licenses, your Medicare records, and your background check history. Getting a new one, in the rare cases the SSA permits it, creates nearly as many problems as it solves, because nothing else in your financial life knows about the change.

If this data ends up in the wrong hands, the damage will not look like a fraud alert next week. It looks like a suspicious loan application two years from now or a tax return filed in your employee’s name before they can file their own. It could look like a wire transfer request that sounds exactly like your CFO, because someone has enough personal details to make it convincing.

The Three Business Risks Worth Taking Seriously

Your employees are now higher-value social engineering targets. If bad actors have an employee’s SSN, home address, employer, and parents’ names, they can construct pretexts that are genuinely hard to detect. Not a generic phishing email. A targeted call that opens with information that sounds like insider knowledge. Professional services firms, where staff regularly handle client funds and sensitive documents, are exactly the kind of target that makes this worthwhile for a criminal.

Your clients are downstream of whatever happens to your team. Accounting firms, law offices, and property management companies hold sensitive financial and personal data on behalf of other people. If an employee identity compromise creates an intrusion into your systems, your clients have a problem too. The liability runs in both directions and it runs fast.

The verification systems your business relies on may become unreliable. If large-scale SSN fraud materializes from this exposure, financial institutions will respond by tightening verification processes. Credit applications, employment checks, and background verifications may get slower, more expensive, or more complicated across the board. That is an operational headache even for firms that do not experience a direct breach.

What You Can Actually Do

None of this requires an expensive platform purchase or a consultant’s SOW. It mostly requires an afternoon and some attention.

Tell your team what happened in plain language. Informed employees are harder to manipulate. A staff that knows their personal data is out there is less likely to be fooled by a pretext that uses it.

Encourage everyone to freeze their credit at all three bureaus. It is free, it is reversible when needed, and it is still the most effective individual defense against identity fraud available. Experian, Equifax, and TransUnion all allow you to do it online.

Set up an alert through ssa.gov so you receive notification if anyone attempts to access Social Security benefits using your number.

Review your cybersecurity insurance policy for social engineering coverage specifically. Many policies cover breaches of company systems but have lower limits, or outright exclusions, for employee identity compromise that creates a business loss. Find out before you need to know.

If your firm does not have a written process for what to do when an employee reports identity theft, write one. It does not have to be long. It just has to exist before you need it.

The Bigger Picture

I have written before about the way cybersecurity threats have become environmental. They are not targeted at you specifically. They are more like pollution: pervasive, ongoing, not always visible, and best managed through preparation rather than reaction.

What makes this particular situation harder is that the exposure did not come from a criminal enterprise. It came from inside the institutions we were told to trust with our most sensitive information. That is a more uncomfortable conversation. But avoiding it does not change the exposure.

The firms that handle this well are not the ones with the most sophisticated tools. They are the ones that thought through what they would do before something went wrong, rather than figuring it out in the middle of it.

If you want to talk through what your firm’s actual risk picture looks like right now, reach out. That conversation is always free.

Quick and Easy: DOGE allegedly copied the Social Security Administration’s entire national database to an unauthorized cloud server, and the agency’s own cybersecurity officials raised the possibility of having to reissue every SSN in the country as a worst-case outcome. For professional services firms, the real risks are targeted social engineering of your employees, downstream exposure of your clients, and potential disruption to financial verification processes. The practical responses are mostly free and can be put in place this week.

privacysecurity
  • 1
  • 2
  • 3

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP