In January 2026, a mid-sized accounting firm in Orange County received notice that its cyber insurance claim had been denied. They’d been hit with ransomware, had to shut down operations for five days, lost client data, and faced reporting requirements to multiple regulatory bodies. The recovery cost exceeded $300,000. Their insurance policy had a $2 million limit for cyber incidents. However, the carrier denied the claim in full after their post-breach audit revealed the firm wasn’t consistently enforcing the security controls it had attested were in place when it purchased the policy.
This is not an isolated incident. It’s the new reality of cyber insurance in 2026.
Why Insurance Requirements Have Gotten Stricter
Cyber insurance carriers have been getting hammered by claims. According to Fitch Ratings’ analysis, cyber insurance claims increased 74% year over year, with the average ransom payment reaching $2.73 million in 2024. Ransomware attacks have increased in frequency and sophistication, and insurance companies have responded by tightening underwriting requirements and becoming much more aggressive in verifying that firms actually maintain the security posture they claim to have.
For professional services firms such as accounting practices, law offices, and property management companies, this creates a significant challenge. You need cyber insurance because the risk is genuine and the potential costs are catastrophic. IBM’s Cost of a Data Breach Report 2024 found that the average cost of a data breach reached $4.4 million, with smaller businesses often facing costs that threaten their survival. However, maintaining coverage now requires implementing and documenting security measures that many smaller firms haven’t traditionally prioritized.
The Security Controls That Matter Most
Let’s be specific about what cyber insurance carriers are requiring in 2026. These aren’t suggestions. These are baseline requirements that most carriers won’t negotiate on.
Multi-factor authentication must be enabled on all accounts that have access to email, financial systems, client data, and remote access to your network. According to Marsh McLennan’s 2025 Cyber Insurance Market Report, 99% of cyber insurance applications now include specific questions about MFA implementation, and 87% of carriers require it as a condition of coverage.
Regular backups with offline or immutable copies are mandatory. You need to prove you’re backing up critical data daily, testing restoration regularly, and keeping at least one backup copy that ransomware can’t reach. Carriers want to see evidence of the 3-2-1 backup rule: three copies of your data, on two different types of media, with one copy offsite and offline.
Endpoint protection that goes beyond basic antivirus is required. This means managed detection and response, not just a set-it-and-forget-it antivirus program you installed three years ago. Carriers want to see that you’re actively monitoring for threats, updating security software promptly, and have someone watching your systems who can respond when something looks wrong.
Security awareness training for all employees has moved from recommended to required, and it is not limited to a single training session at hire. Research from KnowBe4’s 2024 Phishing Benchmarking Report showed that organizations with ongoing quarterly training reduced susceptibility to phishing attacks by 86% compared to those with annual or no training. Carriers are looking for documented, ongoing training with testing.
Email security beyond your standard spam filter is increasingly common as a requirement. The majority of successful attacks start with email, so carriers are paying close attention to what you have in place to filter out malicious messages before they reach your employees.
The Documentation Burden
What catches many firms off guard is the fact that having these controls in place isn’t enough. You need to document that you have them, document that you’re maintaining them, and be prepared to prove it when your carrier asks.
This means maintaining security policies that spell out your requirements. Not generic templates you downloaded from the internet, but actual policies that reflect what you’re really doing. It means keeping records of your training sessions, your backup tests, your security updates, and your incident response procedures.
When you apply for cyber insurance or renew your policy, you’ll fill out detailed security questionnaires. These are getting longer and more technical every year. Your answers need to be accurate because if there’s a claim, the carrier will audit what you actually had in place versus what you said you had in place. Any discrepancies can and will be used to deny coverage.
What Compliance Readiness Actually Looks Like
Compliance readiness for small business cyber insurance isn’t about being perfect. It’s about being honest about your current state and having a plan to address gaps. If you’re a 15-person law office, nobody expects you to have an enterprise-grade security operations center. But they do expect you to have implemented the baseline security controls appropriate for your size and risk profile.
This means conducting regular risk assessments to identify your vulnerabilities, maintaining an incident response plan so you know what to do when something goes wrong, testing your backups periodically rather than assuming they work, and being realistic about your technical capabilities and getting help where you need it.
Many professional services firms are finding that they need outside assistance to meet insurance requirements. This isn’t a failure of your systems, but a recognition that security policy development and ongoing security management require expertise that most small and mid-sized firms lack in-house.
Taking Action Before Renewal
If your cyber insurance renewal is coming up, start your security audit now, not two weeks before your policy expires. Your audit should include:
- Working through the security questionnaire carefully
- Honestly assessing where you stand on each requirement
- Developing a realistic timeline and budget to address any areas where you are not compliant
Understand that improving your security posture may actually reduce your premiums or increase your coverage options. Carriers are willing to work with firms that demonstrate a serious commitment to security and consistent progress. What they won’t tolerate is firms that misrepresent their security controls or ignore requirements after purchase.
If you’re getting quoted higher premiums or having trouble finding coverage, the problem is probably in your current security posture, not the insurance market. Rather than shopping for a cheaper carrier that asks fewer questions, focus on getting your security house in order. The savings from slightly cheaper insurance won’t help you if your claim gets denied when you actually need coverage.
For professional services firms serving clients in accounting, legal, or property management, your security posture is increasingly part of your professional responsibility. Your clients trust you with sensitive information. They expect you to protect it. Meeting cyber insurance requirements in 2026 is really about meeting the baseline expectations of professional data stewardship.
Quick and Easy
Cyber insurance claims increased 74% in 2024, forcing carriers to require documented security controls, including MFA, tested offline backups, endpoint protection, and ongoing security training. Professional services firms must implement and document these controls accurately to avoid claim denials in the event of a breach.
Look, I get it. Multi-factor authentication is a pain in the butt. It slows you down when you’re trying to get work done, it interrupts your flow with prompts at the worst possible times, and yes, it makes you feel like technology doesn’t trust you anymore. Your team is going to complain about it. Some will actively try to find workarounds. And honestly, I don’t blame them.
The thing about ransomware, though, is that it’s worse.
I’ve been managing IT for professional services firms for over three decades, and I can tell you that the conversation we have after a breach is exponentially more painful than the conversation about implementing MFA. One is an inconvenience. The other is a catastrophe.
The Uncomfortable Truth About Endpoint Security
The professional services industry is getting hammered by ransomware. Accounting firms, law offices, and property management companies are prime targets because you have exactly what criminals want: sensitive financial data, confidential client information, and typically just enough technology to be vulnerable but not enough to be fortress-like.
According to the FBI’s Internet Crime Complaint Center, ransomware complaints increased 18% in 2024, with losses exceeding $59.6 million. However, those numbers only capture reported incidents. Most small and mid-sized firms never report attacks because they’re embarrassed, worried about reputation damage, or they just paid the ransom quietly and moved on.
When someone gets ransomware into your network, it doesn’t just encrypt your files. It steals them first, then encrypts them, then threatens to publish your clients’ private information if you don’t pay. Even if you have backups, which you should, you still have a data breach on your hands. You still have to report it. Your clients still find out. Your reputation still takes a hit.
You know what the entry point is in most of these attacks? Stolen credentials. Microsoft’s Digital Defense Report found that password-based attacks increased 146% in 2024, with more than 7,000 password attacks happening every second across their platforms. Someone phished an employee’s password, logged in as them, and waltzed right through your front door like they owned the place.
What MFA Actually Does (And What It Doesn’t)
Multi-factor authentication isn’t perfect. I’m not going to pretend it’s some silver bullet that makes you invincible. Criminals have already figured out ways around it, like cookie-stealing, where they trick you into authenticating through a legitimate-looking service just to capture your session token.
Here’s what it does: it makes the cheap, easy attacks fail. The automated bot that tries 10,000 stolen passwords against your email server. The script kiddie who bought a dump of credentials on the dark web. The lazy criminal who isn’t willing to put in the extra effort. According to research from Google, implementing any form of MFA blocks 99.9% of automated attacks. Even the most basic SMS-based authentication stops the vast majority of credential stuffing attacks cold.
Think of it like locking your car doors. Will it stop a professional car thief with the right tools and motivation? No. But it will stop the opportunistic criminal who’s just walking through the parking lot trying door handles. Most cybercrime is exactly that: opportunistic.
Why Your Cyber Insurance Company Cares
Something that might make the MFA conversation easier with your team: it’s not really optional anymore. In 2026, cyber insurance requirements have gotten strict enough that most carriers won’t even quote you coverage without multi-factor authentication on all your critical systems. Email, remote access, financial systems, client portals. All of it.
I’ve seen insurance companies do post-breach audits and deny claims because MFA wasn’t implemented properly. It can’t be partially implemented, or “we were planning to roll it out.” Actually implemented and actually used. They will look at your authentication logs, and if they see that the account that got compromised didn’t have MFA enabled, that’s it. Claim denied. You’re on your own for the six-figure recovery costs.
Making It Less Terrible
The good news is that MFA in 2026 is better than it used to be. Not good, but better. You’re not stuck with those horrible SMS codes that never arrive when you need them. Modern authentication apps are faster. Hardware security keys work better. Some services even use passwordless authentication now, which sounds scarier but is actually more convenient once you get used to it.
The key is implementing it intelligently. You don’t need to make people authenticate every single time they access their email if they’re on a trusted device on your network. You can set reasonable timeout periods. You can use conditional access policies that only trigger extra authentication when something looks suspicious, like a login from an unfamiliar location.
You need to train your people not just on how to use MFA, but also on why it matters. Not with scare tactics, but with reality. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether that’s stolen credentials, social engineering, or simple mistakes. Tell your team about the law firm down the street that got hit with ransomware because someone clicked a phishing link. Tell them about the accounting practice that had client tax returns published online because their insurance claim got denied. Make it real, because it is real.
The Reality of Small Business Ransomware Protection
Look, if I’m being completely honest with you, which I always am, no security measure is going to stop a determined, sophisticated attacker who specifically targets your firm. But you’re probably not going to get specifically targeted. What you’re trying to protect against is being the easy target, the firm that criminals hit because you’re vulnerable and they know it.
Multi-factor authentication is one piece of a larger endpoint security solution. You also need proper backups, security monitoring, email filtering, security awareness training for your team, and someone who actually knows what they’re doing managing all of it. But MFA is the piece that insurance companies look for first, and for good reason.
If you haven’t implemented multi-factor authentication yet, start now. Check with your cyber insurance carrier about their specific requirements, because they vary. Get your critical systems secured first: email, financial software, anything that touches client data, and any way your team accesses your network remotely.
And when your team complains, which they will, remember that their annoyance is temporary. A ransomware attack isn’t.
Quick and Easy
Multi-factor authentication blocks 99.9% of automated attacks and is now required by most cyber insurance policies. While your team will find it annoying, the alternative of ransomware attacks and denied insurance claims is far worse for professional services firms.
Let’s talk about something most IT companies won’t discuss openly: how much managed IT services in Southern California actually cost and why.
We’ve been serving professional services firms in Southern California for over 35 years, and one of the most common questions we hear is: “What should we actually be paying for IT support?” The frustration behind that question is real. Business leaders know they need professional technology consulting, but the pricing landscape feels deliberately opaque.
So here’s an honest breakdown of the cost of managed IT support services.
The Basic Numbers for 2026
For professional services firms in the 50-150 employee range, including accounting practices, law offices, and property management companies, managed IT services in Southern California typically range from $150-$250 per user per month.
Yes, that’s a wide range for IT support costs. Why?
The lower end ($150-$175 per user) usually includes:
- Basic helpdesk support during business hours
- Standard security monitoring
- Patch management for operating systems
- Basic cloud email support (Microsoft 365 or Google Workspace)
The higher end ($200-$250 per user) typically includes:
- 24/7 helpdesk availability
- Advanced threat protection
- Compliance support (HIPAA, CMMC, PCI, SOC 2)
- Strategic technology planning
- Dedicated account management
What Most Companies Won’t Tell You About IT Services Pricing
The IT industry has markup rates that range from 200% to 1000% on certain services and products. That’s not a typo.
A business-grade laptop that costs an IT provider $800 might be sold to you for $1,600 or more. Microsoft 365 deployment licenses that cost the provider $22 per month might appear on your bill at $35 per month. Network equipment, software subscriptions, security tools – all of these commonly have substantial markups in managed IT support services.
We’re not saying this to criticize other providers. Running an IT service business has real costs: experienced technicians command high salaries in Southern California, insurance is expensive, ongoing training is necessary, and the tools we use to monitor and protect your systems aren’t cheap.
We believe in transparency about fair-priced managed IT services. You should understand what you’re paying for and why.
What “Managed Services” Actually Means
This is where the confusion really happens with IT support. “Managed IT services” can mean drastically different things depending on who’s providing them.
Some companies use “managed services” to mean “we’ll fix things when they break.” That’s not managed services. That’s break-fix support with a monthly retainer.
True managed IT services for professional services means:
Proactive monitoring. We’re watching your systems 24/7 and addressing issues before they affect your team. According to Cyber adAPT and the Aberdeen Group, proactive monitoring can reduce downtime by up to 70% compared to reactive support models.
Strategic planning. We’re not just keeping the lights on. We’re helping you plan technology investments that align with your business growth and IT roadmap development.
Security as a foundation. Security isn’t an add-on for small business IT consulting. It’s built into everything we do, from how we configure new workstations to how we manage your network access.
Vendor management. We handle relationships with software companies, internet providers, and hardware vendors. You shouldn’t need to call five different companies when something goes wrong.
The Hidden Costs of Cheap IT Support
We regularly talk with professional services firms that are paying $75-$100 per user per month for “managed services.” Here’s what usually happens with cheap IT support:
They’re getting reactive support, not proactive management. When something breaks, someone fixes it. But nobody’s watching for warning signs. Nobody’s planning for technology growth. Nobody’s ensuring compliance with industry standards.
Then something major goes wrong. A server fails. A ransomware attack hits. A compliance audit reveals security gaps. Suddenly, they’re facing emergency bills that dwarf whatever they saved on monthly IT support costs.
The Rule of Thumb for IT Support Costs
If you want a very general rule of thumb for managed IT services, expect to spend about $200 per user per month for quality services in Southern California. That should cover comprehensive support, reasonable response times, proactive monitoring, and basic security measures.
If you need additional compliance support, advanced security measures, or 24/7 availability, expect that number to increase by $50-$75 per user for professional services technology.
If someone quotes you significantly less, ask detailed questions about what’s included in managed IT support services. You might be getting a great deal, or you might be getting break-fix support disguised as managed services.
Quick and Easy
Managed IT services in Southern California cost $150-$250 per user per month, with $200 being typical for professional services firms, but many companies charging $75-$100 are providing reactive support rather than true managed services. According to CompTIA, the nationwide average is $182 per user, and cheap IT often leads to catastrophic emergency costs that exceed any monthly savings.
I need to tell you something that might make you uncomfortable: your employees aren’t stupid for clicking that phishing email. They’re human.
I’ve been doing this for 35 years, and I’ve watched the conversation around cybersecurity training evolve from “teach people to be more careful” to something far more honest. The problem isn’t your people. The problem is that the internet changed, and most business leaders don’t realize how much.
The Internet Used to Be Smaller
When I started in technology, the bad actors on the internet were relatively unsophisticated. You could spot a phishing email because it had terrible grammar, pixelated logos, and came from an email address like “[email protected].” Your team could learn to recognize red flags because they were obvious.
That world doesn’t exist anymore.
It’s Not Personal Anymore. It’s Like Radiation.
Cybersecurity threats used to be like someone specifically targeting you. Now, they’re more like radiation or pollution. You’re swimming in it constantly, and it’s affecting everyone simultaneously.
According to the FBI’s Internet Crime Report, Americans lost over $12.5 billion to cybercrime in 2023, a 22% increase from the previous year. What that number doesn’t capture: the sophistication of phishing attacks has increased even faster than the financial losses.
AI-powered phishing attacks now analyze your writing style from your social media posts. They know which vendors you work with because that information is publicly available. They can create emails that look exactly like internal communications because they’ve studied how your company writes.
Your employees are facing cybersecurity threats that would have fooled security professionals five years ago.
What Does This Mean for You?
If you’re a managing partner at a law firm or an accounting practice, you need to stop thinking about security awareness training as “teaching people not to click bad links.” That approach assumes the problem is user error. The actual problem is environmental.
Think about it this way: if someone gets sick from polluted water, you don’t just tell them to “be more careful about what they drink.” You acknowledge that the water supply has a problem, and you implement systems to address it.
The same logic applies to cybersecurity for professional services firms.
The Real Solution Isn’t Just Training
Don’t get me wrong. Employee cybersecurity training matters. Your team should know what modern phishing looks like. They should understand that requests for urgent wire transfers need verification. They should recognize that real IT support never asks for passwords via email.
But training alone won’t solve this, because phishing prevention challenges evolve faster than training programs can keep up.
According to Verizon’s Data Breach Investigations Report, 60% of breaches involved the human element, but that statistic is misleading. It makes it sound like humans are the weak link. The reality is that humans are the target because attackers know that sophisticated social engineering is more effective than trying to hack into security systems.
What Actually Works for Small Business Ransomware Protection
After three decades of watching this problem evolve, this is what I tell professional services firms:
Layer your defenses with multi-factor authentication. MFA isn’t fun. It’s annoying. Your team will complain about endpoint security solutions. Implement it anyway. Multi-factor authentication stops most attacks, even if someone clicks a phishing link, because the attacker still can’t get into your systems without that second factor.
Make reporting easy. The worst thing you can do is create an environment where people are afraid to admit they clicked something suspicious. I’ve seen security incidents that could have been contained in minutes turn into disasters because someone was too embarrassed to report what happened.
Accept that failures will happen. Technology fails. People make mistakes. If you expect perfection, you’re setting yourself up for catastrophe. Plan for the reality that someone will eventually click something they shouldn’t.
Use email filtering that actually works. Most professional services firms are using whatever spam filter came with their email service. That’s not enough anymore. Invest in advanced threat protection that can catch sophisticated phishing attempts before they reach your team’s inboxes.
The internet changed. Your security policy development needs to change with it. Not because your people aren’t smart enough, but because the phishing prevention challenges are designed by professionals whose full-time job is defeating security measures.
What does this mean for you? It means stop blaming your team and start building better endpoint security solutions. That’s how professional services firms actually stay secure in 2026.
Quick and Easy
AI-powered phishing attacks are too sophisticated for training alone to stop, so professional services firms need multi-factor authentication, advanced email filtering, and systems that assume someone will eventually click something suspicious. According to the FBI, cybercrime losses exceeded $12.5 billion in 2023, and your employees face threats from social engineers whose full-time job is to target them.
Remember when you could spot a phishing email because it had terrible grammar or came from a weird email address?
Those days are over.
Research from Hoxhunt showed that by March 2025, AI-generated phishing attacks had become more effective than those created by elite human security experts. The AI didn’t just catch up, but surpassed the best humans at social engineering.
Let that sink in. The people whose entire job is creating realistic phishing simulations to test your employees? AI is better at it than they are.
The Scale of the AI Phishing Problem
According to the World Economic Forum, phishing and social engineering attacks increased 42% in 2024. That was before AI really hit its stride.
The attacks aren’t just better written anymore. They’re contextual and arrive at the exact right time. They reference real projects, real people in your organization, and real deadlines.
Google’s 2026 forecast warns that attackers are using AI to create emails that are essentially indistinguishable from legitimate communication.
This is what that looks like in practice:
You receive an email from your CFO requesting an urgent invoice payment. It uses her exact writing style. It references the specific vendor you’ve been working with. It arrives right when you’d expect such a request. The email address looks right. The signature looks right. Everything looks right.
Except it’s not from your CFO. It’s from an AI that studied 50 of her previous emails and generated a perfect forgery.
Voice Cloning: The New Frontier
Email isn’t even the scariest part anymore.
A tech journalist recently demonstrated that she could clone her own voice using cheap AI tools and fool her bank’s phone system – both the automated system and a live agent – in a five-minute call.
Think about what that means for your business. Your CFO gets a call that sounds exactly like your CEO: voice, cadence, the way they clear their throat, everything. It’s asking for an urgent wire transfer for a time-sensitive deal.
How do you defend against that?
Why Traditional Phishing Training Fails Against AI
Your annual security training tells employees to look for:
- Spelling and grammar errors (AI doesn’t make these mistakes)
- Generic greetings (AI personalizes everything)
- Suspicious sender addresses (AI uses compromised legitimate accounts)
- Urgent requests (legitimate urgent requests also sound urgent)
- Links that don’t match the display text (AI uses legitimate-looking domains)
Every single indicator you’ve trained people to watch for? AI bypasses them.
What Actually Works Against AI Generated Phishing
The old training about “look for spelling errors” is dead. Your employees need to understand that verification matters more than urgency.
Use this to protect you and your team:
Slow down when things feel urgent. Urgency is the weapon. If someone’s asking for sensitive information or money transfers, that urgency should trigger caution, not immediate compliance.
Verify through a different channel. Email says it’s from your CEO? Call them on a known number. Text message from your bank? Call the number on your card, not the one in the message. Voice call asking for a transfer? Hang up and call back.
Trust your judgment about whether requests make sense. Does your CEO normally ask for wire transfers via text? Does your IT department usually request password resets through email? If the method doesn’t match the request, verify.
Create a culture where questioning is safe. Your employees need to know they won’t get fired for double-checking whether the CEO really sent that request. These attacks exploit hierarchy and time pressure.
The Reality for Professional Services Firms
The accounting firms, law offices, and property management companies we work with are particularly vulnerable to these attacks because:
- They handle sensitive financial information
- They regularly process wire transfers
- They work with clients who expect fast responses
- They have hierarchical structures that discourage questioning authority
One immigration law firm we work with almost lost $180,000 to an AI-generated email that perfectly mimicked its managing partner’s communication style, requesting an urgent retainer transfer. The only thing that saved them was an associate who thought the request was weird enough to verify in person.
That associate didn’t stop the attack because they spotted technical indicators. They stopped it because something felt off, and they were empowered to question it.
What This Means for Your Business
You need to update your security training immediately. Not next quarter. Not when the budget allows. Now.
The training needs to focus on:
- Verification procedures that work regardless of how legitimate something appears
- Creating psychological safety for employees to question urgent requests
- Understanding that AI can fake anything visual or auditory
- Practicing what to do when something seems both urgent and suspicious
You need to practice these procedures regularly. Not once a year during security awareness month. Monthly at minimum.
Because the attacks are getting better every single day. Criminals using them no longer need your employees to click a suspicious link. They need your employees to trust their eyes and ears when they shouldn’t.
The Quick and Easy: AI-generated phishing attacks now outperform human security experts, with attacks increasing 42% in 2024. AI generates emails and phone calls that are indistinguishable from legitimate communication, bypassing traditional phishing indicators such as spelling errors, generic greetings, and suspicious links. Voice cloning technology can fool both automated systems and live humans. Traditional training focusing on spotting errors no longer works. Instead, businesses need verification procedures that work regardless of appearance, cultures where questioning authority is safe, and regular practice with realistic scenarios. Professional services firms are particularly vulnerable due to their hierarchical structures and regular financial transactions. The key defense is slowing down when things feel urgent and verifying through different channels.
The uncomfortable truth is your employees are using AI tools you don’t know about. Right now. Today.
IBM’s latest research found that 20% of organizations already suffered a breach due to what they’re calling “shadow AI” – employees using unauthorized AI tools without IT’s knowledge. The kicker is that those breaches added an average of $200,000 to remediation costs.
Think about that for a second. The issue is not the technology failing or hackers breaking through your firewall. The cause is your own people, trying to do their jobs faster, pasting proprietary information into ChatGPT, Gemini, or whatever AI tool made their work easier that day.
Why Shadow AI Happens (And Why You Can’t Stop It)
Varonis found that 98% of employees use unsanctioned apps. That’s not a typo. Ninety-eight percent. If you think your company is the exception, you’re wrong.
Why does this happen? Because your employees are struggling. They’re being asked to do more with less, and they’re exhausted. Then they discover this magical tool that can summarize a 50-page document in 30 seconds or write that email they’ve been dreading. Of course, they’re going to use it.
The problem isn’t that they’re lazy or malicious. The problem is that they have no idea what happens to the data they feed into these systems. Some AI services train their models on your inputs. Some store everything you type. Some have security controls. Most don’t.
Why Banning AI Tools Doesn’t Work
Banning these tools outright works. Right? Gartner predicts that by 2027, 75% of employees will acquire or create technology outside IT’s visibility. Bans just push people to hide what they’re doing better.
This happens constantly with the accounting firms and law offices we work with. A partner bans ChatGPT, but an associate uses it on their phone anyway. Now, instead of managing the risk, you’ve just lost visibility into it entirely.
The Real Cost of Shadow AI
The financial impact goes beyond the $200,000 average breach cost. Consider what happens when:
- Your proprietary client data gets fed into a public AI model
- Your trade secrets become part of an AI training dataset
- Your confidential legal strategy gets stored on servers you don’t control
- Your financial projections end up accessible to your competitors
These aren’t theoretical risks. These are things happening right now to businesses that thought their employees would never do something that careless.
What You Actually Need to Do About Shadow AI
You need an actual policy about AI use. Not a ban. A policy.
This is what works:
Identify which AI tools are safe for your business. Not every AI tool is a security nightmare. Some have proper data handling. Some don’t train on your inputs. Figure out which ones meet your requirements.
Make approved tools easy to access. If your employees need AI to do their jobs effectively, give them a way to use it safely. The property management firms we work with that have implemented approved AI tools see almost zero shadow AI usage.
Train people on what they can and cannot share. Most people don’t realize that pasting client information into ChatGPT might expose it. They’re not trying to cause a breach. They’re trying to work faster. Teach them the difference between safe and unsafe usage.
Create a culture where people can ask questions. Your employees should feel comfortable asking, “Is this AI tool safe to use?” instead of just using it and hoping for the best.
The Bottom Line on Shadow AI
This isn’t going away. The only question is whether you’re managing it or pretending it doesn’t exist.
The firms sleeping well at night aren’t the ones who banned AI. They’re the ones who acknowledged it exists and created safe pathways for using it.
Because your employees are already using these tools, you just don’t know about it yet.
The Quick and Easy: Shadow AI, unauthorized AI tool usage by employees, has already caused breaches in 20% of organizations, costing an average of $200,000 each. With 98% of employees using unsanctioned apps and 75% projected to acquire technology outside IT visibility by 2027, banning AI tools doesn’t work. Instead, businesses need clear AI usage policies, approved tools that are easy to access, employee training on safe data sharing, and a culture that allows people to ask questions before using new tools. Technology isn’t the risk, but using it without oversight or understanding the consequences.
You would think that with all the money pouring into technology these days, we would figure out a way to stem the flood of hacking attempts, but it seems the tech bros are more focused on figuring out how replace humans with AI than keeping humans safe. And sadly, email compromises, and even more importantly, business email compromises are big business for cybercrime, so they are pouring just as much money, humans and AI into stealing their way into your email.
What this means for you
First off, you may be wondering how it is, with all the existing tools and money aimed at security, we can’t do a better job filtering out all the myriad of ways hackers keep inventing to steal our passwords, and why multi-factor doesn’t seem to make any difference in stopping them. Lately a popular method of getting access to your 2FA-protected accounts is by cloning the cookie that is created when you authenticate with your multifactor, and this is accomplished by sending you links from actual legitimate websites, like Docusign for example, where the authentication process is expected. Most people, even hardened internet warriors, aren’t trained to spot when an authentication request is “out of context” – in this case, using your Microsoft credentials to log into the Docusign website, and may also be thinking, “Even if this isn’t legit, I have 2FA so the password being stolen doesn’t matter.” Normally they would be right, but the hacker is actually counting on that 2FA prompt to print them out a fake ID that gets them past the bouncer who is only trained to check ID’s and not whether the holder presenting them is legitimate. That’s an oversimplification of what happens, but the point is that the process they use to fake you out is actually a legitimate service (and hence ignored or passed through by usual malware checks) and even the documents you might actually be granted access to are harmless, because it was all a distraction to mask the real crime of bypassing your multifactor and gaining access to your email account undetected. And from there, the mayhem begins.
How do you combat this? Aside from being ultravigilent and deeply cautious to the point of paranoia, this particular type of attack is difficult to defend against, especially for personal email accounts. As a company, there are services that can be implemented that can detect certain types of unauthorized access once they have already occurred, but as many of you probably realize, the horse is already out of the barn, and this is damage control, not prevention. This type of unauthorized access detection is only one layer of a multilayered approach to security that all companies should have to keep their employees and themselves safe.
In 2016, the Oxford Dictionary named “post-truth” as its “Word of the Year.” At the time, AI generated content was crude and easy to spot, and when it was presented as “real” no one took it seriously. There were plenty of other things to worry about: Brexit, the Panama Papers, the deaths of David Bowie, Prince, Muhammad Ali and John Glenn, numerous European terrorist attacks, Creepy Clown sightings, and the election of a US president who was (and still is) enamored with social media, a platform many of us had already noticed was having a significant detrimental effect on society in general. Fast forward nine years where I just saw a very convincing video on the internet from Jake Paul announcing that he was gay and releasing a makeup line. Except that video wasn’t real, but thousands, possibly millions thought it was.*1
What can we do?
I am asked constantly by my family, friends and clients how we are supposed to trust what we see and hear on the internet. Given just how far we have “advanced” in generating fake content that is essentially indistinguishable from reality, they are understandably concerned if not outright scared. We are far past the point of mainstream media priortizing objectivity and truth over profits. It’s clear we have plenty of politicians and leaders for whom truth is an inconvenience rather than an ideal, and the world’s richest men who are in charge of our technology seem hellbent on squeezing every last cent out of us, at the cost of our security, privacy and integrity. Unfortunately, none of us (as far as I know), is someone with enough clout and money to move this particular needle in any significant way, but we can all do something: You can continue to value truth and scientific knowledge and hold others to that same ideal. There so many ways to pursue this in your daily life that are beyond my capabilities to share with you, but there is definitely one thing I can call out in this blog: if you are going to consume content from social media (let’s face it, it’s not going anywhere anytime soon) don’t be lazy about it. Don’t just assume because someone you know on the internet posted something, that it is automatically true or to be taken at face value. We are already past the point of being able to say, “Seeing is believing,” without having to second guess ourselves, and we already know there are plenty of “people” on social media who are there purely to exploit anyone they can. We are tired. We are overworked and under overwhelming stress, and the internet is so conveniently apt at showing us exactly what we think we want to see. If you are going to value truth, you must be mindful that your social media feed is carefully tailored to show both want you want to see as well as what they want you to see, and their objective, in the end, is always profit and power frequently at the expense of truth. Knowing this is indeed half the battle, and the other half will be you, holding others accountable to truth as you hold yourself.
As a start for my own quest to seek truth on the Internet, I have found a service called Ground News (https://ground.news) that brings you the news as well as the reported bias of the news sources. I have found it useful in determining if the article I am reading might have some bias, and from that, determining if what I have read be helpful in finding out what actually is happening.
Another site that does something similar is AllSides (https://www.allsides.com/unbiased-balanced-news), another news aggregator run by a public benefit corporation, a concept that I wish were applied to many more corporations, especially the ones that seem to have a stranglehold on our daily existence.
Image by Pablo Jimeno from Pixabay
- I don’t want to give the “creator” any more internet clicks than they are already getting. If you want to see it, you know how to find it. ↩︎
I’ve written about this topic before, but it’s nice when major publications back your viewpoint. One of my favorite authors has a new book forthcoming, and as a sign of the times the title – which may have been scandalous in a previous, perhaps more innocent age – gets straight to the point: “Enshittification: Why Everything Suddenly Got Worse and What To Do About It“. And because everything these days is meta and Mr. Doctorow’s book isn’t even out, I read an advanced review of the book that contained praise as well as some criticisms which I think are valid and troubling to consider when asking the most important question.
What can we do about it?
In case you didn’t read my previous blog about this or don’t remember it (because we all have enough to worry about already, so I get it), “enshittification” is the concept that all good online services and websites will eventually be ruined by our society’s relentless pursuit of profit. The advanced review as it appears on the Current Affairs website does a pretty good job of explaining this topic, and if you don’t intend to purchase the book, I think the article provides enough of an overview for you to spot this trend in the world around you, which may or may not improve how you may feel about it. I’m going to read the book for myself before I render my own praise or criticism, but I have similar concerns to the reviewer’s when it comes to answering the question that you have all asked, “What can we do about it?” It sounds like Mr. Doctorow is calling for grassroots efforts and government intervention to counteract future enshittifications (the author seems to think it’s already too late for the likes of Amazon, Facebook, Netflix, etc. and I agree), but from where I’m sitting it seems like getting help from the government isn’t on the menu at the moment, and our grassroots are divided as we fight to maintain healthcare, livelihoods and just basic human decency. So what is my recommendation to you if your technology feels “shitty?”
Take matters into your own hands. If you have the option to use something else, do so and make sure you tell the losing platform why you moved (even if they will probably never read your feedback). If changing the technology isn’t an option, perhaps take a moment to clearly identify the crappy part for the purposes of determining if it’s something you have control or agency over (maybe a new setting or change in interface), or if it’s out of your hands, such as the price going up. If it’s out of your control, focus your energy on working around or through it, or changing something else so that you can eliminate it altogether. Using technology is unavoidable for most of us, but there is no reason to feel like you are a hostage to it, and the best way to manage this is to change the things that you can control, and asking for help or sympathy (or both!) on the things you can’t.
I’ve been working in tech long enough to remember when “automation” meant macros in Excel and AI was still the stuff of sci-fi. Today, artificial intelligence is everywhere—from customer service chatbots to advanced data analytics, predictive modeling, and content creation. It’s no longer a niche tool; it’s a foundational layer in how businesses operate. And while this explosion of AI capability is exciting, it’s also incredibly risky—especially for those who treat it like a shortcut instead of a tool.
Let me be clear: AI is not magic. It’s not intelligent in the human sense. It’s powerful, but it’s only as good as the data it learns from and the intent behind its use. I’ve watched companies implement AI without understanding how it works, leading to biased outcomes, false insights, or compliance violations. They feed it flawed data, make strategic decisions based on unverified outputs, or worse, let it replace human judgment entirely.
The danger lies not in the technology, but in the overconfidence that often accompanies it.
AI should augment decision-making, not replace it. When misused, it can erode trust, amplify existing inequalities, and expose companies to significant legal and reputational risk. If you’re using generative AI to write content, ask yourself—how do you verify it’s accurate? If you’re using AI to screen job candidates, are you confident it’s not introducing bias?
As a consultant, I encourage clients to treat AI the same way they would a junior employee: train it, supervise it, and never let it act without oversight.
The future of AI is promising, but only if we use it responsibly. Those who blindly chase efficiency without understanding the tool may find themselves solving one problem and creating five more. So take the time to understand what AI is—and more importantly, what it isn’t.
Want help making AI work for your business—safely and strategically? Reach out for a consultation.
Author’s Note: This blog post was written by ChatGPT using the following prompt, “Write a short blog from the perspective of an experienced technology consultant about the rising use of AI and the dangers it poses for those that use the tool incorrectly.” I did not touch-up or edit the text provided by that prompt in any way, shape or form other than to copy and paste it into this website. Anyone who’s followed my blog for awhile or knows me personally might have smelled something fishy, or maybe not. In reading the above, I can definitely say that I have written plenty of articles just as bland. Interestingly, ChatGPT included the last, italicised bit – it’s clearly been trained on plenty of marketing blogs like this one. I know that many of you actually read my blogs for my personal take on technology. If I were to feed my own AI engine the past 10 years of my articles so that it could perhaps get a sense for my writing style and personality, do you think it could produce more blogs that would be indistinguishable from what I wrote with my own two hands and one brain?
Image courtesy of TAW4 at FreeDigitalPhotos.net