Summer is the one time of year when professional services firms run at a reduced pace, and their security posture quietly relaxes along with it.
That’s not a coincidence, but a pattern. Fewer people in the office means fewer eyes on unusual activity. Staff traveling on personal devices means firm data moving through networks you don’t control. Out-of-office auto-replies mean bad actors know exactly who isn’t watching their inbox. The pressure against your small business network security never takes a break, even when your team does.
The good news is that a few hours of preparation before the summer travel season starts can close the most common gaps. This checklist is built for accounting practices, law offices, and property management firms with distributed summer schedules.
Before Anyone Leaves
Review and update your access controls
This is the step most firms skip because it feels administrative. Do it anyway.
Pull a list of who has access to what. Look specifically for former employees or contractors whose credentials were never deactivated, staff who changed roles but kept legacy access they no longer need, and shared passwords that have never been rotated. Summer is a natural forcing function for this review because you’re already thinking about who will be out and who needs coverage.
Shared credentials for practice management software, document storage, and billing systems are a particular risk during vacation season. When one person is covering for three others, the temptation to use a shared login grows. That’s exactly when you want individual access properly configured, not less.
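One way to make that review mechanical, as an added example rather than anything from the original post or from C2 Technology Partners: cross-check an access inventory against the HR roster and flag the three gaps named above (departed people still active, access left over from a previous role, shared logins never rotated). The roster, the inventory, the review date and the 90-day rotation threshold are all constructed assumptions, and the same script serves the repeat review when people return.

```python
"""Access review: flag departed users, legacy role access and stale shared logins.

Added example, not the post's or C2 Technology Partners' tooling. The roster
and inventory are constructed sample data; in practice you would export them
from your HR system and from each application's admin console.
"""
from datetime import date

# Assumed review date so the run is reproducible (real use: date.today()).
REVIEW_DATE = date(2025, 6, 1)

# Constructed HR roster: employment status and current role per person.
ROSTER = {
    "jane": {"status": "active", "role": "attorney"},
    "raj": {"status": "active", "role": "paralegal"},  # moved here from billing
    "omar": {"status": "terminated", "role": "contractor"},
    "sara": {"status": "active", "role": "billing"},
}

# Constructed access inventory: one row per account per system. Shared
# logins carry a last_rotated date instead of an owner and a role.
ACCESS = [
    {"account": "jane", "system": "document_storage", "role": "attorney"},
    {"account": "raj", "system": "billing", "role": "billing"},
    {"account": "raj", "system": "practice_mgmt", "role": "paralegal"},
    {"account": "omar", "system": "practice_mgmt", "role": "contractor"},
    {"account": "sara", "system": "billing", "role": "billing"},
    {"account": "shared-billing", "system": "billing",
     "shared": True, "last_rotated": date(2024, 1, 5)},
    {"account": "shared-scanner", "system": "document_storage",
     "shared": True, "last_rotated": date(2025, 5, 1)},
]


def review_access(roster, access, today, max_rotation_days=90):
    """Return (finding, account, system, detail) tuples for every gap found.

    max_rotation_days is an assumed policy value, not a figure from the post.
    """
    findings = []
    for entry in access:
        account, system = entry["account"], entry["system"]
        if entry.get("shared"):
            # Shared password: the only question is how long since it was rotated.
            age = (today - entry["last_rotated"]).days
            if age > max_rotation_days:
                findings.append(("shared_not_rotated", account, system,
                                 f"last rotated {age} days ago"))
            continue
        person = roster.get(account)
        if person is None:
            # Nobody in HR owns this login: treat it like a departed user.
            findings.append(("no_matching_employee", account, system,
                             "account has no owner in the HR roster"))
            continue
        if person["status"] != "active":
            findings.append(("departed_still_active", account, system,
                             f"HR status is {person['status']}"))
            continue
        if entry["role"] != person["role"]:
            # Access still reflects the role the person used to have.
            findings.append(("legacy_role_access", account, system,
                             f"granted as {entry['role']}, now {person['role']}"))
    return findings


def summarize(findings):
    """Count findings per category so whoever covers the review sees the shape quickly."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ROSTER, ACCESS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(" | ".join(finding))
    print(summarize(run_review()))
```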
Confirm MFA is active on every external-facing system
If your staff can access email, client files, or any line-of-business software from outside the office, multi-factor authentication must be enabled. Every account, not just the partners or admins.
Vacation travel is when credentials are most likely to be compromised. Hotel networks, airport Wi-Fi, and coffee shops are not secure environments. MFA doesn’t make a compromised password harmless, but it makes it substantially harder to exploit. Check your configuration now rather than after someone calls from a beach in Mexico, wondering why they can’t log in.
Brief your team before they go
Security policy development doesn’t work on paper alone. It works when people understand what to do in a specific situation.
Before staff travel, cover two things. First, remind them not to connect firm devices to public Wi-Fi without a VPN, and make sure the VPN is installed and tested before they leave the office. Second, tell them what to do if something feels wrong: who to call, how to reach remote IT support, and that it’s always better to report something that turns out to be nothing than to stay quiet about something real.
A three-minute conversation before someone leaves for two weeks is worth considerably more than an incident response call from a hotel lobby.
While Your Team Is Out
Set a clear policy on out-of-office responses
Auto-replies are useful, but they’re also a free announcement to anyone probing your firm. A message that says “I’m out until July 14; for urgent matters, contact Jane at [email protected]” hands an attacker a name, an alternate target, and a window of time during which the original contact won’t notice something unusual in their account.
Keep out-of-office messages simple. Confirm the person is unavailable and provide a general contact for urgent matters. Avoid specific return dates, alternate contact names and direct emails, or any details about the firm’s operational structure.
Assign coverage for security alerts
Your monitoring tools and security software generate alerts whether or not the right person is watching. Before the summer schedule kicks in, identify who is reviewing alerts for each person who will be out for more than a few days. Remote IT support can handle ongoing monitoring, but your internal point of contact needs to be clearly defined and reachable.
This is particularly important for firms managing client data under confidentiality or compliance requirements. An unmonitored alert from a data access anomaly that sits for two weeks while the responsible partner is in Hawaii is not an acceptable gap.
When People Return
Do a brief device check before reconnecting
Any device that left the office, spent time on home or travel networks, and is now returning to your environment is worth a quick review. This doesn’t have to be complex. Confirm the device has the latest security updates, run a scan with your endpoint protection software, and verify that the VPN connection is functioning properly.
This is especially true for staff who traveled internationally, used airport charging kiosks, or connected to hotel networks. The risk is low for any individual trip. It compounds quickly across a 50-person firm returning from summer vacations.
Revisit your access list one more time
The same review you did before the summer is worth repeating after the summer. Summer often brings personnel changes: interns who have finished, contractors who have completed a project, and staff who have given notice and left during the summer. Each of those is a credential that should be deactivated promptly.
None of these items requires a large time investment. The full list takes an afternoon to work through before summer begins and an hour to verify when it ends. What they do require is actually doing them before something happens, rather than after.
If you want help running through this checklist for your firm, C2 Technology Partners works with professional services firms across Southern California on exactly this kind of proactive security review. Reach out before your team’s out-of-office messages go up.
I have had this conversation more times than I can count. Someone buys a laptop at Costco for $300, hands it to a paralegal or a bookkeeper, and calls it a day. Six months later, they’re on the phone with me, wondering why everything is slow and what we’re going to do about it.
What I tell them is that the $300 laptop and the $1,300 laptop look almost identical in the store: same screen, same keyboard, same ports. On the surface, they act the same, too, for about the first three months. After that, the differences become very clear, and they’re the kind of differences that cost you real money.
What You’re Paying For
Consumer-grade laptops sold at big box retailers are built to a price point. That’s not an opinion, it’s a manufacturing reality.
The components inside a budget machine are sourced for cost, not durability. The processor handles basic tasks but struggles under the load of business software. The storage drives are slower and wear out faster. The build quality is lighter because lighter means cheaper materials, and cheaper materials mean shorter lifespans. Memory is often the minimum required for the thing to boot.
Business-class laptops are built differently. The processors are selected for sustained workloads. The storage is faster and rated for higher read-write cycles. The chassis is more durable because the people buying them need them to last four or five years, not one or two. Quality assurance testing is more rigorous because the buyer notices when a machine fails.
None of that is marketing. It’s component selection.
The Real Math on Cheap Technology
A $300 laptop that lasts two years before becoming a productivity problem costs your firm significantly more than the purchase price.
Consider what happens when that machine starts underperforming. Staff spend time waiting on slow load times. IT support time goes up. If the device fails outright, you’re dealing with downtime, potential data recovery costs, and the disruption of getting a replacement deployed quickly. Factor in lost billable hours for the person who can’t work normally during any of that.
Research cited by Atlassian puts the average cost of IT downtime at $5,600 per minute, and a failing laptop is a reliable, recurring source of exactly that kind of unplanned outage.
A $1,300 machine that stays reliable for four to five years, with minimal support overhead, almost always wins on total cost. The math isn’t complicated once you stop looking at the purchase price in isolation.
The Quality Decline Problem Nobody Talks About
This topic is personal for me. I was a Dell advocate for years: reliable machines, consistent business-line products, and good support. I can’t say that anymore. I won’t recommend most of their consumer products today, and I’m not alone in that assessment.
The decline in the quality of technology hardware has been real and measurable over the past decade. What most people don’t know is why.
Before the pandemic, a series of disasters hit semiconductor and component manufacturers across Asia, particularly in Taiwan, Japan, and Malaysia. Floods, fires, and factory shutdowns degraded supply chains that had taken decades to build. That infrastructure has not fully recovered.
Then the pandemic hit, which compounded everything. Component shortages forced manufacturers to substitute materials and suppliers at every level of the supply chain. Some of those substitutions became permanent because the economics worked in the short term.
Layered on top of that is a straightforward business reality: public companies face relentless pressure to extract margin from their products. The easiest place to find margin without raising prices is to reduce the quality of what’s inside the box. Consumers rarely crack open their laptops to inspect the components. That created an opening, and many manufacturers took it.
The result is that you cannot shop by brand name the way you could ten years ago. A brand that produced excellent business hardware in 2015 may be producing mediocre hardware today from the same product line.
What This Means for Device Lifecycle Management
Workstation setup and deployment for professional services firms need to account for all of this.
A replacement cycle of four to five years is standard guidance for business-class hardware, but only if you’re buying business-class hardware to begin with. Consumer devices often can’t make it that far without significant performance degradation, which means you’re replacing them more frequently and paying IT support costs along the way.
The firms I work with that invest in quality hardware upfront have more predictable technology budgets and fewer emergency support calls. The ones that buy cheap get a short-term win on the purchase order and a long-term headache on everything else.
Spend $1,300 on a machine that your attorney or accountant uses reliably for five years, and you’ve spent $260 per year on that device. Buy a $300 machine that needs replacing in two years, and the per-year cost is $150 before you count a single hour of downtime or support.
The numbers get closer than people expect.
A Practical Buying Framework
When I’m advising firms on device procurement, I look at a few specific factors.
What software are these users running? Tax and legal software is resource-intensive. A machine sized for web browsing and email will struggle with it. Match the device to the actual workload, not to the lowest acceptable price.
Who is the user? A partner at a law firm or a CPA signing off on returns needs a reliable machine without fail. An intern doing administrative work might be fine with something less expensive. Not every seat requires the same investment.
What’s the warranty and support structure? Business-class machines from reputable manufacturers typically come with on-site service warranties. Consumer devices don’t. For a 50-person professional services firm, that distinction matters when something breaks.
Finally, what does replacement cost your firm? Include IT labor for setup and deployment, any data migration, and the disruption to the person whose machine just died.
Once you factor all of that in, the $300 laptop rarely looks like the savings it appeared to be at checkout.
Technology planning for business growth means treating your devices as assets rather than expenses. A device lifecycle management strategy, built around quality hardware and realistic replacement cycles, will cost your firm less over time and save you more headaches than I can count.
If you’re not sure whether your current hardware is serving your team well or quietly costing you, reach out. We do this assessment regularly for professional services firms across Southern California, and the conversation doesn’t cost you anything.
Remote work is no longer a temporary arrangement that your firm is managing. It’s how your people work now, and the security gaps it created are still wide open.
Most professional services firms handled the transition to remote work the same way. They handed out laptops, set up VPN access, and called it done. That approach was fine in 2020 when everyone was scrambling. In 2025, it’s a liability.
The firms we work with across accounting, law, and property management all share similar setups. Attorneys reviewing client files from home networks, accountants accessing tax software from personal devices, and property managers processing payments from coffee shops. Every one of those scenarios introduces a risk that a basic VPN was never designed to cover.
Your Home Network Is Not Your Firm’s Network
Office networks are managed. Home networks are not. That difference is significant.
When your staff works from home, they’re connecting through consumer-grade routers that often run outdated firmware, have never had their default passwords changed, and share bandwidth with every smart TV, gaming console, and doorbell camera in the house. Your firm’s data is traveling through that environment.
The fix is not complicated. Requiring employees to connect through a business VPN is a start, but it’s not sufficient on its own. The stronger approach is zero-trust network access, which means every connection is verified before it reaches your systems, regardless of its origin. This is increasingly standard for firms handling sensitive client data, and it also matters for cyber insurance qualification.
If your current IT setup does not include a defined remote access policy, that gap should be addressed first.
Multi-Factor Authentication Is Not Optional
If your staff can log into client files, billing systems, or email with just a username and password, your firm is exposed. Full stop.
According to Microsoft, multi-factor authentication (MFA) blocks over 99.9% of automated account compromise attacks. It is the single highest-return security measure available to small and mid-sized firms, and it costs almost nothing to implement correctly.
The challenge we see most often is not firms refusing to implement MFA. It’s firms that enabled it inconsistently, or skipped certain applications because they were inconvenient. An accounting firm might have MFA on email but not on their practice management software. A law office might have it enabled for partners but not for support staff.
That inconsistency is where breaches happen.
MFA needs to be applied uniformly across every application that accesses client data. That includes email, document storage, billing, and any line-of-business software your staff uses remotely. Hybrid work infrastructure planning should treat authentication as a foundation, not an afterthought.
Devices Are the Weakest Link in a Distributed Workforce
When everyone worked from the office, your IT team could see every device on the network. They could push updates, enforce policies, and spot problems. Remote work changed that dynamic completely.
Take the device your paralegal is using at home right now: are you certain it has current security patches? Do you know whether it’s running endpoint protection? If it were lost or stolen, could your team wipe it remotely?
For professional services firms, the answers to those questions need to be yes. Client confidentiality requirements, insurance obligations, and, in many cases, bar association or state CPA board standards require it.
Device management for remote employees means a few specific things in practice. Every firm-issued device should have endpoint detection and response software installed. Automatic updates should be enforced, not left to the discretion of individual employees. And remote wipe capability should be configured before devices leave the office, not after something goes wrong.
Personal Devices Are a Different Problem
Many firms allow employees to use personal computers or phones to access work systems. This is common and often unavoidable, particularly in smaller offices. It is also genuinely difficult to manage from a security standpoint.
You cannot install corporate security software on a personal device without creating legal and privacy complications. What you can do is control what those devices can access and how they can access it.
Mobile device management policies can enforce minimum security standards before a personal device is granted access to firm systems. Requiring a PIN, enabling device encryption, and preventing downloads of client files to local storage can all be enforced through the right configuration, even on personal devices. Your remote IT support strategy should account for this distinction.
If your firm has not made a clear decision about personal device access, it is worth making one now. Either allow it with defined controls in place, or restrict it and provide firm-issued devices where needed.
The Security Conversation You Are Not Having With Your Staff
Most data breaches in professional services firms do not start with sophisticated attacks. They start with a staff member clicking a link in a phishing email while working from home, without the informal safeguards that exist in a physical workplace.
In an office, someone might turn to a colleague and ask, “Did you see this email from a client?” That quick check happens naturally. Remote employees make those judgment calls alone.
Security awareness training is not a one-time checkbox. It needs to be ongoing, specific to the threats targeting professional services firms, and directly tied to the tools your staff uses. Credential theft targeting law firms and accounting practices is a documented and growing problem. Your training program should reflect that.
What This Looks Like in Practice
Getting remote work security right for a professional services firm does not require a large IT budget. It requires a clear-eyed assessment of where your gaps are, and a plan to close them in order of priority.
Start with an honest inventory. Which applications can staff access remotely? Which devices are being used? Is MFA enabled everywhere it should be? Are remote access policies documented?
From there, the path forward is usually straightforward. The firms that struggle are the ones that have never asked the questions.
If you want to run through that inventory, C2 Technology Partners offers a no-pressure remote work security assessment for professional services firms in Southern California. It takes about an hour and gives you a clear picture of where you stand.
Your software vendor does not care whether your business survives an outage, a price increase, or a forced platform migration. They care about your renewal. Those are not the same thing, and the sooner you build your IT strategy around that fact, the better off you will be.
I want to be fair here. I am not saying software vendors are villains. They are businesses. They have investors, payroll, and pressure to grow revenue. However, their incentives are structurally misaligned with yours, and pretending otherwise costs businesses money every single year.
What Vendor Mercenary Behavior Actually Looks Like
It rarely announces itself. It shows up in the details.
Licensing that stores your data in proprietary formats you cannot easily export. Price increases that arrive with 30 days’ notice, which gives you no realistic time to evaluate alternatives, negotiate, or move. Support tiers that make what used to be a standard service request into a premium feature. “Integration partnerships” that are really artificial barriers to using competing tools. Security features that exist at enterprise pricing tiers but not the small business plan you are on, which means the capability exists but the vendor has decided your size does not merit access to it.
I see the Microsoft 365 markup issue all the time in this industry. You can look up Microsoft’s pricing directly. A lot of IT firms mark up those licenses anywhere from 200 to 1,000 percent without ever explaining what the markup covers or why. At C2, we tell clients exactly what we are marking up and why. That is not the industry norm. It should be.
None of the behaviors I described above are illegal. Most of them are rational from the vendor’s perspective. But they are not aligned with your interests, and knowing that going in is different from figuring it out when you are locked in.
The Lock-in Nobody Notices Until They Try to Leave
The most expensive vendor relationship is not the one with the highest monthly bill. It is the one you cannot exit without a major disruption to your business.
Think about your practice management software, your document storage platform, your client portal. If you decided tomorrow that you wanted to move to a competing product, what would that actually look like? How long would it take? How much would it cost? What data might you lose or have to manually recreate?
For most professional services firms, the honest answer is “more than we want to think about.” That is not always a problem. Some vendor relationships are worth the dependency because the switching cost is genuinely higher than the cost of accepting the terms. However, you should arrive at that conclusion consciously, not by default.
The firms that get hurt are the ones that discover their exposure when the vendor raises prices by 40 percent and the realistic alternative is six months of migration work at the worst possible time.
What You Can Realistically Manage Yourself
I try to be honest with clients about the line between what they can handle and what they should bring to us.
Things most professional services firms can manage without IT help: exporting your own data periodically to verify you actually can, keeping a plain-language record of what tools you use and what they cost, reading renewal notices before approving them, and maintaining a vendor contact list somewhere outside the software itself. These sound obvious. Most businesses do not do them.
Things you should probably not try to manage without help: migrating data between platforms, evaluating the security implications of a new vendor contract, negotiating enterprise licensing terms, or building redundancy around a tool that is critical to daily operations.
Being clear about that line is more useful than pretending either that you can handle everything or that you need to outsource every decision.
Three Things You Can Do This Month
Export a copy of your data from your two most critical platforms. Just to see if you can. The experience of trying will tell you more than any vendor FAQ. If the export option does not exist or the output is unusable, that is information worth having now.
Read the terms of your next software renewal before you approve it. Look specifically for language about data portability, price adjustment clauses, and what happens to your data if you cancel. It will not be exciting reading. It will be useful.
Ask your IT partner: if we needed to move off this platform in 90 days, what would that actually look like? If your IT partner cannot answer that question clearly and specifically, that is also information worth having.
The Honest Part
Some vendor lock-in is unavoidable and some of it is worth accepting. The goal is not to be vendor-free. It is to make those choices with your eyes open rather than discovering your exposure when the leverage has already shifted entirely to the vendor’s side.
The firms I have watched get hit hardest by this are not the ones that made bad decisions. They are the ones that made no decision at all, and let default inertia build dependencies they were not aware of until something forced them to look.
Technology is a tool. Like any tool, it can be built improperly, it can be misused, and it can fail at the worst possible moment. Understanding who actually controls that tool, and what happens when their priorities stop aligning with yours, is part of running a business in 2026. It is just not a part anyone talks about much.
If you want to take stock of where your real dependencies are and what your options look like, we are happy to have that conversation.
Quick and Easy: Software vendors build their businesses around keeping you subscribed, not around making it easy to leave, and that is a rational business decision that just happens to conflict with yours. Understanding which tools your firm genuinely cannot exit quickly, and what that exposure actually costs, is one of the most underrated parts of technology planning for professional services firms. Start by trying to export your own data and reading the next renewal notice before you click approve.
I need to tell you about a conversation I had last year with a property management firm that thought they had off-site backup. Their office manager was taking home an external hard drive every Friday night and bringing it back Monday morning. When I asked them what would happen if there was a fire in the office on a Tuesday, they suddenly realized their “off-site” backup was sitting in a drawer ten feet from the server it was supposed to be protecting.
This is more common than you’d think. Lots of businesses believe they have off-site backup when what they actually have is backup that occasionally leaves the building but spends most of its time in the same disaster zone as their primary data.
What Off-Site Actually Means
Off-site backup means your data is stored in a location that is geographically separate from your primary location and would not be affected by any disaster that could reasonably hit your main office. The point is to protect you from localized disasters: fires, floods, theft, ransomware, power surges, angry former employees, and all the other ways that everything in one physical location can be destroyed or compromised simultaneously.
According to FEMA’s disaster statistics, 40% of businesses never reopen after a disaster, and another 25% fail within one year. Off-site backup is your insurance policy against being in those statistics.
Cloud backup is genuinely off-site. When your data is stored in a data center in another state, a fire in your office doesn’t touch it. A flood in your building doesn’t reach it. Ransomware that encrypts every computer on your network can’t encrypt data that’s not connected to your network at that moment.
The Problems with ‘Portable’ Off-Site Backup
The external hard drive that goes home with an employee seems like a reasonable approach, and it’s better than nothing, but it has some serious problems that most businesses don’t think about until it’s too late.
First, it’s only off-site part of the time. If your disaster recovery planning assumes you always have an off-site backup available, but that backup is actually in the building 70% of the time, your plan has a 70% chance of failing when you need it.
Second, portable drives get lost, damaged, or stolen. They get left in cars that get broken into. They get knocked off desks. They get erased accidentally. They get run over in parking lots. I’ve seen all of these happen. Kroll Ontrack’s data recovery statistics show that portable drives have a 25% higher failure rate than stationary drives, primarily due to physical damage from transport and handling.
Third, and this is the big one that nobody thinks about, portable drives that get plugged into your network regularly can be compromised by ransomware just like everything else on your network. If your backup drive is connected to an infected computer when the ransomware decides to encrypt everything it can reach, congratulations, your backup just got encrypted too.
The Ransomware Problem with Connected Backups
Modern ransomware is sophisticated. According to Sophos’s State of Ransomware 2024 report, 94% of ransomware attacks attempt to compromise backups. They specifically look for backup drives, backup software, and cloud backup credentials. The entire point is to make sure you can’t recover your data without paying the ransom.
This is why business continuity planning requires truly isolated off-site backup. If your backup can be accessed from your network, it can potentially be compromised from your network. Cloud backup services that use immutable storage or versioning can protect against this. A backup drive that never connects to your network can protect against this. A backup drive that plugs in every Friday is vulnerable.
What Actually Counts as Off-Site
Cloud backup with a reputable provider absolutely counts. Services like Backblaze, Carbonite, Datto, or Veeam’s cloud offerings store your data in professional data centers that are geographically distant from your location. They use redundant storage across multiple facilities, so even if one data center has a problem, your data still exists somewhere else.
Tape backups that are physically stored off-site count. Some firms still use tape drives and rotate tapes to a safe deposit box or storage facility. This is old school, but it works. The tapes are genuinely off-site, genuinely disconnected from any network, and genuinely protected from local disasters.
Replication to a second office location can count, if you actually have a second office location that’s far enough away to not be affected by the same disaster as your primary location. A second office across town works for fire or theft. A second office in the same building does not work for anything.
The Hybrid Approach That Actually Works
For most professional services firms I work with, the answer is a hybrid approach. You keep local backup for fast recovery from common problems like accidental deletions or hard drive failures. You keep true off-site backup in the cloud for disaster recovery. And you test both regularly to make sure they actually work.
The local backup gets you back up and running in hours when someone accidentally deletes an important folder. The off-site backup gets you back up and running in days when your office floods and destroys all your hardware. Different tools for different scenarios, both important.
This is what professional disaster recovery planning looks like. Not just having backup, but having the right kinds of backup in the right locations for the right purposes. It’s not exciting. It’s not sexy. But it’s what keeps your business alive when everything goes wrong.
Quick and Easy
True off-site backup must be geographically separated from your primary location and protected from the same disasters. Cloud backup meets this requirement while portable drives that regularly connect to your network don’t, as modern ransomware specifically targets connected backup devices during attacks.
A client forwarded me a message from her internet provider a few weeks back. It warned that certain router brands might have security issues and suggested she consider upgrading to a managed service. She wanted to know if she should be worried.
I looked at the message and told her two things. First, the warning is real and the underlying concern is legitimate. Second, the way this particular company wrote it was deliberately vague, designed to create just enough unease to push her toward paying for something she may or may not need. The two facts are not mutually exclusive, and that combination is worth unpacking.
What Started the Questions
On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, which effectively bans new models from being imported or sold in the United States. The ruling cited documented cyberattack campaigns, most notably the Salt, Flax, and Volt Typhoon operations, where foreign-produced routers in homes and small offices were used as entry points to attack critical US infrastructure.
The brands affected read like a shopping list at Best Buy: TP-Link, Netgear, Asus, Linksys, Eero, Google Nest WiFi. All of them. Because virtually every consumer router on the market is manufactured outside the United States, the ban essentially covers the entire category of new product introductions until manufacturers either establish US-based production or receive individual conditional approval from the Department of Homeland Security.
Netgear has already received an exemption. Eero received conditional approval through October 2027. TP-Link, which holds roughly 65 percent of the US home router market, is still working through the process.
What This Does Not Mean
Before anyone calls me to ask if they need to throw their router in the trash, let me be direct: if you already own one of these devices and it is running fine, you are not required to do anything immediately. The FCC ruling grandfathers existing equipment. You can keep using your current router legally and indefinitely.
The ban prevents new foreign-made models from receiving FCC authorization going forward. What it does not do is criminalize the router sitting on your credenza right now.
There is, however, one real deadline buried in this that most of the coverage has glossed over. Manufacturers on the covered list have until March 1, 2027 to issue firmware updates to existing devices. After that date, unless they have secured a conditional approval, they cannot push software patches to devices already in the field. That means a router that is fine today may gradually become a security liability as vulnerabilities emerge and fixes are no longer permitted.
Why This Matters for Your Business
The part most business owners are not thinking about is the one I find most relevant for the professional services firms I work with.
The router sitting in your office is probably not the one that concerns me most right now. Business-grade networking equipment used in professional environments is generally managed differently and held to a higher standard than what you find in a consumer retail package.
What I am thinking about is the router in your employee’s home office.
You have probably had people working remotely for years now. They are accessing your systems, your client files, and your email through whatever networking equipment they set up in their living room. A lot of it is exactly the kind of foreign-manufactured consumer hardware that is now at the center of this national security discussion. Much of it has not been updated, assessed, or evaluated by anyone with any technical accountability for your business’s security.
I tell clients all the time: your security perimeter is not the four walls of your office anymore. It extends into every home where someone logs into your network. If that connection is running through a device with documented vulnerabilities and no path to a security patch after March 2027, that is a gap worth addressing.
My Honest Take
I have been watching the concerns around foreign-manufactured networking equipment for a long time. The documented attacks and vulnerabilities are real. Whether the current political moment is driving the timing of this particular ruling is a separate conversation I will spare you.
What I will say is that this is a good time to have someone take an honest look at your network, including your remote workers’ home setups, and give you a realistic assessment of where you actually stand. Not a sales pitch dressed up as a security warning. Just a straight answer about what you have, what the risks are, and what, if anything, you should actually do about it.
That is the conversation I am always happy to have.
Quick and Easy
The FCC banned new foreign-manufactured consumer routers in March 2026, citing documented national security threats. Existing devices are legally protected for now, but a March 2027 deadline for firmware updates means routers from affected manufacturers could become security liabilities. For professional services firms, the immediate priority is evaluating remote employee home networks, not just office infrastructure.