Tax season is the best stress test your technology will ever get. And it is completely free. You did not ask for it, you cannot opt out, and every year between January and April your systems will tell you exactly where the cracks are. The question is whether you are paying attention.
I work with accounting firms as managed IT clients, and I have worked with several more over the years. The pattern is consistent enough that I could describe it before the season starts: the issues that barely registered in November become full-blown crises in March, usually at the worst possible moment, because that is what technology is reliably good at.
Why Tax Season Is the Real Measure of Your IT Support for Accounting Firms
The most common issues that surface during peak filing season are not new problems. They are old problems that finally got loud enough to demand attention.
Slow systems are the most common complaint, and the cause is almost never a mystery. Machines that are three or four years old, running software that has grown steadily more demanding, start struggling under the weight of high-volume processing. The firm has lived with the sluggishness for months because it was tolerable. In March, when everyone is working longer hours and deadlines are immovable, tolerating it is no longer an option.
Remote access failures are the second most common issue. Hybrid teams that work fine under normal conditions hit their limits when everyone is remote simultaneously and the VPN was never sized for that load. Or a staff member is working from home on a personal device with outdated software that creates compatibility problems with cloud-based tax platforms.
Cloud platform slowdowns round out the top three. Accounting firms run on software like Lacerte, CCH, UltraTax, or Drake. When those platforms slow down or have service interruptions during filing season, it is not just inconvenient. According to one analysis, a single hour of downtime at a ten-person firm with a $200 average billable rate can cost over $1,000 in lost productivity, and that does not count the backlog that builds, the client frustration, or the staff morale hit.
What Tax Season Actually Reveals About Professional Services Technology
Beyond the specific failures, tax season exposes something more fundamental: whether your firm has professional services technology built for how you actually work, or built for how you worked five years ago.
An accounting firm with no coherent IT support plan tends to normalize the warning signs until they stop feeling like warning signs. Work slows and nobody identifies why. Staff develop workarounds for software that does not behave reliably. Files end up saved in inconsistent locations because nobody established a protocol. None of these are catastrophic on their own, but under peak-season pressure, they compound.
The other thing tax season reveals is your security posture. Accounting firms are high-value targets because they hold a concentration of financial data that is genuinely valuable to criminals. Firms in regulated states like California face stricter data privacy requirements than many owners realize. A ransomware attack the week before the April deadline is not a hypothetical scenario for accounting firms. It happens.
Workflow Optimization Starts with Honest Post-Season Analysis
The instinct after surviving a rough tax season is to exhale, finish the remaining client work, and deal with technology problems later. I understand that instinct. Unfortunately, later tends to become next January, when you are headed into the same situation again.
A post-tax-season review does not have to be comprehensive or expensive. A few honest questions are a reasonable place to start.
What specifically slowed down or broke during the season? Write it down while it is fresh. “The system felt slow” is less useful than “CCH was taking four minutes to load on Maria’s machine starting around March 10.”
Were there any near-misses? Security alerts, unusual login attempts, or phishing emails that someone caught? Those matter too.
What workarounds did your team create? Workarounds are symptoms. They tell you where the official process broke down, which is exactly where your IT attention should go next.
If you have a managed IT partner, share that list with them. If you do not, and your tax season was rougher than it needed to be, that list is a good starting point for a conversation about what a proactive approach to IT support for accounting firms actually looks like.
The goal is not to over-engineer your environment. It is to make sure the systems your firm runs on are built for the way you actually work, not just adequate for a slow Tuesday in October.
Quick and Easy: Tax season reliably surfaces every technology problem your accounting firm has been tolerating, from aging hardware to under-sized VPNs to security gaps, because pressure turns inconveniences into crises. The firms that come out ahead are the ones that treat the post-season debrief as useful data instead of something to forget as quickly as possible. Write down what broke, what slowed down, and what workarounds your team created, then fix those things before next January.
Many businesses, when trying to get their processes in order, debate whether using Microsoft 365 or Google Workspace would work best for their needs. Although the business world tends to “expect” Microsoft applications, there are those who fully utilize Google.
Here’s the honest truth: both platforms are good. Both will handle your email, calendar, file storage, and collaboration needs. Both have gotten dramatically better in the past few years. And both will cost you roughly the same amount of money. So if you’re expecting me to tell you that one is objectively superior to the other, you’re going to be disappointed.
What I can tell you is which one works better for the specific ways that accounting firms, law offices, and property management companies actually work.
Where Microsoft 365 Wins
For law firms specifically, Microsoft 365 is usually the better choice, and the reason comes down to two things: document formatting and industry expectations.
Legal documents require precise formatting: numbered paragraphs, specific indentation, complex tables, cross-references, and redlining that tracks every change made by every attorney who touches a document. Microsoft Word is still the gold standard for this kind of work. Google Docs has gotten better, but it’s still not quite there for complex legal documents. According to the ABA’s 2024 Legal Technology Survey, 94% of law firms still use Microsoft Word as their primary document creation tool.
The second issue is client expectations. When you send a legal document to a client or opposing counsel, they expect to receive a .docx file. They expect to be able to open it in Word, make their comments using Word’s track changes feature, and send it back. You can absolutely do this workflow with Google Workspace, but it creates friction. You’re constantly converting files, worrying about whether formatting survived the conversion, and explaining to clients why your documents look slightly different.
Microsoft 365 also integrates better with practice management software that law firms use. Most legal-specific software was built with Microsoft in mind. The integrations are tighter, the compatibility is better, and you spend less time fighting with your tools.
Where Google Workspace Makes Sense
That said, Google Workspace isn’t a bad choice, and for some firms it’s actually the better option. If your firm is smaller, more nimble, and doesn’t have decades of document templates built in Microsoft Word, Google Workspace can be easier to manage and more intuitive for people who aren’t deeply technical.
Google Workspace setup is simpler than Microsoft 365 deployment. There are fewer moving parts, fewer configuration options, and less that can go wrong. For a 5-person law office that just needs email, calendars, and basic document collaboration, Google Workspace gets you up and running faster with less complexity.
Google’s collaboration features are also more intuitive. Multiple people can edit a document simultaneously, and it just works. With Microsoft 365, you can do the same thing, but it requires OneDrive and specific versions of Office apps, and there’s more that can go sideways.
The Real Cost Comparison
Price-wise, they’re comparable. Microsoft 365 Business Standard runs about $12.50 per user per month. Google Workspace Business Standard is $12 per user per month. You’re not making this decision based on a 50-cent difference. The real costs come from cloud migration support, training your staff, and potential productivity loss during the transition.
According to Forrester’s Total Economic Impact study, organizations switching platforms experience an average productivity dip of 15-20% for the first 2-3 months while people adjust. That’s the real cost you need to factor in. If you’ve been using Microsoft for 20 years, switching to Google isn’t just a technology change, it’s a workflow change.
What About Hybrid Approaches?
Some firms try to split the difference by using Gmail with Microsoft Office apps. This mostly works, but it creates its own complications. You lose some of the tight integration between email and calendar. File storage gets confusing when people aren’t sure whether to save things in Google Drive or OneDrive. And you’re paying for redundant services.
I generally don’t recommend hybrid approaches unless you have a specific technical reason that requires it. Pick one platform and commit to it fully. Your people will be happier, your IT management will be simpler, and you’ll spend less time troubleshooting weird compatibility issues.
Making the Decision
For most law firms and accounting practices I work with, Microsoft 365 is the right choice. The document compatibility, the industry standard status, and the integration with other professional services software outweigh the slightly steeper learning curve and more complex administration.
But if you’re a smaller firm, if you don’t have complex document formatting needs, or if you value simplicity over feature depth, Google Workspace is a perfectly viable option. The key is making the decision based on your actual workflow, not on what some article on the internet told you was “better.”
Quick and Easy
For law firms and accounting practices, Microsoft 365 is usually the better choice due to document formatting requirements and industry standard expectations. Google Workspace works well for smaller firms prioritizing simplicity, but both platforms require careful cloud migration support and training to avoid productivity loss.
Look, I get it. Multi-factor authentication is a pain in the butt. It slows you down when you’re trying to get work done, it interrupts your flow with prompts at the worst possible times, and yes, it makes you feel like technology doesn’t trust you anymore. Your team is going to complain about it. Some will actively try to find workarounds. And honestly, I don’t blame them.
The thing about ransomware, though, is that it’s worse.
I’ve been managing IT for professional services firms for over three decades, and I can tell you that the conversation we have after a breach is exponentially more painful than the conversation about implementing MFA. One is an inconvenience. The other is a catastrophe.
The Uncomfortable Truth About Endpoint Security
The professional services industry is getting hammered by ransomware. Accounting firms, law offices, and property management companies are prime targets because you have exactly what criminals want: sensitive financial data, confidential client information, and typically just enough technology to be vulnerable but not enough to be fortress-like.
According to the FBI’s Internet Crime Complaint Center, ransomware complaints increased 18% in 2024, with losses exceeding $59.6 million. However, those numbers only capture reported incidents. Most small and mid-sized firms never report attacks because they’re embarrassed, worried about reputation damage, or they just paid the ransom quietly and moved on.
When someone gets ransomware into your network, it doesn’t just encrypt your files. It steals them first, then encrypts them, then threatens to publish your clients’ private information if you don’t pay. Even if you have backups, which you should, you still have a data breach on your hands. You still have to report it. Your clients still find out. Your reputation still takes a hit.
You know what the entry point is in most of these attacks? Stolen credentials. Microsoft’s Digital Defense Report found that password-based attacks increased 146% in 2024, with more than 7,000 password attacks happening every second across their platforms. Someone phished an employee’s password, logged in as them, and waltzed right through your front door like they owned the place.
What MFA Actually Does (And What It Doesn’t)
Multi-factor authentication isn’t perfect. I’m not going to pretend it’s some silver bullet that makes you invincible. Criminals have already figured out ways around it, like cookie-stealing, where they trick you into authenticating through a legitimate-looking service just to capture your session token.
Here’s what it does: it makes the cheap, easy attacks fail. The automated bot that tries 10,000 stolen passwords against your email server. The script kiddie who bought a dump of credentials on the dark web. The lazy criminal who isn’t willing to put in the extra effort. According to research from Google, implementing any form of MFA blocks 99.9% of automated attacks. Even the most basic SMS-based authentication stops the vast majority of credential stuffing attacks cold.
Think of it like locking your car doors. Will it stop a professional car thief with the right tools and motivation? No. But it will stop the opportunistic criminal who’s just walking through the parking lot trying door handles. Most cybercrime is exactly that: opportunistic.
Why Your Cyber Insurance Company Cares
Something that might make the MFA conversation easier with your team: it’s not really optional anymore. In 2026, cyber insurance requirements have gotten strict enough that most carriers won’t even quote you coverage without multi-factor authentication on all your critical systems. Email, remote access, financial systems, client portals. All of it.
I’ve seen insurance companies do post-breach audits and deny claims because MFA wasn’t implemented properly. It can’t be partially implemented, or “we were planning to roll it out.” Actually implemented and actually used. They will look at your authentication logs, and if they see that the account that got compromised didn’t have MFA enabled, that’s it. Claim denied. You’re on your own for the six-figure recovery costs.
Making It Less Terrible
The good news is that MFA in 2026 is better than it used to be. Not good, but better. You’re not stuck with those horrible SMS codes that never arrive when you need them. Modern authentication apps are faster. Hardware security keys work better. Some services even use passwordless authentication now, which sounds scarier but is actually more convenient once you get used to it.
The key is implementing it intelligently. You don’t need to make people authenticate every single time they access their email if they’re on a trusted device on your network. You can set reasonable timeout periods. You can use conditional access policies that only trigger extra authentication when something looks suspicious, like a login from an unfamiliar location.
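One way to express the conditional-access rules described above, together with the kind of authentication-log review an insurer performs after a breach, as an added example that is not part of the original article. The record fields, app names, 12-hour timeout and sample sign-ins are constructed assumptions, not any vendor's log format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this illustration; set them to match your firm.
CRITICAL_APPS = {"email", "vpn", "tax-software", "client-portal"}
MFA_TIMEOUT = timedelta(hours=12)  # how long a completed MFA check is honored


@dataclass
class SignIn:
    user: str
    app: str
    when: datetime
    country: str
    trusted_device: bool
    office_network: bool
    mfa_passed: bool  # did this sign-in complete a second factor?


def step_up_reasons(ev, known_countries, last_mfa: Optional[datetime]):
    """Return why this sign-in should be challenged for MFA (empty list = no prompt)."""
    reasons = []
    if ev.country not in known_countries:
        reasons.append("unfamiliar location")
    if not (ev.trusted_device and ev.office_network):
        reasons.append("untrusted device or network")
    if last_mfa is None or ev.when - last_mfa > MFA_TIMEOUT:
        reasons.append("no recent MFA")
    return reasons


def audit(events, home_countries):
    """Replay sign-ins in time order and collect two kinds of findings.

    gaps:      critical-app sign-ins that went through without MFA although
               the policy called for a challenge
    never_mfa: users who reached a critical app and never completed MFA
    """
    known = defaultdict(set)
    for user, country in home_countries.items():
        known[user].add(country)
    last_mfa = {}
    gaps, used_critical, did_mfa = [], set(), set()

    for ev in sorted(events, key=lambda e: e.when):
        reasons = step_up_reasons(ev, known[ev.user], last_mfa.get(ev.user))
        if ev.app in CRITICAL_APPS:
            used_critical.add(ev.user)
            if reasons and not ev.mfa_passed:
                gaps.append((ev.user, ev.app, ev.when.isoformat(), reasons))
        if ev.mfa_passed:
            did_mfa.add(ev.user)
            last_mfa[ev.user] = ev.when
            known[ev.user].add(ev.country)  # an MFA-verified location becomes familiar
    return gaps, sorted(used_critical - did_mfa)


def at(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sample data: users, apps and the "XX" country code are made up.
HOME = {"avery": "US", "blake": "US", "casey": "US"}
SAMPLE = [
    # Office desktop, first sign-in of the day, MFA completed.
    SignIn("avery", "email", at("2026-03-10T08:00"), "US", True, True, True),
    # Same trusted setup 90 minutes later: no prompt needed, nothing to flag.
    SignIn("avery", "tax-software", at("2026-03-10T09:30"), "US", True, True, False),
    # Next morning from a personal device at home, no MFA: a gap.
    SignIn("avery", "email", at("2026-03-11T07:45"), "US", False, False, False),
    # Remote but MFA completed: fine.
    SignIn("blake", "vpn", at("2026-03-11T22:10"), "US", True, False, True),
    # Unfamiliar country, unknown device, no MFA: the account an auditor asks about.
    SignIn("casey", "client-portal", at("2026-03-12T03:15"), "XX", False, False, False),
]

if __name__ == "__main__":
    found_gaps, never = audit(SAMPLE, HOME)
    for user, app, when, reasons in found_gaps:
        print(f"{when}  {user:<6} {app:<14} no MFA despite: {', '.join(reasons)}")
    print("critical-app users with no MFA on record:", never)
```

The second sample sign-in shows the convenience side of the policy: a trusted device on the office network inside the timeout window is not challenged, so it is not reported either.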
You need to train your people not just on how to use MFA, but also on why it matters. Not with scare tactics, but with reality. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether that’s stolen credentials, social engineering, or simple mistakes. Tell your team about the law firm down the street that got hit with ransomware because someone clicked a phishing link. Tell them about the accounting practice that had client tax returns published online because their insurance claim got denied. Make it real, because it is real.
The Reality of Small Business Ransomware Protection
Look, if I’m being completely honest with you, which I always am, no security measure is going to stop a determined, sophisticated attacker who specifically targets your firm. But you’re probably not going to get specifically targeted. What you’re trying to protect against is being the easy target, the firm that criminals hit because you’re vulnerable and they know it.
Multi-factor authentication is one piece of a larger endpoint security solution. You also need proper backups, security monitoring, email filtering, security awareness training for your team, and someone who actually knows what they’re doing managing all of it. But MFA is the piece that insurance companies look for first, and for good reason.
If you haven’t implemented multi-factor authentication yet, start now. Check with your cyber insurance carrier about their specific requirements, because they vary. Get your critical systems secured first: email, financial software, anything that touches client data, and any way your team accesses your network remotely.
And when your team complains, which they will, remember that their annoyance is temporary. A ransomware attack isn’t.
Quick and Easy
Multi-factor authentication blocks 99.9% of automated attacks and is now required by most cyber insurance policies. While your team will find it annoying, the alternative of ransomware attacks and denied insurance claims is far worse for professional services firms.
Let’s talk about something most IT companies won’t discuss openly: how much managed IT services in Southern California actually cost and why.
We’ve been serving professional services firms in Southern California for over 35 years, and one of the most common questions we hear is: “What should we actually be paying for IT support?” The frustration behind that question is real. Business leaders know they need professional technology consulting, but the pricing landscape feels deliberately opaque.
So here’s an honest breakdown of the cost of managed IT support services.
The Basic Numbers for 2026
For professional services firms in the 50-150 employee range, including accounting practices, law offices, and property management companies, managed IT services in Southern California typically range from $150-$250 per user per month.
Yes, that’s a wide range for IT support costs. Why?
The lower end ($150-$175 per user) usually includes:
- Basic helpdesk support during business hours
- Standard security monitoring
- Patch management for operating systems
- Basic cloud email support (Microsoft 365 or Google Workspace)
The higher end ($200-$250 per user) typically includes:
- 24/7 helpdesk availability
- Advanced threat protection
- Compliance support (HIPAA, CMMC, PCI, SOC 2)
- Strategic technology planning
- Dedicated account management
What Most Companies Won’t Tell You About IT Services Pricing
The IT industry has markup rates that range from 200% to 1000% on certain services and products. That’s not a typo.
A business-grade laptop that costs an IT provider $800 might be sold to you for $1,600 or more. Microsoft 365 deployment licenses that cost the provider $22 per month might appear on your bill at $35 per month. Network equipment, software subscriptions, security tools – all of these commonly have substantial markups in managed IT support services.
We’re not saying this to criticize other providers. Running an IT service business has real costs: experienced technicians command high salaries in Southern California, insurance is expensive, ongoing training is necessary, and the tools we use to monitor and protect your systems aren’t cheap.
We believe in transparency about fair-priced managed IT services. You should understand what you’re paying for and why.
What “Managed Services” Actually Means
This is where the confusion really happens with IT support. “Managed IT services” can mean drastically different things depending on who’s providing them.
Some companies use “managed services” to mean “we’ll fix things when they break.” That’s not managed services. That’s break-fix support with a monthly retainer.
True managed IT services for professional services means:
Proactive monitoring. We’re watching your systems 24/7 and addressing issues before they affect your team. According to Cyber adAPT and the Aberdeen Group, proactive monitoring can reduce downtime by up to 70% compared to reactive support models.
Strategic planning. We’re not just keeping the lights on. We’re helping you plan technology investments that align with your business growth and IT roadmap development.
Security as a foundation. Security isn’t an add-on for small business IT consulting. It’s built into everything we do, from how we configure new workstations to how we manage your network access.
Vendor management. We handle relationships with software companies, internet providers, and hardware vendors. You shouldn’t need to call five different companies when something goes wrong.
The Hidden Costs of Cheap IT Support
We regularly talk with professional services firms that are paying $75-$100 per user per month for “managed services.” Here’s what usually happens with cheap IT support:
They’re getting reactive support, not proactive management. When something breaks, someone fixes it. But nobody’s watching for warning signs. Nobody’s planning for technology growth. Nobody’s ensuring compliance with industry standards.
Then something major goes wrong. A server fails. A ransomware attack hits. A compliance audit reveals security gaps. Suddenly, they’re facing emergency bills that dwarf whatever they saved on monthly IT support costs.
The Rule of Thumb for IT Support Costs
If you want a very general rule of thumb for managed IT services, expect to spend about $200 per user per month for quality services in Southern California. That should cover comprehensive support, reasonable response times, proactive monitoring, and basic security measures.
If you need additional compliance support, advanced security measures, or 24/7 availability, expect that number to increase by $50-$75 per user for professional services technology.
If someone quotes you significantly less, ask detailed questions about what’s included in managed IT support services. You might be getting a great deal, or you might be getting break-fix support disguised as managed services.
Quick and Easy
Managed IT services in Southern California cost $150-$250 per user per month, with $200 being typical for professional services firms, but many companies charging $75-$100 are providing reactive support rather than true managed services. According to CompTIA, the nationwide average is $182 per user, and cheap IT often leads to catastrophic emergency costs that exceed any monthly savings.
Remember when you could spot a phishing email because it had terrible grammar or came from a weird email address?
Those days are over.
Research from Hoxhunt showed that by March 2025, AI-generated phishing attacks had become more effective than those created by elite human security experts. The AI didn’t just catch up; it surpassed the best humans at social engineering.
Let that sink in. The people whose entire job is creating realistic phishing simulations to test your employees? AI is better at it than they are.
The Scale of the AI Phishing Problem
According to the World Economic Forum, phishing and social engineering attacks increased 42% in 2024. That was before AI really hit its stride.
The attacks aren’t just better written anymore. They’re contextual and arrive at the exact right time. They reference real projects, real people in your organization, and real deadlines.
Google’s 2026 forecast warns that attackers are using AI to create emails that are essentially indistinguishable from legitimate communication.
This is what that looks like in practice:
You receive an email from your CFO requesting an urgent invoice payment. It uses her exact writing style. It references the specific vendor you’ve been working with. It arrives right when you’d expect such a request. The email address looks right. The signature looks right. Everything looks right.
Except it’s not from your CFO. It’s from an AI that studied 50 of her previous emails and generated a perfect forgery.
Voice Cloning: The New Frontier
Email isn’t even the scariest part anymore.
A tech journalist recently demonstrated that she could clone her own voice using cheap AI tools and fool her bank’s phone system – both the automated system and a live agent – in a five-minute call.
Think about what that means for your business. Your CFO gets a call that sounds exactly like your CEO: voice, cadence, the way they clear their throat, everything. It’s asking for an urgent wire transfer for a time-sensitive deal.
How do you defend against that?
Why Traditional Phishing Training Fails Against AI
Your annual security training tells employees to look for:
- Spelling and grammar errors (AI doesn’t make these mistakes)
- Generic greetings (AI personalizes everything)
- Suspicious sender addresses (AI uses compromised legitimate accounts)
- Urgent requests (legitimate urgent requests also sound urgent)
- Links that don’t match the display text (AI uses legitimate-looking domains)
Every single indicator you’ve trained people to watch for? AI bypasses them.
What Actually Works Against AI Generated Phishing
The old training about “look for spelling errors” is dead. Your employees need to understand that verification matters more than urgency.
Use this to protect you and your team:
Slow down when things feel urgent. Urgency is the weapon. If someone’s asking for sensitive information or money transfers, that urgency should trigger caution, not immediate compliance.
Verify through a different channel. Email says it’s from your CEO? Call them on a known number. Text message from your bank? Call the number on your card, not the one in the message. Voice call asking for a transfer? Hang up and call back.
Trust your judgment about whether requests make sense. Does your CEO normally ask for wire transfers via text? Does your IT department usually request password resets through email? If the method doesn’t match the request, verify.
Create a culture where questioning is safe. Your employees need to know they won’t get fired for double-checking whether the CEO really sent that request. These attacks exploit hierarchy and time pressure.
The Reality for Professional Services Firms
The accounting firms, law offices, and property management companies we work with are particularly vulnerable to these attacks because:
- They handle sensitive financial information
- They regularly process wire transfers
- They work with clients who expect fast responses
- They have hierarchical structures that discourage questioning authority
One immigration law firm we work with almost lost $180,000 to an AI-generated email that perfectly mimicked its managing partner’s communication style, requesting an urgent retainer transfer. The only thing that saved them was an associate who thought the request was weird enough to verify in person.
That associate didn’t stop the attack because they spotted technical indicators. They stopped it because something felt off, and they were empowered to question it.
What This Means for Your Business
You need to update your security training immediately. Not next quarter. Not when the budget allows. Now.
The training needs to focus on:
- Verification procedures that work regardless of how legitimate something appears
- Creating psychological safety for employees to question urgent requests
- Understanding that AI can fake anything visual or auditory
- Practicing what to do when something seems both urgent and suspicious
You need to practice these procedures regularly. Not once a year during security awareness month. Monthly at minimum.
Because the attacks are getting better every single day. Criminals using them no longer need your employees to click a suspicious link. They need your employees to trust their eyes and ears when they shouldn’t.
The Quick and Easy: AI-generated phishing attacks now outperform human security experts, with attacks increasing 42% in 2024. AI generates emails and phone calls that are indistinguishable from legitimate communication, bypassing traditional phishing indicators such as spelling errors, generic greetings, and suspicious links. Voice cloning technology can fool both automated systems and live humans. Traditional training focusing on spotting errors no longer works. Instead, businesses need verification procedures that work regardless of appearance, cultures where questioning authority is safe, and regular practice with realistic scenarios. Professional services firms are particularly vulnerable due to their hierarchical structures and regular financial transactions. The key defense is slowing down when things feel urgent and verifying through different channels.
The uncomfortable truth is your employees are using AI tools you don’t know about. Right now. Today.
IBM’s latest research found that 20% of organizations already suffered a breach due to what they’re calling “shadow AI” – employees using unauthorized AI tools without IT’s knowledge. The kicker is that those breaches added an average of $200,000 to remediation costs.
Think about that for a second. The issue is not the technology failing or hackers breaking through your firewall. The cause is your own people, trying to do their jobs faster, pasting proprietary information into ChatGPT, Gemini, or whatever AI tool made their work easier that day.
Why Shadow AI Happens (And Why You Can’t Stop It)
Varonis found that 98% of employees use unsanctioned apps. That’s not a typo. Ninety-eight percent. If you think your company is the exception, you’re wrong.
Why does this happen? Because your employees are struggling. They’re being asked to do more with less, and they’re exhausted. Then they discover this magical tool that can summarize a 50-page document in 30 seconds or write that email they’ve been dreading. Of course, they’re going to use it.
The problem isn’t that they’re lazy or malicious. The problem is that they have no idea what happens to the data they feed into these systems. Some AI services train their models on your inputs. Some store everything you type. Some have security controls. Most don’t.
Why Banning AI Tools Doesn’t Work
Banning these tools outright works. Right? Gartner predicts that by 2027, 75% of employees will acquire or create technology outside IT’s visibility. Bans just push people to hide what they’re doing better.
This happens constantly with the accounting firms and law offices we work with. A partner bans ChatGPT, but an associate uses it on their phone anyway. Now, instead of managing the risk, you’ve just lost visibility into it entirely.
The Real Cost of Shadow AI
The financial impact goes beyond the $200,000 average breach cost. Consider what happens when:
- Your proprietary client data gets fed into a public AI model
- Your trade secrets become part of an AI training dataset
- Your confidential legal strategy gets stored on servers you don’t control
- Your financial projections end up accessible to your competitors
These aren’t theoretical risks. These are things happening right now to businesses that thought their employees would never do something that careless.
What You Actually Need to Do About Shadow AI
You need an actual policy about AI use. Not a ban. A policy.
This is what works:
Identify which AI tools are safe for your business. Not every AI tool is a security nightmare. Some have proper data handling. Some don’t train on your inputs. Figure out which ones meet your requirements.
Make approved tools easy to access. If your employees need AI to do their jobs effectively, give them a way to use it safely. The property management firms we work with that have implemented approved AI tools see almost zero shadow AI usage.
Train people on what they can and cannot share. Most people don’t realize that pasting client information into ChatGPT might expose it. They’re not trying to cause a breach. They’re trying to work faster. Teach them the difference between safe and unsafe usage.
Create a culture where people can ask questions. Your employees should feel comfortable asking, “Is this AI tool safe to use?” instead of just using it and hoping for the best.
The Bottom Line on Shadow AI
This isn’t going away. The only question is whether you’re managing it or pretending it doesn’t exist.
The firms sleeping well at night aren’t the ones who banned AI. They’re the ones who acknowledged it exists and created safe pathways for using it.
Because your employees are already using these tools. You just don’t know about it yet.
The Quick and Easy: Shadow AI, unauthorized AI tool usage by employees, has already caused breaches in 20% of organizations, costing an average of $200,000 each. With 98% of employees using unsanctioned apps and 75% projected to acquire technology outside IT visibility by 2027, banning AI tools doesn’t work. Instead, businesses need clear AI usage policies, approved tools that are easy to access, employee training on safe data sharing, and a culture that allows people to ask questions before using new tools. The risk isn’t the technology itself, but using it without oversight or without understanding the consequences.
I’ve written about this topic before, but it’s nice when major publications back your viewpoint. One of my favorite authors has a new book forthcoming, and as a sign of the times the title – which may have been scandalous in a previous, perhaps more innocent age – gets straight to the point: “Enshittification: Why Everything Suddenly Got Worse and What To Do About It”. And because everything these days is meta and Mr. Doctorow’s book isn’t even out, I read an advance review of the book that contained praise as well as some criticisms which I think are valid and troubling to consider when asking the most important question.
What can we do about it?
In case you didn’t read my previous blog about this or don’t remember it (because we all have enough to worry about already, so I get it), “enshittification” is the concept that all good online services and websites will eventually be ruined by our society’s relentless pursuit of profit. The advance review as it appears on the Current Affairs website does a pretty good job of explaining this topic, and if you don’t intend to purchase the book, I think the article provides enough of an overview for you to spot this trend in the world around you, which may or may not improve how you feel about it. I’m going to read the book for myself before I render my own praise or criticism, but I have similar concerns to the reviewer’s when it comes to answering the question that you have all asked, “What can we do about it?” It sounds like Mr. Doctorow is calling for grassroots efforts and government intervention to counteract future enshittifications (the author seems to think it’s already too late for the likes of Amazon, Facebook, Netflix, etc., and I agree), but from where I’m sitting it seems like getting help from the government isn’t on the menu at the moment, and our grassroots are divided as we fight to maintain healthcare, livelihoods and just basic human decency. So what is my recommendation to you if your technology feels “shitty?”
Take matters into your own hands. If you have the option to use something else, do so and make sure you tell the losing platform why you moved (even if they will probably never read your feedback). If changing the technology isn’t an option, perhaps take a moment to clearly identify the crappy part for the purposes of determining if it’s something you have control or agency over (maybe a new setting or change in interface), or if it’s out of your hands, such as the price going up. If it’s out of your control, focus your energy on working around or through it, or changing something else so that you can eliminate it altogether. Using technology is unavoidable for most of us, but there is no reason to feel like you are a hostage to it, and the best way to manage this is to change the things that you can control and to ask for help or sympathy (or both!) on the things you can’t.
I’ve been working in tech long enough to remember when “automation” meant macros in Excel and AI was still the stuff of sci-fi. Today, artificial intelligence is everywhere—from customer service chatbots to advanced data analytics, predictive modeling, and content creation. It’s no longer a niche tool; it’s a foundational layer in how businesses operate. And while this explosion of AI capability is exciting, it’s also incredibly risky—especially for those who treat it like a shortcut instead of a tool.
Let me be clear: AI is not magic. It’s not intelligent in the human sense. It’s powerful, but it’s only as good as the data it learns from and the intent behind its use. I’ve watched companies implement AI without understanding how it works, leading to biased outcomes, false insights, or compliance violations. They feed it flawed data, make strategic decisions based on unverified outputs, or worse, let it replace human judgment entirely.
The danger lies not in the technology, but in the overconfidence that often accompanies it.
AI should augment decision-making, not replace it. When misused, it can erode trust, amplify existing inequalities, and expose companies to significant legal and reputational risk. If you’re using generative AI to write content, ask yourself—how do you verify it’s accurate? If you’re using AI to screen job candidates, are you confident it’s not introducing bias?
As a consultant, I encourage clients to treat AI the same way they would a junior employee: train it, supervise it, and never let it act without oversight.
The future of AI is promising, but only if we use it responsibly. Those who blindly chase efficiency without understanding the tool may find themselves solving one problem and creating five more. So take the time to understand what AI is—and more importantly, what it isn’t.
Want help making AI work for your business—safely and strategically? Reach out for a consultation.
Author’s Note: This blog post was written by ChatGPT using the following prompt, “Write a short blog from the perspective of an experienced technology consultant about the rising use of AI and the dangers it poses for those that use the tool incorrectly.” I did not touch up or edit the text provided by that prompt in any way, shape or form other than to copy and paste it into this website. Anyone who’s followed my blog for a while or knows me personally might have smelled something fishy, or maybe not. In reading the above, I can definitely say that I have written plenty of articles just as bland. Interestingly, ChatGPT included the last, italicised bit – it’s clearly been trained on plenty of marketing blogs like this one. I know that many of you actually read my blogs for my personal take on technology. If I were to feed my own AI engine the past 10 years of my articles so that it could perhaps get a sense for my writing style and personality, do you think it could produce more blogs that would be indistinguishable from what I wrote with my own two hands and one brain?
Image courtesy of TAW4 at FreeDigitalPhotos.net











