Remote work is no longer a temporary arrangement that your firm is managing. It’s how your people work now, and the security gaps it created are still wide open.
Most professional services firms handled the transition to remote work the same way. They handed out laptops, set up VPN access, and called it done. That approach was fine in 2020 when everyone was scrambling. In 2025, it’s a liability.
The firms we work with across accounting, law, and property management all share similar setups. Attorneys reviewing client files from home networks, accountants accessing tax software from personal devices, and property managers processing payments from coffee shops. Every one of those scenarios introduces a risk that a basic VPN was never designed to cover.
Your Home Network Is Not Your Firm’s Network
Office networks are managed. Home networks are not. That difference is significant.
When your staff works from home, they’re connecting through consumer-grade routers that often run outdated firmware, have never had their default passwords changed, and share bandwidth with every smart TV, gaming console, and doorbell camera in the house. Your firm’s data is traveling through that environment.
The fix is not complicated. Requiring employees to connect through a business VPN is a start, but it’s not sufficient on its own. The stronger approach is zero-trust network access, which means every connection is verified before it reaches your systems, regardless of its origin. This is increasingly standard for firms handling sensitive client data, and it also matters for cyber insurance qualification.
If your current IT setup does not include a defined remote access policy, that gap should be addressed first.
Multi-Factor Authentication Is Not Optional
If your staff can log into client files, billing systems, or email with just a username and password, your firm is exposed. Full stop.
According to Microsoft, multi-factor authentication (MFA) blocks over 99.9% of automated account compromise attacks. It is the single highest-return security measure available to small and mid-sized firms, and it costs almost nothing to implement correctly.
The challenge we see most often is not firms refusing to implement MFA. It’s firms that enabled it inconsistently, or skipped certain applications because they were inconvenient. An accounting firm might have MFA on email but not on their practice management software. A law office might have it enabled for partners but not for support staff.
That inconsistency is where breaches happen.
MFA needs to be applied uniformly across every application that accesses client data. That includes email, document storage, billing, and any line-of-business software your staff uses remotely. Hybrid work infrastructure planning should treat authentication as a foundation, not an afterthought.
Devices Are the Weakest Link in a Distributed Workforce
When everyone worked from the office, your IT team could see every device on the network. They could push updates, enforce policies, and spot problems. Remote work changed that dynamic completely.
Consider the device your paralegal is using at home right now. Are you certain it has current security patches? Do you know whether it’s running endpoint protection? If it were lost or stolen, could your team wipe it remotely?
For professional services firms, the answers to those questions need to be yes. Client confidentiality requirements, insurance obligations, and, in many cases, bar association or state CPA board standards require it.
Device management for remote employees means a few specific things in practice. Every firm-issued device should have endpoint detection and response software installed. Automatic updates should be enforced, not left to the discretion of individual employees. Also, remote wipe capability should be configured before devices leave the office, not after something goes wrong.
Personal Devices Are a Different Problem
Many firms allow employees to use personal computers or phones to access work systems. This is common and often unavoidable, particularly in smaller offices. It is also genuinely difficult to manage from a security standpoint.
You cannot install corporate security software on a personal device without creating legal and privacy complications. What you can do is control what those devices can access and how they can access it.
Mobile device management policies can enforce minimum security standards before a personal device is granted access to firm systems. Requiring a PIN, enabling device encryption, and preventing downloads of client files to local storage can all be enforced through the right configuration, even on personal devices. Your remote IT support strategy should account for this distinction.
If your firm has not made a clear decision about personal device access, it is worth making one now. Either allow it with defined controls in place, or restrict it and provide firm-issued devices where needed.
The Security Conversation You Are Not Having With Your Staff
Most data breaches in professional services firms do not start with sophisticated attacks. They start with a staff member clicking a link in a phishing email while working from home, without the informal safeguards that exist in a physical workplace.
In an office, someone might turn to a colleague and ask, “Did you see this email from a client?” That quick check happens naturally. Remote employees make those judgment calls alone.
Security awareness training is not a one-time checkbox. It needs to be ongoing, specific to the threats targeting professional services firms, and directly tied to the tools your staff uses. Credential theft targeting law firms and accounting practices is a documented and growing problem. Your training program should reflect that.
What This Looks Like in Practice
Getting remote work security right for a professional services firm does not require a large IT budget. It requires a clear-eyed assessment of where your gaps are, and a plan to close them in order of priority.
Start with an honest inventory. Which applications can staff access remotely? Which devices are being used? Is MFA enabled everywhere it should be? Are remote access policies documented?
From there, the path forward is usually straightforward. The firms that struggle are the ones that have never asked the questions.
If you want to run through that inventory, C2 Technology Partners offers a no-pressure remote work security assessment for professional services firms in Southern California. It takes about an hour and gives you a clear picture of where you stand.
Your software vendor does not care whether your business survives an outage, a price increase, or a forced platform migration. They care about your renewal. Those are not the same thing, and the sooner you build your IT strategy around that fact, the better off you will be.
I want to be fair here. I am not saying software vendors are villains. They are businesses. They have investors, payroll, and pressure to grow revenue. However, their incentives are structurally misaligned with yours, and pretending otherwise costs businesses money every single year.
What Vendor Mercenary Behavior Actually Looks Like
It rarely announces itself. It shows up in the details.
Licensing that stores your data in proprietary formats you cannot easily export. Price increases that arrive with 30 days’ notice, which gives you no realistic time to evaluate alternatives, negotiate, or move. Support tiers that make what used to be a standard service request into a premium feature. “Integration partnerships” that are really artificial barriers to using competing tools. Security features that exist at enterprise pricing tiers but not the small business plan you are on, which means the capability exists but the vendor has decided your size does not merit access to it.
I see the Microsoft 365 markup issue all the time in this industry. You can look up Microsoft’s pricing directly. A lot of IT firms mark up those licenses anywhere from 200 to 1,000 percent without ever explaining what the markup covers or why. At C2, we tell clients exactly what we are marking up and why. That is not the industry norm. It should be.
None of the behaviors I described above are illegal. Most of them are rational from the vendor’s perspective. But they are not aligned with your interests, and knowing that going in is different from figuring it out when you are locked in.
The Lock-in Nobody Notices Until They Try to Leave
The most expensive vendor relationship is not the one with the highest monthly bill. It is the one you cannot exit without a major disruption to your business.
Think about your practice management software, your document storage platform, your client portal. If you decided tomorrow that you wanted to move to a competing product, what would that actually look like? How long would it take? How much would it cost? What data might you lose or have to manually recreate?
For most professional services firms, the honest answer is “more than we want to think about.” That is not always a problem. Some vendor relationships are worth the dependency because the switching cost is genuinely higher than the cost of accepting the terms. However, you should arrive at that conclusion consciously, not by default.
The firms that get hurt are the ones that discover their exposure when the vendor raises prices by 40 percent and the realistic alternative is six months of migration work at the worst possible time.
What You Can Realistically Manage Yourself
I try to be honest with clients about the line between what they can handle and what they should bring to us.
Things most professional services firms can manage without IT help: exporting your own data periodically to verify you actually can, keeping a plain-language record of what tools you use and what they cost, reading renewal notices before approving them, and maintaining a vendor contact list somewhere outside the software itself. These sound obvious. Most businesses do not do them.
Things you should probably not try to manage without help: migrating data between platforms, evaluating the security implications of a new vendor contract, negotiating enterprise licensing terms, or building redundancy around a tool that is critical to daily operations.
Being clear about that line is more useful than pretending either that you can handle everything or that you need to outsource every decision.
Three Things You Can Do This Month
Export a copy of your data from your two most critical platforms. Just to see if you can. The experience of trying will tell you more than any vendor FAQ. If the export option does not exist or the output is unusable, that is information worth having now.
Read the terms of your next software renewal before you approve it. Look specifically for language about data portability, price adjustment clauses, and what happens to your data if you cancel. It will not be exciting reading. It will be useful.
Ask your IT partner: if we needed to move off this platform in 90 days, what would that actually look like? If your IT partner cannot answer that question clearly and specifically, that is also information worth having.
The Honest Part
Some vendor lock-in is unavoidable and some of it is worth accepting. The goal is not to be vendor-free. It is to make those choices with your eyes open rather than discovering your exposure when the leverage has already shifted entirely to the vendor’s side.
The firms I have watched get hit hardest by this are not the ones that made bad decisions. They are the ones that made no decision at all, and let default inertia build dependencies they were not aware of until something forced them to look.
Technology is a tool. Like any tool, it can be built improperly, it can be misused, and it can fail at the worst possible moment. Understanding who actually controls that tool, and what happens when their priorities stop aligning with yours, is part of running a business in 2026. It is just not a part anyone talks about much.
If you want to take stock of where your real dependencies are and what your options look like, we are happy to have that conversation.
Quick and Easy: Software vendors build their businesses around keeping you subscribed, not around making it easy to leave, and that is a rational business decision that just happens to conflict with yours. Understanding which tools your firm genuinely cannot exit quickly, and what that exposure actually costs, is one of the most underrated parts of technology planning for professional services firms. Start by trying to export your own data and reading the next renewal notice before you click approve.
I need to tell you about a conversation I had last year with a property management firm that thought they had off-site backup. Their office manager was taking home an external hard drive every Friday night and bringing it back Monday morning. When I asked them what would happen if there was a fire in the office on a Tuesday, they suddenly realized their “off-site” backup was sitting in a drawer ten feet from the server it was supposed to be protecting.
This is more common than you’d think. Lots of businesses believe they have off-site backup when what they actually have is backup that occasionally leaves the building but spends most of its time in the same disaster zone as their primary data.
What Off-Site Actually Means
Off-site backup means your data is stored in a location that is geographically separate from your primary location and would not be affected by any disaster that could reasonably hit your main office. The point is to protect you from localized disasters: fires, floods, theft, ransomware, power surges, angry former employees, and all the other ways that everything in one physical location can be destroyed or compromised simultaneously.
According to FEMA’s disaster statistics, 40% of businesses never reopen after a disaster, and another 25% fail within one year. Off-site backup is your insurance policy against being in those statistics.
Cloud backup is genuinely off-site. When your data is stored in a data center in another state, a fire in your office doesn’t touch it. A flood in your building doesn’t reach it. Ransomware that encrypts every computer on your network can’t encrypt data that’s not connected to your network at that moment.
The Problems with ‘Portable’ Off-Site Backup
The external hard drive that goes home with an employee seems like a reasonable approach, and it’s better than nothing, but it has some serious problems that most businesses don’t think about until it’s too late.
First, it’s only off-site part of the time. If your disaster recovery planning assumes you always have an off-site backup available, but that backup is actually in the building 70% of the time, your plan has a 70% chance of failing when you need it.
Second, portable drives get lost, damaged, or stolen. They get left in cars that get broken into. They get knocked off desks. They get erased accidentally. They get run over in parking lots. I’ve seen all of these happen. Kroll Ontrack’s data recovery statistics show that portable drives have a 25% higher failure rate than stationary drives, primarily due to physical damage from transport and handling.
Third, and this is the big one that nobody thinks about, portable drives that get plugged into your network regularly can be compromised by ransomware just like everything else on your network. If your backup drive is connected to an infected computer when the ransomware decides to encrypt everything it can reach, congratulations, your backup just got encrypted too.
The Ransomware Problem with Connected Backups
Modern ransomware is sophisticated. According to Sophos’s State of Ransomware 2024 report, 94% of ransomware attacks attempt to compromise backups. They specifically look for backup drives, backup software, and cloud backup credentials. The entire point is to make sure you can’t recover your data without paying the ransom.
This is why business continuity planning requires truly isolated off-site backup. If your backup can be accessed from your network, it can potentially be compromised from your network. Cloud backup services that use immutable storage or versioning can protect against this. A backup drive that never connects to your network can protect against this. A backup drive that plugs in every Friday is vulnerable.
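The paragraph above says that cloud backup with immutable storage or versioning protects against a backup being encrypted from the network, while a drive that plugs in every Friday does not. The Python below is an added illustration of that difference, not C2’s tooling and not any backup vendor’s API: it models a mirrored drive and an append-only versioned target as in-memory stores, runs the same three backup jobs against each (the third from an infected workstation), and shows which one can still hand back a clean copy. File names, contents and run numbers are all constructed for the demonstration.

```python
"""Why a versioned, append-only backup target survives a ransomware-style
overwrite while a mirrored drive does not.

Added illustration for the passage above; it is not C2's tooling and not any
backup vendor's API. Both targets are in-memory models, and every file name,
content and run number is constructed for the demonstration.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass
class Version:
    """One immutable copy of a file, tagged with the backup run that wrote it."""
    seq: int
    digest: str
    data: bytes


class MirrorStore:
    """A synced or mirrored drive: each run replaces the previous copy in place."""
    def __init__(self):
        self.files = {}

    def backup(self, seq, snapshot):
        for name, data in snapshot.items():
            self.files[name] = data

    def restore(self, name, before_seq=None):
        # No history exists; the only copy is whatever was written last.
        return self.files.get(name)


class VersionedStore:
    """An append-only target (the model behind "immutable storage or versioning").
    The backup job can add versions but never overwrite or delete; retention
    is applied separately by `expire`, outside the job's credentials."""
    def __init__(self, retain_runs=30):
        self.history = {}
        self.retain_runs = retain_runs

    def backup(self, seq, snapshot):
        for name, data in snapshot.items():
            versions = self.history.setdefault(name, [])
            digest = sha256(data).hexdigest()
            if versions and versions[-1].digest == digest:
                continue  # unchanged since the last run; nothing new to keep
            versions.append(Version(seq, digest, data))

    def restore(self, name, before_seq=None):
        """Newest version written before `before_seq` (newest overall if None)."""
        candidates = [v for v in self.history.get(name, [])
                      if before_seq is None or v.seq < before_seq]
        return candidates[-1].data if candidates else None

    def expire(self, current_seq):
        """Retention pass: drop versions older than the window, always keeping one."""
        for versions in self.history.values():
            while len(versions) > 1 and current_seq - versions[0].seq > self.retain_runs:
                versions.pop(0)


def fake_encrypt(data: bytes) -> bytes:
    # Constructed stand-in for ransomware output: the content is replaced by
    # bytes that are useless without a key. A fixed XOR is enough for the demo.
    return bytes(b ^ 0x5A for b in data)


def run_scenario(store):
    """Two clean backup runs, then a run made from an infected workstation.
    Returns (copy after the incident, copy restored from before run 3)
    for the constructed file 'clients.xlsx'."""
    working = {"clients.xlsx": b"client ledger v1", "brief.docx": b"draft brief"}
    store.backup(1, working)
    working["clients.xlsx"] = b"client ledger v2"
    store.backup(2, working)
    # Run 3: everything on the workstation is now encrypted, and the backup job
    # copies it faithfully because the target is reachable from the network.
    infected = {name: fake_encrypt(data) for name, data in working.items()}
    store.backup(3, infected)
    return store.restore("clients.xlsx"), store.restore("clients.xlsx", before_seq=3)


if __name__ == "__main__":
    for label, store in (("mirror", MirrorStore()), ("versioned", VersionedStore())):
        after, rolled_back = run_scenario(store)
        print(f"{label:9} latest copy: {after!r}")
        print(f"{label:9} restore before run 3: {rolled_back!r}")
```

Both targets end up holding the encrypted copy as their latest version; only the versioned one can roll back to run 2. The protection depends on the separation the model enforces: the backup job’s credential can only append, and shortening retention or deleting versions is a separate step with separate access. That separation is what the post means when it warns that attackers go after cloud backup credentials as well as backup drives.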
What Actually Counts as Off-Site
Cloud backup with a reputable provider absolutely counts. Services like Backblaze, Carbonite, Datto, or Veeam’s cloud offerings store your data in professional data centers that are geographically distant from your location. They use redundant storage across multiple facilities, so even if one data center has a problem, your data still exists somewhere else.
Tape backups that are physically stored off-site count. Some firms still use tape drives and rotate tapes to a safe deposit box or storage facility. This is old school, but it works. The tapes are genuinely off-site, genuinely disconnected from any network, and genuinely protected from local disasters.
Replication to a second office location can count, if you actually have a second office location that’s far enough away to not be affected by the same disaster as your primary location. A second office across town works for fire or theft. A second office in the same building does not work for anything.
The Hybrid Approach That Actually Works
For most professional services firms I work with, the answer is a hybrid approach. You keep local backup for fast recovery from common problems like accidental deletions or hard drive failures. You keep true off-site backup in the cloud for disaster recovery. And you test both regularly to make sure they actually work.
The local backup gets you back up and running in hours when someone accidentally deletes an important folder. The off-site backup gets you back up and running in days when your office floods and destroys all your hardware. Different tools for different scenarios, both important.
This is what professional disaster recovery planning looks like. Not just having backup, but having the right kinds of backup in the right locations for the right purposes. It’s not exciting. It’s not sexy. But it’s what keeps your business alive when everything goes wrong.
Quick and Easy
True off-site backup must be geographically separated from your primary location and protected from the same disasters. Cloud backup meets this requirement while portable drives that regularly connect to your network don’t, as modern ransomware specifically targets connected backup devices during attacks.
A client forwarded me a message from her internet provider a few weeks back. It warned that certain router brands might have security issues and suggested she consider upgrading to a managed service. She wanted to know if she should be worried.
I looked at the message and told her two things. First, the warning is real and the underlying concern is legitimate. Second, the way this particular company wrote it was deliberately vague, designed to create just enough unease to push her toward paying for something she may or may not need. The two facts are not mutually exclusive, and that combination is worth unpacking.
What Started the Questions
On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, which effectively bans new models from being imported or sold in the United States. The ruling cited documented cyberattack campaigns, most notably the Salt, Flax, and Volt Typhoon operations, where foreign-produced routers in homes and small offices were used as entry points to attack critical US infrastructure.
The brands affected read like a shopping list at Best Buy: TP-Link, Netgear, Asus, Linksys, Eero, Google Nest WiFi. All of them. Because virtually every consumer router on the market is manufactured outside the United States, the ban essentially covers the entire category of new product introductions until manufacturers either establish US-based production or receive individual conditional approval from the Department of Homeland Security.
Netgear has already received an exemption. Eero received conditional approval through October 2027. TP-Link, which holds roughly 65 percent of the US home router market, is still working through the process.
What This Does Not Mean
Before anyone calls me to ask if they need to throw their router in the trash, let me be direct: if you already own one of these devices and it is running fine, you are not required to do anything immediately. The FCC ruling grandfathers existing equipment. You can keep using your current router legally and indefinitely.
The ban prevents new foreign-made models from receiving FCC authorization going forward. What it does not do is criminalize the router sitting on your credenza right now.
There is, however, one real deadline buried in this that most of the coverage has glossed over. Manufacturers on the covered list have until March 1, 2027 to issue firmware updates to existing devices. After that date, unless they have secured a conditional approval, they cannot push software patches to devices already in the field. That means a router that is fine today may gradually become a security liability as vulnerabilities emerge and fixes are no longer permitted.
Why This Matters for Your Business
The part I find most relevant for the professional services firms I work with is the part most business owners are not thinking about.
The router sitting in your office is probably not the one that concerns me most right now. Business-grade networking equipment used in professional environments is generally managed differently and held to a higher standard than what you find in a consumer retail package.
What I am thinking about is the router in your employee’s home office.
You have probably had people working remotely for years now. They are accessing your systems, your client files, and your email through whatever networking equipment they set up in their living room. A lot of it is exactly the kind of foreign-manufactured consumer hardware that is now at the center of this national security discussion. Much of it has not been updated, assessed, or evaluated by anyone with any technical accountability for your business’s security.
I tell clients all the time: your security perimeter is not the four walls of your office anymore. It extends into every home where someone logs into your network. If that connection is running through a device with documented vulnerabilities and no path to a security patch after March 2027, that is a gap worth addressing.
My Honest Take
I have been watching the concerns around foreign-manufactured networking equipment for a long time. The documented attacks and vulnerabilities are real. Whether the current political moment is driving the timing of this particular ruling is a separate conversation I will spare you.
What I will say is that this is a good time to have someone take an honest look at your network, including your remote workers’ home setups, and give you a realistic assessment of where you actually stand. Not a sales pitch dressed up as a security warning. Just a straight answer about what you have, what the risks are, and what, if anything, you should actually do about it.
That is the conversation I am always happy to have.
Quick and Easy
The FCC banned new foreign-manufactured consumer routers in March 2026, citing documented national security threats. Existing devices are legally protected for now, but a March 2027 deadline for firmware updates means routers from affected manufacturers could become security liabilities. For professional services firms, the immediate priority is evaluating remote employee home networks, not just office infrastructure.
Earth Day feels like the right time to talk about technology waste, not because I am particularly sentimental about the occasion, but because most professional services firms are sitting on a device lifecycle management problem that is quietly costing them money. Nobody is talking about it in those terms.
I am also going to be honest about something upfront: sustainable technology practices are good for the environment, but I have never once convinced a business to change its approach to hardware solely for environmental reasons. What actually moves the needle is the operational and financial argument. The good news is that the same decisions that reduce e-waste also reduce costs and risk. So the environmental benefit is, in this case, the bonus.
Why Device Lifecycle Management Is a Business Problem First
Most professional services firms I work with do not have a formal device lifecycle management policy. What they have is a replacement habit: when a computer stops working acceptably, or when a staff member complains loudly enough, a new one gets purchased.
The result is an office full of machines of wildly different ages and configurations. Some are running operating systems that are no longer receiving security updates. Some are brand new. Most have not been inventoried in years. That is a security problem as much as an environmental one, and it is also expensive in ways that do not show up on any single invoice.
A reasonable device lifecycle for business computers is three to five years, depending on the workload. Below that range, you are replacing hardware before you can extract reasonable value from it. Above it, you are running machines that are slower than they should be, less secure than they need to be, and more likely to fail at an inopportune time. The operating cost of an aging machine in support time, productivity loss, and security risk tends to exceed the cost of replacement well before the hardware visibly gives out.
Responsible Workstation Setup Includes Planning What Happens at End of Life
When a device reaches the end of its useful life at your firm, a few steps need to be taken before it goes anywhere.
Data must be wiped, not deleted. Wiped. Deleting files does not remove them from a hard drive in a way that prevents recovery. A proper wipe overwrites the storage, making recovery practically impossible. If you are sending devices to a recycler or donating them, this step is not optional. Your clients’ data has been on those machines.
Devices that are still functional but no longer appropriate for primary staff may have a second life. Many nonprofits and schools accept used business equipment. If the device has been properly wiped and is running a current operating system, it can provide meaningful value elsewhere rather than going straight to a landfill.
For devices genuinely at the end of life, find a certified e-waste recycler. Most municipalities in Southern California have periodic e-waste collection events. A certified recycler ensures that the materials inside, some of which are genuinely hazardous if handled carelessly, are processed correctly.
Technology Planning for Business Growth Means Replacing Reactively Less Often
One of the most useful things a professional services firm can do, for both its operations and its environmental footprint, is move from reactive device replacement to planned refresh cycles.
Practically, this means knowing what hardware you have, when it was purchased, and when it is due for replacement. A simple spreadsheet works. When you know three years in advance that a wave of machines will need replacing, you can budget for it, plan the transition, and avoid the operational disruption of emergency replacements during busy periods. Tax season is a terrible time to discover that a staff member’s computer has finally given out.
It also means you stop buying machines during crisis conditions, which is almost always when the worst purchasing decisions are made. When the controller’s computer dies the week before a filing deadline, you buy whatever is available and ship it overnight. When you plan a refresh 12 months out, you have time to evaluate what your staff actually needs and buy accordingly. That is both better technology planning for business growth and considerably less expensive.
The Software Side of Sustainable Technology
Physical hardware is not the only place where waste accumulates. Software subscriptions are the other.
Most firms are paying for licenses they are not using, for platforms that have been partially replaced by something else, or for features within a platform that nobody has ever turned on. A software audit, a straightforward review of what you are subscribed to, who is using it, and whether the cost is justified, is something most firms have never done systematically.
It is not a complex exercise, and it consistently identifies funds that can be reallocated to what actually matters. I have never done one for a client and come up empty.
The Practical Starting Point
If you want to do something concrete this month that addresses all of the above, take an inventory. Pull together a list of every computer, laptop, and tablet used in your firm, when it was purchased, and who uses it. If you do not know when something was purchased, a good IT partner can usually determine that from the device’s system information.
Once you have that list, you have the information you need to make actual decisions about device lifecycle management, rather than just reacting to the next thing that breaks.
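The inventory described above is a spreadsheet of devices, purchase dates and users. As an added example (not C2’s tooling), the Python below takes such a list and turns it into the decisions the post is after: it sorts every device into replace-now, plan-refresh, current or unknown-age using the post’s three-to-five-year window, flags machines whose operating system no longer receives security updates, and counts how many devices reach the ceiling in each calendar year so a wave of replacements is visible years ahead. It goes slightly beyond the text by adding the per-year budget view. The inventory rows, the reference date and the list of unsupported operating systems are constructed for the example.

```python
"""Turn the hardware inventory the post describes into a refresh plan.

Added example for this post, not C2's tooling. The inventory rows, the
reference date and the list of unsupported operating systems are all
constructed; the three-to-five-year window is the one the post gives.
"""
import csv
from datetime import date
from io import StringIO

# Constructed inventory in the spreadsheet shape the post recommends.
INVENTORY_CSV = """\
asset,type,user,purchased,os
WS-001,laptop,Maria,2019-02-14,Windows 10
WS-002,desktop,Controller,2021-09-01,Windows 11
WS-003,laptop,Partner A,2023-11-20,macOS 14
TB-001,tablet,Front desk,2020-06-30,iPadOS 15
WS-004,laptop,Unknown,,Windows 10
"""

# Operating systems treated here as no longer receiving security updates.
# Constructed for the example; use the vendor's published lifecycle dates.
UNSUPPORTED_OS = {"Windows 10", "iPadOS 15"}

MIN_YEARS, MAX_YEARS = 3, 5          # the post's three-to-five-year lifecycle
TODAY = date(2026, 4, 22)            # constructed reference date


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def classify(row, today):
    """Return (status, replacement deadline, reasons) for one inventory row."""
    if not row["purchased"]:
        return "unknown-age", None, ["purchase date missing; read it from system information"]
    bought = date.fromisoformat(row["purchased"])
    deadline = add_years(bought, MAX_YEARS)
    age = (today - bought).days / 365.25
    reasons = []
    if row["os"] in UNSUPPORTED_OS:
        reasons.append(f"{row['os']} no longer receives security updates")
    if today > deadline:
        reasons.append(f"{age:.1f} years old, beyond the {MAX_YEARS}-year ceiling")
    if reasons:
        return "replace-now", deadline, reasons
    if age >= MIN_YEARS:
        return "plan-refresh", deadline, [f"{age:.1f} years old; budget replacement by {deadline}"]
    return "current", deadline, []


def refresh_plan(csv_text, today):
    """Group every device by status: {status: [(asset, deadline, reasons), ...]}."""
    plan = {"replace-now": [], "plan-refresh": [], "current": [], "unknown-age": []}
    for row in csv.DictReader(StringIO(csv_text)):
        status, deadline, reasons = classify(row, today)
        plan[status].append((row["asset"], deadline, reasons))
    return plan


def budget_by_year(plan, today):
    """Count devices hitting the ceiling per calendar year, so a wave of
    replacements shows up years ahead instead of as emergency purchases.
    Overdue devices are charged to the current year."""
    counts = {}
    for status in ("replace-now", "plan-refresh", "current"):
        for _asset, deadline, _reasons in plan[status]:
            year = max(deadline.year, today.year)
            counts[year] = counts.get(year, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    plan = refresh_plan(INVENTORY_CSV, TODAY)
    for status, devices in plan.items():
        for asset, deadline, reasons in devices:
            print(f"{status:13} {asset:7} due {deadline}  {'; '.join(reasons)}")
    print("budget:", budget_by_year(plan, TODAY))
```

On the constructed rows, the two machines on an unsupported operating system or past the five-year ceiling land in replace-now, the controller’s desktop is due for a planned refresh this year, and the device with no purchase date is surfaced as a gap to close rather than silently dropped; that last case is the one that most often hides in a real inventory.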
If you would like help pulling that inventory together or thinking through a refresh and workstation setup strategy, reach out. It is a straightforward conversation, and the starting point is almost always simpler than people expect.
Quick and Easy: Most professional services firms lack a device lifecycle management plan, which means they replace hardware reactively under pressure, run aging machines that pose security risks, and generate more e-waste than necessary. Moving to a planned three-to-five-year refresh cycle, properly wiping devices before retirement, and auditing unused software subscriptions addresses all three problems at once and often saves money.
Tax season is the best stress test your technology will ever get. And it is completely free. You did not ask for it, you cannot opt out, and every year between January and April your systems will tell you exactly where the cracks are. The question is whether you are paying attention.
I work with accounting firms as managed IT clients, and I have worked with several more over the years. The pattern is consistent enough that I could describe it before the season starts: the issues that barely registered in November become full-blown crises in March, usually at the worst possible moment, because that is what technology is reliably good at.
Why Tax Season Is the Real Measure of Your IT Support for Accounting Firms
The most common issues that surface during peak filing season are not new problems. They are old problems that finally got loud enough to demand attention.
Slow systems are the most common complaint, and the cause is almost never a mystery. Machines that are three or four years old, running software that has grown steadily more demanding, start struggling under the weight of high-volume processing. The firm has lived with the sluggishness for months because it was tolerable. In March, when everyone is working longer hours and deadlines are immovable, tolerating it is no longer an option.
Remote access failures are the second most common issue. Hybrid teams that work fine under normal conditions hit their limits when everyone is remote simultaneously and the VPN was never sized for that load. Or a staff member is working from home on a personal device with outdated software that creates compatibility problems with cloud-based tax platforms.
Cloud platform slowdowns round out the top three. Accounting firms run on software like Lacerte, CCH, UltraTax, or Drake. When those platforms slow down or have service interruptions during filing season, it is not just inconvenient. According to one analysis, a single hour of downtime at a ten-person firm with a $200 average billable rate can cost over $1,000 in lost productivity, and that does not count the backlog that builds, the client frustration, or the staff morale hit.
What Tax Season Actually Reveals About Professional Services Technology
Beyond the specific failures, tax season exposes something more fundamental: whether your firm has professional services technology built for how you actually work, or built for how you worked five years ago.
An accounting firm with no coherent IT support plan tends to normalize the warning signs until they stop feeling like warning signs. Work slows and nobody identifies why. Staff develop workarounds for software that does not behave reliably. Files end up saved in inconsistent locations because nobody established a protocol. None of these are catastrophic on their own, but under peak-season pressure, they compound.
The other thing tax season reveals is your security posture. Accounting firms are high-value targets because they hold a concentration of financial data that is genuinely valuable to criminals. Firms in regulated states like California face stricter data privacy requirements than many owners realize. A ransomware attack the week before the April deadline is not a hypothetical scenario for accounting firms. It happens.
Workflow Optimization Starts with Honest Post-Season Analysis
The instinct after surviving a rough tax season is to exhale, finish the remaining client work, and deal with technology problems later. I understand that instinct. Unfortunately, later tends to become next January, when you are headed into the same situation again.
A post-tax-season review does not have to be comprehensive or expensive. A few honest questions are a reasonable place to start.
What specifically slowed down or broke during the season? Write it down while it is fresh. “The system felt slow” is less useful than “CCH was taking four minutes to load on Maria’s machine starting around March 10.”
Were there any near-misses? Security alerts, unusual login attempts, or phishing emails that someone caught? Those matter too.
What workarounds did your team create? Workarounds are symptoms. They tell you where the official process broke down, which is exactly where your IT attention should go next.
If you have a managed IT partner, share that list with them. If you do not, and your tax season was rougher than it needed to be, that list is a good starting point for a conversation about what a proactive approach to IT support for accounting firms actually looks like.
The goal is not to over-engineer your environment. It is to make sure the systems your firm runs on are built for the way you actually work, not just adequate for a slow Tuesday in October.
Quick and Easy
Tax season reliably surfaces every technology problem your accounting firm has been tolerating, from aging hardware to under-sized VPNs to security gaps, because pressure turns inconveniences into crises. The firms that come out ahead are the ones that treat the post-season debrief as useful data instead of something to forget as quickly as possible. Write down what broke, what slowed down, and what workarounds your team created, then fix those things before next January.
Many businesses, when trying to get their processes in order, debate whether using Microsoft 365 or Google Workspace would work best for their needs. Although the business world tends to “expect” Microsoft applications, there are those who fully utilize Google.
Here’s the honest truth: both platforms are good. Both will handle your email, calendar, file storage, and collaboration needs. Both have gotten dramatically better in the past few years. And both will cost you roughly the same amount of money. So if you’re expecting me to tell you that one is objectively superior to the other, you’re going to be disappointed.
What I can tell you is which one works better for the specific ways that accounting firms, law offices, and property management companies actually work.
Where Microsoft 365 Wins
For law firms specifically, Microsoft 365 is usually the better choice, and the reason comes down to two things: document formatting and industry expectations.
Legal documents require precise formatting. Numbered paragraphs, specific indentation, complex tables, cross-references, and redlining that tracks every change made by every attorney who touches a document. Microsoft Word is still the gold standard for this kind of work. Google Docs has gotten better, but it’s still not quite there for complex legal documents. According to ABA’s 2024 Legal Technology Survey, 94% of law firms still use Microsoft Word as their primary document creation tool.
The second issue is client expectations. When you send a legal document to a client or opposing counsel, they expect to receive a .docx file. They expect to be able to open it in Word, make their comments using Word’s track changes feature, and send it back. You can absolutely do this workflow with Google Workspace, but it creates friction. You’re constantly converting files, worrying about whether formatting survived the conversion, and explaining to clients why your documents look slightly different.
Microsoft 365 also integrates better with practice management software that law firms use. Most legal-specific software was built with Microsoft in mind. The integrations are tighter, the compatibility is better, and you spend less time fighting with your tools.
Where Google Workspace Makes Sense
That said, Google Workspace isn’t a bad choice, and for some firms it’s actually the better option. If your firm is smaller, more nimble, and doesn’t have decades of document templates built in Microsoft Word, Google Workspace can be easier to manage and more intuitive for people who aren’t deeply technical.
Google Workspace setup is simpler than Microsoft 365 deployment. There are fewer moving parts, fewer configuration options, and less that can go wrong. For a 5-person law office that just needs email, calendars, and basic document collaboration, Google Workspace gets you up and running faster with less complexity.
Google’s collaboration features are also more intuitive. Multiple people can edit a document simultaneously, and it just works. With Microsoft 365, you can do the same thing, but it requires OneDrive and specific versions of Office apps, and there’s more that can go sideways.
The Real Cost Comparison
Price-wise, they’re comparable. Microsoft 365 Business Standard runs about $12.50 per user per month. Google Workspace Business Standard is $12 per user per month. You’re not making this decision based on a 50-cent difference. The real costs come from cloud migration support, training your staff, and potential productivity loss during the transition.
According to Forrester’s Total Economic Impact study, organizations switching platforms experience an average productivity dip of 15-20% for the first 2-3 months while people adjust. That’s the real cost you need to factor in. If you’ve been using Microsoft for 20 years, switching to Google isn’t just a technology change, it’s a workflow change.
What About Hybrid Approaches?
Some firms try to split the difference by using Gmail with Microsoft Office apps. This mostly works, but it creates its own complications. You lose some of the tight integration between email and calendar. File storage gets confusing when people aren’t sure whether to save things in Google Drive or OneDrive. And you’re paying for redundant services.
I generally don’t recommend hybrid approaches unless you have a specific technical reason that requires it. Pick one platform and commit to it fully. Your people will be happier, your IT management will be simpler, and you’ll spend less time troubleshooting weird compatibility issues.
Making the Decision
For most law firms and accounting practices I work with, Microsoft 365 is the right choice. The document compatibility, the industry standard status, and the integration with other professional services software outweigh the slightly steeper learning curve and more complex administration.
But if you’re a smaller firm, if you don’t have complex document formatting needs, or if you value simplicity over feature depth, Google Workspace is a perfectly viable option. The key is making the decision based on your actual workflow, not on what some article on the internet told you was “better.”
Quick and Easy
For law firms and accounting practices, Microsoft 365 is usually the better choice due to document formatting requirements and industry standard expectations. Google Workspace works well for smaller firms prioritizing simplicity, but both platforms require careful cloud migration support and training to avoid productivity loss.
Look, I get it. Multi-factor authentication is a pain in the butt. It slows you down when you’re trying to get work done, it interrupts your flow with prompts at the worst possible times, and yes, it makes you feel like technology doesn’t trust you anymore. Your team is going to complain about it. Some will actively try to find workarounds. And honestly, I don’t blame them.
The thing about ransomware, though, is that it’s worse.
I’ve been managing IT for professional services firms for over three decades, and I can tell you that the conversation we have after a breach is exponentially more painful than the conversation about implementing MFA. One is an inconvenience. The other is a catastrophe.
The Uncomfortable Truth About Endpoint Security
The professional services industry is getting hammered by ransomware. Accounting firms, law offices, and property management companies are prime targets because you have exactly what criminals want: sensitive financial data, confidential client information, and typically just enough technology to be vulnerable but not enough to be fortress-like.
According to the FBI’s Internet Crime Complaint Center, ransomware complaints increased 18% in 2024, with losses exceeding $59.6 million. However, those numbers only capture reported incidents. Most small and mid-sized firms never report attacks because they’re embarrassed, worried about reputation damage, or they just paid the ransom quietly and moved on.
When someone gets ransomware into your network, it doesn’t just encrypt your files. It steals them first, then encrypts them, then threatens to publish your clients’ private information if you don’t pay. Even if you have backups, which you should, you still have a data breach on your hands. You still have to report it. Your clients still find out. Your reputation still takes a hit.
You know what the entry point is in most of these attacks? Stolen credentials. Microsoft’s Digital Defense Report found that password-based attacks increased 146% in 2024, with more than 7,000 password attacks happening every second across their platforms. Someone phished an employee’s password, logged in as them, and waltzed right through your front door like they owned the place.
What MFA Actually Does (And What It Doesn’t)
Multi-factor authentication isn’t perfect. I’m not going to pretend it’s some silver bullet that makes you invincible. Criminals have already figured out ways around it, like cookie-stealing, where they trick you into authenticating through a legitimate-looking service just to capture your session token.
Here’s what it does: it makes the cheap, easy attacks fail. The automated bot that tries 10,000 stolen passwords against your email server. The script kiddie who bought a dump of credentials on the dark web. The lazy criminal who isn’t willing to put in the extra effort. According to research from Google, implementing any form of MFA blocks 99.9% of automated attacks. Even the most basic SMS-based authentication stops the vast majority of credential stuffing attacks cold.
Think of it like locking your car doors. Will it stop a professional car thief with the right tools and motivation? No. But it will stop the opportunistic criminal who’s just walking through the parking lot trying door handles. Most cybercrime is exactly that: opportunistic.
Why Your Cyber Insurance Company Cares
Something that might make the MFA conversation easier with your team: it’s not really optional anymore. In 2026, cyber insurance requirements have gotten strict enough that most carriers won’t even quote you coverage without multi-factor authentication on all your critical systems. Email, remote access, financial systems, client portals. All of it.
I’ve seen insurance companies do post-breach audits and deny claims because MFA wasn’t implemented properly. Not partially implemented, and not “we were planning to roll it out.” Actually implemented and actually used. They will look at your authentication logs, and if they see that the account that got compromised didn’t have MFA enabled, that’s it. Claim denied. You’re on your own for the six-figure recovery costs.
Making It Less Terrible
The good news is that MFA in 2026 is better than it used to be. Not good, but better. You’re not stuck with those horrible SMS codes that never arrive when you need them. Modern authentication apps are faster. Hardware security keys work better. Some services even use passwordless authentication now, which sounds scarier but is actually more convenient once you get used to it.
The key is implementing it intelligently. You don’t need to make people authenticate every single time they access their email if they’re on a trusted device on your network. You can set reasonable timeout periods. You can use conditional access policies that only trigger extra authentication when something looks suspicious, like a login from an unfamiliar location.
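Two of the points above lend themselves to a small worked example: the post-breach audit that reads authentication logs for accounts that signed in without ever completing MFA, and a conditional access rule that only steps up authentication when a sign-in is from an untrusted device, an unfamiliar location, or outside a reasonable freshness window. The block below is an added example, not code from the original post or from any identity provider; the key=value log format, the sample sign-ins, the 12-hour freshness window, and the single familiar country are constructed assumptions for illustration.

```python
"""Conditional-access decisions and an MFA coverage audit over sign-in logs.

Added example (not the post's or any vendor's code). Log format, sample
events, and policy thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    user: str
    ts: datetime
    success: bool
    mfa: bool             # a second factor was completed on this sign-in
    device_trusted: bool  # firm-managed / enrolled device
    country: str
    ip: str


@dataclass
class Policy:
    familiar_countries: frozenset                 # where the firm operates (assumption)
    mfa_ttl: timedelta = timedelta(hours=12)      # how long a completed MFA stays fresh (assumption)


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line of space-separated key=value pairs."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return SignIn(
        user=f["user"],
        ts=datetime.fromisoformat(f["ts"]),
        success=f["result"] == "success",
        mfa=f["mfa"] == "yes",
        device_trusted=f["device"] == "trusted",
        country=f["country"],
        ip=f["ip"],
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def decide(event: SignIn, policy: Policy, last_mfa: dict) -> str:
    """What the policy requires for this attempt, evaluated before any factor is checked.

    "allow" only when the device is trusted, the country is familiar, and the
    user completed MFA within policy.mfa_ttl; anything else steps up to MFA.
    """
    if event.country not in policy.familiar_countries:
        return "require_mfa"
    if not event.device_trusted:
        return "require_mfa"
    prev = last_mfa.get(event.user)
    if prev is not None and event.ts - prev <= policy.mfa_ttl:
        return "allow"
    return "require_mfa"


def simulate(events: list, policy: Policy) -> list:
    """Replay sign-ins in time order; returns (user, timestamp, decision) per event."""
    last_mfa, decisions = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        decisions.append((e.user, e.ts.isoformat(), decide(e, policy, last_mfa)))
        if e.success and e.mfa:          # record the factor the user actually completed
            last_mfa[e.user] = e.ts
    return decisions


def accounts_without_mfa(events: list) -> list:
    """The insurer's question: which accounts signed in successfully but never used MFA?"""
    signed_in = {e.user for e in events if e.success}
    used_mfa = {e.user for e in events if e.success and e.mfa}
    return sorted(signed_in - used_mfa)


def suspicious_signins(events: list, policy: Policy) -> list:
    """Successful sign-ins with no MFA from an untrusted device or unfamiliar country."""
    return [(e.user, e.ts.isoformat()) for e in sorted(events, key=lambda e: e.ts)
            if e.success and not e.mfa
            and (not e.device_trusted or e.country not in policy.familiar_countries)]


# Constructed sample log: one user who did MFA in the morning, one who never did.
SAMPLE_LOG = """
ts=2026-03-10T08:02:00+00:00 user=maria result=success mfa=yes device=trusted country=US ip=203.0.113.10
ts=2026-03-10T13:30:00+00:00 user=maria result=success mfa=no device=trusted country=US ip=203.0.113.10
ts=2026-03-10T23:45:00+00:00 user=maria result=success mfa=no device=trusted country=US ip=203.0.113.10
ts=2026-03-11T02:10:00+00:00 user=maria result=success mfa=no device=untrusted country=RO ip=198.51.100.7
ts=2026-03-10T09:15:00+00:00 user=dan result=success mfa=no device=trusted country=US ip=203.0.113.22
ts=2026-03-10T09:16:00+00:00 user=dan result=failure mfa=no device=untrusted country=US ip=198.51.100.9
"""
POLICY = Policy(familiar_countries=frozenset({"US"}))
EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for user, ts, decision in simulate(EVENTS, POLICY):
        print(f"{ts} {user:6} -> {decision}")
    print("accounts that never used MFA:", accounts_without_mfa(EVENTS))
    print("no-MFA sign-ins from untrusted device or unfamiliar country:",
          suspicious_signins(EVENTS, POLICY))
```

On the sample data the policy prompts maria once in the morning, lets her afternoon sign-in through on the trusted device within the window, and steps up again for the late-night sign-in and for the one from an unfamiliar country on an unmanaged device; dan is the account an auditor would flag, because he signed in successfully without ever completing a second factor.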
You need to train your people not just on how to use MFA, but also on why it matters. Not with scare tactics, but with reality. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether that’s stolen credentials, social engineering, or simple mistakes. Tell your team about the law firm down the street that got hit with ransomware because someone clicked a phishing link. Tell them about the accounting practice that had client tax returns published online because their insurance claim got denied. Make it real, because it is real.
The Reality of Small Business Ransomware Protection
Look, if I’m being completely honest with you, which I always am, no security measure is going to stop a determined, sophisticated attacker who specifically targets your firm. But you’re probably not going to get specifically targeted. What you’re trying to protect against is being the easy target, the firm that criminals hit because you’re vulnerable and they know it.
Multi-factor authentication is one piece of a larger endpoint security solution. You also need proper backups, security monitoring, email filtering, security awareness training for your team, and someone who actually knows what they’re doing managing all of it. But MFA is the piece that insurance companies look for first, and for good reason.
If you haven’t implemented multi-factor authentication yet, start now. Check with your cyber insurance carrier about their specific requirements, because they vary. Get your critical systems secured first: email, financial software, anything that touches client data, and any way your team accesses your network remotely.
And when your team complains, which they will, remember that their annoyance is temporary. A ransomware attack isn’t.
Quick and Easy
Multi-factor authentication blocks 99.9% of automated attacks and is now required by most cyber insurance policies. While your team will find it annoying, the alternative of ransomware attacks and denied insurance claims is far worse for professional services firms.
Let’s talk about something most IT companies won’t discuss openly: how much managed IT services in Southern California actually cost and why.
We’ve been serving professional services firms in Southern California for over 35 years, and one of the most common questions we hear is: “What should we actually be paying for IT support?” The frustration behind that question is real. Business leaders know they need professional technology consulting, but the pricing landscape feels deliberately opaque.
So here’s an honest breakdown of the cost of managed IT support services.
The Basic Numbers for 2026
For professional services firms in the 50-150 employee range, including accounting practices, law offices, and property management companies, managed IT services in Southern California typically range from $150-$250 per user per month.
Yes, that’s a wide range for IT support costs. Why?
The lower end ($150-$175 per user) usually includes:
- Basic helpdesk support during business hours
- Standard security monitoring
- Patch management for operating systems
- Basic cloud email support (Microsoft 365 or Google Workspace)
The higher end ($200-$250 per user) typically includes:
- 24/7 helpdesk availability
- Advanced threat protection
- Compliance support (HIPAA, CMMC, PCI, SOC 2)
- Strategic technology planning
- Dedicated account management
What Most Companies Won’t Tell You About IT Services Pricing
The IT industry has markup rates that range from 200% to 1000% on certain services and products. That’s not a typo.
A business-grade laptop that costs an IT provider $800 might be sold to you for $1,600 or more. Microsoft 365 deployment licenses that cost the provider $22 per month might appear on your bill at $35 per month. Network equipment, software subscriptions, security tools – all of these commonly have substantial markups in managed IT support services.
We’re not saying this to criticize other providers. Running an IT service business has real costs: experienced technicians command high salaries in Southern California, insurance is expensive, ongoing training is necessary, and the tools we use to monitor and protect your systems aren’t cheap.
We believe in transparency about fair-priced managed IT services. You should understand what you’re paying for and why.
What “Managed Services” Actually Means
This is where the confusion really happens with IT support. “Managed IT services” can mean drastically different things depending on who’s providing them.
Some companies use “managed services” to mean “we’ll fix things when they break.” That’s not managed services. That’s break-fix support with a monthly retainer.
True managed IT services for professional services means:
Proactive monitoring. We’re watching your systems 24/7 and addressing issues before they affect your team. According to Cyber adAPT and the Aberdeen Group, proactive monitoring can reduce downtime by up to 70% compared to reactive support models.
Strategic planning. We’re not just keeping the lights on. We’re helping you plan technology investments that align with your business growth and IT roadmap development.
Security as a foundation. Security isn’t an add-on for small business IT consulting. It’s built into everything we do, from how we configure new workstations to how we manage your network access.
Vendor management. We handle relationships with software companies, internet providers, and hardware vendors. You shouldn’t need to call five different companies when something goes wrong.
The Hidden Costs of Cheap IT Support
We regularly talk with professional services firms that are paying $75-$100 per user per month for “managed services.” Here’s what usually happens with cheap IT support:
They’re getting reactive support, not proactive management. When something breaks, someone fixes it. But nobody’s watching for warning signs. Nobody’s planning for technology growth. Nobody’s ensuring compliance with industry standards.
Then something major goes wrong. A server fails. A ransomware attack hits. A compliance audit reveals security gaps. Suddenly, they’re facing emergency bills that dwarf whatever they saved on monthly IT support costs.
The Rule of Thumb for IT Support Costs
If you want a very general rule of thumb for managed IT services, expect to spend about $200 per user per month for quality services in Southern California. That should cover comprehensive support, reasonable response times, proactive monitoring, and basic security measures.
If you need additional compliance support, advanced security measures, or 24/7 availability, expect that number to increase by $50-$75 per user for professional services technology.
If someone quotes you significantly less, ask detailed questions about what’s included in managed IT support services. You might be getting a great deal, or you might be getting break-fix support disguised as managed services.
Quick and Easy
Managed IT services in Southern California cost $150-$250 per user per month, with $200 being typical for professional services firms, but many companies charging $75-$100 are providing reactive support rather than true managed services. According to CompTIA, the nationwide average is $182 per user, and cheap IT often leads to catastrophic emergency costs that exceed any monthly savings.
Remember when you could spot a phishing email because it had terrible grammar or came from a weird email address?
Those days are over.
Research from Hoxhunt showed that by March 2025, AI-generated phishing attacks had become more effective than those created by elite human security experts. The AI didn’t just catch up; it surpassed the best humans at social engineering.
Let that sink in. The people whose entire job is creating realistic phishing simulations to test your employees? AI is better at it than they are.
The Scale of the AI Phishing Problem
According to the World Economic Forum, phishing and social engineering attacks increased 42% in 2024. That was before AI really hit its stride.
The attacks aren’t just better written anymore. They’re contextual and arrive at the exact right time. They reference real projects, real people in your organization, and real deadlines.
Google’s 2026 forecast warns that attackers are using AI to create emails that are essentially indistinguishable from legitimate communication.
This is what that looks like in practice:
You receive an email from your CFO requesting an urgent invoice payment. It uses her exact writing style. It references the specific vendor you’ve been working with. It arrives right when you’d expect such a request. The email address looks right. The signature looks right. Everything looks right.
Except it’s not from your CFO. It’s from an AI that studied 50 of her previous emails and generated a perfect forgery.
Voice Cloning: The New Frontier
Email isn’t even the scariest part anymore.
A tech journalist recently demonstrated that she could clone her own voice using cheap AI tools and fool her bank’s phone system – both the automated system and a live agent – in a five-minute call.
Think about what that means for your business. Your CFO gets a call that sounds exactly like your CEO: voice, cadence, the way they clear their throat, everything. It’s asking for an urgent wire transfer for a time-sensitive deal.
How do you defend against that?
Why Traditional Phishing Training Fails Against AI
Your annual security training tells employees to look for:
- Spelling and grammar errors (AI doesn’t make these mistakes)
- Generic greetings (AI personalizes everything)
- Suspicious sender addresses (AI uses compromised legitimate accounts)
- Urgent requests (legitimate urgent requests also sound urgent)
- Links that don’t match the display text (AI uses legitimate-looking domains)
Every single indicator you’ve trained people to watch for? AI bypasses them.
What Actually Works Against AI-Generated Phishing
The old training about “look for spelling errors” is dead. Your employees need to understand that verification matters more than urgency.
Use these practices to protect yourself and your team:
Slow down when things feel urgent. Urgency is the weapon. If someone’s asking for sensitive information or money transfers, that urgency should trigger caution, not immediate compliance.
Verify through a different channel. Email says it’s from your CEO? Call them on a known number. Text message from your bank? Call the number on your card, not the one in the message. Voice call asking for a transfer? Hang up and call back.
Trust your judgment about whether requests make sense. Does your CEO normally ask for wire transfers via text? Does your IT department usually request password resets through email? If the method doesn’t match the request, verify.
Create a culture where questioning is safe. Your employees need to know they won’t get fired for double-checking whether the CEO really sent that request. These attacks exploit hierarchy and time pressure.
The Reality for Professional Services Firms
The accounting firms, law offices, and property management companies we work with are particularly vulnerable to these attacks because:
- They handle sensitive financial information
- They regularly process wire transfers
- They work with clients who expect fast responses
- They have hierarchical structures that discourage questioning authority
One immigration law firm we work with almost lost $180,000 to an AI-generated email that perfectly mimicked its managing partner’s communication style, requesting an urgent retainer transfer. The only thing that saved them was an associate who thought the request was weird enough to verify in person.
That associate didn’t stop the attack because they spotted technical indicators. They stopped it because something felt off, and they were empowered to question it.
What This Means for Your Business
You need to update your security training immediately. Not next quarter. Not when the budget allows. Now.
The training needs to focus on:
- Verification procedures that work regardless of how legitimate something appears
- Creating psychological safety for employees to question urgent requests
- Understanding that AI can fake anything visual or auditory
- Practicing what to do when something seems both urgent and suspicious
You need to practice these procedures regularly. Not once a year during security awareness month. Monthly at minimum.
Because the attacks are getting better every single day. Criminals using them no longer need your employees to click a suspicious link. They need your employees to trust their eyes and ears when they shouldn’t.
Quick and Easy
AI-generated phishing attacks now outperform human security experts, with attacks increasing 42% in 2024. AI generates emails and phone calls that are indistinguishable from legitimate communication, bypassing traditional phishing indicators such as spelling errors, generic greetings, and suspicious links. Voice cloning technology can fool both automated systems and live humans. Traditional training focusing on spotting errors no longer works. Instead, businesses need verification procedures that work regardless of appearance, cultures where questioning authority is safe, and regular practice with realistic scenarios. Professional services firms are particularly vulnerable due to their hierarchical structures and regular financial transactions. The key defense is slowing down when things feel urgent and verifying through different channels.