Every vendor in the technology industry will tell you to move to the cloud. What they won’t tell you is whether moving to the cloud is the right decision for your firm.
I’ve been doing this for 35 years. I’ve watched the industry cycle through mainframes, desktops, servers, and the cloud, and in every era, the companies selling infrastructure find a way to make their solution sound like the only one that makes sense. The cloud is genuinely useful, but also genuinely oversold. My job is to tell you which is which for your specific situation.
What “The Cloud” Means for a Professional Services Firm
Before we get into when to migrate and when not to, let’s be clear about what we’re talking about.
When most firms ask about cloud migration, they’re usually asking about one of three things: moving email and productivity tools to a hosted platform like Microsoft 365 or Google Workspace, moving file storage and document management off local servers and into a cloud service, or moving line-of-business software like practice management, accounting, or property management platforms to hosted versions.
These are different decisions with different tradeoffs. Treating them as one question is where a lot of firms go wrong.
Where Cloud Migration Makes Clear Sense
Email and productivity tools
This one is mostly settled. Running your own on-premises Exchange server to host email for a 50-person accounting firm stopped making practical sense years ago. A Microsoft 365 deployment handles uptime, security patching, spam filtering, and backups at a cost that no small firm can match when running its own infrastructure.
The same goes for collaboration tools. When your attorneys or accountants work from multiple locations, cloud-based document access and real-time collaboration in Microsoft 365 or Google Workspace are genuinely better than the alternatives. This is a cloud migration decision where the answer is almost always yes.
One thing to watch: deployment matters as much as the decision to migrate. A poorly configured Microsoft 365 environment with the wrong license tier, no multi-factor authentication, and default security settings is not better than what you had before. Cloud migration support from someone who knows professional services firm requirements is not optional. It’s the part that makes the migration work.
This is also a decision that intersects with your firm’s specific software needs. If you’re weighing which platform fits best, the considerations for law firms and accounting practices differ enough to warrant a closer look. We cover that comparison in detail.
Remote and hybrid work infrastructure
If your team works from anywhere, cloud infrastructure is not a preference, it’s a practical requirement. Local servers that staff can only access via a fragile VPN setup, or document storage that lives only on office desktops, break down quickly in a distributed work environment.
Cloud-based file storage, access controls, and productivity platforms built for remote access are what make hybrid work viable. For firms that have embraced any degree of remote work, this is another area where the migration decision usually has a clear answer. For a closer look at the security side of that equation, Remote work security for professional services firms is worth reading alongside this post.
Disaster recovery and backup
Your backup strategy should have a cloud component. Full stop. Local backups that reside in the same building as the systems they back up are not a recovery strategy. They’re a false sense of security. Cloud-based backup solves that problem directly, and the cost is low enough that there’s no reasonable argument against it for any firm.
Where the Cloud Argument Gets Weaker
Specialized line-of-business software
Many professional services firms run software that is specific to their industry: tax platforms, legal document management systems, and property management databases. The hosted versions of these applications are not always better than on-premises versions, and they are often significantly more expensive on a per-user subscription model.
Before migrating a line-of-business application to a hosted cloud version, do the math. What is the annual cost per user for the cloud version versus the cost of running the application on your existing server infrastructure? Include the IT support cost for server maintenance, but be honest about it. For firms with managed IT support already in place, the incremental cost of maintaining a single application server is often lower than many assume.
There are cases where the cloud version wins. There are cases where it doesn’t. The calculation is worth doing before the vendor does it for you.
When your connection is the problem
Cloud infrastructure runs on internet connectivity. If your office has unreliable internet or your team works in locations with limited bandwidth, moving critical applications to the cloud can create a reliability problem that didn’t exist before.
I’ve seen firms migrate enthusiastically, then discover that their 25-person office shares a business internet connection that simply wasn’t designed for the load. Before any significant cloud migration, your network infrastructure needs an honest assessment. This step is skipped more often than it should be.
When compliance requirements restrict your options
Accounting firms, law offices, and property management companies handle sensitive client data. Depending on your specific situation, the cloud environment you choose and how it’s configured may need to meet particular security and compliance standards.
This doesn’t mean you can’t use cloud platforms. Microsoft 365 and Google Workspace both have configurations that meet demanding compliance requirements. It does mean the migration needs to be designed with those requirements in mind, not retrofitted after the fact. If your cyber insurance requires specific data handling controls, or your clients have contractual requirements around data residency, those need to be on the table before you sign up for a cloud service.
Cyber insurance requirements around data handling have tightened considerably in the past two years. Understanding what your policy requires is a conversation in itself.
The Question Nobody Asks
I find myself having this conversation fairly often. A managing partner or office manager tells me they want to move everything to the cloud. When I ask why, the answer is usually something like, “because that’s where everything is going” or “because our current setup is frustrating.”
Those are not the same problem, and they don’t have the same solution.
If your current setup is frustrating because local servers are aging, backups are unreliable, and remote access is painful, cloud migration probably does solve that. If your current setup is frustrating because your software is poorly configured, your hardware is underpowered, or your IT support isn’t keeping up, migrating to the cloud can move the same problems into a new environment and add a subscription fee on top.
The cloud is a location, not a fix.
Before any migration conversation, I recommend an honest technology assessment. What’s breaking? What does your team need? What does it cost to solve the problem on-premises versus in the cloud? Once you have real answers to those questions, the right path forward is usually obvious.
If you want to work through that assessment for your firm, that’s a conversation worth having. C2 Technology Partners works exclusively with professional services firms in Southern California, and we’ve been through this decision enough times to give you a straight answer without a sales agenda attached.
I have had this conversation more times than I can count. Someone buys a laptop at Costco for $300, hands it to a paralegal or a bookkeeper, and calls it a day. Six months later, they’re on the phone with me, wondering why everything is slow and what we’re going to do about it.
What I tell them is that the $300 laptop and the $1,300 laptop look almost identical in the store: same screen, same keyboard, same ports. On the surface, they act the same, too, for about the first three months. After that, the differences become very clear, and they’re the kind of differences that cost you real money.
What You’re Paying For
Consumer-grade laptops sold at big box retailers are built to a price point. That’s not an opinion, it’s a manufacturing reality.
The components inside a budget machine are sourced for cost, not durability. The processor handles basic tasks but struggles under the load of business software. The storage drives are slower and wear out faster. The build quality is lighter because lighter means cheaper materials, and cheaper materials mean shorter lifespans. Memory is often the minimum required for the thing to boot.
Business-class laptops are built differently. The processors are selected for sustained workloads. The storage is faster and rated for higher read-write cycles. The chassis is more durable because the people buying them need them to last four or five years, not one or two. Quality assurance testing is more rigorous because the buyer notices when a machine fails.
None of that is marketing. It’s component selection.
The Real Math on Cheap Technology
A $300 laptop that lasts two years before becoming a productivity problem costs your firm significantly more than the purchase price.
Consider what happens when that machine starts underperforming. Staff spend time waiting on slow load times. IT support time goes up. If the device fails outright, you’re dealing with downtime, potential data recovery costs, and the disruption of getting a replacement deployed quickly. Factor in lost billable hours for the person who can’t work normally during any of that.
Research cited by Atlassian puts the average cost of IT downtime at $5,600 per minute, and a failing laptop is a reliable, recurring source of exactly that kind of unplanned outage.
A $1,300 machine that stays reliable for four to five years, with minimal support overhead, almost always wins on total cost. The math isn’t complicated once you stop looking at the purchase price in isolation.
The Quality Decline Problem Nobody Talks About
This topic is personal for me. I was a Dell advocate for years: reliable machines, consistent business-line products, and good support. I can’t say that anymore. I won’t recommend most of their consumer products today, and I’m not alone in that assessment.
The decline in the quality of technology hardware has been real and measurable over the past decade. What most people don’t know is why.
Before the pandemic, a series of disasters hit semiconductor and component manufacturers across Asia, particularly in Taiwan, Japan, and Malaysia. Floods, fires, and factory shutdowns degraded supply chains that had taken decades to build. That infrastructure has not fully recovered.
Then the pandemic hit, which compounded everything. Component shortages forced manufacturers to substitute materials and suppliers at every level of the supply chain. Some of those substitutions became permanent because the economics worked in the short term.
Layered on top of that is a straightforward business reality: public companies face relentless pressure to extract margin from their products. The easiest place to find margin without raising prices is to reduce the quality of what’s inside the box. Consumers rarely crack open their laptops to inspect the components. That created an opening, and many manufacturers took it.
The result is that you cannot shop by brand name the way you could ten years ago. A brand that produced excellent business hardware in 2015 may be producing mediocre hardware today from the same product line.
What This Means for Device Lifecycle Management
Workstation setup and deployment for professional services firms need to account for all of this.
A replacement cycle of four to five years is standard guidance for business-class hardware, but only if you’re buying business-class hardware to begin with. Consumer devices often can’t make it that far without significant performance degradation, which means you’re replacing them more frequently and paying IT support costs along the way.
The firms I work with that invest in quality hardware upfront have more predictable technology budgets and fewer emergency support calls. The ones that buy cheap get a short-term win on the purchase order and a long-term headache on everything else.
Spend $1,300 on a machine that your attorney or accountant uses reliably for five years, and you’ve spent $260 per year on that device. Buy a $300 machine that needs replacing in two years, and the per-year cost is $150 before you count a single hour of downtime or support.
The numbers get closer than people expect.
A Practical Buying Framework
When I’m advising firms on device procurement, I look at a few specific factors.
What software are these users running? Tax and legal software is resource-intensive. A machine sized for web browsing and email will struggle with it. Match the device to the actual workload, not to the lowest acceptable price.
Who is the user? A partner at a law firm or a CPA signing off on returns needs a reliable machine without fail. An intern doing administrative work might be fine with something less expensive. Not every seat requires the same investment.
What’s the warranty and support structure? Business-class machines from reputable manufacturers typically come with on-site service warranties. Consumer devices don’t. For a 50-person professional services firm, that distinction matters when something breaks.
Finally, what does replacement cost your firm? Include IT labor for setup and deployment, any data migration, and the disruption to the person whose machine just died.
Once you factor all of that in, the $300 laptop rarely looks like the savings it appeared to be at checkout.
Technology planning for business growth means treating your devices as assets rather than expenses. A device lifecycle management strategy, built around quality hardware and realistic replacement cycles, will cost your firm less over time and save you more headaches than I can count.
If you’re not sure whether your current hardware is serving your team well or quietly costing you, reach out. We do this assessment regularly for professional services firms across Southern California, and the conversation doesn’t cost you anything.
Remote work is no longer a temporary arrangement that your firm is managing. It’s how your people work now, and the security gaps it created are still wide open.
Most professional services firms handled the transition to remote work the same way. They handed out laptops, set up VPN access, and called it done. That approach was fine in 2020 when everyone was scrambling. In 2025, it’s a liability.
The firms we work with across accounting, law, and property management all share similar setups: attorneys reviewing client files from home networks, accountants accessing tax software from personal devices, and property managers processing payments from coffee shops. Every one of those scenarios introduces a risk that a basic VPN was never designed to cover.
Your Home Network Is Not Your Firm’s Network
Office networks are managed. Home networks are not. That difference is significant.
When your staff works from home, they’re connecting through consumer-grade routers that often run outdated firmware, have never had their default passwords changed, and share bandwidth with every smart TV, gaming console, and doorbell camera in the house. Your firm’s data is traveling through that environment.
The fix is not complicated. Requiring employees to connect through a business VPN is a start, but it’s not sufficient on its own. The stronger approach is zero-trust network access, which means every connection is verified before it reaches your systems, regardless of its origin. This is increasingly standard for firms handling sensitive client data, and it also matters for cyber insurance qualification.
If your current IT setup does not include a defined remote access policy, that gap should be addressed first.
Multi-Factor Authentication Is Not Optional
If your staff can log into client files, billing systems, or email with just a username and password, your firm is exposed. Full stop.
According to Microsoft, multi-factor authentication (MFA) blocks over 99.9% of automated account compromise attacks. It is the single highest-return security measure available to small and mid-sized firms, and it costs almost nothing to implement correctly.
The challenge we see most often is not firms refusing to implement MFA. It’s firms that enabled it inconsistently, or skipped certain applications because they were inconvenient. An accounting firm might have MFA on email but not on their practice management software. A law office might have it enabled for partners but not for support staff.
That inconsistency is where breaches happen.
MFA needs to be applied uniformly across every application that accesses client data. That includes email, document storage, billing, and any line-of-business software your staff uses remotely. Hybrid work infrastructure planning should treat authentication as a foundation, not an afterthought.
Devices Are the Weakest Link in a Distributed Workforce
When everyone worked from the office, your IT team could see every device on the network. They could push updates, enforce policies, and spot problems. Remote work changed that dynamic completely.
The device your paralegal is using at home right now, are you certain it has current security patches? Do you know whether it’s running endpoint protection? If it were lost or stolen, could your team wipe it remotely?
For professional services firms, the answers to those questions need to be yes. Client confidentiality requirements, insurance obligations, and, in many cases, bar association or state CPA board standards require it.
Device management for remote employees means a few specific things in practice. Every firm-issued device should have endpoint detection and response software installed. Automatic updates should be enforced, not left to the discretion of individual employees. Also, remote wipe capability should be configured before devices leave the office, not after something goes wrong.
Personal Devices Are a Different Problem
Many firms allow employees to use personal computers or phones to access work systems. This is common and often unavoidable, particularly in smaller offices. It is also genuinely difficult to manage from a security standpoint.
You cannot install corporate security software on a personal device without creating legal and privacy complications. What you can do is control what those devices can access and how they can access it.
Mobile device management policies can enforce minimum security standards before a personal device is granted access to firm systems. Requiring a PIN, enabling device encryption, and preventing downloads of client files to local storage can all be enforced through the right configuration, even on personal devices. Your remote IT support strategy should account for this distinction.
If your firm has not made a clear decision about personal device access, it is worth making one now. Either allow it with defined controls in place, or restrict it and provide firm-issued devices where needed.
The Security Conversation You Are Not Having With Your Staff
Most data breaches in professional services firms do not start with sophisticated attacks. They start with a staff member clicking a link in a phishing email while working from home, without the informal safeguards that exist in a physical workplace.
In an office, someone might turn to a colleague and ask, “Did you see this email from a client?” That quick check happens naturally. Remote employees make those judgment calls alone.
Security awareness training is not a one-time checkbox. It needs to be ongoing, specific to the threats targeting professional services firms, and directly tied to the tools your staff uses. Credential theft targeting law firms and accounting practices is a documented and growing problem. Your training program should reflect that.
What This Looks Like in Practice
Getting remote work security right for a professional services firm does not require a large IT budget. It requires a clear-eyed assessment of where your gaps are, and a plan to close them in order of priority.
Start with an honest inventory. Which applications can staff access remotely? Which devices are being used? Is MFA enabled everywhere it should be? Are remote access policies documented?
From there, the path forward is usually straightforward. The firms that struggle are the ones that have never asked the questions.
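One way to turn that inventory into a repeatable check, as an added example that is not part of the original post. The application and device records, group names, and field names are constructed assumptions; the rules are the ones this post states (MFA for every staff group on every remotely accessible application that handles client data; EDR, enforced updates, and remote wipe on firm-issued devices; PIN, encryption, and blocked local downloads on personal devices).

```python
"""Audit a remote-work inventory against the controls described in this post.

All records below are constructed sample data; field and group names are
assumptions made for this example, not output from any real tool.
"""
import csv
import io

# Constructed inventory: one row per (application, staff group).
APPS_CSV = """app,handles_client_data,remote_access,group,mfa_enforced
email,yes,yes,partners,yes
email,yes,yes,support_staff,yes
practice_mgmt,yes,yes,partners,yes
practice_mgmt,yes,yes,support_staff,no
billing,yes,yes,partners,no
lunch_ordering,no,yes,support_staff,no
"""

# Constructed inventory: one row per device that reaches firm systems.
DEVICES_CSV = """device,owner,ownership,edr,auto_update_enforced,remote_wipe,pin,encrypted,local_download_blocked
LT-001,paralegal1,firm,yes,yes,yes,yes,yes,no
LT-002,cpa2,firm,yes,no,no,yes,yes,no
PH-101,assoc3,personal,no,no,no,yes,no,no
PC-102,bookkeeper4,personal,no,no,no,yes,yes,yes
"""

# Controls the post requires on firm-issued devices.
FIRM_DEVICE_CONTROLS = ("edr", "auto_update_enforced", "remote_wipe")
# Controls a device policy can require of personal devices before access.
PERSONAL_DEVICE_CONTROLS = ("pin", "encrypted", "local_download_blocked")


def _rows(text):
    """Parse CSV text into dicts, turning yes/no cells into booleans."""
    flags = {"yes": True, "no": False}
    return [{k: flags.get(v.strip().lower(), v.strip()) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def audit_mfa(app_rows):
    """Return (app, kind, groups_without_mfa) for in-scope apps with gaps.

    In scope: remotely accessible applications that handle client data.
    kind is "inconsistent" when only some groups lack MFA, "absent" when all do.
    """
    by_app = {}
    for r in app_rows:
        if r["handles_client_data"] and r["remote_access"]:
            by_app.setdefault(r["app"], []).append(r)
    findings = []
    for app, rows in sorted(by_app.items()):
        missing = sorted(r["group"] for r in rows if not r["mfa_enforced"])
        if missing:
            kind = "inconsistent" if len(missing) < len(rows) else "absent"
            findings.append((app, kind, missing))
    return findings


def audit_devices(device_rows):
    """Return (device, ownership, missing_controls) for non-compliant devices."""
    findings = []
    for r in device_rows:
        required = (FIRM_DEVICE_CONTROLS if r["ownership"] == "firm"
                    else PERSONAL_DEVICE_CONTROLS)
        missing = [c for c in required if not r[c]]
        if missing:
            findings.append((r["device"], r["ownership"], missing))
    return findings


def run_audit(apps_csv=APPS_CSV, devices_csv=DEVICES_CSV):
    """Run both audits and return the findings keyed by area."""
    return {"mfa": audit_mfa(_rows(apps_csv)),
            "devices": audit_devices(_rows(devices_csv))}


if __name__ == "__main__":
    report = run_audit()
    for app, kind, groups in report["mfa"]:
        print(f"MFA {kind} on {app}: not enforced for {', '.join(groups)}")
    for device, ownership, missing in report["devices"]:
        print(f"{device} ({ownership}): missing {', '.join(missing)}")
```

The "inconsistent" findings are the pattern this post warns about: an application protected for one staff group and left open for another.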
If you want to run through that inventory, C2 Technology Partners offers a no-pressure remote work security assessment for professional services firms in Southern California. It takes about an hour and gives you a clear picture of where you stand.
Your software vendor does not care whether your business survives an outage, a price increase, or a forced platform migration. They care about your renewal. Those are not the same thing, and the sooner you build your IT strategy around that fact, the better off you will be.
I want to be fair here. I am not saying software vendors are villains. They are businesses. They have investors, payroll, and pressure to grow revenue. However, their incentives are structurally misaligned with yours, and pretending otherwise costs businesses money every single year.
What Vendor Mercenary Behavior Actually Looks Like
It rarely announces itself. It shows up in the details.
Licensing that stores your data in proprietary formats you cannot easily export. Price increases that arrive with 30 days’ notice, which gives you no realistic time to evaluate alternatives, negotiate, or move. Support tiers that make what used to be a standard service request into a premium feature. “Integration partnerships” that are really artificial barriers to using competing tools. Security features that exist at enterprise pricing tiers but not the small business plan you are on, which means the capability exists but the vendor has decided your size does not merit access to it.
I see the Microsoft 365 markup issue all the time in this industry. You can look up Microsoft’s pricing directly. A lot of IT firms mark up those licenses anywhere from 200 to 1,000 percent without ever explaining what the markup covers or why. At C2, we tell clients exactly what we are marking up and why. That is not the industry norm. It should be.
None of the behaviors I described above are illegal. Most of them are rational from the vendor’s perspective. But they are not aligned with your interests, and knowing that going in is different from figuring it out when you are locked in.
The Lock-in Nobody Notices Until They Try to Leave
The most expensive vendor relationship is not the one with the highest monthly bill. It is the one you cannot exit without a major disruption to your business.
Think about your practice management software, your document storage platform, your client portal. If you decided tomorrow that you wanted to move to a competing product, what would that actually look like? How long would it take? How much would it cost? What data might you lose or have to manually recreate?
For most professional services firms, the honest answer is “more than we want to think about.” That is not always a problem. Some vendor relationships are worth the dependency because the switching cost is genuinely higher than the cost of accepting the terms. However, you should arrive at that conclusion consciously, not by default.
The firms that get hurt are the ones that discover their exposure when the vendor raises prices by 40 percent and the realistic alternative is six months of migration work at the worst possible time.
What You Can Realistically Manage Yourself
I try to be honest with clients about the line between what they can handle and what they should bring to us.
Things most professional services firms can manage without IT help: exporting your own data periodically to verify you actually can, keeping a plain-language record of what tools you use and what they cost, reading renewal notices before approving them, and maintaining a vendor contact list somewhere outside the software itself. These sound obvious. Most businesses do not do them.
Things you should probably not try to manage without help: migrating data between platforms, evaluating the security implications of a new vendor contract, negotiating enterprise licensing terms, or building redundancy around a tool that is critical to daily operations.
Being clear about that line is more useful than pretending either that you can handle everything or that you need to outsource every decision.
Three Things You Can Do This Month
Export a copy of your data from your two most critical platforms. Just to see if you can. The experience of trying will tell you more than any vendor FAQ. If the export option does not exist or the output is unusable, that is information worth having now.
Read the terms of your next software renewal before you approve it. Look specifically for language about data portability, price adjustment clauses, and what happens to your data if you cancel. It will not be exciting reading. It will be useful.
Ask your IT partner: if we needed to move off this platform in 90 days, what would that actually look like? If your IT partner cannot answer that question clearly and specifically, that is also information worth having.
The Honest Part
Some vendor lock-in is unavoidable and some of it is worth accepting. The goal is not to be vendor-free. It is to make those choices with your eyes open rather than discovering your exposure when the leverage has already shifted entirely to the vendor’s side.
The firms I have watched get hit hardest by this are not the ones that made bad decisions. They are the ones that made no decision at all, and let default inertia build dependencies they were not aware of until something forced them to look.
Technology is a tool. Like any tool, it can be built improperly, it can be misused, and it can fail at the worst possible moment. Understanding who actually controls that tool, and what happens when their priorities stop aligning with yours, is part of running a business in 2026. It is just not a part anyone talks about much.
If you want to take stock of where your real dependencies are and what your options look like, we are happy to have that conversation.
Quick and Easy: Software vendors build their businesses around keeping you subscribed, not around making it easy to leave, and that is a rational business decision that just happens to conflict with your interests. Understanding which tools your firm genuinely cannot exit quickly, and what that exposure actually costs, is one of the most underrated parts of technology planning for professional services firms. Start by trying to export your own data and reading the next renewal notice before you click approve.
I need to tell you about a conversation I had last year with a property management firm that thought they had off-site backup. Their office manager was taking home an external hard drive every Friday night and bringing it back Monday morning. When I asked them what would happen if there was a fire in the office on a Tuesday, they suddenly realized their “off-site” backup was sitting in a drawer ten feet from the server it was supposed to be protecting.
This is more common than you’d think. Lots of businesses believe they have off-site backup when what they actually have is backup that occasionally leaves the building but spends most of its time in the same disaster zone as their primary data.
What Off-Site Actually Means
Off-site backup means your data is stored in a location that is geographically separate from your primary location and would not be affected by any disaster that could reasonably hit your main office. The point is to protect you from localized disasters: fires, floods, theft, ransomware, power surges, angry former employees, and all the other ways that everything in one physical location can be destroyed or compromised simultaneously.
According to FEMA’s disaster statistics, 40% of businesses never reopen after a disaster, and another 25% fail within one year. Off-site backup is your insurance policy against being in those statistics.
Cloud backup is genuinely off-site. When your data is stored in a data center in another state, a fire in your office doesn’t touch it. A flood in your building doesn’t reach it. Ransomware that encrypts every computer on your network can’t encrypt data that’s not connected to your network at that moment.
The Problems with ‘Portable’ Off-Site Backup
The external hard drive that goes home with an employee seems like a reasonable approach, and it’s better than nothing, but it has some serious problems that most businesses don’t think about until it’s too late.
First, it’s only off-site part of the time. If your disaster recovery planning assumes you always have an off-site backup available, but that backup is actually in the building 70% of the time, your plan has a 70% chance of failing when you need it.
Second, portable drives get lost, damaged, or stolen. They get left in cars that get broken into. They get knocked off desks. They get erased accidentally. They get run over in parking lots. I’ve seen all of these happen. Kroll Ontrack’s data recovery statistics show that portable drives have a 25% higher failure rate than stationary drives, primarily due to physical damage from transport and handling.
Third, and this is the big one that nobody thinks about, portable drives that get plugged into your network regularly can be compromised by ransomware just like everything else on your network. If your backup drive is connected to an infected computer when the ransomware decides to encrypt everything it can reach, congratulations, your backup just got encrypted too.
The Ransomware Problem with Connected Backups
Modern ransomware is sophisticated. According to Sophos’s State of Ransomware 2024 report, 94% of ransomware attacks attempt to compromise backups. They specifically look for backup drives, backup software, and cloud backup credentials. The entire point is to make sure you can’t recover your data without paying the ransom.
This is why business continuity planning requires truly isolated off-site backup. If your backup can be accessed from your network, it can potentially be compromised from your network. Cloud backup services that use immutable storage or versioning can protect against this. A backup drive that never connects to your network can protect against this. A backup drive that plugs in every Friday is vulnerable.
What Actually Counts as Off-Site
Cloud backup with a reputable provider absolutely counts. Services like Backblaze, Carbonite, Datto, or Veeam’s cloud offerings store your data in professional data centers that are geographically distant from your location. They use redundant storage across multiple facilities, so even if one data center has a problem, your data still exists somewhere else.
Tape backups that are physically stored off-site count. Some firms still use tape drives and rotate tapes to a safe deposit box or storage facility. This is old school, but it works. The tapes are genuinely off-site, genuinely disconnected from any network, and genuinely protected from local disasters.
Replication to a second office location can count, if you actually have a second office location that’s far enough away to not be affected by the same disaster as your primary location. A second office across town works for fire or theft. A second office in the same building does not work for anything.
The Hybrid Approach That Actually Works
For most professional services firms I work with, the answer is a hybrid approach. You keep local backup for fast recovery from common problems like accidental deletions or hard drive failures. You keep true off-site backup in the cloud for disaster recovery. And you test both regularly to make sure they actually work.
The local backup gets you back up and running in hours when someone accidentally deletes an important folder. The off-site backup gets you back up and running in days when your office floods and destroys all your hardware. Different tools for different scenarios, both important.
This is what professional disaster recovery planning looks like. Not just having backup, but having the right kinds of backup in the right locations for the right purposes. It’s not exciting. It’s not sexy. But it’s what keeps your business alive when everything goes wrong.
Quick and Easy
True off-site backup must be geographically separated from your primary location and protected from the same disasters. Cloud backup meets this requirement while portable drives that regularly connect to your network don’t, as modern ransomware specifically targets connected backup devices during attacks.
A client forwarded me a message from her internet provider a few weeks back. It warned that certain router brands might have security issues and suggested she consider upgrading to a managed service. She wanted to know if she should be worried.
I looked at the message and told her two things. First, the warning is real and the underlying concern is legitimate. Second, the way this particular company wrote it was deliberately vague, designed to create just enough unease to push her toward paying for something she may or may not need. The two facts are not mutually exclusive, and that combination is worth unpacking.
What Started the Questions
On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, which effectively bans new models from being imported or sold in the United States. The ruling cited documented cyberattack campaigns, most notably the Salt, Flax, and Volt Typhoon operations, where foreign-produced routers in homes and small offices were used as entry points to attack critical US infrastructure.
The brands affected read like a shopping list at Best Buy: TP-Link, Netgear, Asus, Linksys, Eero, Google Nest WiFi. All of them. Because virtually every consumer router on the market is manufactured outside the United States, the ban essentially covers the entire category of new product introductions until manufacturers either establish US-based production or receive individual conditional approval from the Department of Homeland Security.
Netgear has already received an exemption. Eero received conditional approval through October 2027. TP-Link, which holds roughly 65 percent of the US home router market, is still working through the process.
What This Does Not Mean
Before anyone calls me to ask if they need to throw their router in the trash, let me be direct: if you already own one of these devices and it is running fine, you are not required to do anything immediately. The FCC ruling grandfathers existing equipment. You can keep using your current router legally and indefinitely.
The ban prevents new foreign-made models from receiving FCC authorization going forward. What it does not do is criminalize the router sitting on your credenza right now.
There is, however, one real deadline buried in this that most of the coverage has glossed over. Manufacturers on the Covered List have until March 1, 2027, to issue firmware updates to existing devices. After that date, unless they have secured a conditional approval, they cannot push software patches to devices already in the field. That means a router that is fine today may gradually become a security liability as vulnerabilities emerge and fixes are no longer permitted.
Why This Matters for Your Business
What most business owners are not thinking about is the part I find most relevant for the professional services firms I work with.
The router sitting in your office is probably not the one that concerns me most right now. Business-grade networking equipment used in professional environments is generally managed differently and held to a higher standard than what you find in a consumer retail package.
What I am thinking about is the router in your employee’s home office.
You have probably had people working remotely for years now. They are accessing your systems, your client files, and your email through whatever networking equipment they set up in their living room. A lot of it is exactly the kind of foreign-manufactured consumer hardware that is now at the center of this national security discussion. Much of it has not been updated, assessed, or evaluated by anyone with any technical accountability for your business’s security.
I tell clients all the time: your security perimeter is not the four walls of your office anymore. It extends into every home where someone logs into your network. If that connection is running through a device with documented vulnerabilities and no path to a security patch after March 2027, that is a gap worth addressing.
My Honest Take
I have been watching the concerns around foreign-manufactured networking equipment for a long time. The documented attacks and vulnerabilities are real. Whether the current political moment is driving the timing of this particular ruling is a separate conversation I will spare you.
What I will say is that this is a good time to have someone take an honest look at your network, including your remote workers’ home setups, and give you a realistic assessment of where you actually stand. Not a sales pitch dressed up as a security warning. Just a straight answer about what you have, what the risks are, and what, if anything, you should actually do about it.
That is the conversation I am always happy to have.
Quick and Easy
The FCC banned new foreign-manufactured consumer routers in March 2026, citing documented national security threats. Existing devices are legally protected for now, but a March 2027 deadline for firmware updates means routers from affected manufacturers could become security liabilities. For professional services firms, the immediate priority is evaluating remote employee home networks, not just office infrastructure.
Earth Day feels like the right time to talk about technology waste, not because I am particularly sentimental about the occasion, but because most professional services firms are sitting on a device lifecycle management problem that is quietly costing them money. Nobody is talking about it in those terms.
I am also going to be honest about something upfront: sustainable technology practices are good for the environment, but I have never once convinced a business to change its approach to hardware solely for environmental reasons. What actually moves the needle is the operational and financial argument. The good news is that the same decisions that reduce e-waste also reduce costs and risk. So the environmental benefit is, in this case, the bonus.
Why Device Lifecycle Management Is a Business Problem First
Most professional services firms I work with do not have a formal device lifecycle management policy. What they have is a replacement habit: when a computer stops working acceptably, or when a staff member complains loudly enough, a new one gets purchased.
The result is an office full of machines of wildly different ages and configurations. Some are running operating systems that are no longer receiving security updates. Some are brand new. Most have not been inventoried in years. That is a security problem as much as an environmental one, and it is also expensive in ways that do not show up on any single invoice.
A reasonable device lifecycle for business computers is three to five years, depending on the workload. Below that range, you are replacing hardware before you can extract reasonable value from it. Above it, you are running machines that are slower than they should be, less secure than they need to be, and more likely to fail at an inopportune time. The operating cost of an aging machine in support time, productivity loss, and security risk tends to exceed the cost of replacement well before the hardware visibly gives out.
Responsible Workstation Setup Includes Planning What Happens at End of Life
When a device reaches the end of its useful life at your firm, a few steps need to be taken before it goes anywhere.
Data must be wiped, not deleted. Wiped. Deleting files does not remove them from a hard drive in a way that prevents recovery. A proper wipe overwrites the storage, making recovery practically impossible. If you are sending devices to a recycler or donating them, this step is not optional. Your clients’ data has been on those machines.
Devices that are still functional but no longer appropriate for primary staff may have a second life. Many nonprofits and schools accept used business equipment. If the device has been properly wiped and is running a current operating system, it can provide meaningful value elsewhere rather than going straight to a landfill.
For devices genuinely at the end of life, find a certified e-waste recycler. Most municipalities in Southern California have periodic e-waste collection events. A certified recycler ensures that the materials inside, some of which are genuinely hazardous if handled carelessly, are processed correctly.
Technology Planning for Business Growth Means Replacing Reactively Less Often
One of the most useful things a professional services firm can do, for both its operations and its environmental footprint, is move from reactive device replacement to planned refresh cycles.
Practically, this means knowing what hardware you have, when it was purchased, and when it is due for replacement. A simple spreadsheet works. When you know three years in advance that a wave of machines will need replacing, you can budget for it, plan the transition, and avoid the operational disruption of emergency replacements during busy periods. Tax season is a terrible time to discover that a staff member’s computer has finally given out.
It also means you stop buying machines during crisis conditions, which is almost always when the worst purchasing decisions are made. When the controller’s computer dies the week before a filing deadline, you buy whatever is available and ship it overnight. When you plan a refresh 12 months out, you have time to evaluate what your staff actually needs and buy accordingly. That is both better technology planning for business growth and considerably less expensive.
The Software Side of Sustainable Technology
Physical hardware is not the only place where waste accumulates. Software subscriptions are the other.
Most firms are paying for licenses they are not using, for platforms that have been partially replaced by something else, or for features within a platform that nobody has ever turned on. A software audit, a straightforward review of what you are subscribed to, who is using it, and whether the cost is justified, is something most firms have never done systematically.
It is not a complex exercise, and it consistently identifies funds that can be reallocated to what actually matters. I have never done one for a client and come up empty.
The Practical Starting Point
If you want to do something concrete this month that addresses all of the above, take an inventory. Pull together a list of every computer, laptop, and tablet used in your firm, when it was purchased, and who uses it. If you do not know when something was purchased, a good IT partner can usually determine that from the device’s system information.
Once you have that list, you have the information you need to make actual decisions about device lifecycle management, rather than just reacting to the next thing that breaks.
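One way to turn that inventory list into a refresh plan, as an added example that is not part of the original article. The CSV column names, the sample devices, and the rule that a machine with an unsupported operating system is always overdue are assumptions made for illustration; the three-to-five-year window is the one described above.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """\
asset_tag,user,type,purchased,os_supported
WS-001,Front desk,desktop,2019-02-11,no
WS-002,Controller,desktop,2021-06-01,yes
LT-003,Partner A,laptop,2023-09-15,yes
LT-004,Associate B,laptop,,yes
TB-005,Conference room,tablet,2020-11-30,yes
"""

MIN_YEARS = 3  # lower bound of the refresh window from the article
MAX_YEARS = 5  # upper bound of the refresh window from the article


def add_years(d, years):
    """Return the same calendar day `years` later (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def parse_date(text):
    """Parse YYYY-MM-DD; blank or malformed values mean the date is unknown."""
    try:
        return date.fromisoformat((text or "").strip())
    except ValueError:
        return None


def classify(purchased, os_supported, today):
    """Return (status, replace_by) for one device."""
    if not os_supported:
        # No security updates: replace now, whatever the age.
        return "overdue", today
    if purchased is None:
        # Purchase date still has to be looked up before this can be planned.
        return "unknown", None
    latest = add_years(purchased, MAX_YEARS)
    if today > latest:
        return "overdue", today
    if today >= add_years(purchased, MIN_YEARS):
        return "due", latest
    return "ok", latest


def plan_refresh(csv_text, today):
    """Read the inventory CSV and classify every device."""
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        purchased = parse_date(row.get("purchased"))
        # A missing or unrecognised value is treated as unsupported (fail closed).
        supported = (row.get("os_supported") or "").strip().lower() == "yes"
        status, replace_by = classify(purchased, supported, today)
        plan.append({"asset_tag": row["asset_tag"], "user": row["user"],
                     "status": status, "replace_by": replace_by})
    return plan


def refresh_budget(plan):
    """Group asset tags by the calendar year in which they should be replaced."""
    by_year = defaultdict(list)
    for item in plan:
        if item["replace_by"] is not None:
            by_year[item["replace_by"].year].append(item["asset_tag"])
    return dict(sorted(by_year.items()))


if __name__ == "__main__":
    plan = plan_refresh(SAMPLE_INVENTORY, date.today())
    for item in plan:
        print(item["asset_tag"], item["user"], item["status"], item["replace_by"])
    print(refresh_budget(plan))
```

Devices that come back as "unknown" are the ones whose purchase date still needs to be pulled from system information before they can be budgeted.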
If you would like help pulling that inventory together or thinking through a refresh and workstation setup strategy, reach out. It is a straightforward conversation, and the starting point is almost always simpler than people expect.
Quick and Easy
Most professional services firms lack a device lifecycle management plan, which means they replace hardware reactively under pressure, run aging machines that pose security risks, and generate more e-waste than necessary. Moving to a planned three-to-five-year refresh cycle, properly wiping devices before retirement, and auditing unused software subscriptions addresses all three problems at once and often saves money.
Tax season is the best stress test your technology will ever get. And it is completely free. You did not ask for it, you cannot opt out, and every year between January and April your systems will tell you exactly where the cracks are. The question is whether you are paying attention.
I work with accounting firms as managed IT clients, and I have worked with several more over the years. The pattern is consistent enough that I could describe it before the season starts: the issues that barely registered in November become full-blown crises in March, usually at the worst possible moment, because that is what technology is reliably good at.
Why Tax Season Is the Real Measure of Your IT Support for Accounting Firms
The most common issues that surface during peak filing season are not new problems. They are old problems that finally got loud enough to demand attention.
Slow systems are the most common complaint, and the cause is almost never a mystery. Machines that are three or four years old, running software that has grown steadily more demanding, start struggling under the weight of high-volume processing. The firm has lived with the sluggishness for months because it was tolerable. In March, when everyone is working longer hours and deadlines are immovable, tolerating it is no longer an option.
Remote access failures are the second most common issue. Hybrid teams that work fine under normal conditions hit their limits when everyone is remote simultaneously and the VPN was never sized for that load. Or a staff member is working from home on a personal device with outdated software that creates compatibility problems with cloud-based tax platforms.
Cloud platform slowdowns round out the top three. Accounting firms run on software like Lacerte, CCH, UltraTax, or Drake. When those platforms slow down or have service interruptions during filing season, it is not just inconvenient. According to one analysis, a single hour of downtime at a ten-person firm with a $200 average billable rate can cost over $1,000 in lost productivity, and that does not count the backlog that builds, the client frustration, or the staff morale hit.
What Tax Season Actually Reveals About Professional Services Technology
Beyond the specific failures, tax season exposes something more fundamental: whether your firm has professional services technology built for how you actually work, or built for how you worked five years ago.
An accounting firm with no coherent IT support plan tends to normalize the warning signs until they stop feeling like warning signs. Work slows and nobody identifies why. Staff develop workarounds for software that does not behave reliably. Files end up saved in inconsistent locations because nobody established a protocol. None of these are catastrophic on their own, but under peak-season pressure, they compound.
The other thing tax season reveals is your security posture. Accounting firms are high-value targets because they hold a concentration of financial data that is genuinely valuable to criminals. Firms in regulated states like California face stricter data privacy requirements than many owners realize. A ransomware attack the week before the April deadline is not a hypothetical scenario for accounting firms. It happens.
Workflow Optimization Starts with Honest Post-Season Analysis
The instinct after surviving a rough tax season is to exhale, finish the remaining client work, and deal with technology problems later. I understand that instinct. Unfortunately, later tends to become next January, when you are headed into the same situation again.
A post-tax-season review does not have to be comprehensive or expensive. A few honest questions are a reasonable place to start.
What specifically slowed down or broke during the season? Write it down while it is fresh. “The system felt slow” is less useful than “CCH was taking four minutes to load on Maria’s machine starting around March 10.”
Were there any near-misses? Security alerts, unusual login attempts, or phishing emails that someone caught? Those matter too.
What workarounds did your team create? Workarounds are symptoms. They tell you where the official process broke down, which is exactly where your IT attention should go next.
If you have a managed IT partner, share that list with them. If you do not, and your tax season was rougher than it needed to be, that list is a good starting point for a conversation about what a proactive approach to IT support for accounting firms actually looks like.
The goal is not to over-engineer your environment. It is to make sure the systems your firm runs on are built for the way you actually work, not just adequate for a slow Tuesday in October.
Quick and Easy
Tax season reliably surfaces every technology problem your accounting firm has been tolerating, from aging hardware to under-sized VPNs to security gaps, because pressure turns inconveniences into crises. The firms that come out ahead are the ones that treat the post-season debrief as useful data instead of something to forget as quickly as possible. Write down what broke, what slowed down, and what workarounds your team created, then fix those things before next January.
Many businesses, when trying to get their processes in order, debate whether using Microsoft 365 or Google Workspace would work best for their needs. Although the business world tends to “expect” Microsoft applications, there are those who fully utilize Google.
Here’s the honest truth: both platforms are good. Both will handle your email, calendar, file storage, and collaboration needs. Both have gotten dramatically better in the past few years. And both will cost you roughly the same amount of money. So if you’re expecting me to tell you that one is objectively superior to the other, you’re going to be disappointed.
What I can tell you is which one works better for the specific ways that accounting firms, law offices, and property management companies actually work.
Where Microsoft 365 Wins
For law firms specifically, Microsoft 365 is usually the better choice, and the reason comes down to two things: document formatting and industry expectations.
Legal documents require precise formatting. Numbered paragraphs, specific indentation, complex tables, cross-references, and redlining that tracks every change made by every attorney who touches a document. Microsoft Word is still the gold standard for this kind of work. Google Docs has gotten better, but it’s still not quite there for complex legal documents. According to the ABA’s 2024 Legal Technology Survey, 94% of law firms still use Microsoft Word as their primary document creation tool.
The second issue is client expectations. When you send a legal document to a client or opposing counsel, they expect to receive a .docx file. They expect to be able to open it in Word, make their comments using Word’s track changes feature, and send it back. You can absolutely do this workflow with Google Workspace, but it creates friction. You’re constantly converting files, worrying about whether formatting survived the conversion, and explaining to clients why your documents look slightly different.
Microsoft 365 also integrates better with practice management software that law firms use. Most legal-specific software was built with Microsoft in mind. The integrations are tighter, the compatibility is better, and you spend less time fighting with your tools.
Where Google Workspace Makes Sense
That said, Google Workspace isn’t a bad choice, and for some firms it’s actually the better option. If your firm is smaller, more nimble, and doesn’t have decades of document templates built in Microsoft Word, Google Workspace can be easier to manage and more intuitive for people who aren’t deeply technical.
Google Workspace setup is simpler than Microsoft 365 deployment. There are fewer moving parts, fewer configuration options, and less that can go wrong. For a 5-person law office that just needs email, calendars, and basic document collaboration, Google Workspace gets you up and running faster with less complexity.
Google’s collaboration features are also more intuitive. Multiple people can edit a document simultaneously, and it just works. With Microsoft 365, you can do the same thing, but it requires OneDrive and specific versions of Office apps, and there’s more that can go sideways.
The Real Cost Comparison
Price-wise, they’re comparable. Microsoft 365 Business Standard runs about $12.50 per user per month. Google Workspace Business Standard is $12 per user per month. You’re not making this decision based on a 50-cent difference. The real costs come from cloud migration support, training your staff, and potential productivity loss during the transition.
According to Forrester’s Total Economic Impact study, organizations switching platforms experience an average productivity dip of 15-20% for the first 2-3 months while people adjust. That’s the real cost you need to factor in. If you’ve been using Microsoft for 20 years, switching to Google isn’t just a technology change, it’s a workflow change.
What About Hybrid Approaches?
Some firms try to split the difference by using Gmail with Microsoft Office apps. This mostly works, but it creates its own complications. You lose some of the tight integration between email and calendar. File storage gets confusing when people aren’t sure whether to save things in Google Drive or OneDrive. And you’re paying for redundant services.
I generally don’t recommend hybrid approaches unless you have a specific technical reason that requires it. Pick one platform and commit to it fully. Your people will be happier, your IT management will be simpler, and you’ll spend less time troubleshooting weird compatibility issues.
Making the Decision
For most law firms and accounting practices I work with, Microsoft 365 is the right choice. The document compatibility, the industry standard status, and the integration with other professional services software outweigh the slightly steeper learning curve and more complex administration.
But if you’re a smaller firm, if you don’t have complex document formatting needs, or if you value simplicity over feature depth, Google Workspace is a perfectly viable option. The key is making the decision based on your actual workflow, not on what some article on the internet told you was “better.”
Quick and Easy
For law firms and accounting practices, Microsoft 365 is usually the better choice due to document formatting requirements and industry standard expectations. Google Workspace works well for smaller firms prioritizing simplicity, but both platforms require careful cloud migration support and training to avoid productivity loss.
Look, I get it. Multi-factor authentication is a pain in the butt. It slows you down when you’re trying to get work done, it interrupts your flow with prompts at the worst possible times, and yes, it makes you feel like technology doesn’t trust you anymore. Your team is going to complain about it. Some will actively try to find workarounds. And honestly, I don’t blame them.
The thing about ransomware, though, is that it’s worse.
I’ve been managing IT for professional services firms for over three decades, and I can tell you that the conversation we have after a breach is exponentially more painful than the conversation about implementing MFA. One is an inconvenience. The other is a catastrophe.
The Uncomfortable Truth About Endpoint Security
The professional services industry is getting hammered by ransomware. Accounting firms, law offices, and property management companies are prime targets because you have exactly what criminals want: sensitive financial data, confidential client information, and typically just enough technology to be vulnerable but not enough to be fortress-like.
According to the FBI’s Internet Crime Complaint Center, ransomware complaints increased 18% in 2024, with losses exceeding $59.6 million. However, those numbers only capture reported incidents. Most small and mid-sized firms never report attacks because they’re embarrassed, worried about reputation damage, or they just paid the ransom quietly and moved on.
When someone gets ransomware into your network, it doesn’t just encrypt your files. It steals them first, then encrypts them, then threatens to publish your clients’ private information if you don’t pay. Even if you have backups, which you should, you still have a data breach on your hands. You still have to report it. Your clients still find out. Your reputation still takes a hit.
You know what the entry point is in most of these attacks? Stolen credentials. Microsoft’s Digital Defense Report found that password-based attacks increased 146% in 2024, with more than 7,000 password attacks happening every second across their platforms. Someone phished an employee’s password, logged in as them, and waltzed right through your front door like they owned the place.
What MFA Actually Does (And What It Doesn’t)
Multi-factor authentication isn’t perfect. I’m not going to pretend it’s some silver bullet that makes you invincible. Criminals have already figured out ways around it, like cookie-stealing, where they trick you into authenticating through a legitimate-looking service just to capture your session token.
Here’s what it does: it makes the cheap, easy attacks fail. The automated bot that tries 10,000 stolen passwords against your email server. The script kiddie who bought a dump of credentials on the dark web. The lazy criminal who isn’t willing to put in the extra effort. According to research from Google, implementing any form of MFA blocks 99.9% of automated attacks. Even the most basic SMS-based authentication stops the vast majority of credential stuffing attacks cold.
Think of it like locking your car doors. Will it stop a professional car thief with the right tools and motivation? No. But it will stop the opportunistic criminal who’s just walking through the parking lot trying door handles. Most cybercrime is exactly that: opportunistic.
Why Your Cyber Insurance Company Cares
Something that might make the MFA conversation easier with your team: it’s not really optional anymore. In 2026, cyber insurance requirements have gotten strict enough that most carriers won’t even quote you coverage without multi-factor authentication on all your critical systems. Email, remote access, financial systems, client portals. All of it.
I’ve seen insurance companies do post-breach audits and deny claims because MFA wasn’t implemented properly. Partially implemented doesn’t count, and neither does “we were planning to roll it out.” It has to be actually implemented and actually used. They will look at your authentication logs, and if they see that the account that got compromised didn’t have MFA enabled, that’s it. Claim denied. You’re on your own for the six-figure recovery costs.
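The same check an auditor would run can be run before an incident. The following is an added example, not part of the original article and not any vendor's log schema: the JSON-lines sign-in format, field names, system labels, and sample records are all constructed for illustration. It lists accounts that signed in successfully to a critical system without MFA.

```python
import json
from collections import defaultdict

# Critical systems named in the article; the labels themselves are assumptions.
CRITICAL_SYSTEMS = {"email", "remote_access", "financial", "client_portal"}

# Constructed sign-in records, one JSON object per line (hypothetical format).
SAMPLE_LOG = """\
{"time": "2026-03-02T08:01:10Z", "user": "maria", "system": "email", "result": "success", "mfa": true}
{"time": "2026-03-02T08:03:44Z", "user": "maria", "system": "financial", "result": "success", "mfa": true}
{"time": "2026-03-02T08:15:02Z", "user": "dave", "system": "email", "result": "success", "mfa": false}
{"time": "2026-03-02T08:16:30Z", "user": "dave", "system": "remote_access", "result": "failure", "mfa": false}
{"time": "2026-03-02T09:00:00Z", "user": "svc-scanner", "system": "email", "result": "success"}
{"time": "2026-03-02T09:12:51Z", "user": "lee", "system": "intranet_wiki", "result": "success", "mfa": false}
{"time": "2026-03-02T09:20:05Z", "user": "lee", "system": "client_portal", "result": "success", "mfa": true}
this line is not valid JSON
{"time": "2026-03-02T10:45:19Z", "user": "dave", "system": "remote_access", "result": "success", "mfa": true}
"""


def audit_mfa(log_text, critical=CRITICAL_SYSTEMS):
    """Summarise MFA coverage for successful sign-ins to critical systems.

    Returns a dict with:
      gaps          -- {user: [systems reached without MFA]}
      fully_covered -- users whose critical sign-ins all used MFA
      skipped       -- number of unparseable or incomplete records
    """
    gaps = defaultdict(set)
    covered = defaultdict(set)
    skipped = 0

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            user = event["user"]
            system = event["system"]
            succeeded = event["result"] == "success"
        except (ValueError, KeyError, TypeError):
            # Count bad records instead of dropping them silently, so a
            # logging problem is visible in the report.
            skipped += 1
            continue

        # Failed sign-ins and non-critical systems are out of scope here.
        if not succeeded or system not in critical:
            continue

        # A missing "mfa" field is treated as "no MFA" (fail closed).
        if event.get("mfa") is True:
            covered[user].add(system)
        else:
            gaps[user].add(system)

    return {
        "gaps": {u: sorted(s) for u, s in sorted(gaps.items())},
        "fully_covered": sorted(u for u in covered if u not in gaps),
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = audit_mfa(SAMPLE_LOG)
    for user, systems in report["gaps"].items():
        print(f"NO MFA: {user} -> {', '.join(systems)}")
    print("Fully covered:", ", ".join(report["fully_covered"]))
    print("Skipped records:", report["skipped"])
```

Service accounts such as the constructed `svc-scanner` entry are a common place for gaps to hide, because nobody is there to answer a prompt.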
Making It Less Terrible
The good news is that MFA in 2026 is better than it used to be. Not good, but better. You’re not stuck with those horrible SMS codes that never arrive when you need them. Modern authentication apps are faster. Hardware security keys work better. Some services even use passwordless authentication now, which sounds scarier but is actually more convenient once you get used to it.
The key is implementing it intelligently. You don’t need to make people authenticate every single time they access their email if they’re on a trusted device on your network. You can set reasonable timeout periods. You can use conditional access policies that only trigger extra authentication when something looks suspicious, like a login from an unfamiliar location.
You need to train your people not just on how to use MFA, but also on why it matters. Not with scare tactics, but with reality. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether that’s stolen credentials, social engineering, or simple mistakes. Tell your team about the law firm down the street that got hit with ransomware because someone clicked a phishing link. Tell them about the accounting practice that had client tax returns published online because their insurance claim got denied. Make it real, because it is real.
The Reality of Small Business Ransomware Protection
Look, if I’m being completely honest with you, which I always am, no security measure is going to stop a determined, sophisticated attacker who specifically targets your firm. But you’re probably not going to get specifically targeted. What you’re trying to protect against is being the easy target, the firm that criminals hit because you’re vulnerable and they know it.
Multi-factor authentication is one piece of a larger endpoint security solution. You also need proper backups, security monitoring, email filtering, security awareness training for your team, and someone who actually knows what they’re doing managing all of it. But MFA is the piece that insurance companies look for first, and for good reason.
If you haven’t implemented multi-factor authentication yet, start now. Check with your cyber insurance carrier about their specific requirements, because they vary. Get your critical systems secured first: email, financial software, anything that touches client data, and any way your team accesses your network remotely.
And when your team complains, which they will, remember that their annoyance is temporary. A ransomware attack isn’t.
Quick and Easy
Multi-factor authentication blocks 99.9% of automated attacks and is now required by most cyber insurance policies. While your team will find it annoying, the alternative of ransomware attacks and denied insurance claims is far worse for professional services firms.











