Look, I get it. Multi-factor authentication is a pain in the butt. It slows you down when you’re trying to get work done, it interrupts your flow with prompts at the worst possible times, and yes, it makes you feel like technology doesn’t trust you anymore. Your team is going to complain about it. Some will actively try to find workarounds. And honestly, I don’t blame them.
The thing about ransomware, though, is that it’s worse.
I’ve been managing IT for professional services firms for over three decades, and I can tell you that the conversation we have after a breach is exponentially more painful than the conversation about implementing MFA. One is an inconvenience. The other is a catastrophe.
The Uncomfortable Truth About Endpoint Security
The professional services industry is getting hammered by ransomware. Accounting firms, law offices, and property management companies are prime targets because you have exactly what criminals want: sensitive financial data, confidential client information, and typically just enough technology to be vulnerable but not enough to be fortress-like.
According to the FBI’s Internet Crime Complaint Center, ransomware complaints increased 18% in 2024, with losses exceeding $59.6 million. However, those numbers only capture reported incidents. Most small and mid-sized firms never report attacks because they’re embarrassed, worried about reputation damage, or they just paid the ransom quietly and moved on.
When someone gets ransomware into your network, it doesn’t just encrypt your files. It steals them first, then encrypts them, then threatens to publish your clients’ private information if you don’t pay. Even if you have backups, which you should, you still have a data breach on your hands. You still have to report it. Your clients still find out. Your reputation still takes a hit.
You know what the entry point is in most of these attacks? Stolen credentials. Microsoft’s Digital Defense Report found that password-based attacks increased 146% in 2024, with more than 7,000 password attacks happening every second across their platforms. Someone phished an employee’s password, logged in as them, and waltzed right through your front door like they owned the place.
What MFA Actually Does (And What It Doesn’t)
Multi-factor authentication isn’t perfect. I’m not going to pretend it’s some silver bullet that makes you invincible. Criminals have already figured out ways around it, like cookie-stealing, where they trick you into authenticating through a legitimate-looking service just to capture your session token.
Here’s what it does: it makes the cheap, easy attacks fail. The automated bot that tries 10,000 stolen passwords against your email server. The script kiddie who bought a dump of credentials on the dark web. The lazy criminal who isn’t willing to put in the extra effort. According to research from Google, implementing any form of MFA blocks 99.9% of automated attacks. Even the most basic SMS-based authentication stops the vast majority of credential stuffing attacks cold.
Think of it like locking your car doors. Will it stop a professional car thief with the right tools and motivation? No. But it will stop the opportunistic criminal who’s just walking through the parking lot trying door handles. Most cybercrime is exactly that: opportunistic.
Why Your Cyber Insurance Company Cares
Something that might make the MFA conversation easier with your team: it’s not really optional anymore. In 2026, cyber insurance requirements have gotten strict enough that most carriers won’t even quote you coverage without multi-factor authentication on all your critical systems. Email, remote access, financial systems, client portals. All of it.
I’ve seen insurance companies do post-breach audits and deny claims because MFA wasn’t implemented properly. It can’t be partially implemented, or “we were planning to roll it out.” Actually implemented and actually used. They will look at your authentication logs, and if they see that the account that got compromised didn’t have MFA enabled, that’s it. Claim denied. You’re on your own for the six-figure recovery costs.
Making It Less Terrible
The good news is that MFA in 2026 is better than it used to be. Not good, but better. You’re not stuck with those horrible SMS codes that never arrive when you need them. Modern authentication apps are faster. Hardware security keys work better. Some services even use passwordless authentication now, which sounds scarier but is actually more convenient once you get used to it.
The key is implementing it intelligently. You don’t need to make people authenticate every single time they access their email if they’re on a trusted device on your network. You can set reasonable timeout periods. You can use conditional access policies that only trigger extra authentication when something looks suspicious, like a login from an unfamiliar location.
You need to train your people not just on how to use MFA, but also on why it matters. Not with scare tactics, but with reality. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether that’s stolen credentials, social engineering, or simple mistakes. Tell your team about the law firm down the street that got hit with ransomware because someone clicked a phishing link. Tell them about the accounting practice that had client tax returns published online because their insurance claim got denied. Make it real, because it is real.
The Reality of Small Business Ransomware Protection
Look, if I’m being completely honest with you, which I always am, no security measure is going to stop a determined, sophisticated attacker who specifically targets your firm. But you’re probably not going to get specifically targeted. What you’re trying to protect against is being the easy target, the firm that criminals hit because you’re vulnerable and they know it.
Multi-factor authentication is one piece of a larger endpoint security solution. You also need proper backups, security monitoring, email filtering, security awareness training for your team, and someone who actually knows what they’re doing managing all of it. But MFA is the piece that insurance companies look for first, and for good reason.
If you haven’t implemented multi-factor authentication yet, start now. Check with your cyber insurance carrier about their specific requirements, because they vary. Get your critical systems secured first: email, financial software, anything that touches client data, and any way your team accesses your network remotely.
And when your team complains, which they will, remember that their annoyance is temporary. A ransomware attack isn’t.
Quick and Easy
Multi-factor authentication blocks 99.9% of automated attacks and is now required by most cyber insurance policies. While your team will find it annoying, the alternative of ransomware attacks and denied insurance claims is far worse for professional services firms.
Let’s talk about something most IT companies won’t discuss openly: how much managed IT services in Southern California actually cost and why.
We’ve been serving professional services firms in Southern California for over 35 years, and one of the most common questions we hear is: “What should we actually be paying for IT support?” The frustration behind that question is real. Business leaders know they need professional technology consulting, but the pricing landscape feels deliberately opaque.
So here’s an honest breakdown of the cost of managed IT support services.
The Basic Numbers for 2026
For professional services firms in the 50-150 employee range, including accounting practices, law offices, and property management companies, managed IT services in Southern California typically range from $150-$250 per user per month.
Yes, that’s a wide range for IT support costs. Why?
The lower end ($150-$175 per user) usually includes:
- Basic helpdesk support during business hours
- Standard security monitoring
- Patch management for operating systems
- Basic cloud email support (Microsoft 365 or Google Workspace)
The higher end ($200-$250 per user) typically includes:
- 24/7 helpdesk availability
- Advanced threat protection
- Compliance support (HIPAA, CMMC, PCI, SOC 2)
- Strategic technology planning
- Dedicated account management
What Most Companies Won’t Tell You About IT Services Pricing
The IT industry has markup rates that range from 200% to 1000% on certain services and products. That’s not a typo.
A business-grade laptop that costs an IT provider $800 might be sold to you for $1,600 or more. Microsoft 365 deployment licenses that cost the provider $22 per month might appear on your bill at $35 per month. Network equipment, software subscriptions, security tools – all of these commonly have substantial markups in managed IT support services.
We’re not saying this to criticize other providers. Running an IT service business has real costs: experienced technicians command high salaries in Southern California, insurance is expensive, ongoing training is necessary, and the tools we use to monitor and protect your systems aren’t cheap.
We believe in transparency about fair-priced managed IT services. You should understand what you’re paying for and why.
What “Managed Services” Actually Means
This is where the confusion really happens with IT support. “Managed IT services” can mean drastically different things depending on who’s providing them.
Some companies use “managed services” to mean “we’ll fix things when they break.” That’s not managed services. That’s break-fix support with a monthly retainer.
True managed IT services for professional services means:
Proactive monitoring. We’re watching your systems 24/7 and addressing issues before they affect your team. According to Cyber adAPT and the Aberdeen Group, proactive monitoring can reduce downtime by up to 70% compared to reactive support models.
Strategic planning. We’re not just keeping the lights on. We’re helping you plan technology investments that align with your business growth and IT roadmap development.
Security as a foundation. Security isn’t an add-on for small business IT consulting. It’s built into everything we do, from how we configure new workstations to how we manage your network access.
Vendor management. We handle relationships with software companies, internet providers, and hardware vendors. You shouldn’t need to call five different companies when something goes wrong.
The Hidden Costs of Cheap IT Support
We regularly talk with professional services firms that are paying $75-$100 per user per month for “managed services.” Here’s what usually happens with cheap IT support:
They’re getting reactive support, not proactive management. When something breaks, someone fixes it. But nobody’s watching for warning signs. Nobody’s planning for technology growth. Nobody’s ensuring compliance with industry standards.
Then something major goes wrong. A server fails. A ransomware attack hits. A compliance audit reveals security gaps. Suddenly, they’re facing emergency bills that dwarf whatever they saved on monthly IT support costs.
The Rule of Thumb for IT Support Costs
If you want a very general rule of thumb for managed IT services, expect to spend about $200 per user per month for quality services in Southern California. That should cover comprehensive support, reasonable response times, proactive monitoring, and basic security measures.
If you need additional compliance support, advanced security measures, or 24/7 availability, expect that number to increase by $50-$75 per user for professional services technology.
If someone quotes you significantly less, ask detailed questions about what’s included in managed IT support services. You might be getting a great deal, or you might be getting break-fix support disguised as managed services.
Quick and Easy
Managed IT services in Southern California cost $150-$250 per user per month, with $200 being typical for professional services firms, but many companies charging $75-$100 are providing reactive support rather than true managed services. According to CompTIA, the nationwide average is $182 per user, and cheap IT often leads to catastrophic emergency costs that exceed any monthly savings.
Remember when you could spot a phishing email because it had terrible grammar or came from a weird email address?
Those days are over.
Research from Hoxhunt showed that by March 2025, AI-generated phishing attacks had become more effective than those created by elite human security experts. The AI didn’t just catch up, but surpassed the best humans at social engineering.
Let that sink in. The people whose entire job is creating realistic phishing simulations to test your employees? AI is better at it than they are.
The Scale of the AI Phishing Problem
According to the World Economic Forum, phishing and social engineering attacks increased 42% in 2024. That was before AI really hit its stride.
The attacks aren’t just better written anymore. They’re contextual and arrive at the exact right time. They reference real projects, real people in your organization, and real deadlines.
Google’s 2026 forecast warns that attackers are using AI to create emails that are essentially indistinguishable from legitimate communication.
This is what that looks like in practice:
You receive an email from your CFO requesting an urgent invoice payment. It uses her exact writing style. It references the specific vendor you’ve been working with. It arrives right when you’d expect such a request. The email address looks right. The signature looks right. Everything looks right.
Except it’s not from your CFO. It’s from an AI that studied 50 of her previous emails and generated a perfect forgery.
Voice Cloning: The New Frontier
Email isn’t even the scariest part anymore.
A tech journalist recently demonstrated that she could clone her own voice using cheap AI tools and fool her bank’s phone system – both the automated system and a live agent – in a five-minute call.
Think about what that means for your business. Your CFO gets a call that sounds exactly like your CEO: voice, cadence, the way they clear their throat, everything. It’s asking for an urgent wire transfer for a time-sensitive deal.
How do you defend against that?
Why Traditional Phishing Training Fails Against AI
Your annual security training tells employees to look for:
- Spelling and grammar errors (AI doesn’t make these mistakes)
- Generic greetings (AI personalizes everything)
- Suspicious sender addresses (AI uses compromised legitimate accounts)
- Urgent requests (legitimate urgent requests also sound urgent)
- Links that don’t match the display text (AI uses legitimate-looking domains)
Every single indicator you’ve trained people to watch for? AI bypasses them.
What Actually Works Against AI Generated Phishing
The old training about “look for spelling errors” is dead. Your employees need to understand that verification matters more than urgency.
Use this to protect you and your team:
Slow down when things feel urgent. Urgency is the weapon. If someone’s asking for sensitive information or money transfers, that urgency should trigger caution, not immediate compliance.
Verify through a different channel. Email says it’s from your CEO? Call them on a known number. Text message from your bank? Call the number on your card, not the one in the message. Voice call asking for a transfer? Hang up and call back.
Trust your judgment about whether requests make sense. Does your CEO normally ask for wire transfers via text? Does your IT department usually request password resets through email? If the method doesn’t match the request, verify.
Create a culture where questioning is safe. Your employees need to know they won’t get fired for double-checking whether the CEO really sent that request. These attacks exploit hierarchy and time pressure.
The Reality for Professional Services Firms
The accounting firms, law offices, and property management companies we work with are particularly vulnerable to these attacks because:
- They handle sensitive financial information
- They regularly process wire transfers
- They work with clients who expect fast responses
- They have hierarchical structures that discourage questioning authority
One immigration law firm we work with almost lost $180,000 to an AI-generated email that perfectly mimicked its managing partner’s communication style, requesting an urgent retainer transfer. The only thing that saved them was an associate who thought the request was weird enough to verify in person.
That associate didn’t stop the attack because they spotted technical indicators. They stopped it because something felt off, and they were empowered to question it.
What This Means for Your Business
You need to update your security training immediately. Not next quarter. Not when the budget allows. Now.
The training needs to focus on:
- Verification procedures that work regardless of how legitimate something appears
- Creating psychological safety for employees to question urgent requests
- Understanding that AI can fake anything visual or auditory
- Practicing what to do when something seems both urgent and suspicious
You need to practice these procedures regularly. Not once a year during security awareness month. Monthly at minimum.
Because the attacks are getting better every single day. Criminals using them no longer need your employees to click a suspicious link. They need your employees to trust their eyes and ears when they shouldn’t.
The Quick and Easy: AI-generated phishing attacks now outperform human security experts, with attacks increasing 42% in 2024. AI generates emails and phone calls that are indistinguishable from legitimate communication, bypassing traditional phishing indicators such as spelling errors, generic greetings, and suspicious links. Voice cloning technology can fool both automated systems and live humans. Traditional training focusing on spotting errors no longer works. Instead, businesses need verification procedures that work regardless of appearance, cultures where questioning authority is safe, and regular practice with realistic scenarios. Professional services firms are particularly vulnerable due to their hierarchical structures and regular financial transactions. The key defense is slowing down when things feel urgent and verifying through different channels.
The uncomfortable truth is your employees are using AI tools you don’t know about. Right now. Today.
IBM’s latest research found that 20% of organizations already suffered a breach due to what they’re calling “shadow AI” – employees using unauthorized AI tools without IT’s knowledge. The kicker is that those breaches added an average of $200,000 to remediation costs.
Think about that for a second. The issue is not the technology failing or hackers breaking through your firewall. The cause is your own people, trying to do their jobs faster, pasting proprietary information into ChatGPT, Gemini, or whatever AI tool made their work easier that day.
Why Shadow AI Happens (And Why You Can’t Stop It)
Varonis found that 98% of employees use unsanctioned apps. That’s not a typo. Ninety-eight percent. If you think your company is the exception, you’re wrong.
Why does this happen? Because your employees are struggling. They’re being asked to do more with less, and they’re exhausted. Then they discover this magical tool that can summarize a 50-page document in 30 seconds or write that email they’ve been dreading. Of course, they’re going to use it.
The problem isn’t that they’re lazy or malicious. The problem is that they have no idea what happens to the data they feed into these systems. Some AI services train their models on your inputs. Some store everything you type. Some have security controls. Most don’t.
Why Banning AI Tools Doesn’t Work
Banning these tools outright works. Right? Gartner predicts that by 2027, 75% of employees will acquire or create technology outside IT’s visibility. Bans just push people to hide what they’re doing better.
This happens constantly with the accounting firms and law offices we work with. A partner bans ChatGPT, but an associate uses it on their phone anyway. Now, instead of managing the risk, you’ve just lost visibility into it entirely.
The Real Cost of Shadow AI
The financial impact goes beyond the $200,000 average breach cost. Consider what happens when:
- Your proprietary client data gets fed into a public AI model
- Your trade secrets become part of an AI training dataset
- Your confidential legal strategy gets stored on servers you don’t control
- Your financial projections end up accessible to your competitors
These aren’t theoretical risks. These are things happening right now to businesses that thought their employees would never do something that careless.
What You Actually Need to Do About Shadow AI
You need an actual policy about AI use. Not a ban. A policy.
This is what works:
Identify which AI tools are safe for your business. Not every AI tool is a security nightmare. Some have proper data handling. Some don’t train on your inputs. Figure out which ones meet your requirements.
Make approved tools easy to access. If your employees need AI to do their jobs effectively, give them a way to use it safely. The property management firms we work with that have implemented approved AI tools see almost zero shadow AI usage.
Train people on what they can and cannot share. Most people don’t realize that pasting client information into ChatGPT might expose it. They’re not trying to cause a breach. They’re trying to work faster. Teach them the difference between safe and unsafe usage.
Create a culture where people can ask questions. Your employees should feel comfortable asking, “Is this AI tool safe to use?” instead of just using it and hoping for the best.
The Bottom Line on Shadow AI
This isn’t going away. The only question is whether you’re managing it or pretending it doesn’t exist.
The firms sleeping well at night aren’t the ones who banned AI. They’re the ones who acknowledged it exists and created safe pathways for using it.
Because your employees are already using these tools, you just don’t know about it yet.
The Quick and Easy: Shadow AI, unauthorized AI tool usage by employees, has already caused breaches in 20% of organizations, costing an average of $200,000 each. With 98% of employees using unsanctioned apps and 75% projected to acquire technology outside IT visibility by 2027, banning AI tools doesn’t work. Instead, businesses need clear AI usage policies, approved tools that are easy to access, employee training on safe data sharing, and a culture that allows people to ask questions before using new tools. Technology isn’t the risk, but using it without oversight or understanding the consequences.
I’ve written about this topic before, but it’s nice when major publications back your viewpoint. One of my favorite authors has a new book forthcoming, and as a sign of the times the title – which may have been scandalous in a previous, perhaps more innocent age – gets straight to the point: “Enshittification: Why Everything Suddenly Got Worse and What To Do About It“. And because everything these days is meta and Mr. Doctorow’s book isn’t even out, I read an advanced review of the book that contained praise as well as some criticisms which I think are valid and troubling to consider when asking the most important question.
What can we do about it?
In case you didn’t read my previous blog about this or don’t remember it (because we all have enough to worry about already, so I get it), “enshittification” is the concept that all good online services and websites will eventually be ruined by our society’s relentless pursuit of profit. The advanced review as it appears on the Current Affairs website does a pretty good job of explaining this topic, and if you don’t intend to purchase the book, I think the article provides enough of an overview for you to spot this trend in the world around you, which may or may not improve how you may feel about it. I’m going to read the book for myself before I render my own praise or criticism, but I have similar concerns to the reviewer’s when it comes to answering the question that you have all asked, “What can we do about it?” It sounds like Mr. Doctorow is calling for grassroots efforts and government intervention to counteract future enshittifications (the author seems to think it’s already too late for the likes of Amazon, Facebook, Netflix, etc. and I agree), but from where I’m sitting it seems like getting help from the government isn’t on the menu at the moment, and our grassroots are divided as we fight to maintain healthcare, livelihoods and just basic human decency. So what is my recommendation to you if your technology feels “shitty?”
Take matters into your own hands. If you have the option to use something else, do so and make sure you tell the losing platform why you moved (even if they will probably never read your feedback). If changing the technology isn’t an option, perhaps take a moment to clearly identify the crappy part for the purposes of determining if it’s something you have control or agency over (maybe a new setting or change in interface), or if it’s out of your hands, such as the price going up. If it’s out of your control, focus your energy on working around or through it, or changing something else so that you can eliminate it altogether. Using technology is unavoidable for most of us, but there is no reason to feel like you are a hostage to it, and the best way to manage this is to change the things that you can control, and asking for help or sympathy (or both!) on the things you can’t.
I’ve been working in tech long enough to remember when “automation” meant macros in Excel and AI was still the stuff of sci-fi. Today, artificial intelligence is everywhere—from customer service chatbots to advanced data analytics, predictive modeling, and content creation. It’s no longer a niche tool; it’s a foundational layer in how businesses operate. And while this explosion of AI capability is exciting, it’s also incredibly risky—especially for those who treat it like a shortcut instead of a tool.
Let me be clear: AI is not magic. It’s not intelligent in the human sense. It’s powerful, but it’s only as good as the data it learns from and the intent behind its use. I’ve watched companies implement AI without understanding how it works, leading to biased outcomes, false insights, or compliance violations. They feed it flawed data, make strategic decisions based on unverified outputs, or worse, let it replace human judgment entirely.
The danger lies not in the technology, but in the overconfidence that often accompanies it.
AI should augment decision-making, not replace it. When misused, it can erode trust, amplify existing inequalities, and expose companies to significant legal and reputational risk. If you’re using generative AI to write content, ask yourself—how do you verify it’s accurate? If you’re using AI to screen job candidates, are you confident it’s not introducing bias?
As a consultant, I encourage clients to treat AI the same way they would a junior employee: train it, supervise it, and never let it act without oversight.
The future of AI is promising, but only if we use it responsibly. Those who blindly chase efficiency without understanding the tool may find themselves solving one problem and creating five more. So take the time to understand what AI is—and more importantly, what it isn’t.
Want help making AI work for your business—safely and strategically? Reach out for a consultation.
Author’s Note: This blog post was written by ChatGPT using the following prompt, “Write a short blog from the perspective of an experienced technology consultant about the rising use of AI and the dangers it poses for those that use the tool incorrectly.” I did not touch-up or edit the text provided by that prompt in any way, shape or form other than to copy and paste it into this website. Anyone who’s followed my blog for awhile or knows me personally might have smelled something fishy, or maybe not. In reading the above, I can definitely say that I have written plenty of articles just as bland. Interestingly, ChatGPT included the last, italicised bit – it’s clearly been trained on plenty of marketing blogs like this one. I know that many of you actually read my blogs for my personal take on technology. If I were to feed my own AI engine the past 10 years of my articles so that it could perhaps get a sense for my writing style and personality, do you think it could produce more blogs that would be indistinguishable from what I wrote with my own two hands and one brain?
Image courtesy of TAW4 at FreeDigitalPhotos.net
We’ve discussed in previous blogs how technology things seem to be getting worse from just about every angle, whether it’s cost, quality or security. We can attribute a large chunk of this downward trend to the increasing profitability of cybercrime, which is itself a vicious, amplifying spiral of escalation. The more we try to keep ourselves safe, the more complicated it becomes to do so, and most regular folks don’t have the training or endurance to keep up, especially if you are a part of the growing elderly generations that are forced to use technology they barely understand just to stay alive and keep in contact with friends and family. With the recent (in my opinion ill-advised) downsizing the Cybersecurity and Infrastructure Security Agency (CISA) much of the this country’s organizational strength and operational efficiency in cataloging and combatting cybersecurity threats will be abandoned.
What this means for all of us
Regardless of whether you are a big or small organization, CISA’s leadership and work provided foundational guidance on all existing cybersecurity threats while constantly researching, investigating and publishing information on new threats as they discovered. One of the main reasons that governments exist is to provide funding, resources and scaled force for tasks that cannot (and should not) be handled by smaller groups or for-profit institutions, such as military defense, mail delivery, and national security. As has been demonstrated time and time again, for-profit companies cannot be trusted to put people before profits, and security oversight is definitely not something you want to enshittify. And yet, that is exactly where we are. In the absence of CISA leadership, organizations, whether they be ad-hoc coalitions of state-level agencies or, most likely, for-profit companies in the security industry, are now scrambling to fill the gigantic, CISA-shaped hole in our nation’s cybersecurity. Let’s be clear, security for small businesses was already well on its way to becoming difficult, expensive and onerous. Eliminating national leadership will most definitely lead to a fracturing of an already complicated security framework that will most assuredly weigh very heavily on those who can least afford to shoulder a burden that was formerly carried by those trained, equipped and funded to do so.










