Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

The Government Might Have to Reissue Every Social Security Number in America. What Does That Mean for Your Business?

Christopher Woo
Tuesday, 14 April 2026 / Published in data privacy

Two years ago, that sentence would have sounded like paranoid fiction. It does not sound like that right now.

I want to be clear upfront: I’m not here to argue politics. I genuinely do not care which side of the DOGE debate you’re on. What I do care about is that the data situation quietly unfolding within the Social Security Administration has real consequences for your business, your employees, and your clients, and most people are not paying attention.

Let me explain what happened, and more importantly, what it means for you specifically.

What Actually Happened

The Department of Government Efficiency, working inside the Social Security Administration, allegedly copied the entire NUMIDENT database to a cloud environment that bypassed the agency’s standard security protocols. According to a whistleblower complaint filed by the SSA’s former chief data officer, Charles Borges, this was done despite court orders limiting DOGE’s access to the agency’s systems.

The NUMIDENT is not just Social Security numbers. It is every record ever submitted in an application for a Social Security card: names, dates of birth, citizenship status, race and ethnicity, phone numbers, home addresses, and parents’ names and Social Security numbers. For more than 300 million Americans.

Court filings later revealed that DOGE employees used a third-party Cloudflare server not approved for SSA data and sent a password-protected file containing private records to outside affiliates, and that the SSA still cannot fully account for what was left in its systems or where it went. The Department of Justice has acknowledged in court filings that earlier statements about the scope of access were inaccurate.

Borges, per his complaint, warned his superiors that the agency might one day be forced to reissue every Social Security number in the country. A Senate investigation put the risk of a catastrophic breach at 65 percent.

Why This Is Different from Every Other Breach

Most data incidents involve something replaceable. Credit card compromised? You get a new one. Password exposed? Reset it. Account hacked? Recover it.

A Social Security number does not work that way. It is the root credential for your credit history, your tax filings, your employment verifications, your professional licenses, your Medicare records, and your background check history. Getting a new one, in the rare cases the SSA permits it, creates nearly as many problems as it solves, because nothing else in your financial life knows about the change.

If this data ends up in the wrong hands, the damage will not look like a fraud alert next week. It will look like a suspicious loan application two years from now, or a tax return filed in your employee’s name before they can file their own. It could look like a wire transfer request that sounds exactly like your CFO, because someone has enough personal details to make it convincing.

The Three Business Risks Worth Taking Seriously

Your employees are now higher-value social engineering targets. If bad actors have an employee’s SSN, home address, employer, and parents’ names, they can construct pretexts that are genuinely hard to detect. Not a generic phishing email. A targeted call that opens with information that sounds like insider knowledge. Professional services firms, where staff regularly handle client funds and sensitive documents, are exactly the kind of target that makes this worthwhile for a criminal.

Your clients are downstream of whatever happens to your team. Accounting firms, law offices, and property management companies hold sensitive financial and personal data on behalf of other people. If an employee identity compromise creates an intrusion into your systems, your clients have a problem too. The liability runs in both directions and it runs fast.

The verification systems your business relies on may become unreliable. If large-scale SSN fraud materializes from this exposure, financial institutions will respond by tightening verification processes. Credit applications, employment checks, and background verifications may get slower, more expensive, or more complicated across the board. That is an operational headache even for firms that do not experience a direct breach.

What You Can Actually Do

None of this requires an expensive platform purchase or a consultant’s SOW. It mostly requires an afternoon and some attention.

Tell your team what happened in plain language. Informed employees are harder to manipulate. A staff that knows their personal data is out there is less likely to be fooled by a pretext that uses it.

Encourage everyone to freeze their credit at all three bureaus. It is free, it is reversible when needed, and it is still the most effective individual defense against identity fraud available. Experian, Equifax, and TransUnion all allow you to do it online.

Set up an alert through ssa.gov so you receive notification if anyone attempts to access Social Security benefits using your number.

Review your cybersecurity insurance policy for social engineering coverage specifically. Many policies cover breaches of company systems but have lower limits, or outright exclusions, for employee identity compromise that creates a business loss. Find out before you need to know.

If your firm does not have a written process for what to do when an employee reports identity theft, write one. It does not have to be long. It just has to exist before you need it.

The Bigger Picture

I have written before about the way cybersecurity threats have become environmental. They are not targeted at you specifically. They are more like pollution: pervasive, ongoing, not always visible, and best managed through preparation rather than reaction.

What makes this particular situation harder is that the exposure did not come from a criminal enterprise. It came from inside the institutions we were told to trust with our most sensitive information. That is a more uncomfortable conversation. But avoiding it does not change the exposure.

The firms that handle this well are not the ones with the most sophisticated tools. They are the ones that thought through what they would do before something went wrong, rather than figuring it out in the middle of it.

If you want to talk through what your firm’s actual risk picture looks like right now, reach out. That conversation is always free.

Quick and Easy: DOGE allegedly copied the Social Security Administration’s entire national database to an unauthorized cloud server, and the agency’s own cybersecurity officials raised the possibility of having to reissue every SSN in the country as a worst-case outcome. For professional services firms, the real risks are targeted social engineering of your employees, downstream exposure of your clients, and potential disruption to financial verification processes. The practical responses are mostly free and can be put in place this week.

Your Employees Are Already Using AI With Your Client Data

Christopher Woo
Tuesday, 31 March 2026 / Published in data privacy

You just don’t know it yet.

I had a conversation recently with a client that stopped me cold. One of their employees had been using a paid AI chatbot to help with administrative work. She was saving herself hours a day. She was sharp, resourceful, and genuinely proud of what she figured out on her own. Unfortunately, she had absolutely no idea she had been feeding client data into a third-party system that her company had never reviewed, approved, or consented to on behalf of the people whose information she was sharing.

When I asked her point blank, “Are you putting client data in there?” she said yes. Then, when I explained what that actually meant, she was horrified. Not because she did something malicious. Because she had no idea there was anything to be horrified about.

That’s the conversation I keep having right now, and I think a lot of business owners need to hear it.

The Part Nobody Explains

What most people do not understand about AI tools is that when you type something into a chatbot, that information does not necessarily stay with you. Depending on the platform, the service’s terms of use, and whatever privacy settings exist in your account, that data may be used to train the model. It may be retained. It may be stored on servers you have no visibility into.

Now, I am not here to tell you that every AI company is doing something sinister. Some are genuinely more careful than others. However, even the most responsible provider operates under a simple truth: unless the platform explicitly states it will not use your data for training purposes, and unless your clients have given you consent to share their information with that platform, you are operating in a gray area.

In professional services, gray areas often become very expensive problems.

The Real Risk for Accounting Firms, Law Offices, and Property Managers

Think about what your employees handle: client financials, legal correspondence, lease agreements, Social Security numbers, medical expense records, and attorney-client communications. This is not generic business information. This is sensitive, regulated, and in many cases privileged data.

Sharing that information with an AI tool, even to do something as mundane as drafting a summary or cleaning up a spreadsheet, is a data-sharing event. The fact that it feels like a productivity shortcut does not change what it actually is.

Cyber insurance carriers are already paying attention to this. Compliance frameworks are catching up. When something goes wrong, the fact that the employee “didn’t know” is not going to satisfy the client whose information ended up somewhere it was never supposed to be.

What I Tell My Clients to Do Right Now

You do not need to ban AI tools. I am not suggesting that. Some of them are genuinely useful and, in the right context, safe. However, you do need to stop pretending this is not happening in your office.

Start with a basic policy. It does not have to be long. It does not have to be complicated. It should answer three questions: which AI tools are approved for use, what categories of data can and cannot be entered into those tools, and who is responsible for reviewing and updating that guidance as things change. Because they will change, probably faster than any of us would like.

Then you need to have the conversation. Not a scary, disciplinary conversation, but a practical one. Most employees using these tools are doing so to do their jobs better. They deserve to understand the actual risks so they can make informed decisions, not get caught off guard as my client’s employee did.

A Word on the AI Companies Themselves

I get asked a lot about which AI providers are the most trustworthy. Honestly, that question is harder to answer than it sounds. This space is constantly shifting, and companies that have solid policies today often quietly revise them later.

What I tell people is this: do not base your data-handling decisions on trust alone. Base them on what the agreement actually says, what your compliance requirements demand, and whether you have any business reason to take on the risk. Copilot, for example, operates within Microsoft’s walled environment, which at least limits where your data can go. Even that is not a blank check to input anything and everything without thinking.

The honest answer is that we are all figuring this out as we go. Even me. The responsible thing is to proceed carefully, ask questions, and not assume that a productivity gain justifies a compliance violation.

Quick and Easy

Employees at professional services firms routinely enter client data into AI tools without understanding the associated privacy and compliance risks. A simple internal policy covering approved tools and prohibited data categories is not a luxury at this point. It is a basic part of running a responsible business.

Cyber Insurance Requirements for 2026: What Professional Services Firms Must Know

Christopher Woo
Tuesday, 24 February 2026 / Published in data privacy

In January 2026, a mid-sized accounting firm in Orange County received notice that its cyber insurance claim had been denied. They’d been hit with ransomware, had to shut down operations for five days, lost client data, and faced reporting requirements to multiple regulatory bodies. The recovery cost exceeded $300,000. Their insurance policy had a $2 million limit for cyber incidents. However, the carrier denied the claim in full after their post-breach audit revealed the firm wasn’t consistently enforcing the security controls it had attested were in place when it purchased the policy.

This is not an isolated incident. It’s the new reality of cyber insurance in 2026.

Why Insurance Requirements Have Gotten Stricter

Cyber insurance carriers have been getting hammered by claims. According to Fitch Ratings’ analysis, cyber insurance claims increased 74% year over year, with the average ransom payment reaching $2.73 million in 2024. Ransomware attacks have increased in frequency and sophistication, and insurance companies have responded by tightening underwriting requirements and becoming much more aggressive in verifying that firms actually maintain the security posture they claim to have.

For professional services firms such as accounting practices, law offices, and property management companies, this creates a significant challenge. You need cyber insurance because the risk is genuine and the potential costs are catastrophic. IBM’s Cost of a Data Breach Report 2024 found that the average cost of a data breach reached $4.4 million, with smaller businesses often facing costs that threaten their survival. However, maintaining coverage now requires implementing and documenting security measures that many smaller firms haven’t traditionally prioritized.

The Security Controls That Matter Most

Let’s be specific about what cyber insurance carriers are requiring in 2026. These aren’t suggestions. These are baseline requirements that most carriers won’t negotiate on.

Multi-factor authentication must be enabled on all accounts that have access to email, financial systems, client data, and remote access to your network. According to Marsh McLennan’s 2025 Cyber Insurance Market Report, 99% of cyber insurance applications now include specific questions about MFA implementation, and 87% of carriers require it as a condition of coverage. 

Regular backups with offline or immutable copies are mandatory. You need to prove you’re backing up critical data daily, testing restoration regularly, and keeping at least one backup copy that ransomware can’t reach. Carriers want to see evidence of the 3-2-1 backup rule: three copies of your data, on two different types of media, with one copy offsite and offline.

Endpoint protection that goes beyond basic antivirus is required. This means managed detection and response, not just a set-it-and-forget-it antivirus program you installed three years ago. Carriers want to see that you’re actively monitoring for threats, updating security software promptly, and have someone watching your systems who can respond when something looks wrong.

Security awareness training for all employees has moved from recommended to required, and it is not limited to a single training session at hire. Research from KnowBe4’s 2024 Phishing Benchmarking Report showed that organizations with ongoing quarterly training reduced susceptibility to phishing attacks by 86% compared to those with annual or no training. Carriers are looking for documented, ongoing training with testing.

Email security beyond your standard spam filter is increasingly common as a requirement. The majority of successful attacks start with email, so carriers are paying close attention to what you have in place to filter out malicious messages before they reach your employees.

The Documentation Burden

What catches many firms off guard is the fact that having these controls in place isn’t enough. You need to document that you have them, document that you’re maintaining them, and be prepared to prove it when your carrier asks.

This means maintaining security policies that spell out your requirements. Not generic templates you downloaded from the internet, but actual policies that reflect what you’re really doing. It means keeping records of your training sessions, your backup tests, your security updates, and your incident response procedures.

When you apply for cyber insurance or renew your policy, you’ll fill out detailed security questionnaires. These are getting longer and more technical every year. Your answers need to be accurate because if there’s a claim, the carrier will audit what you actually had in place versus what you said you had in place. Any discrepancies can and will be used to deny coverage.

What Compliance Readiness Actually Looks Like

Compliance readiness for small business cyber insurance isn’t about being perfect. It’s about being honest about your current state and having a plan to address gaps. If you’re a 15-person law office, nobody expects you to have an enterprise-grade security operations center. But they do expect you to have implemented the baseline security controls appropriate for your size and risk profile.

This means conducting regular risk assessments to identify your vulnerabilities, maintaining an incident response plan so you know what to do when something goes wrong, testing your backups periodically rather than assuming they work, and being realistic about your technical capabilities and getting help where you need it.

Many professional services firms are finding that they need outside assistance to meet insurance requirements. This isn’t a failure of your systems, but a recognition that security policy development and ongoing security management require expertise that most small and mid-sized firms lack in-house. 

Taking Action Before Renewal

If your cyber insurance renewal is coming up, start your security audit now, not two weeks before your policy expires. Your audit should include:

  • Working through the security questionnaire carefully
  • Honestly assessing where you stand on each requirement
  • Developing a realistic timeline and budget to address any areas where you are not compliant

Understand that improving your security posture may actually reduce your premiums or increase your coverage options. Carriers are willing to work with firms that demonstrate a serious commitment to security and consistent progress. What they won’t tolerate is firms that misrepresent their security controls or ignore requirements after purchase.

If you’re getting quoted higher premiums or having trouble finding coverage, the problem is probably in your current security posture, not the insurance market. Rather than shopping for a cheaper carrier that asks fewer questions, focus on getting your security house in order. The savings from slightly cheaper insurance won’t help you if your claim gets denied when you actually need coverage.

For professional services firms serving clients in accounting, legal, or property management, your security posture is increasingly part of your professional responsibility. Your clients trust you with sensitive information. They expect you to protect it. Meeting cyber insurance requirements in 2026 is really about meeting the baseline expectations of professional data stewardship.

Quick and Easy

Cyber insurance claims increased 74% in 2024, forcing carriers to require documented security controls, including MFA, tested offline backups, endpoint protection, and ongoing security training. Professional services firms must implement and document these controls accurately to avoid claim denials in the event of a breach.

Why Your Team Clicked That Phishing Email (And What It Really Means)

Christopher Woo
Monday, 02 February 2026 / Published in data privacy

I need to tell you something that might make you uncomfortable: your employees aren’t stupid for clicking that phishing email. They’re human.

I’ve been doing this for 35 years, and I’ve watched the conversation around cybersecurity training evolve from “teach people to be more careful” to something far more honest. The problem isn’t your people. The problem is that the internet changed, and most business leaders don’t realize how much.

The Internet Used to Be Smaller

When I started in technology, the bad actors on the internet were relatively unsophisticated. You could spot a phishing email because it had terrible grammar, pixelated logos, and came from an email address like “[email protected].” Your team could learn to recognize red flags because they were obvious.

That world doesn’t exist anymore.

It’s Not Personal Anymore. It’s Like Radiation.

Cybersecurity threats used to be like someone specifically targeting you. Now, they’re more like radiation or pollution. You’re swimming in it constantly, and it’s affecting everyone simultaneously.

According to the FBI’s Internet Crime Report, Americans lost over $12.5 billion to cybercrime in 2023, a 22% increase from the previous year. What that number doesn’t capture: the sophistication of phishing attacks has increased even faster than the financial losses.

AI-powered phishing attacks now analyze your writing style from your social media posts. They know which vendors you work with because that information is publicly available. They can create emails that look exactly like internal communications because they’ve studied how your company writes.

Your employees are facing cybersecurity threats that would have fooled security professionals five years ago.

What Does This Mean for You?

If you’re a managing partner at a law firm or an accounting practice, you need to stop thinking about security awareness training as “teaching people not to click bad links.” That approach assumes the problem is user error. The actual problem is environmental.

Think about it this way: if someone gets sick from polluted water, you don’t just tell them to “be more careful about what they drink.” You acknowledge that the water supply has a problem, and you implement systems to address it.

The same logic applies to cybersecurity for professional services firms.

The Real Solution Isn’t Just Training

Don’t get me wrong. Employee cybersecurity training matters. Your team should know what modern phishing looks like. They should understand that requests for urgent wire transfers need verification. They should recognize that real IT support never asks for passwords via email.

But training alone won’t solve this, because phishing prevention challenges evolve faster than training programs can keep up.

According to Verizon’s Data Breach Investigations Report, 60% of breaches involved the human element, but that statistic is misleading. It makes it sound like humans are the weak link. The reality is that humans are the target because attackers know that sophisticated social engineering is more effective than trying to hack into security systems.

What Actually Works for Small Business Ransomware Protection

After three decades of watching this problem evolve, this is what I tell professional services firms:

Layer your defenses with multi-factor authentication. MFA isn’t fun. It’s annoying. Your team will complain about endpoint security solutions. Implement it anyway. Multi-factor authentication stops most attacks, even if someone clicks a phishing link, because the attacker still can’t get into your systems without that second factor.

Make reporting easy. The worst thing you can do is create an environment where people are afraid to admit they clicked something suspicious. I’ve seen security incidents that could have been contained in minutes turn into disasters because someone was too embarrassed to report what happened.

Accept that failures will happen. Technology fails. People make mistakes. If you expect perfection, you’re setting yourself up for catastrophe. Plan for the reality that someone will eventually click something they shouldn’t.

Use email filtering that actually works. Most professional services firms are using whatever spam filter came with their email service. That’s not enough anymore. Invest in advanced threat protection that can catch sophisticated phishing attempts before they reach your team’s inboxes.

The internet changed. Your security policy development needs to change with it. Not because your people aren’t smart enough, but because the phishing prevention challenges are designed by professionals whose full-time job is defeating security measures.

What does this mean for you? It means stop blaming your team and start building better endpoint security solutions. That’s how professional services firms actually stay secure in 2026.

Quick and Easy

AI-powered phishing attacks are too sophisticated for training alone to stop, so professional services firms need multi-factor authentication, advanced email filtering, and systems that assume someone will eventually click something suspicious. According to the FBI, cybercrime losses exceeded $12.5 billion in 2023, and your employees face threats from social engineers whose full-time job is to target them.

The invisible algorithm bubble

Christopher Woo
Tuesday, 08 July 2025 / Published in Woo on Tech, algorithm, data privacy, elephant on the internet, social media

Most of you have known about this aspect of Internet life for a while now: everything we do is tracked, even in “incognito” mode and behind VPNs. And while some of the obvious identifying bits of your transactions may be obscured by privacy tools most don’t even bother to use, everything we do is logged, categorized and analyzed down to the minute and individual, and across years and world-wide demographic groups. Any which way the data can be sliced, diced and sorted, it has been and will be for the foreseeable future. Data has been the gold rush of the 21st century for several years now, and you’ve most likely started to sense the bubble of information that seems to follow you everywhere you go.

What on earth are you talking about?

By now, you’ve probably heard the term “algorithm” used to discuss various things, like search results, or page rankings, or advertising. Unless you happened to be immersed in a profession that deals with them all day long, you probably only have a vague sense of the impact algorithms have on your daily life. I could go on and on about how it works, but the easiest way to demonstrate how effective it is will be just to show you.

Assuming you have either a TikTok or YouTube account that you have used for at least a few months, try opening up a browser tab to either site while you are logged in, and another incognito tab while you are not logged in. Even minimal use of an account will drastically change what the site presents to you on the front page. Now think about everywhere you log in: Facebook, Spotify, Amazon, Netflix, Gmail, Instagram. All of them have extremely specific and voluminous data profiles on every aspect of how you use their site, and they are constantly feeding that data to algorithms that constantly inform what and how content is presented to you. While this can be pleasing or even comforting at first, it also has the knock-on effect of not showing us things we don’t want to see, even when it may be important for us to have that exposure. Humans, in their “default” state, will gravitate to what is comfortable and familiar, and the internet continues to reinforce this as a vicious feedback loop that is definitely turning out to be detrimental to compassion, curiosity and emotional growth.

Interestingly enough, most data algorithms also seem to follow a well-known phenomenon known as the “Observer Effect,” where the properties of the observed object change just because it is being observed. You can be certain that the minute you try to poke at the algorithm surrounding you on a particular platform, it will definitely observe you observing it, and depending on that platform’s intent for your interactions with it, will alter itself to maybe make it less obvious that you are being manipulated. Now wrap your head around that and add the fact that nearly all of our “news” is coming from platforms that actively know you are watching and can adjust what you consume based on agendas that most likely involve monetization and not just sharing information, and you get a sense for just how far down the rabbit hole we have fallen.

Image courtesy of TAW4 at FreeDigitalPhotos.net
