A client forwarded me a message from her internet provider a few weeks back. It warned that certain router brands might have security issues and suggested she consider upgrading to a managed service. She wanted to know if she should be worried.
I looked at the message and told her two things. First, the warning is real and the underlying concern is legitimate. Second, the way this particular company wrote it was deliberately vague, designed to create just enough unease to push her toward paying for something she may or may not need. The two facts are not mutually exclusive, and that combination is worth unpacking.
What Started the Questions
On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, which effectively bans new models from being imported or sold in the United States. The ruling cited documented cyberattack campaigns, most notably the Salt, Flax, and Volt Typhoon operations, where foreign-produced routers in homes and small offices were used as entry points to attack critical US infrastructure.
The brands affected read like a shopping list at Best Buy: TP-Link, Netgear, Asus, Linksys, Eero, Google Nest WiFi. All of them. Because virtually every consumer router on the market is manufactured outside the United States, the ban essentially covers the entire category of new product introductions until manufacturers either establish US-based production or receive individual conditional approval from the Department of Homeland Security.
Netgear has already received an exemption. Eero received conditional approval through October 2027. TP-Link, which holds roughly 65 percent of the US home router market, is still working through the process.
What This Does Not Mean
Before anyone calls me to ask if they need to throw their router in the trash, let me be direct: if you already own one of these devices and it is running fine, you are not required to do anything immediately. The FCC ruling grandfathers existing equipment. You can keep using your current router legally and indefinitely.
The ban prevents new foreign-made models from receiving FCC authorization going forward. What it does not do is criminalize the router sitting on your credenza right now.
There is, however, one real deadline buried in this that most of the coverage has glossed over. Manufacturers on the covered list have until March 1, 2027 to issue firmware updates to existing devices. After that date, unless they have secured a conditional approval, they cannot push software patches to devices already in the field. Which means a router that is fine today may gradually become a security liability as vulnerabilities emerge and fixes are no longer permitted.
Why This Matters for Your Business
What most business owners are not thinking about is the part I find most relevant for the professional services firms I work with.
The router sitting in your office is probably not the one that concerns me most right now. Business-grade networking equipment used in professional environments is generally managed differently and held to a higher standard than what you find in a consumer retail package.
What I am thinking about is the router in your employee’s home office.
You have probably had people working remotely for years now. They are accessing your systems, your client files, and your email through whatever networking equipment they set up in their living room. A lot of it is exactly the kind of foreign-manufactured consumer hardware that is now at the center of this national security discussion. Much of it has not been updated, assessed, or evaluated by anyone with any technical accountability for your business’s security.
I tell clients all the time: your security perimeter is not the four walls of your office anymore. It extends into every home where someone logs into your network. If that connection is running through a device with documented vulnerabilities and no path to a security patch after March 2027, that is a gap worth addressing.
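One way to put a number on that gap is to triage your remote workers' routers against the patch deadline. The script below is an added example and not tooling from this post or its author. The deadline and the manufacturer statuses it encodes are the post's statements as of its writing and are assumptions here; refresh them from the FCC's current Covered List and approval notices before relying on the output. The inventory, the staleness threshold and the "act within six months" window are constructed.

```python
"""Triage of remote workers' home routers against the FCC patch deadline.

Added example, not tooling from the post or its author. The deadline and the
manufacturer statuses below are the post's statements at the time it was
written and are an assumption here: refresh them from the FCC's current
Covered List and approval notices before relying on the output. The inventory
is constructed sample data.
"""
import csv
import io
from datetime import date
from typing import Optional

# Post: after this date, covered-list makers without conditional approval may
# no longer push firmware to devices already in the field.
PATCH_DEADLINE = date(2027, 3, 1)

# Manufacturer status as the post describes it (assumption; refresh before use).
#   "exempt"           -> patches expected to continue
#   "conditional", dt  -> patches assured until the approval expires on dt
#   "pending"          -> patches stop at PATCH_DEADLINE unless approval arrives
MANUFACTURER_STATUS = {
    "netgear": ("exempt", None),
    "eero": ("conditional", date(2027, 10, 31)),   # "through October 2027"
    "tp-link": ("pending", None),
}

STALE_FIRMWARE_DAYS = 365   # assumption: a year without an update is stale
URGENT_WINDOW_DAYS = 180    # assumption: act when patches end within 6 months
AS_OF = date(2026, 10, 1)   # constructed "today" for the sample run

# Constructed inventory: one row per remote worker's home router.
SAMPLE_INVENTORY = """\
employee,vendor,model,last_firmware_update
alice,TP-Link,Archer AX55,2025-01-10
bob,Netgear,Nighthawk RAX50,2026-02-01
carol,Eero,Eero 6,2025-11-15
dave,Acme,RouterX,2024-03-01
erin,TP-Link,Archer AX21,2026-06-01
"""


def patch_horizon(vendor: str) -> Optional[date]:
    """Last date on which the vendor can be assumed to deliver patches.

    None means no known horizon (exempt vendor). A vendor missing from the
    table is treated as pending, the conservative reading of a category-wide
    ban on foreign-made consumer routers."""
    status, expiry = MANUFACTURER_STATUS.get(vendor.lower(), ("pending", None))
    if status == "exempt":
        return None
    if status == "conditional":
        return expiry
    return PATCH_DEADLINE


def triage_device(row: dict, as_of: date) -> dict:
    """Assign one router an action (replace, plan_replacement,
    update_firmware or monitor) together with the reasons that drove it."""
    firmware_age = (as_of - date.fromisoformat(row["last_firmware_update"])).days
    horizon = patch_horizon(row["vendor"])
    days_left = None if horizon is None else (horizon - as_of).days
    stale = firmware_age > STALE_FIRMWARE_DAYS

    reasons = []
    if stale:
        reasons.append(f"firmware last updated {firmware_age} days ago")
    if days_left is not None:
        reasons.append(f"patch horizon {horizon.isoformat()} ({days_left} days)")

    if days_left is not None and days_left <= 0:
        action = "replace"                       # no patches can be expected
    elif days_left is not None and days_left <= URGENT_WINDOW_DAYS:
        action = "replace" if stale else "plan_replacement"
    elif stale:
        action = "update_firmware"               # still patchable, just neglected
    else:
        action = "monitor"
    return {"employee": row["employee"], "vendor": row["vendor"],
            "model": row["model"], "action": action, "reasons": reasons}


def triage_inventory(csv_text: str, as_of: date) -> list:
    """Triage every row of the inventory, most urgent first."""
    order = {"replace": 0, "plan_replacement": 1, "update_firmware": 2, "monitor": 3}
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [triage_device(r, as_of) for r in rows]
    return sorted(results, key=lambda r: (order[r["action"]], r["employee"]))


def demo() -> list:
    return triage_inventory(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['action']:17} {r['employee']:6} {r['vendor']} {r['model']}: "
              + "; ".join(r["reasons"]))
```

The useful design choice is the default: a vendor you cannot find in the status table is treated as pending rather than as fine, because under a category-wide ban "unknown" is far more likely to mean "covered" than "exempt".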
My Honest Take
I have been watching the concerns around foreign-manufactured networking equipment for a long time. The documented attacks and vulnerabilities are real. Whether the current political moment is driving the timing of this particular ruling is a separate conversation I will spare you.
What I will say is that this is a good time to have someone take an honest look at your network, including your remote workers’ home setups, and give you a realistic assessment of where you actually stand. Not a sales pitch dressed up as a security warning. Just a straight answer about what you have, what the risks are, and what, if anything, you should actually do about it.
That is the conversation I am always happy to have.
Quick and Easy
The FCC banned new foreign-manufactured consumer routers in March 2026, citing documented national security threats. Existing devices are legally protected for now, but a March 2027 deadline for firmware updates means routers from affected manufacturers could become security liabilities. For professional services firms, the immediate priority is evaluating remote employee home networks, not just office infrastructure.
I need to tell you something that might make you uncomfortable: your employees aren’t stupid for clicking that phishing email. They’re human.
I’ve been doing this for 35 years, and I’ve watched the conversation around cybersecurity training evolve from “teach people to be more careful” to something far more honest. The problem isn’t your people. The problem is that the internet changed, and most business leaders don’t realize how much.
The Internet Used to Be Smaller
When I started in technology, the bad actors on the internet were relatively unsophisticated. You could spot a phishing email because it had terrible grammar, pixelated logos, and came from an email address like “[email protected].” Your team could learn to recognize red flags because they were obvious.
That world doesn’t exist anymore.
It’s Not Personal Anymore. It’s Like Radiation.
Cybersecurity threats used to be like someone specifically targeting you. Now, they’re more like radiation or pollution. You’re swimming in it constantly, and it’s affecting everyone simultaneously.
According to the FBI’s Internet Crime Report, Americans lost over $12.5 billion to cybercrime in 2023, a 22% increase from the previous year. What that number doesn’t capture: the sophistication of phishing attacks has increased even faster than the financial losses.
AI-powered phishing attacks now analyze your writing style from your social media posts. They know which vendors you work with because that information is publicly available. They can create emails that look exactly like internal communications because they’ve studied how your company writes.
Your employees are facing cybersecurity threats that would have fooled security professionals five years ago.
What Does This Mean for You?
If you’re a managing partner at a law firm or an accounting practice, you need to stop thinking about security awareness training as “teaching people not to click bad links.” That approach assumes the problem is user error. The actual problem is environmental.
Think about it this way: if someone gets sick from polluted water, you don’t just tell them to “be more careful about what they drink.” You acknowledge that the water supply has a problem, and you implement systems to address it.
The same logic applies to cybersecurity for professional services firms.
The Real Solution Isn’t Just Training
Don’t get me wrong. Employee cybersecurity training matters. Your team should know what modern phishing looks like. They should understand that requests for urgent wire transfers need verification. They should recognize that real IT support never asks for passwords via email.
But training alone won’t solve this, because phishing prevention challenges evolve faster than training programs can keep up.
According to Verizon’s Data Breach Investigations Report, 60% of breaches involved the human element, but that statistic is misleading. It makes it sound like humans are the weak link. The reality is that humans are the target because attackers know that sophisticated social engineering is more effective than trying to hack into security systems.
What Actually Works for Small Business Ransomware Protection
After three decades of watching this problem evolve, this is what I tell professional services firms:
Layer your defenses with multi-factor authentication. MFA isn’t fun. It’s annoying. Your team will complain about it, as they complain about every other endpoint security control. Implement it anyway. Multi-factor authentication stops most attacks, even if someone clicks a phishing link, because the attacker still can’t get into your systems without that second factor.
Make reporting easy. The worst thing you can do is create an environment where people are afraid to admit they clicked something suspicious. I’ve seen security incidents that could have been contained in minutes turn into disasters because someone was too embarrassed to report what happened.
Accept that failures will happen. Technology fails. People make mistakes. If you expect perfection, you’re setting yourself up for catastrophe. Plan for the reality that someone will eventually click something they shouldn’t.
Use email filtering that actually works. Most professional services firms are using whatever spam filter came with their email service. That’s not enough anymore. Invest in advanced threat protection that can catch sophisticated phishing attempts before they reach your team’s inboxes.
The internet changed. Your security policy development needs to change with it. Not because your people aren’t smart enough, but because the phishing prevention challenges are designed by professionals whose full-time job is defeating security measures.
What does this mean for you? It means stop blaming your team and start building better endpoint security solutions. That’s how professional services firms actually stay secure in 2026.
Quick and Easy
AI-powered phishing attacks are too sophisticated for training alone to stop, so professional services firms need multi-factor authentication, advanced email filtering, and systems that assume someone will eventually click something suspicious. According to the FBI, cybercrime losses exceeded $12.5 billion in 2023, and your employees face threats from social engineers whose full-time job is to target them.
Remember when you could spot a phishing email because it had terrible grammar or came from a weird email address?
Those days are over.
Research from Hoxhunt showed that by March 2025, AI-generated phishing attacks had become more effective than those created by elite human security experts. The AI didn’t just catch up; it surpassed the best humans at social engineering.
Let that sink in. The people whose entire job is creating realistic phishing simulations to test your employees? AI is better at it than they are.
The Scale of the AI Phishing Problem
According to the World Economic Forum, phishing and social engineering attacks increased 42% in 2024. That was before AI really hit its stride.
The attacks aren’t just better written anymore. They’re contextual and arrive at the exact right time. They reference real projects, real people in your organization, and real deadlines.
Google’s 2026 forecast warns that attackers are using AI to create emails that are essentially indistinguishable from legitimate communication.
This is what that looks like in practice:
You receive an email from your CFO requesting an urgent invoice payment. It uses her exact writing style. It references the specific vendor you’ve been working with. It arrives right when you’d expect such a request. The email address looks right. The signature looks right. Everything looks right.
Except it’s not from your CFO. It’s from an AI that studied 50 of her previous emails and generated a perfect forgery.
Voice Cloning: The New Frontier
Email isn’t even the scariest part anymore.
A tech journalist recently demonstrated that she could clone her own voice using cheap AI tools and fool her bank’s phone system – both the automated system and a live agent – in a five-minute call.
Think about what that means for your business. Your CFO gets a call that sounds exactly like your CEO: voice, cadence, the way they clear their throat, everything. It’s asking for an urgent wire transfer for a time-sensitive deal.
How do you defend against that?
Why Traditional Phishing Training Fails Against AI
Your annual security training tells employees to look for:
- Spelling and grammar errors (AI doesn’t make these mistakes)
- Generic greetings (AI personalizes everything)
- Suspicious sender addresses (AI uses compromised legitimate accounts)
- Urgent requests (legitimate urgent requests also sound urgent)
- Links that don’t match the display text (AI uses legitimate-looking domains)
Every single indicator you’ve trained people to watch for? AI bypasses them.
What Actually Works Against AI Generated Phishing
The old training about “look for spelling errors” is dead. Your employees need to understand that verification matters more than urgency.
Use this to protect you and your team:
Slow down when things feel urgent. Urgency is the weapon. If someone’s asking for sensitive information or money transfers, that urgency should trigger caution, not immediate compliance.
Verify through a different channel. Email says it’s from your CEO? Call them on a known number. Text message from your bank? Call the number on your card, not the one in the message. Voice call asking for a transfer? Hang up and call back.
Trust your judgment about whether requests make sense. Does your CEO normally ask for wire transfers via text? Does your IT department usually request password resets through email? If the method doesn’t match the request, verify.
Create a culture where questioning is safe. Your employees need to know they won’t get fired for double-checking whether the CEO really sent that request. These attacks exploit hierarchy and time pressure.
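The four rules above can be written down as a checklist that a request has to pass before money moves. What follows is an added example, not a procedure document from this post or its author: the directory, names, phone numbers and requests in it are constructed. It enforces the two points that matter most, that the check happens on a channel other than the one the request arrived on, and that the contact details used come from your own directory rather than from the message.

```python
"""Out-of-band verification of money and credential requests.

Added example; not a procedure document from the post or its author. The
directory, names, numbers and requests are constructed. It encodes the rule
the post gives: confirm through a channel different from the one the request
arrived on, using contact details your firm already holds, never details
supplied in the message itself.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed directory of known-good contact details (kept by the firm, not
# taken from any incoming message).
DIRECTORY = {
    "cfo@example.com": {"name": "Dana (CFO)", "phone": "+1-555-0100"},
    "partner@example.com": {"name": "Sam (Managing Partner)", "phone": "+1-555-0101"},
}

# Actions that are verified no matter how legitimate the request looks.
SENSITIVE_ACTIONS = {"wire_transfer", "change_bank_details", "share_credentials"}


@dataclass
class Request:
    id: str
    claimed_sender: str               # address the message claims to be from
    arrived_via: str                  # "email", "sms" or "voice"
    action: str
    amount: float = 0.0
    urgent: bool = False
    contact_in_message: Optional[str] = None   # e.g. "call me back on ..."


@dataclass
class Verdict:
    approved: bool
    reason: str
    log: List[str] = field(default_factory=list)


def verify(request: Request, verify_via: str, contact_used: str,
           confirm: Callable[[str, str], bool]) -> Verdict:
    """Decide whether a request may proceed.

    verify_via    channel used for the check; must differ from arrived_via
    contact_used  number actually dialled; must come from DIRECTORY
    confirm       reaches the person at contact_used and asks whether
                  request.id is genuine (a real call in practice; constructed here)
    """
    log: List[str] = []
    if request.action not in SENSITIVE_ACTIONS:
        return Verdict(True, "not a sensitive action; no verification required", log)
    if request.urgent:
        log.append("urgent: urgency raises scrutiny, it does not lower it")
    if verify_via == request.arrived_via:
        return Verdict(False, f"must verify on a channel other than {verify_via}", log)
    entry = DIRECTORY.get(request.claimed_sender)
    if entry is None:
        return Verdict(False, "claimed sender not in the firm's directory", log)
    if contact_used != entry["phone"]:
        if contact_used == request.contact_in_message:
            return Verdict(False, "contact was taken from the message, not the directory", log)
        return Verdict(False, "contact does not match the directory", log)
    log.append(f"reaching {entry['name']} at {contact_used} via {verify_via}")
    if not confirm(contact_used, request.id):
        return Verdict(False, "sender did not confirm the request", log)
    return Verdict(True, "confirmed out of band", log)


# Constructed stand-in for the phone call: the real CFO recognises only REQ-002.
GENUINE_REQUESTS = {"REQ-002"}


def phone_call(contact: str, request_id: str) -> bool:
    return request_id in GENUINE_REQUESTS


# Constructed scenario: a polished email "from the CFO" asking for an urgent
# wire, with a callback number helpfully included in the message.
FORGED = Request("REQ-001", "cfo@example.com", "email", "wire_transfer",
                 amount=95_000.0, urgent=True, contact_in_message="+1-555-9999")
GENUINE = Request("REQ-002", "cfo@example.com", "email", "wire_transfer",
                  amount=12_500.0)


def run_scenarios() -> dict:
    return {
        "same_channel": verify(FORGED, "email", "+1-555-0100", phone_call),
        "number_from_message": verify(FORGED, "voice", "+1-555-9999", phone_call),
        "forged_callback": verify(FORGED, "voice", "+1-555-0100", phone_call),
        "genuine_callback": verify(GENUINE, "voice", "+1-555-0100", phone_call),
    }


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:20} approved={v.approved}  {v.reason}")
```

Note that the forged request is refused three different ways before anyone talks to the CFO: replying to the same email, dialling the number the message offered, and only then a real callback that the CFO denies. The check never inspects the message for spelling or formatting, which is the point: it works the same whether the forgery is clumsy or perfect.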
The Reality for Professional Services Firms
The accounting firms, law offices, and property management companies we work with are particularly vulnerable to these attacks because:
- They handle sensitive financial information
- They regularly process wire transfers
- They work with clients who expect fast responses
- They have hierarchical structures that discourage questioning authority
One immigration law firm we work with almost lost $180,000 to an AI-generated email that perfectly mimicked its managing partner’s communication style, requesting an urgent retainer transfer. The only thing that saved them was an associate who thought the request was weird enough to verify in person.
That associate didn’t stop the attack because they spotted technical indicators. They stopped it because something felt off, and they were empowered to question it.
What This Means for Your Business
You need to update your security training immediately. Not next quarter. Not when the budget allows. Now.
The training needs to focus on:
- Verification procedures that work regardless of how legitimate something appears
- Creating psychological safety for employees to question urgent requests
- Understanding that AI can fake anything visual or auditory
- Practicing what to do when something seems both urgent and suspicious
You need to practice these procedures regularly. Not once a year during security awareness month. Monthly at minimum.
Because the attacks are getting better every single day. Criminals using them no longer need your employees to click a suspicious link. They need your employees to trust their eyes and ears when they shouldn’t.
The Quick and Easy: AI-generated phishing attacks now outperform human security experts, with attacks increasing 42% in 2024. AI generates emails and phone calls that are indistinguishable from legitimate communication, bypassing traditional phishing indicators such as spelling errors, generic greetings, and suspicious links. Voice cloning technology can fool both automated systems and live humans. Traditional training focusing on spotting errors no longer works. Instead, businesses need verification procedures that work regardless of appearance, cultures where questioning authority is safe, and regular practice with realistic scenarios. Professional services firms are particularly vulnerable due to their hierarchical structures and regular financial transactions. The key defense is slowing down when things feel urgent and verifying through different channels.
I’ve put enough notches in my cyberbelt to speak with confidence on tech security and I’m reasonably sure most of you take me seriously, but it’s nice when the President of the United States backs up your message about the state of cybersecurity, especially when that message is that our work has only just begun. In a Wall Street Journal op-ed published today, President Obama announced an aggressive plan to improve America’s cybersecurity profile, starting with increasing the nation’s budget on technology security to $19 billion. Three billion of that planned increase is targeted at upgrading Federal computer systems, many of which he recognizes as being woefully past due for an upgrade. And as is always the case, those computer upgrades are going to need tech-savvy hands, hopefully supplied by a tech-focused “Peace Corps” initiative and a new cybersecurity Center of Excellence, which will be formed as a collaboration point between the government and the private sector. Some of this new money will also fund a national security awareness campaign (and you thought my password nagging was bad!). To cap it off, he is also calling for the creation of a bipartisan Commission on Enhancing National Cybersecurity and the creation of a new national Chief Information Security Officer.
What this means for you:
In the short run, not much is going to change for you or your organization, even if you happen to work for or with an organization that might be first in line for Federally funded computer upgrades. Federal programs never move swiftly, and I doubt this one will be any different. In order for any problem to be solved, it must first be acknowledged. Allocating money (however trivial it may seem in the face of our defense spend) is an important step in the right direction. Many businesses, both big and small, fail to budget for security issues, sometimes through willful denial, and most often because of a lack of understanding about how important cybersecurity has become. We all know the government regularly gets low grades on its technology proficiency – hopefully money won’t be a part of that problem going forward. The more important lesson here is that while money does help, talent, cooperation and a plan to change are crucial to developing a sound security policy, whether you are the federal government or a sole proprietor.