A client forwarded me a message from her internet provider a few weeks back. It warned that certain router brands might have security issues and suggested she consider upgrading to a managed service. She wanted to know if she should be worried.
I looked at the message and told her two things. First, the warning is real and the underlying concern is legitimate. Second, the way this particular company wrote it was deliberately vague, designed to create just enough unease to push her toward paying for something she may or may not need. The two facts are not mutually exclusive, and that combination is worth unpacking.
What Started the Questions
On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, which effectively bans new models from being imported or sold in the United States. The ruling cited documented cyberattack campaigns, most notably the Salt, Flax, and Volt Typhoon operations, where foreign-produced routers in homes and small offices were used as entry points to attack critical US infrastructure.
The brands affected read like a shopping list at Best Buy: TP-Link, Netgear, Asus, Linksys, Eero, Google Nest WiFi. All of them. Because virtually every consumer router on the market is manufactured outside the United States, the ban essentially covers the entire category of new product introductions until manufacturers either establish US-based production or receive individual conditional approval from the Department of Homeland Security.
Netgear has already received an exemption. Eero received conditional approval through October 2027. TP-Link, which holds roughly 65 percent of the US home router market, is still working through the process.
What This Does Not Mean
Before anyone calls me to ask if they need to throw their router in the trash, let me be direct: if you already own one of these devices and it is running fine, you are not required to do anything immediately. The FCC ruling grandfathers existing equipment. You can keep using your current router legally and indefinitely.
The ban prevents new foreign-made models from receiving FCC authorization going forward. What it does not do is criminalize the router sitting on your credenza right now.
There is, however, one real deadline buried in this that most of the coverage has glossed over. Manufacturers on the covered list have until March 1, 2027 to issue firmware updates to existing devices. After that date, unless they have secured a conditional approval, they cannot push software patches to devices already in the field. Which means a router that is fine today may gradually become a security liability as vulnerabilities emerge and fixes are no longer permitted.
Why This Matters for Your Business
What most business owners are not thinking about is the part I find most relevant for the professional services firms I work with.
The router sitting in your office is probably not the one that concerns me most right now. Business-grade networking equipment used in professional environments is generally managed differently and held to a higher standard than what you find in a consumer retail package.
What I am thinking about is the router in your employee’s home office.
You have probably had people working remotely for years now. They are accessing your systems, your client files, and your email through whatever networking equipment they set up in their living room. A lot of it is exactly the kind of foreign-manufactured consumer hardware that is now at the center of this national security discussion. Much of it has not been updated, assessed, or evaluated by anyone with any technical accountability for your business’s security.
I tell clients all the time: your security perimeter is not the four walls of your office anymore. It extends into every home where someone logs into your network. If that connection is running through a device with documented vulnerabilities and no path to a security patch after March 2027, that is a gap worth addressing.
My Honest Take
I have been watching the concerns around foreign-manufactured networking equipment for a long time. The documented attacks and vulnerabilities are real. Whether the current political moment is driving the timing of this particular ruling is a separate conversation I will spare you.
What I will say is that this is a good time to have someone take an honest look at your network, including your remote workers’ home setups, and give you a realistic assessment of where you actually stand. Not a sales pitch dressed up as a security warning. Just a straight answer about what you have, what the risks are, and what, if anything, you should actually do about it.
That is the conversation I am always happy to have.
Quick and Easy
The FCC banned new foreign-manufactured consumer routers in March 2026, citing documented national security threats. Existing devices are legally protected for now, but a March 2027 deadline for firmware updates means routers from affected manufacturers could become security liabilities. For professional services firms, the immediate priority is evaluating remote employee home networks, not just office infrastructure.
Remote work is not a temporary arrangement that professional services firms are still adjusting to. It has been five years. It is the baseline. Most firms’ security posture still treats it like a guest bedroom situation rather than a permanent part of how the business operates.
This is not about blame. The shift happened fast, priorities were elsewhere, and the security implications were not obvious until they became obvious. But by 2025, roughly 42% of employees were logging in remotely at least once a week, which means the attack surface of the average professional services firm now extends well past the office walls into home networks, personal devices, and coffee shops, whether the firm has planned for that or not.
This is what actually matters for your remote work technology setup, without the sales pitch.
The Home Network Problem Your Remote Work Technology Setup Cannot Ignore
Your office network is managed. It has a firewall, monitored access points, and someone responsible for keeping it current. Your employee’s home network has a router their ISP shipped three years ago, still running the default admin password, on firmware that has not been updated since installation.
That is not the employee’s fault. They are not network engineers. However, it is a meaningful gap, and home networks are now the entry point for roughly 38% of cyberattacks targeting remote access infrastructure.
What you can actually do about this: require that any employee working remotely connect through a company-provided VPN before accessing firm systems. A VPN encrypts the connection between the employee’s device and your network, which does not solve the home router problem but substantially reduces what a compromised home network can do to your firm’s data. This is a policy decision more than a technical one, and it is not expensive to implement.
Hybrid Work Infrastructure Planning Starts with Devices
Misconfigured access controls accounted for 24% of cloud security breaches in 2025, and a significant percentage of those trace back to personal devices accessing company systems without proper configuration.
When an employee uses a personal laptop to access your client portal, document management system, or email, that device may be running outdated software, missing security patches, or shared with other household members. The firm has no visibility into any of that.
Solid hybrid work infrastructure planning means making a deliberate choice here. Either provide company-owned devices to employees who work remotely and manage those devices centrally, or establish a clear policy for personal device use that includes minimum requirements: current operating system, enabled encryption, and a business-grade password manager. Neither is free, but both are considerably less expensive than responding to a breach.
The People Problem No Technology Solves on Its Own
This one gets less attention than devices and networks, but remote workers are three times more likely to accidentally expose data than office employees, largely because the cues and norms of an office environment are not there to slow them down.
An employee who would never print a client document and leave it at a coffee shop might share that same document through a personal email account because it was faster than logging into the firm portal. Someone who would follow office protocols automatically when surrounded by colleagues may not think twice about the same action from their kitchen.
This is an environment issue, not a character issue. The office creates passive guardrails. Remote work removes them.
What helps: clear, specific policies about how client data can be transmitted and stored outside the office, combined with regular reinforcement. Not an annual training click-through, but actual conversations with staff about specific scenarios, including the borderline ones.
The Three Remote IT Support Priorities for Professional Services Firms
If your firm is going to prioritize, these are the controls that carry the most weight.
Multi-factor authentication on everything. Not just email. Your document management system, client portal, practice management software, and accounting platforms. If an attacker gets a password, MFA is often the only thing standing between them and your client data. In 2025, 91% of companies made MFA mandatory for all remote access points. If your firm has not, that is the first thing to fix.
A written remote work security policy. It does not have to be long. It needs to exist, be specific, and be communicated to staff. It should cover which devices are permitted, how client data can and cannot be transmitted, what to do if a device is lost or compromised, and who to call. If the policy lives only in someone’s head, it is not a policy.
Endpoint management. This means having the ability to see and manage the devices that connect to your firm’s systems, including remotely wiping a device if it is lost or stolen. For firms handling sensitive client financial data, this is a baseline requirement, not a luxury. Your remote IT support provider should be able to tell you exactly what devices are connected to your environment at any given time.
What You Are Not Doing Wrong
The firms I work with that have unresolved remote work security gaps are not being careless. They built remote access solutions quickly, under pressure, and the security refinements got deferred. That is a rational response to a chaotic period.
The window for treating remote security as a work-in-progress is closing, though. Cyber insurance underwriters are increasingly scrutinizing remote work controls specifically, and firms that cannot demonstrate basic hygiene in this area are finding their coverage options narrow. Getting ahead of that is worth the effort.
If you want to walk through where your firm’s remote work technology setup actually stands right now, that is a conversation we are happy to have.
Quick and Easy: Remote work permanently expanded the attack surface of professional services firms, and most firm security policies have not kept pace. The three controls that matter most are MFA on every system, a written and communicated remote work policy, and endpoint management for devices that access firm data. These are not complicated or expensive to implement, but they require treating remote security as permanent infrastructure rather than a temporary workaround.