People leave jobs. It happens at every firm, and it's usually fine. A professional transition, a two-week notice, a farewell lunch. The IT side of that departure, though, is one of the highest-risk moments in the lifecycle of a small professional services firm, and most firms handle it with something between a checklist on a Post-it note and nothing at all.

Here's what I see when I come into a firm that's never had a formal offboarding process: email accounts still active weeks after a departure. Shared passwords that the former employee knows and that nobody has changed. Personal devices with client data on them that were never wiped. Access to the client portal, the billing system, the e-signature platform are all still live, because those vendor portals aren't connected to your M365 offboarding flow and someone forgot to log in and remove the account manually.

None of that is malicious, usually. Most former employees aren't trying to do anything with that lingering access. But "not malicious" and "not a risk" are different things.

The M365 side is the part most firms at least attempt. Disable the account, set up an out-of-office, maybe convert to a shared mailbox so a colleague can monitor it. That's the right instinct, but the execution often has gaps.

The complete M365 offboarding sequence is straightforward, but it needs to be executed deliberately: block sign-in in Entra ID, revoke sign-in sessions, review and revoke any app permissions the account had granted to third-party applications, remove from distribution lists and shared mailboxes, handle mailbox continuity, and make a plan for the user's OneDrive before the account is deleted. Missing one of those steps is how access lingers.

The session revocation step gets skipped more than it should. Blocking sign-in does not necessarily invalidate every existing token immediately. Revoking sessions is the part that forces reauthentication more aggressively across the Microsoft side of the house. They're two separate actions in Entra ID, and both matter.

On OneDrive specifically: admins can grant access to a former employee's files, but that access window is time-bound once the account is deleted. Don't assume the data is safe to ignore until you get to it.

The vendor portals are where most firms have the largest exposure, and the hardest problem.

Your practice management system, billing platform, e-signature tool, document storage, client portal; it’s likely none of these automatically knows that someone left your firm unless you have Single Sign On enabled. They only know what you tell them. If you don't log into each one and remove the account, access persists indefinitely.

This is exactly why the vendor inventory from the vendor attack surface article matters in a different way here. You can't offboard someone from a tool you forgot you have. The same list you build to assess vendor risk is the list you work through on every departure.

The standard I recommend: treat vendor offboarding as a checklist that gets completed within 24 hours of a departure, not within the same week, and not "when someone gets to it." For the highest-sensitivity platforms — anything with client financial data, executed agreements, or communications — it needs to happen the same day.

The device question is awkward but necessary.

If the departing employee had a company-managed device, that's straightforward: wipe it through Intune before or during their last day. If they were using a personal device under a real BYOD policy, you can usually remove corporate data from managed apps without touching their personal content. What Intune cannot do is claw back files that were saved outside the managed environment.

The harder conversation is the personal device that was never enrolled at all. If someone was accessing client email or documents on their personal phone without any MDM enrollment, you have no remote wipe capability. The Microsoft 365 data those apps cached lives on a device you don't control. This is the BYOD policy gap in practical terms, and it's one of the reasons the "we'll deal with device management later" conversation has a real cost.

The data question is the one firms are most reluctant to address directly, because it feels adversarial.

Microsoft Purview audit logs can help you review what was accessed, downloaded, shared, or otherwise acted on around the time of a departure. Running that review isn't accusing anyone of anything. It's basic due diligence, and most of the time you'll find nothing notable and move on. For the ones where you don't, you'll be glad you looked.

The firms that handle this well aren't doing anything exotic. They have a written offboarding checklist that covers M365, vendors, devices, and data review. They assign one person responsibility for completing it. They complete it within 24 hours of a departure, or same day for unplanned ones.

That's it. The gap between firms that handle departures cleanly and firms that discover access problems six months later usually isn't resources or technology. It's whether someone wrote down the steps and made them someone's job to execute.

If you're an Athencia One client, this checklist already exists for your firm, simply reach out and we'll review it with you. If you're not yet a client and want a starting point, you can find our professional services page to learn more about how we can help you build one.

Most professional services firms that carry cyber insurance bought the policy the same way they bought their general liability policy: they answered the questions, paid the premium, and filed it away.

That's fine until you need to file a claim. Then the application and the policy wording start to matter a lot more than most firms expect. Cyber policies are heavily customized, and the answers given during underwriting can become very important if a claim later turns on whether the controls you described were actually in place.

The point isn't that every disputed claim gets denied. It's that a lot of firms have never compared their policy language, underwriting answers, and actual operating environment closely enough to know where a dispute could start.

The coverage question first, because it's worth understanding what you're actually buying.

Cyber policies often include a mix of first-party and third-party coverage. Common buckets can include forensic investigation, breach response costs, legal defense, certain regulatory expenses, cyber extortion coverage, and some form of business interruption. But "often" is the key word. Coverage structure, exclusions, waiting periods, and sublimits vary substantially by policy and carrier.

Sublimits are common, including for cyber-crime losses and business interruption caused by a dependent third party. The headline policy limit is less meaningful than the sublimits for the scenarios most likely to affect you, and most firms haven't read that section carefully.

Social engineering and funds transfer fraud deserve special attention because policy language in that area varies widely. In some programs, coverage may require an endorsement or may be subject to narrow wording or low sublimits. That's the kind of detail worth reviewing before a loss, not during one.

The application is where this gets operationally relevant.

When you applied for your policy, you were asked about MFA, endpoint protection, backups, incident response, and likely several other controls. The answers you gave are now part of the underwriting record. If a claim later implicates a control you represented on that application, and the investigation reveals the control wasn't in place or wasn't functioning the way you described, you may have a coverage problem, and in the worst cases, a serious dispute over the validity or scope of coverage.

The Travelers v. ICS case is the cautionary example. The dispute centered on alleged misrepresentations about MFA in the application. The policy was ultimately rescinded by stipulation. That's not a fine-print technicality. It's the practical consequence of an application answer that didn't reflect operational reality.

Underwriting has also become more exacting. The safer operating assumption is that you should be able to support your application answers with actual evidence, not just a good-faith belief that the controls exist.

The practical things to do before your next renewal.

Pull the policy, the declarations, any endorsements, and your most recent application or renewal questionnaire. Read them together. The gaps between what you said you have and what you actually have are worth finding now rather than later.

Compare your answers to actual controls: MFA enforcement, backup testing, EDR deployment, vendor access management, incident response documentation. Not intended controls. Current, verified ones.

Identify what evidence you could produce quickly if asked: restore test records, access review exports, security configuration screenshots, policy acknowledgments. If you can't produce that evidence within 72 hours, that's a gap.

Check for sublimits and any separate treatment of social engineering and funds transfer fraud. Know what those limits are before you're in a situation that triggers them.

And involve your broker, IT or security lead, and legal counsel together — not in separate conversations. The policy, the controls, and the documentation need to be reviewed as a system.

The connection to your managed IT setup is direct. If your Athencia One environment is configured correctly — MFA enforced, Huntress running and monitored, Dropsuite and Slide backups tested regularly — you're not just more secure, you're in a better position to support the representations you made when you bought the policy.

Cyber insurance works best when it's backed by the controls it assumes you have. The firms that discover a gap usually discover it at the worst possible time.

Let me skip the part where I tell you AI is transforming everything and get to the part that's actually useful.

First, a quick clarification worth making: if your firm is already on a qualifying Microsoft 365 plan, you likely have access to Copilot Chat at no extra charge. It's a web-grounded AI assistant built into M365, and it's useful for general questions and drafting. What this article is about is the paid Copilot add-on, Microsoft 365 Copilot Business, which is what unlocks deep integration with your actual work: your emails, your documents, your Teams meetings, your calendar.

That add-on is $21 per user per month on an annual commitment, or $25.20 month-to-month, on top of a qualifying Microsoft 365 plan. There's a promotional rate of $18/user running through June 2026 if you're looking at this now. For a 15-person firm, you're looking at roughly $3,780 a year at standard pricing. Whether that makes sense depends entirely on whether the people using it actually save enough time to justify it, and on whether the deployment was done right, which we covered separately.

Assuming it was: here's what it's realistically good for in a professional services context, and where it falls flat.

Where it earns its keep

Meeting recaps are the most immediate win, and they're not close. If your team runs on Teams meetings — client calls, internal syncs, matter reviews — Copilot can generate a structured summary of what was discussed, what was decided, and what the action items are, within minutes of the call ending. For anyone who has spent 20 minutes writing up meeting notes that they then send to a client, this is the obvious one. The quality is good. You still review it, but the draft is there.

Email drafting is the second one. Not generating emails from scratch but taking a thread that's gotten long and complicated and either summarizing what's been discussed or drafting a response given context you provide. For partners and senior staff who are in their inbox constantly, this adds up.

Document summarization is useful in specific situations. If you're reviewing a long contract, a set of financial statements, or a research memo before a client meeting, Copilot can pull out the key points and flag things that need attention. It won't replace a careful read for anything high stakes, but it's a solid first pass.

The Teams transcript tie-in is underrated. Copilot can summarize meetings, identify action items, and answer follow-up questions about what was discussed, but if you want that post-meeting usefulness, live transcription needs to be part of the workflow. For practices where oral commitments and follow-through matter, that kind of institutional memory is genuinely useful.

Where it doesn't deliver

Legal research is not Copilot's job. It doesn't have access to Westlaw or Lexis, and like any large language model it can produce plausible-sounding citations that don't exist. Anything that requires authoritative sourcing should stay in purpose-built legal research tools. Copilot can help you work with documents you already have; it can't reliably go find things you don't.

First-draft work product is possible but requires careful handling. Copilot can write a first draft of a client letter or internal memo that's pretty good; structurally sound, appropriate tone, but it needs review the same way any associate's work would. The risk isn't that it's obviously wrong; it's that it's subtly wrong in ways that only careful review catches. The firms that have gotten into trouble with AI-generated content are the ones that treated the output as final rather than as a starting point.

Financial analysis has limits. Copilot can work with Excel and pull numbers into summaries, but it's not an analyst. For anything where the accuracy of the numbers has real consequences, you want a human checking the math.

The honest ROI question

At $21 per user, the math works if people actually use it. That sounds obvious, but Copilot adoption follows the same pattern as most productivity tools: the enthusiastic early adopters get real value quickly; the reluctant users have it sit in their toolbar for six months unused.

The firms that see the best return are the ones that identified two or three specific use cases for their practice such as meeting summaries, email drafting, and document review, and then made those the focus of their rollout rather than trying to turn Copilot into everything at once.

Whether the license pays for itself depends on your team's billing rates, internal labor costs, and which workflows you're actually improving. The firms that tend to justify it fastest are the ones using it heavily for meetings, email, and document-heavy work, which is where the time savings are visible and recurring rather than occasional.

The harder question is whether your tenant is ready for it. If you haven't done the permissions and data governance work first, you're not getting consistent productivity gains, you're getting a tool that works unpredictably and occasionally surfaces things it shouldn't. That's the conversation from the other article in this series, and it's worth having before you make the purchasing decision.

Microsoft 365 Copilot is genuinely useful. I'll say that upfront because a lot of IT writing about AI tools defaults to either breathless enthusiasm or dire warning, and this is going to be neither. It's a real productivity tool, and for professional services firms that live in Word, Outlook, and Teams, it's worth having.

But there's a conversation that needs to happen before you flip the switch, and most firms are skipping it.

Copilot works by surfacing information from across your Microsoft 365 tenant. When you ask it to summarize recent activity on a matter, draft a client email, or pull together notes from the last three meetings, it draws on emails, documents, Teams conversations, and calendar events. Essentially whatever it can reach given the permissions of the person asking.

That last part is the one to pay attention to. Given the permissions of the person asking.

If your SharePoint permissions have drifted — and at most small firms, they have — Copilot will surface whatever those permissions allow. If a paralegal technically has read access to a partner's client folder because someone shared it two years ago and nobody cleaned it up, Copilot doesn't know that was an accident. It will use that data. If an old employee account was never fully deprovisioned, or guest access was granted for a project two years ago and never removed, Copilot doesn't ask questions. It just answers them.

The tool respects your permissions model. The problem is that most firms' permissions model doesn't actually reflect their intentions.

This is why the technical prep matters before deployment, not after.

The first thing to audit is your SharePoint and OneDrive sharing state. In a lot of small firms, this has accumulated years of "share with anyone" links, folders that were opened up for a contractor and never closed, and documents sitting in places that made sense in 2019 but don't anymore. A Copilot readiness review — something we do as part of Athencia One Complete onboarding — starts here. What's shared, with whom, and does it still make sense.

The second is sensitivity labels. These are Microsoft Purview features that let you tag content as Confidential, Client Privileged, Internal Only, and so on. Labels travel with the document. They can enforce encryption and usage restrictions, and Copilot honors those protections when a user interacts with labeled content. For a law firm or an accounting practice, getting labels applied to your active matter files before Copilot goes live is the difference between a tool that helps and one that creates a compliance problem.

Microsoft has also started adding more targeted controls aimed at reducing accidental oversharing from SharePoint while you clean up the underlying permissions. They help, but they are not a substitute for fixing the permissions model itself.

The third is Entra ID access hygiene. Old accounts. Accounts for people who left. Service accounts with more permissions than they need. Guest access that was set up for a client portal demo and never removed. Copilot can surface information from across Microsoft 365 that the user already has permission to access, which is exactly why stale access and oversharing need attention before rollout. Running an access review before deployment closes the doors you forgot were open.

None of this is complicated in the way that enterprise security projects are complicated. It's detailed and it takes time, but it's not technically exotic. The harder part is that it requires someone to actually go through the tenant systematically rather than spot-checking.

The firms that get the most out of Copilot, and they do get a lot out of it, which we'll cover separately, are the ones that treated deployment as a reason to finally clean up their data governance. Not because Microsoft requires it, but because you don't want to discover that your permissions model has been wrong for three years via an awkward Copilot response in a client meeting.

If you're planning to roll out Copilot and want to know what your tenant actually looks like before you do, that's exactly the kind of assessment we run as part of onboarding. It's worth doing regardless of Copilot; the cleanup pays dividends across your whole M365 footprint. Copilot just makes it urgent.

Copilot is not the security problem. Copilot is the thing that reveals whether your permissions model already was one.

Let me tell you about a pattern I've seen more times than I can count.

A firm gets a new client portal, or a new matter management system, or a new whatever. The person who sets it up picks a password. Then, because it needs to be shared with two other people, they email it or text it. Then someone else joins the team and gets the password in a Slack message. Then the person who set it up originally leaves, and nobody changes it because nobody's entirely sure who else might be using it, and it's been a year and a half, and everything is fine.

This is how credentials work at a lot of small professional services firms. It's not malicious. It's just how things evolve when nobody's managing it.

If you buy the 80/20 view of SMB cybersecurity, most problems don't start with anything exotic. They start with credentials that are stolen, reused, shared too casually, or never cleaned up when someone leaves. The firm that got phished usually didn't lose data because it was singled out by a nation-state. It lost data because someone reused a password that had already been exposed somewhere else, and nobody had a system in place to catch it or contain it.

A password manager doesn't solve every problem. But it does address a category of risk that shows up again and again in real-world incidents, especially in smaller firms where credential sharing tends to happen informally.

1Password is the tool we include with Athencia One Complete, and I want to be specific about why.

The choice wasn't arbitrary. 1Password publishes its security model publicly, and its architecture is designed so that 1Password itself cannot read your vault contents. That matters when you're deciding whether to trust a third party with the keys to your firm. They go through regular third-party audits, and their security documentation is available for anyone who wants to review it before committing.

The other reason is the business features. 1Password Teams and Business give you actual administrative control. You can enforce policies, control vault access, monitor sign-in activity, and suspend or remove users cleanly when someone leaves the firm. That's a very different situation from passing passwords around in email, chat, or a shared spreadsheet.

The rollout question is usually where this conversation gets complicated.

For a 15-person firm, setup is straightforward. You create the organization account, invite the team, and let people migrate their saved credentials in at their own pace. The product is consumer-grade in terms of usability, so people figure it out on their own.

The harder part is the partner who's been doing it their way for 25 years and has strong opinions about new systems. I've met this person at almost every firm I've worked with. My advice, for what it's worth: don't try to convince them that their current approach is wrong. Show them that the new one is easier. Most resistance to password managers is about the perceived inconvenience, not actual principled objection. Once someone's used autofill for a week and realized they never have to remember the client portal password again, the argument usually ends.

The other thing that helps is starting with the shared accounts, otherwise known as the logins that belong to the firm rather than any individual. Practice management system, billing platform, the admin account for whatever cloud service. Get those in a Shared Vault in 1Password, get the right people access, and retire whatever the current credential-sharing method is. That's visible, immediate, and doesn't require anyone to change their personal habits yet.

There's one scenario worth being specific about, because it comes up.

When someone leaves the firm, you need to be able to revoke their access to everything. Not just their M365 account, but the vendor portals, the specialized tools, the accounts that were shared with them. If your current answer is "we change the passwords we remember they had access to," you're leaving gaps. 1Password's admin dashboard makes it auditable. You can see what they had access to, revoke their access centrally, and identify which shared credentials need to be changed. That's still work — removing someone from 1Password doesn't automatically update passwords on external systems — but it's auditable work instead of guesswork.

That matters. Departures are one of the most common moments when credential exposure happens, and it's almost never intentional. It's just that nobody got around to changing the passwords.

We include 1Password in Athencia One Complete because password management isn't a luxury item. At this point it's basic hygiene, the same way MFA is, the same way patching is. The cost of not having it doesn't usually show up until something goes wrong, which is exactly the kind of risk that's hard to take seriously until it isn't hypothetical anymore.

If you're an Athencia One Complete client and you haven't gotten your 1Password deployment set up yet, reach out. It takes less time than most firms expect, and the payoff starts immediately.

I've heard some version of this sentence in almost every initial conversation I've had with a small business owner: "IT isn't really a problem for us."

And I believe them. I do. They're not lying, and they're not being naive. They mean that nobody is calling them at 2am about a server, that email is working, that the team can log in every morning and get their work done. By any reasonable definition, things are fine.

The problem is that "fine" is doing a lot of work in that sentence.

Here's the number that tends to get people's attention: cyber incidents routinely turn into six-figure losses. Claims data shows that when recovery costs are involved, the average incident cost lands well into that range, before you even get to the operational fallout that follows. Those costs can include breach investigation, notification, legal expense, regulatory response, and the business interruption that comes with trying to put the pieces back together.

A serious breach can be existential for a small firm, not just because of the direct cost, but because the bill rarely arrives alone. It tends to come with downtime, client anxiety, cleanup work, and a reputational hit that shows up later in lost opportunities.

None of that is "fine."

The harder version of this conversation is the one that doesn't involve a breach at all.

Every hour a lawyer can't access a matter file because something broke is a billable hour that doesn't get billed. Every time someone works around a broken process by keeping client data in a personal Dropbox because the shared drive is a mess, using their personal email because the work account is acting up, or ignoring MFA prompts because they've been clicking through them for so long that it's become muscle memory, that's a security decision being made by someone who's just trying to get their work done.

Nobody means to create risk. But informal workarounds are where most small-firm exposure actually lives, and they accumulate invisibly precisely because things are "fine."

There's also a business continuity angle that gets less attention than it deserves.

When was the last time you checked whether your backups actually restore? Not whether the backup job says it completed, but whether you can actually get your data back, in a usable state, within a timeframe your firm could survive. A lot of businesses find out the answer to that question at the worst possible moment.

Similarly: if your one person who manages IT-adjacent things is out, who covers it? If Microsoft has an outage that takes down Teams and email for a day, what does your business actually do? These aren't edge cases. They're events that happen, and the firms that handle them well are the ones that thought about them before they happened.

I'm not making the case for anxiety. I'm making the case for visibility.

The firms that feel most confident about their IT aren't necessarily the ones spending the most on it. They're the ones that actually know what's running, who has access to what, whether their backups are valid, and what the status of their environment is at any given moment. They're not guessing. They're not hoping. They know.

That's the whole premise behind how we built Athencia One. Not to add more alerts to your day, but to give you a clear read on where things actually stand, so "IT is fine" means something specific, not just the absence of a crisis you happen to be aware of.

The cost of knowing is a lot lower than the cost of finding out.

I was reading something this week that I could not stop thinking about. A detailed investigation into a well-known compliance platform (the kind that promises SOC 2 certification in days, powered by AI, trusted by hundreds of companies). The investigation was thorough and the evidence was hard to argue with. The platform was generating audit report conclusions before any independent auditor had looked at anything. Policies described security controls that did not exist. Trust pages went live before a single piece of work was done. Clients ended up with clean reports that did not reflect their actual security posture, and in some cases they were unknowingly walking into regulatory exposure because of it.

I am not going to name the company. They published a response and the back-and-forth is already everywhere. What I will say is that reading it made me want to write down exactly how Athencia Comply is built and why, because the auditor independence question sits at the center of all of it.

Why the auditor independence rule exists

Here is the thing that gets blurred most often. A compliance certification is not just documentation. It is an attestation: a statement by a qualified, independent third party that they reviewed your controls, tested your evidence, and reached their own conclusion.

The auditor has to be independent. Not affiliated with whoever helped you build the controls. This is not a technicality or a bureaucratic formality. It is the entire mechanism that makes the certification mean anything to the people you are showing it to.

When the same platform that sells you a compliance program also supplies the auditor conclusions, or routes reports through firms that sign off without doing independent testing, you do not have a certification. You have a document with someone's signature on it.

The accounting profession has spent decades earning the credibility behind that signature. That credibility is what enterprise clients and regulators are relying on when they accept your SOC 2 report or your HIPAA attestation. When it is hollow, everyone loses.

What this meant for how I built Comply

When I was figuring out how Athencia Comply should work, the auditor independence question was the first thing I had to answer clearly.

Athencia is a managed IT company. We configure your Microsoft 365 environment, deploy your security stack through Athencia One Complete, write policies that reflect how your business actually operates, and organize the evidence an auditor will need. That is our lane and we are good at it.

We are not a CPA firm. We cannot issue a SOC 2 opinion. We do not have accreditation to certify ISO 27001. Those belong to independent auditors, and we refer clients to them when they are ready, with no financial stake in which firm they choose.

That separation was a deliberate choice. The value of what we build depends on it being real, and an independent auditor who verifies our work and reaches their own conclusion is the proof of that. It also means clients know exactly what they are getting. We are preparing you for an audit. The audit is a separate engagement with a separate party.

The three things compliance actually requires

I explain this the same way every time.

First, someone has to build and implement your security controls. MFA, device management, access policies, logging, encryption, incident response procedures. This is the actual security work, and it has to be done before an auditor shows up.

Second, someone has to collect and organize the evidence that the controls are working. Configuration exports, training records, access review logs, vendor agreements, policies. Organized and current, not assembled the week before the audit.

Third, an independent auditor has to review the evidence, do their own testing, and reach their own conclusions. Then they sign a report.

A compliance vendor can legitimately help with the first two. Nobody except an independent auditor can do the third. The problems start when that line gets blurred.

What to ask before you hire any compliance vendor

I put together a short checklist covering the questions I would ask any compliance vendor before signing. It is not long. It covers who actually does what, what the auditor relationship looks like, and how to tell if the policies you are getting actually match your environment.

If you are currently evaluating compliance software or a compliance MSP, or if you signed up for something and you are not entirely sure what you got, this checklist is worth running through.

Download the Compliance Vendor Checklist

It is free. No pitch after you download it. If you want to talk through what you find, feel free to book 15 minutes on my calendar.

Jeremy

Athencia Comply is a compliance readiness service for professional services firms. We build the controls, write the policies, collect the evidence, and prepare you for an independent audit. Learn more at athencia.com/athencia-comply.

There's a question I ask every prospective client during our first conversation, and the answers are almost always the same. I ask them to name every piece of software their team uses to do their jobs. Not just the obvious stuff — Microsoft 365, their practice management system — but everything. The e-signature tool. The client portal. The invoicing platform. The thing they're pretty sure accounting signed up for last year.

Most people can get to eight or ten. The actual number, once we dig in, is usually closer to twenty-five.

Every one of those is a door.

The cybersecurity conversation for small businesses has gotten a lot better over the last few years. Firms are taking MFA seriously. Password hygiene is improving. M365 security configurations that were being ignored in 2021 are getting attention now. That's all good.

What hasn't caught up is third-party risk; the idea that your security is only as strong as the weakest vendor you're quietly handing your data to.

Here's what I mean. In 2024, Change Healthcare — a company that processes roughly half of all U.S. medical claims — got hit with ransomware. The attackers didn't break through some exotic zero-day. They used stolen credentials to get into a Citrix portal that didn't have multi-factor authentication enabled. The downstream impact hit thousands of healthcare providers, including small practices that had never heard of Change Healthcare and had no idea they were exposed through it.

That's the pattern. A vendor you depend on, with security practices you've never reviewed, becomes the entry point into your world.

For professional services firms, the exposure is specific and serious. Think about what your vendors actually touch.

Your e-signature platform has copies of executed agreements, potentially including wire transfer instructions, property details, or confidential terms. Your cloud storage integrations have client documents. Your billing software has financials. Your scheduling tool, if it integrates with your calendar, has context about who you're meeting with and when.

None of that is hypothetical. Every category I just listed has seen a notable breach in the past two years.

The problem isn't that these tools are bad. Most of them are perfectly fine. The problem is that when a vendor gets hit, you don't get to opt out of the consequences just because the breach wasn't your fault. Your clients don't experience a distinction between "we got breached" and "our vendor got breached." The letter you have to send them looks the same either way.

So what do you actually do about it?

Start by building a real list. Not from memory. Review your credit card statements and your email to find every SaaS subscription, every app your team uses, every integration that touches client data. That inventory is the foundation of everything else.

Once you have the list, the questions get simpler. Does this vendor have a published security page or trust center? When did they last run a SOC 2 audit, and can you see the report? What happens to your data if you leave, or if they go under? Is MFA available, and is it enforced?

You're not doing a full vendor security assessment on every tool; that's not realistic for a 15-person firm. But the vendors that touch your most sensitive data deserve more than a blind trust relationship built on the fact that someone signed up for them three years ago.

The third thing is offboarding discipline. Vendor risk isn't just about the tools you're actively using. It's also about the tools you stopped using but forgot to deactivate. Former employees whose accounts still have access to a vendor portal you've been ignoring. An API integration that still has read access to your client list even though the contract ended eight months ago.

I'll be honest with you: this isn't the most exciting part of running a secure operation. It doesn't have the drama of endpoint protection or the urgency of an active phishing campaign. It's administrative, and it's tedious, and it's easy to defer.

But vendor risk is where a lot of firms are quietly exposed right now, because they secured their own environment while assuming someone else was securing theirs.

If you want to know where you actually stand, the vendor inventory and review process is something we work through with clients as part of ongoing management under Athencia One Complete, ensuring it gets done systematically rather than whenever someone remembers to think about it.

I've seen the aftermath of too many preventable incidents. Ransomware locking up an accounting system because someone clicked a link in an email that looked like it came from FedEx. A bookkeeper who wired $75,000 to what she thought was the vendor’s bank account, when in reality a business email compromise from a colleague allowed the attacker to swap in a new routing and account number. A former employee who still had admin access to the VPN and file server six months after they left because nobody remembered to revoke it.

None of these were sophisticated attacks. They were opportunistic, and they worked because the basics weren't covered.

You're Not Too Small to Be a Target

I hear this all the time. "We're just a 15-person firm, why would anyone come after us?" The answer is precisely because you're a 15-person firm. You have client data, banking credentials, and probably no dedicated security team. From an attacker's perspective, you're easier to hit than a Fortune 500 company and still worth the effort.

The goal here isn't to become Fort Knox. You just need to be harder to compromise than the next guy. Most attackers aren't persistent. They're scanning for easy wins. If you make it annoying enough, they'll move on.

Layers, Not Silver Bullets

I explain security to clients like a house. You've got locks on the doors to keep people out. You've got smoke detectors in case something goes wrong inside. And you've got insurance for when the worst happens anyway.

The first part is prevention: MFA, strong passwords, keeping your software updated, not clicking on sketchy links. Basic hygiene.

The second part is containment: if someone does get in, how do you limit the damage? That's where backups, access controls, and network segmentation come in. If your receptionist's laptop gets compromised, can the attacker pivot to your file server? They shouldn't be able to.

The third part is recovery: when something goes sideways, how fast can you get back to operational? Do you have a plan, or are you going to be figuring it out in the middle of a crisis?

None of this requires expensive tools. It requires thinking it through ahead of time.

Train Your People

Most security incidents start with a person, not a piece of code. Someone clicks a phishing link. Someone reuses their Netflix password for their work email. Someone shares credentials over Teams because it's faster than looking up the proper process.

The single best investment you can make is training your team to pause before they click with ongoing phishing simulations. Make it normal to ask "hey, is this email legit?" without feeling stupid. The culture shift costs almost nothing and prevents most of the stuff that actually happens to small businesses.

The Stuff You Actually Need to Do

I'm not going to give you a 47-point checklist. Here's what actually matters:

Turn on MFA everywhere. Email, banking, cloud apps, everything. This alone stops the majority of account takeovers.

Use a password manager. We use 1Password and include it in Athencia One Complete because it's dead simple and people actually use it. If your team is reusing passwords or keeping them in a spreadsheet, you're exposed.

Keep your software updated. I know updates are annoying. Automate them. Unpatched software is how a lot of ransomware gets in.

Encrypt your devices. Laptops get stolen. Phones get left in Ubers. If the drive is encrypted, losing the hardware is an inconvenience, not a breach.

That's it. Do those four things and you're ahead of most small businesses.

You Already Have Better Tools Than You Think

If you're on Microsoft 365, you're likely sitting on security features that most people never turn on. Defender, Conditional Access, Data Loss Prevention... it's all included, just not configured by default. I spend a lot of time helping clients flip those switches. It's one of the fastest ways to improve your security without spending another dollar.

I wrote a detailed post on the M365 Security Baseline a few weeks ago if you want the specifics.

Backups: The Thing Everyone Forgets Until They Need It

Here's something a lot of people don't realize: Microsoft and Google are not backing up your data in the way you think they are. They'll keep their infrastructure running, sure. But if you accidentally delete a folder, or ransomware encrypts your files, or a former employee wipes their mailbox on the way out, that's on you.

You need independent backups. Something that runs automatically, stores copies offsite, and that you've actually tested restoring from. A backup you've never tested is just a hope.

Have a Plan Before You Need One

At some point, something will go wrong. Maybe it's minor, maybe it's not. But if you're figuring out who to call and what to do in the middle of an incident, you've already lost valuable time.

Write down the basics: who gets notified, how do you isolate an affected system, when do you call your IT provider or your insurance carrier, what do you tell clients if their data might be involved. You don't need a 50-page document. A one-pager that everyone knows exists is better than a binder nobody has read.

The Point of All This

Security doesn't have to be scary or complicated. It's really just about not being an easy target. Cover the basics, train your people, and have a plan for when things go sideways.

Most attackers are lazy. Don't make it easy for them.

This post is part of a series on the five pillars of SMB IT success: Foundation, Security, Productivity, Growth, and Governance. It's based on concepts from my book, The SMB IT Playbook.

If you want a partner who actually looks at the whole picture, Athencia One combines visibility with protection so you're not left guessing.

I've spent the past few months rebuilding how Athencia works. The pricing, the positioning, the website. Here's what changed and why.

Who we're for

Small and mid-sized businesses. We work with SMBs across industries, but we specialize in professional services: law firms, accountants, consultancies, healthcare practices, and architecture firms. Places where security and reliability aren't optional.

If you have 5 to 75 people and you're tired of wondering whether your IT is okay, we built this for you.

What we offer now

Two options, both built on the same security stack:

Athencia One costs $45-55/user/month depending on team size. You get the full security and monitoring stack: Microsoft 365 Business Premium, Huntress (EDR, ITDR, SAT, SIEM), Dropsuite backup, and access to the Athencia One portal. Labor is billed separately when you need it.

Athencia One Complete costs $159-199/user/month. Everything in Athencia One, plus unlimited support. We run your IT so you don't have to. Projects are still billed separately, but day-to-day operations, user management, patching, vendor coordination are all included.

The old pricing was higher. I looked at what other IT services firms charge in Seattle, did the math, and brought it down. No gimmicks.

The Athencia One portal

I've been building this for a while. It's a dashboard that shows you the health of your IT environment in plain English. Seven indicators, traffic-light style. Green means good. Yellow means check on it. Red means let's talk.

No digging through multiple admin consoles. No wondering if your backups are running or your security tools are actually doing anything.

It's live in beta at athencia.one and is included free of charge for all Athencia One clients.

The new website

Rebuilt from scratch. Clearer messaging, better structure. Same principles.

athencia.com

If you're already a client

Nothing changes unexpectedly. If you're on an existing agreement, we'll honor it. If the new pricing works better for you, we'll move you over. Reach out and we'll sort it out.

If you've been thinking about working with us

Now's a good time. The offering is tighter, the pricing is fairer, and I'm taking on new clients.

Book a call or reply to this email.

Jeremy

A few years back, I walked into a new client's datacenter after they'd laid off their internal IT team. What I found wasn't really a datacenter anymore. It had become a storage closet for technology. Servers, switches, cables, boxes of equipment, all stacked and forgotten.

They had an outside firm handling IT support, but that firm operated in pure break-fix mode: they did exactly what was asked and nothing more. Nobody was looking at the whole picture, so the result was a mishmash of patching configurations, inconsistent software setups, and zero visibility into what the business actually owned.

As we started digging through it, a pattern emerged. Instead of checking whether they already had usable hardware, employees had simply bought new hardware. Over and over. Nobody knew what they had, so they assumed they had nothing.

By the time we finished the inventory, we'd identified what was easily six figures worth of equipment sitting unused.

They weren't negligent. They weren't careless. They just couldn't see what they had.

The Four Questions

Most SMB owners I work with can't answer four basic questions about their own technology:

1. How many devices do we actually have?

2. Who has access to what?

3. What software are we paying for each month?

4. Where does our critical data live?

If you can't answer those right now, don't worry about it. You're in good company.

IT usually starts as a side quest. A few laptops, a domain name, email setup, and you're off to the races. It's only later, when the team grows and systems multiply, that the patchwork stops holding together. The problem isn't that you don't care. It's that nobody forced you to look until something broke.

Visibility Is the Foundation

There's a common misconception that solid IT infrastructure needs to be complicated. Enterprise-grade, filled with jargon, maintained by someone with six certifications and a caffeine dependency. In reality, most SMBs need the opposite.

Complexity doesn't make systems stronger. It makes them fragile. The more moving parts you add, the more things can break. The more bespoke your setup, the harder it is to maintain. The goal isn't to impress anyone with your tech stack. It's to build something that runs quietly and doesn't create unnecessary drama.

But you can't simplify what you can't see, and you can't manage what you don't know you have.

That's why visibility is the foundation everything else gets built on. Security decisions, budget planning, vendor negotiations, growth planning... all of it depends on knowing what's actually in your environment.

Start Simple

You don't need a fancy tool to get started. You need a list.

An IT inventory can be as simple as a spreadsheet. Track your devices (every laptop, desktop, server, phone, and tablet) along with who uses it, when it was purchased, and whether it's still under warranty. Document who has accounts on which systems and who has admin rights, and when someone last reviewed that. List every piece of software you're paying for monthly or annually, including the cost, renewal date, and whether anyone's actually using it. And know where your critical data lives, whether that's customer records, financial data, or intellectual property, and whether it's backed up in a way you could actually recover from.

This isn't glamorous work. But it's the kind of work that keeps you from paying thousands for hardware and software you don’t need.

The Payoff

Once you can see your environment, you can manage it. Once you can manage it, you can simplify it.

I've spent 30 years helping businesses get to the point where they don't have to think about their IT anymore because it just works. The ones who get there fastest aren't the ones with the biggest budgets. They're the ones willing to look honestly at what they have and build from there.

The inventory isn't the exciting part. But it's where everything else starts.

This post is part of a series on the five pillars of SMB IT success: Foundation, Security, Productivity, Growth, and Governance. It's based on concepts from my book, The SMB IT Playbook.

If you want visibility into your IT environment without the guesswork, Athencia One gives you a clear, real-time view of your technology health.

A lot of firms want to use AI tools this year. Copilot in Microsoft 365. ChatGPT. Small, focused assistants built into the software you already have. The interest is there. The pressure is there. The potential is real.

But professional services firms have a unique problem: your entire business sits on a foundation of confidentiality and trust. You cannot treat AI adoption the same way a startup or a marketing agency might. You operate in a world where one bad decision with client data has real consequences.

The goal isn’t to avoid these tools. It’s to use them responsibly and predictably, with clear boundaries that match the way your firm works.

This is a practical starter pack to help you do that.

Start with a simple idea: AI isn’t the risk, your data handling is

Most of the fear around AI comes from not knowing where data goes or how it’s used. But the truth is simpler. AI tools are only as risky as the access you allow and the context you give them.

If someone can paste a client document into a public AI tool, that’s not an AI problem. It’s a data governance problem.

If Copilot can reach sensitive files it shouldn’t have access to, that’s not an AI problem. It’s an access control problem.

Good AI governance begins with the same fundamentals every firm should already have in place:

• Clear access boundaries

• Strong identity controls

• Basic data classification

• A predictable file structure

• People who understand what “confidential” actually means

AI doesn’t erase any of that. It just exposes it.

Understand the two types of AI you’re dealing with

Most firms will touch two broad categories of tools.

1. Public AI (ChatGPT, Gemini, Claude, etc.)

These are general-purpose tools. Useful. Powerful. Not tied to your data unless you intentionally put it there. The risk comes from people copying and pasting client information into these tools without thinking.

Your policy here should be simple:

• No client data

• No confidential firm information

• No internal documents

• No “just to check something quickly” exceptions

If someone wouldn’t email that information to a stranger, they shouldn’t paste it into a public AI tool.

2. Enterprise AI (Copilot for Microsoft 365)

This is different. It runs inside your tenant and respects your existing permissions. If someone doesn’t have access to a document, Copilot can’t see it either.

This makes it much safer for day-to-day work, but it also brings a new requirement: your permissions need to be correct. Sloppy access models lead to sloppy AI output.

Before turning on Copilot, firms should clean up:

• Overshared SharePoint sites

• Old “everyone in the company” links

• Personal OneDrives full of client material

• Teams channels with unclear ownership

• Legacy folders carried forward out of convenience

Copilot magnifies whatever structure you already have. If your tenant is organized, it performs incredibly well. If it’s not, it reflects that too.

Set boundaries people can understand and actually follow

AI governance doesn’t need to be a 20-page document. Start with a one-page guide that covers:

What people can use AI for

• Drafting

• Summarizing

• Brainstorming

• Rewriting

• Simplifying internal explanations

What they cannot use AI for

• Client documents

• Matter-specific information

• Financials

• Sensitive personal data

• Anything bound by a confidentiality agreement

• Anything that identifies a specific client situation

What to do instead

• Use templates

• Use internal examples

• Strip identifiable details

• Ask a colleague before asking a model

Clarity beats perfection. People will follow simple rules, and if you’re an Athencia One client, we’re happy to help you draft them.

Tie AI use back to your existing confidentiality obligations

Professional services firms already have standards:

• Engagement letters

• Ethical rules

• Regulatory requirements

• Client confidentiality clauses

• Cyber insurance controls

Your AI standards should map directly to those. You’re not inventing new expectations. You’re applying old ones to a new tool.

A good way to explain it is this:

“Use AI the same way you would use a contractor you don’t know yet. Helpful, but not someone you give sensitive client information to.”

Put yourself in a defensible position

If a client or insurer asks about AI use, they’re not looking for perfection. They’re looking for evidence that you’ve thought about the issue.

Have these things ready:

• A short AI policy

• A list of approved tools

• A list of disallowed tools

• A basic explanation of how Copilot or ChatGPT handles data

• A record of staff training or acknowledgement

• Confirmation that confidential data isn’t sent to public AI tools

• Confirmation that enterprise AI respects existing permissions

• A short internal FAQ answering common questions

When firms can show this level of preparation, the conversation becomes much easier.

Monitor the environment the same way you already should

Nothing about AI replaces the need for basic monitoring. If anything, it makes it more important.

You still need:

• Strong identity controls

• MFA everywhere

• Conditional Access

• Clear device policies

• Proper access reviews

• A reliable offboarding process

• A 24/7 SOC to catch the things you don’t see

AI doesn’t introduce new risks so much as it sharpens the ones already in your system. A mature monitoring posture fills in the gaps.

Start small, move steadily, and keep people in the loop

You don’t need a grand rollout. The best path looks like this:

1. Publish a simple policy

2. Approve a small set of tools

3. Train your people on how to use them

4. Start with low-risk use cases

5. Tighten access and structure as you learn

6. Add new capabilities when the firm is ready

Your goal is steady, confident progress. Not a big-bang announcement.

The bottom line

Professional services firms can safely adopt AI. Many should. The work these tools can automate will free teams for the higher-value parts of your practice.

The key is structure. Clear boundaries. A predictable framework. And a culture where people understand both the promise and the responsibility.

That is what AI governance looks like at this stage. It’s not complicated. It’s not dramatic. It’s simply part of running a modern firm.

The start of a new year always brings a small pause. Not the dramatic kind, just enough space to look at what worked, what didn’t, and what deserves more attention than it got.

For a lot of professional services firms, 2025 was a year of juggling. More clients. More expectations. More tools. More noise. Most teams did well, but many also felt the strain of systems that weren’t quite keeping up.

My hope for you in the new year is simple: more clarity, fewer surprises, and a technology environment that quietly supports the work instead of competing with it.

If the last few years taught us anything, it’s that firms don’t need more complexity. They need consistency. Clean systems. Clear boundaries. A predictable foundation. These things rarely make headlines, but they make the day-to-day experience of running a firm noticeably better.

In 2026, Athencia will keep focusing on that kind of work. Practical improvements. Stronger security. Smoother operations. Better alignment between how your people work and the tools they use. Nothing dramatic. Just steady progress that makes the firm more resilient and easier to run.

Thank you for reading, for sharing feedback, and for trusting us to help you make sense of a world that changes faster than anyone would like to admit. I’m looking forward to what we build together this year.

Here’s to a good start and a better rhythm ahead. Happy New Year!

Cheers,

Jeremy Phillips
Founder & CEO

As we head into the holidays, here’s hoping your season is filled with rest, good company, and as few security alerts as humanly possible.

Professional-services firms earn trust all year long and this time of year is a reminder of why it matters: clients rely on you even when the office lights dim and the inbox quiets.

Here’s to a safe, peaceful, and recharging holiday season.

Happy Holidays from Athencia

Most professional services firms run their world on Microsoft 365 now. Email, documents, meetings, calendars, client files. It is the closest thing you have to an operating system for the firm.

The problem is that many tenants are still in the state they were the day someone first clicked “Next” during setup. A few things turned on, a few things ignored, and then everyone got busy and moved on.

If you hold client data, that is not good enough anymore.

You do not need to turn every knob Microsoft gives you. You do need a clear baseline. A set of non-negotiables that keep people productive and keep your risk where it belongs.

This is what that baseline looks like for a 10-to-100-person professional services firm.

What “good enough” actually means

A secure Microsoft 365 environment for a firm like yours is not perfect. It is consistent.

At a minimum, it should:

• Protect accounts even if passwords are stolen

• Protect firm data on laptops and phones, including personal devices

• Limit what happens if one account is compromised

• Make offboarding clean and predictable

• Give you basic visibility into what is happening

If your current setup cannot honestly claim those things, you have work to do. The good news is that most of it is configuration, not buying more tools.

1. Identity first: accounts, MFA and sign in rules

If someone can log in as you, nothing else matters.

Start here.

Use one account per person

Every person should have:

• One named account

• The right license

• A role that matches their job

Shared mailboxes are fine. Shared user accounts are not.

Enforce multi factor authentication for everyone

Not “everyone except partners” or “everyone except the one legacy thing.” Everyone.

Use:

• Authenticator app or hardware keys where possible

• SMS only as a last resort

Turn on “number matching” in the authenticator so people cannot just blindly tap “Approve.”

Use Conditional Access to set basic sign in rules

You do not need to start with 20 policies. Start with a few clear ones, such as:

• Block sign ins from countries where you have no staff or clients

• Require MFA on any risky sign in

• Require compliant or protected devices for sensitive apps

The goal is simple. Good users get through with a small amount of friction. Suspicious activity gets slowed down or stopped.

2. Devices: keep firm data safe on laptops and phones

Most of the risk in a firm lives on devices. Lost laptops. Personal phones. Old machines that never get updates.

You cannot fix that with a memo. You fix it with policy and tooling.

Manage firm owned devices

If the device is owned by the firm, you should:

• Enroll it in Intune or your management tool of choice

• Require disk encryption

• Push regular updates

• Standardize basic settings

People should not be local admins by default. If they need admin rights, grant them in a controlled way.

Use app protection on personal devices

If you allow BYOD, do not try to manage the whole phone. Protect the apps that hold firm data.

For example:

• Require a PIN or biometric to open Outlook and other work apps

• Block saving work files to personal storage

• Block copy and paste from work apps into personal apps

• Be able to wipe firm data from those apps without touching personal content

This is how you protect client information without creeping into people’s private lives.

Require screen locks and encryption

This is simple but often missed.

• All laptops and phones that access firm data must have a PIN or password

• Laptops must be encrypted

• Devices that do not meet these rules should not be allowed to connect to firm data

Write it down in a short BYOD and device policy. Then enforce it with technology.

3. Data: keep client information from leaking out

Professional services firms live and die by how they handle client information. In Microsoft 365, that mostly means email, OneDrive and SharePoint.

Standardize where client data lives

Make some decisions:

• Use SharePoint sites and Teams for client and matter folders

• Use OneDrive for personal work in progress

• Do not store firm data in random personal storage accounts

If you do not decide this, everyone will make their own decision and you will end up with files everywhere.

Turn on basic Data Loss Prevention

You do not need to start with heavy classification projects.

Start with a small number of simple rules, for example:

• Alert or block when someone tries to email sensitive information outside the firm

• Alert when large volumes of data are downloaded or shared externally

• Monitor external sharing links, and set sensible expiration defaults

You want guardrails, not constant noise. Tune the rules over time.

Use retention and legal hold where it matters

Some information should be kept for a defined period. Some should be removable quickly. Some may need legal hold.

Use retention policies to:

• Keep email and documents long enough to meet your legal and client obligations

• Avoid keeping everything forever by default

Again, this does not have to be complex. Start with a small number of clear rules.

4. Email: raise the bar for attackers

Email is still where a lot of incidents start, especially for firms whose entire client relationship runs through it.

You will get phished. You will get spoofed. You will have staff who are tired and in a hurry.

Your job is to give them better default protection and make sure someone is watching the environment when things slip through.

Key elements:

• Enforce MFA for everyone

• Turn on the recommended phishing and malware protections in Exchange Online

• Use Safe Links and Safe Attachments if your license supports them

• Publish and correctly configure SPF, DKIM and DMARC for your domains

• Train people regularly on how to report suspicious messages

• Make sure you have real monitoring in place, ideally a 24/7 SOC that can respond when an alert is more than just noise

None of this will stop every attack. It will push most of them away or blunt the impact. The SOC piece simply closes the gap between a good configuration and a fast response when something slips past it.

5. Access and offboarding: control who has what

Firms are very good at getting new people access to things. They are less consistent about taking that access away.

This is where a lot of hidden risk lives.

Use groups for access, not individual assignments

Set up groups that map to roles. For example:

• Partners

• Associates

• Finance

• Operations

• External contractors

Assign permissions to the group. Add or remove people from groups as their role changes. This keeps your access model understandable.

Have a clear offboarding checklist

When someone leaves:

• Disable their sign in

• Remove their licenses when appropriate

• Transfer their OneDrive content to a manager or archive

• Turn their mailbox into a shared mailbox and give their manager access to it

• Remove them from all groups

• Reassign any shared mailboxes or calendar access

Do this the same way every time. This is one of the simplest and most effective controls you can put in place.

6. Monitoring and visibility: know what is happening

You do not need an in-house security operations center, but you do need some level of awareness.

At a minimum:

• Turn on unified audit logging

• Review sign in risk and security alerts regularly, or have a managed provider do it

• Check Secure Score and use it as a guide, not a scoreboard

If you work with an MSP or security partner, be clear about who is watching what, how often, how they will contact you if something needs attention, and what proactive actions they’ll take on your behalf if they see a security incident in action.

7. A simple way to start

If this feels like a lot, break it into stages.

For example:

Month 1

• Enforce MFA

• Clean up user accounts

• Start using groups for access

Month 2

• Enroll firm owned devices

• Turn on basic app protection for mobile

• Require screen locks and encryption

Month 3

• Standardize where client data lives

• Turn on a small set of DLP and email protection rules

• Document and tighten your offboarding process

You do not have to do everything at once. You do have to start.

The payoff

A good Microsoft 365 baseline does not feel dramatic. The ideal outcome is that nothing exciting happens.

You do not see strange logins from eastern Europe at midnight.
You do not spend a week recovering from a lost laptop.
You do not discover that someone who left six months ago still has access to client folders.

People log in. They do their work. Systems behave in predictable ways. You sleep a little better.

That is what a baseline is for. It is not decoration. It is the floor you refuse to fall through.

If you want help getting your firm to that floor, that is the kind of work we do every day at Athencia.

Spend enough time around firm owners, managing partners, and admins, and you hear the same sentence over and over:

It’s a fair question. It’s also the wrong one.

The right question—the one professional services firms hate asking because they already know the answer—is this:

Because in a professional services firm, your client data is the business.

You’re not being targeted because you’re famous, you’re being targeted because you’re trusted.

Let’s unpack that.

Professional Services: The Softest Target With the Most Valuable Data

Cybercriminals aren’t romantic. They’re not looking for prestige points or bragging rights. They follow the same incentives every business does:

• High value

• Low resistance

• Predictable return

Professional services check all three boxes:

1. Your client data is extremely valuable

Law firms have confidential matters.
CPAs hold tax records and financials.
Consultants have strategy decks and client IP.
Wealth firms have PII, account details, and statements.

This isn’t “kinda sensitive.”
This is “extortion-grade” material.

2. You look secure from the outside, but often aren’t

You’ve got Microsoft 365, a VPN, maybe a firewall, maybe MFA on email.

That feels secure.

Meanwhile:

• Legacy file systems live behind weak passwords

• Sensitive docs sit in personal Dropbox or Google Drive

• Partners use the same password for everything

• Staff access client data from personal devices

• Shared mailboxes have no auditing

• MFA is “encouraged,” not enforced

This is normal in 10–75 person firms and it’s also low-hanging fruit for attackers.

3. Your people are busy and predictable

Busy, billable humans follow patterns:

• Checking email late at night

• Approving invoices on mobile

• Reusing passwords

• Forwarding files to personal email “just this once”

• Clicking a link from “the partner who always emails last-minute”

Attackers love patterns.

The Myth of “We’re Too Small to Matter”

Let’s clear this up:
Attackers don’t target companies.
They target conditions.

And professional services firms naturally create the conditions that attackers automate against:

• Lots of email

• Lots of documents

• Lots of client communication

• Lots of urgency

• Lots of trust

• Not a lot of IT staffing

From an attacker’s perspective, you’re not a boutique consulting firm. You’re a funnel of sensitive client data guarded by exhausted people and incomplete controls.

It's not personal. It’s just math.

The Attack Scenarios That Actually Happen (Not the Hollywood Ones)

Here are three scenarios we see in the wild constantly—not theoretical, not exaggerated, just the everyday threats professional services firms face.

Scenario 1: The Distinguished Partner With the Weak Phone PIN

A partner loses their phone in an Uber.
It unlocks with a 4-digit code.
Outlook opens automatically.
Client matters, financials, contracts—wide open.

You’re now legally required to report a breach.

All because of a 4-digit number.

Scenario 2: The “Can You Approve This?” Email

An attacker gains access to a client’s compromised mailbox.

They send a believable request to your senior associate:

“Need this wire approved before close of business. Can you confirm?”

The associate, deep in client work, clicks. The associate’s credentials are successfully harvested. Your mailbox is now part of the attacker’s toolset.

Scenario 3: The Offboarded Employee With a Sync Folder

Someone leaves the firm.

No one wipes their OneDrive sync folder.

Six months later, they still have:

• Client data

• Drafts

• Emails

• Attorney–client communications

• Board decks

• Tax filings

• Financial statements

All sitting quietly on a personal laptop next to Netflix and photos of the dog.

No amount of policy language fixes this.

The Real Cost: The Phone Call You Never Want to Make

Here’s the uncomfortable truth:
When a professional services firm is breached, the damage isn’t the ransom or the cleanup.

It’s the conversation where you call a client and say:

That call isn’t about technology, it’s about trust.

And trust is your entire business.

The Good News: The Bar for ‘Secure Enough’ Is Clear and Achievable

This is where most firms underestimate themselves.

You don’t need:

❌ A massive IT department
❌ A CISO
❌ A six-figure stack of enterprise tools
❌ An army of engineers

You need:

1. Identity protection (MFA, Conditional Access)

Stop attackers from logging in, even with the right password.

2. Device boundaries (BYOD done right)

Protect firm data without touching personal data.

3. A Microsoft 365 baseline

The settings your tenant should never go without.

4. Basic compliance alignment

HIPAA/GLBA/SEC isn’t “for big companies.”
It’s for anyone holding sensitive client data.

5. Real offboarding controls

Remove firm data immediately when someone leaves.

6. Someone watching the alerts

A managed SOC so you’re not the one responding at 2:14am.

None of this is exotic; it’s all very achievable for a 10–100 person firm with the right structure.

The Security Equation for Professional Services

If you want to understand why you’re a target, boil it down to this:

High-value data × Busy people ÷ Limited IT = Prime target

That’s it.

That’s the formula.

And the firms that understand this early get ahead of the risk, while the firms that don’t… eventually learn the hard way.

You don’t need to be perfect. You just need to be better than the average firm.

No attacker wants to spend days breaking into a well-configured Microsoft tenant with MFA, device boundaries, and real alerting… when the firm down the street still uses Outlook 2016 with no MFA and “PasswordSpring2024!” as a shared credential.

Security isn’t a contest. But if it were, you only need to avoid being the easiest opponent.

If you want help getting there, we do this all day.

You don’t need a security department. You don’t need more tools.

You need a repeatable security foundation built for professional services firms.

If you want us to build that with you, just say the word.

Over the years I’ve seen the same patterns repeat. Too many tools. Too much noise. Systems that don’t quite fit together. Security gaps that hide in the corners. Good people forced to work around the limitations of what they have. None of this is because firms don’t care. It’s because no one has ever handed them a simple, complete picture of what “good IT” actually looks like for a small or midsized organization.

So I wrote one.

Today I’m releasing The SMB IT Playbook. It’s a practical guide to building a stable, secure and scalable technology foundation without pretending you’re a Fortune 500 company. For now, it’s free for Athencia Insights subscribers. Simply subscribe to Athencia Insights and you’ll receive a link directly to the PDF

Why this book exists

Growing firms eventually hit a point where technology decisions stop being about “what’s cheapest” or “what’s available” and start being about “what will support the next stage of the business.” Some get there early. Others get pushed there by an outage, a security scare or a compliance requirement. Either way, the questions become bigger and the stakes get higher.

This book lays out a simple model for understanding your environment and making decisions that hold up over time. It’s not technical for the sake of being technical. It’s focused on clarity, structure and helping leaders see the whole system instead of isolated problems.

What’s inside

The book is organized around five areas that shape every firm’s technology posture.

1. Foundation

The basic systems that everything else depends on. How to create stability, reduce surprises and keep your environment from becoming a patchwork of half-finished ideas.

2. Security

A clear view of the real risks facing small and midsized organizations and the controls that actually matter. No theatrics. Just the essentials that protect client data and keep you out of trouble.

3. Productivity

How to reduce tool sprawl, simplify workflows and help people do their best work without fighting the system. This is where small improvements have an outsized impact.

4. Growth Enablement

How to use technology to scale without chaos. Things like automation, standardization and visibility. The parts of IT that support growth instead of reacting to it.

5. Governance

The structure that keeps your environment predictable. Who makes decisions. How technology is evaluated. How you maintain order as the firm expands or roles change.

Each section is practical and directly applicable to a 10-to-100-person firm. Nothing theoretical. Nothing written for enterprise audiences. Just a clear path forward.

Who it’s for

Owners, partners, operations leaders and firm administrators who want their technology to support the business instead of distracting from it. People who are tired of chasing problems and want a framework that makes sense. Anyone who feels like the firm has outgrown the way IT used to work.

If that’s you, this book will help.

Get your copy

The book is available now for purchase on Amazon and free for Athencia Insights subscribers.

Want your free copy? Simply subscribe to Athencia Insights and you’ll receive a link directly to the PDF.

As you load up your plate this Thanksgiving, remember client trust is like cranberry sauce: once spilled, it stains everything.

Secure your data, secure your reputation.

Happy Thanksgiving from Athencia!

Professional services firms don’t compete on infrastructure. They compete on judgment, discretion, and trust. Clients hand over their strategies, financials, disputes, vulnerabilities, and future plans with the expectation that you will protect them as if they were your own.

Anthropic’s latest report on AI-enabled espionage makes one thing clear: that trust model is now under direct pressure and the threat isn’t just faster phishing or better malware. It’s autonomous AI systems running reconnaissance, moving laterally, harvesting data, and shaping extortion paths without requiring a skilled human operator behind them. This is a structural change in how attacks happen and who is capable of launching them, and professional services firms sit directly in the blast radius.

1. Why This Changes the Equation for Professional Services Firms

AI collapses the expertise barrier

What once required technical skill now requires almost none. AI systems can walk inexperienced actors through the steps of an intrusion: identifying weak points, probing shared drives, analyzing file structures, and staging exfiltration. Basically, if an attacker can ask a question, they can attempt an intrusion.

Automation turns one attacker into many

A single operator can now run multiple tailored attacks in parallel. These aren’t broad, noisy campaigns. They’re quiet, adaptive, and persistent, designed to find specific footholds inside high-value environments like law firms, consultancies, and accounting practices.

Decision-making is shifting from people to models

Anthropic’s analysis showed AI agents selecting targets, choosing which client files to steal, and determining what extortion strategy to pursue. When decision-making is automated, the speed of an attack is no longer limited by a human’s capacity to act.

Your exposure is multiplied by every client you represent

A breach inside a professional services firm doesn’t stop at the firm. It cascades through client portfolios: M&A materials, litigation strategy, audit workpapers, tax positions, investment memos, deal rooms, HR cases. One compromise becomes many, which is the real scale risk.

2. What This Means for Firm Leadership

The implications for partners, managing directors, COOs, and CIOs are direct:

Your firm is now a proxy target

Attackers don’t need to go after your clients if they can steal the same data from you — concentrated, organized, and already labeled.

Incident timelines are compressing

AI-driven intrusions unfold in minutes, not days. If your response processes assume human-paced attacks, they’re already outdated.

Shadow AI is already inside the firm

Professionals adopt tools that help them move faster. That includes AI assistants and agents, often used informally without governance, and sometimes with client data.
This is becoming one of the largest blind spots in the industry.

Clients will require new levels of transparency

Soon, they’ll ask:

• Which AI tools interact with our data?

• How is AI governed inside your workflows?

• What safeguards prevent unauthorized agentic behavior?

Firms that can’t answer confidently and consistently will see trust erode.

3. The Operational Weak Points Unique to Professional Services

Professional services environments create a specific kind of exposure:

Communication platforms filled with sensitive detail

Partners and teams use Slack, Teams, and email freely. AI agents can analyze, scrape, and pattern-match across all of it.

Attachment-driven workflows

Matter files, drafts, briefs, models, diligence packets are moving constantly via email and shared drives. Predictable surfaces. Easy for automated reconnaissance.

Client work structured across shared folders

Engagement drives and project workspaces give attackers both structure and hierarchy that gives AI exactly what it needs to navigate.

Vendor sprawl across the tech stack

Document automation, research tools, contract analytics, managed IT, cloud storage.
Each vendor is a potential point of leverage for automated intrusion.

High-velocity, deadline-driven work

When timelines shrink, security takes shortcuts. Attackers depend on this.

Professional services firms sit at the intersection of high-value data and complex, people-driven workflows that allow AI-enabled attackers to thrive.

4. What Firms Need to Do Differently Starting Now

1. Build transparency around AI use

Clients will expect clarity on:

• which models you use

• how they interact with their data

• who governs access and behavior

This is quickly moving from “nice to have” to contractual obligation.

2. Strengthen internal AI governance

Assume your teams are already using AI tools. The priority is controlling how they are used and which tools are used, not pretending they aren’t.

3. Bring AI into your defense, not just your workflows

AI-assisted attacks can’t be countered with manual detection; defense needs to match offense in speed and automation.

4. Treat governance as a security control

People follow process when the process is clear, predictable, and reinforced. Inconsistent governance is now a material security risk.

5. What Leaders Can Do This Weekend

If you want to reduce exposure immediately, start here:

1. Identify every touchpoint where AI interacts with client data

Formal and informal. Policy-approved or not.

2. Run a short tabletop: “AI breach of a client file”

Test your detection, escalation, communication, and containment paths.

3. Audit how client data is segmented

Shared drives and legacy folder structures create easy pathways for automated reconnaissance. Consider tools like Microsoft Purview or Concentric AI to automatically classify data and then establish clear segmentation wherever possible.

4. Review your AI-enabled vendor stack

Ask direct questions about agentic behavior, model governance, and logging.

5. Brief your top-tier clients

Proactivity builds trust: “We are strengthening your data protection in light of new AI-driven threat models.”

6. Commission an AI-agentic risk assessment

Against recon, internal navigation, and exfiltration workflows — not just perimeter scanning.

6. Closing Thought for Firm Leaders

AI-enabled attackers don’t need more skill or more people. They need more compute, and they already have it.

The firms that adapt early will differentiate themselves not just through security, but through trust while those who wait will be defined by their incidents, not their expertise.

For anyone who wants to review the underlying analysis:
https://www.anthropic.com/news/disrupting-AI-espionage?utm_source=insights.athencia.com

Look, most professional services firms aren’t handing out laptops and phones like it’s Google onboarding day. People bring their own devices. They work from home, the hotel lobby, the carpool line, the airport café, and the client’s conference room. It’s the real world.

And that real world collides, hard, with the expectations of client confidentiality, compliance, and cyber insurance. Your staff’s iPhones now hold client emails. Their laptops sync files. Their iPads get meeting invites. Whether you like it or not, your firm’s data is already living on personal hardware you don’t control.

The good news? You can protect firm data without invading anyone’s privacy, spying on their photos, or turning your workplace into a digital TSA line.

Let’s walk through how.

The Real Concern Isn’t the Device — It’s the Data

Partners and admins worry about personal devices because of one thing:

“If someone loses their phone, could a stranger open Outlook and download our entire client history?”

That’s the nightmare scenario. But the nightmare doesn’t come from the device—people lose devices all the time. It comes from unprotected access:

• No passcode

• Auto-login email apps

• No ability to wipe business data

• Zero separation between “work stuff” and “my stuff”

Professional services firms carry client financials, contracts, PII, health information, audit deliverables, investment docs, and plenty of “please don’t ever leak this” material.

We can’t rely on good intentions or a sternly written employee handbook, which means we need guardrails.

What Employees Fear (and Why You Need to Address It Early)

If you roll out a BYOD policy the wrong way, people assume the worst:

• “Can you see my photos?”

• “Are you tracking my location?”

• “Are you monitoring my texts?”

• “Can you snoop through my apps?”

• “If I leave, are you going to nuke my phone?”

This anxiety kills adoption.

A modern BYOD program needs one thing above everything else:

Transparency.

Tell people exactly what the firm can and can’t see.

Spoiler: With the right setup, you can’t see anything personal.

And you shouldn’t want to.

How to Do BYOD the Right Way (Without Being Creepy)

Here’s the model that works repeatedly for 10–100 person professional services firms.

1. Use “App Protection” Instead of “Device Control”

This is the part most firms get wrong.

You don’t need to manage the entire device, you just need to protect firm data inside specific apps, mostly:

• Outlook

• Teams

• OneDrive

• SharePoint

• Office apps (Word, Excel, PowerPoint)

• A few collaboration tools you rely on

With Microsoft 365, App Protection Policies let you:

• Require a PIN just for firm apps

• Block copy/paste into personal apps

• Disable saving work files into personal storage

• Remotely wipe only work data if the person leaves or loses their device

Their photos, texts, apps, and browser history remain untouched, exactly how it should be.

2. Require MFA and a Screen Lock (Yes, Really)

This is the bottom of the bottom of the bare minimum:

• Phone must have a passcode/FaceID

• MFA is non-negotiable

• Outlook login shouldn’t be a permanent open door

Your client’s attorney, accountant, auditor, or advisor losing a fully unlocked device is… not great.

This isn’t heavy-handed, it’s basic hygiene.

3. Enforce Conditional Access: “Only Healthy Devices Get In”

Conditional Access gives you the one rule that solves almost every BYOD complaint:

If the device doesn’t meet minimum requirements, it doesn’t access firm data.

Minimum requirements might include:

• Screen lock

• Not jailbroken

• Not out-of-date

• Approved app

• Approved location or risk level

This is how you avoid a staff member opening client files on:

• A borrowed laptop

• A random kiosk computer

• An 8-year-old Android Frankenstein experiment

• A device with malware happily running in the background

You don’t have to manage the device, you just decide whether it’s allowed through the door.

4. Create a “Plain-Language BYOD Policy”

Every professional services firm needs a 1-page BYOD explanation that says:

We can see:

• That your device is allowed to connect

• Whether it passes basic security checks

• The business data and apps we manage

We cannot see:

• Your photos

• Your texts

• Your personal files

• Your browser history

• Your personal apps

• Your location

• Anything outside the work apps

If you leave the firm:

• We remove work data from your device

• We do not wipe your entire phone or computer

This one page will save you hours of explaining and eliminate 90% of staff fears. (Coincidentally, this is something we can help you with if you’re an Athencia One client.)

5. Offboarding: The Moment BYOD Actually Matters

The riskiest moment in every firm is not a cyberattack, it’s offboarding.

When someone leaves a professional services firm, they walk out with:

• A phone full of client emails

• Meeting notes

• File sync caches

• Calendar entries

• Drafts

• Possibly sensitive conversations

• And whatever else their role gave them access to

With proper BYOD:

• You can wipe work data instantly

• Their personal data stays intact

• No drama, no forensics, no “I think they still have access to…” conversations

This is the moment firms realize how important BYOD really is.

The BYOD Sweet Spot for Professional Services

A good BYOD program gives you:

• Security

• Compliance

• Data boundaries

• Cleaner offboarding

• Happier employees

• Less hardware cost

• Reduced IT overhead

And it avoids:

• Creepy surveillance

• Device takeovers

• Device wipes gone wrong

• Privacy anxiety

• HR issues

• Staff revolt

Firms that get this right reduce risk dramatically without killing culture.

If You’re a 10–100 Person Firm, This Is Not Optional Anymore

Professional services firms don’t get breached because they don’t care.
They get breached because they assume:

• “Everyone locks their phone.”

• “We’re too small to matter.”

• “People know what not to do.”

Meanwhile:

• Client inboxes are the #1 entry point

• Lost/stolen devices are a major contributor to incidents

• Insurance questionnaires now ask about BYOD controls

• Regulators assume you’ve locked this down

A modern BYOD program is table stakes, but done right, it’s painless.

Want help?

If you want a BYOD setup that keeps your firm safe without making everyone hate IT, we do this all the time for professional services firms. Just say the word.