I've seen the aftermath of too many preventable incidents. Ransomware locking up an accounting system because someone clicked a link in an email that looked like it came from FedEx. A bookkeeper who wired $75,000 to what she thought was the vendor’s bank account, when in reality a business email compromise from a colleague allowed the attacker to swap in a new routing and account number. A former employee who still had admin access to the VPN and file server six months after they left because nobody remembered to revoke it.

None of these were sophisticated attacks. They were opportunistic, and they worked because the basics weren't covered.

You're Not Too Small to Be a Target

I hear this all the time. "We're just a 15-person firm, why would anyone come after us?" The answer is precisely because you're a 15-person firm. You have client data, banking credentials, and probably no dedicated security team. From an attacker's perspective, you're easier to hit than a Fortune 500 company and still worth the effort.

The goal here isn't to become Fort Knox. You just need to be harder to compromise than the next guy. Most attackers aren't persistent. They're scanning for easy wins. If you make it annoying enough, they'll move on.

Layers, Not Silver Bullets

I explain security to clients like a house. You've got locks on the doors to keep people out. You've got smoke detectors in case something goes wrong inside. And you've got insurance for when the worst happens anyway.

The first part is prevention: MFA, strong passwords, keeping your software updated, not clicking on sketchy links. Basic hygiene.

The second part is containment: if someone does get in, how do you limit the damage? That's where backups, access controls, and network segmentation come in. If your receptionist's laptop gets compromised, can the attacker pivot to your file server? They shouldn't be able to.

The third part is recovery: when something goes sideways, how fast can you get back to operational? Do you have a plan, or are you going to be figuring it out in the middle of a crisis?

None of this requires expensive tools. It requires thinking it through ahead of time.

Train Your People

Most security incidents start with a person, not a piece of code. Someone clicks a phishing link. Someone reuses their Netflix password for their work email. Someone shares credentials over Teams because it's faster than looking up the proper process.

The single best investment you can make is training your team to pause before they click with ongoing phishing simulations. Make it normal to ask "hey, is this email legit?" without feeling stupid. The culture shift costs almost nothing and prevents most of the stuff that actually happens to small businesses.

The Stuff You Actually Need to Do

I'm not going to give you a 47-point checklist. Here's what actually matters:

Turn on MFA everywhere. Email, banking, cloud apps, everything. This alone stops the majority of account takeovers.

Use a password manager. We use 1Password and include it in Athencia One Complete because it's dead simple and people actually use it. If your team is reusing passwords or keeping them in a spreadsheet, you're exposed.

Keep your software updated. I know updates are annoying. Automate them. Unpatched software is how a lot of ransomware gets in.

Encrypt your devices. Laptops get stolen. Phones get left in Ubers. If the drive is encrypted, losing the hardware is an inconvenience, not a breach.

That's it. Do those four things and you're ahead of most small businesses.

You Already Have Better Tools Than You Think

If you're on Microsoft 365, you're likely sitting on security features that most people never turn on. Defender, Conditional Access, Data Loss Prevention... it's all included, just not configured by default. I spend a lot of time helping clients flip those switches. It's one of the fastest ways to improve your security without spending another dollar.

I wrote a detailed post on the M365 Security Baseline a few weeks ago if you want the specifics.

Backups: The Thing Everyone Forgets Until They Need It

Here's something a lot of people don't realize: Microsoft and Google are not backing up your data in the way you think they are. They'll keep their infrastructure running, sure. But if you accidentally delete a folder, or ransomware encrypts your files, or a former employee wipes their mailbox on the way out, that's on you.

You need independent backups. Something that runs automatically, stores copies offsite, and that you've actually tested restoring from. A backup you've never tested is just a hope.

Have a Plan Before You Need One

At some point, something will go wrong. Maybe it's minor, maybe it's not. But if you're figuring out who to call and what to do in the middle of an incident, you've already lost valuable time.

Write down the basics: who gets notified, how do you isolate an affected system, when do you call your IT provider or your insurance carrier, what do you tell clients if their data might be involved. You don't need a 50-page document. A one-pager that everyone knows exists is better than a binder nobody has read.

The Point of All This

Security doesn't have to be scary or complicated. It's really just about not being an easy target. Cover the basics, train your people, and have a plan for when things go sideways.

Most attackers are lazy. Don't make it easy for them.

This post is part of a series on the five pillars of SMB IT success: Foundation, Security, Productivity, Growth, and Governance. It's based on concepts from my book, The SMB IT Playbook.

If you want a partner who actually looks at the whole picture, Athencia One combines visibility with protection so you're not left guessing.

I've spent the past few months rebuilding how Athencia works. The pricing, the positioning, the website. Here's what changed and why.

Who we're for

Small and mid-sized businesses. We work with SMBs across industries, but we specialize in professional services: law firms, accountants, consultancies, healthcare practices, and architecture firms. Places where security and reliability aren't optional.

If you have 5 to 75 people and you're tired of wondering whether your IT is okay, we built this for you.

What we offer now

Two options, both built on the same security stack:

Athencia One costs $45-55/user/month depending on team size. You get the full security and monitoring stack: Microsoft 365 Business Premium, Huntress (EDR, ITDR, SAT, SIEM), Dropsuite backup, and access to the Athencia One portal. Labor is billed separately when you need it.

Athencia One Complete costs $159-199/user/month. Everything in Athencia One, plus unlimited support. We run your IT so you don't have to. Projects are still billed separately, but day-to-day operations, user management, patching, vendor coordination are all included.

The old pricing was higher. I looked at what other IT services firms charge in Seattle, did the math, and brought it down. No gimmicks.

The Athencia One portal

I've been building this for a while. It's a dashboard that shows you the health of your IT environment in plain English. Seven indicators, traffic-light style. Green means good. Yellow means check on it. Red means let's talk.

No digging through multiple admin consoles. No wondering if your backups are running or your security tools are actually doing anything.

It's live in beta at athencia.one and is included free of charge for all Athencia One clients.

The new website

Rebuilt from scratch. Clearer messaging, better structure. Same principles.

athencia.com

If you're already a client

Nothing changes unexpectedly. If you're on an existing agreement, we'll honor it. If the new pricing works better for you, we'll move you over. Reach out and we'll sort it out.

If you've been thinking about working with us

Now's a good time. The offering is tighter, the pricing is fairer, and I'm taking on new clients.

Book a call or reply to this email.

Jeremy

A few years back, I walked into a new client's datacenter after they'd laid off their internal IT team. What I found wasn't really a datacenter anymore. It had become a storage closet for technology. Servers, switches, cables, boxes of equipment, all stacked and forgotten.

They had an outside firm handling IT support, but that firm operated in pure break-fix mode: they did exactly what was asked and nothing more. Nobody was looking at the whole picture, so the result was a mishmash of patching configurations, inconsistent software setups, and zero visibility into what the business actually owned.

As we started digging through it, a pattern emerged. Instead of checking whether they already had usable hardware, employees had simply bought new hardware. Over and over. Nobody knew what they had, so they assumed they had nothing.

By the time we finished the inventory, we'd identified what was easily six figures worth of equipment sitting unused.

They weren't negligent. They weren't careless. They just couldn't see what they had.

The Four Questions

Most SMB owners I work with can't answer four basic questions about their own technology:

1. How many devices do we actually have?

2. Who has access to what?

3. What software are we paying for each month?

4. Where does our critical data live?

If you can't answer those right now, don't worry about it. You're in good company.

IT usually starts as a side quest. A few laptops, a domain name, email setup, and you're off to the races. It's only later, when the team grows and systems multiply, that the patchwork stops holding together. The problem isn't that you don't care. It's that nobody forced you to look until something broke.

Visibility Is the Foundation

There's a common misconception that solid IT infrastructure needs to be complicated. Enterprise-grade, filled with jargon, maintained by someone with six certifications and a caffeine dependency. In reality, most SMBs need the opposite.

Complexity doesn't make systems stronger. It makes them fragile. The more moving parts you add, the more things can break. The more bespoke your setup, the harder it is to maintain. The goal isn't to impress anyone with your tech stack. It's to build something that runs quietly and doesn't create unnecessary drama.

But you can't simplify what you can't see, and you can't manage what you don't know you have.

That's why visibility is the foundation everything else gets built on. Security decisions, budget planning, vendor negotiations, growth planning... all of it depends on knowing what's actually in your environment.

Start Simple

You don't need a fancy tool to get started. You need a list.

An IT inventory can be as simple as a spreadsheet. Track your devices (every laptop, desktop, server, phone, and tablet) along with who uses it, when it was purchased, and whether it's still under warranty. Document who has accounts on which systems and who has admin rights, and when someone last reviewed that. List every piece of software you're paying for monthly or annually, including the cost, renewal date, and whether anyone's actually using it. And know where your critical data lives, whether that's customer records, financial data, or intellectual property, and whether it's backed up in a way you could actually recover from.

This isn't glamorous work. But it's the kind of work that keeps you from paying thousands for hardware and software you don’t need.

The Payoff

Once you can see your environment, you can manage it. Once you can manage it, you can simplify it.

I've spent 30 years helping businesses get to the point where they don't have to think about their IT anymore because it just works. The ones who get there fastest aren't the ones with the biggest budgets. They're the ones willing to look honestly at what they have and build from there.

The inventory isn't the exciting part. But it's where everything else starts.

This post is part of a series on the five pillars of SMB IT success: Foundation, Security, Productivity, Growth, and Governance. It's based on concepts from my book, The SMB IT Playbook.

If you want visibility into your IT environment without the guesswork, Athencia One gives you a clear, real-time view of your technology health.

A lot of firms want to use AI tools this year. Copilot in Microsoft 365. ChatGPT. Small, focused assistants built into the software you already have. The interest is there. The pressure is there. The potential is real.

But professional services firms have a unique problem: your entire business sits on a foundation of confidentiality and trust. You cannot treat AI adoption the same way a startup or a marketing agency might. You operate in a world where one bad decision with client data has real consequences.

The goal isn’t to avoid these tools. It’s to use them responsibly and predictably, with clear boundaries that match the way your firm works.

This is a practical starter pack to help you do that.

Start with a simple idea: AI isn’t the risk, your data handling is

Most of the fear around AI comes from not knowing where data goes or how it’s used. But the truth is simpler. AI tools are only as risky as the access you allow and the context you give them.

If someone can paste a client document into a public AI tool, that’s not an AI problem. It’s a data governance problem.

If Copilot can reach sensitive files it shouldn’t have access to, that’s not an AI problem. It’s an access control problem.

Good AI governance begins with the same fundamentals every firm should already have in place:

• Clear access boundaries

• Strong identity controls

• Basic data classification

• A predictable file structure

• People who understand what “confidential” actually means

AI doesn’t erase any of that. It just exposes it.

Understand the two types of AI you’re dealing with

Most firms will touch two broad categories of tools.

1. Public AI (ChatGPT, Gemini, Claude, etc.)

These are general-purpose tools. Useful. Powerful. Not tied to your data unless you intentionally put it there. The risk comes from people copying and pasting client information into these tools without thinking.

Your policy here should be simple:

• No client data

• No confidential firm information

• No internal documents

• No “just to check something quickly” exceptions

If someone wouldn’t email that information to a stranger, they shouldn’t paste it into a public AI tool.

2. Enterprise AI (Copilot for Microsoft 365)

This is different. It runs inside your tenant and respects your existing permissions. If someone doesn’t have access to a document, Copilot can’t see it either.

This makes it much safer for day-to-day work, but it also brings a new requirement: your permissions need to be correct. Sloppy access models lead to sloppy AI output.

Before turning on Copilot, firms should clean up:

• Overshared SharePoint sites

• Old “everyone in the company” links

• Personal OneDrives full of client material

• Teams channels with unclear ownership

• Legacy folders carried forward out of convenience

Copilot magnifies whatever structure you already have. If your tenant is organized, it performs incredibly well. If it’s not, it reflects that too.

Set boundaries people can understand and actually follow

AI governance doesn’t need to be a 20-page document. Start with a one-page guide that covers:

What people can use AI for

• Drafting

• Summarizing

• Brainstorming

• Rewriting

• Simplifying internal explanations

What they cannot use AI for

• Client documents

• Matter-specific information

• Financials

• Sensitive personal data

• Anything bound by a confidentiality agreement

• Anything that identifies a specific client situation

What to do instead

• Use templates

• Use internal examples

• Strip identifiable details

• Ask a colleague before asking a model

Clarity beats perfection. People will follow simple rules, and if you’re an Athencia One client, we’re happy to help you draft them.

Tie AI use back to your existing confidentiality obligations

Professional services firms already have standards:

• Engagement letters

• Ethical rules

• Regulatory requirements

• Client confidentiality clauses

• Cyber insurance controls

Your AI standards should map directly to those. You’re not inventing new expectations. You’re applying old ones to a new tool.

A good way to explain it is this:

“Use AI the same way you would use a contractor you don’t know yet. Helpful, but not someone you give sensitive client information to.”

Put yourself in a defensible position

If a client or insurer asks about AI use, they’re not looking for perfection. They’re looking for evidence that you’ve thought about the issue.

Have these things ready:

• A short AI policy

• A list of approved tools

• A list of disallowed tools

• A basic explanation of how Copilot or ChatGPT handles data

• A record of staff training or acknowledgement

• Confirmation that confidential data isn’t sent to public AI tools

• Confirmation that enterprise AI respects existing permissions

• A short internal FAQ answering common questions

When firms can show this level of preparation, the conversation becomes much easier.

Monitor the environment the same way you already should

Nothing about AI replaces the need for basic monitoring. If anything, it makes it more important.

You still need:

• Strong identity controls

• MFA everywhere

• Conditional Access

• Clear device policies

• Proper access reviews

• A reliable offboarding process

• A 24/7 SOC to catch the things you don’t see

AI doesn’t introduce new risks so much as it sharpens the ones already in your system. A mature monitoring posture fills in the gaps.

Start small, move steadily, and keep people in the loop

You don’t need a grand rollout. The best path looks like this:

1. Publish a simple policy

2. Approve a small set of tools

3. Train your people on how to use them

4. Start with low-risk use cases

5. Tighten access and structure as you learn

6. Add new capabilities when the firm is ready

Your goal is steady, confident progress. Not a big-bang announcement.

The bottom line

Professional services firms can safely adopt AI. Many should. The work these tools can automate will free teams for the higher-value parts of your practice.

The key is structure. Clear boundaries. A predictable framework. And a culture where people understand both the promise and the responsibility.

That is what AI governance looks like at this stage. It’s not complicated. It’s not dramatic. It’s simply part of running a modern firm.

The start of a new year always brings a small pause. Not the dramatic kind, just enough space to look at what worked, what didn’t, and what deserves more attention than it got.

For a lot of professional services firms, 2025 was a year of juggling. More clients. More expectations. More tools. More noise. Most teams did well, but many also felt the strain of systems that weren’t quite keeping up.

My hope for you in the new year is simple: more clarity, fewer surprises, and a technology environment that quietly supports the work instead of competing with it.

If the last few years taught us anything, it’s that firms don’t need more complexity. They need consistency. Clean systems. Clear boundaries. A predictable foundation. These things rarely make headlines, but they make the day-to-day experience of running a firm noticeably better.

In 2026, Athencia will keep focusing on that kind of work. Practical improvements. Stronger security. Smoother operations. Better alignment between how your people work and the tools they use. Nothing dramatic. Just steady progress that makes the firm more resilient and easier to run.

Thank you for reading, for sharing feedback, and for trusting us to help you make sense of a world that changes faster than anyone would like to admit. I’m looking forward to what we build together this year.

Here’s to a good start and a better rhythm ahead. Happy New Year!

Cheers,

Jeremy Phillips
Founder & CEO

As we head into the holidays, here’s hoping your season is filled with rest, good company, and as few security alerts as humanly possible.

Professional-services firms earn trust all year long and this time of year is a reminder of why it matters: clients rely on you even when the office lights dim and the inbox quiets.

Here’s to a safe, peaceful, and recharging holiday season.

Happy Holidays from Athencia

Most professional services firms run their world on Microsoft 365 now. Email, documents, meetings, calendars, client files. It is the closest thing you have to an operating system for the firm.

The problem is that many tenants are still in the state they were the day someone first clicked “Next” during setup. A few things turned on, a few things ignored, and then everyone got busy and moved on.

If you hold client data, that is not good enough anymore.

You do not need to turn every knob Microsoft gives you. You do need a clear baseline. A set of non-negotiables that keep people productive and keep your risk where it belongs.

This is what that baseline looks like for a 10-to-100-person professional services firm.

What “good enough” actually means

A secure Microsoft 365 environment for a firm like yours is not perfect. It is consistent.

At a minimum, it should:

• Protect accounts even if passwords are stolen

• Protect firm data on laptops and phones, including personal devices

• Limit what happens if one account is compromised

• Make offboarding clean and predictable

• Give you basic visibility into what is happening

If your current setup cannot honestly claim those things, you have work to do. The good news is that most of it is configuration, not buying more tools.

1. Identity first: accounts, MFA and sign in rules

If someone can log in as you, nothing else matters.

Start here.

Use one account per person

Every person should have:

• One named account

• The right license

• A role that matches their job

Shared mailboxes are fine. Shared user accounts are not.

Enforce multi factor authentication for everyone

Not “everyone except partners” or “everyone except the one legacy thing.” Everyone.

Use:

• Authenticator app or hardware keys where possible

• SMS only as a last resort

Turn on “number matching” in the authenticator so people cannot just blindly tap “Approve.”

Use Conditional Access to set basic sign in rules

You do not need to start with 20 policies. Start with a few clear ones, such as:

• Block sign ins from countries where you have no staff or clients

• Require MFA on any risky sign in

• Require compliant or protected devices for sensitive apps

The goal is simple. Good users get through with a small amount of friction. Suspicious activity gets slowed down or stopped.

2. Devices: keep firm data safe on laptops and phones

Most of the risk in a firm lives on devices. Lost laptops. Personal phones. Old machines that never get updates.

You cannot fix that with a memo. You fix it with policy and tooling.

Manage firm owned devices

If the device is owned by the firm, you should:

• Enroll it in Intune or your management tool of choice

• Require disk encryption

• Push regular updates

• Standardize basic settings

People should not be local admins by default. If they need admin rights, grant them in a controlled way.

Use app protection on personal devices

If you allow BYOD, do not try to manage the whole phone. Protect the apps that hold firm data.

For example:

• Require a PIN or biometric to open Outlook and other work apps

• Block saving work files to personal storage

• Block copy and paste from work apps into personal apps

• Be able to wipe firm data from those apps without touching personal content

This is how you protect client information without creeping into people’s private lives.

Require screen locks and encryption

This is simple but often missed.

• All laptops and phones that access firm data must have a PIN or password

• Laptops must be encrypted

• Devices that do not meet these rules should not be allowed to connect to firm data

Write it down in a short BYOD and device policy. Then enforce it with technology.

3. Data: keep client information from leaking out

Professional services firms live and die by how they handle client information. In Microsoft 365, that mostly means email, OneDrive and SharePoint.

Standardize where client data lives

Make some decisions:

• Use SharePoint sites and Teams for client and matter folders

• Use OneDrive for personal work in progress

• Do not store firm data in random personal storage accounts

If you do not decide this, everyone will make their own decision and you will end up with files everywhere.

Turn on basic Data Loss Prevention

You do not need to start with heavy classification projects.

Start with a small number of simple rules, for example:

• Alert or block when someone tries to email sensitive information outside the firm

• Alert when large volumes of data are downloaded or shared externally

• Monitor external sharing links, and set sensible expiration defaults

You want guardrails, not constant noise. Tune the rules over time.

Use retention and legal hold where it matters

Some information should be kept for a defined period. Some should be removable quickly. Some may need legal hold.

Use retention policies to:

• Keep email and documents long enough to meet your legal and client obligations

• Avoid keeping everything forever by default

Again, this does not have to be complex. Start with a small number of clear rules.

4. Email: raise the bar for attackers

Email is still where a lot of incidents start, especially for firms whose entire client relationship runs through it.

You will get phished. You will get spoofed. You will have staff who are tired and in a hurry.

Your job is to give them better default protection and make sure someone is watching the environment when things slip through.

Key elements:

• Enforce MFA for everyone

• Turn on the recommended phishing and malware protections in Exchange Online

• Use Safe Links and Safe Attachments if your license supports them

• Publish and correctly configure SPF, DKIM and DMARC for your domains

• Train people regularly on how to report suspicious messages

• Make sure you have real monitoring in place, ideally a 24/7 SOC that can respond when an alert is more than just noise

None of this will stop every attack. It will push most of them away or blunt the impact. The SOC piece simply closes the gap between a good configuration and a fast response when something slips past it.

5. Access and offboarding: control who has what

Firms are very good at getting new people access to things. They are less consistent about taking that access away.

This is where a lot of hidden risk lives.

Use groups for access, not individual assignments

Set up groups that map to roles. For example:

• Partners

• Associates

• Finance

• Operations

• External contractors

Assign permissions to the group. Add or remove people from groups as their role changes. This keeps your access model understandable.

Have a clear offboarding checklist

When someone leaves:

• Disable their sign in

• Remove their licenses when appropriate

• Transfer their OneDrive content to a manager or archive

• Turn their mailbox into a shared mailbox and give their manager access to it

• Remove them from all groups

• Reassign any shared mailboxes or calendar access

Do this the same way every time. This is one of the simplest and most effective controls you can put in place.

6. Monitoring and visibility: know what is happening

You do not need an in-house security operations center, but you do need some level of awareness.

At a minimum:

• Turn on unified audit logging

• Review sign in risk and security alerts regularly, or have a managed provider do it

• Check Secure Score and use it as a guide, not a scoreboard

If you work with an MSP or security partner, be clear about who is watching what, how often, how they will contact you if something needs attention, and what proactive actions they’ll take on your behalf if they see a security incident in action.

7. A simple way to start

If this feels like a lot, break it into stages.

For example:

Month 1

• Enforce MFA

• Clean up user accounts

• Start using groups for access

Month 2

• Enroll firm owned devices

• Turn on basic app protection for mobile

• Require screen locks and encryption

Month 3

• Standardize where client data lives

• Turn on a small set of DLP and email protection rules

• Document and tighten your offboarding process

You do not have to do everything at once. You do have to start.

The payoff

A good Microsoft 365 baseline does not feel dramatic. The ideal outcome is that nothing exciting happens.

You do not see strange logins from eastern Europe at midnight.
You do not spend a week recovering from a lost laptop.
You do not discover that someone who left six months ago still has access to client folders.

People log in. They do their work. Systems behave in predictable ways. You sleep a little better.

That is what a baseline is for. It is not decoration. It is the floor you refuse to fall through.

If you want help getting your firm to that floor, that is the kind of work we do every day at Athencia.

Spend enough time around firm owners, managing partners, and admins, and you hear the same sentence over and over:

It’s a fair question. It’s also the wrong one.

The right question—the one professional services firms hate asking because they already know the answer—is this:

Because in a professional services firm, your client data is the business.

You’re not being targeted because you’re famous, you’re being targeted because you’re trusted.

Let’s unpack that.

Professional Services: The Softest Target With the Most Valuable Data

Cybercriminals aren’t romantic. They’re not looking for prestige points or bragging rights. They follow the same incentives every business does:

• High value

• Low resistance

• Predictable return

Professional services check all three boxes:

1. Your client data is extremely valuable

Law firms have confidential matters.
CPAs hold tax records and financials.
Consultants have strategy decks and client IP.
Wealth firms have PII, account details, and statements.

This isn’t “kinda sensitive.”
This is “extortion-grade” material.

2. You look secure from the outside, but often aren’t

You’ve got Microsoft 365, a VPN, maybe a firewall, maybe MFA on email.

That feels secure.

Meanwhile:

• Legacy file systems live behind weak passwords

• Sensitive docs sit in personal Dropbox or Google Drive

• Partners use the same password for everything

• Staff access client data from personal devices

• Shared mailboxes have no auditing

• MFA is “encouraged,” not enforced

This is normal in 10–75 person firms and it’s also low-hanging fruit for attackers.

3. Your people are busy and predictable

Busy, billable humans follow patterns:

• Checking email late at night

• Approving invoices on mobile

• Reusing passwords

• Forwarding files to personal email “just this once”

• Clicking a link from “the partner who always emails last-minute”

Attackers love patterns.

The Myth of “We’re Too Small to Matter”

Let’s clear this up:
Attackers don’t target companies.
They target conditions.

And professional services firms naturally create the conditions that attackers automate against:

• Lots of email

• Lots of documents

• Lots of client communication

• Lots of urgency

• Lots of trust

• Not a lot of IT staffing

From an attacker’s perspective, you’re not a boutique consulting firm. You’re a funnel of sensitive client data guarded by exhausted people and incomplete controls.

It's not personal. It’s just math.

The Attack Scenarios That Actually Happen (Not the Hollywood Ones)

Here are three scenarios we see in the wild constantly—not theoretical, not exaggerated, just the everyday threats professional services firms face.

Scenario 1: The Distinguished Partner With the Weak Phone PIN

A partner loses their phone in an Uber.
It unlocks with a 4-digit code.
Outlook opens automatically.
Client matters, financials, contracts—wide open.

You’re now legally required to report a breach.

All because of a 4-digit number.

Scenario 2: The “Can You Approve This?” Email

An attacker gains access to a client’s compromised mailbox.

They send a believable request to your senior associate:

“Need this wire approved before close of business. Can you confirm?”

The associate, deep in client work, clicks. The associate’s credentials are successfully harvested. Your mailbox is now part of the attacker’s toolset.

Scenario 3: The Offboarded Employee With a Sync Folder

Someone leaves the firm.

No one wipes their OneDrive sync folder.

Six months later, they still have:

• Client data

• Drafts

• Emails

• Attorney–client communications

• Board decks

• Tax filings

• Financial statements

All sitting quietly on a personal laptop next to Netflix and photos of the dog.

No amount of policy language fixes this.

The Real Cost: The Phone Call You Never Want to Make

Here’s the uncomfortable truth:
When a professional services firm is breached, the damage isn’t the ransom or the cleanup.

It’s the conversation where you call a client and say:

That call isn’t about technology, it’s about trust.

And trust is your entire business.

The Good News: The Bar for ‘Secure Enough’ Is Clear and Achievable

This is where most firms underestimate themselves.

You don’t need:

❌ A massive IT department
❌ A CISO
❌ A six-figure stack of enterprise tools
❌ An army of engineers

You need:

1. Identity protection (MFA, Conditional Access)

Stop attackers from logging in, even with the right password.

2. Device boundaries (BYOD done right)

Protect firm data without touching personal data.

3. A Microsoft 365 baseline

The settings your tenant should never go without.

4. Basic compliance alignment

HIPAA/GLBA/SEC isn’t “for big companies.”
It’s for anyone holding sensitive client data.

5. Real offboarding controls

Remove firm data immediately when someone leaves.

6. Someone watching the alerts

A managed SOC so you’re not the one responding at 2:14am.

None of this is exotic; it’s all very achievable for a 10–100 person firm with the right structure.

The Security Equation for Professional Services

If you want to understand why you’re a target, boil it down to this:

High-value data × Busy people ÷ Limited IT = Prime target

That’s it.

That’s the formula.

And the firms that understand this early get ahead of the risk, while the firms that don’t… eventually learn the hard way.

You don’t need to be perfect. You just need to be better than the average firm.

No attacker wants to spend days breaking into a well-configured Microsoft tenant with MFA, device boundaries, and real alerting… when the firm down the street still uses Outlook 2016 with no MFA and “PasswordSpring2024!” as a shared credential.

Security isn’t a contest. But if it were, you only need to avoid being the easiest opponent.

If you want help getting there, we do this all day.

You don’t need a security department. You don’t need more tools.

You need a repeatable security foundation built for professional services firms.

If you want us to build that with you, just say the word.

Over the years I’ve seen the same patterns repeat. Too many tools. Too much noise. Systems that don’t quite fit together. Security gaps that hide in the corners. Good people forced to work around the limitations of what they have. None of this is because firms don’t care. It’s because no one has ever handed them a simple, complete picture of what “good IT” actually looks like for a small or midsized organization.

So I wrote one.

Today I’m releasing The SMB IT Playbook. It’s a practical guide to building a stable, secure and scalable technology foundation without pretending you’re a Fortune 500 company. For now, it’s free for Athencia Insights subscribers. Simply subscribe to Athencia Insights and you’ll receive a link directly to the PDF

Why this book exists

Growing firms eventually hit a point where technology decisions stop being about “what’s cheapest” or “what’s available” and start being about “what will support the next stage of the business.” Some get there early. Others get pushed there by an outage, a security scare or a compliance requirement. Either way, the questions become bigger and the stakes get higher.

This book lays out a simple model for understanding your environment and making decisions that hold up over time. It’s not technical for the sake of being technical. It’s focused on clarity, structure and helping leaders see the whole system instead of isolated problems.

What’s inside

The book is organized around five areas that shape every firm’s technology posture.

1. Foundation

The basic systems that everything else depends on. How to create stability, reduce surprises and keep your environment from becoming a patchwork of half-finished ideas.

2. Security

A clear view of the real risks facing small and midsized organizations and the controls that actually matter. No theatrics. Just the essentials that protect client data and keep you out of trouble.

3. Productivity

How to reduce tool sprawl, simplify workflows and help people do their best work without fighting the system. This is where small improvements have an outsized impact.

4. Growth Enablement

How to use technology to scale without chaos. Things like automation, standardization and visibility. The parts of IT that support growth instead of reacting to it.

5. Governance

The structure that keeps your environment predictable. Who makes decisions. How technology is evaluated. How you maintain order as the firm expands or roles change.

Each section is practical and directly applicable to a 10-to-100-person firm. Nothing theoretical. Nothing written for enterprise audiences. Just a clear path forward.

Who it’s for

Owners, partners, operations leaders and firm administrators who want their technology to support the business instead of distracting from it. People who are tired of chasing problems and want a framework that makes sense. Anyone who feels like the firm has outgrown the way IT used to work.

If that’s you, this book will help.

Get your copy

The book is available now for purchase on Amazon and free for Athencia Insights subscribers.

Want your free copy? Simply subscribe to Athencia Insights and you’ll receive a link directly to the PDF.

As you load up your plate this Thanksgiving, remember client trust is like cranberry sauce: once spilled, it stains everything.

Secure your data, secure your reputation.

Happy Thanksgiving from Athencia!

Professional services firms don’t compete on infrastructure. They compete on judgment, discretion, and trust. Clients hand over their strategies, financials, disputes, vulnerabilities, and future plans with the expectation that you will protect them as if they were your own.

Anthropic’s latest report on AI-enabled espionage makes one thing clear: that trust model is now under direct pressure and the threat isn’t just faster phishing or better malware. It’s autonomous AI systems running reconnaissance, moving laterally, harvesting data, and shaping extortion paths without requiring a skilled human operator behind them. This is a structural change in how attacks happen and who is capable of launching them, and professional services firms sit directly in the blast radius.

1. Why This Changes the Equation for Professional Services Firms

AI collapses the expertise barrier

What once required technical skill now requires almost none. AI systems can walk inexperienced actors through the steps of an intrusion: identifying weak points, probing shared drives, analyzing file structures, and staging exfiltration. Basically, if an attacker can ask a question, they can attempt an intrusion.

Automation turns one attacker into many

A single operator can now run multiple tailored attacks in parallel. These aren’t broad, noisy campaigns. They’re quiet, adaptive, and persistent, designed to find specific footholds inside high-value environments like law firms, consultancies, and accounting practices.

Decision-making is shifting from people to models

Anthropic’s analysis showed AI agents selecting targets, choosing which client files to steal, and determining what extortion strategy to pursue. When decision-making is automated, the speed of an attack is no longer limited by a human’s capacity to act.

Your exposure is multiplied by every client you represent

A breach inside a professional services firm doesn’t stop at the firm. It cascades through client portfolios: M&A materials, litigation strategy, audit workpapers, tax positions, investment memos, deal rooms, HR cases. One compromise becomes many, which is the real scale risk.

2. What This Means for Firm Leadership

The implications for partners, managing directors, COOs, and CIOs are direct:

Your firm is now a proxy target

Attackers don’t need to go after your clients if they can steal the same data from you — concentrated, organized, and already labeled.

Incident timelines are compressing

AI-driven intrusions unfold in minutes, not days. If your response processes assume human-paced attacks, they’re already outdated.

Shadow AI is already inside the firm

Professionals adopt tools that help them move faster. That includes AI assistants and agents, often used informally without governance, and sometimes with client data.
This is becoming one of the largest blind spots in the industry.

Clients will require new levels of transparency

Soon, they’ll ask:

• Which AI tools interact with our data?

• How is AI governed inside your workflows?

• What safeguards prevent unauthorized agentic behavior?

Firms that can’t answer confidently and consistently will see trust erode.

3. The Operational Weak Points Unique to Professional Services

Professional services environments create a specific kind of exposure:

Communication platforms filled with sensitive detail

Partners and teams use Slack, Teams, and email freely. AI agents can analyze, scrape, and pattern-match across all of it.

Attachment-driven workflows

Matter files, drafts, briefs, models, diligence packets are moving constantly via email and shared drives. Predictable surfaces. Easy for automated reconnaissance.

Client work structured across shared folders

Engagement drives and project workspaces give attackers both structure and hierarchy that gives AI exactly what it needs to navigate.

Vendor sprawl across the tech stack

Document automation, research tools, contract analytics, managed IT, cloud storage.
Each vendor is a potential point of leverage for automated intrusion.

High-velocity, deadline-driven work

When timelines shrink, security takes shortcuts. Attackers depend on this.

Professional services firms sit at the intersection of high-value data and complex, people-driven workflows that allow AI-enabled attackers to thrive.

4. What Firms Need to Do Differently Starting Now

1. Build transparency around AI use

Clients will expect clarity on:

• which models you use

• how they interact with their data

• who governs access and behavior

This is quickly moving from “nice to have” to contractual obligation.

2. Strengthen internal AI governance

Assume your teams are already using AI tools. The priority is controlling how they are used and which tools are used, not pretending they aren’t.

3. Bring AI into your defense, not just your workflows

AI-assisted attacks can’t be countered with manual detection; defense needs to match offense in speed and automation.

4. Treat governance as a security control

People follow process when the process is clear, predictable, and reinforced. Inconsistent governance is now a material security risk.

5. What Leaders Can Do This Weekend

If you want to reduce exposure immediately, start here:

1. Identify every touchpoint where AI interacts with client data

Formal and informal. Policy-approved or not.

2. Run a short tabletop: “AI breach of a client file”

Test your detection, escalation, communication, and containment paths.

3. Audit how client data is segmented

Shared drives and legacy folder structures create easy pathways for automated reconnaissance. Consider tools like Microsoft Purview or Concentric AI to automatically classify data and then establish clear segmentation wherever possible.

4. Review your AI-enabled vendor stack

Ask direct questions about agentic behavior, model governance, and logging.

5. Brief your top-tier clients

Proactivity builds trust: “We are strengthening your data protection in light of new AI-driven threat models.”

6. Commission an AI-agentic risk assessment

Against recon, internal navigation, and exfiltration workflows — not just perimeter scanning.

6. Closing Thought for Firm Leaders

AI-enabled attackers don’t need more skill or more people. They need more compute, and they already have it.

The firms that adapt early will differentiate themselves not just through security, but through trust while those who wait will be defined by their incidents, not their expertise.

For anyone who wants to review the underlying analysis:
https://www.anthropic.com/news/disrupting-AI-espionage?utm_source=insights.athencia.com

Look, most professional services firms aren’t handing out laptops and phones like it’s Google onboarding day. People bring their own devices. They work from home, the hotel lobby, the carpool line, the airport café, and the client’s conference room. It’s the real world.

And that real world collides, hard, with the expectations of client confidentiality, compliance, and cyber insurance. Your staff’s iPhones now hold client emails. Their laptops sync files. Their iPads get meeting invites. Whether you like it or not, your firm’s data is already living on personal hardware you don’t control.

The good news? You can protect firm data without invading anyone’s privacy, spying on their photos, or turning your workplace into a digital TSA line.

Let’s walk through how.

The Real Concern Isn’t the Device — It’s the Data

Partners and admins worry about personal devices because of one thing:

“If someone loses their phone, could a stranger open Outlook and download our entire client history?”

That’s the nightmare scenario. But the nightmare doesn’t come from the device—people lose devices all the time. It comes from unprotected access:

• No passcode

• Auto-login email apps

• No ability to wipe business data

• Zero separation between “work stuff” and “my stuff”

Professional services firms carry client financials, contracts, PII, health information, audit deliverables, investment docs, and plenty of “please don’t ever leak this” material.

We can’t rely on good intentions or a sternly written employee handbook, which means we need guardrails.

What Employees Fear (and Why You Need to Address It Early)

If you roll out a BYOD policy the wrong way, people assume the worst:

• “Can you see my photos?”

• “Are you tracking my location?”

• “Are you monitoring my texts?”

• “Can you snoop through my apps?”

• “If I leave, are you going to nuke my phone?”

This anxiety kills adoption.

A modern BYOD program needs one thing above everything else:

Transparency.

Tell people exactly what the firm can and can’t see.

Spoiler: With the right setup, you can’t see anything personal.

And you shouldn’t want to.

How to Do BYOD the Right Way (Without Being Creepy)

Here’s the model that works repeatedly for 10–100 person professional services firms.

1. Use “App Protection” Instead of “Device Control”

This is the part most firms get wrong.

You don’t need to manage the entire device, you just need to protect firm data inside specific apps, mostly:

• Outlook

• Teams

• OneDrive

• SharePoint

• Office apps (Word, Excel, PowerPoint)

• A few collaboration tools you rely on

With Microsoft 365, App Protection Policies let you:

• Require a PIN just for firm apps

• Block copy/paste into personal apps

• Disable saving work files into personal storage

• Remotely wipe only work data if the person leaves or loses their device

Their photos, texts, apps, and browser history remain untouched, exactly how it should be.

2. Require MFA and a Screen Lock (Yes, Really)

This is the bottom of the bottom of the bare minimum:

• Phone must have a passcode/FaceID

• MFA is non-negotiable

• Outlook login shouldn’t be a permanent open door

Your client’s attorney, accountant, auditor, or advisor losing a fully unlocked device is… not great.

This isn’t heavy-handed, it’s basic hygiene.

3. Enforce Conditional Access: “Only Healthy Devices Get In”

Conditional Access gives you the one rule that solves almost every BYOD complaint:

If the device doesn’t meet minimum requirements, it doesn’t access firm data.

Minimum requirements might include:

• Screen lock

• Not jailbroken

• Not out-of-date

• Approved app

• Approved location or risk level

This is how you avoid a staff member opening client files on:

• A borrowed laptop

• A random kiosk computer

• An 8-year-old Android Frankenstein experiment

• A device with malware happily running in the background

You don’t have to manage the device, you just decide whether it’s allowed through the door.

4. Create a “Plain-Language BYOD Policy”

Every professional services firm needs a 1-page BYOD explanation that says:

We can see:

• That your device is allowed to connect

• Whether it passes basic security checks

• The business data and apps we manage

We cannot see:

• Your photos

• Your texts

• Your personal files

• Your browser history

• Your personal apps

• Your location

• Anything outside the work apps

If you leave the firm:

• We remove work data from your device

• We do not wipe your entire phone or computer

This one page will save you hours of explaining and eliminate 90% of staff fears. (Coincidentally, this is something we can help you with if you’re an Athencia One client.)

5. Offboarding: The Moment BYOD Actually Matters

The riskiest moment in every firm is not a cyberattack, it’s offboarding.

When someone leaves a professional services firm, they walk out with:

• A phone full of client emails

• Meeting notes

• File sync caches

• Calendar entries

• Drafts

• Possibly sensitive conversations

• And whatever else their role gave them access to

With proper BYOD:

• You can wipe work data instantly

• Their personal data stays intact

• No drama, no forensics, no “I think they still have access to…” conversations

This is the moment firms realize how important BYOD really is.

The BYOD Sweet Spot for Professional Services

A good BYOD program gives you:

• Security

• Compliance

• Data boundaries

• Cleaner offboarding

• Happier employees

• Less hardware cost

• Reduced IT overhead

And it avoids:

• Creepy surveillance

• Device takeovers

• Device wipes gone wrong

• Privacy anxiety

• HR issues

• Staff revolt

Firms that get this right reduce risk dramatically without killing culture.

If You’re a 10–100 Person Firm, This Is Not Optional Anymore

Professional services firms don’t get breached because they don’t care.
They get breached because they assume:

• “Everyone locks their phone.”

• “We’re too small to matter.”

• “People know what not to do.”

Meanwhile:

• Client inboxes are the #1 entry point

• Lost/stolen devices are a major contributor to incidents

• Insurance questionnaires now ask about BYOD controls

• Regulators assume you’ve locked this down

A modern BYOD program is table stakes, but done right, it’s painless.

Want help?

If you want a BYOD setup that keeps your firm safe without making everyone hate IT, we do this all the time for professional services firms. Just say the word.

The Azure outage today reminded me of something simple but important: even the strongest systems fail sometimes. It’s easy to take uptime for granted until it’s gone. For small and mid-sized businesses, a few hours of downtime can ripple out in ways that really hurt — lost productivity, anxious clients, missed momentum.

But downtime doesn’t have to take you down with it.

Over the years, I’ve learned that the difference between a major disruption and a minor inconvenience usually comes down to preparation, awareness, and partnerships that actually deliver when things get rough.

Here’s what I recommend to every SMB leader right now.

1. Know What Matters Most

Start by listing the systems that keep your business alive such as email, accounting, CRM, client portals. Then ask: what happens if one of these goes dark? Who steps in? What’s the plan? The answers don’t have to be complex. They just have to exist.

2. Backups That Actually Work

A lot of people think Microsoft 365 has them covered, but it doesn’t go nearly far enough. That’s why I love the Dropsuite M365 Backup built into Athencia One. It keeps a full, immutable backup of your data and lets you restore exactly what you need, from a single email to a full SharePoint site, whenever you need it.

3. Stay Secure, Especially When Things Break

Outages create opportunity for bad actors. Athencia One’s Managed Cybersecurity, powered by Huntress EDR and SIEM, keeps watch around the clock, detecting and isolating threats before they spread. Security isn’t just about tools; it’s about having someone on your side who’s already watching when you’re too busy to notice.

4. Keep an Eye on Everything

Our 24×7 Monitoring and Management system makes sure you know what’s happening across your environment — uptime, patches, devices, all of it. Problems don’t always announce themselves. Sometimes the best defense is a simple alert that shows up five minutes before something breaks.

5. Empower Your Team

Tools are important, but people make it all work. With Empower AI Enablement, teams get hands-on Copilot and AI-readiness sessions every month. The goal is to help them work smarter, stay calm under pressure, and adapt fast when things change.

Why Athencia One Exists

We built Athencia One to make IT management and protection simple for growing businesses. It blends monitoring, cybersecurity, continuity, and enablement into one service. Everything connects. Everything works together.

Whether you’re running a ten-person consultancy or managing seventy users across multiple offices, you get stability and security without the overhead of building it all yourself.

Let’s Talk

If you’re ready to make your business more resilient, visit Athencia.com or reach out to us at hello@athencia.com. We’ll walk you through how Athencia One helps you stay protected, prepared, and productive. Even when the cloud isn’t.

Why Compliance Matters in 2025

• 📝 Regulations are tightening—HIPAA, GLBA, and SEC rules now apply directly to SMBs.

• 🔐 Cybersecurity alone isn’t enough—auditors need evidence, documentation, and reporting.

• 📊 Compliance-as-a-Service is growing fast because most SMBs don’t have time or staff to manage checklists, assessments, and audits themselves.

How Regulations Map to Microsoft 365 Baseline

HIPAA (Healthcare) 🏥

• Protect PHI with encryption and audit logs.

• M365 covers: Encrypted OneDrive/SharePoint, MFA/Conditional Access, Defender for Endpoint, audit logging.

• Athencia Comply adds: Risk assessments, breach response documentation, and audit-ready compliance reports.

GLBA (Financial Institutions) 💰

• Secure customer financial data and manage vendor risk.

• M365 covers: Intune hardening, DLP, secure email, compliance reporting.

• Athencia Comply adds: Vendor risk management and board-level compliance dashboards.

SEC Cyber Rules 📈

• Disclose material incidents in 4 days, prove governance, show continuous monitoring.

• M365 covers: Secure Score, Compliance Manager templates, audit-ready logging.

• Athencia Comply adds: Executive reporting and regulator-ready evidence packs.

Why Microsoft 365 as the Foundation

• ⚖️ Native alignment with NIST CSF (supports HIPAA, GLBA, SEC requirements).

• 🔗 Unified control plane with Intune + Conditional Access.

• 📂 Audit-ready evidence through Compliance Manager.

Where Athencia Comply Extends Microsoft 365

Think of Microsoft 365 baseline as the seatbelt. Athencia Comply is the airbag.

• 🔄 Continuous risk assessments tied to HIPAA, GLBA, and SEC frameworks.

• 🚨 Documented incident response playbooks.

• 📊 Executive dashboards and regulator-facing reports.

• 🎓 Training and simulations to reduce user-driven risk.

• 🗂️ Automated evidence collection and mapping through ControlMap.

What SMBs Gain

• 🏥 Healthcare: Faster HIPAA audit prep, reduced PHI exposure.

• 💰 Financial: Lower GLBA compliance costs, better cyber-insurance terms.

• 📈 Advisors/Public Companies: Meet SEC 4-day disclosure requirements without panic.

Take Action

Compliance isn’t just an enterprise problem. SMBs are on the radar.

👉 Book a 15-minute Security & Compliance Health Check. We’ll perform a 15-minute security & compliance health check to show how your Microsoft 365 setup stacks up and where risks need attention.

🔍 Ready to go further? Check out Athencia Comply, our Compliance-as-a-Service offering powered by ControlMap. It continuously maps HIPAA, GLBA, and SEC requirements to your environment, automates evidence collection, and keeps you audit-ready year-round.

🛡️ Email Security Tune‑Up for Microsoft 365 (SMB Edition)

✉️ A practical, cloud‑first checklist to harden Outlook and Exchange Online fast—no jargon, no drama.

TL;DR

• 🔒 Turn on MFA for everyone, kill legacy logins, and enforce Conditional Access basics.

• 🧪 Enable Safe Links/Safe Attachments and block auto‑forwarding outside your domain.

• 🛡️ Close the loop with SPF, DKIM, DMARC and a “report phish” button + monthly review.

Why It Matters (Proof in 60 seconds)

• Risk: ⚠️ Most breaches start in email via phishing, malware, or credential stuffing.

• Cost: 💸 A single compromised mailbox can expose client data and trigger notification requirements and fraud losses.

• Pressure: 📣 Clients and auditors increasingly expect MFA, DMARC, and user reporting as table‑stakes.

What “Good” Looks Like (KPIs you can measure)

• ✅ MFA coverage: 100% of users and admins; 0 breakglass used in last 30 days.

• ⛔ Legacy auth: 0 successful legacy protocol logins.

• 🛡️ Safe Links/Attachments: On for all users.

• 🚫 External forwarding: Blocked tenant‑wide; monitored exceptions.

• 🌐 Domain protection: SPF pass; DKIM aligned; DMARC policy at quarantine or reject with <1% aligned‑fail.

• 📬 User behavior: ≥3 phish reported per 25 users/month; <1 click‑through in simulations.

• 🔔 Alerts: High‑risk sign‑in and impossible travel alerts reviewed weekly.

The 80/20 Plan (60‑Minute Checklist)

1. 🔒 MFA for everyone

   • Admin Center → Users → Per‑user MFA or Conditional Access policies. Use Microsoft Authenticator + number match; enable trusted device sign‑in.

2. ⛔ Kill legacy authentication

   • Entra ID → Protection → Security defaults (on) or Conditional Access → Block legacy auth.

3. 🧱 Baseline Conditional Access

   • Require MFA for all users; require compliant or hybrid‑joined device for admins; block from countries you don’t operate in; session sign‑in frequency 12–24h.

4. 🧪 Safe Links & Safe Attachments

   • Defender for Office 365 → Policies → Threat policies: turn on Safe Links for email + Office apps; enable Safe Attachments with Dynamic Delivery.

5. 📤🚫 Block auto‑forwarding to external

   • Exchange Admin Center → Mail flow → Remote domains/Transport rules: disable automatic forwarding; create exception for approved shared services if needed.

6. 🧾 SPF, DKIM, DMARC

   • Publish SPF for your sending services; enable DKIM in M365; add a DMARC record at p=quarantine (start at p=none if monitoring first). Review reports weekly and move to p=reject.

7. 📣 User reporting + training

   • Deploy “Report Phishing” add‑in; enable Microsoft Attack Simulation monthly; 5‑minute micro‑training with two real examples from your org.

How To (Microsoft 365)

• 🔒 MFA & Conditional Access

  • Entra ID → Protection → Conditional Access: Policy 1 – All users: require MFA; Policy 2 – Admin roles: require compliant device; Policy 3 – Block legacy auth; Policy 4 – Location: block countries not used.

• ⛔ Disable legacy protocols

  • Exchange Admin Center → Settings → Authentication: Disable IMAP, POP, SMTP AUTH for users by default; enable only per‑user if required.

• 🧪 Safe Links

  • Defender → Policies → Safe Links: On for email and Office apps; URL click protection; tame rewrites for internal domains if needed.

• 📎🛡️ Safe Attachments

  • Defender → Policies → Safe Attachments: Dynamic Delivery; Enable “block” action; Monitor verdicts for false positives.

• 📤🚫 External forwarding

  • Exchange → Mail flow → Rules: “Block auto‑forward outside the organization” with exceptions for specific mailboxes/services.

• 🧾 SPF/DKIM/DMARC

  • M365 Defender → Email & collaboration → DKIM: Enable for primary and custom domains.

  • DNS examples:

    • SPF: v=spf1 include:spf.protection.outlook.com include:{{other-senders}} -all

    • DKIM: Two CNAMEs per domain as provided by M365.

    • DMARC (start): _dmarc TXT "v=DMARC1; p=none; rua=mailto:dmarc@{{domain}}; fo=1" → move to p=quarantine then p=reject as alignment improves.

• 🔔 Reporting/Alerts

  • Defender → Incidents & alerts; Entra ID → Risky sign‑ins; subscribe to weekly digest.

Copy/Paste for Your Team (Internal Comms)

AI Prompts To Try (Self‑Service)

• “Analyze these email headers and tell me if SPF, DKIM, and DMARC aligned and what that means: {{paste headers}}.”

• “Draft a plain‑English note to staff explaining why we’ve blocked external auto‑forwarding and how to report suspicious emails.”

• “Summarize the last 30 days of Defender alerts and suggest which 3 policies to tighten first.”

Compliance Mapping

• NIST CSF: PR.AC‑1/7 (authN/MFA), PR.DS‑1 (data at rest), DE.CM‑7 (monitor for unauthorized activity), RS.AN‑1 (notifications).

• CIS v8 (IG1/IG2): 4.1/4.2 (Secure email), 5.2 (MFA), 6.7 (Block legacy auth), 9.1 (Email web browser protections), 12.3 (Network monitoring & alerts).

FAQ

Q: Will Safe Links break our tools?
A: Most modern apps work fine. Add exceptions for known internal domains if you see issues.
Q: Why block external forwarding?
A: It’s a common data‑exfiltration path. Use approved shared mailboxes or integrations instead.
Q: Do we need DMARC at reject?
A: Aim for quarantine quickly; move to reject once reports show legitimate senders are aligned.

Next Steps

• 🧰 DIY: Use the checklist above and review DMARC reports weekly for a month.

• 🤝 Get help: Athencia can implement the tune‑up and monitor the first 30 days, then hand it back with a 1‑page runbook.

• 📅 Book time: Schedule a 30‑minute working session at https://athencia.com/contact

Secure. Smart. Scalable. 🔐🧠📈
A practical newsletter for leaders who want modern IT that drives the business, not the other way around.

Who we are ☁️

Athencia is a cloud-first managed IT & cybersecurity partner for growth-minded SMBs. We secure devices and data, modernize your stack, and, crucially, teach your team to self-solve everyday issues with Copilot or ChatGPT so you don’t live in the help desk queue.

What we’re doing here 🎯

We’re your shortcut to a secure, productive, compliance-ready business, without drowning in acronyms. Expect opinionated guidance, battle-tested checklists, and templates you can actually use.

What to expect 📬

Cadence: 2×/month (plus occasional deep dives) ⏱️
Format: 5-minute reads with links to how-tos and downloadable templates 📝

Recurring sections:

• Quick Wins ⚡ One change you can make this week (step-by-step).

• Secure by Default 🛡️ Practical baselines (M365, Intune, Defender, Entra).

• Copilot in the Real World 🤖 Prompts, policies, and governance that stick.

• Compliance, Simplified 📜 What matters for HIPAA/GLBA/SEC-style controls, minus the legalese.

• Tooling That Pays for Itself 💸 When to adopt, how to roll out, and how to measure ROI.

• Playbooks 📓 BYOD, offboarding, phishing response, tabletop lite, and more.

Who this is for 🧑‍💼

Owners, ops leads, and firm admins who want:

• Security as a habit, not a project ✅

• Empowered employees who handle routine fixes and use AI safely 🙌

• Clarity and control over costs, licenses, and risk 🎛️

• A partner that supports hybrid where required, while helping you embrace the cloud 🚀

Our point of view 🔭

• Cloud-first wins for resilience, simplicity, and scale.

• Security is the product. Configuration beats shiny tools 10/10.

• People > tickets. Train your team; shrink the help desk.

• AI is a force multiplier with governance and data boundaries from day one.

What we deliver 📦

• Athencia Secure – Core hardening with M365 Business Premium, Intune, Defender, Entra Conditional Access, email/security baselines.

• Athencia Manage – Proactive endpoint & tenant management with senior-engineer support when you actually need it.

• Athencia Comply – Practical compliance support and evidence workflows for audits.

• Athencia Empower – Copilot/AI training, governance, and monthly coaching.

• Athencia One – A bundled path to “secure, smart, scalable” without menu roulette.

Coming up next 🔜

• Issue #1: Email Security Tune-Up (SPF/DKIM/DMARC + MTA-STS/TLS-RPT) 🔐

• Issue #2: Compliance for SMBs: map HIPAA/GLBA/SEC to your M365 baseline + SRM 🧭

• Issue #3: BYOD Without Being Creepy: privacy-respecting protection for personal devices 📱

One small ask 🙏

Hit reply and tell us your top IT headache or the one process you wish AI could automate. We’ll prioritize the most common themes in upcoming issues.

—
P.S. Our AI & data use promise 🔏 We don’t sell subscriber data, and we don’t feed your content into public AI models. When we use AI, we do it with governance in mind and tools that respect organizational boundaries. Want the longer policy? Say “send the full AI & data notice” and we’ll include it in the next issue.