All posts by [email protected]

What Independence Really Means for Your Small Business’s IT

Every July 4th, we celebrate a declaration that one group of people wouldn’t answer to a power that didn’t have their best interests at heart. It’s worth borrowing that idea for a minute and pointing it at your business.

If you run an accounting firm, a bookkeeping practice, or any small business here in the Hill Country, ask yourself: how independent is your business, really, when it comes to technology?

Dependent on luck. If your only cybersecurity plan is “we haven’t been hit yet,” you’re not independent — you’re just unlucky-free, for now. Ransomware doesn’t check your revenue before it locks your files.

Dependent on one person. If there’s a single employee who knows where everything is, how the network is set up, and what the passwords are, your business isn’t independent — it’s hostage to that person staying employed, healthy, and around.

Dependent on hope. If you’re an accounting or bookkeeping firm handling client SSNs, bank account numbers, and tax records without a written information security program, you’re hoping the FTC Safeguards Rule never comes looking, and hoping a breach never comes looking either.

Real independence for a small business looks different. It looks like:

Monitored endpoints, so something odd gets caught at 2am instead of discovered at 9am with a ransom note on the screen.
Documented, boring IT, so the business doesn’t grind to a halt if one person is out sick or takes a new job.
A written compliance program, so an audit or a regulator’s letter is a formality instead of a fire drill.
A partner, not a hero, watching the systems so you can get back to serving your clients instead of babysitting a server.

This Fourth of July, as you’re grilling and watching fireworks, take five minutes to think about whether your business is actually independent — or just dependent on nothing going wrong yet.

If you want a second set of eyes on where the gaps are, that’s a conversation worth having before the fireworks, not after a breach.

The HIPAA Security Rule Just Got a Major Overhaul — And the Deadline Already Passed

If you run a medical office, dental practice, mental health clinic, or any business that touches a patient’s data, you’ve probably heard the buzz about HIPAA changes rolling out in 2026. Here’s the maybe-not-surprising truth: the federal government proposed the biggest update to HIPAA’s Security Rule since 2003 — and then missed its own deadline to finalize it.

What’s Being Proposed — And Why It’s a Big Deal

The Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) in late 2024 that would fundamentally change what “HIPAA compliant” means for your IT systems. The proposed changes include:

  • Mandatory encryption of all electronic protected health information (ePHI) at rest and in transit — no more treating this as optional
  • Multi-factor authentication (MFA) required for every system that accesses ePHI
  • 72-hour incident reporting to HHS when a breach occurs
  • Annual penetration testing of your systems
  • Vulnerability scanning every six months
  • Enhanced documentation and business associate oversight requirements

This would be the first major update to HIPAA’s security requirements since the original rule was written — before cloud computing, before ransomware-as-a-business-model, before telehealth became mainstream.

So Why Hasn’t the Final Rule Been Published?

The rule was targeted for finalization in spring 2026. That window came and went — no announcement, no final rule, no confirmed timeline for when one will be issued.

Here’s why that’s dangerous if you assume it means you’re safe to wait:

The Office for Civil Rights (OCR) — the agency that enforces HIPAA — has been handing out fines and settlements for years for exactly these issues: inadequate encryption, missing MFA, and failed risk assessments. The proposed rule isn’t introducing new ideas. It’s formalizing what OCR is already enforcing right now through penalties.

Being late doesn’t mean enforcement is late.

What’s Already in Effect Right Now

Not all of the changes to the HIPAA rules are still pending — they’re already law:

  • Notices of Privacy Practices (NPPs) were required to be updated by February 16, 2026
  • Part 2 regulations (covering substance use disorder records) were aligned with HIPAA as of the same date
  • Enforcement trends continue to tighten around security risk analysis failures

If your practice hasn’t updated its NPP or conducted a formal security risk analysis recently, you may already be out of compliance — today, not in some future deadline.

5 Questions Every Healthcare Business Should Ask Right Now

Whether you’re a covered entity (healthcare provider, health plan) or a business associate (accountant, IT provider, billing company) that handles PHI, here’s what you should be asking:

  • Is all ePHI encrypted—both at rest and in transit?
  • Is MFA enabled on every system that can access patient data?
  • When did you last conduct a formal security risk assessment?
  • Do you have documented incident response procedures?
  • Are your business associate agreements (BAAs) up to date?

These aren’t hypothetical future requirements. They’re what OCR looks for when something goes wrong.

How LAN Services FBG Can Help

At LAN Services FBG, we help small businesses in the Texas Hill Country get — and stay — compliant with HIPAA and related security frameworks. Our managed IT services include:

  • Endpoint encryption and monitoring
  • MFA deployment and management across all your systems
  • Security risk assessments aligned with HIPAA requirements
  • Documented incident response planning
  • Business associate agreement (BAA) review support

The final rule will come. Don’t let it catch you off guard.

Contact us today for a free, no-obligation HIPAA readiness conversation.
lanservicesfbg.com/contact

What Accounting Firms Can Learn from Carnival’s Cyber Incident

Understanding the Carnival Cruise Cyber Incident

In a world where digital safety is paramount, the Carnival Cruise cyber incident serves as a cautionary tale for businesses across all sectors, including accounting firms. This incident, which shook one of the largest cruise lines, underscores the vulnerabilities that even major corporations face in the realm of cybersecurity. In essence, Carnival Corporation fell victim to a sophisticated cyberattack that compromised sensitive information of both passengers and employees, leading to financial and reputational repercussions.

For accounting firms, the lessons from this incident are both profound and urgent. Cyber threats are no longer just a possibility; they are a reality that can disrupt operations and erode trust. The Carnival incident highlights the importance of having robust security measures in place, such as employing advanced encryption techniques, regularly updating security protocols, and conducting comprehensive cybersecurity training for all employees. Additionally, accountability and transparency in managing client data must be prioritized to prevent breaches that could expose sensitive financial information.

Furthermore, the incident emphasizes the critical need for a proactive approach to cybersecurity. This includes not only reacting to threats as they arise but also anticipating potential vulnerabilities and fortifying defenses accordingly. Accounting firms must recognize that safeguarding data is an ongoing commitment, one that requires constant vigilance and adaptation to evolving cyber threats.

By learning from the challenges faced by Carnival, accounting firms can better protect their clients and uphold their reputation as trusted financial advisors. In doing so, they not only defend against cyber threats but also bolster client confidence, ultimately supporting their business goals and fostering long-term growth.

Key Lessons for Accounting Firms from the Incident

In the wake of Carnival Corporation’s cyber incident, accounting firms can glean several crucial lessons to bolster their cybersecurity frameworks. The incident serves as a stark reminder of the potential vulnerabilities prevalent in today’s digital landscape. For accounting firms, which handle sensitive financial data, a proactive approach to cybersecurity is imperative.

1. Importance of Data Protection

One of the key takeaways is the paramount importance of data protection. Accounting firms must prioritize safeguarding client information through robust encryption methods and regular audits of their data protection protocols. Implementing multi-factor authentication and ensuring data backups are mandatory steps to prevent unauthorized access and data breaches.

2. Employee Training and Awareness

Another lesson is the critical role of employee training in cybersecurity. The human element often becomes the weakest link in security chains. Regular training sessions can equip staff with the necessary skills to identify phishing attempts and other cyber threats, thus reducing the risk of breaches.

3. Incident Response Planning

An effective incident response plan is crucial. Accounting firms should develop comprehensive response strategies that include identifying potential threats, mitigating damage, and communicating with stakeholders. Regularly testing these plans through simulations ensures preparedness in the event of an actual breach.

By learning from Carnival’s experience, accounting firms can enhance their cybersecurity measures, thereby protecting client data and maintaining trust. For more insights on improving your firm’s cybersecurity posture, explore our guidelines on best practices in data protection.

Analyzing the Importance of Cybersecurity for Small Businesses

In today’s digital age, cybersecurity is no longer just a concern for large corporations; it is equally crucial for small businesses. Recent incidents, such as the cyberattack on Carnival, highlight the vulnerabilities that all enterprises face, regardless of size. Small businesses, often with limited resources, must prioritize cybersecurity to protect sensitive data, maintain customer trust, and ensure business continuity. This section elucidates why cybersecurity should be a cornerstone of every small business strategy.

The Growing Threat Landscape

Cyber threats are evolving quickly, with attackers constantly developing new techniques to infiltrate systems. Small businesses are particularly at risk because they tend to have weaker defenses compared to larger entities. Cybercriminals often perceive small businesses as easy targets, assuming they lack the robust security measures that larger firms implement. Thus, it is imperative for small businesses to stay informed about potential threats and invest in protective measures.

Impact of Cyber Attacks

When a cyberattack occurs, the consequences can be devastating. Data breaches can lead to the loss of sensitive customer information, which can erode trust and damage a company’s reputation. Furthermore, the financial implications can be severe, with potential fines, legal fees, and the cost of repairing systems. For small businesses, which may operate on tighter margins, these impacts can be particularly challenging to overcome.

Implementing Effective Cybersecurity Measures

To mitigate these risks, small businesses should implement a comprehensive cybersecurity plan. This includes using strong passwords, regularly updating software, and training employees on security best practices. Moreover, utilizing professional services, such as those offered by companies like LAN Services FBG, can provide specialized support in computer security and consultancy, ensuring that businesses are equipped to handle potential cyber threats.

Investing in cybersecurity is not just about protecting data; it’s about safeguarding the future of your business. As technology continues to advance, so too must the defenses that protect your operations. By prioritizing cybersecurity, small businesses can not only protect themselves from potential threats but also build a foundation of trust and reliability among their customers.

Ready to enhance your business’s cybersecurity posture? Consider reaching out to professional services for a tailored consultation and secure your business’s digital future.

Effective Data Breach Prevention Strategies

In the wake of Carnival Corporation’s recent cyber incident, it’s imperative for accounting firms to reevaluate their data breach prevention strategies. As trusted custodians of sensitive financial information, accounting firms must prioritize robust cybersecurity measures to safeguard client data and maintain their reputation.

Firstly, implementing a comprehensive risk assessment is essential. By identifying potential vulnerabilities in their IT infrastructure, firms can proactively address weaknesses before they are exploited. Regular audits and vulnerability assessments are crucial in keeping security measures up-to-date.

Secondly, investing in advanced technological solutions is critical. Utilizing encryption, multi-factor authentication, and secure cloud storage can significantly enhance data protection. These technologies ensure that even if data is intercepted, it remains unreadable and secure.

Moreover, fostering a culture of cybersecurity awareness within the organization is vital. Employees should be regularly trained on the latest cybersecurity threats and best practices. This includes recognizing phishing attempts, using strong passwords, and understanding the importance of data protection.

  • Implement regular risk assessments and security audits.
  • Utilize advanced security technologies like encryption and multi-factor authentication.
  • Conduct ongoing employee training to enhance cybersecurity awareness.

By adopting these strategies, accounting firms can not only safeguard their own operations but also instill confidence in their clients. As the digital landscape evolves, proactive cybersecurity measures will be a cornerstone in maintaining trust and ensuring business continuity.

Want to learn more about enhancing your cybersecurity strategy? Explore our comprehensive guides on data protection and risk management. Have questions? Feel free to contact us for personalized advice.

Integrating Cybersecurity in Accounting Practices

In today’s interconnected digital landscape, the importance of cybersecurity within accounting practices cannot be overstated. The recent cyber incident at Carnival serves as a poignant reminder of the vulnerabilities even large enterprises face and the critical need for robust security measures. Accounting firms, custodians of sensitive financial information, are no exception. Integrating cybersecurity into their operations is not just a strategic advantage but a necessity to safeguard client data and maintain trust.

Understanding the Threat Landscape

Accounting firms are often targets for cybercriminals due to the sensitive nature of the data they handle, including financial records, personal information, and business secrets. Therefore, understanding potential threats, such as phishing attacks, ransomware, and data breaches, is crucial. By staying informed about the latest cybersecurity threats, firms can proactively protect themselves and their clients.

Implementing Robust Security Measures

  • Regular Security Audits: Conducting frequent audits helps identify vulnerabilities in systems and processes. These audits should be comprehensive, covering all aspects of data handling and storage.
  • Employee Training: Equip employees with the necessary knowledge to recognize and respond to cyber threats. Regular training sessions can significantly reduce the risk of a successful attack.
  • Advanced Encryption: Employing state-of-the-art encryption technologies ensures that data, both at rest and in transit, is secure from unauthorized access.

Building a Cybersecurity Culture

Creating a culture where cybersecurity is prioritized can transform how firms operate. This involves fostering an environment where employees at all levels understand their role in maintaining security. Encouraging open communication about potential security issues and implementing feedback mechanisms can further enhance this culture.

By integrating cybersecurity into their practices, accounting firms not only protect themselves from potential threats but also demonstrate a commitment to their clients’ privacy and safety. This proactive approach can enhance a firm’s reputation, leading to increased trust and business growth.

Want to learn more about safeguarding your firm’s data? Explore our comprehensive cybersecurity guide or contact our experts for a personalized consultation.

ChatGPT on Client Data

Your Employee Just Used ChatGPT on Client Data. Now What?

Introduction

Earlier this spring, a single employee at Vercel — a well-known tech company — signed up for a third-party AI productivity tool using their work credentials. They clicked ‘Allow All’ on the permissions screen without reading what they were authorizing. Two months later, the AI vendor was compromised, and attackers used that OAuth token to access Vercel’s Google Workspace. Customer data was stolen. The incident triggered a public breach disclosure and is now part of a pattern that regulators and boards are watching very closely.

This wasn’t a sophisticated nation-state attack. It was an employee taking a shortcut.

For small businesses — especially accounting firms, bookkeepers, and financial services companies — this kind of story should hit close to home.

The SEC Is Paying Attention — And So Are Regulators That Affect You

Forbes contributor and Villanova professor Noah Barsky recently highlighted a growing trend: companies are now being required to disclose in SEC filings when employees’ use of AI tools creates a material cybersecurity risk. For public companies, that means a bad AI decision by one employee can show up in a regulatory filing.

But here’s the part that matters for small businesses: you don’t have to be a public company for this to affect you. The FTC Safeguards Rule already requires financial services firms — including accounting practices and tax preparers — to implement a written information security plan. The SEC’s 2026 Examination Priorities explicitly call out AI monitoring and policies. And state regulators are watching too.

If your team is using AI tools — and they are — and you don’t have a policy governing how, you have a gap. A gap that could cost you a client, a regulatory fine, or worse.

What’s Actually Happening Out There

“Vercel was compromised through a third-party AI tool with broad OAuth permissions — with a two-month dwell time before discovery.”
— PKWARE 2026 Data Breaches Report

Here’s the pattern we’re seeing in 2026:
• Employees sign up for free or consumer-grade AI tools using their work email or work accounts.
• They grant broad permissions — because the app asks and it’s faster to click ‘Allow All.’
• Client data (financial records, tax documents, emails) gets pasted into the AI tool for ‘help.’
• The AI vendor gets compromised. The attacker now has your credentials, your clients’ data, or both.
• You find out two months later. Or your client does.

For accounting and bookkeeping firms, this isn’t theoretical. Your staff has access to SSNs, bank statements, tax returns, and financial records. Any one of those pasted into an unsanctioned AI chatbot is a potential Safeguards Rule violation — before anything even goes wrong.

What ‘Having an AI Policy’ Actually Means

  • A lot of businesses think they’re covered because they told employees, ‘don’t use AI for client stuff.’ That’s not a policy. Here’s what a real AI acceptable use policy covers:
  • A list of approved AI tools (and the explicit message that everything else is not approved)
  • Prohibited data categories — what can never be entered into an AI tool
  • How to request approval for a new AI tool
  • What happens if someone violates the policy
  • How the company monitors for unauthorized AI tool usage

Think of it like your Acceptable Use Policy for the internet — except this one also needs to address what the AI vendor does with your data, who owns the output, and whether the tool is compliant with your client confidentiality obligations.

The Real Risk for Accounting Firms Specifically

  • Under the FTC Safeguards Rule, you are required to:
  • Identify and assess risks to customer information
  • Implement safeguards to control those risks
  • Train staff on your security program
  • Monitor and test the effectiveness of your controls

An employee who pastes a client’s Schedule C into ChatGPT to ‘write a summary’ has introduced a risk you haven’t assessed, with a tool you haven’t approved, using data your safeguards weren’t designed to protect. That’s three Safeguards Rule gaps from one click.

What You Should Do Right Now

You don’t have to ban AI. In fact, you shouldn’t — it’s already a competitive tool and your staff is using it regardless. What you need to do is get in front of it.

Three immediate steps:
• Audit what AI tools your team is already using. (Hint: more than you think.)
• Draft or update your AI Acceptable Use Policy — before regulators ask for it.
• Have a conversation with your IT partner about approved AI tools that keep client data inside your controlled environment.

At LAN Services FBG, we help accounting and financial services firms in the Texas Hill Country build the kind of security foundation that regulators expect — and that clients deserve. If you’re not sure where you stand, our free IT Risk and Compliance Audit is a good place to start.

Because when an employee takes an AI shortcut with client data, it’s your name on the disclosure — not theirs.

cyber insurance denied

Your Cyber Insurance Won’t Pay Out — And You Probably Don’t Know It Yet

You bought cyber insurance for your business. You sleep a little easier at night knowing that if ransomware hits or a data breach happens, your business is covered. That’s the idea, anyway.

But there’s a growing and quietly devastating problem hitting small businesses across every industry — including accounting firms, lenders, and other professional services: cyber insurance claims are being denied at an alarming rate. Not because the attack didn’t happen. Because the business couldn’t prove it had the security controls it either claimed to have on its application or that the policy required in the fine print.

The Gap Between “Yes” and “Proven”

When you apply for cyber insurance, you answer a questionnaire. Do you use multi-factor authentication? Do you have endpoint protection? Do you back up your data regularly? Most small business owners answer “yes” — and many genuinely believe they’re covered.

But here’s the hard truth: insurance companies don’t just take your word for it when it comes to them paying expenses at claim time. They are going to initiate there own investigate. Part of that investigation is that they want documentation. They want logs. They want proof that the control was active, enforced, and working on the day the incident occurred.

If you said you had MFA but it wasn’t enabled on every account that should have had it — denied. If you said you had endpoint protection but one laptop wasn’t covered — potentially denied. If your backups weren’t tested and verified — you may find out they’re not as solid as you thought, and your claim reflects that.

This Is Not a Small Problem

Cyber insurers paid out billions in claims over the past several years and they’ve responded by tightening underwriting requirements dramatically. The Hanover, Coalition, Chubb, and others have all increased their scrutiny of what controls are actually in place — not just checked on an application.

By the Numbers

Ransomware remains the #1 driver of cyber insurance claims
Claim denial rates have risen significantly as insurers add policy exclusions
Many denials cite “misrepresentation” on the application — even unintentional
Email compromise and wire fraud are leading causes of financial loss claims for professional firms

For accounting and bookkeeping firms specifically, the stakes are even higher. You handle sensitive financial data, tax records, and client banking information. A breach in your environment doesn’t just hurt you — it creates liability to every client whose data was exposed. And if your insurance won’t pay, that liability lands directly on you.

What a Denial Actually Looks Like

Here’s a real-world scenario playing out in small businesses right now: A firm gets hit with ransomware. They file a claim. The insurer sends an investigator. The investigator finds that:

  • MFA was enabled on Microsoft 365 but not enforced on a shared admin account
  • Endpoint detection was purchased but not deployed on two remote employee machines
  • Backups existed, but the last successful test restore was 14 months ago
  • The insurance application said “yes” to all three of those questions

Claim denied. The firm is now looking at hundreds of thousands of dollars in recovery costs, client notification expenses, and potential lawsuits — with no insurance safety net.

What You Can Do Right Now

The good news: this is entirely preventable. The controls your policy requires are not unreasonable. The problem is that most small businesses have never had someone sit down with them to compare what their policy actually requires against what they can actually document.

That’s exactly what we do at LAN Services FBG. We offer a free Cyber Insurance Alignment Review for local businesses — no pressure, no sales pitch. We walk through your policy’s requirements alongside the current state of your IT environment and help you identify any gaps before they lead to a denied claim.

What We Review In Your Free Assessment

Multi-factor authentication coverage across all accounts and platforms
Endpoint protection deployment and active monitoring status
Backup configuration, testing history, and recovery readiness
Email security (DMARC, anti-phishing) — critical for wire fraud and BEC claims
User access controls and privileged account management
Documentation you can provide to an insurer if a claim is filed

We’re not insurance agents. We’re not here to sell you a new policy. We’re IT and cybersecurity professionals based right here in the Texas Hill Country who understand what insurers are actually looking for — and how to make sure your business can prove it’s doing what it says it’s doing.
Because when an incident happens, “We thought we had it covered” is not a defense that pays your bills.

Ready to find out where you stand? Reach out to LAN Services FBG for your free Cyber Insurance Alignment Review. It’s one conversation that could save your business.

Contact: lanservicesfbg.com · Serving Fredericksburg & the Texas Hill Country

Email is not a backup

Your Email Inbox Is Not a Backup — And I Have the Receipt to Prove It

I’ll be honest — I almost lost a refund this week.


I had canceled an order online, received a confirmation email, and thought nothing of it. Standard stuff. But when I went back to find that email to follow up on the refund status, it was gone. No trace of it in my inbox, my trash, or anywhere else.


Here’s where it gets interesting: because I practice what I preach, I was able to restore that email from my backup. Armed with the original confirmation showing the date, time, and cancellation details, I reached out to the company — even though I was technically outside their refund window. The email proved my case, and it looks like I’m going to get my money back.


That’s a minor inconvenience for me personally. For a business? That same scenario could mean a lost contract, a compliance violation, or a client dispute with no paper trail to defend yourself.


Gmail and Microsoft 365 Are Not Backup Solutions


This is one of the most common misconceptions I run into when working with small businesses. People assume that because their email lives “in the cloud,” it’s safe and always accessible. But cloud storage and cloud backup are two completely different things.


Gmail, Outlook, and Microsoft 365 are designed to deliver and organize email — not to protect it long-term or restore it when something goes wrong.

Here’s what can actually happen to your email without a proper backup in place:

  • Accidental deletion — You or an employee deletes a thread, thinking it’s junk. It’s gone.
  • Account compromise — A bad actor gets into the account and wipes the inbox. Microsoft and Google won’t always be able to restore it.
  • Sync errors — A misconfigured device or app deletes emails at the server level.
  • Retention policy limits — Microsoft 365’s default deleted item retention is 30 days. After that, it’s gone permanently unless you’ve configured additional protections.
  • Departing employees — When you remove a user account, you may lose all of their email history if you haven’t archived it first.


Why This Matters Even More for Accounting and Bookkeeping Firms


If you’re in a regulated industry — and accounting firms absolutely are — email is often a legal and compliance record. The FTC Safeguards Rule, IRS recordkeeping requirements, and client engagement agreements all carry expectations around data retention and availability.

Losing a client email thread isn’t just an inconvenience. It could be:

  • A malpractice exposure if a dispute arises
  • A compliance gap during an audit
  • A lost defense if a client claims you never communicated something

Email backup and archiving isn’t just an IT best practice for your industry. It’s a risk management strategy.


What Proper Email Backup Actually Looks Like


A real email backup solution does several things your inbox doesn’t:

  • Captures email automatically — Every message sent and received is archived in real time, separate from your email provider.
  • Maintains long-term retention — Configurable to keep records for years, not 30 days.
  • Enables fast restoration — Search and restore individual emails, threads, or entire mailboxes in minutes.
  • Survives account-level events — Even if your Microsoft or Google account is compromised or deleted, your archive stays intact.
  • Supports compliance — Many solutions include audit trails and legal hold features.


The Bottom Line


I got lucky this week — I had the right tools in place before I needed them. That’s exactly how it should work.


If your business relies on email as a communication and documentation tool (and whose doesn’t?), your email provider’s built-in storage is not enough. A missing confirmation email is a minor headache. A missing client agreement, a lost vendor record, or a compromised inbox with no recovery path is a business problem.


If you’re not sure whether your email is actually protected, that’s worth a conversation. I offer a free IT assessment for small businesses in the Texas Hill Country — it takes less than an hour and gives you a clear picture of where your risks are.


You can schedule a free risk analysis here: https://meetings-na2.hubspot.com/bryan-pritchett/free-it-risk-analysis