For tax practices, healthcare offices, and other small professional firms, this is a reminder to treat endpoint management, RMM, EDR, and security consoles as Tier-0 assets. Confirm patch status, review admin access, monitor policy and script changes, enforce MFA, and keep these systems out of direct internet exposure whenever possible.

This week’s HarrisFCS cyber brief highlights three practical reminders for small professional firms: use CISA’s Known Exploited Vulnerabilities catalog to prioritize patching, train staff to avoid ClickFix-style fake verification prompts, and keep IRS Publication 4557 WISP documentation connected to real controls like endpoint protection, patch management, and staff training. HarrisFCS helps small tax, healthcare, and professional firms turn daily cyber risk into practical safeguards.

I see a lot of small and mid-sized businesses running basic antivirus or whatever came with their internet package and calling it good.

Reports coming out this year (VikingCloud, World Economic Forum, multiple industry trackers) all say the same thing: for the first time, cybersecurity concerns have surpassed economic worries as the top threat to small and mid-sized businesses. Why? Attackers are using AI to supercharge phishing (think realistic deepfake voice calls and emails), Ransomware-as-a-Service is cheaper and easier than ever, and Business Email Compromise is still printing money for criminals. The brutal stat: 40% of SMBs say a single attack costing <$100k would shut them down.