Beyond the Wi-Fi Password: Setting Up a Secure Guest Network for Your Office Clients

Article summary: Handing visitors the same Wi-Fi password your team uses puts every device on your network within reach of anyone sitting in your lobby. A secure guest network keeps visitors online without giving them a path to your servers, printers, or point-of-sale systems. Setting it up correctly takes a short list of settings, not a network overhaul.

A client asks for the Wi-Fi password while waiting in your lobby. A few seconds later, their personal phone is connected to the same network your employees use to access accounting software, shared files, and other business systems.

Most small businesses allow this without a second thought. After all, offering Wi-Fi to clients, vendors, and visitors feels routine.

The problem is not the Wi-Fi password. It is allowing guest devices onto the same network as the systems your business depends on.

Why One Shared Password Isn’t Security

A single Wi-Fi network with one password feels simple. It’s also what’s known as a flat network, meaning every device on it can potentially see every other device.

A visitor’s phone, a vendor’s laptop, and the workstation containing your customer database may all be connected to the same network, with no meaningful barriers between them.

Most guest devices are perfectly harmless. That’s not really what matters here.

An infected phone, an outdated laptop, or a compromised tablet can introduce risk when it connects to the same network as sensitive business systems. Once connected, malware may scan the network for other devices it can access or exploit.

Federal guidance is direct on this point: guest Wi-Fi should be separate from and not connected to your business network.

The FTC’s small business cybersecurity guidance states this plainly as a baseline recommendation, not an advanced or optional step. The agency also recommends verifying that any device meets your security requirements before allowing it to connect to your business network.

What a Secure Guest Network Actually Requires

A secure guest network isn’t just a second Wi-Fi name on your router. It creates a separate path for visitor traffic, keeping guest devices isolated from your business systems, data, and internal network resources.

Give guests their own network, not just a login screen

Most business routers can broadcast a separate guest network alongside the primary one.

The mistake is assuming a different network name and password provide real security. If guest traffic isn't truly isolated from your business network, the risk remains.

Segment it so guest traffic can’t reach your systems

This is the part that actually provides the protection.

Your guest network should sit on its own VLAN (virtual local area network), a way of logically dividing one physical network into separate sections, with firewall rules that block guest devices from reaching your servers, shared drives, or point-of-sale system entirely.

Guests should be able to reach the internet. Nothing else.

Cisco’s guidance on guest Wi-Fi security recommends this kind of segmentation specifically so that a compromised guest device can’t be used to access internal resources.

Use real encryption, not an open network

An open network with no password at all is a liability, even for guests. Every guest network should run WPA2 or WPA3, the current encryption standards that protect what’s being transmitted.

Change the guest password on a reasonable schedule, especially if it gets shared widely or is posted somewhere visible.

Turn on client isolation

Client isolation stops devices on the guest network from seeing or talking to each other, not just to your main network.

Without it, one guest’s infected laptop could reach another guest’s phone sitting two tables over. With it, every device is boxed off on its own. That’s the same walled-off principle behind treating every device on your network as untrusted until it proves otherwise.

Setting It Up Without an IT Overhaul

None of this requires replacing your hardware in most cases.

NIST’s guidelines for securing wireless local area networks note that WLAN security depends on how well every component, from access points to client devices, is configured throughout its life, not just at setup. A checklist you revisit occasionally matters as much as the initial configuration.

A workable rollout looks like this:

1.    Confirm your router or access points support multiple SSIDs with VLAN tagging. Most business-grade equipment from the last several years does.

2.    Create the guest SSID and assign it to its own VLAN, separate from your business VLAN.

3.    Configure firewall rules that explicitly block guest VLAN traffic from reaching internal IP ranges.

4.    Enable client isolation on the guest network.

5.    Set WPA2 or WPA3 encryption with a password that isn’t reused anywhere else.

6.    Test it. Connect a phone to the guest network and try to reach a printer or shared folder. If it works, the segmentation isn’t actually in place.

If your network handles card payments, guest Wi-Fi separation can affect the scope of your PCI compliance obligations. Without effective segmentation, the guest network may be considered part of the cardholder data environment and subject to additional requirements.

The Habits That Keep It Secure

A secure guest network is not a one-time setup. A few ongoing habits help keep it secure.

Change the guest password periodically, especially after a large event, an extended vendor engagement, or when someone no longer needs access. A password that has remained unchanged for years may be known far beyond its intended users.

Keep your router and wireless access points updated. Firmware updates often address security vulnerabilities and should be part of routine network maintenance.

Finally, control how the guest password is shared. Provide it only to visitors who need access and avoid posting it publicly or leaving it displayed indefinitely.

Ready to Separate Your Guest Wi-Fi the Right Way?

A secure guest network gives visitors convenient internet access without exposing the systems your business relies on. But meaningful separation requires more than a second Wi-Fi name. It requires proper segmentation, current security settings, and ongoing maintenance.


If you are not sure whether your guest Wi-Fi is truly isolated from your business network, now is a good time to find out. BrainStomp can review your network configuration, identify potential gaps, and help ensure guest access stays separate from your critical business systems.

Reach out at brainstomp.com/contact or call 260-918-3548 to get started. 

Article FAQs

What makes a guest Wi-Fi network actually secure?

Real segmentation. The guest network needs its own VLAN with firewall rules that block traffic to internal systems, current WPA2 or WPA3 encryption, and client isolation so guest devices can’t reach each other.

Do I need new equipment to set up a secure guest network?

Usually not. Most business-grade routers and access points sold in the last several years support multiple SSIDs and VLAN tagging out of the box. The gap is almost always in configuration, not hardware.

Is a separate Wi-Fi name enough to protect my business network?

No. A second network name with the same underlying access is not segmentation. Unless firewall rules explicitly block guest traffic from reaching internal systems, both networks are effectively one.


The Hidden Costs of Buying a New Printer

Article summary: Modern consumer printers come bundled with subscription services, mandatory account registrations, internet requirements, and firmware that blocks cheaper ink. Understanding the hidden costs of buying a new printer before you commit changes the calculation significantly.

The printer costs less than a night out for dinner. It seems like an easy purchase.

Then the ink runs out.

The first trip to buy replacement cartridges is often when people realize the “bargain printer” wasn't much of a bargain after all.

That's by design.

For decades, printer manufacturers have relied on a business model that keeps hardware prices low and makes up the difference through ongoing ink and toner sales.

Today's printers have taken that approach even further. Many require online accounts, internet connectivity, subscription services, or manufacturer-approved cartridges. Some even use firmware updates to restrict the use of lower-cost third-party ink.

None of it appears on the box. And making informed decisions about the hardware and software you bring into your business starts with knowing what you’re actually committing to.

The Business Model Behind the Bargain Price

Printer manufacturers sell hardware at thin margins or below cost, then recoup through ink. It’s an intentional structure. The printer exists to give you a reason to buy cartridges.

JD Young estimates that an $80 bestselling consumer inkjet printing 1,000 pages per month would cost approximately $16,280 over five years when ink and hardware costs are combined.

Ironically, the cheaper printer turned out to be the more expensive option. The analysis found it could cost nearly $5,900 more to operate over five years than a higher-priced model designed to deliver more pages per cartridge.

The hardware price is often the least relevant number in the comparison.

Third-party cartridges can cut ink costs by 50% or more compared to manufacturer originals. 

That savings opportunity is precisely why manufacturers work hard to block access to them.

Subscription Plans and What They Actually Commit You To

HP is the most prominent example of printer subscription entanglement. 

The company offers two main programs: 

  1. The HP Instant Ink which covers ink only.

  2. The HP All-In Plan which bundles a printer and ink together.

What you sign up for

According to reporting by Tom’s Hardware, the HP All-In Plan costs between $8 and $36 per month based on the printer model and monthly page allowance. It requires a 24-month commitment and includes cancellation fees if you exit early. 

Print more than your monthly page allowance and additional charges apply. Although HP advertises a 30-day trial, customers must provide a payment method when enrolling and return the printer within 10 days of cancellation to avoid fees.

Opting into HP+ is marketed as a free upgrade. The actual conditions require an HP account, an active internet connection, and use of HP Original Ink for the lifetime of the printer. Once accepted, those restrictions are applied via a firmware update that cannot be undone.

What happens when you cancel

HP Instant Ink cartridges stop functioning when the subscription ends, even if ink remains in them. According to HP's terms, subscription cartridges are remotely disabled when the service is cancelled, requiring the user to install standard replacement cartridges to continue printing.

Internet Requirements and Account Sign-Ups

HP+ printers require a permanent internet connection to function, not just to set up. 

HP confirms this as a program requirement. A printer on HP+ that loses internet access cannot print until connectivity is restored.

Beyond HP, most modern wireless printers require a manufacturer account for full setup, cloud printing, or firmware access. It is one more set of credentials to create, manage, and secure.

That matters from a security standpoint. Each new vendor account is another entry point, another password to manage, and another data relationship to maintain. Handling those credentials with the same care as any other business account keeps that exposure manageable.

Firmware Updates and Third-Party Ink Restrictions

The mechanism behind third-party ink blocks is firmware: software updates pushed directly to the printer over the internet. 

HP’s Dynamic Security feature causes the printer to check an authentication chip on every cartridge. If the chip does not match HP’s signature, the printer refuses to print.

This has been the subject of multiple lawsuits. 

One complaint brought on behalf of European consumers, HP was accused of encouraging customers to register their printers for automatic updates and then deploying firmware that blocked aftermarket cartridges without clear disclosure. The case ultimately resulted in a $1.35 million dollar fund to compensate eligible HP printer owners.

The practical consequence is that cartridge compatibility is not always fixed at the time of purchase. A firmware update can alter which cartridges a printer will accept months or even years later.

What to Check Before You Buy

The best time to uncover these limitations is before the printer comes home. Start with these questions:

  • Does this printer require an internet connection to operate, or only for setup and optional features?

  • Is this model enrolled in HP+ or an equivalent program that permanently restricts ink to brand cartridges?

  • What is the cost per page using manufacturer cartridges, and does the model support third-party alternatives?

  • Does this printer prompt for a subscription during setup, and what are the cancellation terms?

  • What happens to installed cartridges if a subscription lapses or is cancelled?

Need Help Evaluating Your Print Setup?

The hidden costs of buying a new printer add up fast when you’re not looking for them. A bit of due diligence before purchase saves money for years.

If you’re outfitting an office, reviewing a current print setup, or trying to understand why a printer is costing more than expected, BrainStomp can help you evaluate your options. Reach out at brainstomp.com/contact or call 260-918-3548.

Article FAQs

Do all new printers require an internet connection?

Not all of them. Many modern consumer models only need connectivity for cloud printing, remote access, or initial setup.

What is HP+ and what does it commit me to?

HP+ is a program that applies enhanced features to compatible HP printers via a firmware update. Accepting it is permanent and requires an HP account, an active internet connection, and the use of HP Original Ink for the lifetime of the printer. It cannot be reversed after the update is applied.

Can I use third-party ink cartridges in any printer?

Many printers support third-party cartridges, and they can reduce ink costs substantially. HP printers with Dynamic Security firmware do not. Before buying, check whether the specific model uses Dynamic Security and whether automatic firmware updates might introduce it post-purchase.

What happens to HP Instant Ink cartridges if I cancel the subscription?

They stop working. HP Instant Ink cartridges verify subscription status with HP’s servers, and cartridges issued through the plan are disabled when the subscription ends, regardless of how much ink remains in them.

The “Silent Delivery” Danger: Vetting AI-Generated Email Summaries Sent to Clients

Article summary: AI tools embedded in Outlook, Gmail, and CRM platforms now draft and summarize emails fast enough that review steps get skipped. The risk is that AI email summaries sent to clients can contain wrong figures, statements pulled from unrelated threads, or content the tool was never supposed to access. A short vetting habit before client emails go out protects your credibility and keeps AI a productivity tool rather than a liability.

The AI drafted the email. You gave it a quick look, adjusted one sentence, and clicked send. Your client reads it the next morning and replies asking why the invoice total doesn’t match what you just confirmed.

The AI had pulled a figure from a different thread. It looked right. It wasn’t.

That scenario happens more often than most businesses realize. 

The same speed that makes AI email summaries appealing can also create risk. When a draft arrives instantly, users are more likely to skip the careful review that might have identified an error.

Building a review habit before AI-assisted emails reach clients is part of the same thinking behind keeping communication accurate and secure.

How AI Email Tools Create a Silent Delivery Risk

Tools like Microsoft 365 Copilot and Gmail Gemini work by scanning your email history, drafts, and connected documents to generate summaries and draft replies. The output arrives formatted, grammatically clean, and ready to send.

That polish creates a specific trust problem. 

When people write, they often signal uncertainty with phrases like "I think," "it appears," or "let me verify that." AI-generated summaries rarely do. They present information with the same level of confidence whether it is accurate, incomplete, or wrong.

Thomson Reuters’ guidance on AI accuracy advocates human verification of all AI-generated results, a principle that applies directly to client-facing emails. When AI-generated content reaches customers, clients, or partners, even a small error can undermine credibility and strain relationships.

When the Tool Breaks Its Own Rules

In early 2026, Microsoft disclosed a bug in Microsoft 365 Copilot Chat that allowed the tool to process and summarize certain emails marked as confidential, even when organizations had configured DLP policies to exclude that content.

According to Microsoft's service advisory, the issue affected confidential emails stored in users' Sent Items and Drafts folders. A code defect caused Copilot Chat to ignore the intended restrictions for those messages until Microsoft deployed a fix in February 2026.

BleepingComputer reported Microsoft’s confirmation that the tool continued processing labeled emails because “a code issue is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place.” The policies were in place. A coding error caused Copilot to process content those policies were supposed to exclude.

That’s not a warning about a theoretical future risk. It happened.

Three Ways AI Summaries Go Wrong

Factual hallucinations

AI language models generate text by predicting what should come next, not by verifying facts. 

When summarizing a thread, the model can fill gaps with plausible-sounding content that was never in the original email. Numbers shift. Dates move. Commitments appear that nobody made.

Research published in 2024 found that 38% of business executives reported making incorrect decisions that year based on hallucinated AI output.

Data pulled from the wrong context

AI summary tools scan broadly. 

A summary of one client thread may pull in a figure, a name, or a project detail from a different conversation if the model finds it contextually adjacent. The result reads correctly but refers to the wrong client or the wrong deal.

The Microsoft Copilot incident made this concrete at the platform level. At the individual email level, the same risk is subtler and constant.

Tone that doesn’t match the relationship

AI tools generate professionally formatted text by default. That default may not fit a long-standing client relationship where directness and informality are appropriate. 

The summary might soften a problem that needs to be stated plainly. It might phrase a delivery estimate in a way that reads like a guarantee.

Tone errors don’t introduce wrong facts, but they shape what a client expects next, and correcting that expectation later is its own problem.

Before You Hit Send: A Vetting Checklist

The review process does not need to be time-consuming. Five simple checks before sending an AI-assisted client email will catch most issues.

  1. Does every number in this email match what I can verify in the actual project or account?

  2. Are all dates, deadlines, and deliverables accurate and current?

  3. Is anything here sourced from a different client, project, or thread?

  4. Does the tone match the actual relationship, or does it sound like a template?

  5. Am I comfortable if the client quotes this back to me as a factual record?

That last question is the most practical filter. If you would want to correct something before the client could reference it, correct it before sending.

One More Risk Worth Knowing About

Security researchers at Permiso reported in 2026 testing that AI email summary tools can sometimes be influenced by the content they are summarizing.

In their testing, attacker-controlled text embedded in an email was able to influence how Microsoft Copilot generated its summary. The result could include misleading statements, fake alerts, or other content shaped by the attacker's instructions. It's a form of prompt injection, the same technique used to manipulate AI systems through the information they process.

The attack relies on the trust people place in the summary rather than the original email. If someone skips the source and reads only what the AI produced, a manipulated summary can misrepresent what was said.

The habit that prevents most of these issues is simple: whenever an email involves financial information, commitments, approvals, or client decisions, review the original message rather than relying solely on the AI-generated summary.

Ready to Build a Review Process Your Team Will Actually Use?

AI email tools are useful. The time savings are real. The problem isn’t the tools; it’s the assumption that the output is ready to send without a check.

A 60-second review habit doesn’t slow down AI-assisted communication. It protects the client relationship that took years to build, and the business reputation that lives in every email you send.

BrainStomp can help your team build clear guidelines for AI tool use in client communications, covering what to verify, what to flag, and what to keep out of AI tools entirely. Reach out at brainstomp.com/contact or call 260-918-3548.

Article FAQs

What is a hallucination in an AI email tool?

A hallucination is when an AI produces text that sounds accurate but contains fabricated or incorrect information.

Are tools like Copilot and Gmail Gemini safe for client communication?

They’re genuinely useful productivity tools, but they aren’t a substitute for review. Both have documented cases of summarizing content inaccurately or pulling from unintended sources.

What is prompt injection in the context of email?

Prompt injection is a technique where malicious instructions are hidden inside content that an AI tool processes, in this case an incoming email. The instructions can influence what the AI writes in a summary or draft, potentially inserting false statements or altered figures that the recipient reads as accurate.


Zero Trust for the Home Office: Securing Remote Work Endpoints

Article summary: When employees connect to company systems from personal devices on unmanaged networks, the traditional “trust the device, trust the user” model breaks down. Zero trust remote work security checks every user, device, and connection before access is granted, regardless of where the request comes from, and it’s the only model built for how distributed work actually operates.

Someone on your team logs in from their kitchen table. Personal laptop, home WiFi, same network as the family streaming devices and a teenager’s gaming setup. They open company email, pull up a shared file, and get to work. Normal Tuesday.

From a security standpoint, that’s a lot of trust placed in devices and networks you’ve never verified. That gap is the core problem that zero trust remote work security is built to close.

What Breaks When Everyone Works from Home

The traditional security model relied on a defended perimeter. Everything inside the boundary is trusted. Everything outside isn’t.

Remote work dissolved that boundary. 

Company email is now accessible from a personal tablet, a hotel WiFi, and a managed office desktop, all at the same time. The perimeter became everywhere. When it’s everywhere, it’s effectively nowhere.

According to McKinsey research cited by Microsoft, attacks on endpoints surged fourfold after the shift to widespread remote work, with home networks and personal devices the primary targets.

Attackers didn’t change tactics. They redirected attention toward softer targets. 

The research also found that Gartner estimates up to 90% of successful ransomware attacks hit unmanaged endpoints first. Personal and home-office devices fit that description exactly.

What Zero Trust Actually Means

Zero trust is a security model with one rule: nothing gets trusted until it’s verified. Every login, every device, every connection is checked before access is granted, regardless of whether the request comes from the office, the home, or anywhere else.

NIST SP 800-207 is the federal standard for zero trust architecture. It is moving security away from static network perimeters and toward continuous verification of users, devices, and the resources they’re trying to reach.

For a small business in practice, that translates to a few concrete things. 

A user logs in with verified credentials plus a second factor. Their device is checked to confirm it meets baseline security standards before the connection is allowed. They get access only to what they actually need for that day’s work. 

No one gets in by default just because they used the right password.

Five Controls That Matter Most for Home Offices

Device health checks before access is granted

A personal laptop running an outdated operating system with no antivirus is a liability the moment it connects to company systems. 

Device compliance checks, delivered through endpoint management software, verify that a device meets minimum standards before any access is allowed. No check passed, no access granted. That’s a rule that doesn’t depend on employees remembering to update software on their own.

Multi-factor authentication on every account

A password alone doesn’t prove who is logging in. 

Strong MFA is the most important single control for remote work. Credential theft is the entry point for most remote work breaches, and 

MFA stops most of those attacks even after a password has already been stolen. Phishing emails that appear convincingly legitimate are the most common means of credential theft in home-office environments.

Least-privilege access

Every account should only have access to the specific files, systems, and apps that person needs for their role. Nothing more. 

When a device gets compromised, least-privilege access limits the damage to what that account could reach. The attacker gets in, but there’s a wall between them and everything else.

Encrypted connections

Work traffic crossing the open internet needs encryption. 

For most small businesses, this means requiring a VPN for remote access, and confirming that file storage and communication platforms encrypt data while it’s in transit. An unsecured connection is readable to anyone on the same network.

Visibility and ongoing monitoring

Zero trust isn’t a one-time setup. It requires continuous verification. 

That means logging who accessed what, from where, and when, and flagging patterns that don’t fit. A user who normally logs in from Indiana at 9 a.m., showing up from overseas at 3 a.m. is worth a second look. 

Where to Start Without Rebuilding Everything

Zero trust doesn’t require replacing everything. Most businesses already have some of the pieces in place. The work is connecting them.

IBM’s 2024 Cost of a Data Breach Report found that organizations with mature zero trust practices saved an average of $1.76 million per breach compared to organizations without them.

The IBM research also found that the average breach cost hit $4.88 million in 2024, a record high. 

For small businesses, the cost of a breach is proportionally more disruptive. That context puts the investment required to apply zero trust principles in perspective.

The practical starting point is identity. Enable MFA across every account, starting with email and any cloud services your team uses daily. That addresses the most common attack vector immediately.

Next, audit which accounts have broad access they don’t actively use. 

Tightening those permissions costs nothing. If some employees connect from personal devices, that’s the next conversation: what’s allowed, what’s required from those devices, and how it gets checked.

Find the Gaps in Your Remote Setup

Applying zero trust remote work security to home offices doesn’t require an enterprise budget. It requires a clear picture of who is accessing what, from which devices, and with what level of verification behind each connection.

Most businesses are closer to a solid baseline than the technical terminology suggests.

BrainStomp can audit your current remote work setup, identify the highest-risk gaps, and walk you through practical next steps that fit your team. Reach out at brainstomp.com.

Article FAQs

What is zero trust security for remote workers?

Zero trust is a security model where every login, device, and connection is verified before access is granted, regardless of location. For remote workers, that means confirming device health, requiring MFA, and limiting each account to only the access it genuinely needs.

Why is home office security harder than office security?

The office relies on a controlled network, managed devices, and physical access controls. Home offices use personal hardware on shared networks that IT never configured. Each of those variables creates gaps that don’t exist in a managed environment, and attackers have learned to find them.

What is least-privilege access?

It means each user account is restricted to only the specific files, systems, and applications needed for that person’s role. If a device is compromised, the attacker is limited to what that account could reach. It substantially reduces the blast radius of any single breach.

Where should a small business start with zero trust?

Start with MFA on every account, beginning with email and cloud platforms. Then review account permissions and remove access that nobody actively uses. Those two steps address the highest-risk gaps without requiring new software or a major project.


The Hidden Cost of ‘Shadow IT’ in Cloud Spend

Article summary: When employees sign up for cloud tools without IT’s knowledge, businesses pay twice: once for the subscription and again when those unmanaged apps expose data or duplicate tools already in use. Shadow IT cloud costs are real, they grow quietly, and they show up on the books long before anyone notices them. A simple audit and a one-step approval process are enough to stop the bleeding.

Picture your marketing team signing up for a file-sharing tool. Nobody told IT. It costs $12 a month per user, charged to a company card as “office supplies.” Harmless on its own. 

Now add the sales team’s CRM add-on, the HR team’s recruitment tracker, and the three separate video editing apps installed last spring by two different people. Nobody tracked any of them.

That’s shadow IT. It’s the cloud tools and software that employees set up without IT’s knowledge or approval. 

Staying on top of your software environment and access controls is foundational to running a secure business, and shadow IT makes both harder at once.

What Shadow IT Actually Costs You

The financial hit comes from several directions. Most of it is invisible until someone decides to go looking.

Shadow IT accounts for 30 to 40% of IT spending in large organizations. For smaller businesses, the proportions are similar. The spend doesn’t shrink just because the company is smaller.

Torii’s 2025 SaaS Benchmark Report found that organizations manage an average of 668 applications, and more than half are classified as shadow IT.

That figure comes from first-party data across hundreds of organizations. 

Most of those apps were installed one at a time, by someone solving a real problem. Nobody added them to an inventory. Nobody checked whether the same feature already existed in a paid tool.

Three Places the Money Actually Goes

Duplicate subscriptions and redundant tools

The most direct shadow IT cloud cost is paying for the same functionality more than once. One team signs up for a project tool. Another department already has that capability inside a platform the company is already paying for. Both run. Both get billed.

Research from Zylo found that shadow IT makes up 34% of the average company’s SaaS portfolio, even though it accounts for only 4% of recorded spend. 

Abandoned subscriptions

Subscriptions run until someone stops them. 

When an employee leaves, their personal Dropbox, AI writing tool, and task manager keep billing every month. The charge is small enough to slip through expense review. Until it compounds.

The breach cost multiplier

This is the cost that gets the least attention, and it’s the largest.

IBM’s 2024 Cost of a Data Breach Report found that 35% of the breaches studied involved shadow data, and those incidents cost 16.2% more on average and took 26 percent longer to identify and contain.

The IBM report puts the average breach cost with shadow data at $5.27 million. 

That’s not a small business number for most companies, but the pattern holds at every scale. Unmanaged data is harder to find, harder to contain, and more expensive to recover from.

What a Shadow IT Audit Usually Finds

Most businesses assume they have 10 to 20 active cloud subscriptions. The real number is almost always higher.

Common findings from a first audit:

  • Two or more tools doing the same job, bought by different teams without coordination

  • Active subscriptions tied to email addresses of people who left the company months ago

  • Apps with broad data permissions that nobody reviewed before signing up

  • Personal cloud accounts used to share work files outside any IT oversight

None of these shows up on a standard expense report. They surface when someone cross-references financial records, active accounts, and SaaS authentication logs.

How to Get It Under Control

You don’t need an enterprise platform to start. A few consistent habits close most of the gap.

A quarterly subscription audit is the most practical first step. 

Pull every recurring software charge from company cards and expense records. Match each one to a current employee and a documented business purpose. Anything that doesn’t match gets reviewed and cancelled.

An approval step before new tools go live is the next piece. 

A simple request form, even just an email to IT, catches most unauthorized signups before they become a pattern. Pair that with revoking app access as part of every offboarding checklist, and abandoned subscriptions stop accumulating.

One written policy, shared with the team, is worth more than any detection tool. Employees often use unauthorized tools because the approved process is too slow or they don’t know a better option exists. Making the right path easier than the workaround is how shadow IT stops growing.

It’s Time to Find Out What You’re Actually Paying For

Shadow IT cloud costs are the kind of thing businesses absorb quietly until something forces a closer look. A security incident. An unexpected bill. A compliance audit.

Getting visibility isn’t complicated. It requires someone to own the process and a handful of habits that stick.

BrainStomp can help you run a clear software audit, identify what’s running and what’s a risk, and put a simple approval process in place that keeps the list from growing back. Reach out at brainstomp.com.

Article FAQs

What is shadow IT in cloud services?

Shadow IT refers to any cloud tools, apps, or software that employees set up and use for work without IT’s knowledge or approval. Common examples include personal file-sharing accounts, unapproved project management tools, and AI tools used to handle company data outside any governance.

How does shadow IT increase cloud costs?

It drives waste through duplicate subscriptions, abandoned subscriptions, and breach-related costs when unsecured apps expose business data.

How do I find out what shadow IT we have?

Start by pulling every recurring software charge from company cards and expense reports. Cross-reference those against a current employee list and your approved software inventory. Anything unaccounted for is a candidate for review.

Is shadow IT just a budget issue or a security risk too?

Both. The immediate cost is wasted on unused or duplicate licenses. The bigger risk is that unapproved apps handle business data without IT oversight, creating gaps in access control and breach visibility. The financial damage from a data breach involving unmanaged apps dwarfs the cost of any subscription.


How to Audit and Revoke Third-Party App Access

 Article summary: Most businesses have connected dozens of third-party apps to their email, cloud storage, and collaboration tools, and then forgotten about them. A third-party app access audit lets you see exactly what’s connected, cut what isn’t needed, and close a security gap that’s easy to overlook. Done regularly, it takes under an hour and meaningfully shrinks your attack surface.

Think about the last time someone on your team signed up for a new productivity tool using “Sign in with Google” or “Connect to Microsoft 365.” 

It took about 10 seconds. The app got permission to read email, access files, or manage calendar entries. Then the team moved on. 

That happens dozens of times a year in a typical business.

The problem isn’t that your team uses connected apps. It’s that those connections rarely get reviewed. Over time, you end up with a growing list of third-party tools all with persistent access to your business data.

A regular third-party app access audit is how you get that list under control and keep it there. It’s one of the more practical ”good” cybersecurity habits a business can build.

Why Connected App Permissions Are a Security Risk

When someone authorizes a third-party app, they’re granting it an OAuth token. This is a credential that lets the app access specific data on their behalf without needing their password. OAuth (Open Authorization) is the industry-standard protocol that powers “Sign in with Google” and similar flows.

The catch: those tokens don’t expire on their own. 

Unless someone actively revokes access, an authorized app keeps its permissions indefinitely. This happens even if the person who authorized it has left the company, the app is no longer in use, or the vendor behind it has changed hands.

Attackers who exploited the 2024 Internet Archive breach used tokens that had remained valid and unrotated for 22 months.

That kind of long-lived, unmonitored access is a core reason third-party integrations make attractive targets. Dormant connections are forgotten backdoors.

Where to Look

The first step in a third-party app access audit is getting a full picture of what’s actually connected to your accounts. 

Here’s where to check in the two most common business platforms.

Google Workspace

In the Google Admin Console, navigate to Security > Access and Data Control > API Controls > App Access Control. 

This lists every third-party app authorized to access your Google Workspace data, along with the permissions each one holds.

Microsoft 365

In the Microsoft Entra Admin Center (formerly Azure Active Directory), go to Identity > Enterprise Applications. From there, you can review app permissions by user and see what each app has been granted access to.

For smaller teams without admin access, individual users can check their own connected apps. In Google, visit myaccount.google.com > Security > Third-party apps with account access. 

In Microsoft, check myapps.microsoft.com. Microsoft notes that users often click through consent prompts without reviewing the scope of what they’re granting.

How to Decide What to Keep and What to Cut

Not every connected app is a problem. The goal isn’t to disconnect everything. It’s to make sure each connection is deliberate and still justified.

Questions to ask about each app

  • Is this app still actively used? If nobody has opened it in six months, it probably doesn’t need ongoing access.

  • Does it need the permissions it has? An app asking for full email access when it only sends notifications is asking for more than it needs.

  • Was it authorized by a current employee? Former employees may have connected apps that are still active, even after their accounts were closed.

  • Is the vendor reputable? Look for a clear privacy policy, active maintenance, and a legitimate business presence.

Red flags to watch for

  • Apps you don’t recognize by name

  • Apps authorized by users who no longer work at the company

  • Apps with admin-level or full-mailbox access that aren’t business-critical tools

  • Apps that were authorized by a small number of users with no clear IT approval

How to Revoke Access

Once you’ve identified apps to remove, the process is straightforward.

In Google Workspace, select the app in the Admin Console and choose “Block Access,” or remove the specific OAuth grant from an individual user’s account. 

In Microsoft 365, go to the Enterprise Applications page in Entra and remove the app’s assignment. Individual users can also disconnect apps directly from their personal security settings.

After revoking access, it’s good practice to rotate passwords for connected accounts.

A few habits that keep things manageable going forward:

  • Run an app access review at least quarterly

  • Require IT approval before new apps are connected to company accounts

  • Add app revocation to your employee offboarding checklist

Ready to Get Your App Permissions Under Control?

Third-party app access is one of those areas where businesses often have more exposure than they realize. The apps themselves aren’t the problem. The unmanaged access is.

A quarterly review, a clear approval process, and a solid offboarding checklist will cover most of the risk. None of it requires specialized tools or deep technical expertise. It does require someone to own the process.

If you’d like help running your first audit, setting up ongoing monitoring, or building an app approval workflow for your team, BrainStomp can help. Reach out at brainstomp.com/contact.

Article FAQs

What is a third-party app access audit?

It’s a review of all external applications that have been granted permission to access your business accounts to confirm each one is still needed and appropriately scoped.

How often should I audit third-party app permissions?

Quarterly is a reasonable baseline for most businesses. High-risk environments or those handling regulated data may want to review monthly. At minimum, run a check whenever an employee leaves the company.

Do OAuth tokens expire on their own?

Not usually. Most OAuth tokens remain valid until someone actively revokes them. That means apps you authorized years ago may still have access to your accounts today.

What should I do if I find an app I don’t recognize?

Revoke its access immediately. Then check any available audit logs for that app to see what data it may have accessed. If you see anything unusual, treat it as a potential security incident and investigate further.

Can individual employees revoke app access themselves?

Yes. In Google, users can visit myaccount.google.com > Security > Third-party apps with account access. In Microsoft, myapps.microsoft.com shows connected apps. That said, admins should also manage this at the organizational level to ensure full visibility across the business.

“MFA Fatigue” Protection: Moving from Push Notifications to Number Matching

Article summary: Simple push notification MFA has a well-documented weakness: attackers who have your password can flood your phone with approval prompts until someone taps “allow” out of frustration or inattention. Number matching MFA closes this gap by requiring users to type a code shown on their login screen rather than blindly approving a prompt. The switch is quick to enable in Microsoft 365 and Google Workspace as a meaningful step toward stronger authentication.

In September 2022, a hacker with a stolen password needed one more thing to get into Uber’s corporate network: someone on the other end of an MFA push notification to tap Approve. So the attacker sent dozens of prompts. Then dozens more. 

Eventually, tired of the alerts, a contractor approved one. The attacker was in.

That’s an MFA fatigue attack. And it works because push-based MFA (multi-factor authentication) asks very little of the person approving. One tap. No context. No confirmation that the login was even initiated by you. 

MFA fatigue attack protection starts with understanding that flaw. Building a layered cybersecurity posture means going a step further than simply having MFA turned on.

How MFA Fatigue Attacks Work

An MFA fatigue attack only works if the attacker already has your credentials. They obtained them through phishing, a data breach, or a purchased dump from a dark web marketplace. The password is compromised. The only obstacle left is the second factor.

The attack is simple. The attacker attempts a login with the stolen credentials, which triggers a push notification on the target’s phone. They do it again. And again. The prompts arrive during a meeting, at 2 a.m., mid-commute. There’s no technical bypass involved. The attacker is betting on human exhaustion.

Microsoft tracked over 382,000 MFA fatigue attacks in a single 12-month period and found that 1% of users accept the very first prompt they receive without scrutiny.

At a 50-person company, that’s roughly one person who will approve the first request reflexively. One approval is all an attacker needs.

Why an “Approve” Button Is the Weak Link

Traditional MFA push notifications are fast and frictionless by design. A prompt appears on your phone: "Are you trying to sign in?" You tap Yes. Done.

But that same simplicity is the vulnerability. The prompt gives the user no information about which app triggered the request, where the login attempt originated, or whether they initiated a sign-in at all. 

In a prompt bombing campaign, the user is being worn down until judgment fails. 

Cisco was breached in 2022 in the same way. An employee received voice calls from someone impersonating IT support while push notifications flooded in, with instructions to just approve one to resolve the issue.

Stolen credentials are the prerequisite. 

Sound password hygiene and an understanding of how phishing attacks deliver those credentials reduce exposure at the front end.

But number matching adds a control that holds even after credentials are gone.

What Number Matching Changes

With number matching enabled, the login screen displays a two-digit number. The user opens their authenticator app and must type that specific number to complete sign-in. No number typed correctly, no access granted.

This one change eliminates two failure modes. 

First, accidental approvals become nearly impossible. There’s nothing to tap blindly. 

Second, it creates a brief but meaningful check: the user must see both their login screen and their phone at the same time, making it obvious if a request wasn’t self-initiated.

In Microsoft 365 and Microsoft Authenticator

Microsoft made number matching the default for all Authenticator push notifications in May 2023. 

If your organization uses Microsoft 365, your users are likely already seeing it. Admins can verify the setting is active for all users via Microsoft Entra Admin Center under Security > Authentication Methods > Microsoft Authenticator.

Microsoft also offers two additional context features that can be enabled alongside number matching: 

  1. Displaying the name of the application requesting authentication, 

  2. Showing the geographic location of the sign-in attempt. 

Both help users immediately identify a suspicious prompt before they respond.

In Google Workspace

Google Workspace doesn’t use a number matching system in the same way, but administrators can require stronger authentication methods through the Admin Console under Security > Authentication > 2-Step Verification. 

Google’s prompt already shows device name, location, and time of the sign-in request, giving users enough detail to recognize when something looks off.

Is Number Matching Enough?

Number matching MFA is a meaningful upgrade, not a final destination.

CISA explicitly recommends number matching as an interim mitigation for organizations that use mobile push-based MFA and cannot yet implement phishing-resistant authentication. It is described as one of the best available steps short of a full platform change.

The strongest option is phishing-resistant MFA, which uses hardware-bound cryptographic keys (FIDO2 security keys or Windows Hello for Business). 

Even if an attacker tricks a user into entering their credentials on a fake login page, the hardware key won’t authenticate against a domain it doesn’t recognize. 

For most small businesses, number matching is the right step to take this week. Phishing-resistant MFA is the right goal to plan toward.

What matters most right now: teams should know that an unexpected flood of MFA prompts is a sign of an active attack, not a reason to start tapping Approve.

Train your team to deny unexpected prompts immediately and report them to IT. That response, combined with number matching, closes most of the gap that push-only MFA leaves open.

Upgrade How Your Team Signs In

MFA fatigue attack protection doesn’t require new software or a major rollout. If you’re on Microsoft 365, number matching is likely already on. The question is whether it’s verified, configured correctly, and whether your team understands what to do when prompts arrive unexpectedly.

BrainStomp can help you audit your current MFA setup, enable number matching and additional context, and put a plan in place for stronger authentication over time. Reach out at brainstomp.com/contact.

Article FAQs

What is MFA fatigue?

MFA fatigue (also called push bombing or prompt bombing) is an attack technique where a hacker uses stolen credentials to trigger repeated MFA push notifications on a target’s phone until the user approves one out of frustration or distraction. It requires no technical bypass of MFA itself.

What is number matching in MFA?

Number matching is a security setting that requires the user to type a two-digit code shown on their login screen into their authenticator app before the login is approved. It prevents accidental approvals because the user must actively look at both devices and enter the correct number.

Is number matching the same as phishing-resistant MFA?

No. Number matching is a strong upgrade over simple push notifications, but CISA classifies it as an interim step. 



Stop Storing Passwords in Excel: Password Managers for Small Businesses

Article summary: Password lists in Excel, Word, or Notepad create a single point of failure. They make credential theft, password reuse, and unsafe sharing far more likely. A password manager for small businesses reduces real risk by generating unique passwords, controlling sharing, and storing credentials in a secure vault. This protects accounts and lowers the chance that one mistake exposes multiple systems.

If you’ve ever searched through an Excel sheet, Word document, or Notepad file trying to find “the password,” you’re not alone. It feels fast. It feels familiar. And it often feels like the easiest way to keep a team moving.

The problem is that it’s fragile.

Files get copied, emailed, and stored on shared drives or synced folders. Someone renames the file “Passwords – Updated,” and before long there are multiple versions circulating.

If that file is exposed, whether accidentally or through malware, it doesn’t reveal just one login. It can expose all of them.

That’s why a password manager is such a practical upgrade for small businesses. It’s one of the simplest ways to strengthen everyday IT security.

Why Password Lists Are Risky

Password lists create risk because they turn credentials into something that’s easy to spread and hard to control. 

They don’t just store passwords. They normalize habits that attackers rely on, like reuse and informal sharing. 

Storing passwords in an Excel or Word document on your PC is a common mistake that makes credentials easier to expose in the real world. Passwords are generally more valuable because people typically use the same password for multiple logins.

NIST guidance notes that using distinct passwords helps prevent “password stuffing” attacks, where a leaked password is automatically tried across many other sites and services.

CISA recommends a practical alternative: a password manager, an “easy-to-use program that generates, stores, and even fills in all your passwords.” Unlike a static document, it reduces the need for copy-and-paste storage and makes password reuse far less likely.

That’s why a password manager is such a practical security upgrade for small businesses.

It replaces password lists that lack built-in ways to:

  • Control who can view credentials

  • Share account access without revealing the actual password

  • Track who accessed an account

  • Make unique passwords the default

Attackers Love Stolen Credentials

Attackers don’t need movie-style hacking if they can get valid logins. Stolen credentials are one of the simplest ways into a business because they look like normal access. 

Verizon’s 2025 Data Breach Investigations Report (DBIR) says in the Basic Web Application Attacks pattern, about 88% of breaches involved the use of stolen credentials. 

The report also shows credential abuse as a frequent initial access path, which helps explain why one exposed password rarely stays contained.

Why a Password Manager for Small Business Reduces Real Risk

A password list is a workaround. A password manager is a system. That difference matters, because security works best when the safest option is also the easiest one to use.

Unique Passwords Become the Default

A password manager for small businesses makes strong, unique passwords the easy option. People don’t have to invent passwords, remember them, or reuse the same “good one” everywhere. 

The manager generates long passwords automatically and stores them securely, so each account can have its own password without creating extra work.

Autofill Reduces Phishing and Copy/Paste Mistakes

Password lists force people into copy-and-paste habits, which is how credentials end up where they shouldn’t be.

Autofill reduces that exposure. It also helps reveal suspicious sites, since the password vault won’t autofill on a look-alike page.

Sharing Becomes Controlled

Sharing access shouldn’t mean sharing the password itself. 

Password managers let teams share credentials through a controlled vault, limit who can use them, and remove access when it’s no longer needed.

A Password Manager is Designed for This Job

Spreadsheets and documents were never built to protect credentials. 

Password managers were. They encrypt your vault, support secure sharing, and make safer habits automatic. 

CISA describes a password manager as “an easy-to-use program that generates, stores, and even fills in all your passwords,” which is essentially what many teams try to accomplish with spreadsheets like Excel.

What to Look For in a Password Manager for Small Businesses

Not all password managers are built for teams. A good password manager for small businesses should make secure behavior easy day to day, while giving you enough control to manage access without turning it into a full-time job.

  • Team vaults and secure sharing so people can access what they need without passing passwords around.

  • Admin controls to add/remove users, set permissions, and keep access organized.

  • Multi-factor authentication (MFA) support for the vault itself, plus strong master password requirements.

  • Audit logs or activity reporting so you can see who accessed or changed shared items.

  • Password generator + autofill across browsers and mobile devices.

  • Easy onboarding and offboarding so access stays controlled as roles change.

  • Cross-platform support (Windows/Mac, iOS/Android, major browsers).

  • Breach/weak password alerts, if available, to catch risky reuse early.

Replace Password Files With a Safer System

Password lists feel convenient at first. But that convenience disappears the moment the file is copied, shared, or exposed. 

A password manager is a straightforward upgrade that reduces real risk without adding friction. It gives your team one secure place for credentials, makes strong passwords the default, and replaces informal sharing with controlled access.

Ready to stop guessing where passwords live and who has them? 

Reach out to BrainStomp. We’ll help you take a practical approach to improving password security, so your team can work quickly without creating unnecessary exposure.

Article FAQs

Why is storing passwords in Excel risky?

Because one file can expose many accounts at once. Spreadsheets get copied, shared, synced, and searched easily, and they encourage password reuse and unsafe sharing.

What’s the best password manager for a small business?

The best option is one your team will actually use. Look for secure sharing, admin controls, MFA support, cross-device autofill, and an easy way to manage access. Bitwarden and LastPass are common choices.

Do password managers work for teams?

Yes. Team features like shared vaults and role-based access let people use the credentials they need without passing passwords around or storing them in files.

What should we do with old password spreadsheets?

Treat them as sensitive. Restrict access immediately, migrate the credentials into a password manager, then securely delete the files (and any copies) once you’re confident everything is moved.




Stop Falling for Fake CAPTCHAs: How ClickFix Attacks Work

Stop Falling for Fake CAPTCHAs: How ClickFix Attacks Work

Article summary: ClickFix attacks use fake CAPTCHAs and “helpful instructions” to trick users into running malicious commands on their own devices. Clear patterns,  like treating any prompt that asks you to open Run or paste a command as suspicious, stop these attacks before they start. This reduces the risk of malware and account compromise while giving teams a simple response plan if someone clicks.

CAPTCHAs are so common online that most people barely notice them anymore. You click the box, prove you’re human, and move on.

A ClickFix attack starts the same way, then it takes a sharp turn.

Instead of verifying anything, it displays “helpful instructions” that nudge you into running a command on your own device. No suspicious download. No obvious attachment. Just a few keystrokes that feel routine—until they aren’t.

If you’re responsible for keeping a small team’s IT secure, this is the kind of everyday tactic that’s worth staying ahead of. 

The good news is that ClickFix is simple to stop once you know the pattern.

What Is a ClickFix Attack?

A ClickFix attack is a social-engineering technique designed to trick a user into running a malicious command themselves. 

Microsoft  describes this tactic as one that “trick[s] users into executing a malicious command themselves,” often by presenting a believable prompt that looks like a routine troubleshooting or verification step.

Instead of relying on a traditional malware download, ClickFix uses written instructions to guide the user into launching built-in tools like the Windows Run dialog and pasting in a command. 

What It Looks Like 

A ClickFix attack usually shows up as a normal-looking interruption: a page that claims you need to “verify,” “fix,” or “continue.” It’s often wrapped in a convincing fake CAPTCHA or error message. The tone is helpful and instructional, not threatening. That’s deliberate.

Darktrace describes users being “guided through a three-step process” where the “CAPTCHA” or prompt ultimately leads them to execute a command on their own machine. 

The instructions often look like quick troubleshooting steps, and the page may even display a progress message to make it feel legitimate.

Security Now’s Episode 1066 explains why this is so effective: it hides behind something routine, like completing a CAPTCHA, while steering the user into a copy-and-paste action that isn’t normal web behavior.

The notes cite Huntress research that ClickFix “fueled 53% of all malware loader activity” in 2025 within that dataset, a reminder that this tactic is far from a one-off gimmick.

If you want one simple “spot it fast” rule for your team, it’s this: a real CAPTCHA never needs you to leave your browser to follow keyboard instructions that run something on your device. That pattern is a hallmark of a ClickFix attack.

Why ClickFix Attacks Work So Well

A ClickFix attack works because it doesn’t feel like an attack. It feels like a normal “get me back to work” step. You’re blocked by a prompt, you want the page to load, and the instructions seem simple. That moment of friction is exactly what the tactic exploits.

ClickFix “relies on human intervention,” which is part of why it can be so effective. 

Instead of delivering malware in a way that looks obviously suspicious, it gets the user to do the risky part themselves. That changes how it’s perceived. People are often trained to avoid downloads and attachments, but they’re less suspicious of steps they’re actively performing.

The HHS sector alert also highlights how these campaigns mimic familiar steps, such as “prove you are human” prompts, making the interaction look routine while steering users toward malicious instructions.

And once someone is following instructions, they tend to keep going. The brain treats it like a checklist, not a security decision.

What Happens After You Press Enter

After you press Enter, a ClickFix attack stops being a “weird prompt” and becomes an execution chain. 

The pasted command typically launches built-in Windows tooling (often PowerShell or similar) to pull down the next stage from the internet and run it. 

The user ends up running commands that kick off malicious activity using legitimate system components, which can make the behavior blend in at first. 

From there, attackers aren’t just trying to prove the trick worked. They’re trying to establish control. 

Darktrace’s write-up explains that once the initial command is executed, activity can progress into command-and-control communications and follow-on actions that support broader compromise, including efforts that enable access expansion inside the environment. 

This isn’t limited to a single pop-up event. 

ClickFix campaigns can be delivered through compromised sites and phishing-driven lures, where users are manipulated into executing code that can install malware and open the door to further steps like credential theft and deeper access. 

What To Do If Someone Already Clicked

If someone already followed the steps in a ClickFix attack, the priority is speed and containment. Don’t waste time trying random “cleanup” fixes from the internet, and don’t assume it’s harmless because nothing obvious happened right away.

If someone may have followed the instructions from a suspicious prompt or verification page, contact your IT support provider immediately.

That early alert matters because the first minutes after an incident often determine how far it spreads.

If possible, isolate the device from the network to stop any further connections while you get help. You should immediately disconnect your device so the system can be assessed without ongoing exposure. 

Then focus on the basics that reduce follow-on damage: 

  • Document what happened like what site it was, what steps were followed, etc.

  • Scan the device using trusted security tools.

  • Reset passwords for any accounts that may have been used on that machine, starting with email and core access.

Most importantly, treat it as a real incident, not an embarrassment. ClickFix attacks work because they look routine, and the right response is a calm, fast process that limits impact.

ClickFix Attacks are Preventable With Better Patterns

A ClickFix attack succeeds when it blends into routine behavior. It doesn’t need advanced tricks. It just needs someone to follow “helpful” instructions without pausing to question them.

The fix is simpler than most people expect: teach one or two clear patterns your team can recognize fast. 

Two practical habits make a real difference: learning to recognize suspicious prompts or verification pages, and having a clear response plan if someone follows the instructions before realizing something is wrong.

That kind of readiness rarely happens by accident. It comes from consistent awareness training, clear reporting paths, and systems designed to catch problems early. BrainStomp helps businesses put those pieces in place so employees know what to watch for and what to do if something slips through.

If you want help turning these practices into a consistent habit across your business, contact BrainStomp today.

Article FAQs

What is a ClickFix attack?

A ClickFix attack is a social-engineering scam that looks like a fake CAPTCHA or “verification” step and tricks you into running a command on your own device. Instead of downloading something obvious, it uses instructions to get the user to execute the malware.

Why would a ClickFix attack bypass normal security?

Because the user runs the command themselves using built-in tools like Windows Run or PowerShell. That “human step” can make the activity look more legitimate than a typical malicious download or attachment.

What should I do if I opened Run and pasted something?

Stop what you’re doing and contact IT support immediately. Disconnect from the internet if possible, document what happened, and change passwords for key accounts (especially email) as soon as you can.

Are ClickFix attacks only delivered by email?

No. They can also appear through compromised websites, malicious ads, fake software prompts, and other links that land you on a fake verification page.


Why You Need an AI Policy in 2026

Why You Need an AI Policy in 2026

Article summary: AI is embedded in everyday business tools in 2026. That makes inconsistent, unapproved use a real security and compliance risk. An AI policy in 2026 sets clear rules for which tools are allowed and what data can and cannot be used. It also requires human review because AI output can sound confident while still being wrong. Regulations and AI-enabled scams are pushing businesses to standardise how AI is used without slowing work down. Continuous monitoring supports the policy by making AI use visible and helping teams catch risky behaviour early.

AI is no longer a separate tool you “go use.” In 2026, it’s built into the apps your team already relies on. Email. Meetings. Search. File tools. Even the little add-ons promise to save time.

That convenience is exactly why an AI policy in 2026 matters.

When AI use spreads without clear rules, people make quick choices that create risk. They paste sensitive details into prompts. They trust an answer that sounds confident but isn’t verified. They turn on features that change where data is processed and stored.

Why AI Policy in 2026 Is Non-Negotiable

AI is accelerating faster than most businesses can evaluate

AI tools don’t stay still. Features roll out quietly inside the software your team already uses, and the capabilities keep climbing. That creates a practical problem: most businesses can’t realistically “re-evaluate” every new AI feature, plugin, or model update.

The International AI Safety Report 2026 makes the bigger point clearly: AI systems are becoming more capable quickly, while solid evidence about real-world risks is slower and harder to pin down. In other words, waiting for perfect certainty is a losing strategy. You still need a plan for how your team uses AI today.

AI policy uncertainty is increasing, not decreasing

The regulatory and policy landscape is moving in multiple directions at once. More jurisdictions are creating AI rules, and they don’t all look the same. 

Mind Foundry’s overview of AI regulations around the world frames this as a fast-growing, evolving patchwork. The direction is clear: more expectations around transparency, accountability, and risk management are coming. The details vary, but the pressure is real.

At the same time, AI policy debates are becoming more public and more urgent. Tech Policy Press’ roundup of expert predictions on what’s at stake in AI policy in 2026 highlights how issues like deepfakes, scams, and harmful uses of AI are driving lawmakers and regulators to act. 

The Risks You’re Actually Managing With an AI Policy in 2026

An AI policy in 2026 isn’t about hypothetical future problems. It’s about the risks already showing up in everyday work.

Data leakage and “shadow AI” use

The most common risk is simple: people paste or upload business information into AI tools without thinking through where that data goes next.

The challenge is that AI adoption is moving fast, and evidence about risk can lag behind capability. The International AI Safety Report 2026 is built around that reality: AI is advancing quickly, and organizations still need practical ways to manage risk while the broader landscape evolves.

More AI use often means more potential entry points and more valuable data in play. That’s the security side of “shadow AI,” and it’s why this topic matters now.

AI-powered scams and social engineering get more believable

AI makes phishing and impersonation easier to scale and harder to spot. 

Policy conversation in 2026 is increasingly tied to deepfakes, scams, and consumer harm. 

The Tech Policy Press 2026 expert predictions highlight how these issues are shaping what regulators and lawmakers are focused on. Your policy doesn’t have to be political, but it should be practical: verification steps for payment changes, banking details, urgent requests, and identity checks.

Tool sprawl, integrations, and unknown access

AI rarely stays “standalone.” 

The global push toward AI governance reflects this complexity. AI regulations around the world reinforce that expectations around accountability and control are increasing, even as the rules differ by region. 

An AI policy in 2026 gives you a consistent internal standard: what integrations are allowed, who approves them, and what gets logged and monitored.

What an AI Policy in 2026 Should Include

A practical AI policy in 2026 should be short, clear, and easy to follow.  At minimum, it should cover:

  • Approved AI tools and features. Define what’s allowed, what’s not allowed yet, and how employees request approval for new tools.

  • Data rules for AI use. Specify what can never be entered into AI tools and what’s acceptable in limited cases.

  • Human review requirements. Require review for customer-facing content, technical instructions, decisions that affect people, and anything that could create legal or compliance exposure.

  • Accuracy and sourcing expectations. Make it clear that AI output must be verified, and require sources or documentation where appropriate.

  • Security controls for AI accounts. Require MFA, enforce strong access control, and limit or approve integrations/plugins that expand access.

  • Monitoring and enforcement. Define what will be monitored so the policy can be applied consistently.

  • Ownership and accountability. Assign who approves tools, who owns the policy, and what happens if the policy is ignored.

  • Training and updates. Set a simple schedule for refreshing the policy as tools and regulations evolve.

Put Your 2026 AI Policy into Practice 

An AI policy in 2026 only helps if it changes day-to-day behavior. Clear rules for tools, data, and human review reduce mistakes and prevent “shadow AI” from becoming a security or compliance problem, especially as AI capabilities keep moving fast and policy expectations keep shifting.

If you want an AI policy your team will actually follow, reach out to BrainStomp. We’ll help you create a clear, practical policy, roll it out in a way that supports productivity, and put the right monitoring in place.

Article FAQs

What is an AI policy?

An AI policy is a set of clear rules for how employees can use AI tools at work. It typically covers approved tools, what data can and cannot be entered, when human review is required, and who is responsible for enforcement and updates.

Which companies need an AI policy in 2026?

Any company that handles customer, employee, financial, or confidential business data needs an AI policy by 2026. If your team uses AI features in email, documents, meetings, customer support, marketing, or analytics, you need a clear standard.

What will happen in 2026 with AI?

AI will be more embedded in everyday business software, more capable, and more widely adopted across teams. At the same time, expectations around responsible AI use will increase as regulations and public scrutiny continue to evolve.

Does an AI policy in 2026 mean banning AI?

No. A good AI policy in 2026 supports safe use by setting rules for tools, data, and review. The goal is to keep productivity gains while reducing security, compliance, and quality risks.