TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Did One Of These Fool You Last Year?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

You’re not imagining it. Scam emails are getting harder to spot.

Phishing attacks are becoming more convincing, more targeted, and more frequent.

Let’s rewind a moment…

Phishing is when criminals pretend to be a company you trust and try to trick you into clicking a link, opening an attachment, or logging in to a fake website.

Their goal is usually to steal passwords, money, or access to your systems.

The reason it works so well is simple: It relies on familiarity and distraction.

Last year, the company most often impersonated by scammers was Microsoft.

That’s not because Microsoft has done anything wrong, but because so many businesses rely on its email, files, and cloud services.

One stolen Microsoft login can open the door to email accounts, documents, and even financial data.

Close behind were Facebook and Roblox, with other familiar names like Amazon, Google, and PayPal also commonly abused.

Security researchers noticed a big spike in phishing toward the end of last year. That makes sense.

People are busy, inboxes are full, and there’s a lot going on with shopping, renewals, year-end tasks, and business and personal income tax preparation.

Scammers know this and time their attacks carefully.

What makes things more worrying is how realistic these messages have become. Criminals now use AI to create fake login pages and “security alerts” that look almost identical to the real thing.

Some attacks don’t just steal your password but also grab the extra security codes you use to log in, allowing attackers straight through the front door.

So how do you stay safe?

The most important habit is to slow down. Any email or text that claims there’s an urgent problem with an account should immediately raise suspicion.

Instead of clicking, open your browser and go directly to the company’s website yourself to check. If something feels off, it probably is.

Extra protection also matters. Using multi-factor authentication, which is a second check like a code sent to your phone, can stop criminals even if they get your password.

Keeping devices protected with up-to-date security software and making sure your team knows what phishing looks like can make a huge difference.

Phishing isn’t going away.

But with the right awareness and a few sensible safeguards, it doesn’t have to catch you out.

Implementing Zero Trust For Small Business

Think about your office building. You probably have a locked front door, security staff, and maybe even biometric checks.

But once someone is inside, can they wander into the supply closet, the file room, or the CFO’s office?

In a traditional network, digital access works the same way: a single login often grants broad access to everything. The Zero Trust security model challenges this approach, treating trust itself as a vulnerability.

For years, Zero Trust seemed too complex or expensive for smaller teams. But the landscape has changed.

Today, it is a practical, scalable defense, essential for any organization.

It’s about verifying every access attempt, no matter where it comes from. It’s less about building taller walls and more about placing checkpoints at every door.

And it’s not just about outsiders. It also limits damage from everyday mistakes – like clicking a bad link – or from a compromised vendor account. With Zero Trust, access is granted based on identity, device health, and context, and only to the specific resources needed. That “least privilege” approach shrinks the blast radius when something goes wrong, making incidents easier to contain and faster to recover from.

Transform your security posture

Adopting Zero Trust isn’t just a technical change, it’s a cultural one. It shifts the mindset from broad trust to continuous monitoring and validation.

Your teams may initially find the extra steps frustrating, but explaining clearly why these measures protect both their work and the company will help them embrace the approach.

The goal is to foster a culture of ongoing governance that keeps Zero Trust effective and sustainable.

Your actionable path forward

Start with an audit to map where your critical data flows and who has access to it. While doing so, enforce MFA across the board, segment your network beginning with the highest – value assets, and take full advantage of the security features included in your cloud subscriptions.

Achieving Zero Trust is a continuous journey, not a one-time project. Make it part of your overall strategy so it can grow with your business and provide a flexible defense in a world where traditional network perimeters are disappearing.

Contact us to schedule a Zero Trust readiness assessment for your business.

Beyond Chatbots: Preparing Your Company For “Agentic AI” In 2026

AI chatbots can answer questions. But now picture an AI that goes further, updating your CRM, booking appointments, and sending emails automatically. This isn’t some far-off future. It’s where things are headed in 2026 and beyond, as AI shifts from reactive to proactive, autonomous agents.

This next wave of AI is called “Agentic AI.” It describes AI that can set a goal, figure out the steps, use the right tools, and get the job done on its own. For a small business, that could mean an AI that takes an invoice from inbox to paid, or one that runs your whole social media presence. The upside is massive efficiency, but it also means you need to be prepared. When AI gets more powerful, having the right controls matter.

What makes an AI agent “agentic?”

A research article on the evolution and architecture of AI agents explains the big shift like this: AI is moving from tools that wait for instructions to systems that work toward goals on their own. Instead of just helping with tasks, AI starts doing the work, making it possible to hand off whole processes and collaborate with it like a teammate.

The 2026 opportunity for your business

For small businesses, this is about real leverage. Agentic AI can work around the clock, clear out repetitive bottlenecks, and cut down errors in routine processes. That means things like personalizing customer experiences at scale or even adjusting supply chains in real time become possible.

And this isn’t about replacing your team. It’s about leveling them up. AI takes the busywork so your people can focus on strategy, creativity, tough problems, and relationships, the things humans do best. Your role shifts too, from doing everything yourself to guiding and supervising your AI.

What you need before you launch agentic AI

Before you hand over your processes to an AI agent, you need to make sure those processes are rock solid. The reasoning is simple: AI will amplify whatever it touches, order or chaos, with equal efficiency. That’s why preparation is key. Start with this checklist:

Clean and Organize Your Data: AI agents make decisions based on the data you give them. Garbage in means not just garbage out; it can lead to major errors. Audit your critical sources.

Document Workflows Clearly: If a human can’t follow a process step by step, an AI won’t be able to either. Map out each workflow in detail before you automate.

Building your governance framework

Just like with human team members, delegating to an AI agent requires oversight. That means setting up clear guardrails by asking a few key questions:

  • What decisions can the AI agent make on its own?
  • When does it need human approval or guidance?
  • What are its spending limits if it handles finances?
  • Which data sources is it allowed to access?

Answering these questions lets you build a framework that becomes your company’s rulebook for its “digital employees.”

Security is another critical piece. Every AI agent needs strict access controls, following the principle of least privilege. Regular audits of agent activity are now a non- negotiable part of good IT hygiene.

Embracing the role of strategic supervisor

Agentic AI is a true force multiplier, but it depends on clean data and well-defined processes. It rewards careful preparation and punishes the hasty. By focusing on data integrity and process clarity now, you position your business not just to adapt, but to lead. Contact us today for a technology consultation on AI integration. We can help you audit workflows and create a roadmap for reliable, effective adoption.

Passwords Protect People, Not Just Data

Machines start up. Systems exchange signals. Processes run quietly in the background, hour after hour, day after day. For many businesses, that technology isn’t just supporting the operation – it is the operation.

Behind it sits something called Operational Technology (OT).

Unlike office IT systems such as email, file storage, and accounting software, OT controls the physical world. It’s the hardware and software that tells equipment what to do, when to do it, and how to do it safely.

Production lines, control panels, monitoring systems, sensors, and the networks that connect them all fall into this category. If IT is where information gets created and shared, OT is where information becomes motion, pressure, temperature, speed, and output.

The challenge is that OT security often hasn’t matured at the same pace as modern cyber threats. Many OT environments were built years ago, designed for reliability and safety rather than hostile internet-era conditions.

They were expected to run for a long time, change slowly, and stay stable. That mindset makes sense in an industrial setting – but it can leave gaps when today’s reality includes remote access, vendor connectivity, cloud reporting, and increasing links between the plant floor and the business network.

One of the biggest weak spots is still surprisingly simple: passwords.

In OT environments, it’s common to find shared logins, default credentials that were never changed, passwords written down near the equipment, or accounts that haven’t been updated in years.

Sometimes it happens because “everyone has always used the same operator login.”

The problem is that the old assumption – “OT is isolated” – is often no longer true.

As OT and IT become more connected, a compromise that starts in the office can reach operational systems. A criminal who gains access to a user’s email account or laptop can look for saved passwords, reused credentials, remote access tools, mapped shares, or documentation that reveals how OT systems are managed.

If passwords are reused between environments, that attacker may not need a clever exploit. They can simply log in.

That matters because OT attacks don’t just affect data. They can halt production, disrupt critical services, damage equipment, create safety risks for staff, or force a shutdown while you verify what changed.

Even when nothing catastrophic happens, uncertainty is expensive: if you can’t trust system readings or configurations, the safest choice is often to stop and inspect.

The good news is that improving password security is one of the highest-impact steps most organizations can take without rebuilding their entire OT environment.

A few practical moves make a major difference:

Use longer passwords or passphrases. Length dramatically increases the effort required to guess or crack a password.

Make passwords unique. Unique credentials reduce lateral movement.

Add multi-factor authentication (MFA) wherever possible. MFA can stop intruders even if a password is stolen.

Of course, OT environments need care. You can’t treat a production controller like a disposable laptop. Changes should be planned, tested, documented, and scheduled to avoid downtime.

OT systems are designed to be dependable and almost invisible when they’re working properly. That “quiet reliability” can make security easy to overlook. Yet the systems that control physical processes deserve the same discipline and attention as office IT – often more, because the consequences are bigger.

Cyber Resilience Matters More Than You Think

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Most businesses still picture cybersecurity like an old-school castle. Tall stone walls. Heavy iron gates. A moat full of alligators, if possible.

The idea is simple: keep the bad guys out, and everything inside stays safe.

That model made sense once. But it doesn’t anymore.

Today’s workplace isn’t a castle. Your employees work from home, the office, hotels, and coffee shops. Your data lives in the cloud. Your systems connect to dozens of outside vendors, apps, and services every day. Files are shared constantly. Logins happen from everywhere.

There is no single wall to defend anymore, and cybercriminals know it.

That’s why the focus of cybersecurity has quietly shifted over the last few years. It’s no longer just about trying to block every possible attack. It’s about assuming something will eventually get through, and making sure your business can recover quickly when it does. That mindset is called cyber resilience.

Frankly, even well-protected organizations get hit. Someone clicks the wrong link. A trusted supplier suffers a breach. A password gets reused. A convincing, AI-powered scam slips past email filters. It happens to smart, careful companies every single day.

The difference between a crisis and a minor disruption is what happens next.

A cyber-resilient business is built to spot trouble early, contain it quickly, and recover without chaos. Instead of panic, finger-pointing, and downtime, the response is calm and methodical. Accounts get locked down. Systems are isolated. Data is restored. Business resumes. That doesn’t happen by accident.

One major piece of cyber resilience is visibility – having systems that constantly watch for unusual behavior, not just obvious “alarms.” Modern security tools look for things like strange login locations, unusual file access, or activity that doesn’t match a user’s normal pattern. Many of these tools now use AI to spot problems long before a human ever would.

This is important because today’s attacks often don’t announce themselves. Hackers don’t always smash windows. More often, they log in quietly and try to blend in.

Then there’s the safety net: backups.

Not just “we think we have backups,” but properly designed, secure, and tamper-proof backups that attackers can’t delete or encrypt. When backups are set up correctly, recovery can be surprisingly fast. In some cases, systems are restored so quickly that customers never even realize something went wrong.

But technology alone isn’t enough.

Cyber resilience also depends on people. Employees need to recognize suspicious emails and feel comfortable reporting mistakes immediately.

Leadership needs a simple, clear plan for who does what when something goes wrong. Everyone needs to understand that speaking up early is always better than staying quiet and hoping a problem disappears.

Cyber resilience is about preparation and accepting reality, staying calm under pressure, and having the ability to bounce back quickly when the unexpected happens.

If your business hasn’t thought beyond “keeping the bad guys out,” it may be time to rethink your approach.

And if you’d like help building a practical cyber resilience strategy that fits how your business actually operates, we’re here to help.

Hackers Aren’t Hacking – They’re Just Logging In

When most business owners picture a cyberattack, they imagine a hoodie-wearing genius furiously typing code, breaking through firewalls, and “hacking” their way into a network.

That image is outdated.

Today’s cybercriminals usually aren’t hacking anything at all. They’re logging in – using real usernames and real passwords.

And that’s what makes modern cybercrime so dangerous. Attackers have figured out that breaking in is hard. Logging in is easy.

Instead of trying to defeat security systems, they steal or buy login credentials and walk right through the front door. Once inside, they look exactly like a normal employee.

Your systems don’t raise alarms because, technically, nothing unusual is happening. This shift has changed the rules of the game.

How Do Hackers Get Logins?

Most of the time, it starts outside your business. Employees reuse passwords across multiple websites. A breach at a social media platform, online retailer, or personal email account exposes those passwords. Criminals collect them, bundle them together, and sell them on underground marketplaces.

From there, automated tools try those same email-and-password combinations against business systems like Microsoft 365, Google Workspace, VPNs, and remote access portals.

If one works, they’re in. No malware. No warning pop-ups. No dramatic breach notification. Just access.

Why Small Businesses Are Prime Targets

Large companies make headlines, but small businesses are easier and more profitable targets.

Smaller organizations often assume they’re “too small to bother with.” Attackers know better.

They know smaller businesses tend to have weaker security, fewer safeguards, and limited monitoring.

Even more appealing: small businesses often serve larger ones. Law firms, accountants, manufacturers, contractors, medical offices – these are gateways to valuable data and trusted relationships.

Once attackers log in, they take their time. They read emails. They learn how invoices are sent. They figure out who approves payments. Then they strike.

That’s how wire fraud happens. That’s how fake invoices get paid. That’s how ransomware spreads quietly before detonating.

Why Passwords Alone No Longer Work

Passwords used to be enough. They aren’t anymore.

Even strong passwords fail if they’re reused or stolen somewhere else.

You can do everything “right” internally and still get compromised because the password was exposed on an unrelated site years ago.

That’s why breaches today often leave business owners stunned.

“We didn’t click anything.”

“We didn’t download anything.”

“Our antivirus never went off.”

All true – and all irrelevant. The attacker didn’t force their way in. They logged in.

The One Control That Stops Most Attacks

There’s a simple reason cybersecurity professionals push so hard for multi-factor authentication (MFA). It works.

MFA requires something you know (your password) and something you have (a phone app, text code, or hardware key). Even if a criminal has the password, they can’t complete the login without the second step.

It’s not flashy. It doesn’t feel dramatic. But it stops the vast majority of account-based attacks cold.

When businesses skip MFA because it’s “inconvenient,” they’re betting the company on convenience.

That’s rarely a good trade.

What Business Owners Should Take Away

Cybersecurity today isn’t about fighting hackers in dark basements. It’s about controlling access. Ask yourself a few simple questions:

Could someone log in as one of my employees from another country?

Are email, remote access, and cloud systems protected with MFA?

Would we even notice if someone quietly accessed our systems today?

If the answers aren’t clear, that’s a risk – not a technical problem, but a business one.

Hackers aren’t breaking in anymore. They’re logging in.

And the businesses that recognize that reality are the ones staying ahead of the next incident, instead of reacting after the damage is done.

The “Deepfake CEO” Scam: Voice Cloning Is The Next Cyber Threat

The phone rings, and it’s your boss. The voice is unmistakable; with the same flow and tone you’ve come to expect. They’re asking for a favor: an urgent wire transfer to lock in a new vendor contract or maybe sensitive client information that’s strictly confidential.

Everything about the call feels normal, and your trust kicks in immediately. It’s hard to say no to your boss, and so you begin to act.

What if this isn’t really your boss on the other end? What if every inflection, every word you think you recognize has been perfectly mimicked by a cybercriminal?

In seconds, a routine call could turn into a costly mistake; money gone, data compromised, and consequences that ripple far beyond the office.

What was once the stuff of science fiction is now a real threat for businesses. Cybercriminals have moved beyond poorly written phishing emails to sophisticated AI voice cloning scams, signaling a new and alarming evolution in corporate fraud.

How AI voice cloning changes the threat landscape

We have spent years learning how to spot suspicious emails by looking for misspelled domains, odd grammar, and unsolicited attachments. Yet we haven’t trained our ears to question the voices of people we know, and that’s exactly what AI voice cloning scams exploit.

Attackers only need a few seconds of audio to replicate a person’s voice, and they can easily acquire this from press releases, news interviews, presentations, and social media posts

A scammer doesn’t need to be a programming expert to impersonate your CEO. They only need a recording and a script.

Traditionally, business email compromise (BEC) involved compromising a legitimate email account through techniques like phishing and spoofing a domain to trick employees into sending money or confidential information. BEC scams relied heavily on text-based deception, which could be easily countered using email and spam filters.

While these attacks are still prevalent, they are becoming harder to pull off as email filters improve.

Voice cloning, however, lowers your guard by adding a touch of urgency and trust that emails cannot match.

“Vishing” (voice phishing) uses AI voice cloning to bypass the various technical safeguards built around email and even voice-based verification systems. Attackers target the human element directly by creating high-pressure situations where the victim feels they must act fast to save the day.

Challenges in audio deepfake detection

Few tools currently exist for real-time audio deepfake detection, and human ears are unreliable as the brain often fills in gaps to make sense of what we hear.

That said, there are some common tell-tale signs, such as the voice sounding slightly robotic or having digital artifacts when saying complex words. Other subtle signs you can listen for include unnatural breathing patterns, weird background noise, or personal cues such as how a particular person greets you.

Securing your company against synthetic threats

As AI tools become multimodal, we will likely see real-time video deepfakes joining these voice scams, and you will need to know how to prove that a recording is false to the press and public.

Waiting until an incident occurs means you will already be too late.

Does your organization have the right protocols to stop a deepfake attack? Contact us today to assess your vulnerabilities and secure your communications against the next generation of fraud.

Why “It Hasn’t Happened To Us (Yet!)” Is The Most Expensive IT Strategy

There’s a small word people usually leave off the end of this sentence: “It hasn’t happened to us… yet.”

Most business owners don’t say the word out loud, but it’s always there. Unspoken. Understood.

The systems are running. Email works. Files open. No one has locked up the network. No clients are calling about strange messages. So it feels safe to assume that whatever happens to other companies probably won’t happen here.

At least not anytime soon.

The problem isn’t that this thinking is reckless. It’s that it quietly assumes time is on your side.

Technology doesn’t usually fail in dramatic, movie-style fashion. It fails slowly, silently, and then all at once. Settings drift. Hardware ages. Security tools fall behind. Backups run without ever being tested. One workaround turns into a permanent solution because everyone is busy.

Nothing breaks, so nothing changes. That “yet” keeps getting pushed forward.

Then something ordinary happens on an ordinary day. A password is reused. A software update doesn’t go as planned. An employee clicks a link they’ve clicked a hundred times before. A server that’s been “fine for years” finally isn’t.

And suddenly the question becomes: Why are we dealing with this now?

The answer is almost always the same. It didn’t happen earlier, but it was always going to happen eventually.

For small and mid-sized businesses, the cost isn’t just the technical repair. That part is usually solvable. The real damage comes from everything that stacks up around it.

Work stops. Deadlines slip. Employees wait. Customers notice. Leadership gets dragged into decisions they shouldn’t be making in the middle of the day. People scramble without a plan because the plan was “we’ll deal with it if it ever comes up.”

The “yet” has arrived. What surprises most owners is how long the fallout lingers. Productivity doesn’t snap back instantly. Systems behave oddly for weeks. Data has to be verified. Trust has to be rebuilt – internally and sometimes externally. Everyone remembers how fragile things felt.

None of this happens because someone ignored a warning labeled “Disaster Ahead.” It happens because everything appeared stable enough to postpone improvements one more quarter, one more year, one more budget cycle.

Businesses that avoid this trap don’t do it by being paranoid. They do it by being realistic.

They assume failures will happen eventually and plan accordingly. They design environments that are predictable, documented, and recoverable. They test the things they hope they’ll never need. They remove single points of failure before those points get to choose the timing.

They don’t rely on luck as a business strategy. “It hasn’t happened to us yet” is a comforting thought. It feels responsible. It feels measured.

But “yet” is doing more work than most people realize.

And when that word finally cashes in, it usually does so at the worst possible time – and at a much higher cost than anyone expected.

You Absolutely Need To Back Up Your Cloud Services Like Office 365

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.
Most businesses today rely heavily on Microsoft 365 for email, documents, calendars, and collaboration. It’s the backbone of day-to-day operations.

Because Microsoft has massive data centers and strong uptime, many people assume their data is automatically “fully backed up.” That’s a dangerous assumption.

Microsoft 365 runs on a shared responsibility model. Microsoft does a great job keeping the platform running, but protecting your data is still your responsibility. In other words, they keep the lights on – but what happens to your files, emails, and Teams data is ultimately on you.

Yes, Microsoft includes some built-in safety nets. Things like file versioning in OneDrive and SharePoint, recycle bins that typically keep deleted items for up to three months, and basic retention policies can help recover from simple mistakes. Accidentally delete a file or overwrite a document? You may be able to get it back – if you catch it in time.

That “if” is the problem. Once those retention windows expire, your data is gone. There’s no rewind button. And these tools aren’t designed for full, point-in-time restores or long-term archiving across your entire environment.

Human error alone makes this risky. Someone deletes the wrong folder. An email with an important attachment is purged. A departing employee’s mailbox is removed before something critical is discovered.

These things happen every day, often without anyone realizing it until it’s too late.

Security threats raise the stakes even higher. Ransomware and account takeovers increasingly target Microsoft 365 environments through phishing and stolen credentials.

Even with good security controls in place, breaches still happen. When attackers encrypt or delete cloud data, Microsoft’s native tools don’t always provide a clean, fast way to roll everything back.

Then there are outages. While rare, Microsoft 365 service disruptions do occur. When access is interrupted, organizations without independent backups may find themselves completely stuck, unable to retrieve email, files, or records when they need them most.

Compliance requirements add another layer. Industries governed by HIPAA, GDPR, or financial regulations often need longer retention, audit trails, and reliable recovery options. Microsoft’s built-in tools help, but they’re usually not enough on their own.

That’s where third-party Microsoft 365 backups come in. Dedicated backup solutions capture your data regularly, store it independently, and let you restore exactly what you need when you need it. They’re affordable, easy to automate, and dramatically reduce risk.

Bottom line: Microsoft 365 is an excellent productivity platform, but it is not a complete backup solution. If your data matters to your business, relying on built-in tools alone is a gamble you don’t need to take.

It’s Time To Prepare For The Era Of Agentic AI

A quiet shift is happening in the digital world. But most businesses won’t notice it until it’s already reshaped how work gets done.

We’re entering the era of agentic AI. Smart, autonomous systems that don’t only assist people, but act on their behalf.

While that might sound futuristic, the foundations are already in place today.

Unlike traditional tools that wait for someone to click, type or browse, agentic AI can read data, talk to other systems, and complete entire tasks end-to-end.

It can negotiate prices, fill out forms, run processes and make decisions within rules you set.

To do that safely and effectively, it needs clean data, reliable systems and secure paths to the information it uses. That’s where lots of businesses will need to prepare.

Most companies have grown their technology stack over years, adding apps, cloud services, storage locations and workflows along the way.

It works, but it’s often messy behind the scenes. Data sits in different places. Integrations are fragile. Permissions aren’t always up to date. These things might not cause major problems today, but they’re exactly the areas agentic AI depends on.

For example, AI agents rely heavily on APIs, the simple, secure digital doors that allow one system to talk to another.

If those doors don’t exist, don’t work properly or aren’t secure, the agent’s capabilities become limited or worse, risky.

The same goes for identity management. If your business still relies on shared passwords, old login methods or inconsistent MFA, an autonomous system can only do so much safely.

Then there’s data quality. AI agents don’t guess, and they don’t “work around” human mistakes.

If your data is duplicated, inconsistent or outdated, the agent will simply act on whatever it sees. Even if that leads to poor decisions.

Good data governance suddenly becomes a business essential, not a nice-to-have.

You may also need to rethink how automations run inside your business.

Many companies already use basic workflow tools, but agentic AI expects deeper, more reliable automation pathways that don’t break the moment a system changes.

Luckily, it’s simply a case of strengthening the digital foundations you already rely on. Better identity systems, cleaner data, solid cloud infrastructure, modern security and well-designed integrations.

Agentic AI will introduce incredible opportunities, but only for businesses whose tech environments are ready for it. If you need help getting those foundations right, get in touch.