CybertronIT Blog

Cybertron Blog

Cybertron has been serving the Wichita area since 2003, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Is Your Business FTC Safeguards Rule Compliant?

The FTC spent years handing out security advice. Under the Safeguards Rule, which comes from the Gramm-Leach-Bliley Act, that advice has become an enforceable requirement. The standard now is simple. You need protections actually in place, not plans on paper. Here is a quick way to check whether your business measures up.

Does it even apply to you?

The Rule covers businesses the FTC calls financial institutions, and that net is wider than most people expect. It includes accountants, tax preparers, auto dealers, mortgage brokers, and a long list of others that handle customer financial information, not just banks. Even if you are not formally covered, these same expectations now show up in cyber insurance applications and client contracts, so the bar tends to find you either way.

The compliance checklist

Multi-factor authentication. Any access to customer data needs more than a password. MFA is a baseline, not a nice-to-have.

Encryption. Customer data has to be scrambled beyond use without the key, both while stored and while being sent.

A designated security lead. One person has to own your security program, whether that is an internal hire or an outside provider.

An incident response plan. A written guide that walks your team from detection and containment through investigation, notification, and recovery.

Tight access. Sensitive data should only reach the people who genuinely need it for their jobs.

What it costs to ignore

Fall short and the penalties are steep, up to roughly $51,744 per violation, and that figure climbs with inflation every year. That assumes you have not been breached. If you have, and the FTC finds you were missing encryption or MFA, the exposure can run into the millions. Beyond the fines, falling short tells prospective customers you do not take their data seriously.

Compliance is not optional for a business that plans to be around. This is exactly the work we do for accounting firms and other regulated businesses around Wichita. See our IT for CPAs and accountants page, or book a call and we will check you against the Rule line by line.

The FTC Safeguards Rule: Who's Covered and What It Demands

The FTC has moved from handing out security advice to enforcing it. The Safeguards Rule, which sits under the Gramm-Leach-Bliley Act, now expects proof that you actually run a security program, not a binder of theoretical plans. If you are covered, missing the basics is no longer a gray area. It is a finding with a price tag.

Does this apply to you?

The Rule covers businesses the FTC defines as financial institutions, and that definition is broader than it sounds. It pulls in tax preparers, accountants, auto dealers, mortgage brokers, payday and finance companies, and a long list of others that handle customer financial information. So this is not only banks. If you are an accounting firm or anyone touching financial data, assume you are in scope until someone proves otherwise. And even if you are not directly covered, these same standards now show up in cyber insurance applications and client contracts, so the bar applies to you either way.

What you have to have in place

A written information security program. A real document that maps where data lives and who is allowed to touch it.

A qualified individual. Someone has to own the security program, whether that is an internal hire or an outside provider.

Encryption everywhere. Customer data has to be encrypted at rest and in transit so it stays useless to anyone who grabs it.

Multi-factor authentication and access controls. MFA on the accounts that matter, and permissions limited to what each person actually needs.

An incident response plan. A written, step-by-step playbook covering detection, containment, investigation, notification, and recovery.

What noncompliance costs

The FTC can seek penalties of up to about $51,744 per violation, and the figure climbs with inflation each year. Each missing safeguard can count as its own violation, so gaps stack. If a breach happens and the FTC finds required protections like encryption or MFA were absent, the exposure runs into the millions. Beyond the fines, meeting the standard is what tells clients you take their information seriously.

This is squarely the kind of work we do for accounting firms and other regulated businesses around Wichita. See our IT for CPAs and accountants page, or book a call and we will map your setup against what the Rule requires.

Shadow AI: How Public AI Tools Quietly Leak Your Data

Yes, AI makes people faster. That is exactly why it is already loose in your business. Someone in sales pastes a customer list into a public chatbot to sort it. Someone in operations drops in a spreadsheet to clean it up. Someone summarizes a contract. Nobody asked. Nobody meant harm. Every one of them just handed company data to a system you do not control. That is shadow AI, the AI version of shadow IT.

Why one paste becomes a permanent leak

Most free, public AI tools train on what you feed them. Your input does not just answer your question. It becomes part of the model. Picture a sales team uploading a customer list to speed up sorting. That list has company names, addresses, and financial details. Some clients are sole proprietors, so it has personal information too. Once it is in a public tool, it trains the model, and pieces of it can surface in answers given to anyone else, very possibly including your competitors. Put your own company name in that scenario and read it again. It is not a risk you can claw back once it happens.

Private AI is the locked room

Think of it as the difference between a picnic pavilion in a public park and a locked room with controlled access. Public AI tools learn from outside inputs. Private AI environments, including the enterprise versions Microsoft and other vendors offer, run under no-training terms. The data they process stays inside your organization and never touches the public model. Even then, be careful with client PII. The full picture of running AI on hardware you own is on our Private AI page.

You need an AI acceptable use policy

We are not against AI. We push clients to use it, as long as it is used safely. That starts with a written AI acceptable use policy. It names which tools are approved for company data, which are fine for general research without company data, and which are off-limits. We help businesses write that policy and get their people onto approved, secure tools.

Train the people, not just the tools

A policy nobody is trained on is a document nobody follows. Your team needs one rule cold: strip sensitive details before anything goes into a tool that is not approved to receive them. No client data. No financials. No PII. If the tool is not on the approved list, it does not get the sensitive material.

Where to start

If you do not know what your people are pasting into public AI right now, you are not alone, and that is the gap worth closing first. Want help writing an AI use policy and standing up tools your team can use safely? Book a call.

How to Ditch Sticky Note Passwords for Good

How many employees do you have who keep your company’s passwords on sticky notes stuck to their monitors? This simple, seemingly benign trick could be putting your business at risk. After all, if you can see the password on a sticky note, so too can others who happen to be wandering around the office—including potential threat actors.

The Dark Web is Scary (But It Doesn’t Have to Be)

It’s easy for employees to reuse passwords just to make things easier for themselves; after all, why use different passwords when you have a dozen accounts to remember passwords for? Unfortunately, this habit will come back to bite you, especially if your business is ever involved in a data breach. These credentials could be put up for sale on the dark web… and that’s just the beginning of your problems.

Smart Devices are Undermining Your Privacy

At a time when Internet connectivity is so important, manufacturers have met this demand by creating products that connect to apps or other Internet-based dashboards. Unfortunately for users, there is a lot that can go wrong when organizational practices don’t do enough to protect their customers’ privacy, or simply look to exploit it. Let’s take a look at how the smart devices you depend on can be undermining your family’s privacy.

Cybersecurity Will Save Your Business, One Prevented Hack at a Time

When it comes to cybersecurity, businesses have a lot to keep tabs on—even a small business like yours. In fact, you wouldn’t believe just how much goes into cybersecurity and why your organization needs to make it a priority. Today, we want to convince you that cybersecurity is more than just a buzzword on the Internet; it’s a lifeline that will keep your company secure.

2025’s NFL Draft Showed Why Cybersecurity is Important Everywhere

Every so often we get a very clear example of how important basic cybersecurity is, regardless of where you are, and this year’s National Football League draft is one such example.

For those who don’t follow the NFL or the draft proceedings, multiple draftees received prank calls during the process, although one in particular is applicable to businesses of all kinds. Let’s examine this situation to reinforce a few critical cybersecurity best practices.
