CybertronIT Blog

Cybertron has been serving the Wichita area since 1997, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

The NFL Draft Prank Call Was a Security Lesson

Every so often a very public moment shows exactly why basic security matters everywhere, not just in IT departments. The 2025 NFL Draft was one of those moments. Several prospects got prank calls during the draft, and one in particular is a clean lesson for any business. Let us walk through it.

It Started With an Unlocked Tablet

Quarterback Shedeur Sanders received a prank call live on stream from someone impersonating an NFL general manager. How did the caller get his private draft number? It was found on an unlocked iPad at a coach's home, jotted down by a family member, and used for the prank. The NFL took it seriously, fining the team 250,000 dollars and the coach 100,000. One device left unlocked, one number left visible, and it became a national story with real consequences.

Why This Is a Business Problem Too

Swap the iPad for a laptop and the phone number for a client list, a password, or a wire instruction, and this is a Tuesday at a lot of companies. The exact same chain of small failures plays out in offices constantly. Three lessons stand out.

Limit Who Can See What

This is the principle of least privilege: people, and devices, should only have access to the information they actually need. That sensitive number should never have been sitting in the open on a device a visitor could pick up. In your business, the fewer people and screens that can reach your sensitive data, the smaller the chance it walks out the door by accident.

Lock Things Down

An unlocked device is an open filing cabinet. Screens should lock automatically, accounts should require real authentication, and sensitive systems should sit behind multifactor authentication so a glance over someone's shoulder is not enough to get in. Simple habits, enforced consistently, close the door this whole incident walked through.

Recognize Impersonation for What It Is

The call worked because someone pretended to be a person of authority. That is social engineering, the same trick behind most phishing, and it does not only come by email. It is the fake call from the bank, the urgent text from the boss, the message from a vendor that is not really the vendor. Train your people to verify before they act, especially when a request is urgent or involves money or data.

Avoid the Same Mistake

A prank during a football draft is harmless compared to what the same lapses cost a business: a drained account, a data breach, a lost client. The fixes are not complicated. Limit access, lock devices, verify identities. The hard part is doing them consistently, which is where most organizations slip.

That consistency is what we provide. We build least privilege, strong authentication, and phishing awareness into how our clients operate as part of managed cybersecurity, so a small lapse does not turn into a headline. If you want to make sure your unlocked-iPad moment never happens, book a call.


The Best Hack Is the One That Never Happens

Cybersecurity has a marketing problem. When it works, nothing happens, and nothing is hard to appreciate. There is no headline for the breach you avoided, no thank-you note for the ransomware that never hit. So it is easy to treat security as a cost you could trim, right up until the day it is the only thing between you and a closed business. The whole point is the disaster you never have to live through. Here is what is actually at stake.

You Are a Target, Whether You Believe It or Not

The most expensive assumption a small business makes is "we are too small to bother with." Attackers do not hand-pick targets the way you might imagine. Much of it is automated, scanning the whole internet for any system with a weakness, and your size does not register. A smaller business with thinner defenses is often an easier score than a big one with a security team. Being overlooked is not a strategy. It is a coin flip you keep calling.

A Breach Brings the Regulators

If attackers get to sensitive data (customer records, payment details, health or financial information), the damage does not stop at cleanup. Depending on what you hold and what rules apply to you, a breach can trigger reporting obligations, investigations, and penalties. You end up paying for the incident and then paying again for the fallout. Prevention is a lot cheaper than a regulatory problem with your name on it.

Downtime Hits Everything at Once

An attack does not just expose data. It stops you working. Systems get locked, files get encrypted, and your team sits idle while you scramble to recover. Every hour down is revenue you do not earn, customers you cannot serve, and trust you have to win back later. For a lot of businesses, a long enough outage is the thing they never fully recover from.

Buy the Quiet

Real security is layered and ongoing, not a product you buy once. Monitoring that catches trouble early, patches applied before attackers find the holes, backups you have actually tested, and people trained to spot the tricks. None of it is flashy. All of it is the difference between a quiet year and a catastrophic one. The best money you spend on security is the money that buys you a year where nothing happened.

That quiet is what we sell. We handle layered cybersecurity for businesses, and where regulated data is involved we help with the compliance side too. If you are not sure your defenses would hold, the time to find out is before an attacker does. Book a call and we will take a look.


What Your Smart Devices Know About You

Almost everything ships with a connection now. Speakers, cameras, thermostats, doorbells, even refrigerators and kids' toys. Manufacturers added apps and dashboards because customers asked for them. The trouble is what comes with the convenience. A lot of these devices collect more than they need, guard it poorly, and quietly become a way into the network they sit on. Here is how the gadgets you rely on can work against your privacy, and what to do about it.

The Data Collectors You Stopped Noticing

The features that make a device smart are the same features that make it nosy. A microphone that takes voice commands is a microphone in the room. A camera that lets you check in from your phone is a camera someone else might check in on too. Many devices log far more than they need to function (location, usage patterns, audio snippets) and ship it back to servers you never see.

Read the fine print and you often find the company reserves the right to share or sell that data. The product is cheap because you are part of what is being sold. At home that is uncomfortable. In a business, where the same devices creep into break rooms, lobbies, and offices, it is a real exposure.

The Weak Link on Your Network

Here is the part most people miss. Every connected device is a small computer, and most consumer gadgets are built for price, not security. They ship with default passwords, rarely get patched, and run software the maker forgets about a year later. Attackers know this. A cheap camera or smart plug is often the easiest way onto a network, and once they are on, your laptops, servers, and files are on the same network.

This is the danger of treating a smart device as an appliance instead of an endpoint. It does not feel like a computer, so nobody manages it. It sits there with a known flaw, waiting. One unpatched gadget can undo the careful work you put into protecting everything else.

Taking Control of Your Connected Workplace

You do not have to rip every smart device out. You have to treat them like what they are. Start by knowing what is actually on your network, because you cannot protect what you have not counted. Change default passwords, turn off features and data sharing you do not use, and keep firmware current on anything that matters.

The bigger move is separation. Consumer IoT belongs on its own network segment, walled off from the machines that hold your real data. If a smart thermostat gets compromised, the damage stops at the thermostat. This is standard practice in a well-run network, and it is exactly the kind of thing that gets skipped when nobody owns the problem.
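A way to check that the separation described above actually holds, written as an added example (not Cybertron's tooling). The subnets, device names and the simplified first-match rule model are all assumptions made for illustration.

```python
import ipaddress

# Assumed layout; every address and name below is constructed.
SEGMENTS = {
    "trusted": ipaddress.ip_network("10.10.10.0/24"),  # laptops, servers, files
    "iot": ipaddress.ip_network("10.10.50.0/24"),      # consumer IoT
}
INVENTORY = [  # (name, ip, kind)
    ("front-desk-laptop", "10.10.10.21", "workstation"),
    ("file-server", "10.10.10.5", "server"),
    ("thermostat", "10.10.50.14", "iot"),
    ("breakroom-smart-plug", "10.10.10.77", "iot"),  # plugged into the wrong network
]
# Inter-segment rules as (action, source, destination); first match wins.
WEAK_RULES = [("allow", "10.10.50.0/24", "0.0.0.0/0")]  # "anywhere" includes trusted
FIXED_RULES = [("deny", "10.10.50.0/24", "10.10.10.0/24"),
               ("allow", "10.10.50.0/24", "0.0.0.0/0")]

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def permitted(rules, src, dst):
    """First matching rule decides; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "allow"
    return False

def audit(inventory, rules):
    """List IoT devices outside the IoT segment and IoT-to-trusted paths left open."""
    findings = []
    for name, ip, kind in inventory:
        if kind == "iot" and segment_of(ip) != "iot":
            findings.append(f"{name} ({ip}) is IoT but sits in segment {segment_of(ip)}")
    iot = [(n, ip) for n, ip, k in inventory if k == "iot"]
    trusted = [(n, ip) for n, ip, k in inventory if k != "iot"]
    for iname, iip in iot:
        for tname, tip in trusted:
            # Devices in the same segment never cross the firewall, so the
            # placement finding above is what covers them.
            if segment_of(iip) != segment_of(tip) and permitted(rules, iip, tip):
                findings.append(f"rules allow {iname} -> {tname}")
    return findings

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, audit(INVENTORY, rules))
```

The fixed rule set still reports the smart plug: a deny rule between segments does nothing for a device that was never moved off the trusted network, which is why the inventory step comes first.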

We handle this as part of managed cybersecurity, mapping what is connected, locking it down, and segmenting the network so a weak device cannot reach a strong one. If you are not sure what is talking to the internet from inside your walls, that is worth finding out. Book a call and we will help you take a look.


Your Stolen Passwords May Be on the Dark Web

People reuse passwords because remembering a dozen of them is a pain. The problem is that when any one of those accounts is caught in a data breach, the stolen login can end up for sale on the dark web, and from there it becomes a key someone tries against your business. The dark web sounds like a horror story, but once you understand it, it is manageable. Here is what it is and how to stay ahead of it.


Why a Password Manager Beats Sticky Notes

How many of your employees keep company passwords on sticky notes stuck to their monitors? It looks harmless, but anyone walking through the office can read them, including people who should not. Worse, the sticky note is a symptom of a deeper problem in how your business handles passwords. Here is why it happens and the system that actually fixes it.


Is Your Business FTC Safeguards Rule Compliant?

The FTC spent years handing out security advice. Under the Safeguards Rule, which comes from the Gramm-Leach-Bliley Act, that advice has become an enforceable requirement. The standard now is simple. You need protections actually in place, not plans on paper. Here is a quick way to check whether your business measures up.

Does it even apply to you?

The Rule covers businesses the FTC calls financial institutions, and that net is wider than most people expect. It includes accountants, tax preparers, auto dealers, mortgage brokers, and a long list of others that handle customer financial information, not just banks. Even if you are not formally covered, these same expectations now show up in cyber insurance applications and client contracts, so the bar tends to find you either way.

The compliance checklist

Multi-factor authentication. Any access to customer data needs more than a password. MFA is a baseline, not a nice-to-have.

Encryption. Customer data has to be scrambled beyond use without the key, both while stored and while being sent.

A designated security lead. One person has to own your security program, whether that is an internal hire or an outside provider.

An incident response plan. A written guide that walks your team from detection and containment through investigation, notification, and recovery.

Tight access. Sensitive data should only reach the people who genuinely need it for their jobs.

What it costs to ignore

Fall short and the penalties are steep, up to roughly $51,744 per violation, and that figure climbs with inflation every year. That assumes you have not been breached. If you have, and the FTC finds you were missing encryption or MFA, the exposure can run into the millions. Beyond the fines, falling short tells prospective customers you do not take their data seriously.

Compliance is not optional for a business that plans to be around. This is exactly the work we do for accounting firms and other regulated businesses around Wichita. See our IT for CPAs and accountants page, or book a call and we will check you against the Rule line by line.


The FTC Safeguards Rule: Who's Covered and What It Demands

The FTC has moved from handing out security advice to enforcing it. The Safeguards Rule, which sits under the Gramm-Leach-Bliley Act, now expects proof that you actually run a security program, not a binder of theoretical plans. If you are covered, missing the basics is no longer a gray area. It is a finding with a price tag.

Does this apply to you?

The Rule covers businesses the FTC defines as financial institutions, and that definition is broader than it sounds. It pulls in tax preparers, accountants, auto dealers, mortgage brokers, payday and finance companies, and a long list of others that handle customer financial information. So this is not only banks. If you are an accounting firm or anyone touching financial data, assume you are in scope until someone proves otherwise. And even if you are not directly covered, these same standards now show up in cyber insurance applications and client contracts, so the bar applies to you either way.

What you have to have in place

A written information security program. A real document that maps where data lives and who is allowed to touch it.

A qualified individual. Someone has to own the security program, whether that is an internal hire or an outside provider.

Encryption everywhere. Customer data has to be encrypted at rest and in transit so it stays useless to anyone who grabs it.

Multi-factor authentication and access controls. MFA on the accounts that matter, and permissions limited to what each person actually needs.

An incident response plan. A written, step-by-step playbook covering detection, containment, investigation, notification, and recovery.

What noncompliance costs

The FTC can seek penalties of up to about $51,744 per violation, and the figure climbs with inflation each year. Each missing safeguard can count as its own violation, so gaps stack. If a breach happens and the FTC finds required protections like encryption or MFA were absent, the exposure runs into the millions. Beyond the fines, meeting the standard is what tells clients you take their information seriously.

This is squarely the kind of work we do for accounting firms and other regulated businesses around Wichita. See our IT for CPAs and accountants page, or book a call and we will map your setup against what the Rule requires.


Shadow AI: How Public AI Tools Quietly Leak Your Data

Yes, AI makes people faster. That is exactly why it is already loose in your business. Someone in sales pastes a customer list into a public chatbot to sort it. Someone in operations drops in a spreadsheet to clean it up. Someone summarizes a contract. Nobody asked. Nobody meant harm. Every one of them just handed company data to a system you do not control. That is shadow AI, the AI version of shadow IT.

Why one paste becomes a permanent leak

Most free, public AI tools train on what you feed them. Your input does not just answer your question. It becomes part of the model. Picture a sales team uploading a customer list to speed up sorting. That list has company names, addresses, and financial details. Some clients are sole proprietors, so it has personal information too. Once it is in a public tool, it trains the model, and pieces of it can surface in answers given to anyone else, very possibly including your competitors. Put your own company name in that scenario and read it again. It is not a risk you can claw back once it happens.

Private AI is the locked room

Think of it as the difference between a picnic pavilion in a public park and a locked room with controlled access. Public AI tools learn from outside inputs. Private AI environments, including the enterprise versions Microsoft and other vendors offer, run under no-training terms. The data they process stays inside your organization and never touches the public model. Even then, be careful with client PII. The full picture of running AI on hardware you own is on our Private AI page.

You need an AI acceptable use policy

We are not against AI. We push clients to use it, as long as it is used safely. That starts with a written AI acceptable use policy. It names which tools are approved for company data, which are fine for general research without company data, and which are off-limits. We help businesses write that policy and get their people onto approved, secure tools.

Train the people, not just the tools

A policy nobody is trained on is a document nobody follows. Your team needs one rule cold: strip sensitive details before anything goes into a tool that is not approved to receive them. No client data. No financials. No PII. If the tool is not on the approved list, it does not get the sensitive material.
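The three-tier policy and the strip-before-you-paste rule from the two sections above can be backed by a technical check. This is an added sketch, not Cybertron's tooling; the tool names, the patterns and the sample text are all constructed for illustration.

```python
import re

# Hypothetical tool names mapped to the three tiers of the policy.
POLICY = {
    "private-assistant": "approved",     # approved for company data
    "public-chatbot": "research-only",   # general research, no company data
    "browser-ai-plugin": "off-limits",
}
PATTERNS = {  # illustrative patterns; extend for the data you actually hold
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
# Constructed sample input (no real customer data).
SAMPLE = ("Sort these: Jane Doe, jane.doe@example.com, (316) 555-0100, "
          "SSN 123-45-6789, card 4111 1111 1111 1111, order 20240117.")

def luhn_ok(candidate):
    """Card checksum, so most long order or invoice numbers are not flagged."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text):
    """Return (cleaned_text, labels_of_what_was_removed)."""
    findings = []
    for label, pattern in PATTERNS.items():
        def repl(match, label=label):
            if label == "CARD" and not luhn_ok(match.group()):
                return match.group()
            findings.append(label)
            return f"[{label} REMOVED]"
        text = pattern.sub(repl, text)
    return text, findings

def gate(tool, text):
    """Decide what, if anything, may be sent to `tool` under the policy."""
    tier = POLICY.get(tool, "off-limits")  # unlisted tools get nothing
    if tier == "off-limits":
        return {"allowed": False, "text": None, "findings": []}
    cleaned, findings = redact(text)
    # Approved tools receive the original, but findings are still reported
    # so client PII can be reviewed before it is sent.
    return {"allowed": True, "tier": tier, "findings": findings,
            "text": text if tier == "approved" else cleaned}

if __name__ == "__main__":
    for tool in POLICY:
        print(tool, gate(tool, SAMPLE))
```

Pattern matching catches structured identifiers but not names, contract language or free-form financials (the name in the sample passes through untouched), so a filter like this supports the training rather than replacing it.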

Where to start

If you do not know what your people are pasting into public AI right now, you are not alone, and that is the gap worth closing first. Want help writing an AI use policy and standing up tools your team can use safely? Book a call.
