// FAQ Hub · 2026 Edition · 60+ Questions

FREQUENTLY ASKED QUESTIONS.

The consolidated FAQ for North Central Florida small businesses considering managed IT, cybersecurity, Microsoft 365, cloud, business communications, compliance, or AI from Simply IT. Sixty questions across six categories — answered honestly, vendor-neutral on facts, with Simply IT pricing and posture surfaced where it's the natural fit. Written by a veteran-owned managed IT provider headquartered in Ocala, FL.

By Steve Condit, USMC Veteran · 30+ yrs IT · Published 2026-05-13 · Updated 2026-05-13
// 01

MANAGED IT.

What is managed IT?
Managed IT is a flat-fee service in which an outside provider takes ongoing responsibility for a business's technology — monitoring, patching, helpdesk, security tooling, backup, vendor coordination, and strategic guidance — for a predictable monthly price per user. It's the modern replacement for the old “break-fix” model where you only call IT when something is on fire. Managed IT shifts incentives: the provider is paid the same whether things break or not, so the provider invests in prevention and proactive maintenance.
How much does managed IT cost per user per month in Florida?
In North Central Florida the market range is roughly $100–$200 per user per month depending on the security and compliance posture included. Simply IT's published pricing is $75 (Simply Managed — core IT), $125 (Simply Secure — IT plus a full security stack), and $150 (Simply Compliant — adds HIPAA / FTC / FL Bar alignment and documentation) per user per month. There are no long-term contracts.
Is managed IT worth it for a 5-person business?
Usually yes. At 5 people, the labor cost of one staff member spending 30 minutes a week fighting printers, password resets, and PC issues already exceeds a managed IT contract — and that ignores the security and backup risk you're absorbing personally. Simply IT prices managed IT per user so a 5-person business can buy real managed IT (monitoring, patching, EDR, backup) at the same per-user economics as a 50-person business.
What's included in a flat-fee managed IT contract?
At minimum: 24/7 monitoring of servers and endpoints, automated patching, helpdesk for end users, antivirus or EDR, basic backup, and vendor coordination with your ISP and software vendors. Better-tier plans add: phishing-resistant email security, MFA enforcement, security awareness training, encrypted offsite backup with tested restores, written incident response plan, and strategic IT roadmap reviews. The exact line items vary by provider — always ask for the line-item scope before signing.
How is managed IT different from break-fix?
Break-fix bills by the hour when something fails — the provider only earns revenue when you have a problem, which creates the wrong incentive. Managed IT bills a flat per-user fee whether anything breaks or not, which incentivizes the provider to prevent problems in the first place. Break-fix made sense in 1998 when IT was simpler and security wasn't a daily threat. In 2026, with ransomware, cyber insurance requirements, and 60-day breach-notification clocks, break-fix is no longer a defensible model for any business that depends on its data.
Can I switch IT providers without losing data?
Yes — if it's done right. A clean transition involves an inventory phase (documenting every system, every admin credential, every vendor account, every backup target), an admin handoff phase (transferring or rotating credentials, migrating tenants if needed), and a stabilization phase (the new provider runs in parallel for a couple of weeks before full cutover). Simply IT's standard MSP onboarding includes this transition plan at no extra charge. Data loss during MSP changes happens when the transition is rushed or undocumented, not because it's inherently risky.
How long does MSP onboarding take?
For a typical 5–25-user business, full onboarding takes 2–4 weeks. Week 1: documentation and inventory, agent deployment, admin credential rotation. Week 2: security baseline (MFA enforcement, EDR rollout, email security, backup verification). Weeks 3–4: stabilization, end-user training, and the first quarterly business review. Simply IT charges no separate onboarding fee for standard onboarding — it's built into the flat monthly price.
Do I need a long-term contract with a managed IT company?
No, and you should be skeptical of providers who insist on 3-year terms. Simply IT operates on month-to-month service with no long-term contract. If a provider's service is good, you won't leave; if it's bad, a long-term contract is exactly the wrong thing to sign. Some providers will discount for annual prepayment, which is reasonable — but that's different from a multi-year lock-in.
What's an SLA and does Simply IT have one?
An SLA (Service Level Agreement) is the written commitment to response and resolution times for support tickets — typically tiered by severity (critical, high, normal, low). Yes, Simply IT publishes an SLA: critical incidents (business stopped, security breach) get a 15-minute response 24/7; high-priority issues respond within 1 business hour; standard tickets respond within 4 business hours. SLA terms are in the master service agreement and are part of every signed contract.
Does Simply IT serve businesses outside Ocala?
Yes. Simply IT is headquartered in Ocala, FL and serves businesses across North Central Florida — Marion, Alachua, Lake, Sumter, Citrus, Levy, and Putnam counties — including The Villages (45 min south), Gainesville (40 min north), Lady Lake, Belleview, Dunnellon, Lecanto, Inverness, and the surrounding region. For remote-friendly clients, Simply IT also supports multi-location businesses with offices anywhere in Florida and a primary operations base in our service area.
// 02

CYBERSECURITY.

Why is cybersecurity important for a small business?
Because small businesses are now the primary target of ransomware and business email compromise — not because they're valuable individually, but because they're soft and there are millions of them. Verizon's annual Data Breach Investigations Report has consistently shown that 40–60% of breach victims are businesses with fewer than 1,000 employees. The average ransomware recovery cost for a small business is well into six figures, and roughly 60% of small businesses that suffer a major breach close within a year. Cybersecurity at a small business is no longer optional; it's a survival baseline.
What is multi-factor authentication and why do I need it?
Multi-factor authentication (MFA) means logging in requires more than just a password — typically a one-time code from a phone app (Microsoft Authenticator, Authy, Duo) or a hardware key. Microsoft's own research has shown that MFA blocks 99.9% of automated credential-stuffing attacks. Every email account, every remote-access entry point, every cloud service that holds sensitive data should have MFA enforced. It's the single highest-ROI security control any business can deploy, and most cyber insurance carriers now require it before binding or renewing coverage.
What is endpoint detection and response (EDR)?
EDR is the modern replacement for legacy antivirus. Traditional antivirus matched files against a list of known malicious signatures — useless against ransomware that mutates its signature on every run. EDR watches the behavior of running processes (what files they touch, what network connections they open, what registry keys they modify) and isolates suspicious behavior before it spreads. Leading EDR products include Microsoft Defender for Business, SentinelOne, CrowdStrike, and Huntress. Every workstation and server in a business should be running EDR — antivirus alone is no longer sufficient.
How do I protect my business from ransomware?
Five controls in priority order: (1) MFA on every account, especially email and remote access. (2) EDR on every endpoint and server. (3) Tested, immutable backups stored offsite — quarterly restore drills, not just “backup ran” reports. (4) Email security with attachment sandboxing and DMARC enforcement. (5) Security awareness training plus monthly phishing simulations. Ransomware almost always enters via phishing or unpatched remote access; these five controls close the most-used paths. The Simply Secure tier includes all five.
What is business email compromise (BEC)?
BEC is the attack where a criminal compromises (or convincingly impersonates) a real email account inside a business and uses it to redirect a wire transfer, payroll deposit, or vendor payment. The FBI's Internet Crime Complaint Center has consistently reported BEC as the single most financially damaging cybercrime category — multi-billion dollars per year in U.S. losses. The defenses: MFA on email, DMARC/DKIM/SPF on your domain, banking workflows that require out-of-band verification for any changed payment instructions, and trained staff who know to verify changes by phone, never by email reply.
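The "DMARC/DKIM/SPF on your domain" defense only stops spoofing when the records actually enforce. The following added example (not Simply IT's tooling) evaluates a domain's published SPF and DMARC records for the enforcement gaps that leave a domain spoofable: SPF softfail, DMARC `p=none`, partial `pct`, and missing reporting. The domains and TXT records are constructed, and the lookup is a callable so the constructed table can be swapped for a real DNS resolver.

```python
"""Check whether a domain's SPF and DMARC records are actually enforcing.

A p=none DMARC record is monitor-only: spoofed mail is still delivered.
Enforcement means p=reject (or at least p=quarantine) at pct=100 and an
SPF record ending in a hard fail (-all).  The lookup is a callable so the
constructed table below can be swapped for a real resolver.
"""

# Constructed sample TXT records for fictional domains (not real DNS data).
SAMPLE_TXT = {
    # Monitor-only posture: common after a first DMARC rollout.
    "example-practice.test": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-practice.test": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example-practice.test"
    ],
    # Enforcing posture.
    "example-firm.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-firm.test": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-firm.test"
    ],
    # Partial rollout: quarantine applied to only 25% of failing mail, no reports.
    "example-shop.test": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.example-shop.test": ["v=DMARC1; p=quarantine; pct=25"],
}


def sample_lookup(name: str) -> list[str]:
    """Stand-in for a TXT lookup; returns [] when the name has no record."""
    return SAMPLE_TXT.get(name.lower(), [])


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt_lookup=sample_lookup) -> list[str]:
    """Return a list of findings; an empty list means SPF and DMARC enforce."""
    findings = []

    # SPF: exactly one v=spf1 record, terminated by -all.
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    else:
        terminal = spf[0].split()[-1].lower()
        if terminal == "~all":
            findings.append("SPF: ends in ~all (softfail); -all is required for enforcement")
        elif terminal in ("+all", "all"):
            findings.append("SPF: ends in +all, which authorizes any sender")
        elif terminal != "-all":
            findings.append("SPF: no terminal 'all' mechanism; unlisted senders are not rejected")

    # DMARC: policy must be reject (quarantine is partial), applied to 100% of mail.
    dmarc = [r for r in txt_lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record published")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; p=reject is full enforcement")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100  # receivers fall back to the default when pct is malformed
            findings.append("DMARC: pct= is not an integer; receivers default to 100")
        if policy != "none" and pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")

    return findings


def is_enforcing(domain: str, txt_lookup=sample_lookup) -> bool:
    """True only when no enforcement gap was found."""
    return not assess_domain(domain, txt_lookup)


if __name__ == "__main__":
    for d in ("example-practice.test", "example-firm.test", "example-shop.test"):
        print(d, "ENFORCING" if is_enforcing(d) else "GAPS")
        for f in assess_domain(d):
            print("  -", f)
```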
Does my business need security awareness training?
Yes — and most cyber insurance carriers now require it for binding or renewal. The training needs to be ongoing (annual at minimum), include phishing simulations (monthly is the modern norm), and produce documented completion records. Products like KnowBe4, Hoxhunt, and Microsoft Defender Attack Simulator are common choices. Simply Secure and Simply Compliant tiers include KnowBe4-style training and monthly phishing simulations as part of the flat monthly fee.
What is a written incident response plan?
A one-to-two page document that tells the business what to do in the first 60 minutes of a suspected security incident — who to call first (cyber insurance hotline, always), what to disconnect, what to document, and who is in charge of communications. The plan's value is not strategic; it's tactical. When the office manager is in fight-or-flight mode at 3pm on a Tuesday, they don't need to think — they need to read the plan. Simply IT provides a one-page IR plan template as part of standard onboarding.
Does cyber insurance require specific security controls?
Yes. As of 2026, every major carrier (Coalition, Travelers, AIG, Chubb, Beazley, AmTrust, Hartford) requires a baseline set of controls before binding or renewing a policy. The list varies slightly per carrier, but the consolidated core is: MFA on email and remote access, EDR on endpoints, tested encrypted backup, email security gateway, patch management, security awareness training, written IR plan, vendor / BAA tracking, network segmentation, and privileged account management. Businesses without these controls are seeing premium increases of 25–100% at renewal or being declined outright.
What are the 10 cyber insurance controls underwriters now demand?
(1) Multi-factor authentication on email, remote access, and admin accounts. (2) Endpoint detection and response (EDR) on every workstation and server. (3) Email security gateway with attachment sandboxing and DMARC enforcement. (4) Tested encrypted backup following 3-2-1 with immutable cloud target. (5) Patch and vulnerability management on a controlled cadence. (6) Annual security awareness training plus monthly phishing simulations. (7) Written incident response plan. (8) Vendor inventory and BAA tracking. (9) Network segmentation between user, guest, and sensitive systems. (10) Privileged account management with separate admin credentials. These ten are also a clean operational floor for HIPAA-aligned IT.
How does Simply IT respond to a cyberattack at 3am?
Critical security incidents trigger our 15-minute 24/7 response SLA. The on-call engineer engages, contains the affected systems, and walks the client through the first-hour actions in their written IR plan — including the critical step of calling the cyber insurance hotline before doing anything else (this preserves attorney-client privilege over the investigation). From there we coordinate with the carrier's breach coach, forensics team, and the client's leadership on containment, recovery, and regulatory notification timing. Veteran-owned, headquartered in Ocala, on-call every night of the year.
// 03

MICROSOFT 365 & CLOUD.

What is Microsoft 365 and which version do I need?
Microsoft 365 is a subscription bundle that includes Outlook, Word, Excel, PowerPoint, Teams, OneDrive, SharePoint, and (in higher tiers) device management and advanced security. For a typical small business: Business Basic (web/mobile apps only, no desktop install) is rarely the right answer; Business Standard (desktop apps + Teams) fits most general office work; Business Premium (adds Defender, Intune, Azure Information Protection) is the right tier for anyone handling regulated data — medical, legal, financial, or anyone subject to cyber insurance control requirements.
How much does Microsoft 365 cost for a small business?
Microsoft's commercial list prices in 2026 are roughly $7.50 per user/month for Business Basic, $15 per user/month for Business Standard, and $27 per user/month for Business Premium (annual commitment). Nonprofit eligible 501(c)(3) organizations get Business Basic FREE for up to 300 users, Business Standard FREE for up to 300 users, and Business Premium at $6 per user/month. Simply IT licenses Microsoft 365 at the same Microsoft list price and includes setup, BAA activation where applicable, MFA enforcement, and Conditional Access policy configuration.
Is Microsoft 365 HIPAA-compliant?
Microsoft 365 Business Basic, Standard, and Premium are HIPAA-eligible through Microsoft's standard Online Services Terms — but only when the Business Associate Agreement (BAA) is explicitly activated in the admin console. The BAA is not automatically in effect. In our experience auditing Florida medical practices, the M365 BAA-not-activated gap is the single most common HIPAA documentation finding. Activation is free; it's just a documentation step. After activation, the practice still needs to configure MFA, Conditional Access (Premium), Defender for Business (Premium), and audit log retention.
What is the Microsoft 365 BAA and how do I activate it?
The Microsoft 365 Business Associate Agreement binds Microsoft to the HIPAA Security Rule and Privacy Rule obligations for the PHI stored in your tenant. To activate: log into the Microsoft 365 admin center → Settings → Org Settings → Services → search for “Business Associate Agreement” or attest under the Microsoft Online Services Terms. There is no cost. Until it's activated, the tenant is technically not a HIPAA Business Associate of yours and the email service is not properly covered for PHI use. Simply IT activates this on every healthcare client tenant as a standard part of onboarding.
Does Microsoft back up my data?
Microsoft 365 has redundancy and short-term retention — but it is not a substitute for backup. Microsoft's Shared Responsibility Model is explicit: Microsoft is responsible for infrastructure uptime and durability; the customer is responsible for protection against accidental deletion, malicious deletion, ransomware, and long-term retention. Every business storing important data in M365 should run a third-party backup of Exchange, OneDrive, SharePoint, and Teams — common products include Datto SaaS, Acronis, Barracuda, and Dropsuite. Simply IT includes M365 backup on Simply Secure and Simply Compliant tiers.
What's the difference between Microsoft 365 Business Standard and Premium?
Standard ($15) gives you the Office desktop apps, Exchange email, Teams, SharePoint, and OneDrive. Premium ($27) adds: Microsoft Defender for Business (EDR), Intune (mobile device and PC management), Azure Information Protection (data classification and DLP), Conditional Access policies, and Windows 11 Pro upgrade rights. For any business subject to HIPAA, FTC Safeguards, or cyber insurance control requirements, Premium is the right tier — the extra $12/user/month is dramatically less than buying those security tools separately.
Can my nonprofit get Microsoft 365 for free?
Yes, if your nonprofit is a verified 501(c)(3) (or international equivalent). Microsoft offers Business Basic FREE for up to 300 users, Business Standard FREE for up to 300 users, and Business Premium at a deeply discounted $6 per user/month. You apply through Microsoft Nonprofit Center using your IRS determination letter and EIN. Verification typically takes 5–10 business days. Simply IT helps nonprofit clients through verification at no charge as part of onboarding.
What is Microsoft Defender for Business?
Defender for Business is Microsoft's endpoint detection and response (EDR) product for small businesses — it's included in Microsoft 365 Business Premium and also sold standalone at roughly $3 per user/month. It provides behavioral analysis, automated investigation and response, threat hunting, attack surface reduction rules, and integration with the broader Microsoft Defender security stack. For most small businesses already on Microsoft 365, Defender for Business via Premium is the simplest, most cost-effective EDR deployment available.
Can Simply IT migrate us from Google Workspace to Microsoft 365?
Yes — Workspace-to-M365 migrations are routine. A typical 10–25-user migration takes 2–4 weeks: discovery and tenant setup, mailbox migration (using Microsoft's native migration tools or BitTitan MigrationWiz), Drive-to-OneDrive/SharePoint migration, calendar and contacts, and user cutover with parallel-running grace period. We handle DNS cutover, end-user training, and the first month of stabilization support. Pricing is project-based and quoted after a discovery call; for existing managed IT clients there's no separate migration fee on most migrations under 25 users.
What is Microsoft Azure and do I need it?
Azure is Microsoft's cloud platform for hosting virtual servers, databases, file storage, application backends, AI services, and identity infrastructure. Most small businesses don't directly consume raw Azure — they consume Microsoft 365 (which runs on Azure under the hood). Businesses that need Azure directly: those running a legacy line-of-business application that needs a Windows Server, those modernizing a database, those building custom apps, and those doing AI/ML work that needs GPU compute. Simply IT designs and operates Azure environments for clients where it fits — without it, most small businesses don't need to think about Azure at all.
// 04

COMMUNICATIONS & VOIP.

What is VoIP?
VoIP (Voice over Internet Protocol) is business phone service delivered over your internet connection instead of traditional copper phone lines. Calls travel as data packets to a cloud-hosted phone system, which routes them to desk phones, softphone apps on PCs, and mobile apps on staff phones. The advantages over a traditional on-premises PBX are dramatic: far lower cost, no on-site phone hardware to maintain, the same phone number rings wherever a staff member is, full integration with Microsoft Teams or other collaboration platforms, and remote work just works.
How much does business VoIP cost per user?
Mid-market business VoIP runs roughly $20–$40 per user per month depending on features. Microsoft Teams Phone (when added to an existing Microsoft 365 Business Premium tenant) is $8 per user/month for the Teams Phone license plus a calling plan ($12/month for domestic US calling on most Microsoft plans). Standalone hosted VoIP providers like RingCentral, Nextiva, and 8x8 typically price between $25 and $40 per user/month for business tiers. Simply IT recommends Teams Phone for most Microsoft 365 clients — fewer moving parts, single login, single bill.
Can I keep my existing phone numbers when switching to VoIP?
Yes — number porting is standard and required by FCC rules. The porting process takes 7–14 business days for most local numbers and 4–6 weeks for toll-free numbers. The key gotchas: don't cancel your old carrier until after the port completes (cancellation kills the port), make sure the porting paperwork uses the exact business name and address as on file with the old carrier, and plan the cutover for a slow business day. Simply IT manages the entire porting process for every VoIP migration we do.
Is Microsoft Teams Phone a real replacement for a business phone system?
Yes, for most small and mid-sized businesses. Teams Phone supports auto-attendants, call queues, hold music, voicemail-to-email transcription, call recording, E911, Direct Routing for advanced setups, and integration with Microsoft Outlook contacts and Teams chat. The gaps versus a dedicated PBX are narrow now: very high call-volume contact centers, unusual industry-specific integrations (medical answering services, legal-specific recording), and businesses that already have a deep investment in a specific PBX ecosystem. For most general-purpose small business use, Teams Phone is the simplest deployment.
Do I need to upgrade my internet for VoIP?
Usually no, but you should verify. A typical concurrent VoIP call uses about 100 kbps of upload bandwidth. A 10-person office where all 10 are on calls simultaneously needs about 1 Mbps of upload — well within the capacity of any modern business internet connection. The real requirement is not bandwidth but quality of service (QoS) on your network — voice traffic should be prioritized over file downloads so that a Windows update doesn't degrade an active call. Simply IT configures QoS as part of every VoIP deployment.
Does VoIP work during a power outage?
Not on its own — VoIP requires power for the desk phone and the office internet equipment, and internet for the call routing. The mitigations: UPS battery backup on the router and switch (60–90 minutes for typical small offices), automatic failover to cellular for staff (the same VoIP softphone app on phones keeps working over LTE/5G), and call-forwarding rules that route incoming calls to mobile numbers if the office disconnects. Simply IT configures all three as part of standard VoIP deployment for businesses that can't miss a call.
Is call recording legal in Florida?
Florida is a two-party consent state under F.S. 934.03 — meaning all parties on a call must consent to being recorded. In practice, businesses comply with a recorded announcement (“This call may be monitored or recorded for quality assurance”) at the start of incoming calls, and clear notification on outbound calls. Implementing the announcement is a routine configuration step in any business VoIP system. Simply IT configures the Florida-appropriate two-party-consent notification as part of every VoIP deployment for Florida-based businesses.
What is E911 and why does it matter for VoIP?
E911 (Enhanced 911) is the system that automatically routes a 911 call to the correct local dispatch center and provides the caller's physical address. With traditional copper phone lines, E911 just works — the phone line is registered to a physical address. With VoIP, a phone can physically be anywhere with internet, so the system must be configured to provide the correct physical address per phone and per location. Misconfigured E911 is both a regulatory and a safety problem. Simply IT configures E911 location data on every VoIP deployment per FCC Kari's Law and RAY BAUM's Act requirements.
How long does a VoIP migration take?
For a typical 5–25-user office, end-to-end migration takes 3–4 weeks: week 1 discovery and design, week 2 porting paperwork submitted and phones ordered, week 3 phones provisioned and tested on a parallel pilot, week 4 cutover and number port. The cutover itself is usually a 30-minute window on a low-volume day. Most of the calendar time is waiting on the porting carriers — the actual technical work is straightforward. Simply IT manages the full project end to end including porting, configuration, training, and cutover support.
Does Simply IT install VoIP for businesses in Ocala?
Yes. VoIP is a core service line, and Simply IT's headquarters in Ocala, FL makes us a natural fit for Marion County and surrounding North Central Florida businesses. We design, install, and support VoIP — Microsoft Teams Phone or hosted VoIP from carriers like RingCentral / Nextiva — for clients in Ocala, The Villages, Gainesville, Lady Lake, Belleview, Dunnellon, Lecanto, Inverness, and the wider region. On-site for installation and cutover, remote for ongoing support and changes.
// 05

COMPLIANCE.

Does my Florida medical practice need a HIPAA BAA with its IT company?
Yes, if the IT provider has any direct or potential access to systems containing protected health information (PHI) — which essentially every managed IT provider does. The Business Associate Agreement is required under 45 CFR 164.308(b) and 164.314(a). Without a signed BAA, your IT provider is an unauthorized PHI handler and you have a documented HIPAA gap. Simply IT signs a BAA with every healthcare client as a standard part of onboarding — not as an extra. See our HIPAA Cybersecurity Guide for Florida Medical Practices for the full breakdown.
What is the FTC Safeguards Rule and does it apply to my accounting firm?
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions — broadly defined to include accountants, CPAs, tax preparers, and many financial-services firms — to implement and document a written information security program. The 2023 amendments raised the bar significantly: nine specific control areas, mandatory designation of a Qualified Individual responsible for the program, mandatory annual reporting to the firm's board or owners, and breach notification within 30 days. Most North Central Florida accounting firms we audit are out of compliance — typically because nobody has yet built the written program the Rule requires.
What is the Florida Bar Rule 4-1.6 cybersecurity duty?
Florida Bar Rule 4-1.6(e) imposes an affirmative duty on Florida attorneys to make reasonable efforts to prevent unauthorized access to or disclosure of confidential client information. Comments to the Rule make clear this includes cybersecurity controls appropriate to the firm's practice — encryption, access controls, secure file transfer, vendor management with confidentiality protections, and training. The Florida Bar has issued ethics opinions (Op. 10-2, Op. 12-3) reinforcing the duty. Practical translation: a Florida law firm without MFA, encryption, EDR, and trained staff is taking on ethics risk in addition to operational risk.
How often do I need a HIPAA security risk analysis?
Annually, at minimum, and after any significant change to the practice's information systems (new EHR, major office move, merger, new clinical workflow involving PHI). It's required under 45 CFR 164.308(a)(1)(ii)(A) and is one of the most-cited OCR enforcement findings — practices that have never documented one are exposed even if every other safeguard is in place. HHS publishes the free Security Risk Assessment Tool. Simply IT conducts and documents the annual risk analysis for every Simply Compliant healthcare client.
What is a Written Information Security Program (WISP)?
A Written Information Security Program (WISP) is the documented set of administrative, physical, and technical safeguards a business has in place to protect sensitive information. The IRS requires tax preparers to maintain one. The FTC Safeguards Rule requires financial institutions to maintain one. Massachusetts and several other states require any business handling state-resident personal data to maintain one. A practical WISP is a 10–20 page document covering scope, risk assessment, controls, training, vendor management, incident response, and the schedule for annual review. Simply IT drafts and maintains the WISP for every Simply Compliant client.
What is FIPA and how is it different from HIPAA?
FIPA is the Florida Information Protection Act (F.S. 501.171), Florida's state-level data breach notification law. It applies to all Florida businesses (not just healthcare) holding personal information of Florida residents. The key practical difference from HIPAA: FIPA requires notification of affected Florida residents and the Florida Department of Legal Affairs within 30 days of breach discovery — significantly faster than HIPAA's 60-day federal timeline. Any breach affecting 500+ Florida residents triggers both notifications simultaneously. The shorter FIPA clock is usually the binding constraint.
How long do I have to report a data breach in Florida?
For breaches affecting 500+ Florida residents: 30 days from discovery, per FIPA (F.S. 501.171), to notify both the affected residents and the Florida Department of Legal Affairs. For healthcare breaches under HIPAA: 60 days to affected individuals; for breaches affecting 500+ individuals, HHS within 60 days; for smaller breaches, HHS in an annual roll-up by March 1 of the following year. For FTC-regulated breaches (financial institutions under the amended Safeguards Rule): 30 days to the FTC. Most real-world Florida breaches trigger more than one timeline — the shortest controls.
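The "shortest clock controls" rule is easiest to see worked through for a specific incident. The following added example (not Simply IT's tooling) encodes the notification timelines exactly as this answer states them, computes every deadline an incident triggers from the discovery date and affected counts, and identifies the binding one. The discovery date and counts are constructed inputs; the thresholds follow this answer's summary, not an independent legal analysis.

```python
"""Work out which breach-notification clock binds, using the timelines this
FAQ lists: FIPA (30 days, 500+ Florida residents), HIPAA (60 days to
individuals; HHS within 60 days at 500+, otherwise the annual roll-up by
March 1 of the following year) and the amended FTC Safeguards Rule (30 days).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Deadline:
    regime: str
    recipient: str
    due: date


def hhs_annual_rollup(discovered: date) -> date:
    """HIPAA breaches under 500 individuals go to HHS by March 1 of the next year."""
    return date(discovered.year + 1, 3, 1)


def notification_deadlines(discovered: date, fl_residents: int,
                           hipaa_individuals: int, ftc_covered: bool) -> list[Deadline]:
    """Return every deadline the incident triggers, earliest first.

    fl_residents:      affected Florida residents (this FAQ states the 500+ case)
    hipaa_individuals: individuals whose PHI was breached (0 if no PHI involved)
    ftc_covered:       True for firms under the FTC Safeguards Rule
    """
    deadlines = []

    # FIPA: 30 days to residents and to the Department of Legal Affairs at 500+.
    if fl_residents >= 500:
        due = discovered + timedelta(days=30)
        deadlines.append(Deadline("FIPA", "affected Florida residents", due))
        deadlines.append(Deadline("FIPA", "Florida Department of Legal Affairs", due))

    # HIPAA: 60 days to individuals; HHS timing depends on the 500 threshold.
    if hipaa_individuals > 0:
        sixty = discovered + timedelta(days=60)
        deadlines.append(Deadline("HIPAA", "affected individuals", sixty))
        if hipaa_individuals >= 500:
            deadlines.append(Deadline("HIPAA", "HHS", sixty))
        else:
            deadlines.append(Deadline("HIPAA", "HHS annual roll-up",
                                      hhs_annual_rollup(discovered)))

    # FTC Safeguards Rule (2023 amendments): 30 days to the FTC.
    if ftc_covered:
        deadlines.append(Deadline("FTC Safeguards", "FTC", discovered + timedelta(days=30)))

    return sorted(deadlines, key=lambda d: d.due)


def binding_deadline(deadlines: list[Deadline]):
    """The shortest clock controls the response timeline; None if nothing applies."""
    return deadlines[0] if deadlines else None


if __name__ == "__main__":
    # Constructed incident: a practice discovers a breach on 2026-05-13 that
    # exposes PHI of 600 patients, all Florida residents.
    found = date(2026, 5, 13)
    for d in notification_deadlines(found, fl_residents=600, hipaa_individuals=600,
                                    ftc_covered=False):
        print(f"{d.due}  {d.regime:15} {d.recipient}")
    print("binding:", binding_deadline(
        notification_deadlines(found, 600, 600, False)))
```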
Does my church or nonprofit need to follow compliance rules?
Churches and nonprofits aren't exempt from data protection obligations. If you collect donor PII, payment card data, or any personal information of donors or members, you're subject to FIPA (Florida breach notification), state-level data protection laws of donors' home states, and PCI-DSS if you process card payments. Faith-based health ministries and counseling ministries may also be subject to HIPAA depending on services offered. The good news: most churches and small nonprofits qualify for free or deeply discounted Microsoft 365 Business Premium, which makes a strong security baseline affordable.
Can Simply IT serve as our Qualified Individual under FTC Safeguards?
Yes, for clients on Simply Compliant ($150/user/month) we serve as the designated Qualified Individual under the FTC Safeguards Rule — building and maintaining the written information security program, conducting the annual risk assessment, overseeing service provider oversight, and producing the annual board report the Rule requires. This is bundled into the flat monthly fee for accounting firms, financial advisory practices, and other Safeguards-Rule-covered clients. We document everything to be audit-defensible if the FTC inquires.
Is Simply IT itself SOC 2 compliant?
Simply IT operates against SOC 2 Type II control objectives — meaning we maintain the administrative, technical, and physical controls a Type II audit examines (security, availability, confidentiality), and our tooling and access governance is built to those standards. We provide a written security posture summary to any prospective client who needs vendor due diligence documentation. We do not currently undergo an annual third-party SOC 2 audit — we're transparent about that. If your industry requires a current SOC 2 attestation from your MSP, ask us before signing.
// 06

AI FOR BUSINESS.

Should my small business use ChatGPT?
Probably yes — but with governance. AI tools like ChatGPT, Claude, and Microsoft Copilot deliver real productivity gains for drafting, summarizing, research, code, and customer support. The question isn't whether to use AI; it's how to use it responsibly: which tools, on which accounts (business, not personal), with what data classification rules, with what audit trail. Businesses that ignore AI fall behind. Businesses that adopt AI without governance end up with client data in third-party training pipelines and compliance findings nobody saw coming.
Is it safe to paste client data into ChatGPT?+
It depends on which ChatGPT you're using. Free ChatGPT and ChatGPT Plus on consumer accounts: by default, conversations may be used for model training, and you have no Business Associate Agreement or signed data processing agreement. Pasting client PII, PHI, financial data, or attorney-client privileged content into these is a meaningful data-handling risk. ChatGPT Enterprise, ChatGPT Team, and OpenAI API: conversations are not used for training by default, and a data processing agreement is available. The same distinction applies to Anthropic Claude and Google Gemini. Use the business tier, not the consumer one.
What is the difference between consumer ChatGPT and ChatGPT Enterprise?+
Consumer ChatGPT (Free and Plus) is designed for individual personal use — conversations may be used for model training by default, support is community-based, and there's no admin console or data processing agreement. ChatGPT Enterprise and Team are business tiers — conversations are not used for training by default, there's an admin console for centralized management, SSO and SCIM integration with Microsoft Entra ID or Google Workspace, audit logging, and a data processing agreement. For any business use involving client or proprietary data, Enterprise or Team is the right tier.
Can a healthcare practice use AI and still be HIPAA-compliant?+
Yes, but only with the right AI tier. The default consumer versions of ChatGPT, Claude, and Gemini are not HIPAA-eligible — no Business Associate Agreement is offered. The HIPAA-eligible options as of 2026 include: Microsoft 365 Copilot (covered under the Microsoft BAA when properly activated), Azure OpenAI Service (covered under the Microsoft BAA), Anthropic Claude via AWS Bedrock with a HIPAA-eligible AWS account, and certain healthcare-specific AI vendors with signed BAAs. Practices using AI without a BAA in the chain have a HIPAA gap regardless of how careful staff are with the inputs.
What is an AI acceptable-use policy?+
A written policy that tells staff which AI tools are approved, which accounts to use (business tier, never personal), what data classifications are allowed in which tools (no client PII in consumer ChatGPT, period), how to log AI-generated content in client work, and what disclosure obligations apply to clients and regulators. Most small businesses we audit have zero written AI governance — staff are pasting client data into personal ChatGPT accounts and nobody has told them not to. Simply IT drafts and maintains a tailored AI acceptable-use policy for every Simply Secure and Simply Compliant client.
What is Microsoft 365 Copilot and how much does it cost?+
Microsoft 365 Copilot is the generative AI assistant embedded across Word, Excel, PowerPoint, Outlook, Teams, and the broader Microsoft 365 surface. It pulls context from your organization's own documents, emails, calendars, and chats (governed by your existing Microsoft permissions) to draft, summarize, analyze, and answer questions. Pricing in 2026 is $30 per user/month on top of an underlying Microsoft 365 Business Standard or Business Premium license, on an annual commitment; minimum tenant license requirements vary by region. For businesses already on Premium, Copilot is the most natural enterprise-AI entry point.
What is Anthropic Claude and how is it different from ChatGPT?+
Anthropic Claude is a family of large language models developed by Anthropic, a US-based AI safety company. Functionally Claude is comparable to ChatGPT for most business tasks (writing, summarization, code, analysis), with particular strengths in longer-context work and instruction-following. Differences for business use: Claude is available via Anthropic's own API and via cloud platforms (AWS Bedrock with HIPAA-eligible accounts, Google Cloud Vertex AI); Claude.ai consumer and Team tiers operate similarly to ChatGPT consumer/Team. Many businesses use both Claude and ChatGPT for different tasks; they're not mutually exclusive.
What is shadow AI and is it a real risk?+
Shadow AI is the use of AI tools by employees on personal accounts, outside the visibility of the business's IT and security governance — typically free ChatGPT, free Claude, or free Gemini accounts used to summarize client documents, draft client communications, or analyze internal data. The risk is real: data leakage into third-party training pipelines (with consumer tiers), no audit trail, no data processing agreement, and compliance findings when regulators or clients ask “what AI did you use on our matter?” The fix is the AI acceptable-use policy plus making the approved business-tier AI tools easy enough that staff don't reach for personal accounts.
How much should a small business expect to spend on AI tools?+
Realistic 2026 budget for a 10-person office adopting AI thoughtfully: $30 per user/month for Microsoft 365 Copilot if you want AI inside Outlook/Word/Excel/Teams (~$300/month for 10 people), or $25–30 per user/month for ChatGPT Team or Claude Team if you want a standalone chat workspace (~$250–300/month for 10 people). Some businesses use both. Add a one-time $1,500–3,000 for the AI acceptable-use policy, training, and governance setup if you don't already have IT support handling it. Total first-year AI spend for a thoughtful 10-person rollout: roughly $5,000–8,000.
How does Simply IT govern AI access for clients?+
On Simply Secure and Simply Compliant tiers we (a) draft the client's AI acceptable-use policy, (b) configure Microsoft 365 Copilot or the chosen alternative under the business's identity provider with SSO and audit logging, (c) block or restrict consumer-tier AI tools where appropriate via Conditional Access and DNS filtering, (d) train staff on which tools to use for which data, and (e) document everything to be audit-defensible. The goal isn't to block AI — it's to make the right AI easy and the wrong AI hard, which is exactly what compliance regulators are starting to expect.
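As an added illustration (not Simply IT's tooling) of the data-classification rule in an AI acceptable-use policy and of "making the wrong AI hard": a small Python gate that classifies a prompt heuristically (SSN pattern, Luhn-valid card number, PHI keywords) and checks whether the destination tool tier may receive it, returning a record suitable for an audit trail. The tier names, policy matrix, and sample prompts are constructed assumptions.

```python
import re

# Constructed policy matrix (illustrative): which AI tool tiers may receive
# each data classification named in the acceptable-use policy.
#   consumer = free/Plus personal accounts (no DPA, may train on inputs)
#   business = Team/Enterprise tier with a data processing agreement
#   baa      = HIPAA-eligible tier under a signed Business Associate Agreement
ALLOWED_TIERS = {
    "public":     {"consumer", "business", "baa"},
    "client_pii": {"business", "baa"},
    "phi":        {"baa"},
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PHI_TERMS = ("patient", "diagnosis", "prescription", "mrn")


def luhn_ok(candidate):
    """Luhn checksum: separates real card numbers from random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Heuristic classifier; the strictest matching class wins."""
    lower = text.lower()
    if any(term in lower for term in PHI_TERMS):
        return "phi"
    if SSN_RE.search(text):
        return "client_pii"
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        return "client_pii"
    return "public"


def check_prompt(text, tool_tier):
    """Gate a prompt against the policy; the returned dict is the audit-trail entry."""
    classification = classify(text)
    return {"classification": classification, "tool_tier": tool_tier,
            "allowed": tool_tier in ALLOWED_TIERS[classification]}


if __name__ == "__main__":
    # Constructed sample prompts, one per classification
    print(check_prompt("Draft a blog post on why MFA matters.", "consumer"))
    print(check_prompt("Summarize intake: SSN 123-45-6789, card 4111 1111 1111 1111", "consumer"))
    print(check_prompt("Patient J.D., diagnosis pending; draft a referral letter.", "business"))
```

In practice the same check would sit in a browser extension or proxy in front of the approved tools, and the returned record would be written to the SIEM rather than printed.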