Jun 30, 2026
Most cyberattacks do not start with a sophisticated intrusion. They start with a click on a personal email, a reused password, or a file uploaded to a familiar cloud service because the approved option felt slower.
The Verizon Data Breach Investigations Report found that 68% of breaches involve the human element.
Not a zero-day exploit. Not a brute-force attack on a hardened system. Human behavior, in the course of an ordinary working day.
For businesses running cloud-based workflows across multiple devices, the personal and professional overlap is now the rule. Understanding where that overlap creates risk is no longer optional. It is a core part of modern security strategy.
The Risk Sitting Outside Your Security Stack
Personal web habits are not reckless behavior. They are normal behavior.
Checking a personal inbox on a work laptop. Logging into a social account during a break. Saving a work password in a browser already loaded with personal accounts. Uploading a document to a storage service because it is faster than the approved option.
None of these feel like security decisions in the moment. But each creates a connection between personal digital activity and business systems, and that connection sits outside most traditional security controls.
Hardening systems, deploying tools, and locking down networks addresses part of the problem. The rest moves with the people.
How Personal Web Habits Create Business Exposure
Personal channels are phishing’s preferred territory
Personal inboxes, messaging platforms, and social media feeds are where phishing thrives.
These environments are harder to filter, easier to spoof, and loaded with the emotional triggers that make people act before they think.
When those channels share a device or browser with business systems, a single click can cross the boundary instantly.
Phishing is the most common entry method for attackers precisely because it exploits distraction rather than technical weakness. The target does not need to be careless. They just need to be busy.
Password reuse turns personal breaches into work incidents
Password reuse is one of the most direct connections between personal and professional exposure.
When credentials from a personal account are compromised, attackers run them against business systems automatically. This technique, credential stuffing, is low-effort and highly effective because so many people use the same password across multiple accounts.
Unique credentials for every account, combined with multi-factor authentication, break that chain.
A personal breach has nowhere to go when the work account requires a second factor that the attacker cannot relay.
Shadow IT is usually about convenience, not defiance
Most unauthorized tool usage does not begin with disregard for IT policy. It begins with a productivity gap. Employees use personal cloud storage, consumer messaging apps, or AI tools because they are faster and more familiar than the approved alternative.
The security risk is not the intention behind the choice. It is what happens to the data.
Once business information moves into platforms that IT cannot see, audit, or secure, it falls outside every control in place. The tool usage is predictable. The data exposure is not.
Why Blocking Behavior Doesn’t Work
The instinct is to lock things down: block personal apps, restrict browsing, enforce strict device policies.
In practice, blanket restrictions rarely stop the behavior. They relocate it. Users find workarounds. Unapproved tools move to personal devices. IT teams lose visibility into exactly the activity they were trying to manage.
The risk does not disappear. It moves somewhere harder to see.
Security strategies that assume perfect compliance perform poorly in real workplaces. The goal is not eliminating the overlap between personal and professional digital activity. It is managing it without breaking how people work.
What Actually Reduces Risk
The controls that work are the ones that match how people actually operate.
Separate contexts, not people
The simplest way to reduce crossover risk is to reduce crossover.
Separate browser profiles for work and personal activity, clear guidance on where business accounts should be accessed, and identity boundaries that prevent accidental mixing all reduce exposure without restricting what people do with their time.
This is not about surveillance. It is about creating enough distance between personal and professional digital activity that a compromise in one does not automatically reach the other.
Design for credential failure
Assume passwords will eventually be exposed somewhere. Design for that outcome rather than hoping to prevent it.
CISA reports that enabling multi-factor authentication makes accounts 99% less likely to be compromised, even when the underlying password has already been stolen.
MFA converts the most common attack path into a dead end.
Stolen credentials from a personal breach cannot reach a work account that requires a second factor. A password manager handles unique credentials across every account, making that protection sustainable without placing an unrealistic burden on users.
Make secure behavior easier than unsafe behavior
Personal web habits are not dangerous by default. Ignoring the risk they create is. The most secure environments today are not the most restrictive. They are the most realistic: built around how people actually work, designed to contain failure when it happens, and focused on making safer behavior the path of least resistance.
Helping clients reduce human-driven security risk is one of the most impactful services an MSP can offer.
Contact us or schedule a consultation to review current controls and identify where the most important gaps are.
—
Featured Image Credit
This Article has been Republished with Permission from The Technology Press.
Jun 10, 2026
It’s a statistic that sends a shiver down the backs of SME owners, managers and employees.
According to the FBI’s 2025 Internet Crime Report, business email compromise (BEC) cost US businesses more than $3 billion last year.
This makes it one of the most financially damaging cybercrimes on record.
AI has made these attacks harder to detect. The question for AP teams is no longer whether they can identify suspicious requests. It is whether the processes around payments make fraud difficult regardless of how convincing it looks.
Why AP Teams Are in the Crosshairs
Accounts payable sits at the intersection of trust and timing. AP teams process invoices, manage supplier details, and execute payments, often under pressure to keep operations running smoothly.
For attackers, that combination is ideal.
Most successful fraud does not involve breaking into systems.
The FBI’s Internet Crime Complaint Center (IC3) has consistently found that BEC attacks rely on impersonation. This involves posing as a trusted executive, supplier, or internal colleague to redirect payments or update bank details before anyone notices.
AI has made that impersonation dramatically more scalable.
Where it once required skill and time to craft a convincing request, tools are now widely available that automate the research, writing, and contextual tailoring that make fraud blend into normal AP workflows.
By mid-2024, an estimated 40% of BEC phishing emails were already AI-generated, with that share expected to grow significantly.
What AI-Enhanced Fraud Looks Like in Practice
Emails that blend into normal workflow
Traditional phishing relied on volume and imperfection. AI has changed that.
Modern BEC emails are grammatically correct and written in the specific tone of the executive or supplier being impersonated. They reference active projects, current invoice numbers, and upcoming payment runs.
For AP teams processing high volumes of routine communications, that level of familiarity is exactly what lowers the guard.
Invoice and payment redirection
One of the most common AP fraud patterns involves payment redirection.
Attackers may intercept a legitimate invoice exchange and quietly alter the destination account. They then send a short message claiming a supplier has updated its banking details, or re-issue a real invoice with minor modifications.
The surrounding content looks entirely legitimate because, in many cases, it is drawn from real correspondence.
Voice cloning and executive impersonation
Email isn’t the only channel being exploited.
AI voice-cloning tools can replicate a person’s voice from a short audio sample. That makes it possible to leave convincing voicemails or place calls that sound like a known executive.
For AP teams accustomed to verbal approvals on high-value or urgent payments, this removes one of the few remaining verification methods that email security alone cannot address.
Why Traditional Checks No Longer Work
Security awareness training still matters, and investing in it remains worthwhile. But AI has changed what AP teams are up against.
Attacks no longer contain the signals that training programs once focused on: awkward phrasing, mismatched logos, odd sender addresses, or generic greetings.
Modern fraud emails can reference the recipient’s organization, active suppliers, and current invoice values drawn from publicly available or previously intercepted sources.
When a fraudulent request is indistinguishable from a legitimate one, placing the burden of detection on the AP team puts it in the wrong place.
The organizations that reduce risk are not asking staff to be more suspicious. They are building verification processes that work independent of how a message looks.
Building Process Around the Risk
The most effective defense is not sharper instincts. It is removing ambiguity from high-risk actions.
Out-of-band verification as standard
Any request to change supplier bank details or approve an urgent payment outside the normal cycle should require secondary confirmation through a known, independent channel — not a reply to the same email thread. Calling a supplier on a number already on file, or confirming with a colleague directly, breaks the impersonation chain regardless of how convincing the original request appeared. This step does not require technology. It requires a written procedure and the team’s habit of following it.
Layered access and authentication controls
Restricting access to financial systems and enforcing multi-factor authentication limits the damage a compromised account can cause. If an attacker gains access to a vendor’s email, MFA requirements on the receiving end create friction that can slow or stop a fraudulent change before any money moves.
A culture that supports slowing down
Fraud prevention improves when staff feel safe questioning requests, including from senior leadership.
A team member who pauses a payment to verify it is not being obstructive. They are doing exactly what good process requires.
Building that culture starts with leadership modeling the behavior and making clear that slowing down on high-risk actions is always the right call.
The FBI’s 2025 Internet Crime Report included a dedicated AI section for the first time, logging more than $893 million in AI-enabled scam losses across more than 22,000 complaints.
When verification is standard and questioning is encouraged, AI-enhanced fraud loses much of its advantage.
The technology attackers use is advancing quickly, but the process controls that contain the damage do not have to be complicated. They have to be consistent.
Shift the Burden From People to Process
Concerned about AI-enhanced fraud targeting your finance teams or clients?
Contact us or schedule a consultation to review your current controls and identify where the most important gaps are.
—
Featured Image Credit
This Article has been Republished with Permission from The Technology Press.
Jun 5, 2026
You click a link, sign in, approve the MFA prompt, and get on with your day. Completely unaware that someone else just logged into your account at the same moment.
That scenario surprises many businesses, particularly those that rely on multi-factor authentication (MFA) to protect cloud accounts. But this is exactly how Adversary-in-the-Middle (AiTM) phishing attacks work.
Rather than stealing passwords for later use, these attacks silently hijack an already-authenticated session in real time.
MFA remains a core control, and getting it implemented correctly is still a critical first step for any business.
But AiTM attacks exploit something MFA was never designed to protect: the trusted session that exists after authentication has already completed.
Phishing Has Moved Beyond Passwords
Phishing remains the most common starting point for account compromise, but the objective has changed.
Traditional phishing collected usernames and passwords. Modern phishing is after something more immediately useful: the authenticated session itself.
Security researchers have documented a significant shift toward session and token theft, where attackers intercept the authentication process as it happens.
Rather than reusing stolen credentials, which MFA typically blocks, they wait until the user successfully completes login, then steal the session token that proves it already occurred.
The technique has matured quickly. Phishing-as-a-Service (PhaaS) platforms now supply ready-made proxy toolkits that let even low-skilled attackers run AiTM campaigns targeting Microsoft 365 and Google Workspace.
How AiTM Attacks Actually Work
The fake login page that isn’t fake
An AiTM phishing site is not a basic replica of a login page. It is a live reverse proxy.
The attacker’s infrastructure sits between the user and the real authentication service. Every keystroke, redirect, and server response flows through the attacker’s system in real time. From the user’s perspective, nothing looks wrong.
The page behaves exactly like the real service, with correct branding, working redirects, and a functioning MFA prompt. In most cases, the only clue is a slightly altered URL that goes unnoticed on a mobile screen or when someone is under time pressure.
Why MFA doesn’t stop it
This is where many security assumptions fall apart.
MFA protects the moment of authentication, not what comes after it.
Once a user successfully completes MFA, the service issues a session cookie. What this means is that the cookie signals to the application that the user is already verified. From that point, no password or MFA prompt is required. The system trusts the token. Whoever holds the cookie holds the access.
AiTM attacks simply wait for that cookie to be issued then steal it.
Microsoft tracked a 146% rise in AiTM attacks over the past year, as cybercriminals increasingly shift focus to accounts already protected by MFA.
Much of this increase is driven by PhaaS platforms like Evilginx that allow even low-skilled attackers to run convincing reverse-proxy campaigns at scale, targeting major cloud identity providers with minimal setup.
Session cookies
Session tokens act as bearer credentials. So, whoever possesses the token can access the account, with no password or MFA challenge required.
Once the cookie is stolen, the attacker imports it into their own browser and immediately resumes the session.
This is a session replay attack. The attacker does not log in. They pick up where the legitimate user left off, inside a fully trusted, already-verified session.
What Happens After a Session Is Stolen
The aftermath of an AiTM attack tends to be quiet, which is precisely what makes it dangerous.
The attacker is operating inside a legitimate, authenticated session. There are no failed MFA attempts, no unusual login alerts, and nothing in standard sign-in logs to signal a problem.
Research from Proofpoint shows that attackers who gain access through session hijacking commonly create hidden inbox rules to redirect mail, register additional MFA methods to lock in persistent access, monitor email threads for financial conversations, and use the trusted account to launch phishing campaigns against internal colleagues or finance teams.
These follow-on actions are a key reason AiTM attacks are frequently uncovered late, after financial fraud, data exposure, or wider network compromise has already begun.
Reducing Your Exposure
MFA is still essential. Building strong authentication practices remains the starting baseline. But reducing AiTM risk requires controls that extend beyond the login event itself.
Adopt phishing-resistant MFA
Methods like FIDO2 hardware keys and passkeys bind authentication to the specific device and the legitimate domain. A proxy in the middle cannot relay them: the process fails if the URL is not the real one.
The Canadian Centre for Cyber Security analyzed over 100 AiTM campaigns targeting Microsoft Entra ID accounts. It found that phishing-resistant MFA consistently blocked session theft where standard MFA methods (including push notifications and one-time passcodes) did not.
Tighten Conditional Access policies
Risk-based access controls evaluate additional signals, including device compliance, IP location, and session behavior, rather than treating every authenticated session as permanently trusted.
Configured correctly, these policies can detect and block anomalous access even when a stolen session token appears valid.
Monitor for post-login anomalies
Detecting AiTM compromise typically means watching for activity after login: new MFA method registrations, inbox rules created outside business hours, access from unfamiliar locations, or unusual data activity.
Authentication logs alone will not surface the problem.
Train users on URL awareness
Employees who understand that a working MFA prompt on an unfamiliar-looking page still represents a risk are better positioned to pause, check the URL, and report before a session is compromised. A brief team walkthrough of what AiTM lures look like in Microsoft 365 contexts can meaningfully reduce exposure.
Stop Protecting Just the Login Screen
MFA is a baseline, not a finish line. The businesses that reduce AiTM risk are the ones that understand how sessions, tokens, and identity trust actually work . And they build controls around each layer, not just the login screen.
Want to review your identity security controls?
Contact us or schedule a consultation to identify the gaps that matter most before an incident does it for you.
—
Featured Image Credit
This Article has been Republished with Permission from The Technology Press.
May 30, 2026
MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in.
After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there. If an attacker steals that wristband, they may not need to beat your MFA prompt at all.
That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session.
This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line.
When sessions can be stolen, the practical defence shifts to layered controls: phishing-resistant sign-ins, device hygiene, tighter session policies, and detection that catches suspicious access early.
Why MFA Isn’t a “Game Over” Control
MFA is still one of the best upgrades most businesses can make, but it doesn’t end an attack on its own. The reason is that attackers don’t always try to beat the login step. They try to go around it.
Cloudflare notes that “attackers are finding new ways to circumvent MFA” and that modern incidents are rarely one isolated technique. They’re “part of a chain of attacks.”
In other words, MFA can block a lot of credential theft, but it doesn’t automatically protect what happens after a user successfully signs in.
That’s where session cookie hijacking comes in.
Microsoft has described adversary-in-the-middle phishing campaigns where attackers use a reverse-proxy site to “steal and intercept” a user’s password and the session cookie that proves they have an authenticated session.
This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re reusing the session.
What a Session Cookie Is and Why Attackers Want It
When you sign into a web app, the site needs a way to remember that you’ve already proved who you are. That’s what a session is: a temporary “logged-in” state that saves you from entering your password and MFA code on every click.
Kaspersky explains that session hijacking is “sometimes called cookie hijacking” because cookies are commonly used to store the session identifier that keeps you authenticated.
Attackers want that session identifier because it’s the shortcut.
Proofpoint describes session tokens as digital “keys” that let a user stay authenticated. It warns that stealing valid tokens lets attackers impersonate legitimate users and potentially bypass authentication measures “like MFA.”
That’s why session cookie hijacking is so highly leveraged.
If an attacker can steal the cookie or token that represents your active session, they’re not trying to defeat the login process. They’re attempting to reuse what you already completed, and access the same apps and data as if they were sitting at your keyboard.
How Session Cookie Hijacking Actually Happens
A lot of teams picture “account takeover” as someone guessing a password or tricking a user into approving an MFA prompt.
Session cookie hijacking is different. The attacker’s goal is to steal the proof that you’re already logged in, then reuse it, often without triggering another sign-in challenge.
1.) AiTM phishing
Adversary-in-the-middle (AiTM) phishing is the “proxy login” trap.
You think you’re signing into a normal service, but you’re actually signing into a lookalike page that sits between you and the real site. The attacker relays the login in real time, so everything appears to work, including MFA.
Attackers use AiTM phishing sites to “steal and intercept” a user’s password and the session cookie that proves the authenticated session. This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re capturing the session after MFA is completed and reusing it.
One such campaign “attempted to target more than 10,000 organisations” since September 2021, which shows how scalable this approach has become.
2.) Browser-in-the-Middle session stealing
Browser-in-the-middle (BitM) is similar in spirit, but it’s even more “hands-on” from the attacker’s side.
Instead of stealing a password and running away, the attacker effectively places themselves in control of the browsing session.
Google’s threat intelligence says, “Stealing this session token is the equivalent of stealing the authenticated session.” Once the token is stolen, “an adversary would no longer need to perform the MFA challenge.”
In other words, the attacker isn’t trying to authenticate instead of you. They’re trying to ride along after you’ve authenticated.
3.) Cookie theft from the endpoint
Not every session hijack starts with a fancy proxy. Sometimes the attacker simply steals session data from the device itself.
Stealing valid session tokens allows attackers to impersonate legitimate users. Tokens act like digital “keys.” If an endpoint is compromised, those “keys” can be extracted and reused.
Invicti explains that an attacker steals HTTP cookies and can gain access. The goal is often to obtain sensitive information stored in cookies.
MFA Is a Baseline, Not a Finish Line
MFA is still essential. It blocks a huge amount of credential theft and makes basic account takeover harder. But session cookie hijacking is a reminder that attackers don’t always try to defeat the login step. Sometimes they reuse what happens after it.
The practical response is layered and realistic. Make phishing harder to pull off, and treat device health as part of identity. Tighten session behaviour for high-risk apps. Watch for suspicious access patterns that suggest a session is being replayed.
When those controls work together, MFA stops being a comforting checkbox and becomes what it should be: a strong baseline that’s backed by protections around the session itself.
Contact us today for help protecting your login sessions from hijacking.
—
Featured Image Credit
This Article has been Republished with Permission from The Technology Press.
May 15, 2026
Browser add-ons have a funny reputation. They feel “small”. A quick install. A tiny productivity boost. A harmless little helper that lives in your toolbar.
But in practice, a browser extension is more like a micro-SaaS vendor sitting inside your browser session. It can see what you see, interact with the pages you open, and sometimes access the same cloud apps your business runs on all day.
That’s why a browser extension security check matters.
Not because every extension is bad, but because it only takes one over-permissioned add-on or one bad update to turn “helpful” into exposure.
The good news is you don’t need a 40-page policy to reduce the risk. A simple five-minute check can prevent most extension problems before they start.
Why Browser Extensions Are a High-Leverage Risk
Browser extensions sit in the most sensitive place in modern work: the browser tab where your staff live all day.
That matters because extensions aren’t just “apps”. They’re granted special authorisations inside the browser. That makes them attractive targets and gives them leverage that’s disproportionate to how “small” they feel.
UC Berkeley’s guidance says extensions get “special authorisations,” and the more you install, the bigger the attack surface becomes.
The risk is often permission-based. OWASP calls out “permissions overreach” as a core problem. Extensions can request more access than they need, including access to “all tabs, browsing history, and even sensitive user data.”
When an extension can read and modify what happens in the browser, it can potentially see data in cloud tools, capture what’s typed into forms, or alter content on a page.
It’s also a “change over time” risk. A useful extension today can become a different extension tomorrow.
The 5-Minute Browser Extension Security Check
This browser extension security check is designed to be fast, repeatable, and realistic. It helps staff make safe decisions in minutes without turning every extension into a big IT ticket.
Vet the developer like a real vendor
If you wouldn’t give a random supplier access to your customer records, don’t give a random extension access to your browser.
Start with the basics:
- Confirm the developer has a real website, support details, and a consistent name across listings
- Look for a track record (other products, a clear company presence, updates that look normal)
- Prefer official stores and trusted sources over “download this .zip” links
Read the description like a contract
Treat the store listing as a mini security disclosure. It should clearly explain what the extension does and why it needs access.
What to look for:
- Specific, concrete function
- Clear explanation of what data it touches
- Any hint of tracking, analytics, or data sharing that doesn’t match the core feature.
Permission sanity check
Permissions are the whole game. This is where a “helpful tool” can become a high-leverage risk.
Microsoft’s Edge Add-ons policies say extensions “must only request those permissions that are essential for functioning,” and requesting permissions for “future proofing” is “not allowed.”
How to do a fast check:
- Ask: “Does this permission match the feature?” If not, it’s a red flag.
- Be cautious of anything that effectively means “read and change everything you do in the browser.”
- Remember: Google even publishes guidance for admins to “evaluate the security risk” of different extension permissions.
Check updates and change risk
Extensions aren’t static. They update. And updates can change what the extension can do.
Two things to watch:
- Permission creep: If an extension suddenly requests new permissions, you should be wary. And if you can’t justify it, “it’s probably better to uninstall”
- Update abuse: Treat unexpected permission changes or sudden feature shifts as a reason to pause and escalate
Decide: approve, avoid, or escalate
You don’t need a committee for every install.
You need a simple decision tree:
- Approve when the vendor is credible, the purpose is clear, and permissions are tight and match the feature
- Avoid when the extension is vague, over-permissioned, or feels like it wants access “just in case”
- Escalate when it’s genuinely useful but touches sensitive systems or asks for broad permissions.
- Have IT review it and, if approved, add it to an allowlist
From “Quick Install” to Clear Standards
Browser extensions aren’t “bad”. Unvetted extensions are the problem.
A simple browser extension security check turns installs from impulse decisions into repeatable standards.
You’re not trying to slow people down. You’re trying to make sure the tools that live inside your browser have a clear purpose, tight permissions, and a vendor you’d actually trust.
Start small. Reduce extension sprawl, treat permission changes as a red flag, and escalate anything that touches sensitive systems.
Then make it easier for staff to do the right thing by default with an approved list and browser-level controls. When installs are standardised, extensions stop being a hidden risk and become just another managed part of the environment.
Contact us today to schedule a browser extension audit.
—
Featured Image Credit
This Article has been Republished with Permission from The Technology Press.
Apr 20, 2026
Ransomware isn’t a jump scare. It’s a slow build.
In many cases, it begins days, or even weeks, before encryption, with something mundane, like a login that never should have succeeded.
That’s why an effective ransomware defense plan is about more than deploying anti-malware. It’s about preventing unauthorized access from gaining traction.
Here’s a five-step approach you can implement across your small-business environment without turning security into a daily obstacle course.
Why Ransomware Is Harder to Stop Once It Starts
Ransomware is rarely a single event. It’s typically a sequence: initial access, privilege escalation, lateral movement, data access, often data theft, and finally encryption once the attacker can inflict maximum damage.
That’s why relying on late-stage defenses tends to get messy.
Once an attacker has valid access and elevated privileges, they can move faster than most teams can investigate. Microsoft says, “In most cases attackers are no longer breaking in, they’re logging in.”
By the time encryption begins, options are limited. The general guidance from law enforcement and cybersecurity agencies is clear: don’t pay the ransom, there’s no guarantee you’ll recover your data, and payment can encourage further attacks.
There isn’t a silver bullet for preventing a ransomware attack. A ransomware defense plan is most effective when it disrupts the attack before encryption ever begins. That’s why recovery needs to be engineered upfront, not improvised mid-incident.
The goal isn’t “stop every threat forever.” The goal is to break the chain early and limit how far an attacker can move. And if the worst happens, you want recovery to be predictable.
The 5-Step Ransomware Defense Plan
This ransomware defense plan is built to disrupt the attack chain early, contain the damage if access is gained, and ensure recovery is dependable. Each step is practical, easy to implement, and repeatable across small-business environments.
Step 1: Phishing-Resistant Sign-Ins
Most ransomware incidents still begin with stolen credentials. The fastest win is to make “logging in” harder to fake and harder to reuse once compromised.
What this means: “Phishing-resistant” sign-ins are authentication methods that can’t be easily compromised by fake login pages or intercepted one-time codes. It’s the difference between “MFA is enabled” and “MFA still works when someone is specifically targeted.”
Do this first:
- Enforce strong MFA across all accounts, with priority given to admin accounts and remote access
- Eliminate legacy authentication methods that weaken your security baseline
- Implement conditional access rules, such as step-up verification for high-risk sign-ins, new devices, or unusual locations
Step 2: Least Privilege + Separation
What this means: “Least privilege” means each account gets only the access it needs to do its job, and nothing more.
“Separation” means keeping administrative privileges distinct from everyday user activity, so a single compromised login doesn’t hand over control of the entire business.
NIST recommends verifying that “each account has only the necessary access following the principle of least privilege.”
Practical moves:
- Keep administrative accounts separate from everyday user accounts
- Eliminate shared logins and minimize broad “everyone has access” groups
- Limit administrative tools to only the specific people and devices that genuinely require them
Step 3: Close known holes
What this means: “Known holes” are vulnerabilities attackers already know how to exploit, typically because systems are unpatched, exposed to the internet, or running outdated software. This step is about eliminating easy wins for attackers before they can take advantage of them.
Make it measurable:
- Set clear patch guidelines: critical vulnerabilities addressed immediately, high-risk issues next, and all others on a defined schedule
- Prioritize internet-facing systems and remote access infrastructure
- Cover third-party applications as well, not just the operating system
Step 4: Early detection
What this means: Early detection means identifying ransomware warning signs before encryption spreads across the environment.
Think alerts for unusual behavior that enable rapid containment, not a help desk ticket reporting that files suddenly won’t open.
A strong baseline includes:
- Endpoint monitoring that can flag suspicious behavior quickly
- Rules for what gets escalated immediately vs what gets reviewed
Step 5: Secure, Tested Backups
What this means: “Secure, tested backups” are backups that attackers can’t easily access or encrypt, and that you’ve verified you can restore successfully when it matters most.
Both NIST’s ransomware guidance and the UK NCSC emphasize that backups must be protected and restorable. NIST specifically calls out the need to “secure and isolate backups.”
Keep backups up-to-date so you can recover “without having to pay a ransom”, and check that you know how to restore your files.
Make backups real:
- Keep at least one backup copy isolated from the main environment.
- Run restore drills on a schedule
- Define recovery priorities ahead of time, what needs to be restored first, and in what sequence
Stay Out of Crisis Mode
Ransomware succeeds when environments are reactive, when everything feels urgent, unclear, and improvised.
A strong ransomware defense plan does the opposite. It turns common failure points into predictable, enforced defaults.
You don’t need to rebuild your entire security program overnight. Start with the weakest link in your environment, tighten it, and standardize it.
When the fundamentals are consistently enforced and regularly tested, ransomware shifts from a headline-level crisis to a contained incident you’re prepared to manage.
If you’d like help assessing your current defenses and building a practical, repeatable ransomware protection plan, contact us today to schedule a consultation. We’ll help you identify your biggest exposure points and turn them into controlled, measurable safeguards.
—
Featured Image Credit
This Article has been Republished with Permission from The Technology Press.