
One of my many interests is IT and also security. I think we all have a responsibility to keep dishonest people from hurting others.
Why am I sharing this? All of my career I have helped and encouraged companies to have the highest levels of security. Often I was ignored and told it couldn’t happen to them. Which is fine: I warned them, and then the consequences are on them.
I did work as an MSP/consultant, and sometimes the company was hacked due to their lack of security or mistakes by the people using it. Normally companies will find the money once they have seen that they are vulnerable. I wish this wasn’t the case.
Part of the problem is that security always adds complexity. This is unavoidable. There is a trade-off between security and usability, and I think it has to be more secure than usable if you have to make a choice. For example, I once worked with a client who had Okta Verify common things like accessing internally hosted apps such as timekeeping or service desk requests. I thought that was excellent.
I was also impressed when the client let you know by email when MFA was triggered, or flagged external links in email. That should be the standard for all companies. Make it easy for people to do the secure thing.
5 things you can do today to become more secure
- Zero Trust IAM: Enforce strong MFA and SSO for every account, block legacy authentication protocols that cannot carry MFA (for example basic auth for IMAP, POP and SMTP), and use Conditional Access policies driven by sign-in risk and device compliance signals.
- Privileged Access (PAM): Apply least privilege with separate admin accounts (never browse mail or the web as an admin), just-in-time elevation that expires, and alerting on every change to privileged roles and group memberships.
- Vulnerability & Patch SLAs: Keep a complete asset inventory, give each finding a remediation deadline based on severity and exposure, patch exploitable and internet-facing critical issues fastest, and track every exception with an owner, a reason and an expiry date rather than letting it sit silently.
- Endpoint/Server Hardening: Deploy EDR on every endpoint and server, reduce attack surface with secure configuration baselines (such as CIS benchmarks), and use application control (allow-listing) where feasible.
- Resilience & IR Readiness: Keep immutable or offline backups that an attacker with domain admin cannot delete, test restores regularly (a backup you have never restored is not a backup), and drill incident response playbooks so the first time you run them is not during a real incident.
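The patch-SLA item above is the one most teams track in a spreadsheet and then lose sight of. As an added example (not code from the original post), the script below turns a small asset inventory into an overdue list: each finding gets a deadline from its severity, internet-facing or known-exploited criticals get a much tighter window, and only exceptions that are still within their expiry date are honoured. The SLA values, asset names and finding IDs are assumptions constructed for the example.

```python
# Patch-SLA triage over an asset inventory. Added example; the SLA windows,
# asset names and finding IDs are assumed values, not from the post.
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days per severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Tighter window for criticals that are internet-facing or known to be exploited.
EXPOSED_CRITICAL_DAYS = 3


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str
    severity: str
    internet_facing: bool
    known_exploited: bool
    found: date


@dataclass(frozen=True)
class SlaException:
    """A tracked, time-boxed exception. Expired exceptions are ignored."""
    asset: str
    finding_id: str
    expires: date
    reason: str


def sla_days(f: Finding) -> int:
    """Days allowed to fix a finding; unknown severities fail loudly."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.asset}")
    if f.severity == "critical" and (f.internet_facing or f.known_exploited):
        return EXPOSED_CRITICAL_DAYS
    return SLA_DAYS[f.severity]


def due_date(f: Finding) -> date:
    return f.found + timedelta(days=sla_days(f))


def triage(findings, exceptions, today):
    """Split findings into (overdue, excepted, within_sla).

    overdue: (asset, finding_id, days_overdue), most overdue first.
    excepted: (asset, finding_id, reason) for findings covered by an
              exception that has not yet expired.
    within_sla: (asset, finding_id, days_remaining) in input order.
    """
    active = {(e.asset, e.finding_id): e for e in exceptions if e.expires >= today}
    overdue, excepted, within = [], [], []
    for f in findings:
        key = (f.asset, f.finding_id)
        days_over = (today - due_date(f)).days
        if key in active:
            excepted.append((f.asset, f.finding_id, active[key].reason))
        elif days_over > 0:
            overdue.append((f.asset, f.finding_id, days_over))
        else:
            within.append((f.asset, f.finding_id, -days_over))
    overdue.sort(key=lambda r: r[2], reverse=True)
    return overdue, excepted, within


# Constructed sample inventory (placeholder IDs, not real CVEs).
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("web01", "FINDING-001", "critical", True, False, date(2024, 5, 20)),
    Finding("db02", "FINDING-002", "critical", False, False, date(2024, 5, 28)),
    Finding("legacy03", "FINDING-003", "high", True, False, date(2024, 4, 1)),
    Finding("hr04", "FINDING-004", "medium", False, False, date(2024, 1, 1)),
]
SAMPLE_EXCEPTIONS = [
    SlaException("legacy03", "FINDING-003", date(2024, 7, 1), "vendor fix scheduled"),
    SlaException("hr04", "FINDING-004", date(2024, 5, 15), "awaiting change window"),  # expired
]

if __name__ == "__main__":
    overdue, excepted, within = triage(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, TODAY)
    for asset, fid, days in overdue:
        print(f"OVERDUE  {asset:10} {fid}  {days} days past SLA")
    for asset, fid, reason in excepted:
        print(f"EXCEPTED {asset:10} {fid}  ({reason})")
    for asset, fid, days in within:
        print(f"OK       {asset:10} {fid}  {days} days remaining")
```

The point of the expiry check is that an exception is not a permanent waiver: once hr04's exception lapses the finding reappears on the overdue list automatically, which is what "tracked exceptions" should mean in practice.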