Business Responsibility: Massif MSP Gives Back
As a first responder to cybersecurity incidents, we want to prepare organizations on how to allocate limited IT resources, rather than hearing during incidents how limited funds were invested in single-layer or legacy defenses. Below is a compilation of ten priorities drawn from national standards and modern cyber defense trends to address IT needs for the most immediate, largest-impact, or impending ground-shifting cross-industry threats. While not a replacement for the NIST or CIS frameworks (see the enterprise page for how cybersecurity should be planned), this list is meant to help organizations, as a first exercise in risk, account for cybersecurity shifts and plan budgets accordingly.
1. Backups
If your business needed to restore every file from scratch without using your current computers, do you have copies? Modern threat actors' primary extortion method is now business disruption to maximize their ransom demands, so keep full backups of critical computers, servers, and databases, and test your restoration method periodically. Backups should be Write-Once Read-Many (immutable) and follow the 3-2-1 rule. Microsoft's OneDrive isn't considered immutable because a hacked administrator account can change retention settings to keep only the latest copies; one encryption pass then permanently destroys the file.
2. Endpoint Protection
Your organization needs to take risks every day, opening attachments, browsing the internet, and downloading software, in order to function. This is the most common entry point for cybercrime, which is why all endpoints (computers and servers) should have active, monitored Endpoint Detection and Response (including protections against modern fileless malware).
3. Multi-Factor Authentication
If your website host (GoDaddy, Squarespace, Cloudflare, Namecheap, Hostinger, etc.) and email administrator account use a password and a text message to log in, this is no longer considered safe (even the FBI says texts are not secure). If your email administrator account is hacked and you are locked out, regaining control through your website host is often the final stand, so protecting it today is critical.
Buying a main and a backup security passkey is a one-time purchase totaling $120 with no ongoing costs. Keep one with your keys; it's easy to use: like a thumb drive/USB stick, you plug it in for a second to log in. Since stolen credentials are the second most common threat vector, depending on your risk profile it may be cost-effective to have all accounts use it, as it can store a hundred passkeys and can replace passwords. Ensure your key uses FIDO2-compliant multi-factor authentication: even if you accidentally use a FIDO2 key on a phishing website, it only works on the designated logins, making FIDO2 one of the few phishing-proof methods.
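Why a FIDO2 key only works on the designated login, as an added illustration that is not part of Massif MSP's original list: the browser stamps the page's real origin into the client data the key signs, and the login server (relying party) rejects any assertion whose origin or RP ID hash does not match the site it registered. The domain names, challenge and minimal authenticatorData layout below are constructed for the example; signature verification is a separate step and is left out.

```python
import hashlib
import json

# Constructed values for the example (not from a real deployment):
RP_ID = "example.com"                         # relying party ID the key was registered for
REAL_ORIGIN = "https://login.example.com"     # the designated login page
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"    # server-issued, single-use challenge

def rp_id_hash(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256(rpId); the authenticator computes it, not the web page."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()

def make_client_data(origin: str, challenge: str) -> bytes:
    """What the browser builds for the key to sign; the browser, not the page, fills in origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4)."""
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")

def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  expected_origin: str, rp_id: str, expected_challenge: str):
    """Relying-party checks that make an assertion useless on any other site.
    Returns (ok, reason). Verifying the signature over
    authenticatorData || SHA-256(clientDataJSON) is omitted here."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not the designated login page"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set (key was not touched)"
    return True, "assertion is bound to the designated site"

if __name__ == "__main__":  # real page is accepted, lookalike page is rejected
    for origin in (REAL_ORIGIN, "https://login.example-support.com"):
        print(origin, check_binding(make_client_data(origin, CHALLENGE), make_auth_data(RP_ID),
                                    REAL_ORIGIN, RP_ID, CHALLENGE))
```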
4. Patching
The US government advises that patches be applied as soon as possible, because in most cybercrime incidents patches were available but the business had not applied them in the weeks leading up to the attack. As the front door to the internet, edge devices (firewalls) are probed hundreds of times daily, so check for updates and apply security updates within days, while holding feature-only updates to give time for public feedback on any new glitches. All endpoints should have scheduled patch cycles for vulnerability management to apply the monthly Windows patches, and plan for end-of-life operating systems across all network infrastructure.
5. DNS Records
For your website's domain, ensure SPF, DKIM, and DMARC are set up to prevent spoofed emails that impersonate your business from being sent to vendors or customers.
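An added example, not from the original post, of the checks behind that advice: a small Python assessment of a domain's SPF, DMARC and DKIM TXT records. The DNS answers are constructed inline (a real check would query DNS for the same names), and the domain and DKIM selector are placeholders.

```python
import re

# Mechanisms that cost a DNS lookup; SPF allows at most 10 per evaluation (RFC 7208).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")

def parse_tags(record: str) -> dict:
    """Turn a 'k=v; k2=v2' DMARC or DKIM record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain: str, txt: dict, dkim_selectors: list) -> list:
    """Return findings for SPF, DMARC and DKIM from TXT answers keyed by name; empty means sound."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record, so anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records, receivers treat this as permerror")
    else:
        terms = spf[0].split()
        if terms[-1] not in ("-all", "~all") and not terms[-1].startswith("redirect="):
            findings.append(f"SPF: ends with '{terms[-1]}' instead of -all/~all, spoofed mail passes")
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup mechanisms, over the limit of 10 (permerror)")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record at _dmarc, so spoofed mail is neither quarantined nor rejected")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p')} only monitors, set p=quarantine or p=reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you never see who is spoofing you")
    for selector in dkim_selectors:
        records = txt.get(f"{selector}._domainkey.{domain}", [])
        if not parse_tags(records[0] if records else "").get("p"):
            findings.append(f"DKIM: selector '{selector}' has no public key (missing or revoked)")
    return findings

# Constructed sample answers (not real DNS data): SPF and DKIM are fine, DMARC only monitors.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"],
}
```

Running `assess_email_auth("example.com", SAMPLE_TXT, ["s1"])` reports only the DMARC p=none weakness; a domain with `v=spf1 +all` and no DMARC or DKIM records gets one finding for each.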
6. Change Control
Critical infrastructure and business applications should have procedures for change. These should include an approval process so management knows of and approves changes before they impact people; changes should be scheduled outside business hours and logged in detail so security can go back and review historical settings. In case a change causes an issue, the reversion method for rolling back to the state before the change should be written into the disaster recovery plan.
7. Principle of Least Privilege
Employees often accumulate access to more files over time, which means that in a compromise or an accident those accounts can access, edit, or delete all of those files. The solution is Least Privilege: Identity and Access Management and Role-Based Access Controls should be applied to all account access. Administrators should need to enter additional credentials to access superuser roles. For internal job transfers, determine when to sunset the old access.
8. Vetting Google & AI
With more malware arriving through remote monitoring tools and ClickFix, verify that technical employees and the helpdesk have vetting processes for commands found in outside sources (Google, AI) to avoid running malware.
9. AI Policies
Consider your company's Artificial Intelligence (AI) risk tolerance: what information you'd be okay not being able to copyright or patent because it came from AI, and what data you could accept leaking through AI. For external AI agents, have interaction policies to share only the minimum non-proprietary, non-confidential information required to complete tasks; LLMs are stateless, but application logs typically store data. For agentic workflows, ensure that total deletion of the files on the workstation the agent uses is an acceptable risk. For large data sets, consider differential privacy (perturbing the data slightly). When you use AI, to reduce context compaction, rot, and hallucinations, use sub-agents, disable unnecessary tools, and refresh the context when context window usage exceeds 40%.
10. Long-term Purchases
Encryption methods should be inventoried so that new longer-term hardware purchases meet post-quantum cryptography standards, avoiding shortages or price spikes ahead of the 2030 "quantum day", when traffic captured today under non-quantum-safe encryption can be replayed and broken later, leading to leaks of passwords. This doesn't mean buying new technology unnecessarily today, but when you do purchase new gateways, firewalls, or VPNs, check whether they support Hybrid VPNs (classical key exchange combined with post-quantum key exchange).
Cybersecurity isn't buying a single product to be "protected"; it's building your organization a series of defenses against both accidents and cybercrime to reduce the likelihood and impact of incidents on your business when they happen. By sharing this list publicly and freely with all Maine businesses, our goal is to shift conversations toward the most cost-effective ways to meet modern standards, prevent business disruptions, and impose costs on cybercriminals. This list is a dialog, so if you want to discuss your cybersecurity situation or share your thoughts or feedback, reach out to us with the contact form below.