Imagis Contact information, map and directions, contact form, opening hours, services, ratings, photos, videos and announcements from Imagis, Information Technology Company, New York, NY.

11/21/2025

Guest accounts pile up fast—and they rarely leave on their own. Here’s a tight, practical baseline:

Do this today
- Discover: Export all guests + external shares (Entra/SharePoint/OneDrive, Google Drive/Groups).
- Expire & attest: Turn on guest expiration and quarterly access reviews (Entra ID Governance / Google reviews).
- Restrict sharing: Org-wide default to “Specific people” links; set domain allow/deny lists for external sharing.
- Limit capabilities:
  - M365: Conditional Access for guests (MFA, web-only, block download on unmanaged).
  - Google: Context-Aware Access (device/user/IP levels; view-only for unmanaged).
- Separate external from chat/collab sprawl: Tune Teams external/guest vs B2B Direct Connect; in Google, lock Drive/Chat external permissions by OU/group.
- Monitor: Alert on new guest invites, public links, and dormant guest sign-ins.

Small habit, big supply-chain risk reduction.
When did you last review who outside your org can still log in?

11/20/2025

SOC 2 vs ISO 27001 — choose in 5 questions

- Buyer: US enterprise/SaaS → SOC 2. Global/regulated/public → ISO 27001
- Artifact: Type II report vs accredited certificate
- Scope: System/service (SOC 2) vs org-wide ISMS (ISO)
- Evidence cadence: 6–12 mo operating effectiveness vs ISMS + surveillance audits
- Timeline: Fast unblock (Type I ➜ II) vs global tenders (ISO)

Stop duplicating work—map controls once, reuse ~80% of evidence.

Read the quick decision playbook: https://imagisit.com/article/soc-2-vs-iso-27001-choose-in-5-questions/

11/19/2025

Run this 60-minute sweep:

Pull 3 sources:
- IdP/SSO (apps, users)
- MDM/EDR (devices)
- Finance/procurement (POs, serials)

Reconcile & hunt unknowns:
- Match by user, hostname, serial, last seen
- Scan DHCP/DNS/VPN/Wi-Fi for rogue devices
- Mine SSO/browser/expense data for shadow SaaS
- Flag orphaned cloud resources (unused VMs, public buckets)

Make one list that matters:
Owner • BU • data classification • criticality • lifecycle (active/loaner/lost/retired) • controls (EDR, MDM, disk encryption, patching) • last seen

Automate & review:
- Daily ingest + exceptions queue
- Weekly deltas, monthly true-up, quarterly spot-check

Track real KPIs:
- % devices in MDM/EDR
- % assets with assigned owner
- Unknown asset rate
- Median days since last seen
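Here is the sweep above carried through end to end, as an added example (not Imagis code): three constructed exports (IdP, MDM/EDR, procurement) are reconciled by serial, hostname and user, a DHCP lease list is checked for hosts no source can explain, an exceptions queue is built, and the four KPIs are computed. The column names, the 30-day stale threshold and all sample rows are assumptions made for the example.

```python
"""Reconcile IdP, MDM/EDR and procurement exports into one asset list,
hunt unknown devices, queue exceptions and compute the sweep KPIs.
Added example with constructed data; column names are assumptions."""
from datetime import date
from statistics import median
from typing import Dict

STALE_DAYS = 30  # assumption: not seen in >30 days lands in the exceptions queue

# Constructed sample exports (not real company data).
IDP_DEVICES = [  # IdP/SSO: device registrations tied to a user
    {"user": "alice", "hostname": "LT-0101"},
    {"user": "bob", "hostname": "LT-0102"},
    {"user": "carol", "hostname": "LT-0103"},
]
MDM_EDR = [  # MDM/EDR: hostname, serial, last check-in, controls
    {"hostname": "LT-0101", "serial": "SN-A1", "last_seen": "2025-11-18", "edr": True, "encrypted": True},
    {"hostname": "LT-0102", "serial": "SN-A2", "last_seen": "2025-09-01", "edr": True, "encrypted": False},
    {"hostname": "LT-0104", "serial": "SN-A4", "last_seen": "2025-11-19", "edr": True, "encrypted": True},
]
FINANCE = [  # procurement: serial, PO, assigned owner
    {"serial": "SN-A1", "po": "PO-1", "owner": "alice"},
    {"serial": "SN-A2", "po": "PO-2", "owner": "bob"},
    {"serial": "SN-A3", "po": "PO-3", "owner": "carol"},  # bought, never enrolled
]
DHCP_LEASES = ["LT-0101", "LT-0102", "LT-0104", "RPI-KITCHEN"]  # network view


def build_inventory(idp, mdm, finance):
    """Merge the three sources: serial is the primary key, hostname links
    MDM to IdP, and the procurement owner links to the IdP user."""
    assets: Dict[str, dict] = {}
    by_host: Dict[str, str] = {}
    for rec in mdm:
        key = rec["serial"]
        assets[key] = {"serial": key, "hostname": rec["hostname"], "owner": None, "po": None,
                       "last_seen": date.fromisoformat(rec["last_seen"]),
                       "edr": rec["edr"], "encrypted": rec["encrypted"], "sources": {"mdm"}}
        by_host[rec["hostname"]] = key
    user_host = {r["user"]: r["hostname"] for r in idp}
    for rec in finance:
        key = rec["serial"]
        asset = assets.setdefault(key, {"serial": key, "hostname": user_host.get(rec["owner"]),
                                        "owner": None, "po": None, "last_seen": None,
                                        "edr": False, "encrypted": False, "sources": set()})
        asset.update(owner=rec["owner"], po=rec["po"])
        asset["sources"].add("finance")
        if asset["hostname"]:
            by_host[asset["hostname"]] = key
    for rec in idp:
        key = by_host.get(rec["hostname"])
        if key is None:  # known only to the IdP: keep it as a placeholder, not a silent drop
            key = "host:" + rec["hostname"]
            assets[key] = {"serial": None, "hostname": rec["hostname"], "owner": None, "po": None,
                           "last_seen": None, "edr": False, "encrypted": False, "sources": set()}
            by_host[rec["hostname"]] = key
        assets[key]["sources"].add("idp")
        assets[key]["owner"] = assets[key]["owner"] or rec["user"]
    return assets, by_host


def hunt_unknowns(by_host, leases):
    """Hosts seen on the network (DHCP/DNS/VPN) that no source explains."""
    return sorted(h for h in leases if h not in by_host)


def exceptions_queue(assets, today):
    """One row per control gap; this is what the daily ingest feeds."""
    issues = []
    for a in assets.values():
        ident = a["serial"] or a["hostname"]
        if "mdm" not in a["sources"]:
            issues.append((ident, "not enrolled in MDM/EDR"))
        if a["owner"] is None:
            issues.append((ident, "no assigned owner"))
        if a["last_seen"] and (today - a["last_seen"]).days > STALE_DAYS:
            issues.append((ident, f"stale: not seen in >{STALE_DAYS} days"))
        if "mdm" in a["sources"] and not a["encrypted"]:
            issues.append((ident, "disk not encrypted"))
    return issues


def kpis(assets, unknown, today):
    """The four KPIs from the post, as percentages / days."""
    n = len(assets)
    seen = [(today - a["last_seen"]).days for a in assets.values() if a["last_seen"]]
    return {"pct_in_mdm_edr": round(100 * sum("mdm" in a["sources"] for a in assets.values()) / n, 1),
            "pct_with_owner": round(100 * sum(a["owner"] is not None for a in assets.values()) / n, 1),
            "unknown_asset_rate": round(100 * len(unknown) / (n + len(unknown)), 1),
            "median_days_since_seen": median(seen) if seen else None}


def run_sweep(today=date(2025, 11, 21)):
    assets, by_host = build_inventory(IDP_DEVICES, MDM_EDR, FINANCE)
    unknown = hunt_unknowns(by_host, DHCP_LEASES)
    return kpis(assets, unknown, today), exceptions_queue(assets, today), unknown


if __name__ == "__main__":
    k, queue, rogue = run_sweep()
    print(k)            # {'pct_in_mdm_edr': 75.0, 'pct_with_owner': 75.0, 'unknown_asset_rate': 20.0, 'median_days_since_seen': 3}
    print(rogue)        # ['RPI-KITCHEN']
    for row in queue:
        print(row)
```

On the constructed data the sweep surfaces exactly the cases the post warns about: a purchased laptop that was never enrolled (SN-A3), an enrolled device nobody owns (SN-A4), a stale unencrypted device (SN-A2) and a host on DHCP that no inventory explains (RPI-KITCHEN). Swap the constructed lists for CSV reads of your real exports and the same functions give you the daily exceptions queue and the weekly KPI delta.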

Small ritual, huge risk reduction.
What’s your unknown asset rate today?

11/14/2025

Sweating laptops to year 5+ feels thrifty—until security slips. Short, predictable refresh cycles reduce risk:
- Patch eligibility: Older hardware drops off OS/driver/firmware support (bye-bye critical fixes).
- Hardware security: TPM 2.0/Secure Boot/Pluton + modern BIOS protections aren’t guaranteed on legacy models.
- Agent performance: EDR, disk encryption, and DLP need headroom—older CPUs = gaps, timeouts, skipped scans.
- Faster IR: Standardized models image faster and swap quicker during incidents.
- Less “exception drift”: Fewer carve-outs in policies = stronger baseline.

Make it real (playbook):
- Standardize 2–3 models with 3-yr NBD warranty (+1 yr option).
- Refresh 25–35% annually (green ≤24m, yellow 25–48m, red >48m).
- Enforce MDM zero-touch, full-disk encryption, Secure Boot, BIOS/UEFI updates.
- Decommission securely: wipe, attest, and certify disposal.

Finance will like the predictability. Security will love the reduction in unknowns.

What’s your current refresh cadence—and how many “red” devices are still in service?

11/13/2025

Stop overthinking level one. Start with three labels and ship:

Labels (make “Internal” the default):
- Public — safe for the internet; marketing, careers, press.
- Internal — everyday work; no external sharing by default.
- Restricted — customer data, finance, legal, PII; encrypt, watermark, limited access.

60-minute rollout
0–15 min: Define examples for each label (what’s in / out).
15–30 min: Flip sharing defaults: external = off unless Public; Restricted = invite-only.
30–45 min: Enforce in tools: M365 sensitivity labels / Google labels, basic DLP rules (block external on Restricted, warn on Internal).
45–60 min: Post a 1-pager for staff + add a banner: “Default label: Internal.” Schedule a 30-day review.

Measure next month: % files labeled, external shares blocked, Restricted violations prevented.

Simple beats perfect—get it live, then iterate.
How fast could your team get to v1?

11/07/2025

Over time, vendors pile up: MSPs, SaaS providers, consultants, integrators. Many of them still have logins to your systems long after the project is over.

That’s quiet risk.

Here’s a simple third-party access review you can run this month:

1️⃣ List all external accounts
– Guest users in M365/Google
– Vendor/admin accounts in VPN, firewalls, ERP, CRM, ticketing, etc.

2️⃣ Ask 3 questions for each vendor:
– Do they still actively work with us?
– What systems and data can they see?
– Do they still need this level of access?

3️⃣ Act on the answers:
– Remove dormant accounts
– Downgrade over-privileged access
– Add MFA + logging to anything that stays

Then put it on a cadence: quarterly third-party access review—small habit, big reduction in supply chain risk.

When was the last time you checked which vendors can still log in?

11/06/2025

If only 20–30% of your apps sit behind SSO, you don’t have an SSO strategy—you have SSO decoration.

Your “SSO Adoption %” is a real security KPI:
- 100% of critical apps behind SSO = fewer passwords to steal
- Central MFA + Conditional Access = consistent protection
- One offboarding action = access removed everywhere

Quick self-check
1️⃣ Export all apps your users log into (IdP, browser, expense data).
2️⃣ Mark which are behind SSO vs. direct login.
3️⃣ Calculate: apps behind SSO / total apps.
4️⃣ Set a goal: e.g. 80%+ in 6–12 months, 100% for critical apps.

Then start migrating: finance, HR, CRM, email, dev tools—anything with sensitive data or broad access.

What’s your SSO adoption % right now—and what’s your target by year-end?

11/05/2025

Most teams discover backup gaps during an outage or ransomware incident—when it’s too late.

In our latest article, we break down:
- RPO & RTO in plain language
- The 3-2-1-1-0 backup rule for ransomware resilience
- How to run real restore tests (and prove it to auditors)

If your only evidence is “the job says Success,” this one’s for you.
Read the full guide: https://imagisit.com/uncategorized/backup-that-actually-restore/

10/30/2025

Security-as-UX: Fewer prompts, stronger auth — why passkeys feel better 🔐✨

Passwords create friction (and tickets). Passkeys flip the script:

- Phishing-resistant by design (no shared secret to steal)
- One-tap sign-in with Face/Touch ID = happier users
- Fewer resets & lockouts = lighter helpdesk
- Faster auth = better conversion for customer apps

How to roll out (fast):
- Enable passkeys in your IdP/SSO (Entra/Okta/Google).
- Start with admins & high-risk apps; keep 1–2 break-glass accounts.
- Offer device-bound + sync passkeys; define recovery & fallback.
- Ship a 60-sec how-to and update the helpdesk playbook.
- Track wins: reset tickets ↓, auth success ↑, time-to-auth ↓.

Security that feels invisible is security people actually use.

10/24/2025

Access creep is inevitable—projects end, roles change, contractors linger. Fix it with a 30-minute review:

Do this this week

1. Export users, roles & app groups from your IdP (Entra/Okta/Google).
2. Filter: inactive >60 days, ex-contractors, shared/service accounts, privileged roles.
3. Attest: send owners a one-click “keep/remove/downgrade” review (10-day expiry).
4. Revoke unapproved access, rotate tokens, close shared logins, archive stale groups.
5. Log every change (ticket + audit trail) and schedule the next review.
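The filter-attest-revoke loop above, and the dormant-guest and vendor-account checks from the earlier posts, come down to the same logic: flag accounts by inactivity, ended engagement, shared/service type or privileged role, send each one to an owner with a short expiry, and treat a review that expires unanswered as "remove". Here it is as an added example (not Imagis code) over a constructed IdP export; the column names, the 60-day and 10-day thresholds and the role names are assumptions, not the schema of Entra, Okta or Google.

```python
"""Stale-access review: filter an IdP export, build a time-boxed attestation
queue, and turn reviewer decisions (or silence) into revocation actions.
Added example with constructed data; field names are assumptions."""
from datetime import date, timedelta

INACTIVE_DAYS = 60        # from the post: inactive >60 days
REVIEW_EXPIRY_DAYS = 10   # from the post: 10-day expiry on the keep/remove/downgrade ask
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Owner"}

# Constructed export (not real accounts). "owner" is the business owner who attests.
USERS = [
    {"upn": "alice@corp.example", "type": "member", "last_sign_in": "2025-11-20",
     "roles": ["User"], "owner": "it@corp.example", "end_date": None},
    {"upn": "vendor1@msp.example", "type": "guest", "last_sign_in": "2025-07-01",
     "roles": ["User"], "owner": "pm@corp.example", "end_date": "2025-08-31"},
    {"upn": "svc-backup@corp.example", "type": "service", "last_sign_in": "2025-11-19",
     "roles": ["Owner"], "owner": None, "end_date": None},
    {"upn": "contractor2@agency.example", "type": "guest", "last_sign_in": "2025-11-15",
     "roles": ["User"], "owner": "pm@corp.example", "end_date": "2025-10-31"},
    {"upn": "bob@corp.example", "type": "member", "last_sign_in": "2025-11-10",
     "roles": ["Global Administrator"], "owner": "it@corp.example", "end_date": None},
]


def flag_account(u, today):
    """Step 2: return the reasons an account needs review (empty = fine)."""
    reasons = []
    last = date.fromisoformat(u["last_sign_in"]) if u["last_sign_in"] else None
    if last is None or (today - last).days > INACTIVE_DAYS:
        reasons.append(f"inactive >{INACTIVE_DAYS}d")
    if u["end_date"] and date.fromisoformat(u["end_date"]) < today:
        reasons.append("engagement ended")          # ex-contractor / finished vendor project
    if u["type"] in ("service", "shared"):
        reasons.append("shared/service account")
    if set(u["roles"]) & PRIVILEGED_ROLES:
        reasons.append("privileged role")
    return reasons


def build_review(users, today):
    """Step 3: one attestation item per flagged account, with an expiry.
    Accounts with no owner go to the security team rather than being skipped."""
    items = []
    for u in users:
        reasons = flag_account(u, today)
        if not reasons:
            continue
        items.append({"upn": u["upn"], "reasons": reasons,
                      "reviewer": u["owner"] or "it-security (no owner on record)",
                      "expires": today + timedelta(days=REVIEW_EXPIRY_DAYS)})
    return items


def apply_decisions(items, decisions, today):
    """Step 4: keep / downgrade / remove. An item past its expiry with no
    answer fails closed and is treated as 'remove'."""
    actions = []
    for item in items:
        decision = decisions.get(item["upn"])
        if decision is None and today > item["expires"]:
            decision = "remove"
        if decision == "keep":
            continue
        if decision == "downgrade":
            actions.append((item["upn"], "downgrade", "strip privileged roles, keep login"))
        elif decision == "remove":
            actions.append((item["upn"], "remove", "disable account, revoke sessions and tokens"))
        else:
            actions.append((item["upn"], "pending", "awaiting " + item["reviewer"]))
    return actions


if __name__ == "__main__":
    review_day = date(2025, 11, 21)
    queue = build_review(USERS, review_day)
    for item in queue:
        print(item["upn"], item["reasons"], "->", item["reviewer"], "by", item["expires"])
    # Constructed reviewer answers; contractor2 and vendor1 never got an answer.
    answers = {"bob@corp.example": "keep", "svc-backup@corp.example": "downgrade"}
    for action in apply_decisions(queue, answers, review_day + timedelta(days=11)):
        print(action)
```

The same function set covers the earlier posts: run it against a guest-only export and "engagement ended" plus "inactive" is your dormant-guest list; run it against vendor and admin accounts in VPN, firewall or ERP exports and the three vendor questions map onto the flags. Step 5 (ticket and audit trail) is just logging the returned action tuples wherever your change records live.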

Measure: revocations per quarter, time-to-revoke, % users in least-privilege roles.

Small habit, big reduction in breach risk—and auditors love it.

10/22/2025

Most breaches start in the browser. Tighten the blast radius by controlling extensions:

Do this today

- Default = Block, then allowlist only approved extensions.
- Disable Developer Mode + external sources; no “load unpacked.”
- Review permissions (clipboard, file access, broad host access such as “*” on all sites); auto-remove high-risk.
- Force-install security add-ons (password manager/EDR) and log everything.
- Add a request workflow so users can propose tools without Shadow IT.

Fast paths
Google Workspace: Admin Console → Devices → Chrome → Apps & extensions → Users & browsers → Block-all, then Allowlist; enable Extension reporting; disable Developer Mode.

Microsoft Edge (Intune): Endpoint Manager → Devices → Config Profiles → Microsoft Edge → set ExtensionInstallBlocklist/Allowlist; disable Developer Mode; enable SmartScreen & Enhanced Security.

Small control, big reduction in phishing, data exfil, and malware risk.
Want help with securing your browser? Follow the link: https://imagisit.com/services/managed-security-services/

10/17/2025

1. Isolate, don’t power off. Pull network (Ethernet/Wi-Fi/VPN) on affected hosts or quarantine in EDR. Keep systems on to preserve evidence.
2. Preserve evidence immediately. Screenshot ransom notes, record filenames/timestamps, collect logs/EDR alerts, and start a simple chain-of-custody.
3. Activate your IR plan. Notify IR lead, legal/comms, and (if applicable) cyber-insurance. Assign a single incident commander and open a ticket/war-room.
4. Stop lateral movement. Enforce MFA, disable suspicious accounts, reset privileged creds, revoke OAuth/API tokens, and block legacy protocols where possible.
5. Protect clean backups. Lock backup consoles, verify last known-good restore point, enable immutability/offline copies, and halt any automated deletions.

Do not: wipe systems, “test” restores into the infected network, or engage the attacker directly.

Want a one-page runbook you can print for your team? Comment “RUNBOOK” and I’ll share it.

Address

New York, NY
