A guest Wi-Fi setup that won’t expose the office
How to give visitors internet access without putting file shares, cameras, and printers on the same network as your coffee-shop guests.
71 articles
How to give visitors internet access without putting file shares, cameras, and printers on the same network as your coffee-shop guests.
By Michael NarehoodMicrosoft 365
A practical path to require multifactor authentication in Microsoft 365 for a small business, without locking everyone out on Friday afternoon.
Hugging Face disclosed an AI-driven intrusion through its dataset pipeline. Lessons on hosted model guardrails, local forensics, and treating data processing as attack surface.
A realistic endpoint baseline for small businesses: patching, MFA, EDR, backups, and least privilege, without pretending you need a Fortune 500 stack.
Critical unauthenticated RCE (wp2shell) hits WordPress 7.0.0–7.0.1 and 6.9.0–6.9.4. What the CVEs mean, which versions are fixed, and what SMBs should do today.
OpenAI's internal GPT-Red red-teaming model shows how automated prompt injection testing scales. Practical steps for businesses deploying Copilot, agents, and AI connectors.
Microsoft's record July 2026 release reflects AI-assisted vulnerability discovery. What MSPs and SMBs should change in triage without freezing from volume anxiety.
Why phishing-resistant MFA belongs on privileged accounts first, and how to start small.
You cannot patch what you forgot existed. A quick method to find shadow WordPress and forgotten subdomains.
A look at Qutzl’s patch priority process when a core product vulnerability hits the news.
Out-of-office season is when delayed patching and standing admin rights get expensive. A pre-travel checklist.
Bot leads waste sales time and can hide phishing callbacks.
BYOD mail and Teams are convenient. Containerization and remote wipe need to be real.
Any-any rules and forgotten NAT entries accumulate. Schedule the cleanup.
Separate admin identities and turn off unused seats before attackers find them.
What to do in the first sixty minutes of a suspected breach.
By Michael NarehoodMicrosoft 365
Citizen automation is great until a forgotten flow holds privileged consent.
By Michael NarehoodBackups & Continuity
A one-hour script to practice ransomware or BEC response without breaking production.
By Michael NarehoodMicrosoft 365
Impossible travel, new countries, and legacy protocol spikes: signals worth a human look.
By Michael NarehoodMicrosoft 365
Toll fraud and voicemail hacks still happen. A short hardening list for modern phone systems.
How small business sites get owned, and a maintenance rhythm that prevents most of it.
Temporary staff need tools on day one, not permanent Global Admin on day ninety.
Powering off is not decommissioning. Data remnants and DNS ghosts linger.
By Michael NarehoodMicrosoft 365
Federation and guest access are powerful, and easy to leave too open.
Block-all vs allow-with-logging: picking a control that matches your risk.
By Michael NarehoodMicrosoft 365
Secure Score is a guide, not a grade. Which recommendations move risk for small tenants.
By Michael NarehoodMicrosoft 365
Open calendars leak meetings, clients, and travel plans. Tighten defaults without killing scheduling.
Default passwords, ancient firmware, and flat VLANs turn MFPs into quiet pivot points.
How remote assistance should work when you care about consent, audit trails, and least privilege.
Signature AV alone is not enough. How EDR changes outcomes without requiring a SOC theater budget.
Service accounts with never-expiring passwords become permanent backdoors.
Helpful toolbars are supply-chain risk. How to set a sane policy.
Anthropic's April 2026 Project Glasswing put Claude Mythos Preview to work finding critical flaws with major vendors. What that means for downstream patching at ordinary SMBs.
Rotating the PSK every week is not a strategy. Segmentation and enterprise auth are.
Default passwords and UPnP still ship with many “security” cameras. Segment them before they segment you.
Payment devices and office laptops should not share a flat network. A practical segmentation sketch.
By Michael NarehoodBackups & Continuity
MFA, EDR, and backup proof: what underwriters ask and how to answer without scrambling.
Contractors and MSPs change. Make sure their VPN, admin, and SaaS access changes with them.
Separate guests from production without making the lobby password a company secret.
By Michael NarehoodBackups & Continuity
A focused working session to improve your odds before an incident, not a multi-month maturity model.
By Michael NarehoodMicrosoft 365
Disable stale accounts, reclaim licenses, and shrink attack surface before summer projects start.
Full tunnel vs split tunnel is a security and performance comparison. Make it on purpose.
NAS firmware holes are quiet until ransomware finds the share.
Block macros from the internet. Your 2014 workflow may need a redesign.
Why delayed disablement is a predictable incident.
A two-hour quarterly ritual that catches privilege creep before an audit or an attacker does.
Move past email attachments for sensitive files without making clients jump through hoops.
End-of-support appliances quietly become unpatchable internet doors. How to plan a refresh without drama.
A plain-language tour of the three records that decide whether your mail looks legitimate.
By Michael NarehoodMicrosoft 365
SharePoint and OneDrive sharing settings that balance client collaboration with least privilege.
The phrases and patterns that should trigger a pause before anyone moves money.
CPAs and bookkeepers become high-value targets each spring. Harden the paths to returns and source docs.
Old TLS versions linger in niche payment and LOB software. Plan the break.
Credit-card SaaS purchases create data and identity debt. How to see it without becoming the department of no.
When one ancient app pins you to an old OS, and exit ramps that are less painful than denial.
SIM swaps and SS7 abuse make text-message codes weaker than app-based or FIDO MFA.
BitLocker and FileVault basics so a stolen laptop is an inconvenience, not a breach notification.
When a classic VPN is enough, when it becomes a liability, and what “zero trust” means without the buzzwords.
How to run awareness tests that improve reporting rates instead of breeding resentment.
Ransomware and commodity malware love over-privileged users. How to shrink admin without breaking work.
By Michael NarehoodMicrosoft 365
A practical way to kill shared spreadsheets without enterprise IAM theater.
Attackers spam approve prompts until someone taps Yes. How number matching and better MFA choices help.
Skip the resolutions theater. Five security habits SMBs can keep through February and beyond.
Emergency browser updates do not wait for Patch Tuesday. How SMBs should force Chrome updates, control extensions, and close the relaunch gap before attackers do.
Microsoft’s Windows Server 2025 LTSC release brings hotpatching, stronger Active Directory and SMB security, hybrid cloud options, and a 180-day evaluation download.
iOS 18.0.1 fixes iPhone 16 touchscreen and camera issues, Messages crashes, performance problems, and important security bugs in Messages and Passwords.
macOS 15 is GA with iPhone Mirroring, a Passwords app, and continuity changes IT should pilot before a broad upgrade.
A practical shortlist of WordPress plugins for security, Google insights, SEO, legal pages, and caching: what each one does and when Premium is worth it.
A bad Falcon content update crashed millions of Windows systems. Here is what small IT teams should change without turning it into blame theater.
By Michael NarehoodSoftware & Releases
Google finished the MV3 transition. Here is what broke, what still works, and a practical checklist for extension policy at work.
CVE-2024-3094 hit rolling Linux distros hard. Here is what happened, who was exposed, and the checks SMB teams should run.