All posts by SystemsNet

The Identity Perimeter: Why MFA Is No Longer Enough Without ITDR (Identity Threat Detection)

Phish-Resistant MFA - SystemsNet
Cybersecurity

In 2026, MFA alone is simply not enough: Cyber criminals have now moved beyond just the login page and are targeting activities that happen after authentication. If your cybersecurity stops at the front door, you are missing where most breaches actually begin.

This shift is why phish-resistant MFA is a starting point, not a finish line. And it is why identity threat detection and response (ITDR) has become the layer that separates businesses that detect attacks early from those that find out weeks later.

Where MFA Is Falling Short

While MFA can still stop a large category of attacks, it falls short in protecting businesses from some new cyber threat methods. Attackers are now using new methods to bypass MFA protection and gain access to your data: MFA fatigue and adversary-in-the-middle (AiTM) phishing.

MFA Fatigue

MFA fatigue does exactly what it sounds like. An attacker with valid credentials spams the user with push approval requests until exhaustion or confusion produces an accidental tap. It requires no technical sophistication,  just patience and a stolen password.

Adversary-in-the-Middle (AiTM) Phishing

AiTM phishing is more technical and more dangerous. The attacker stands up a reverse-proxy page that mirrors a legitimate sign-in portal. The user authenticates normally, MFA fires and the session token is intercepted in transit. The attacker never needs to crack a password or bypass MFA;  they steal the proof that authentication already happened.

What Does “Identity as the Perimeter” Actually Mean?

Identity is now the only perimeter that travels with your business. Traditional network perimeters assumed your employees worked inside a building on hardware your IT team controlled. With remote and hybrid work environments, that assumption is no longer accurate. 

When staff are accessing your networks from personal devices, home networks, hotel Wi-Fi and third-party vendor portals, the deciding factor is identity. The login, the session token, the role assignment and the access policy are the controls that determine who reaches what.

This is the architecture of modern-day work. And it means that if an attacker compromises a valid identity, they do not need to breach a firewall. They are already inside.

What Happens After the Front Door? Session-Level Risk and Breaches

Phish-resistant MFA protects the authentication event. It does not monitor the session that follows.

Once a user is authenticated, a session token is issued. Modern attacks frequently target that token directly. AiTM attacks steal it mid-authentication. Malware on an endpoint can extract it from memory. If the token is valid and unexpired, the attacker moves freely.

Even without token theft, session-level risk exists. Consider a legitimate account that suddenly:

  • Accesses systems it has never touched before.
  • Attempts to modify group policies or admin assignments.
  • Exports large volumes of data outside business hours.
  • Authenticates from a geography inconsistent with the user’s pattern.

These activities are exhibiting risk signals that MFA cannot see because MFA is not watching sessions. It checked the badge at the door. It is not following the visitor through the building. ITDR is designed to watch over the building.

What Is ITDR and How Does It Fit With EDR and XDR?

Identity threat detection and response (IDTR) is the security layer focused specifically on user identities.

For business owners already familiar with endpoint and extended detection tools, the relationship works like this:

  • EDR (endpoint detection and response) watches the device, including processes, files, memory and network connections at the hardware and OS level
  • XDR (extended detection and response) aggregates signals across endpoints, email, cloud apps and network; connecting telemetry to surface broader attack patterns
  • ITDR focuses on the identity layer — the user account itself – how it is behaving, what it is accessing, whether the session looks legitimate and whether privilege levels are changing in ways they should not

These layers are complementary. A sophisticated attack often touches all three: it starts with a phishing email (email security and EDR), moves through compromised credentials (ITDR) and then attempts to install tooling on endpoints (EDR/XDR again). Without the identity layer, that middle stage is invisible.

How Does ITDR Help Stop Privilege Escalation?

Privilege escalation is one of the most dangerous and underappreciated identity risks in SMB and mid-market environments. An attacker who compromises a low-privilege account does not necessarily need to stay at that privilege level. 

If the environment has misconfigured role assignments, legacy permissions that were never cleaned up or weak controls around administrative groups, the attacker begins probing. They look for accounts they can impersonate, permissions they can inherit or group memberships they can modify. Slowly and quietly, a low-level account becomes a path to administrative control.

ITDR detects this behavior by establishing baselines and flagging anomalies:

  • A standard user account attempts to query Active Directory for admin group memberships
  • A service account suddenly starts authenticating interactively
  • A user who has never touched a particular system begins making repeated access attempts
  • A role assignment is modified outside of a change management window

The goal  of ITDR is to identify the pattern of privilege escalation before the attacker reaches the level of control that makes remediation difficult and expensive.

How Does ITDR Provide Continuous Identity Monitoring Across Platforms?

In a modern SMB or mid-market environment, identity is spread across multiple platforms: Microsoft Entra ID (formerly Azure AD), on-premises Active Directory if still in use, Google Workspace, third-party SaaS applications and potentially privileged access management tools. Each of those platforms issues its own sessions, manages its own roles and logs its own activity.

ITDR tools ingest signals across these platforms and evaluate them continuously:

  • Is this user’s behavior consistent with their historical pattern?
  • Is the device presenting claims it should be able to make?
  • Has the session origin changed in a way that suggests token theft?
  • Are role assignments drifting from what policy allows?
  • Are there dormant accounts, stale permissions or orphaned credentials creating exposure?

The result is a continuous posture evaluation. This is the difference between a guard who checks badges at the door and a security system that monitors the entire building throughout the day.

What Does ITDR Response Look Like With SystemsNet?

When ITDR detects a compromised or suspicious credential, the “response” part of the acronym has to mean real action. At SystemsNet, a triggered identity threat follows a structured response workflow:

  1. Contain the account: Suspend or isolate the affected credential immediately to limit lateral movement
  2. Revoke active sessions: Invalidate all existing session tokens associated with the account, forcing reauthentication
  3. Assess scope: Determine what systems the account accessed, what data was reached and whether any configuration changes were made
  4. Identify the entry point: Determine how the credential was compromised (phishing, credential stuffing, token theft) to close the initial vector
  5. Communicate with the client: Give the business owner or IT lead a clear, plain-language summary of what happened, what was done and what recovery steps are needed
  6. Restore access safely: Reissue credentials under verified conditions, confirm phish-resistant MFA enrollment and document the incident

The objective is to stop the attack before a suspicious login turns into data exfiltration, ransomware deployment or regulatory exposure.

Businesses that have phish-resistant MFA deployed but no identity threat detection have visibility into the front door and nothing else. Without the added step, you don’t have a comprehensive security posture. Ready to change that?  Contact SystemsNet today to schedule an identity security assessment and find out where your identity layer is exposed.

Preparing Your Data for AI: Why SharePoint for Microsoft Copilot Is Your Secret Weapon

Technology

SharePoint for Microsoft Copilot - SystemsNet

Artificial intelligence is only as effective as the data behind it. As more organizations adopt tools like Microsoft Copilot, the way your SharePoint environment is structured directly impacts the results you get. That’s why SharePoint for Microsoft Copilot requires preparing your data so those tools can actually deliver value.

If your SharePoint environment is cluttered, inconsistent or poorly governed, AI will reflect those same issues. Clean architecture is what turns AI from a risk into a real advantage.

SharePoint for Microsoft Copilot Starts With Clean Data

Before AI can deliver meaningful insights, it needs access to accurate, organized and trustworthy information. In many organizations, SharePoint contains what is often referred to as “data junk” which can cause confusion for AI.

Data junk often includes duplicate files, outdated documents, inconsistent folder structures, poor metadata and unclear permissions. When multiple versions of the same document exist or content is poorly labeled, AI struggles to determine what is current and reliable.

With SharePoint for Microsoft Copilot, the real issue is clarity. Clean, well-structured data gives AI the context it needs to produce accurate and useful results, whereas ambiguous and outdated data creates friction.

Clean Data Is the Foundation for AI Success

One of the biggest culprits is ROT (redundant, obsolete or trivial) data content. Old files, multiple versions or abandoned libraries force AI to guess what’s current, leading to inconsistent outputs and lower confidence in results.

Cleaning up ROT data and establishing a well-structured environment does more than reduce noise; it shortens the time to value. When content is accurate, organized and governed:

  • AI finds relevant information faster.
  • Search results become more precise.
  • Automation is more reliable.

A clean foundation transforms SharePoint for Microsoft Copilot from a nice feature into a practical, day-to-day tool. Once ROT data is removed and content is structured, AI can start delivering actionable insights immediately.

Structure Your Data So AI Can Understand It

AI does not interpret information the same way people do. It relies on structure and context to deliver meaningful results, which is why your data organization strategy is critical for effectively implementing AI.

Metadata plays a key role by adding context to documents through tags like department, project, document type or status. This makes it easier for AI to search, filter and interpret content accurately. Additionally, AI is much more effective at pulling data using metadata than it is at using information from sorted folders.

At the same time, standardized templates and content types bring consistency to how information is created across your organization. When documents follow the same structure and are labeled correctly, AI can recognize patterns and connect information more effectively.

For SharePoint for Microsoft Copilot, this structured approach allows AI to deliver more relevant and reliable results.

Why Permissions Can Make or Break AI Security

AI introduces a new layer of cybersecurity risk if your SharePoint permissions are not properly managed. Without clear structure and access controls, sensitive information can be surfaced to the wrong users.

Over time, many SharePoint environments develop inconsistent permissions. Access gets layered with one-off exceptions, broken inheritance and unclear ownership, making it difficult to understand who can access what. When AI is introduced into that environment, it exposes these issues faster.

A well-designed SharePoint environment prevents this by:

  • Keeping sensitive data in controlled locations.
  • Implementing role-based permissions.
  • Avoiding broken inheritance across sites and folders.

Cleaning up permissions should be a priority before deploying AI. This means standardizing access, removing unnecessary exceptions and making permissions easier to audit and manage.

AI tools will only surface what users already have access to, but if your permissions are messy, that risk multiplies quickly. By fixing these issues first, you ensure SharePoint for Microsoft Copilot operates within clear, secure boundaries.

Ongoing Governance Keeps Your Environment AI-Ready

Cleaning up SharePoint is not a one-time project. Without ongoing governance, environments quickly return to clutter.

To stay AI-ready, your organization needs clear ownership, regular reviews and consistent standards for managing information. Retention and archiving also help prevent outdated content from building back up.

Without these ongoing practices, even a well-structured environment can drift back into inconsistency, reducing the accuracy and reliability of AI-driven insights.

Build a Stronger Foundation Before Investing in AI

If your budget is limited, investing in SharePoint cleanup before purchasing AI licenses is a smart move. Even the most advanced tools will underperform if the underlying data is disorganized. 

Once your SharePoint environment is properly structured and governed, you can invest in AI with confidence that outputs will be accurate, secure and reliable.

Your SharePoint for Microsoft Copilot Readiness Checklist

Before moving forward with AI, make sure your SharePoint environment is actually ready.

You’re in a strong position if you have:

  • Clean data (no duplicates or outdated files).
  • A clear source of truth.
  • Structured permissions.
  • Metadata applied across documents.
  • Standardized templates and content types.
  • Defined ownership and governance.

Without the proper steps, your AI will underdeliver and you will lose on your investment.

Prepare Your SharePoint Environment With SystemsNet

AI is changing how businesses operate, but businesses must be prepared for this change in order to be successful. SystemsNet helps organizations clean, structure and secure their SharePoint environments so they are ready for tools like Microsoft Copilot.

From architecture design to governance and ongoing management, we ensure your data supports your business goals instead of holding them back.

Ready to get more value from your AI investment? Contact SystemsNet today to prepare your SharePoint environment for Microsoft Copilot.

CMMC Compliance 2.0 Phased Rollout: What DoD Contractors Must Do in 2026

Cybersecurity

CMMC Compliance - SystemsNet

The Department of Defense’s phased rollout of CMMC 2.0 is changing the game for contractors. Compliance is no longer a “check the box” activity after award: It’s now a prerequisite to bid, and prove your security posture across the supply chain. 

Contractors need to act now if they want to avoid losing access to late-2026 work and beyond.

CMMC Compliance in 2026: What Actually Changed

CMMC 2.0 introduces a more structured and enforceable approach to protecting Controlled Unclassified Information (CUI) across the defense supply chain. Instead of a one-size-fits-all model, the framework has tiers:

  • Level 1 (Foundational): Basic cybersecurity practices for contractors handling Federal Contract Information (FCI)
  • Level 2 (Advanced): Alignment with NIST 800-171, required for contractors handling CUI
  • Level 3 (Expert): Additional protections for organizations supporting highly sensitive DoD programs

For most contractors, Level 2 is the standard.

More importantly, compliance is no longer something you can address after winning a contract. It is becoming a requirement to even qualify.

The phased rollout means these requirements will be introduced gradually into contracts rather than all at once, but the impact is immediate. Contractors should already be preparing and implementing parts of the framework because eligibility for late-2026 contracts will depend on having a defensible CMMC compliance position in place.

It’s also not limited to new contract awards. CMMC requirements can be triggered during the life of an existing contract, with:

  • Option renewals or extensions.
  • Task or delivery order actions.
  • Contract modifications that introduce CUI.

This is where many contractors get caught off guard. CMMC compliance now affects the full lifecycle of a contract, not just the starting point.

Where Contractors Are Getting CMMC Wrong

One of the biggest risks in CMMC compliance today is false confidence. Many contractors believe they are prepared when their documentation and controls would likely not hold up under scrutiny.

A common example is the SPRS self-assessment. Too often, organizations treat it like a form to submit rather than a position they need to prove. Scores are entered before scope is fully defined, controls are validated or documentation is complete.

The reality is simple: If you cannot clearly explain how your SPRS score was calculated and back it with evidence, it becomes a liability.

There is also increasing legal and executive risk tied to compliance. Under CMMC 2.0, a senior company official must affirm compliance annually. That affirmation carries real legal weight. Undocumented gaps or improperly managed POA&Ms can lead to audits, contract issues or even legal exposure.

These mistakes are what makes improper CMMC compliance a business risk that leadership is directly accountable for.

The Right Way to Approach CMMC 2.0

Contractors who succeed with CMMC 2.0 are the ones building a structured, defensible approach to compliance rather than simply checking requirements. 

Start With Scope, Not Tools

Many organizations overspend or struggle because they attempt to apply CMMC requirements all at once across their entire environment. A more effective approach is to isolate CUI into a clearly defined enclave with controlled users, systems and data flows. 

When that boundary is properly documented and enforced, it reduces both cost and complexity while making compliance easier to defend.

Build for Today, Plan What’s Next

From there, the focus shifts to building against current requirements while preparing for what’s next. 

The DoD currently only mandates NIST 800-171 Rev. 2, even though Revision 3 has been released.

Contractors need to:

  • Meet Rev. 2 requirements today to remain contract-ready.
  • Design their environment so it can adapt to future updates without a full rebuild.

This approach allows you to stay compliant now while avoiding costly rework later.

Implement High-Impact Controls

Not all controls are equal. High-weight controls — such as multi-factor authentication, FIPS-validated encryption and key system security requirements — must be fully in place before any formal assessment. 

These are not areas where organizations can rely on future remediation plans or short-term fixes. If these controls are not in place, you are not ready for assessment.

Define Responsibility Across Your Environment

For contractors working with external providers, clarity around responsibility is essential. 

A shared responsibility matrix should clearly define:

  • Who owns each control.
  • How it is managed.
  • What evidence supports it.

During an audit, “our MSP handles that” is not an acceptable answer. Every control must be clearly assigned and fully documented.

CMMC 2.0 To-Do List for DoD Contractors

If you are preparing for CMMC compliance in 2026, focus on the fundamentals first:

  • Define and validate your CUI scope.
  • Build and document a complete System Security Plan.
  • Ensure high-weight controls are fully implemented.
  • Review and properly manage all POA&Ms.
  • Align with NIST 800-171 Rev. 2 requirements.
  • Establish clear shared responsibility with any MSPs.
  • Submit an SPRS score that is accurate and defensible.

Without these steps, compliance efforts will stall, and contract eligibility may be at risk.

The SystemsNet Takeaway

CMMC 2.0 is more than a new requirement: It’s a shift in how contractors prove they can be trusted with sensitive data. Organizations that start early, scope correctly and build a defensible compliance program will be in a strong position to win and retain contracts.

SystemsNet helps contractors assess their current state, close compliance gaps and build programs that stand up to real audits, not just internal checklists.

Ready to protect your contracts and stay competitive in 2026? Contact SystemsNet today to get started.

Cybersecurity Insurance in 2026: The Mandatory Checklist for Coverage Approval

Cybersecurity

Cyber Insurance 2026 - SystemsNet

Cyber insurance used to be a safety net. In 2026, it’s a qualifying test. 

The days of simply checking “yes” on a self-attestation form are over. Now, carriers want proof that your controls work, your processes are repeatable and your team can recover quickly when something goes wrong. If you can’t demonstrate that, approvals slow down, premiums spike or insurers simply decline coverage.

As the threat landscape has evolved, so has the underwriting process. To help you navigate your next renewal, Joe Keesey, President at SystemsNet, provides this mandatory checklist for Cybersecurity Insurance in 2026 based on frontline experience and the latest carrier requirements.

1. Frameworks That Actually Matter to Insurers

Insurance applications still reference NIST, ISO 27001 and SOC 2. Carriers in 2026 care less about the framework name and far more about whether the core controls are provably implemented. 

NIST CSF remains a gold standard because it maps directly to how insurers evaluate risk: identify, protect, detect, respond and recover.

What insurers expect:

  • Can you provide screenshots, reports and logs proving your framework alignment?

2. Full Transparency About Past Incidents

Trying to hide a breach or ransomware event is one of the fastest ways to lose coverage. Insurers cross-check claims data, logs and reporting timelines.

Your responsibilities:

  • Answer incident-related questions accurately
  • Stay consistent across renewal cycles
  • Stay transparent regarding past events

3. Cyber Insurance as a Governance Driver

Carriers are now using underwriting to push organizations toward measurable maturity. At SystemsNet, we use tools like Cynomi to keep client programs organized with framework-aligned assessments and automated policy refreshes.

The shift in 2026:

  • Carriers are pushing organizations toward measurable maturity
  • Approvals and pricing depend on continuous improvement
  • Documentation is a requirement, not a nice-to-have

4. The Non-Negotiable Technical Controls

In 2026, there is a baseline “utility” stack that insurers treat as mandatory. If these are missing, approval is unlikely.

  • MFA everywhere: Not just for admins, but for every user, on every identity (M365, VPN and SaaS apps).
  • Modern EDR: Continuous monitoring across all endpoints (e.g., SentinelOne).
  • Reliable and protected backups: Immutable, air-gapped or cloud-isolated backups (e.g., Keepit or Datto SIRIS).
  • DNS-layer protection: Filtering threats before they reach the network (e.g., DNSFilter)
  • Proof that all these tools are active and enforced

If you don’t have these in place, approval is unlikely.

5. Advanced Email Security

Since the majority of claims still originate via phishing, insurers have moved beyond basic spam filters and MFA.

What insurers expect:

  • DMARC enforcement (set to quarantine or reject), not just monitoring
  • SPF and DKIM accuracy across all domains
  • Legacy authentication disabled to prevent credential bypass
  • Layered anti-phishing and ongoing user awareness training

6. Zero-Trust Improves Insurability

Zero-trust has become a major factor in insurability because it limits the “blast radius” of a compromise by moving away from traditional network perimeters.

SystemsNet uses Tailscale to support:

  • Single sign-on (SSO)
  • MFA by default
  • Least-privilege access to apps and systems
  • No exposed VPN ports or traditional gateway risks

The tighter your access model, the safer you look on paper.

7. Backups Must Be Tested and Documented

Insurers don’t just ask if you have backups anymore; they verify whether you can recover reliably and quickly.

They look for:

  • Coverage of Microsoft 365 assets
  • Snapshot frequency
  • Retention periods
  • Ransomware-resistant architecture
  • Recent restore tests with documentation

We deliver this through Keepit for Microsoft 365 and Datto SIRIS for servers and workstations.

8. Incident Response Plans Must Be Actionable

A plan sitting on a shelf doesn’t pass. Insurers evaluate whether your incident response plan will actually work during a crisis. 

Minimum requirements:

  • Clear roles and escalation paths that include timely insurer notification
  • Evidence of tabletop exercises or practice drills to prove the team can execute under pressure
  • Up-to-date contact lists for IT, legal and external incident response support

9. Regular Security Assessments Are Now Required

There’s no universal assessment mandate, but insurers expect ongoing proof of governance.

Carriers typically want:

  • Annual formal risk assessments
  • Annual policy reviews
  • Quarterly or semiannual validation of core controls
  • Additional validation after major changes

Once again, consistency and documentation win.

10. Industry-Specific Requirements

Insurers are increasingly tailoring requirements to specific sectors where claims are most frequent and expensive.

Insurers evaluate industries differently:

  • Healthcare & Finance: High bar for identity controls, monitoring and auditable governance
  • Manufacturing: Focus on operational uptime and securing remote access for industrial (OT) systems
  • Retail: Heavy emphasis on payment security and e-commerce exposure

Why SMBs Face More Scrutiny

Small and medium-sized businesses often face more hands-on scrutiny in 2026. Because SMBs are frequent targets for ransomware and business email compromise, insurers want granular proof—screenshots of MFA enforcement, endpoint coverage reports and specific backup schedules.

Get Coverage-Ready With a Proven Checklist

Meeting the requirements for Cybersecurity Insurance 2026 is about demonstrating a repeatable, documented program that reduces risk—and being able to prove it.

SystemsNet helps organizations meet these high standards with a security-first baseline, ongoing assessments and the detailed reporting insurers now demand.

Ready to streamline your next renewal? Contact SystemsNet today to strengthen your posture.