Dutch Security Meetup at Valid

On Tuesday, April 23, we hosted the Dutch Microsoft Security Meetup at Valid's Eindhoven office. The Dutch Security Meetup is a community of more than 1,700 Microsoft security specialists. At the monthly event, held at changing locations, security professionals from all over the country, and even Belgium, come together to share experience and knowledge about IT security technology from Microsoft. This was the first time the event took place in the south of the country, at Valid in Eindhoven! We look back with pleasure on a beautiful event, with a delicious communal dinner, interesting lectures and a nice closing drink with pub quiz.


Neal Bongers, from Tilburg University, gave a presentation on "15 security things that are free but almost nobody uses": You have MFA enabled, but how many employees have it set up? Have you adequately secured all domains in your Entra ID tenant? These and other pitfalls can be avoided before you get hacked. It was a lessons-learned session covering a broad spectrum of issues from security assessments conducted on Microsoft 365 and Entra ID. Neal showed practical examples and also indicated how you can check and adjust these settings yourself (source: Dutch Security Meetup).

Ruud Gijsbers Rademakers, of Avanade, gave a presentation on "The Landscape of RBAC Roles in Microsoft Intune": This session provided tools for mastering Intune's RBAC roles, which help you successfully navigate the complex terrain of RBAC and access. Ruud provided insight into the world of Microsoft Intune and shared his best practices with the audience (source: Dutch Security Meetup).

The most important and practical security tips

During the event, we asked the security experts in attendance for their most important or practical IT security tip. Below is an overview of the tips the experts wrote down. Important: we have provided a brief explanation for each tip, as this clarifies the context. However, this is an interpretation and addition from our side and not necessarily the opinion of the giver of the tip. Furthermore, the list is certainly not exhaustive; it is only an overview of the tips given:

  • 'Always use MFA (Multi Factor Authentication)': With MFA as a login method, a user must verify authenticity in more than one way. This could include a password combined with an authenticator app, physical key, biometrics or a verification code via text message or email.
  • 'Involve non-techies in security policies': Security policies are often drafted by techies, who know all about the subject matter. However, it can be valuable to involve the non-techies as well and make sure they understand the trade-offs, to ultimately ensure proper compliance with the policy.
  • 'Create awareness among colleagues through awareness programs and training': Following on from the previous tips, awareness is a very important factor in IT security. With a good awareness program, you create understanding and attentiveness among your colleagues.
  • 'Use a password manager, such as KeePass or Bitwarden': A password manager helps you securely store and centrally manage your login credentials and is an indispensable tool for anyone who wants to safely use a laptop, phone and other digital devices.
  • 'Find the balance between security and functionality': In finding the right balance, strive for the best mix of security and a policy that is feasible and workable in practice.
  • 'Handle the Zero Trust Principle': With Zero Trust, all IT users are considered untrustworthy at the beginning of every interaction. This means authenticity must be verified over and over again.
  • 'Use Microsoft 365 Defender': Microsoft 365 Defender is a bundled enterprise pre- and post-attack defense package that coordinates detection, prevention, investigation and response for endpoints, identities, email and applications to provide integrated protection against advanced attacks.
  • 'Not every employee needs to have public facing e-mail': Business e-mail addresses sometimes contain sensitive info related to work and/or the organization. Some e-mail addresses, such as info@voorbeeld.nl, are public facing or generally known. For security reasons, you don't want administrator e-mail addresses for certain applications or infrastructure to be public facing.
  • 'Listen to signals and feedback from "non-IT colleagues"': Also in line with the previously mentioned tips, it is important to listen to the feedback and signals from non-IT colleagues regarding the security policy, and actually take them into account.
  • 'Use MAST (Microsoft Attack Simulation & Training) for security awareness': MAST allows companies to simulate various attack techniques used by malicious actors, such as phishing, ransomware and advanced persistent threats (APTs). Through these simulations, organizations can take stock of their security levels and discover where there is room for improvement.
  • 'Switch to "password-less" working': When working without passwords, users log in via alternative methods, such as Face ID, fingerprint, (temporary) PINs and/or physical security keys.

As indicated, this is just an overview of some of the tips written down by security experts. It depends on the context which of the tips are most applicable and/or relevant to your organization. What is your most important security tip?


What are your organization's security challenges?

Security and compliance is a major challenge for almost every organization. It's a hot topic, and you know you probably need to address it, but where to start? What is relevant and what is not? What fits your organization, and how can you best deal with threats and risks? We understand that these are difficult questions. We are happy to meet with you to discuss your situation, wishes and needs to see how your organization can best deal with security.
