The Woodard Report

Cybersecurity: How Much Is Enough and What Do You Really Need?

Written by Dax Wiseman | Oct 2, 2025 12:49:01 PM

I was today years old when I learned what an FCEB is: it is a Federal Civilian Executive Branch agency (say that five times fast). It is any agency within the civilian (non-military) part of the U.S. federal government. These agencies range from social services and healthcare to regulatory oversight and federal administration. Their employees are federal government employees.

Why do I care? I was reading a scary little bedtime story called “CISA Shares Lessons Learned from an Incident Response Engagement,” released on September 23, 2025.

It appears CISA (the Cybersecurity & Infrastructure Security Agency) had to help an FCEB agency after the organization’s SOC identified potential malicious activity through security alerts generated by the agency’s endpoint detection and response (EDR) tool. (In SOC speak, that means you aren’t sleeping tonight.)

The cyber threat actors gained access to the agency’s network on July 11, 2024. On July 24th, they gained access to a second server and then moved laterally to compromise a SQL Server and Web Server before being discovered. “Between July 15th and 31st, 2024, the cyber threat actors conducted extensive network and vulnerability scanning…” the article reads.

Finally, on July 31, 2024, the organization’s SOC identified the compromise using their EDR tool. It flagged a 1.txt file uploaded to the SQL Server as suspected malware.

Three weeks later. This is a federal agency!

The article goes on to explain how the hackers did it and to identify mistakes made by the “large FCEB agency” to share lessons with us. If the United States Government can’t even do it, what chance do we have?

Top IT security measures for small CPA firms

This led me to ask Waldo, AKA my ChatGPT, for a list of the most recommended information technology security measures, ranked from most to least important. That question gave me a nice high-level answer with no budget or employee constraints.

So, I asked Waldo to apply that to a small CPA firm without its own IT or security staff. Waldo gave me this nice list that I exported into a PDF and then converted to a jpg. (I am not bragging about how amazing I am at using ChatGPT but rather giving an example for anyone still unsure on how it can save you time on simple tasks.)

Let’s dig into each of these quickly, and I have added some updated information. 

1. MFA – We all know about MFA, and hopefully all of you are using it. Microsoft O365 has made it mandatory, as have most SaaS providers. One thing I recently learned is that some authenticator apps, such as Google Authenticator and Microsoft Authenticator, do not support the more secure SHA-256 or SHA-512 algorithms. You can look at Aegis Authenticator for Android and 2FA Authenticator (2FAS) for iOS.

2. Secure backups – With the use of Google Workspace, Microsoft 365, and other SaaS applications, we assume this is not a concern. Let’s look into Microsoft 365, the 500 lb bully gorilla. The Microsoft Services Agreement specifically states: “Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve your content or data that you’ve stored. We recommend that you regularly backup your content and Data that you store on the Services or store using Third-Party Apps and Services” (Microsoft Services Agreement, Section 6b). There are many backup solutions for Google Workspace, Microsoft 365 and other SaaS vendors. Ask your IT provider who they recommend and why.

3. Patch management/automatic updates – Like MFA, this usually doesn’t require a cost. You just have to make sure you update. Don’t forget other devices like printers, copiers, and routers. Don’t forget that Microsoft Windows 10 is sunsetting on October 14, 2025. You will lose the ability to patch without paying extra, so you need to be upgraded to Windows 11. I feel they have the Windows 10 to Windows 11 update down pretty well. It takes a long time, but it has not been much of an issue for me, provided your hardware supports it.

4. DNS filtering and email security – I think it is funny that Waldo grouped these two totally different protections in the same spot, but don’t overlook DNS filtering! Many IT companies have a fear of filtering DNS, but it is a solid way to protect your users’ workstations inside and outside of the office. Once again, ask your IT provider, as there are plenty of options in this space.

5. Security awareness training – Your end users are your weakest link. There is a great article on cybersecurity awareness training here; this guy knows what he is talking about!

6. Endpoint protection – A little outdated here; you really need to be using managed endpoint detection and response. Managed EDR is where a provider is constantly watching alerts from your computers or SaaS logins, giving the ability for immediate response, account suspension/lockout, and host isolation to protect your entire network. It is a proactive, not reactive, service that can often stop an incident before it starts. If your IT provider is not using managed EDR, look at your contract for an expiration date.

7. Encryption of laptops and client data – Windows has BitLocker built into the OS. Make sure it is configured, that you know where your encryption key is, and that you have it. I have heard of too many people losing data because a computer failed for a reason other than the hard drive and the data could not be recovered. If you are unsure, here is a good way to find and document your key. Keep it in a secure location, and multiple locations are not a bad idea. I have it in my password manager and gun safe (Texan).

8. Password management – A password management tool will allow you to have separate, complex passwords for all systems. Look for options your team can use. It makes it easier to shut down an employee’s access at termination and to control access to assigned customer data.

9. Written information security plan (WISP) – You should all have one of these by now, unless you just checked the box. Make sure you are keeping it up to date. Have you added an AI section to your WISP this year?

10. Incident response and recovery plan – This is actually part of your WISP, but if you used a template, you should find your local IRS stakeholder liaison and add their contact information to the plan to save time. What if you can’t access the internet? Also list your local FBI office and local police, and file a report with the FTC if over 500 people have been affected.
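A worked example of the point in item 1: the hash algorithm is a parameter of the TOTP computation itself, so an authenticator app that only implements HMAC-SHA1 cannot produce valid codes for a service that enrolled you with SHA-256 or SHA-512. The PowerShell function below is an added example and is not code from the article or from any of the apps named in it. It implements TOTP as described in RFC 6238 with the algorithm as a parameter, and the three secrets it runs at the end are the reference secrets from that RFC's appendix (passed in as raw bytes; real apps decode the secret from the Base32 string in the enrollment QR code).

```powershell
# Added example: compute a TOTP code for a chosen HMAC algorithm (RFC 6238).
function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,   # raw shared secret bytes
        [Parameter(Mandatory)][long]$UnixTime,   # seconds since the Unix epoch
        [ValidateSet('SHA1', 'SHA256', 'SHA512')][string]$Algorithm = 'SHA1',
        [int]$Digits = 6,
        [int]$Step = 30                          # time step in seconds
    )

    # Time counter: whole time steps since the epoch, encoded as 8 big-endian bytes
    [long]$counter = [math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    # The algorithm name changes exactly one thing: which HMAC is used
    $hmac = switch ($Algorithm) {
        'SHA1'   { [System.Security.Cryptography.HMACSHA1]::new($Secret) }
        'SHA256' { [System.Security.Cryptography.HMACSHA256]::new($Secret) }
        'SHA512' { [System.Security.Cryptography.HMACSHA512]::new($Secret) }
    }
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()

    # Dynamic truncation (RFC 4226): take 4 bytes starting at the offset given by
    # the low nibble of the last hash byte, and clear the top bit
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              ($hash[$offset + 1] -shl 16) -bor
              ($hash[$offset + 2] -shl 8) -bor
              $hash[$offset + 3]

    $code = $binary % [int64][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# Reference secrets from RFC 6238 Appendix B (20, 32 and 64 ASCII bytes respectively)
$cases = @(
    @{ Algorithm = 'SHA1';   Secret = '12345678901234567890' }
    @{ Algorithm = 'SHA256'; Secret = '12345678901234567890123456789012' }
    @{ Algorithm = 'SHA512'; Secret = '1234567890123456789012345678901234567890123456789012345678901234' }
)

foreach ($c in $cases) {
    $bytes = [Text.Encoding]::ASCII.GetBytes($c.Secret)
    $code  = Get-TotpCode -Secret $bytes -UnixTime 59 -Algorithm $c.Algorithm -Digits 8
    '{0,-6} t=59 -> {1}' -f $c.Algorithm, $code
}
```

The three codes can be checked against the table in RFC 6238 Appendix B for t=59 and 8 digits. The practical takeaway is that an enrollment URI carrying algorithm=SHA256 will be silently wrong in an app that ignores that parameter and always hashes with SHA-1: every code it shows is rejected, and the user usually blames the clock.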
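For the "find and document your key" step in item 7, here is an added PowerShell example (mine, not the author's and not Microsoft's documentation). It uses the built-in Get-BitLockerVolume cmdlet to pull the 48-digit recovery password for every encrypted drive on the PC, and it warns when a drive is encrypted but has no recovery password protector at all, which is exactly the situation that turns a failed motherboard into unrecoverable client data.

```powershell
# Added example: collect BitLocker recovery passwords so they can be stored
# in the password manager. Run from an elevated PowerShell prompt on the laptop.
function Get-BitLockerRecoveryRecord {
    foreach ($vol in Get-BitLockerVolume) {
        # Drives BitLocker has never touched have nothing to record
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # Encrypted with only a TPM protector: a hardware failure means the data is gone
        if ($recovery.Count -eq 0) {
            Write-Warning "$($vol.MountPoint) is encrypted but has NO recovery password protector"
            continue
        }

        foreach ($kp in $recovery) {
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                Drive            = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyProtectorId   = $kp.KeyProtectorId   # shown on the recovery screen
                RecoveryPassword = $kp.RecoveryPassword # the 48-digit key itself
            }
        }
    }
}

# Display on screen and copy into the password manager; if you write it to a
# file, put that file somewhere that gets locked away, not on the same laptop.
Get-BitLockerRecoveryRecord | Format-List
```

The KeyProtectorId is worth recording alongside the password: the BitLocker recovery screen shows the first eight characters of it, so with several laptops in the firm you can tell which key you need without trying them all. If the function warns that a drive has no recovery password, Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector creates one; run the function again afterwards to record it.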

Takeaways 

The good news is that five of those do not cost money to implement. But if you are trying to determine what you can squeeze into your budget, this is the recommended order.

At the end of the day, you can only control what you can control. Find the best solution you can for your budget. Talk to your provider and tell them your budget. Don’t waste your time looking at a solution you cannot afford.

We are all in this together. If it hasn’t happened to you, enjoy being sympathetic. Empathy is much worse, but more people join that group every day. We must work together to have a chance. Good Luck!