Imagis

Imagis Contact information, map and directions, contact form, opening hours, services, ratings, photos, videos and announcements from Imagis, Information Technology Company, New York, NY.

Guest accounts pile up fast—and they rarely leave on their own. Here’s a tight, practical baseline:Do this today- Discov...
11/21/2025

Guest accounts pile up fast—and they rarely leave on their own. Here’s a tight, practical baseline:

Do this today
- Discover: Export all guests + external shares (Entra/SharePoint/OneDrive, Google Drive/Groups).
- Expire & attest: Turn on guest expiration and quarterly access reviews (Entra ID Governance / Google reviews).
- Restrict sharing: Org-wide default to “Specific people” links; set domain allow/deny lists for external sharing.
- Limit capabilities:
M365: Conditional Access for guests (MFA, web-only, block download on unmanaged).
Google: Context-Aware Access (device/user/IP levels; view-only for unmanaged).
- Separate external from chat/collab sprawl: Tune Teams external/guest vs B2B Direct Connect; in Google, lock Drive/Chat external permissions by OU/group.
- Monitor: Alert on new guest invites, public links, and dormant guest sign-ins.

Small habit, big supply-chain risk reduction.
When did you last review who outside your org can still log in?

SOC 2 vs ISO 27001 — choose in 5 questions - Buyer: US enterprise/SaaS → SOC 2. Global/regulated/public → ISO 27001- Art...
11/20/2025

SOC 2 vs ISO 27001 — choose in 5 questions

- Buyer: US enterprise/SaaS → SOC 2. Global/regulated/public → ISO 27001
- Artifact: Type II report vs accredited certificate
- Scope: System/service (SOC 2) vs org-wide ISMS (ISO)
- Evidence cadence: 6–12 mo operating effectiveness vs ISMS + surveillance audits
- Timeline: Fast unblock (Type I ➜ II) vs global tenders (ISO)

Stop duplicating work—map controls once, reuse ~80% of evidence.

Read the quick decision playbook: https://imagisit.com/article/soc-2-vs-iso-27001-choose-in-5-questions/

Run this 60-minute sweep:Pull 3 sources:- IdP/SSO (apps, users)- MDM/EDR (devices)- Finance/procurement (POs, serials)Re...
11/19/2025

Run this 60-minute sweep:

Pull 3 sources:
- IdP/SSO (apps, users)
- MDM/EDR (devices)
- Finance/procurement (POs, serials)

Reconcile & hunt unknowns:
- Match by user, hostname, serial, last seen
- Scan DHCP/DNS/VPN/Wi-Fi for rogue devices
- Mine SSO/browser/expense data for shadow SaaS
- Flag orphaned cloud resources (unused VMs, public buckets)

Make one list that matters:
Owner • BU • data classification • criticality • lifecycle (active/loaner/lost/retired) • controls (EDR, MDM, disk encryption, patching) • last seen

Automate & review:
- Daily ingest + exceptions queue
- Weekly deltas, monthly true-up, quarterly spot-check

Track real KPIs:
- % devices in MDM/EDR
- % assets with assigned owner
- Unknown asset rate
- Median days since last seen

Small ritual, huge risk reduction.
What’s your unknown asset rate today?

Sweating laptops to year 5+ feels thrifty—until security slips. Short, predictable refresh cycles reduce risk:- Patch el...
11/14/2025

Sweating laptops to year 5+ feels thrifty—until security slips. Short, predictable refresh cycles reduce risk:
- Patch eligibility: Older hardware drops off OS/driver/firmware support (bye-bye critical fixes).
- Hardware security: TPM 2.0/Secure Boot/Pluton + modern BIOS protections aren’t guaranteed on legacy models.
- Agent performance: EDR, disk encryption, and DLP need headroom—older CPUs = gaps, timeouts, skipped scans.
- Faster IR: Standardized models image faster and swap quicker during incidents.
- Less “exception drift”: Fewer carve-outs in policies = stronger baseline.

Make it real (playbook):
- Standardize 2–3 models with 3-yr NBD warranty (+1 yr option).
- Refresh 25–35% annually (green ≤24m, yellow 25–48m, red >48m).
- Enforce MDM zero-touch, full-disk encryption, Secure Boot, BIOS/UEFI updates.
- Decommission securely: wipe, attest, and certify disposal.

Finance will like the predictability. Security will love the reduction in unknowns.

What’s your current refresh cadence—and how many “red” devices are still in service?

Stop overthinking level one. Start with three labels and ship:Labels (make “Internal” the default):- Public — safe for t...
11/13/2025

Stop overthinking level one. Start with three labels and ship:

Labels (make “Internal” the default):
- Public — safe for the internet; marketing, careers, press.
- Internal — everyday work; no external sharing by default.
- Restricted — customer data, finance, legal, PII; encrypt, watermark, limited access.

60-minute rollout
0–15 min: Define examples for each label (what’s in / out).
15–30 min: Flip sharing defaults: external = off unless Public; Restricted = invite-only.
30–45 min: Enforce in tools: M365 sensitivity labels / Google labels, basic DLP rules (block external on Restricted, warn on Internal).
45–60 min: Post a 1-pager for staff + add a banner: “Default label: Internal.” Schedule a 30-day review.

Measure next month: % files labeled, external shares blocked, Restricted violations prevented.

Simple beats perfect—get it live, then iterate.
How fast could your team get to v1?

Over time, vendors pile up: MSPs, SaaS providers, consultants, integrators. Many of them still have logins to your syste...
11/07/2025

Over time, vendors pile up: MSPs, SaaS providers, consultants, integrators. Many of them still have logins to your systems long after the project is over.

That’s quiet risk.

Here’s a simple third-party access review you can run this month:

1️⃣ List all external accounts
– Guest users in M365/Google
– Vendor/admin accounts in VPN, firewalls, ERP, CRM, ticketing, etc.

2️⃣ Ask 3 questions for each vendor:
– Do they still actively work with us?
– What systems and data can they see?
– Do they still need this level of access?

3️⃣ Act on the answers:
– Remove dormant accounts
– Downgrade over-privileged access
– Add MFA + logging to anything that stays

Then put it on a cadence: quarterly third-party access review—small habit, big reduction in supply chain risk.

When was the last time you checked which vendors can still log in?

If only 20–30% of your apps sit behind SSO, you don’t have an SSO strategy—you have SSO decoration.Your “SSO Adoption %”...
11/06/2025

If only 20–30% of your apps sit behind SSO, you don’t have an SSO strategy—you have SSO decoration.

Your “SSO Adoption %” is a real security KPI:
- 100% of critical apps behind SSO = fewer passwords to steal
- Central MFA + Conditional Access = consistent protection
- One offboarding action = access removed everywhere

Quick self-check
1️⃣ Export all apps your users log into (IdP, browser, expense data).
2️⃣ Mark which are behind SSO vs. direct login.
3️⃣ Calculate: apps behind SSO / total apps.
4️⃣ Set a goal: e.g. 80%+ in 6–12 months, 100% for critical apps.

Then start migrating: finance, HR, CRM, email, dev tools—anything with sensitive data or broad access.

What’s your SSO adoption % right now—and what’s your target by year-end?

Most teams discover backup gaps during an outage or ransomware incident—when it’s too late.In our latest article, we bre...
11/05/2025

Most teams discover backup gaps during an outage or ransomware incident—when it’s too late.

In our latest article, we break down:
- RPO & RTO in plain language
- The 3-2-1-1-0 backup rule for ransomware resilience
- How to run real restore tests (and prove it to auditors)

If your only evidence is “the job says Success,” this one’s for you.
Read the full guide: https://imagisit.com/uncategorized/backup-that-actually-restore/

Security-as-UX: Fewer prompts, stronger auth — why passkeys feel better 🔐✨Passwords create friction (and tickets). Passk...
10/30/2025

Security-as-UX: Fewer prompts, stronger auth — why passkeys feel better 🔐✨

Passwords create friction (and tickets). Passkeys flip the script:

- Phishing-resistant by design (no shared secret to steal)
- One-tap sign-in with Face/Touch ID = happier users
- Fewer resets & lockouts = lighter helpdesk
- Faster auth = better conversion for customer apps

How to roll out (fast):
- Enable passkeys in your IdP/SSO (Entra/Okta/Google).
- Start with admins & high-risk apps; keep 1–2 break-glass accounts.
- Offer device-bound + sync passkeys; define recovery & fallback.
- Ship a 60-sec how-to and update the helpdesk playbook.
- Track wins: reset tickets ↓, auth success ↑, time-to-auth ↓.

Security that feels invisible is security people actually use.

Access creep is inevitable—projects end, roles change, contractors linger. Fix it with a 30-minute review:Do this this w...
10/24/2025

Access creep is inevitable—projects end, roles change, contractors linger. Fix it with a 30-minute review:

Do this this week

1. Export users, roles & app groups from your IdP (Entra/Okta/Google).
2. Filter: inactive >60 days, ex-contractors, shared/service accounts, privileged roles.
3. Attest: send owners a one-click “keep/remove/downgrade” review (10-day expiry).
4. Revoke unapproved access, rotate tokens, close shared logins, archive stale groups.
5. Log every change (ticket + audit trail) and schedule the next review.

Measure: revocations per quarter, time-to-revoke, % users in least-privilege roles.

Small habit, big reduction in breach risk—and auditors love it.

Most breaches start in the browser. Tighten the blast radius by controlling extensions:Do this today- Default = Block, t...
10/22/2025

Most breaches start in the browser. Tighten the blast radius by controlling extensions:

Do this today

- Default = Block, then allowlist only approved extensions.
- Disable Developer Mode + external sources; no “load unpacked.”
- Review permissions (clipboard, file access, broad host *); auto-remove high-risk.
- Force-install security add-ons (password manager/EDR) and log everything.
- Add a request workflow so users can propose tools without Shadow IT.

Fast paths
Google Workspace: Admin Console → Devices → Chrome → Apps & extensions → Users & browsers → Block-all, then Allowlist; enable Extension reporting; disable Developer Mode.

Microsoft Edge (Intune): Endpoint Manager → Devices → Config Profiles → Microsoft Edge → set ExtensionInstallBlocklist/Allowlist; disable Developer Mode; enable SmartScreen & Enhanced Security.

Small control, big reduction in phishing, data exfil, and malware risk.
Want help with securing your browser? Follow the link: https://imagisit.com/services/managed-security-services/

1. Isolate, don’t power off. Pull network (Ethernet/Wi-Fi/VPN) on affected hosts or quarantine in EDR. Keep systems on t...
10/17/2025

1. Isolate, don’t power off. Pull network (Ethernet/Wi-Fi/VPN) on affected hosts or quarantine in EDR. Keep systems on to preserve evidence.
2. Preserve evidence immediately. Screenshot ransom notes, record filenames/timestamps, collect logs/EDR alerts, and start a simple chain-of-custody.
3. Activate your IR plan. Notify IR lead, legal/comms, and (if applicable) cyber-insurance. Assign a single incident commander and open a ticket/war-room.
4. Stop lateral movement. Enforce MFA, disable suspicious accounts, reset privileged creds, revoke OAuth/API tokens, and block legacy protocols where possible.
5. Protect clean backups. Lock backup consoles, verify last known-good restore point, enable immutability/offline copies, and halt any automated deletions.

Do not: wipe systems, “test” restores into the infected network, or engage the attacker directly.

Want a one-page runbook you can print for your team? Comment “RUNBOOK” and I’ll share it.

Address

New York, NY

Telephone

(866) 462-4474

Website

Alerts

Be the first to know and let us send you an email when Imagis posts news and promotions. Your email address will not be used for any other purpose, and you can unsubscribe at any time.

Contact The Business

Send a message to Imagis:

Shortcuts

Share

Category