Hi-Tex Solutions

05/15/2026

Browser add-ons have a funny reputation. They feel “small”. A quick install. A tiny productivity boost. A harmless little helper that lives in your toolbar.

But in practice, a browser extension is more like a micro-SaaS vendor sitting inside your browser session. It can see what you see, interact with the pages you open, and sometimes access the same cloud apps your business runs on all day.

That’s why a browser extension security check matters.

Not because every extension is bad, but because it only takes one over-permissioned add-on or one bad update to turn “helpful” into exposure.

The good news is you don’t need a 40-page policy to reduce the risk. A simple five-minute check can prevent most extension problems before they start.

Oh no! Something has gone wrong. The page you are looking for has been moved or no longer exists.Take a moment to search what you are looking for.

05/10/2026

A fake recruiter message is one of the cleanest social engineering tricks around because it doesn’t look like a trick.That’s why LinkedIn recruitment scams work so well inside real businesses. They don’t arrive as malware.

Oh no! Something has gone wrong. The page you are looking for has been moved or no longer exists.Take a moment to search what you are looking for.

05/08/2026

The Worst Time To Build An Incident Response Plan Is During An Incident

We caught a coordinated attack in a client environment recently. Targeted phishing hitting the same users repeatedly while antivirus was quietly disabled on several machines at the same time.

The tooling worked. We were watching.

But I kept thinking about what happens when nobody is.

The first call would be: "Something's wrong. I can't open my files."

Then what?

Who decides whether to isolate systems? Who calls the insurance carrier? Who notifies customers? Who is not allowed to touch anything until forensics clears it?

In most organizations nobody knows. And in that vacuum you get five people making five different decisions, some of them making things worse.

The technology failing is rarely the first failure in an incident.

The coordination failing is.

If you don't have a written plan with names, phone numbers, and decision trees, you don't have a plan.

You have hope.

Hope is not a strategy.

05/08/2026

The Worst Time To Build An Incident Response Plan Is During An Incident
A few months ago we started seeing something in one of our client environments that made our team stop cold.
Barracuda was catching phishing attempts targeting the same users over and over, multiple times a day. Not random. Targeted. At the same time, antivirus had been silently disabled on a handful of machines.
Two separate alerts. Two separate automated tickets. Neither connected in the system.
We caught it. We were watching. The tooling worked.
But here's what I kept thinking about.
What if we hadn't been monitoring? What if this was an organization that didn't have us?
The first call would have been: "Something's wrong. I can't open my files."
Then what?
Who owns the decision to isolate systems? Who calls the cyber insurance carrier? Who notifies customers if their data is affected? Who handles the press inquiry if it leaks? Who is NOT allowed to touch anything until forensics clears it?
In most organizations the honest answer is nobody knows.
And in that vacuum you get five people making five different decisions. Some helpful. Some actively making things worse.
The technology failing isn't the first failure in most incidents.
The coordination failing is.
If your organization doesn't have a written incident response plan with names, phone numbers, and decision trees, you don't have a plan.
You have hope.
Hope is not a strategy.

05/07/2026

What SOC 2 Maturity Actually Means in the Real World
When the CEO of a professional services firm reached out to us, she wasn’t looking for a new IT provider. She was in crisis. Her Microsoft 365 account had been compromised. Attackers were logging in from multiple states. Trusted contacts were sending malicious emails. Her primary device hadn’t reported into security tools in weeks. And the most concerning part? None of it was a surprise.

What We Walked Into
At a glance, the environment looked managed. Security tools were in place. Alerts were firing. Systems were technically being monitored. But when we dug in, the reality was very different. The CEO’s daily email account was also a Global Administrator. The same account used for everyday communication had full control over the entire Microsoft 365 environment. multi-factor authentication had been configured, but not enforced. Alerts warning about it had been generated daily for over a month.

aSee how one misconfigured Microsoft 365 account exposed an entire business - and what SOC 2 maturity actually looks like when enforced in practice.

05/07/2026

What SOC 2 Maturity Actually Means in the Real World
When the CEO of a professional services firm reached out to us, she wasn’t looking for a new IT provider. She was in crisis. Her Microsoft 365 account had been compromised. Attackers were logging in from multiple states. Trusted contacts were sending malicious emails. Her primary device hadn’t reported into security tools in weeks. And the most concerning part? None of it was a surprise.

What We Walked Into
At a glance, the environment looked managed. Security tools were in place. Alerts were firing. Systems were technically being monitored. But when we dug in, the reality was very different. The CEO’s daily email account was also a Global Administrator. The same account used for everyday communication had full control over the entire Microsoft 365 environment. multi-factor authentication had been configured, but not enforced. Alerts warning about it had been generated daily for over a month.

05/06/2026

SOC 2 Isn’t Something You Get. It’s Something You Maintain.

Over the past couple posts, I’ve shared what SOC 2 actually looks like in the real world. Not the checklist. Not the audit.

What happens when controls aren’t enforced. What breaks when ownership isn’t clear. What risk actually looks like when it shows up.

This is the part most organizations don’t see coming.

Getting through SOC 2 is one thing. Operating in a way that passes it year over year is something completely different.

We recently worked with another organization that came to us after failing their first attempt.

They had the tools. They had policies. They had documentation.

What they didn’t have was consistency.

Access reviews were done once, then forgotten. Changes were tracked sometimes, depending on the team. Evidence was pulled together right before the audit.

They didn’t fail because they didn’t care. They failed because nothing in their environment was built to sustain the standard.

That’s where the approach changes.

SOC 2 isn’t a project. It’s an operating model.

Once we stepped in, the focus shifted from “getting through the audit” to “building something that holds up over time.”

Clear ownership across systems and controls. Defined processes that don’t rely on memory. Ongoing monitoring instead of point-in-time checks. Accountability that doesn’t disappear after certification.

And just as important, we stayed involved.

Not just during the audit, but before it, after it, and every month in between.

Because the real risk isn’t failing SOC 2 the first time.

It’s passing it once and drifting back into the same gaps that caused problems in the first place.

From our side, this is where the difference between a vendor and a partner shows up again.

A vendor helps you get certified. A partner helps you build something that keeps you there.

If you’re working through SOC 2 and need guidance, or the right team to carry the load and get it done right, reach out and let’s talk:

https://hi-texsolutions.com/soc-1-soc-2-compliance/

Keep Data Secure, Clients Confident, and Risk Low Because Trust Without Proof Isn’t Enough When clients trust you with their data, proving SOC 1 & SOC 2 controls is essential to prevent breaches, lost clients, and reputational risk. SOC Compliance That Protects What Matters Most SOC 1 and SOC 2…

05/06/2026

What SOC 2 Maturity Actually Means in the Real World
When the CEO of a professional services firm reached out to us, she wasn’t looking for a new IT provider. She was in crisis. Her Microsoft 365 account had been compromised. Attackers were logging in from multiple states. Trusted contacts were sending malicious emails. Her primary device hadn’t reported into security tools in weeks. And the most concerning part? None of it was a surprise.

What We Walked Into
At a glance, the environment looked managed. Security tools were in place. Alerts were firing. Systems were technically being monitored. But when we dug in, the reality was very different. The CEO’s daily email account was also a Global Administrator. The same account used for everyday communication had full control over the entire Microsoft 365 environment. multi-factor authentication had been configured, but not enforced. Alerts warning about it had been generated daily for over a month.

Oh no! Something has gone wrong. The page you are looking for has been moved or no longer exists.Take a moment to search what you are looking for.

05/05/2026

When the CEO’s Email Was Also the Keys to the Kingdom

We were brought into an environment where the CEO’s Microsoft 365 account was already compromised. Active access, not an attempt.

Logins from multiple states
No MFA enforcement
Endpoint security offline for weeks
Admin access tied to a daily email account

On paper, it looked managed. In reality, it was wide open.

What stood out wasn’t the attacker. It was how predictable it was.

The alerts were there
The risks were known
Nothing was enforced

Thirty plus alerts flagged missing MFA on the most powerful account. Logged daily. Ignored.

A daily device hadn’t checked in for weeks. No follow up.

Successful logins from across the country. No response.

Everything required to stop this existed. No one made it non negotiable.

This is where SOC 2 gets misunderstood.

It’s treated as compliance. In reality, it reflects how your business operates under pressure.

When you map incidents back to controls, the gaps are obvious:

The CEO’s account had full admin rights
MFA was optional
No detection or response, only logs

Then came the conversation.

We outlined what happened, why it happened, and what would change:

No admin access on daily accounts
MFA enforced for everyone
Continuous monitoring
Automatic blocking of anomalous logins

She pushed back. Wanted to keep access. Didn’t want friction.

We held the line.

You cannot secure an environment while allowing the same decisions that caused the breach.

No exceptions. Not for executives. Not for anyone.

That’s the difference.

Most environments don’t fail from lack of tools. They fail because controls are optional.

SOC 2 maturity isn’t a report. It’s enforcement.

Controls applied consistently
Alerts that trigger action
No negotiation around risk

From a business standpoint, that changes everything:

One account no longer exposes the company
Threats are stopped automatically
Security isn’t dependent on luck

If someone had valid access to your systems right now, what could they actually do

And would anything stop them

05/05/2026

In the traditional office, a “Clean Desk” policy was a simple habit: shred the sensitive stuff, lock it away, and don’t leave passwords where someone can see them.

In 2026, the same idea still matters but the “desk” has changed.

For many teams, the home office is now the default workspace, and that means physical access can quickly become digital access. An unlocked screen, a shared device, or a laptop left in the wrong place can expose the same systems your business runs on every day.

Clean Desk 2.0 isn’t about aesthetics. It’s about securing the physical-to-digital bridge.

If a houseguest, a delivery person, or a thief can sit down at your workstation, they don’t need to be a master hacker to cause real damage. They just need a few unattended minutes and an open session.



Why an Unlocked Screen is a Data Breach

Most small business owners treat multi-factor authentication (MFA) as the ultimate front-door lock. And it’s a great lock.