B.J. says, what are y'all doing to prevent your organization from being compromised? Obviously, two-factor authentication, but anything else. Also, once you have been compromised, what are you doing to gain control outside of changing passwords?

Oh my goodness. It's a bigger question. This is a huge question. I suspect something has happened. It's really good. We'd love to hear more, too. Yeah. We'd love to hear more, but I suspect that maybe he or she has been tasked with, from someone up above, saying, well, what happens if this happens? What are we going to do? And they're like, oh, I don't know.

Can I share? Because having been through this, with my own demo tenant, I've got some guest users on there, a couple different accounts, logins for it. I had MFA on all of them, but one. And the reason it was turned off for one, and you probably, this scenario, you're familiar with this, because I was doing some other third-party site, and it was running into the MFA block, I turned it off to do that, forgot to turn it back on. Yeah. Yeah. So that happened, so it got hacked, it confirmed, they went in there with some data, and it's fine. I went in, and I turned on MFA. If there had been any business data within it, it's a demo tenant. So there's nothing in it. I'm lucky. I did a backup, cleaned up, was right back out there. It was an annoyance. But when that happened to me, I had two clients, both that got hacked and got ransomware. And so it was a major issue. One of them said, took the loss on the data, they lost about a week's worth of data. The other one, they were in the middle of restructuring a site and doing a bunch of other things. They paid a hefty fee to get it back and then locked it down after that. So yeah, worst-case scenario, they paid to get it back. They tried, and these are Microsoft people, like community people, MVPs at the organization, and they went through everything, racking their brain, or like, what can we do?
They caught them at the worst possible time while they were restructuring and getting ready to relaunch and their guard was down. So, look, it's a horrific scenario. I don't know how big the impact of this is, but that's where my first thing is, first go and stop the leaks, shut it down, MFA at all points there, but two, and go and look at what is the risk profile, what did you potentially lose there, what do they have access to, and so go and do an audit of that to see if anything has been misplaced. Of course, other things to go and do is scanning the system, looking for any malware, any other suspicious things that are on there. You're safe to go back prior to the hack and restore back to that data to wipe out any potentially malicious code or anything else that was placed back there, but, yeah, it's rough because it could be a lot of things that could happen.

Well, when you take a look at it, whether the question itself, it says, you know, what are you all doing to prevent organization from being compromised, compromise could mean a thousand different things, right? We're talking about a specific ransomware type of situation, but it could be a social attack, it could be, you know, a simple little phishing attack, it could be IP, you know, intellectual property, you know, stolen, things like that. So there's all kinds of different compromises. So we'd have to kind of, you know, and there are companies that I've worked with in the past that have these really comprehensive layouts for, you know, one kind of attack, this is the process, another kind of attack, this is the process, another kind of attack, this is the process. So they have it really established, but then again, there are companies who, you know, haven't invested in that, they don't know what to do. They just have one big game plan that if we're hacked, we're going to do this no matter what the compromise consists of.
But I think that when you talk about 2FA, you have to be really clear that there's weak 2FA and there's strong 2FA, all right? Using your phone as a 2FA for text messages or SMS, that's very weak, okay? It's very, it can be hacked. Man in the middle can pull that easily. And it's been proven. It's a terrible, terrible way to do your multi-factor. But when you get into the actual, like using apps, okay, for your MFA and getting verification codes and having backup codes, and even going so far as having physical keys, like YubiKeys, that is very strong MFA, okay? And you can't really hack that. You can't duplicate that, right? Like a hacker can't get in there. So if you were going to talk about 2FA or MFA, if you're going to talk about that, you have to talk about what degree that you're going to do it. Because if it's just simple text, which surprises me that like banks still do text messaging and email verification, I'm like, it's so easy for me to log into somebody else's email and get the verification code. I mean, hard, that'd be. But that's all they require. So it's very weak. And to me, you have to gauge that. You have to say, are we going to invest in something that's really secure? Will it make our users, some users just don't want to have to enter a password twice or use a physical key or do anything, they know, make it easier for them. And some verticals like healthcare and stuff, they just, it's like, if I got to do more than one thing to get into a terminal, it's a waste of my time, kind of a thing. But those are all things I think you have to think about.

I do want to express one thing, and I'll shut up after this. But not recently, like within the last two months, there was a company that got ransomware. And they got it actually from a phishing attack. So you know phishing, right? It comes through email. Now they have phishing. Yeah, yeah, they have the phishing with a B.
And that actually comes through on your SMS, on your text, and you click the link, and you do all that kind of stuff. Anyways, they got that from a person that was doing scheduling. So they would go in and they would schedule appointments for these medical people. And they actually got a text message, and they clicked on it. And when they clicked on it, it opened up a website on their phone. And then the website on their phone said, enter your email address. So they entered your email address, then they were able to actually get into using different social techniques to get in. Anyways, they got in, they locked the files. Okay. And as it turns out, they were like, well, we're not going to pay this. And in conversations with the security folks that were working with them, I'm like, did they really understand if you have to start over what the impact is? And again, I said, then think about the opposite side, because this happened at a major hospital here in the United States, is they paid the ransom, but they didn't unlock the files. And they paid the Bitcoin ransom, and the people disappeared, and their files are still locked. So that, yeah, there's always that possibility. Yeah.

I was just going to add that, one of the preventative things, and I wish more companies would do it. I mean, I do this with my family, with my kids, with my wife, is to make sure that my last company, they regularly tested sent out dummy emails, dummy phishing, dummy texts, things to test people. Then right away, you failed. Why did you click on this? And did you not see that it was, then, dummy, it was wrong. You could float over a link with your mouse on your PC. You can see, hey, that's actually going to johnsmith.com site, not to what, who they claim to be. And so now, of course, it's becoming so much more familiar, getting the text, the random texts, that you don't know who the person is. I never click on anything.
If I see, get an email, get a text for anything from a place claiming to be my bank, or my credit card, or whatever that is, I will use it as a prompt to go then, I'll go log in directly into the site, go log in, look at the system messages. I'll tell you about half the time I look and say, yeah, there is no system message. That was a fake message. So that's one way to get around that is, I use those as a prompt to go. And if you're not sure, go and do the native login to that site or to your company site to see if it was a legitimate request to do.

But yeah, I know B.J. is asking also outside of MFA, what else could he be implementing or thinking about? And credentials, honestly, they really are or at least identity is kind of the primary attack vector. And I think beyond MFA and using strong MFA, like Mike said, with an app, you've got to start looking at what's the future of the way that organizations are being attacked. And what have you implemented in a more modern way to combat that? I think of things immediately, like, are you going through passwordless authentication? That's the first step, right? Get rid of your passwords. Start looking at what are new ways, new technologies, Windows Hello, you start using your biometrics, using apps like the Authenticator app. So it's on your person, it's on your device that can be managed by your organization. Really secure that you can get access and open up that particular account. And then, of course, we still have the FIDO2 security keys. So there's a few ways you can start looking at other alternatives or additions. I'm sorry, I should always say additions to MFA. But there are more things that you can do.

I would definitely recommend, if you're really worried about access to your M365 environment, one of the strongest things to do is at least privilege admin access accounts. You should not have any standing admin accounts out there that have passwords assigned.
They should be inactive, or at least not have a password in them. Meaning that you have to use some sort of privileged identity management or access management process in order to utilize those admin accounts. So securing your admin accounts, extremely important. I think leveraging things like Secure Score. Go out, take a look at Microsoft Secure Score. That will give you an overview of your entire M365 tenant and the level of risk that you are allowing with the configurations that you've set in the services that you're running. And it will start to give you a glimpse into, oh my gosh, there is that one MFA account that we removed. We forgot to add back because we were doing some work. It was bothersome. Whatever the case, it will be identified and you can take action. To me, having a Secure Score review, at least weekly, to take a look at what's changed, what's been updated, and right size your risk. Work with your security team. Know what you are able to allow and what you're able to actually put a lot of coverage over. And then of course, always the audit log. You can get a lot of access to sign-in activity logs and Azure Active Directory to review. You can get alerts. You can set alerts when things are somebody who is located in the U.S. and they sign in from another country. Chances are they are probably not in two places at once. So set up your alerts. Make sure you're getting all the right people notified. When different strange things are occurring, so you can take immediate action. And I think some of those key things that I mentioned will help you go down that road, B.J., to get more control of what's happening and obviously to reduce the risk inside of your environment.

I would just add real quick, too. I know that this is kind of a Microsoft-centric type of cast, right? But there are tools that are outside of the Microsoft realm that cover more of a larger footprint than just M365. And I would recommend some of them like CrowdStrike.
CrowdStrike's like an incredible piece of software that gives you a lot of information. But just so you know, I mean if you're talking just beyond the Microsoft protection and Microsoft does expand into other areas outside of Microsoft as well, I mean they will take a look at your AWS footprint and all that other kind of stuff inside of security. But for overall reaching every, you know, all your endpoint points from your firewalls to your, you know, your ingress points and your egress points in and out of your company, you may want to look at something that's a little bit, like I said, covers a bigger footprint.