Q&A
Sealing Your Enterprises' Security Gaps
Security guru Mikael Nystrom shares his insight on the biggest problems IT faces when hardening its environment.
Ransomware attacks continue to be one of the most pressing cybersecurity threats, with IT budgets rising to invest in tools and defenses. Yet enterprises still fall victim to attack. The key to effective prevention isn't just about technology but also about security strategies, administrative practices and IT's ability to detect and respond.
Security expert Mikael Nystrom brings his expertise as TruSec's principal technical architect to share insight with Redmondmag on some of the most common security gaps, evolving ransomware tactics and how organizations should rethink their approach to cybersecurity.
Nystrom will also be bringing more than 33,000 hours of incident response work knowledge to his upcoming Cybersecurity & Ransomware Live! virtual session, "The 5 Key Issues Uncovered During Incident Response That Would Have Prevented Ransomware," in May.
Make your plans today to join us for Cybersecurity & Ransomware Live! May 13-15. Register by our Super Early Bird deadline of March 28 to save $300!
Redmondmag: Based on your thousands of hours in incident response work, what are some of the most common security gaps that repeatedly lead to ransomware infections?
Nystrom: There are quite a few, so let's divide the answer into two parts. First, the entry point. The entry point, in many cases, is something unpatched, like the VPN solution, firewall, remote access gateways, etc. They are either unpatched, misconfigured or unsupported, or they lack monitoring. Things like MFA are almost never in place and, if they are, they can be bypassed. The second answer is that there are no internal barriers. Once the threat actor is inside, they can often be Domain Admin or Global Admin in a few minutes due to misconfigured administration and the fact that folks just don't know how SSO works.
Many organizations invest heavily in security tools but still fall victim to ransomware. What are some misconceptions about ransomware prevention that you frequently encounter?
The big one is that throwing money at the situation solves the problem. This is simply not true. It is the change in administrative behavior and the ability to detect that matters. I think I have pictures of every known antivirus/antimalware application that says OK, with the ransomware note behind it.
Your session focuses on five key issues that could have prevented ransomware attacks. Can you share one of these key issues as a preview?
One of them is very simple. By implementing administrative tiering and using privileged admin workstations, it will be almost impossible for a threat actor to steal your admin credentials. And if they can't do that, they usually just walk away since they can't go for the big "kill." Another would be to isolate your hypervisors -- there should be absolutely no way to access the virtualization platform from the normal network, and there is also no need for that.
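The tiering model Nystrom describes, as an added example that is not part of the interview and not TruSec's own tooling: a small Python audit that replays Windows Security logon records (event 4624) against a tier map and flags every logon that would leave a higher-tier credential on a lower-tier host, plus any account or host that has no tier assignment at all. The hypervisor management host is placed in Tier 0 to reflect the isolation point made above. The tier assignments, account and host names, and the log lines are all constructed for illustration; the logon-type numbers are the standard 4624 values.

```python
"""
Tiering audit over Windows Security 4624 logon records (added example).
Everything below (tier map, hosts, accounts, sample log) is constructed
for illustration and is not taken from the interview.
"""
import re
from dataclasses import dataclass
from typing import Optional

# 4624 logon types that leave reusable secrets (cached verifier, tokens,
# Kerberos tickets) on the host: Interactive(2), Batch(4), Service(5),
# Unlock(7), RemoteInteractive/RDP(10), CachedInteractive(11).
# A Network logon (3) does not, so it is not a tiering violation here.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}

# Hypothetical tier assignments. In a real deployment these come from AD
# OU placement or group membership, not a hard-coded dict.
ACCOUNT_TIER = {
    "CORP\\da-alice": 0,     # Domain Admin account, Tier 0 only
    "CORP\\srvadm-bob": 1,   # server admin, Tier 1 only
    "CORP\\bob": 2,          # ordinary user, Tier 2 only
}
HOST_TIER = {
    "PAW01": 0,         # privileged access workstation
    "DC01": 0,          # domain controller
    "ESXI-MGMT01": 0,   # hypervisor management interface, treated as Tier 0
    "FILE01": 1,
    "WS-BOB": 2,
}

# Constructed sample export: one 4624/4634 record per line, key=value fields.
# "Computer" is the host that recorded the logon (the host the secret lands on).
SAMPLE_LOG = """\
EventID=4624 LogonType=10 TargetUserName=da-alice TargetDomainName=CORP Computer=WS-BOB
EventID=4624 LogonType=3 TargetUserName=da-alice TargetDomainName=CORP Computer=FILE01
EventID=4624 LogonType=2 TargetUserName=da-alice TargetDomainName=CORP Computer=PAW01
EventID=4624 LogonType=2 TargetUserName=bob TargetDomainName=CORP Computer=WS-BOB
EventID=4624 LogonType=10 TargetUserName=srvadm-bob TargetDomainName=CORP Computer=ESXI-MGMT01
EventID=4624 LogonType=2 TargetUserName=svc-backup TargetDomainName=CORP Computer=DC01
EventID=4634 LogonType=2 TargetUserName=bob TargetDomainName=CORP Computer=WS-BOB
"""


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    account: str   # DOMAIN\user
    host: str      # machine that recorded the event


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> LogonEvent:
    """Parse one key=value record into a LogonEvent."""
    f = dict(_KV.findall(line))
    return LogonEvent(
        event_id=int(f["EventID"]),
        logon_type=int(f["LogonType"]),
        account=f"{f['TargetDomainName']}\\{f['TargetUserName']}",
        host=f["Computer"],
    )


def tier_violation(ev: LogonEvent) -> Optional[str]:
    """Return a finding string if the logon breaks tiering, else None."""
    if ev.event_id != 4624 or ev.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None
    acct_tier = ACCOUNT_TIER.get(ev.account)
    host_tier = HOST_TIER.get(ev.host)
    if acct_tier is None or host_tier is None:
        return f"{ev.account} on {ev.host}: account or host has no tier assignment"
    if acct_tier < host_tier:
        # The ransomware path: a Tier 0/1 secret now sits on a reachable lower-tier box.
        return (f"{ev.account} on {ev.host}: Tier {acct_tier} credential exposed on a "
                f"Tier {host_tier} host (logon type {ev.logon_type})")
    if acct_tier > host_tier:
        return (f"{ev.account} on {ev.host}: Tier {acct_tier} account administering a "
                f"Tier {host_tier} host")
    return None


def audit(log_text: str) -> list[tuple[LogonEvent, str]]:
    """Run every record through tier_violation and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = tier_violation(ev)
        if reason:
            findings.append((ev, reason))
    return findings


if __name__ == "__main__":
    for _, reason in audit(SAMPLE_LOG):
        print(reason)
```

Three of the constructed records are flagged: the Domain Admin RDP session on the Tier 2 workstation (the credential-theft path), the Tier 1 account on the hypervisor management host, and the untiered service account on a domain controller. The Domain Admin network logon to the file server is not flagged, because a type 3 logon leaves nothing reusable on the target; the same account logging on interactively to its PAW is correct by design. In production the enforcement half of this lives in Group Policy ("Deny log on locally" / "Deny log on through Remote Desktop Services" for Tier 0 groups on every non-Tier 0 host) and the audit half runs continuously in the SIEM.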
Ransomware gangs are evolving rapidly. How have their tactics changed in the last few years, and what should organizations be most concerned about today?
This is increasingly true. They are faster now. They have also learned that just stealing the data and threatening to expose it is faster and easier.
With AI-driven threats and deepfake phishing attacks on the rise, how do you see ransomware evolving in the next five years, and how should companies prepare?
They have been relying more on AI to deploy phishing attacks with the goal of gaining initial access. In reality, organizations need to switch into "assume breached" mode -- in other words, there is not going to be a safe place anywhere, there is no "inside and outside," the business needs to operate in a hostile environment all the time. Therefore things like EDR and a 24/7 SOC become crucial to operate any business.
Many security teams struggle with balancing usability and security. What's your advice for implementing strong ransomware defenses without disrupting business operations?
Security that is correctly implemented does not hinder any normal worker, but it does require IT administrators to work differently. The endpoint and the worker are never the targets. It is the backup, the data, the servers and the hypervisors. And the only way to get in there is going to be through the administrator, the actual target. Administrators need to be more alert.
Join Mikael Nystrom for More IT Security Tips
Mikael Nystrom will take a deep dive into the five critical issues that could have prevented real-world ransomware attacks on May 15. Attendees will gain practical insights into minimizing impact, preventing breaches and learning from past mistakes.
With ransomware tactics evolving rapidly, this session is essential for security professionals looking to stay ahead of emerging threats. Register now to take advantage of the $300 Super Early Bird savings!