OUR OWN HARDENING · UPDATED QUARTERLY
We secure our own house first.
An MSP that can't defend itself has no business defending you. Here's the actual list of practices we run on
brooklynsupport.com,
our internal systems, and our laptops. We update this page quarterly and welcome scrutiny.
// IDENTITY
// 01
MFA enforced on every internal account
No exceptions, no admin bypass. Hardware keys (YubiKey) for tier-1 admin operations.
// 02
Conditional access policies
Geo-fenced to US. Block legacy auth protocols. Force compliant device for admin actions.
// ENDPOINTS
// 03
Managed EDR on every workstation
Same SentinelOne / Bitdefender we deploy at clients. 24/7 alerting to a real human pager.
// 04
Full-disk encryption
BitLocker / FileVault on every device that touches client data. Recovery keys escrowed in our PAM.
// NETWORK
// 05
Network segmentation
Production, dev, guest, IoT each on their own VLAN. East-west traffic restricted by firewall rules.
// 06
Zero standing remote access
No "open VPN to office." Just-in-time access with MFA + audit trail. Sessions expire automatically.
// EMAIL
// 07
DMARC enforced (p=reject)
No spoofing of brooklynsupport.com — full SPF, DKIM, DMARC alignment. We eat our own cooking.
// 08
Anti-phishing + impersonation defense
Microsoft Defender for Office 365 with safe-links and safe-attachments. Quarterly internal phishing simulation.
// BACKUP
// 09
3-2-1 backup with monthly restore tests
Local NAS + encrypted offsite + immutable snapshots. We restore-test on the first Monday of every month.
// 10
Ransomware-resistant immutable storage
Backups in object lock — even a compromised admin can't delete them within retention window.
// OPERATIONS
// 11
Audit log retained 12 months
Every admin action logged, retained, queryable. We can produce evidence for any client incident.
// 12
Annual penetration test
Third-party (not us!) tests our systems annually. Findings tracked in public-to-clients summary.
// PEOPLE
// 13
Background-checked technicians
Every Brooklyn technician passes background check before touching client systems.
// 14
Quarterly security training
Phishing simulation, password hygiene, latest threat trends. Documented completion.
// INCIDENT
// 15
Documented incident response runbook
If we get hit, we have a plan: contain, preserve, notify, recover. Practiced annually.
// 16
Cyber insurance + breach counsel on retainer
Because if it happens, our clients shouldn't have to worry that we can't handle our own response.
Responsible disclosure
Found a vulnerability? Tell us first.
We run a responsible disclosure program. Email [email protected] with details. We respond within 24 hours, fix critical issues within 7 days, and credit researchers in our quarterly update.
PGP fingerprint available on request.
Want this rigor at your business?
Schedule a free 30-minute walk-through. We'll tell you what's exposed, what's overpriced, and what to fix this quarter.
(718) 539-8858