Technical Guidance Memos

Compares issuing endpoint-protected laptops versus hosted remote desktops (VDI/DaaS) for offshore contractors handling PII and PI. Concludes that virtual desktops provide a materially stronger security and compliance posture in most scenarios because data never leaves the datacenter, while acknowledging operational trade-offs around latency, internet reliability, and provider dependency.

Explains why Microsoft Defender is now sufficient for most small businesses, why stacking third-party antivirus products often backfires, and how antivirus fits into a broader defense-in-depth strategy that includes patching, least privilege, MFA, and backups.

Explains the utility and limitations of VPNs, and recommends the usage of a major provider (e.g. Mullvad) when necessary.

Explains the three authentication factors, compares 2FA methods from SMS to hardware keys, and advocates for passkeys as the modern replacement for passwords.

A foundational overview of safe internet browsing practices for non-technical small business owners. Covers HTTPS and the meaning of the padlock icon, phishing recognition in the age of AI-generated lures, modern password and MFA guidance (including passkeys), browser and extension hygiene, software updates, tracking and fingerprinting, malvertising, typosquatted domains, public Wi-Fi and VPNs, secure DNS, privacy-respecting search, the 3-2-1 backup rule, and threats specifically targeting small businesses such as business email compromise. Synthesizes guidance from CISA, NCSC, NIST, EFF, and the 2025 Verizon DBIR into actionable habits requiring no technical expertise.