Milwaukee Cyber Lessons: Different Breaches, Same Five Doors (and How to Close Them)

Milwaukee SMB cyber lessons: the same five doors attackers use and the boring, reliable controls (DMARC, passkeys, SSO, immutable backups) that close them fast.

 

When you read Milwaukee breach headlines, the stories look different, but the entry points are familiar. Week after week, we see the same five “doors” getting abused in SMB environments:

 

  1. Spoofed invoices
  2. Stale MFA / legacy protocols
  3. Exposed admin panels / public logins
  4. Flat backups (no immutability/offsite)
  5. “Just this once” exceptions that never get rolled back

 

Good news: this isn’t about buying a dozen new tools. It’s about applying a handful of boring, high-impact controls consistently. Below is our 5×5 SMB Risk Matrix (Milwaukee Edition), a one-page way to map quick wins by impact and effort with your team in ~10 minutes.

Download: 5×5 SMB Risk Matrix — Milwaukee Edition (Excel) - https://www.dropbox.com/scl/fi/qzrdlxzemz1bf0z79e3oo/5x5_SMB_Risk_Matrix_MKE.xlsx?rlkey=wioyoqpcotfml26oufmekw7vx&st=u760zfvd&dl=0

 


The Five Doors (what we keep seeing)

 

1) Spoofed invoices (BEC/AP fraud) - Look-alike domains and impersonation tactics trick Accounts Payable into wiring funds or changing bank info. The tech looks like email, but the real fix is process.

2) Stale MFA / legacy protocols - SMS codes and legacy IMAP/POP/basic auth make it easier for attackers to bypass or sidestep MFA. Fatigue prompts (“approve?” x10) don’t help.

3) Exposed admin panels / public logins - Cloud admin portals and device consoles left open to the internet become easy targets for credential stuffing and brute force.

4) Flat backups (no immutability/offsite) - Backups exist, but they’re on the same network, writable, or never tested. That’s not recoverability. That’s a false sense of security.

5) “Just this once” exceptions (policy drift) - Temporary access, shared accounts, or bypassed approvals that never get cleaned up. That’s risk that grows quietly over time.

 


Five Controls That Consistently Work

 

A) DMARC + AP call-back SOP - DMARC reduces the amount of spoofed mail that reaches humans at all. Your AP “call-back” rule (to a known number on file) stops fake vendor changes.

B) Passkeys & number-match MFA; disable IMAP/POP - Phishing-resistant sign-ins for admins and execs first; number-match MFA everywhere else. Turn off legacy protocols that bypass modern auth.

C) SSO & Conditional Access; no public admin - Single sign-on centralizes control. Conditional Access enforces device health, geography, and risk. Admin panels shouldn’t be on the open internet.

D) 3-2-1 backups, immutability, and monthly restore drills - Three copies, two media types, one offsite, plus an immutable layer. Prove it works with a timed restore drill.

E) Just-in-time admin; quarterly access & exception reviews - Temporary elevation with timeouts, not standing admin rights. Track exceptions with an expiry date and an owner.

 


How to Run the 10-Minute Huddle (use the 5×5)

 

  1. Pick the five risks (we prefilled them in the download).
  2. Review the five controls (also prefilled).
  3. For your org, rate each risk’s Impact (1–5) and Effort (1–5) to address.
  4. The sheet calculates a Priority Score and flags Quick Wins (high impact, low/med effort).
  5. Pick 1–2 Quick Wins to execute this month. Assign an owner and a due date in your PM tool.

 

Download: 5×5 SMB Risk Matrix — Milwaukee Edition (Excel) https://www.dropbox.com/scl/fi/qzrdlxzemz1bf0z79e3oo/5x5_SMB_Risk_Matrix_MKE.xlsx?rlkey=wioyoqpcotfml26oufmekw7vx&st=u760zfvd&dl=0

 


What “Closing the Five Doors” Looks Like in Practice

 

  • Spoofed invoices - DMARC & AP SOP - Outcome: Fewer fake emails hit inboxes; process catches the rest before funds move.
  • Stale MFA / legacy protocols - Passkeys & disable legacy - Outcome: Phishing attempts fall flat; fewer MFA fatigue approvals; audit logs improve.
  • Exposed admin panels - SSO & Conditional Access - Outcome: No public login targets; access requires healthy devices; risky sign-ins blocked.
  • Flat backups - 3-2-1, immutability, and drills - Outcome: Ransomware blast radius drops; restores are timed and documented; confidence rises.
  • Exceptions - JIT admin & quarterly reviews - Outcome: Temporary access expires automatically; risk doesn’t accumulate silently.
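Control E asks that every exception carry an owner and an expiry date. The following is an added example (not part of the original article) of a review script that flags register entries breaking that rule; the CSV column names, the sample rows and the 14-day warning window are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed register; the column names are assumptions for this example.
REGISTER = """id,description,owner,expires
EX-1,Vendor VPN account for migration,j.smith,2025-01-31
EX-2,Shared mailbox login for front desk,,2025-06-30
EX-3,Firewall rule bypass for scanner,ops-lead,
EX-4,Temporary global admin for audit,it-manager,2025-03-10
EX-5,Legacy IMAP for copier scan-to-email,office-mgr,2025-09-01
"""

def review_exceptions(csv_text, today, warn_days=14):
    """Map each exception id to a list of problems (empty list = in order)."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = []
        if not (row["owner"] or "").strip():
            problems.append("no owner")
        raw = (row["expires"] or "").strip()
        try:
            expires = date.fromisoformat(raw)
        except ValueError:
            # Blank or malformed date: the exception can never time out.
            problems.append("no valid expiry date")
        else:
            if expires < today:
                problems.append(f"expired {(today - expires).days} days ago")
            elif expires - today <= timedelta(days=warn_days):
                problems.append(f"expires in {(expires - today).days} days")
        results[row["id"]] = problems
    return results

if __name__ == "__main__":
    # Fixed review date so the constructed sample gives a stable report.
    for exc_id, problems in review_exceptions(REGISTER, date(2025, 3, 1)).items():
        print(exc_id, "; ".join(problems) or "OK")
```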

 


Bonus: Prove You Can Restore (30-Minute Micro-Drill)

 

Backups don’t matter; restores do. Once a month, pick one system and run this:

  1. Restore a single file and one folder; time both.
  2. Record who requested/approved/executed/verified.
  3. Note gaps (missing permissions, slow steps, unclear runbooks).
  4. Compare to your targets: RTO (how fast you must restore) and RPO (how much data you can lose).

 

Grab our ready-to-use Restore Readiness Scorecard to auto-score A/B/C/D and assign next actions.

Download: Restore Readiness Scorecard (Excel) https://www.dropbox.com/scl/fi/ka7l259crx5mjz8zrjbqm/Restore_Readiness_Scorecard__Preview_.csv?rlkey=cljnwse6xce34n7adx2uzedn4&st=731xhtov&dl=0

 

Plain-English refresher:

  • RTO = “We can be back in X minutes/hours.”
  • RPO = “We can afford to lose up to X hours of data.”

 


What You’ll Feel in the First 30 Days

  • Fewer sketchy invoices land (and the ones that do get caught by process).
  • Cleaner sign-ins (less MFA fatigue; fewer weird prompts after disabling legacy auth).
  • Admin access gets quieter (no more standing global admin; approvals have receipts).
  • Restore confidence climbs (you’ve timed it; you know who does what).
  • Exceptions stop lingering (everything temporary has an owner and an expiry).

 


Ready to run this with your team?

  • Start with the 5×5 matrix during a Monday stand-up. Pick two Quick Wins.
  • Schedule a 30-minute restore drill this month.
  • If you want help, we’ll do a lightweight posture check and give you a 48-hour, plain-English readout.

 

Milwaukee SMBs: if you’d like us to facilitate the huddle or the drill with your team, get in touch with us. No drama, just a practical tune-up.

 


FAQ

 

Is this overkill for a small team? No. These are the least fancy, most reliable controls. You can phase them in without derailing day-to-day work.

 

We already have backups, why drill? Because recovery steps and permissions drift. A 30-minute dry run keeps you honest and exposes small issues before they’re big.

 

We use SMS MFA. Is that bad? It’s better than nothing, but it’s easier to phish. Start passkeys for admins/execs, enable number-match MFA for everyone else, and disable legacy protocols.

 

How soon will we see results? Many teams feel the difference in 2-4 weeks: fewer suspicious emails making it through, quieter sign-ins, and a documented restore time you can share with leadership.

 


Next Steps

  • Download the 5×5: 5×5 SMB Risk Matrix — Milwaukee Edition (Excel)
  • Run the drill: Restore Readiness Scorecard (Excel)
  • Want a guided walkthrough? Book a 15-minute “Milwaukee Cyber Lessons” session—bring your ops lead and we’ll leave you with an action list.