In episode 76 of UnHacked, hosts Justin Shelley, Mario Zaki, and Bryan Lachapelle launch an essential multi-part series on baseline cybersecurity by tackling the foundation of digital security: identity and access control. This isn't just another technical discussion—it's a wake-up call for every business owner who thinks a strong firewall is enough protection in 2026.
The Landscape Has Changed Dramatically
Gone are the days when cybersecurity meant simply having a good firewall and strong server passwords. Today's threat landscape is fundamentally different. As Bryan Lachapelle explains, "It used to be that you only had the network to protect... Well, now people work from home, they work from airports, they work from all over the place and some companies don't even have an office."
The episode opens with a shocking revelation: courts have recently ruled that all your ChatGPT conversation history is now discoverable in legal proceedings. This means every query, every business strategy discussion, and every confidential conversation you've had with AI platforms can be subpoenaed and used against you.
The Microsoft 365 Holy Grail
The hosts reveal why compromising a Microsoft 365 account has become the "holy grail" for cybercriminals. With Office 365 access, attackers gain your files, email, and the ability to impersonate key executives. Bryan warns, "If they can get into your Office 365 account, they've got everything... especially if it's somebody higher up in the food chain at the company."
Three Critical Microsoft 365 Security Measures Every Business Owner Must Implement:
- Long Passphrases Over Complex Passwords: The old rules about symbols and numbers are obsolete. Modern security focuses on length—think five-word phrases with spaces that are memorable yet secure.
- Multi-Factor Authentication (MFA): This isn't optional anymore. Every account accessing business data needs this additional layer of protection.
- Conditional Access Policies: Geographic restrictions that prevent login attempts from suspicious locations, potentially blocking 90% of unauthorized access attempts.
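As an added illustration of the third measure (this is not from the episode or from Phoenix IT Advisors), the following Microsoft Graph PowerShell snippet creates a Microsoft 365 Conditional Access policy that blocks sign-ins from outside a chosen set of countries. The country codes, display names and break-glass account ID are placeholders to be replaced; it assumes the Microsoft Graph PowerShell SDK is installed and an admin with the Policy.ReadWrite.ConditionalAccess permission runs it.

```powershell
# Added example, not from the UnHacked episode: geographic Conditional Access policy.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Define the countries staff legitimately sign in from (placeholder: US and CA).
$allowedCountries = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed sign-in countries"
    countriesAndRegions               = @("US", "CA")
    includeUnknownCountriesAndRegions = $false   # IPs that cannot be geolocated count as "outside"
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $allowedCountries

# 2. Block every sign-in to every app from any location except the allowed one.
#    A break-glass admin account is excluded so a mistake in the policy cannot
#    lock every administrator out of the tenant.
$breakGlassUserId = "<object-id-of-break-glass-account>"   # placeholder
$policy = @{
    displayName   = "Block sign-ins from outside allowed countries"
    # Report-only first: sign-ins are evaluated and written to the sign-in logs
    # but not blocked, so the impact can be reviewed before enforcement.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. After reviewing the report-only results, change state to "enabled" to enforce.
```

Review the Entra sign-in logs under "Report-only" results for a few days before enforcing, since travelling staff and VPN exit points outside the allowed countries will show up there first.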
The Shared Account Epidemic
Perhaps the most eye-opening discussion centers on shared accounts—a practice that nearly 100% of new clients engage in, according to the hosts. Using Bryan's banking analogy: "Would you imagine having 20 people in your office all having access to the same bank card? Who's spending the money? Who's doing what?"
The risks of shared accounts include:
- Zero accountability: No way to track who accessed what and when
- Persistent access for former employees: Ex-employees can continue accessing systems long after termination
- Legal compliance violations: Many industries legally require individual user accounts for audit trails
- Corporate espionage opportunities: Former employees working for competitors can maintain silent access to confidential information
The HR-IT Connection Most Businesses Miss
One of the episode's most valuable insights is the critical connection between HR processes and cybersecurity. Every hiring and termination decision has cybersecurity implications. Mario Zaki emphasizes the importance of keeping IT teams informed about all software and services, sharing a story about a client using Dropbox with nine employees sharing one personal account password—unknown to their IT provider until after a security incident.
Real-World Horror Stories
The hosts share multiple real-world examples:
- A client's Dropbox account accessed by numerous former employees who could monitor every new client and bid
- An MSP still having admin access to a former client's Office 365 two years after the relationship ended
- A company owner who kept getting alerts for systems they no longer managed because proper offboarding procedures weren't followed
The Checklist Solution
Drawing inspiration from the aviation industry, the hosts stress the importance of standardized checklists for onboarding and offboarding employees. As Mario states, "I don't want to see an onboarding or an offboarding go out or get completed without the checklist, no matter what simple setup you think it could possibly be."
The Bottom Line for Business Owners
This episode makes clear that identity and access control isn't just an IT function—it's a business-critical process requiring:
- Clear policies understood company-wide
- Integration with HR processes
- Regular audits of who has access to what
- Immediate action when employee relationships change
- Professional oversight to identify blind spots
The hosts emphasize that while you can't eliminate all risks, you must know what risks you're accepting. The worst position a business owner can be in is simply not knowing their risk level.
Your Next Steps
If this episode has revealed gaps in your current security posture, don't wait for a breach to force action. The hosts are building an interactive self-assessment tool to accompany this series, but professional evaluation remains essential.
Ready to discover your real security risk?
Phoenix IT Advisors offers comprehensive cybersecurity assessments that reveal exactly where your business stands and what steps you need to take to protect your most valuable asset—your business itself.
Don't let identity and access control vulnerabilities become your company's downfall. The time to act is now, before you become another cautionary tale in a future UnHacked episode.
