Saturday morning, somewhere in Germany. While the weekend is just beginning for many, our team notices the first warning signs on a client company’s systems: unusual activities that immediately trigger all alarm bells. A quick analysis confirms the suspicion—ransomware. Within a very short time, critical systems are compromised. What follows is a race against time: securing systems, isolating critical areas, and then starting the recovery process.

Preventing Cyber Attacks: How Companies Build Resilience with IT Structures

Why cyber attacks succeed so frequently

Ransomware attacks are no coincidence. Attackers deliberately choose times when companies are understaffed — such as weekends. They exploit vulnerabilities like outdated authentication processes, unpatched systems, or misconfigured access points. A common mistake: the lack of a unified security concept. Instead of a well-thought-out overall strategy, many companies rely on isolated measures that are insufficient against complex attacks.

However, there are well proven approaches: a security model based on zero-trust principles, as well as clear structuring of access rights and automation to enable rapid response in case of emergency.

Three pillars for a robust IT security strategy

Secure Infrastructure – The foundation for resilience

A resilient IT infrastructure must not only function reliably but also actively close security gaps. In our example, 300 computers had to be isolated. The first step was therefore the complete reinstallation of a clean environment—based on our Azure Foundation. This cloud infrastructure follows clear security guidelines and is rolled out in a standardized way using Infrastructure-as-Code (IaC). This allows security configurations to be automatically checked and updated according to best practices.

Another advantage: The use of zero-trust principles ensures that workloads are segmented and only released for authorized connections. This keeps the attack surface minimal.

Security starts with authentication

In almost every cyberattack, identity management is the first point of attack. Passwords only are no longer enough. With Entra ID, user accounts can be centrally managed and secured. Multi-factor authentication (MFA) is the standard.

Another advantage: Suspicious activities are automatically detected and reviewed. For example, if a user logs in again from another location within a few minutes, this is recognized as a potential threat and access is automatically blocked.

To detect attackers in the infrastructure, advanced systems such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) are used. These solutions aggregate alarms and events, analyze them, and enable rapid assessment. A managed SOC—such as the Cloud Security Operations Center from glueckkanja—helps to make optimal use of these technologies.

Restoring workstations quickly

After an attack, employees need to be able to work again quickly. Cloud-based solutions like Microsoft Intune are essential for this. Devices can be fully reset and configured via a central portal—regardless of where the user is located.

The advantage: Employees can carry out the process themselves without the IT department having to manually set up each device. In addition, platforms like RealmJoin automatically distribute all relevant software packages and ensure that security updates are installed.

Emergency protection: AzERE as a contingency solution

An incident like this shows how important it is to have an emergency strategy in place. AzERE (Azure Emergency Response Environment) provides an isolated environment in which critical systems such as the domain controller are replicated in a secure “Dark Tenant” instance. This enables access to a clean version of the data, even in the event of a large-scale attack.

Additionally, AzERE enables the setup of a digital “War Room”: a platform where all relevant stakeholders come together to coordinate actions in real time. This central communication capability can make the decisive difference when minutes determine success or failure.

Conclusion: Proactive resilience instead of reacting to threats

This incident shows: An effective security concept requires more than isolated solutions. It needs a combination of secure cloud infrastructure, robust identity management, and a modern work environment that can be quickly restored.

And that’s exactly why our IT Workaholics stories are about people whose IT operations we’ve brought back from crisis mode to normal operations.

Read IT Workaholics stories now!