On 11 March 2026, a pro-Iran hacktivist group called Handala attacked Stryker Corporation, a Fortune 500 medical device manufacturer. They did not use ransomware. They did not ask for money. They gained access to Stryker’s Microsoft Intune and Entra device management platform and wiped over 200,000 devices, including servers, PCs, and mobile phones, within minutes.

79 country offices went offline. Production lines stopped. Employees could not work for days. CISA launched an investigation. Handala claimed 50TB of data stolen.

Here is the part that should concern you: Stryker runs the same Microsoft 365, Entra, and Intune environment that a 20-person accountancy practice in Liverpool or a 15-person law firm in Chester uses. The technology stack is identical. The attack did not exploit some obscure vulnerability. It exploited admin access to Microsoft’s built-in device management tools.

Wondering whether your Microsoft 365 environment is configured securely? Start with a credential exposure check on your domain. No cost, no commitment, results in 48 hours. Request your credential exposure check or call 0151 452 3060.


This Was Not Sophisticated. That Is the Problem.

The Stryker attack was not a zero-day exploit or custom malware. It was devastatingly simple: gain admin-level access to a device management platform, then use that platform’s own tools to wipe every device it manages. Intune is designed to remotely manage, configure, and yes, wipe devices. That is its job. The attackers simply used it for its intended purpose, against the organisation.

For SMBs, this should be a wake-up call. Most small and medium businesses running Microsoft 365 have one or two people with Global Admin access. Those accounts can do everything: create users, delete data, change security settings, wipe devices. If someone compromises one of those accounts, they own your entire environment.

43% of UK businesses reported a cyber attack in the past year (DSIT 2025). The average breach takes 241 days to detect (IBM 2025). A wiper attack does not give you 241 days. It gives you minutes.


Why SMBs Are More Exposed Than Stryker

Stryker is a Fortune 500 company with dedicated security teams, a SOC, and enterprise-grade monitoring. They still got hit. A typical SMB has none of those things, which means the gaps are wider.

1. No Admin Account Separation

In most small businesses, the person who manages Microsoft 365 uses their admin account for everything: reading email, browsing the web, joining Teams calls. That same account has the power to wipe every device in the organisation. If that account is compromised through a phishing email or a reused password, the attacker has the keys to the entire kingdom.

What Stryker teaches you: Separate your admin accounts from your daily-use accounts. Admin accounts should never be used for email, web browsing, or anything other than administration. This is not optional.

2. No Conditional Access Policies

Conditional access policies control where, when, and how admin accounts can be used. They can require that admin access only comes from specific devices, specific locations, or requires additional verification. Most SMBs have none of these controls in place.

What Stryker teaches you: If your Global Admin account can be accessed from any device, anywhere in the world, with just a username and password (or even with MFA as the only extra check), you are exposed. Conditional access policies should restrict admin access to managed, compliant devices only.

3. Only 40% Use MFA on Email

Only 40% of UK businesses use multi-factor authentication on email (DSIT 2025). For admin accounts, MFA is the bare minimum, not the ceiling. Phishing-resistant MFA methods (hardware keys or certificate-based authentication) should be used for any account with elevated privileges.

What Stryker teaches you: MFA on every account. Stronger MFA on admin accounts. No exceptions.

4. No Break-Glass Accounts

A break-glass account is an emergency admin account stored securely offline, separate from your normal admin accounts. If an attacker compromises your regular admin accounts and locks you out, a break-glass account is your way back in. Most SMBs have never heard of them.

What Stryker teaches you: If an attacker gets into your admin accounts and changes the passwords, how do you recover? If you do not have a break-glass account, the answer might be “you don’t.”
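Added example (not from the original article): the conditional access and break-glass points above, expressed as a check over two policies written in the shape of a Microsoft Graph conditionalAccessPolicy resource, one weak and one hardened. The sample policies, the `audit_policy` helper and the break-glass placeholder ID are constructed for illustration. Excluding the break-glass account from the policy is an assumption based on common practice, so that a policy mistake cannot lock out the recovery account.

```python
# Added example: constructed policies in the shape of a Microsoft Graph
# conditionalAccessPolicy resource, checked against the controls described above.

# Role template ID of the built-in Global Administrator role in Entra ID.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder, not a real object ID: substitute your break-glass account's ID.
BREAK_GLASS = "BREAK-GLASS-OBJECT-ID-PLACEHOLDER"

def make_policy(state, operator, excluded):
    """Build a constructed sample policy targeting Global Admins on all apps."""
    return {
        "displayName": "Admins: MFA and compliant device",
        "state": state,
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN], "excludeUsers": excluded},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": operator,
                          "builtInControls": ["mfa", "compliantDevice"]},
    }

WEAK = make_policy("enabledForReportingButNotEnforced", "OR", [])
HARDENED = make_policy("enabled", "AND", [BREAK_GLASS])

def audit_policy(policy, admin_roles=(GLOBAL_ADMIN,), break_glass=BREAK_GLASS):
    """Return a list of gaps; an empty list means the policy meets every check."""
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("policy is not enforced")
    covered = set(users.get("includeRoles", []))
    if "All" not in users.get("includeUsers", []) and not set(admin_roles) <= covered:
        gaps.append("an admin role is not in scope")
    if "All" not in apps.get("includeApplications", []):
        gaps.append("not all cloud apps are in scope")
    if "compliantDevice" not in controls:
        gaps.append("compliant device is not required")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("compliant device is optional (operator is OR)")
    if break_glass not in users.get("excludeUsers", []):
        gaps.append("break-glass account is not excluded")
    return gaps

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_policy(policy) or "no gaps")
```

The weak policy looks complete at a glance, but it is in report-only state, lets MFA alone satisfy the grant, and would apply to the recovery account as well.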


Is Your Microsoft 365 Environment Configured Correctly?

Most of the protections in this article, including admin account separation, conditional access policies, MFA enforcement, and break-glass accounts, are configuration settings within Microsoft 365. They do not require additional software. They require someone who knows how to set them up properly.

Our H-Protect Standard package (from £55/user/month) includes Microsoft 365 security hardening as a day-one onboarding task: admin account separation, conditional access, MFA enforcement, backup configuration, and ongoing credential monitoring. We work alongside your existing IT; you do not need to switch providers.

Book a 15-minute call to review your Microsoft 365 security posture: Schedule a call | 0151 452 3060


The Backup Question Nobody Wants to Answer

The Stryker attack was a wiper, not ransomware. There was no decryption key to buy. No negotiation. The data was destroyed. The only path to recovery is restoring from backup.

This raises the question every business owner should be asking right now: if someone wiped every device in your organisation today, could you recover? How long would it take?

Most SMBs will say “yes, we have backups.” But dig a level deeper:

  • Are your backups immutable? If an attacker with admin access can delete your backups too, they will. Cloud backups that can be modified or deleted by the same admin account that was compromised are not real protection. You need immutable backups that cannot be altered or deleted, even by an administrator.
  • Are your backups tested? When did you last run a full restore test? Not a single file recovery. A full system restore. If the answer is “never” or “I’m not sure,” you do not know whether your backups actually work.
  • How long would recovery take? There is a difference between “we have backups” and “we can be operational again in four hours.” Knowing your recovery time objective is as important as having the backup itself.

85% of UK cyber attacks start with a phishing email (DSIT 2025). But the Stryker incident shows that the damage does not stop at stolen data. A wiper attack destroys your ability to operate. Without tested, immutable backups and a documented recovery process, a wiper is a business-ending event.


The Lock the Door Connection

The UK Government’s Lock the Door campaign, launched in February 2026, urges every SME to adopt the five Cyber Essentials protections: firewalls, secure configuration, software updates, access control, and malware protection.

The Stryker attack is a case study in what happens when access control fails at scale. Every recommendation in this article maps directly to the Cyber Essentials framework:

  • Access control: Admin account separation, conditional access, MFA, regular access reviews
  • Secure configuration: Hardening your Microsoft 365 tenant, removing unnecessary admin accounts
  • Malware protection: Endpoint security that detects and blocks threats before they escalate
  • Software updates: Keeping Intune-managed devices patched and compliant
  • Firewalls: Network segmentation that limits the blast radius of a compromised account

As the NCSC CEO Dr Richard Horne put it during the campaign: “Most attackers don’t care about size, reputation or logos, they are looking for opportunity and weaknesses.”

Stryker had the size, reputation, and logos. The attackers found a weakness anyway.


Five Things to Do This Week

You do not need to overhaul your entire IT infrastructure. But you do need to close the most dangerous gaps, starting with these five:

  1. Separate admin accounts from daily-use accounts. If the person managing your Microsoft 365 is using the same account for email and admin tasks, fix this today.
  2. Enable MFA on every account. Then upgrade to phishing-resistant MFA on admin accounts.
  3. Implement conditional access policies. Restrict admin access to managed devices and known locations.
  4. Create a break-glass account. Store the credentials securely offline. Test it quarterly.
  5. Test your backups. Run a full restore drill. Know your recovery time. Verify your backups are immutable.

If you are not sure how to do any of these, that is exactly the gap a managed security provider fills. These are configuration tasks, not purchases. They require expertise, not budget.


Find Out Where You Stand Before It Matters

The Stryker attack happened on a Tuesday. By Wednesday, 79 offices were offline. Wiper attacks do not give you time to react. The only defence is preparation.

Here is how to start:

  1. Today: Request a credential exposure check on your domain. No cost, no commitment, results in 48 hours. It shows whether your team’s passwords are already circulating on criminal marketplaces.
  2. This week: Book a 15-minute call to walk through your Microsoft 365 security configuration. We will tell you which of the five actions above are already in place and which are missing. Call 0151 452 3060.
  3. This month: Get a vendor-sponsored vulnerability assessment to test your external defences. We run 20 of these a month for local businesses.

We work with businesses across Liverpool, Wirral, Chester, and the wider North West. We configure admin separation, conditional access, immutable backups, and MFA enforcement on day one of every onboarding. Not as an add-on. As the starting point.

Call 0151 452 3060 or book your assessment online.


HiltDigital provides security-first managed IT services for businesses across the North West. We work alongside your existing IT as a specialist security layer, covering Microsoft 365 hardening, threat monitoring, backup architecture, and compliance support.