Most growing businesses have made real investments in cybersecurity but often still can't answer whether those investments are doing the job.
They’ve built programs, stood up firewalls, implemented antivirus software, and run annual phishing training and regular backups. The combination made sense for the threat environment it was built for, but most security programs are still catching up to how much that environment has changed.
The result is a cybersecurity gap most small businesses discover only when something forces the question. If multi-factor authentication has exceptions, security alerts are going unreviewed, and backups have never been tested with a real restore, coverage is thinner than it appears. That’s not a technology failure; it’s a validation gap: the distance between what a security control is supposed to do and whether anyone has confirmed it’s working.
The perspectives in this piece draw from a recent conversation between Cyberleaf CEO Jeff Buss and Bill Michael, CIO at partner organization SWK Technologies, two practitioners who regularly work through these situations with businesses across regulated industries.
The threat environment shifted in ways most security programs haven’t fully absorbed.
Smaller companies are now profitable targets. Bots scan the entire internet continuously for open doors, and a 75-person company is just as attractive a target as one with 5,000 employees. Verizon’s annual threat report puts the probability of a meaningful attack against a smaller business at over 30 percent today. A few years ago, that number sat closer to 5 to 10 percent.
The signals that once made attacks easy to spot have largely disappeared. Phishing emails used to have bad grammar, odd requests, and clunky formatting, but AI has cleaned all of that up. Beyond the content of the attacks themselves, the threat landscape now moves faster than any software update schedule can match, and exposure grows on its own timeline.
“AI is a margin call for IT. If you haven’t invested in building secure systems, AI makes defending what you have even harder.”
Compliance is a commercial requirement now, alongside the regulatory one. SOC 2, CMMC, and HIPAA controls show up as prerequisites in RFPs and contract renewals, particularly for businesses selling into regulated industries or supply chains. Many businesses are still working to meet that expectation.
Here’s what that gap looks like on the ground.
Multi-factor authentication (MFA) is enabled on most systems, but enforcement has gaps. A server carved out for convenience. An administrative account that got an exception somewhere along the way. Those gaps stay invisible from the inside, but attackers find them. The security tools are active, yet the alerts they generate sit unreviewed. Backups go out nightly, but no one has run a restore test, so no one knows whether the data comes back clean until something forces the question.
Jeff Buss puts it plainly:
“We’d go into organizations and they’d say they have MFA, they have endpoint protection. But MFA wasn’t enforced, not on every server, not on every account. Tools were installed but not running where they needed to be. After a while, we stopped taking ‘yes, we have it’ at face value and started validating whether it was actually working.”
SWK Technologies CIO Bill Michael has a name for it: the deploy and forget syndrome. "Companies invest in security tools and assume that because they're deployed, it equals protection. Unless you're monitoring and managing and validating the outputs, you're susceptible to misconfigurations and alerts that go completely unseen. That's silent failing." The tools are on and the lights are green, but underneath there’s often real distance between what’s installed and what’s working.
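The three silent failures described above (MFA enabled but not enforced, alerts nobody reviews, backups nobody has restored) can be checked rather than assumed. The script below is an added example written for this article, not Cyberleaf or SWK Technologies tooling. It runs over a constructed inventory; the account, alert and backup records, the reference date, and the triage and restore-test thresholds are all assumptions, and in practice the records would come from the identity provider, the alerting tool and the backup system.

```python
"""Validate that 'deployed' controls are actually working, over a constructed
inventory. Added example for this article; not Cyberleaf or SWK tooling."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed reference date and thresholds (assumptions, not vendor defaults).
TODAY = date(2025, 6, 1)
ALERT_REVIEW_SLA_DAYS = 2        # assumed window for triaging an alert
RESTORE_TEST_MAX_AGE_DAYS = 90   # assumed maximum age of the last restore test


@dataclass
class Account:
    name: str
    mfa_enabled: bool     # MFA registered for the account
    mfa_enforced: bool    # sign-in is refused without MFA, no bypass or exception
    privileged: bool
    exception: str = ""   # documented reason for an exemption, if one exists


@dataclass
class Alert:
    source: str
    raised: date
    reviewed: bool


@dataclass
class Backup:
    system: str
    last_run: date
    last_restore_test: Optional[date]  # None means a restore was never tested


@dataclass
class Finding:
    control: str    # "mfa", "alerts" or "backups"
    subject: str
    severity: str   # "high" or "medium"
    detail: str


def check_mfa(accounts: List[Account]) -> List[Finding]:
    """'Enabled' is a tenant-level setting; 'enforced' is per principal. Only enforced counts."""
    findings = []
    for a in accounts:
        if a.mfa_enabled and a.mfa_enforced:
            continue
        why = "MFA not enabled" if not a.mfa_enabled else "MFA enabled but not enforced"
        if a.exception:
            why += f" (exception on file: {a.exception})"
        findings.append(Finding("mfa", a.name, "high" if a.privileged else "medium", why))
    return findings


def check_alerts(alerts: List[Alert], today: date = TODAY) -> List[Finding]:
    """An active tool whose alerts nobody reads provides no detection."""
    findings = []
    for al in alerts:
        age = (today - al.raised).days
        if not al.reviewed and age > ALERT_REVIEW_SLA_DAYS:
            findings.append(Finding("alerts", al.source, "high",
                                    f"alert unreviewed for {age} days (SLA {ALERT_REVIEW_SLA_DAYS})"))
    return findings


def check_backups(backups: List[Backup], today: date = TODAY) -> List[Finding]:
    """A backup that has never been restored is an untested assumption, not a control."""
    findings = []
    for b in backups:
        if b.last_restore_test is None:
            findings.append(Finding("backups", b.system, "high", "restore never tested"))
            continue
        age = (today - b.last_restore_test).days
        if age > RESTORE_TEST_MAX_AGE_DAYS:
            findings.append(Finding("backups", b.system, "medium",
                                    f"last restore test is {age} days old"))
    return findings


def validate(accounts, alerts, backups, today: date = TODAY) -> List[Finding]:
    return check_mfa(accounts) + check_alerts(alerts, today) + check_backups(backups, today)


def summarize(findings: List[Finding]) -> dict:
    """Count findings per control so the report answers 'is it working', not 'is it installed'."""
    counts = {"mfa": 0, "alerts": 0, "backups": 0}
    for f in findings:
        counts[f.control] += 1
    return counts


# Constructed sample inventory (not taken from any real environment).
SAMPLE_ACCOUNTS = [
    Account("j.doe", True, True, False),
    Account("svc-backup", True, False, True, exception="legacy agent cannot prompt"),
    Account("admin-old", False, False, True),
]
SAMPLE_ALERTS = [
    Alert("edr", date(2025, 5, 20), reviewed=False),
    Alert("firewall", date(2025, 5, 31), reviewed=True),
    Alert("edr", date(2025, 5, 31), reviewed=False),
]
SAMPLE_BACKUPS = [
    Backup("fileserver", date(2025, 5, 31), None),
    Backup("erp", date(2025, 5, 31), date(2025, 1, 15)),
    Backup("mail", date(2025, 5, 31), date(2025, 5, 1)),
]

if __name__ == "__main__":
    results = validate(SAMPLE_ACCOUNTS, SAMPLE_ALERTS, SAMPLE_BACKUPS)
    for f in results:
        print(f"[{f.severity:6}] {f.control:8} {f.subject:12} {f.detail}")
    print(summarize(results))
```

On the constructed inventory this reports five findings: two MFA gaps (both on privileged accounts, one with an exception on file), one alert left unreviewed for 12 days, and two backups whose restores were either never tested or last tested 137 days ago. The point of the design is that every check compares a control's intended behaviour with evidence of that behaviour, which is the validation step the "deploy and forget" pattern skips.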
Many businesses carry the assumption that their cyber insurance policy covers a breach, but what many find out afterward is harder to absorb. Underwriters price those policies assuming a security program exists. If a post-breach investigation finds that the security measures claimed during the application weren’t in place, the claim gets denied. The funds set aside for recovery disappear before they’re ever used, and the backup strategy most businesses count on as their fallback carries a similar assumption.
We’ve sat in enough of these calls to know how it unfolds. Most sophisticated ransomware groups steal your data before encrypting it, then threaten public exposure regardless of whether a restore succeeds. Tested backups address one part of that problem. The second demand stays on the table either way.
The businesses that close this gap work through the same priorities, not as steps on a checklist but as layers, each one making the next more effective.
Most successful attacks take the simplest path available: they find the unlocked door. Closing those doors comes down to three things done consistently:
Strong fundamentals shrink the surface attackers have to work with.
Every cloud application, AI tool, and third-party connection opens another path into your systems. A common example right now is employees connecting personal AI tools to company systems, creating data flows that nobody approved and nobody is tracking.
Knowing what’s moving through your environment, and having the expertise to act on it, is the difference between catching a threat early and finding out about it later. In practice, later usually means the threat has already moved further, complicating containment and mitigation.
The basics reduce exposure. Visibility tells you when something still gets through.
A practiced response plan is what determines the outcome when something goes wrong.
“I was running a major defense command center and thought I had access to the best security talent in the world. When a breach happened and we had to brief all the way up to the National Security Council, bringing in outside experts when I believed my team had it covered was one of the most humbling moments of my career. I see the same pattern in businesses of every size: ‘we’ve got it, we’ve got it.’ The lesson I took from it: ask for help early, and do the work before the pressure is real.”
The preparation is straightforward, and it starts with what we call the first-five-names plan: before an incident happens, write down the first five calls you would make:
That list, documented and confirmed in advance, is worth more than most security tools when the pressure is real. The organizations that come through serious incidents fastest have already worked through those questions, and that preparation scales to any team size.
"The level of preparedness is the single most decisive factor in determining the outcome of a cyber incident. Companies with a written and exercised incident response plan contain breaches significantly faster, helping to mitigate regulatory penalties and, most importantly, preserve trust with their customers and stakeholders."
— Bill Michael, CIO, SWK Technologies
Most organizations find out what their security program is made of during an incident. The ones that come through it fastest have already done that work. Start before something forces your hand.