
In a recent SWK Technologies webinar, Bill Michael, CIO of SWK Technologies, and Jeff Buss, President and CEO of Cyberleaf, sat down for a candid discussion on what small and medium businesses should actually be focused on when it comes to cybersecurity — and what amounts to noise. This session was a deliberate departure from the standard cybersecurity talk: no fear tactics, no acronym soup, no thinly veiled sales pitch. Just clear thinking, honest assessments and practical next steps your business can act on.
Bill and Jeff walked through why the cybersecurity strategy that worked five years ago no longer holds, where security gaps stop being abstract and start costing businesses real money, and how to think about the return on investment of a managed cybersecurity program. Use the section summaries and timestamps below to navigate the parts of the conversation most relevant to your business, and refer to the matching markers in the YouTube recording:
Watch the Webinar Here
Meet the Presenters (0:56)
Bill Michael oversees the Managed Cloud Services (MCS) team as well as security and compliance for all of SWK Technologies as CIO, ensuring controls are in place to protect the company and its clients against an ever-evolving threat landscape. His career has spanned regulated industries with stringent governance and 24/7 operations, including financial services, banking and healthcare, with a focus on helping clients quantify and mitigate risk across critical applications, systems and data assets. Bill was also named a Visionary CIO at the 2025 Global InfoSec Awards by Cyber Defense Magazine for his work building risk management frameworks that help SWK clients maintain strong security postures across complex regulatory environments.
Jeff Buss is President and CEO of Cyberleaf, a managed security firm and SWK partner that supports MSPs (managed service providers) as well as businesses of up to enterprise size. Prior to Cyberleaf, Jeff served as CIO at Dexian and Nordic Consulting and as Managing Director at Ernst & Young, where he advised four of the five largest U.S. banks and ran the firm’s national SIEM and SOAR practices. A retired Navy Captain, Jeff completed his military service as Commander of the Defense Information Systems Agency (DISA) Command Center, running and defending the $35 billion Department of Defense Information Network.
Free Cyber Risk Report (4:06)
SWK Technologies announced a free cyber risk report offer alongside the webinar. The report provides a data-driven evaluation of your security posture, covering vulnerabilities, third-party risk and standing against industry compliance standards. The summary identifies where deficiencies exist so a business can prioritize closing those gaps before an attacker exploits them.
- Formatted as honest assessments and practical next steps over fear tactics and acronym soup (4:06)
- Free cyber risk report: data-driven evaluation of vulnerabilities, third-party risk and compliance standing (4:36)
- Summary highlights where deficiencies exist and where to close gaps before exploitation (5:14)
Why the Five-Year-Old Cybersecurity Playbook Fails (6:01)
Bill opened the conversation by acknowledging that the cybersecurity strategy most businesses implemented five years ago was prudent and largely effective at the time. The legacy playbook leaned on four pillars: keeping bad actors out with a strong perimeter, patching regularly against known vulnerabilities, training employees once a year on basic phishing awareness, and backing up data so it could be restored. That logic was sound for the threats of its era; it no longer is.
- Perimeter defense, antivirus and Wi-Fi hardening defined the 2020 playbook (6:18)
- Patching against known vulnerabilities was the second pillar, antivirus the safety net (6:30)
- Annual phishing training focused on the era of obvious typos and bad grammar (6:43)
- Backups were treated as the recovery layer of last resort (7:14)
Three Shifts Driving the Cyber Threat Landscape (7:29)
Jeff identified three forces that have changed the cybersecurity math for small and medium-sized businesses: 1) AI lets attackers find and hit targets indiscriminately and at scale, 2) SMBs have become a profitable target for cybercriminals, and 3) enterprise-level data privacy regulations are trickling down into contract-level expectations of even smaller companies.
- Verizon and CrowdStrike threat data place SMB attack probability above 30 percent, up from 5–15 percent five years ago (8:07)
- Quote: “AI is a margin call for tech debt” — outdated infrastructure cannot be patched out of the problem (8:32)
- Emerging AI-driven code scanning tools like Mythos and Glasswing can identify zero-day vulnerabilities at attacker speed (9:26)
- Buyers now require documented proof — SOC 2, ISO 27001 and CMMC 2.0 are increasingly prerequisites to bid on contracts (9:45)
- Enterprise-grade compliance is flowing downstream to small suppliers without enterprise-grade budgets (10:19)
- Roughly 90 percent of cyber incidents start with a phishing email, and AI has raised the sophistication bar significantly (11:09)
Where Security Gaps Start Costing You Money (12:00)
Bill made the case that the supply chain is now a primary threat vector, and that vendor risk must be managed to the same standard as internal controls. When responding to a request for proposal, every security question should be treated as mandatory; access control policies, multi-factor authentication (MFA) enforcement, mobile device management and similar table-stakes controls are no longer optional. The point was illustrated with a single RFP security question, buried on page four, that ends a deal: a questionnaire that simply asks the bidder to produce its SOC 2 attestation, MFA policy and incident response plan, with the contract going to whichever competitor can.
- Third-party SaaS and hosting dependencies expand the threat vector beyond your own network (12:16)
- Treating any RFP security question as optional translates directly to lost business (12:30)
- Regulations now rolling from European banking into U.S. financial services, healthcare and supplier ecosystems (13:36)
- SOC 2 attestation, MFA and basic controls are table stakes — not differentiators (14:14)
Cybersecurity Insurance (14:39)
Premiums have climbed sharply, and Jeff described a catch-22 facing many businesses: without documented controls, insurance is either prohibitively expensive or unavailable, while those that lean on insurance in place of an actual cybersecurity program tend to find it does not work when an incident occurs. Bill added a critical detail on the claims process: carriers hire a digital forensics firm during a claim, and any gap between what was attested to on the application and what was actually implemented can result in a denial.
- Insurance premiums have spiked, particularly for small and medium businesses (14:45)
- Carriers now validate controls before issuing policies; weak controls drive premiums up or block coverage entirely (15:03)
- Using insurance as a substitute for a security program has a documented failure rate (15:21)
- Minimum policy requirements are climbing toward $5–10 million; the average large-company breach lands near $9.8 million (15:52)
- Claims can be denied when forensics reveals attested controls were not actually implemented (16:37)
The Cyber Incident You Cannot Afford (17:23)
Jeff opened with a sobering shift in incident response timing. The CrowdStrike standard most businesses internalized — one minute to alert, ten minutes to investigate, sixty minutes to remediate — has been compressed by AI-driven exfiltration to a fraction of that window. From there, the conversation moved into what an actual incident looks like in practice: weeks of operational disruption, email locked down, phones rerouted, and the operational reality of recovery once an attack has succeeded. Bill closed the segment by anchoring the discussion in preparedness as the single most decisive factor in incident outcomes.
- The industry-standard CrowdStrike response benchmark — 1 minute to alert, 10 minutes to investigate, 60 minutes to remediate — has been compressed by AI-driven exfiltration to roughly 5 to 10 minutes total (17:29)
- Operations halted, email files locked, phones routed to backup lines — weeks of disrupted business operations (17:55)
- Jeff referenced Ray Rothrock’s book Digital Resilience: “If you don’t know where your stuff is, it’s difficult to defend” (18:13)
- Example: A ransomware case at a Cyberleaf-supported private equity firm where the attorney on the response call mentioned it was his 12th call that week to the same ransomware group’s attorney — on a Tuesday at 6 PM (18:32)
- Written and exercised incident response capabilities contain breaches significantly faster (20:00)
- Bill points out that the difference between a one-hour and a five-hour response can mean hundreds of thousands or millions in losses, plus reputation and continuity (20:43)
A Three-Layer Framework: Hygiene, Visibility and Response (21:00)
Bill and Jeff worked through the framework they use to evaluate a business’s security posture according to three defined layers: 1) cyber hygiene, 2) visibility and 3) incident response. Each layer is necessary; no enterprise-level version of any single one substitutes for the others.
Layer 1: Hygiene — Lock the Doors
Bill made the case that the vast majority of successful attacks do not exploit sophisticated zero-day vulnerabilities — they exploit poor hygiene. Weak passwords, unpatched software and untrained employees are the open doors attackers walk through. Hygiene closes those doors before an attacker gets a chance to even try.
- Strong passwords are obvious — but make sure they get rotated (22:16)
- Patching closes the operating-system and software vulnerabilities attackers actively exploit (22:21)
- Risk scoring in email and identity platforms catches impossible-travel events, such as a login from New Jersey followed five minutes later by one from California (22:34)
- Daily, tested backups — the test is the part most businesses skip (23:00)
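As an added illustration of the impossible-travel check described above (this is not code from the webinar, SWK or Cyberleaf; the sign-in records, coordinates and 900 km/h threshold are constructed assumptions), the following Python compares consecutive sign-ins by the same account and flags any pair whose implied ground speed no traveler could achieve:

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not from the webinar or any SWK/Cyberleaf product. For each
account, consecutive sign-ins are compared: the great-circle distance between
their GeoIP locations divided by the elapsed time gives an implied speed, and
anything faster than an airliner is flagged. All events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime      # sign-in time (UTC)
    lat: float        # GeoIP latitude of the source address
    lon: float        # GeoIP longitude of the source address
    place: str        # human-readable label for reporting


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive same-user pair implying travel faster than max_kmh.

    Each finding is (user, earlier SignIn, later SignIn, distance_km, implied_kmh).
    """
    findings = []
    ordered = sorted(events, key=lambda e: (e.user, e.ts))
    for user, group in groupby(ordered, key=lambda e: e.user):
        prev = None
        for cur in group:
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
                hours = (cur.ts - prev.ts).total_seconds() / 3600.0
                if hours > 0:
                    kmh = km / hours
                else:
                    # identical timestamps: any real distance is impossible, zero distance is fine
                    kmh = float("inf") if km > 0 else 0.0
                if kmh > max_kmh:
                    findings.append((user, prev, cur, round(km), round(kmh)))
            prev = cur
    return findings


def _utc(hour, minute):
    return datetime(2025, 1, 14, hour, minute, tzinfo=timezone.utc)


# Constructed sample: the New-Jersey-then-California-five-minutes-later case from the
# talk, plus two benign patterns that a naive "different state" rule would over-flag.
SAMPLE_EVENTS = [
    SignIn("alice", _utc(9, 0), 40.7357, -74.1724, "Newark, NJ"),
    SignIn("bob",   _utc(9, 0), 40.7357, -74.1724, "Newark, NJ"),
    SignIn("carol", _utc(9, 0), 40.7357, -74.1724, "Newark, NJ"),
    SignIn("alice", _utc(9, 5), 34.0522, -118.2437, "Los Angeles, CA"),    # ~3,900 km in 5 minutes
    SignIn("bob",   _utc(10, 30), 40.7128, -74.0060, "New York, NY"),      # ~15 km in 90 minutes
    SignIn("carol", _utc(15, 30), 34.0522, -118.2437, "Los Angeles, CA"),  # ~600 km/h: a real flight
]

if __name__ == "__main__":
    for user, a, b, km, kmh in impossible_travel(SAMPLE_EVENTS):
        minutes = (b.ts - a.ts).total_seconds() / 60
        print(f"{user}: {a.place} -> {b.place}, {km} km in {minutes:.0f} min ({kmh} km/h)")
```

Only alice is flagged; carol’s same-day coast-to-coast pair is a plausible flight and bob never left the metro area. In practice VPN egress points, mobile-carrier NAT and coarse GeoIP data produce false positives, so a finding like this should raise an alert for a monitored queue rather than trigger an automatic lockout.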
Layer 2: Visibility — Know When Something’s Wrong
“You cannot protect what you cannot see.” Jeff laid out the baseline — intrusion detection and prevention systems feeding logs into a continuously monitored system, ideally backed by a Security Operations Center (SOC) with the staffing to act on what the tools surface. The challenge has grown more complex with AI tools pulling data in and out of company networks, often via personal accounts and unsanctioned connectors.
- IDS/IPS, firewall logs and 24/7 monitoring as the visibility baseline (23:24)
- AI connectors create entirely new visibility gaps — personal Claude accounts plugged into company financials are a real example (24:14)
- Bill’s “deploy and forget” pitfall: tools deployed without monitoring fail silently while active threats go undetected (26:07)
Layer 3: Response — When It Happens, and It Will
Response is the layer Bill identified as the one where everything either comes together or falls apart. A documented incident response plan, defined roles, pre-vetted vendors, an exercised tabletop and an offline contact list separate businesses that recover from those that do not. Jeff compared response readiness to VO2 max — an honest measure of organizational health that cannot be faked or postponed indefinitely.
- Third-party risk assessment is part of response planning — your partners’ controls are your controls (27:34)
- Maintain a hard-copy call tree of critical vendors, suppliers and staff for when technology fails (27:59)
- Jeff’s VO2 max analogy: response readiness is an honest measure of organizational health that cannot be avoided indefinitely (28:30)
- Boards and CEOs have an obligation to require tabletop exercises and IR plan review (28:53)
How to Frame the ROI of Cybersecurity for Your C-Level (29:43)
Bill laid out three lenses for justifying cybersecurity spend. Insurance premium reductions of 15 to 25 percent are real but make for the weakest standalone case. The strongest argument is investment to win business — when a SOC 2 attestation or vendor security questionnaire unlocks a deal, the first-year ROI often runs 3x to 10x the investment. Incident avoidance is the third lens and the one where CFOs typically need the most education, because expected-value math reframes a low-probability event into a measurable annual liability on the books.
- Insurance premium reductions of 15–25 percent function as contribution, not justification (29:58)
- Investment to win deals typically delivers 3–10x first-year ROI when a security questionnaire stands between you and a contract (30:24)
- Incident avoidance modeled through expected value: a 25 percent chance of a $2 million incident is $500,000 of annual liability on the books (31:06)
- Jeff cited Jack Jones’s FAIR methodology for quantifying cyber risk impact in business-value terms boards understand (31:31)
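To make the expected-value lens above concrete, the following added Python example (not from the webinar, and not Jack Jones’s FAIR tooling) reproduces the 25 percent × $2 million point estimate and then applies the FAIR decomposition into loss event frequency and loss magnitude with a seeded Monte Carlo run, so the 90th and 95th percentile years appear alongside the average. The Poisson and lognormal distribution choices, the $100,000 control cost and the post-control 10 percent probability are assumptions for illustration:

```python
"""Expected-value and FAIR-style Monte Carlo sizing of an incident liability.

Added example; it is neither the webinar's worksheet nor Jack Jones's FAIR tooling.
FAIR factors annualized risk into Loss Event Frequency (LEF) and Loss Magnitude
(LM). The point estimate reproduces the talk's 25% x $2M = $500K figure; the
simulation shows the tail a single expected-value number hides. Distribution
choices (Poisson frequency, lognormal magnitude) and all inputs are assumptions.
"""
import math
import random
from statistics import mean


def expected_annual_loss(probability, impact):
    """Point estimate used in the talk: P(incident in a year) x cost per incident."""
    return probability * impact


def control_benefit_ratio(annual_cost, p_before, p_after, impact):
    """Expected loss avoided per dollar spent on a control that lowers incident probability."""
    avoided = expected_annual_loss(p_before, impact) - expected_annual_loss(p_after, impact)
    return avoided / annual_cost


def _poisson(rng, lam):
    """Knuth's sampler; adequate for the small annual rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(lef, lm_mean, lm_sigma=0.8, years=20000, seed=7):
    """Monte Carlo over simulated years; returns ALE and annual-loss percentiles.

    lef      expected loss events per year (Poisson rate; 0.25 = one every four years)
    lm_mean  mean cost per event; cost is lognormal with that mean and log-space
             spread lm_sigma, i.e. skewed with a heavy right tail
    """
    rng = random.Random(seed)
    mu = math.log(lm_mean) - lm_sigma ** 2 / 2   # makes E[lognormal] equal lm_mean
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, lm_sigma) for _ in range(n_events)))
    losses.sort()

    def pct(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {"ale": mean(losses), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


if __name__ == "__main__":
    print(f"point estimate: ${expected_annual_loss(0.25, 2_000_000):,.0f}/year")
    r = simulate_annual_loss(lef=0.25, lm_mean=2_000_000)
    print("simulated: " + ", ".join(f"{k}=${v:,.0f}" for k, v in r.items()))
    # assumed inputs: a $100K/year control cutting incident probability from 25% to 10%
    ratio = control_benefit_ratio(100_000, 0.25, 0.10, 2_000_000)
    print(f"expected loss avoided per control dollar: {ratio:.1f}x")
```

The simulated average lands on the $500,000 point estimate, but roughly three years in four cost nothing and the bad years cost several times the average; that spread, not the mean, is what sizes an insurance limit or a backup investment. Real FAIR work estimates the inputs from calibrated ranges rather than single numbers.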
Baseline Actions to Take Right Now: MFA, Backups and Incident Planning (32:59)
Jeff and Bill listed three actions worth completing before month-end. The first is MFA enforced everywhere — not just where it is convenient. The second is daily, tested, segmented backups. The third is a documented incident response plan with the first five names a business would call written down before the call is needed.
- Brilliant at the basics: Jeff uses NIST CSF as the baseline framework (Identify, Protect, Detect, Respond and Recover, with Govern added in CSF 2.0) (33:06)
- Common audit finding: MFA enabled but not enforced, or CrowdStrike installed on workstations but not servers (33:41)
- Turn MFA on everywhere, not just where it is nice and easy (34:07)
- Maintain segmented, tested backups — daily at minimum, more frequent for transaction-heavy operations (34:35)
- Write down your incident response plan and the first five names you would call before you need them (36:13)
- Establish attorney-client privilege, engage your insurance carrier, and hand off to your IR team within the first hour or two (36:38)
DIY vs. Hybrid vs. Managed Security: Which Approach Fits Your Business (38:08)
The session worked through three valid paths for delivering cybersecurity, each with a clear tradeoff profile. Do-it-yourself fits businesses with the in-house technical bandwidth to manage hygiene, visibility and response themselves — at the cost of overhead and hiring risk. Hybrid splits the work, with internal staff handling some functions while a managed security partner covers the rest. Managed pushes the entire function to an outside partner and converts capital expense into a predictable operating subscription.
- DIY fits when the technical team is in-house and the bandwidth is real — most control, highest overhead, real skill-obsolescence risk (38:32)
- Jeff’s lesson from running the DISA command center: ask for help early — humility is the most expensive thing to learn the hard way (40:09)
- Hybrid is the most common SMB pattern, splitting cost and complexity between internal staff and an external partner (41:17)
- Common hybrid mistake: outsourcing the helpdesk but trying to keep cybersecurity in-house (41:58)
- Managed fits cleanest when there is no internal IT — lowest cognitive load, predictable OpEx (43:18)
How SWK Approaches Managed Cybersecurity Services (45:02)
Bill closed the framework discussion by walking through how SWK structures a managed engagement. The approach is consultative rather than one-size-fits-all, accounting for the regulations a business operates under — HIPAA for healthcare, CMMC for the defense contracting supply chain, SEC and FINRA for financial services — and the existing technical resources the business already has in place. SWK partners with Cyberleaf to augment its own SOC, managed detection and response and continuous monitoring capabilities under CyberAssurance CORE, with the option to layer in business continuity, disaster recovery and compliance reporting based on what the business actually needs.
- Consultative scoping based on regulatory environment (HIPAA, CMMC, SEC/FINRA) and existing technical resources (45:14)
- Full managed cybersecurity through SWK and Cyberleaf, or selective augmentation of existing internal teams (46:00)
- Business continuity and disaster recovery services as part of the broader engagement (47:04)
- Compliance reporting, policies, procedures and board-level documentation built into the program (47:09)
Q&A: Do Clients Ever Pay Ransomware? When Does It Make Sense? (49:11)
The first audience question asked whether SWK and Cyberleaf clients pay ransom and under what conditions. The honest answer from both: rarely, and it depends. Jeff explained that working with ransomware groups is now relatively well-established practice through legal counsel and insurance carriers, and that even paid ransoms frequently return partial data or none at all. Double extortion — encrypting data and threatening public release — has changed the calculation, but quality segmented backups and a tested response process still resolve most incidents without payment.
- Cases where payment makes sense are narrow: no valid backup, or highly sensitive exfiltrated data with no other path to containment (49:43)
- Double extortion is now the default ransomware model — encryption plus a public-release threat (50:03)
- Even paid ransoms frequently return partial data, parsed data or none of the data attackers claimed to have (50:33)
- Attorneys familiar with specific ransomware groups (e.g., BlackCat/ALPHV) can directly inform board-level decisions (51:03)
- Segmented, air-gapped backups remain the most reliable defense against having to consider payment at all (52:12)
Q&A: What Businesses Most Commonly Skip — And Always Regret (52:39)
Bill identified incident planning and response as the single most common omission. Businesses invest in infrastructure, tools and headcount and assume that investment equals protection — until an incident reveals the gap. Communication is consistently underprepared: knowing who to call, confirming third-party vendor contacts are still current, and validating that the response plan actually works under pressure. Jeff added that buying a tool without the trained staff to operate it is the equivalent of buying an F-22 with no F-22 pilot.
- Incident planning and response is the most universally skipped discipline (52:53)
- Communication failure: knowing the plan but not knowing who to call, or last speaking to that contact a year ago (53:24)
- Third-party dependencies belong in the incident response plan — most businesses do not include them (53:37)
- Tools without trained operators deliver a false sense of security, not actual protection (54:09)
Q&A: Nation-State vs. Opportunistic Attackers — What Actually Threatens SMBs Today (55:01)
On the final question, Jeff offered a unique perspective: nation-state actors are not the most relevant threat for most businesses. If a nation-state actor targets a specific company, that company is going to be breached — there is no realistic SMB-budget defense against that level of capability. The far more relevant threat is the AI-enabled opportunistic attacker, often operating from countries with limited legal cooperation with the U.S., running spear-phishing and credential attacks at high volume.
- Nation-state campaigns against critical infrastructure and telecom networks, such as Salt Typhoon and Volt Typhoon, have changed the defensive approach for those sectors, but those are nation-state targets, not SMB ones (55:46)
- If a nation-state actor wants into your company, they get in — that level of capability has no SMB-budget defense (57:00)
- Spear-phishing remains the most dangerous threat to most small and medium businesses (57:15)
- AI has enabled the “weekend warriors” of hacking — sophisticated phishing and malware deployment at lower skill thresholds (57:34)
See How SWK Technologies Will Help You Strengthen Your Cybersecurity
Cybersecurity is no longer optional for any business with an IT footprint, and it is becoming an increasingly complex requirement that demands more proactive, and repetitive, work. Let SWK Technologies help you regain peace of mind over your security posture and get back to running your business with our award-winning managed services and tailored cybersecurity solutions built for SMB needs.
Contact SWK here to learn more about our managed security services, and let us help you take back control over your cybersecurity.
