Cybersecurity

Most business owners think cybersecurity is antivirus and a firewall. That picture has been out of date for about a decade. The threats moved on, the insurance carriers moved on, and the regulatory expectations moved on. The defenses most small and mid-size businesses have in place haven't moved with them.

This page covers what serious cybersecurity actually looks like in 2026, why your cyber insurance policy probably requires more than you think it does, and how we build the stack into a Managed IT engagement so the security and the operations stay in sync.

What your cyber insurance application is asking you to attest to

A cyber insurance application in 2026 looks nothing like one from 2019. Carriers tightened underwriting after the ransomware wave of 2021 through 2023, and they didn't loosen back up.

A standard application now asks whether you have multi-factor authentication enforced on email, remote access, administrative accounts, and any privileged access into your systems. It asks whether you've deployed endpoint detection and response (EDR or MDR), which is a category beyond traditional antivirus. It asks about your email security beyond the default Microsoft or Google filtering, your backup strategy (particularly whether you have immutable or offline copies that ransomware can't reach), your patch management cadence, your vulnerability scanning practice, your security awareness training program, and your incident response plan. The longer applications also ask about network segmentation, privileged access management, logging and monitoring, and whether you've ever had a security incident before.

What most business owners don't know is that the answers on that application are warranties to the insurer. If you said yes to MFA on email and you don't actually have it across the company, and you have a claim that traces back to an account that wasn't protected, the carrier has grounds to deny the claim or rescind the policy. Several large insurers have done this in the last three years. The application is no longer a paperwork exercise.

The reason this matters for a Wichita business: most of the businesses we talk to in onboarding audits have at least one or two attestations that don't fully match their environment. The MFA box is checked but it's only on email, not on the VPN. The "backups" answer is yes but the backups are on a NAS connected to the same network that ransomware would encrypt. The "antivirus" answer assumes the consumer-grade product on workstations counts as EDR. None of these are deliberate misrepresentations. They're gaps between what someone signing the application understood and what the underwriting really requires.

A serious cybersecurity engagement closes those gaps so that the attestations on your next renewal are accurate, and so that if you ever do have a claim, the carrier can't void coverage on a technicality.

The layered defense stack we deploy

There is no single product that constitutes cybersecurity. The real picture is a layered set of controls covering identity, devices, email, network, data, and people. The layers exist because no individual layer catches everything, and attackers who get past one layer are stopped or detected by the next.

Identity and access. Multi-factor authentication on email, VPN, administrative accounts, and any cloud platform you use. Conditional access policies that restrict logins by location, device, or risk score. Privileged access management for the accounts that can change critical configurations. Strong password policies and a password manager so users aren't reusing credentials across sites.

Endpoint protection. EDR or managed detection and response on every workstation, laptop, and server. EDR is not the same as the antivirus that came with your operating system or the consumer product you bought years ago. EDR continuously monitors behavior on the endpoint, flags anomalies, and can isolate a machine from the network if it starts behaving like it's compromised. A managed version (MDR) means an outside team is reviewing the alerts around the clock so something at 2 AM doesn't sit unread until Monday.

Email security. Advanced filtering beyond what Microsoft or Google provide by default. Specific protections against business email compromise, which is the category of attack where someone impersonates an executive or a vendor to redirect a payment or extract data. Phishing simulation and ongoing user training so the click rate on real phishing attempts goes down over time. Email security is the layer that catches the most attacks because email is where most attacks start.

Network protection. Firewalls with active threat intelligence feeds, kept patched, with rules that actually reflect current network use rather than five-year-old configurations. Network segmentation so that a compromised workstation can't reach systems it has no business reaching. DNS-layer filtering to block known malicious domains before traffic ever leaves the network.

Backup and recovery. A backup strategy where at least one copy is immutable or air-gapped, meaning ransomware that encrypts your production environment cannot reach the backups. Regular restore testing, because untested backups have a high failure rate when you actually need them. Our Backup and Disaster Recovery service covers the operational detail.

Patch and vulnerability management. Operating system patches, third-party application patches, firmware updates on network gear, and regular vulnerability scanning to find what's been missed. Most ransomware exploits known vulnerabilities that had patches available for months before the attack.

Logging, monitoring, and detection. Security event logging on critical systems, centralized so an investigation after an incident can actually reconstruct what happened. Alerting on the events that indicate something is wrong. The detection piece is what shortens dwell time, which is the period between when an attacker gets in and when you find out. Average dwell time for small business intrusions is still measured in weeks, not days.

User awareness training. Recurring training, not one-time onboarding. The data on phishing simulations is clear: organizations that run regular simulations see click rates drop over time. Organizations that train once a year see the same click rates as organizations that don't train at all.

Incident response readiness. A documented plan that names who decides, who communicates, who calls the insurance carrier, and who calls outside counsel. A list of vendors retained or pre-vetted, because the wrong time to negotiate with an incident response firm is at 11 PM during an active intrusion.

That's the stack. Not every business needs every layer at maximum strength. The right depth depends on your industry, your data, your customers, and what your insurance carrier and any applicable regulators require. The point is that "antivirus and a firewall" was the right picture in 2008. It isn't now.

We run this stack on our own business, not just for clients. CybertronIT hosts and secures its own customer-facing infrastructure and supports a workforce spread across several states, so the identity controls, endpoint coverage, and monitoring above are things we operate for ourselves before we ever recommend them to you.

How this fits with Managed IT

We don't sell cybersecurity as a standalone product separate from Managed IT Services. The bundling isn't a packaging preference. It's because security controls live on the same systems your IT team manages every day, and if the two are owned by different vendors, the seams between them are where breaches actually happen.

The pattern shows up in onboarding audits more often than you'd expect. A separate security vendor deployed EDR, but the MSP didn't add new endpoints to the policy when the company hired three people. The security vendor wrote a backup policy, but the MSP changed the backup target six months later and the policy never got updated. The MFA solution was deployed, but a service account that the MSP created as a bypass for an application got missed. None of these are anyone being negligent. They're handoff gaps between two teams that don't share day-to-day operational visibility.

When CybertronIT is your MSP and your cybersecurity provider, the same team that adds the new employee to the payroll system is the team that adds them to MFA, enrolls their device in EDR, and confirms they're inside the backup scope. There's no handoff because there's no second vendor.

If you're a government contractor with CMMC obligations, the same logic applies even more strongly. Our CMMC Readiness Services page covers that side of the work.

What happens when something gets through

No security posture is impenetrable. The work above reduces the probability dramatically and shortens detection time when something does happen, but a real cybersecurity engagement also includes a plan for the case where prevention fails.

We work with clients before any incident to document an incident response plan: who has decision authority, what gets communicated to employees and customers and law enforcement, when and how to engage the cyber insurance carrier, which forensic firm to call, what the backup recovery sequence is, and how to operate while the investigation is happening. When an incident hits, the first 24 hours are when most preventable damage happens, and they're not the time to be improvising the response.

This is part of every Managed IT engagement we run, not a separate consulting add-on.

Where to start

A short call is enough to find out where your current posture sits against what your insurance is asking you to attest to and what your business actually needs. We're happy to tell you what we'd change and what we'd leave alone. Most of these calls end with a clearer picture even if you don't end up working with us.

Book an exploratory call. Bring your most recent cyber insurance application or renewal questionnaire if you have one. It's the fastest way to find the real gaps.

Frequently asked questions

1. We already have antivirus and a firewall. Isn't that enough?

It's the floor, not the ceiling. Both are still useful layers. Modern attacks routinely defeat traditional antivirus because the malware is custom-built or uses techniques that signature-based products can't see. A firewall without active threat-intelligence feeds, or one still running a years-old ruleset, misses a large share of what a current, well-configured one would stop. The shift over the last decade has been from prevention-only thinking ("keep the bad stuff out") to defense-in-depth ("layers that detect and stop what the previous layer missed"). Antivirus and a firewall are two of the layers, not the whole stack.

2. What's MFA and do we really need it everywhere?

Multi-factor authentication is a second proof of who you are beyond your password, usually a code from an authenticator app or a hardware key. The reason you need it on email, remote access, and administrative accounts is that those are the credentials attackers buy on criminal markets after they're stolen from somewhere else, and MFA makes the stolen password useless on its own. Industry research has consistently shown MFA blocks well over 99 percent of automated account compromise attempts. Your cyber insurance carrier almost certainly requires it on at least the categories above. If you don't have it on those categories today, that's the highest-impact change you can make this quarter.

3. What does cybersecurity actually include in your Managed IT engagements?

Every engagement includes the foundational layers: MFA across the categories that matter, EDR on all endpoints, advanced email security beyond default filtering, immutable backups with restore testing, patch management on operating systems and major third-party applications, basic vulnerability scanning, user awareness training, and an incident response plan. The deeper layers (managed detection and response with 24-hour coverage, network segmentation, privileged access management, SIEM with active alerting) are scoped against your environment, your regulated obligations if any, and what your insurance carrier requires. The exploratory call is where we figure out which depth fits your situation.

4. What if we get hit despite all this?

We work with you ahead of any incident to document who decides, who communicates, who calls the insurance carrier and outside counsel, which forensic firm gets engaged, what the recovery sequence looks like, and how the business operates during the investigation. Layered defenses shorten dwell time and reduce blast radius if something does get through. The combination of better prevention and a real incident response plan is what separates an incident that becomes a one-week disruption from an incident that becomes an existential event.

5. Can we buy cybersecurity from you without Managed IT?

No. We bundle the two because they have to be operationally coupled or the seams between separate vendors become the failure points. If you already have an MSP you're committed to, the conversation is about whether the timing is right to switch IT providers, not about layering us on top as a cybersecurity-only vendor.

