Cyber Risk Is Not Someone Else’s Problem. Here’s Where to Start.
Most organizations think about cyber risk backwards.
They imagine a sophisticated, targeted attack, decide it won’t affect them, and move on. But that’s not how most breaches actually happen.
On a recent episode of The Creative Stack, we sat down with Kirsten Bay, co-founder and CEO of Cysurance, to talk about how organizations should really think about cyber risk, what cyber insurance does (and doesn’t) cover, and the handful of practical steps that make the biggest difference. It’s one of those conversations we could have kept going for hours.
You Don’t Get to Decide What Your Data Is Worth
One of the most useful reframes Kirsten offered was this: attackers decide what your data is worth—not you.
We hear it all the time: “We don’t have anything anyone would want.” That mindset has been around for 20 years, and it completely misses the point.
A small manufacturer producing a single component for an HVAC system might not see itself as a target. But its production systems, employee data, and client relationships all have value to someone. Most attackers aren’t running highly targeted campaigns against specific companies. They’re testing every door in the neighborhood, usually with automated scans and lists of leaked credentials. An unlocked one gets opened.
Shifting from “I don’t have anything valuable” to “I don’t get to make that call” fundamentally changes how you think about both security and insurance.
The NotPetya Lesson: Cyber Risk Gets Physical
The 2017 NotPetya event was a turning point for the cyber insurance industry, and for good reason.
What made it different wasn’t just the scale of the data loss. It was the real-world impact. Companies couldn’t manufacture products. Oreo cookies couldn’t be made. Shipping operations ground to a halt.
That’s when it became clear: cyber incidents aren’t just abstract data problems. They can bring physical operations to a standstill.
We’ve seen this firsthand. We worked with a manufacturer that experienced a breach, had insurance, and believed they were well covered. Even so, recovery was long and painful. The impact of having production down for even a few days is something many organizations don’t fully appreciate until they’re living it.
The goal isn’t to eliminate incidents entirely—that’s unrealistic. It’s to make sure they stay manageable. We’d much rather deal with a fender bender than a six-car pileup.
The Five Things That Actually Reduce Risk
When we asked Kirsten which controls matter most, her answer was refreshingly simple. No exotic tools. No complex frameworks. Just five fundamentals:
Turn on MFA
If you’re running Microsoft 365, you already have it. Despite years of recommendations, it’s still not universal. MFA isn’t perfect, but it makes unauthorized access significantly harder, and insurers expect to see it. Enforce it for every account, admins first; app-based or hardware-key methods hold up better against phishing than SMS codes.
Patch regularly
A large share of breaches exploit known vulnerabilities in systems that weren’t kept up to date. Patching may not be glamorous, but it closes the doors attackers use most often. The longer you wait, the greater the risk.
Enable immutability on backups
Backups that can be altered or deleted during an attack aren’t real backups; a truly immutable backup can’t be changed even by someone holding admin credentials. Microsoft 365 includes retention and versioning settings for OneDrive and SharePoint data that serve this purpose; you just have to enable them, and then confirm that a deleted file can actually be restored.
Stop reusing passwords
The 2023 23andMe breach is a clear example. Attackers used credential stuffing, replaying username and password pairs leaked in unrelated breaches, and got straight into the accounts whose owners had reused those passwords. Unique credentials matter more than people realize.
Segment your network
When every system can freely communicate with every other system, a single breach can spread quickly. Segmentation limits how far attackers can go once they’re inside.
None of this requires a major investment. Most of it is configuration work on tools you already have. And according to Kirsten, implementing these five measures can reduce risk by 60–70%.
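The 23andMe pattern described under “Stop reusing passwords” is detectable in your own sign-in logs: one source trying many different accounts, mostly failing, with the occasional success where a reused password happens to match. The following detector is an added example, not code from the podcast, Cysurance or Valiant. The CSV log format (ISO timestamp, source IP, username, FAIL/SUCCESS), the sample events and the thresholds are assumptions; adapt them to your identity provider’s sign-in export.

```python
"""Credential-stuffing detector over sign-in events.

Added illustration, not code from the podcast, Cysurance or Valiant. The log
format (ISO timestamp, source IP, username, FAIL/SUCCESS) and the thresholds
are assumptions; adapt them to your identity provider's sign-in export.
"""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one source replaying leaked credentials against many
# accounts (one password was reused, so it succeeds), one user mistyping their
# own password, and an office NAT address where six people sign in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,203.0.113.7,alice@example.com,FAIL
2024-05-01T10:00:03Z,203.0.113.7,ben@example.com,FAIL
2024-05-01T10:00:05Z,203.0.113.7,chris@example.com,FAIL
2024-05-01T10:00:08Z,203.0.113.7,dana@example.com,FAIL
2024-05-01T10:00:10Z,203.0.113.7,erin@example.com,FAIL
2024-05-01T10:00:12Z,203.0.113.7,frank@example.com,FAIL
2024-05-01T10:00:15Z,203.0.113.7,gina@example.com,FAIL
2024-05-01T10:00:17Z,203.0.113.7,bob@example.com,SUCCESS
2024-05-01T10:02:00Z,198.51.100.20,carol@example.com,FAIL
2024-05-01T10:02:20Z,198.51.100.20,carol@example.com,FAIL
2024-05-01T10:02:45Z,198.51.100.20,carol@example.com,SUCCESS
2024-05-01T09:58:00Z,192.0.2.50,hal@example.com,SUCCESS
2024-05-01T09:58:30Z,192.0.2.50,ivy@example.com,SUCCESS
2024-05-01T09:59:00Z,192.0.2.50,jo@example.com,SUCCESS
2024-05-01T09:59:20Z,192.0.2.50,kim@example.com,SUCCESS
2024-05-01T09:59:40Z,192.0.2.50,lee@example.com,SUCCESS
2024-05-01T10:00:00Z,192.0.2.50,mia@example.com,SUCCESS
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    src: str
    user: str
    result: str  # "FAIL" or "SUCCESS"


def parse_events(text: str) -> list[SignIn]:
    """Parse the assumed CSV export into SignIn records."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, src, user, result = row
        events.append(SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             src, user.lower(), result.upper()))
    return events


def detect_stuffing(events, min_users=5, min_fail_ratio=0.8,
                    window=timedelta(minutes=10)) -> dict:
    """Flag sources that try many *distinct* accounts with mostly failures
    inside a sliding time window. A single user failing repeatedly (typos or a
    brute-force attempt) or a shared NAT where everyone succeeds is not flagged."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        users_in_window = Counter()  # username -> attempts currently in window
        fails = 0
        lo = 0
        best = None
        for hi, e in enumerate(evs):
            users_in_window[e.user] += 1
            if e.result == "FAIL":
                fails += 1
            # Evict events that have fallen out of the window.
            while e.ts - evs[lo].ts > window:
                old = evs[lo]
                users_in_window[old.user] -= 1
                if users_in_window[old.user] == 0:
                    del users_in_window[old.user]
                if old.result == "FAIL":
                    fails -= 1
                lo += 1
            attempts = hi - lo + 1
            distinct = len(users_in_window)
            ratio = fails / attempts
            if distinct >= min_users and ratio >= min_fail_ratio:
                if best is None or distinct > best["distinct_users"]:
                    best = {"distinct_users": distinct, "attempts": attempts,
                            "fail_ratio": ratio,
                            "window_start": evs[lo].ts, "window_end": e.ts}
        if best is not None:
            # Accounts that succeeded from a stuffing source are the ones whose
            # reused password is now burned: reset them and enforce MFA.
            best["compromised"] = sorted({x.user for x in evs if x.result == "SUCCESS"})
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct_users']} accounts tried, "
              f"{f['fail_ratio']:.0%} failed, compromised={f['compromised']}")
```

The distinct-account count is what separates stuffing from an ordinary brute-force or a forgetful user, and the failure ratio is what keeps a shared office address from being flagged. The accounts in `compromised` are the ones to reset and put behind MFA first.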
Insurance and Security Are the Same Conversation
Many organizations treat cyber insurance and security controls as separate topics. They’re not.
As Kirsten put it, insurance helps organizations move past the idea of zero risk. There is no such thing as zero house fires or zero car accidents. We rely on airbags, lane assist, and other tools to reduce impact, not eliminate it entirely. Cybersecurity works the same way.
The problem is that many organizations buy cyber insurance like a gym membership and never use it. The policy exists, but the controls don’t.
When a claim is filed, and the investigation reveals that MFA wasn’t enabled or patches were months behind, coverage becomes complicated.
Underwriters are asking the same questions we ask when onboarding clients:
- What controls are in place?
- When were systems last patched?
- Is MFA enforced?
The answers determine whether coverage is issued and at what cost.
What a Good IT Partner Actually Does
We also explored a question that’s coming up more often: with AI tools improving, do organizations still need a managed IT provider?
Kirsten shared a compelling stat: 88% of small and mid-sized businesses outsource their IT and security functions in some form. That’s not changing anytime soon.
The reason isn’t just cost. Security requires ongoing attention, expertise, and accountability—things most organizations simply can’t maintain internally.
The real challenge is expectations. Many business leaders assume their IT provider is handling security by default. In reality, basic break-fix support and proactive security management are very different services. If you want the latter, you need to explicitly define it.
At Valiant, our goal is to be a trusted partner, like a good attorney or accountant. Not just responding when something breaks, but helping you understand your risk and make better decisions over time. The goal is simple: keep you focused on your business.
Start With What You Already Have
The most practical takeaway from the conversation was this: most organizations don’t need new tools. They need to use the ones they already have.
If you’re running Microsoft 365, you already have:
- Microsoft Secure Score, which rates your tenant’s configuration against recommended settings
- Built-in MFA controls
- Retention and versioning settings that keep OneDrive and SharePoint data recoverable
Start there. Review what’s enabled and what isn’t. That alone will close most of the meaningful gaps.
The framework is simple. Start small, stay consistent, and don’t let perfect get in the way of better.
You’re probably not one tool away from being secure. You’re a few configuration changes away from being significantly less exposed.
The Creative Stack is produced by Valiant Technology, a managed IT services provider based in New York specializing in serving creative agencies and PR firms. Listen to episodes at podcast.thevaliantway.com and learn more at thevaliantway.com.