Cyber threats have evolved into a pressing business issue, impacting operations, reputation, and the bottom line. Recognizing this shift, we recently hosted a thought-provoking webinar titled “Preventing Cyber Incidents: Your Blueprint For Cyber Resilience.”
During the session, Turn Key Solutions President Henry Overton was joined by cybersecurity attorney and former U.S. Army Lt. Colonel Sarah Anderson of SWA Law. Together, they unpacked how organizations can proactively manage cyber risks through administrative strategies, legal insights, and practical governance, without diving into the technical weeds.
In this blog post, we’ll break down the key takeaways from the webinar and explore how your business can bridge the gap between technology and risk management, starting with the human and procedural elements that often go overlooked.
Cybersecurity Reality Check: What Most Businesses Get Wrong
Sarah’s opening message was candid: cybersecurity is never foolproof. “There’s no such thing as 100% security,” she said. “No vendor should claim they can fully prevent attacks. The goal is to do the best you can with the resources available.” Think of security as eating an elephant one bite at a time. Progress, not perfection, is what matters.
Understanding the real threat landscape starts with debunking some common misconceptions that most business owners hold about cybersecurity threats to their business.
Top 5 Cybersecurity Myths And Why They’re Dangerous
- “We’re too small to be a target.”
Small businesses are often more attractive to attackers. Why? Because they’re perceived as having weaker defenses and limited budgets. Cybercriminals know that smaller organizations may lack the resources for robust security.
- “We don’t have anything valuable.”
It’s not always about your data; it’s about your connections. Hackers often target smaller vendors to gain access to larger partners or clients. If others trust your systems, you’re a potential gateway.
- “We’re encrypted in the cloud, so we’re safe.”
Encryption is only effective if your credentials are secure. Once attackers gain access, encryption offers no protection; it “melts away” the moment they log in with valid credentials.
- “We have backups and insurance, so we’re covered.”
This mindset can be dangerously misleading. Insurance policies often have strict limitations, and attackers frequently target and destroy backups first. Without offline or immutable backups, recovery may be impossible.
- “We’ll just keep a breach quiet.”
In the age of public breach-reporting sites and dark web forums, silence isn’t an option. Most breaches become public, often disclosed by the attackers themselves. Transparency and preparation are your best defenses.
Administrative Cybersecurity: The Overlooked Defense
The Cybersecurity Trinity: Physical, Technical, Administrative
Cybersecurity is often framed around tools and technology, but true resilience comes from a balanced approach.
One helpful framework breaks it down into three pillars:
- Physical security – Locked doors, ID badges, surveillance systems, and access controls.
- Technical security – Firewalls, antivirus software, endpoint detection, and other digital defenses.
- Administrative controls – Policies, employee training, vendor management, and documented procedures.
While physical and technical measures are essential, administrative practices are often the first line of defense. These human-centered controls help prevent incidents before technology even comes into play by shaping behavior, setting expectations, and managing risk proactively.
Key Administrative Tools You Should Implement
- Security Awareness Training
Your strongest firewall is a well-trained employee. Regular phishing and awareness training sharpens your team’s instincts, transforming hesitation into protection and making every employee a critical part of your cyber defense.
Why it matters:
- Attackers now use AI to craft convincing phishing emails with fewer spelling errors and more realistic language.
- Look for signs like odd punctuation, new domain extensions (e.g., .ai, .today), and urgency cues like “Immediate Action Required.”
- Acceptable Use and Device Policies
Employees must understand that company devices aren’t private. Make clear what employees can and cannot do with company devices. Include policies around privacy, reporting suspicious behavior, and prohibited sites (e.g., dating sites, streaming sites, AI chatbots).
Sarah advised clearly stating:
- No personal email on work devices
- No browsing of dating, gambling, or adult sites
- No saving passwords or clicking “remember me” on shared devices
Why? These behaviors make it easier for attackers to gather login tokens (cookies) and bypass multi-factor authentication.
“You’d be shocked at how many breaches I investigate that start with something as dumb as accessing a gambling site on company time,” she noted.
- Third-Party Risk Management (TPRM)
Vendors are often a hidden vulnerability. Vet vendors thoroughly and limit their access.
Steps to take:
- Google them: Search their business name with terms like “cyber incident” or “lawsuit.”
- Send cybersecurity questionnaires: Include misrepresentation clauses and require honest answers.
- Include strong contract clauses: minimum insurance, defined breach procedures, and access restrictions.
- Search legal databases: Look for prior issues.
- Require proof of security controls like firewalls, password policies, and cyber insurance.
Contract Must-Haves:
- Fraud prevention provisions
- Minimum insurance standards
- Data return/destruction clauses at contract termination
Real Example:
Target’s 2013 breach came through their HVAC vendor, which had access to internal systems. “They trusted a system that got hacked—and paid the price,” she explained.
Planning for the Inevitable: Incident Response
Planning for the inevitable is crucial because it’s not a matter of if but when you’ll face a breach.
Prepare Your Toolkit
- Print your cyber insurance policy.
Don’t rely on digital access if your systems are locked down.
- Know your first call.
Call legal counsel before the insurance company to preserve attorney-client privilege.
- Have pay and backup schedules printed.
Imagine being hit the night before payroll: you’ll need offline access to keep the business running.
- Train your staff.
Train staff not to turn off devices during an incident; instead, they should disconnect them from the internet.
Emerging Threats to Watch For
Cookie Theft and MFA Bypass – Cookies store authentication tokens; if stolen, they can bypass MFA. Sarah and TKS recommend disabling “remember me” features entirely.
Corrupted Document Attacks – Hackers now send slightly corrupted Word files that bypass email filters. Once opened, they auto-correct in Word and include malicious links.
Bonus: Sarah’s Top 3 Must-Have Tools
- Multi-Factor Authentication (MFA)
- Secondary, offline backup system (e.g., Backblaze + Dropbox)
- Endpoint Detection and Response (EDR) like CrowdStrike or SentinelOne
Practical Advice from a Cyber Law Veteran
Sarah closed with some great advice:
“Employees are your greatest asset—and your biggest risk. Train them, guide them, and protect yourself from their mistakes with smart policies.”