What’s Really Going On In Cybersecurity Today
- techrug

- May 12
- 7 min read
If you asked most business owners where a cyberattack is most likely to start, many would picture a hooded hacker breaking into servers. The reality is much different. Most attacks do not begin with a technical breach. They start with a person clicking something they should not have.
We recently sat down with Sean Furman, CEO of STF Consulting, a managed IT services provider for small and mid-sized businesses based in New Jersey, on the techrug Podcast. Sean brings over 25 years of experience working with small and mid-sized businesses, helping them manage day-to-day technology and build layered security frameworks designed to withstand modern threats.
As cyberattacks continue to increase in frequency, Sean breaks down how these attacks are actually happening, why they are accelerating, and what businesses need to keep an eye out for when it comes to protecting themselves. Here is where it starts.
How Cybercriminals Actually Get Into Small Business Networks Today
In today's environment, cybercriminals are far less focused on breaking through firewalls. That approach takes time, skill, and effort. Instead, they target something far more accessible and often overlooked: your email.
These attacks typically come in the form of phishing emails, vendor impersonation, and fake invoices, all designed to gain access to your systems without triggering suspicion. An attacker compromises one email account, becomes a trusted sender inside your organization, and uses that foothold to work their way deeper.
When businesses fall victim to these attacks, it rarely happens overnight. In many cases, attackers gain access and remain completely undetected for weeks, sometimes even months. During that time, they study workflows, payment processes, and internal communication patterns to understand exactly how the business operates. They are not rushing. They are learning.
By the time they make their move, everything appears normal. A fake invoice is created and sent, but it looks legitimate. It is crafted to match real communication styles and real internal language, making it nearly indistinguishable from an actual request. And that is exactly the point. But what is making all of this even harder to detect is what attackers now have access to.
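The vendor-impersonation and fake-invoice pattern described above is what the impersonation checks in a mail gateway are built to catch. The following is an added example, not code from STF Consulting, techrug or the podcast: a Python check that flags three of the cheapest tells, a display name belonging to an internal employee arriving from an outside address, a sender domain that is a homoglyph or one-character variant of a domain the business trusts, and a Reply-To that redirects answers away from the apparent sender. The tenant domain example.com, the employee directory, the vendor list, the homoglyph table and the sample headers are all constructed for the demo.

```python
"""Flag sender-impersonation patterns in inbound mail headers.

Added example, not STF Consulting's or techrug's code.  The tenant domain,
employee directory, vendor list and sample headers below are constructed;
a real deployment would pull the directory from the identity provider and
run this at the mail gateway.
"""
from __future__ import annotations
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                        # assumed tenant domain
EMPLOYEES = {"Sean Furman": "sfurman@example.com"}     # constructed directory
TRUSTED_VENDOR_DOMAINS = {"acme-supply.com"}           # constructed vendor list

# Digit-for-letter swaps commonly used in lookalike domains (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, fold digit homoglyphs, 'rn'->'m', 'vv'->'w'."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a trusted domain is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: set[str]) -> str | None:
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in trusted:
        return None                       # exact match is the real thing
    norm = normalize_domain(domain)
    for t in trusted:
        tn = normalize_domain(t)
        if norm == tn or edit_distance(norm, tn) == 1:
            return t
    return None


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of impersonation findings for one message's headers."""
    findings: list[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    trusted = TRUSTED_VENDOR_DOMAINS | {INTERNAL_DOMAIN}

    # 1. Display name of a real employee, but the address is outside the tenant.
    known_names = {n.lower() for n in EMPLOYEES}
    if name.strip().lower() in known_names and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {from_domain}")

    # 2. Sender domain is a near-copy of a domain the business trusts.
    target = lookalike_of(from_domain, trusted)
    if target:
        findings.append(f"lookalike domain: {from_domain} imitates {target}")

    # 3. Replies would be routed somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to mismatch: From {addr} but Reply-To {reply}")
    return findings


if __name__ == "__main__":
    # Constructed messages: an exec impersonation, a fake vendor invoice, a real one.
    samples = [
        {"From": "Sean Furman <sean.furman@gmail.com>", "Subject": "urgent wire"},
        {"From": "Accounts Payable <billing@acrne-supply.com>",
         "Reply-To": "billing@outlook.com", "Subject": "Invoice 4471 past due"},
        {"From": "Acme Supply <ar@acme-supply.com>", "Subject": "Invoice 4471"},
    ]
    for s in samples:
        print(s["Subject"], "->", check_headers(s) or ["clean"])
```

The caveat that matters for the scenario in this section: when the attacker is sending from a genuinely compromised internal or vendor mailbox, none of these header checks fire, because the sender really is who the headers say. That is why email filtering is one layer and not the layer, and why the identity side (who logged into that mailbox, from where) has to be watched as well.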
AI Is Making These Attacks Significantly Harder to Detect
With the help of AI, these attacks are becoming significantly harder to detect. The obvious red flags that people used to rely on are disappearing. Poor grammar, low-quality logos, and awkward language are no longer reliable indicators of a threat.
Attackers are now using AI to produce highly convincing emails, clone voices, and create realistic websites and login portals that closely mimic legitimate platforms. In many cases, these messages are tailored to the individual, using publicly available information or previously compromised data to make the communication feel authentic and urgent.
AI is also allowing attackers to operate faster and at a much larger scale. What once took hours of manual effort can now be generated in seconds, enabling highly targeted campaigns across multiple organizations at the same time.
As the quality and speed of these attacks continue to improve, the gap between what looks legitimate and what is malicious is becoming increasingly difficult to identify. Which brings us to the most important question: what does the right protection actually look like?
What Cybersecurity Protection Does a Small Business Actually Need?
Understanding how attacks happen is only half the battle. The more important question is what you can actually do to stop them, or at the very least, make your business a much harder target.
This is where a lot of businesses fall short. They assume that having antivirus software and a basic firewall is enough. Ten years ago that may have been a reasonable baseline. Today it leaves the door wide open. Traditional security tools were built to detect known threats: they match files against malware signatures and block traffic that matches known-bad patterns. But an attack that uses stolen credentials or manipulates a person directly does not trip any of those alerts. A login with a valid, stolen password is, to the firewall and the antivirus, a valid login. From a technical standpoint nothing looks wrong, so there is nothing for the tool to catch.
What the industry recommends is what is called a layered security framework. The idea is straightforward. No single tool catches everything, so you stack multiple independent layers of protection. If a threat slips past one, another is waiting. Sean refers to it as the Swiss cheese model. Every slice has holes, but when you line up enough slices, the holes stop lining up.
In practice, a properly built layered security stack for a small or mid-sized business includes:
- Endpoint detection and response (EDR) on every device, ideally delivered as a managed service (MDR), so that suspicious behavior is investigated rather than only matched against known malware signatures
- A 24/7 Security Operations Center (SOC) so threats are being watched and responded to around the clock, not just during business hours
- Advanced email security with impersonation protection and multi-layer filtering to catch threats before they reach the inbox
- Multi-factor authentication backed by conditional access policies (for example, requiring MFA from unmanaged devices or unfamiliar locations and blocking legacy authentication protocols that cannot perform MFA) rather than a simple on and off toggle
- Active monitoring of Microsoft 365 logins and identity signals to catch credential theft and suspicious access in real time
- A tested backup and disaster recovery system with automated alerts for when backups silently stop running, and periodic restore tests to prove the backups are actually usable
- Regular penetration testing to find vulnerabilities before attackers do
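The backup item in the list above names two distinct failure modes: a job that silently stops running, and an archive that exists but cannot actually be restored. The following is an added example, not tooling from STF Consulting or techrug, that exercises both in Python. It models a backup as a tar.gz holding the files plus a MANIFEST.json of SHA-256 hashes, raises an alert when no archive is newer than an assumed 26-hour window, and verifies an archive by restoring it into a scratch directory and re-hashing every file. The paths, the threshold and the sample files are assumptions made for the demo.

```python
"""Verify a backup can be restored, and alert when backups silently stop.

Added example, not STF Consulting's or techrug's tooling.  A backup is a
tar.gz of the files plus a MANIFEST.json of SHA-256 hashes; verification
restores it to a scratch directory and re-hashes every file.  Threshold,
paths and sample data are assumptions made for the demo.
"""
from __future__ import annotations
import hashlib, io, json, os, tarfile, tempfile, time
from pathlib import Path

MAX_BACKUP_AGE_HOURS = 26  # assumed: one daily job plus slack


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_archive(out: Path, files: dict[str, Path], manifest: dict[str, str]) -> None:
    """tar.gz with the given files (arcname -> source path) plus a manifest member."""
    with tarfile.open(out, "w:gz") as tar:
        for rel, src in files.items():
            tar.add(src, arcname=rel)
        data = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def make_backup(src: Path, dest_dir: Path, when: float | None = None) -> Path:
    """Back up src to dest_dir/backup-<epoch>.tar.gz; `when` lets the demo fake the job time."""
    when = time.time() if when is None else when
    files = {p.relative_to(src).as_posix(): p for p in src.rglob("*") if p.is_file()}
    out = dest_dir / f"backup-{int(when)}.tar.gz"
    write_archive(out, files, {rel: sha256_file(p) for rel, p in files.items()})
    os.utime(out, (when, when))
    return out


def check_freshness(dest_dir: Path, now: float | None = None) -> list[str]:
    """The 'backups silently stopped' alert: nothing present, or the newest is too old."""
    now = time.time() if now is None else now
    backups = sorted(dest_dir.glob("backup-*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not backups:
        return [f"ALERT: no backups found in {dest_dir}"]
    age_h = (now - backups[-1].stat().st_mtime) / 3600
    if age_h > MAX_BACKUP_AGE_HOURS:
        return [f"ALERT: newest backup {backups[-1].name} is {age_h:.1f} h old"]
    return []


def verify_restore(archive: Path) -> list[str]:
    """Restore into a scratch dir and compare every file's hash against the manifest."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():  # refuse path traversal and special files before extracting
            if m.name.startswith("/") or ".." in Path(m.name).parts or not (m.isfile() or m.isdir()):
                return [f"restore refused: unsafe member {m.name}"]
        tar.extractall(scratch)
        root = Path(scratch)
        if not (root / "MANIFEST.json").exists():
            return ["restore failed: MANIFEST.json missing"]
        for rel, expected in json.loads((root / "MANIFEST.json").read_text()).items():
            if not (root / rel).exists():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(root / rel) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def run_demo() -> dict[str, list[str]]:
    """Exercise every check on constructed data; each key maps to that check's alerts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src, dest = Path(d) / "data", Path(d) / "backups"
        (src / "invoices").mkdir(parents=True)
        dest.mkdir()
        (src / "invoices" / "2024-05.pdf").write_bytes(b"constructed invoice bytes")
        (src / "notes.txt").write_text("constructed notes")
        results["empty"] = check_freshness(dest)              # job never ran
        make_backup(src, dest, when=time.time() - 3 * 86400)  # job died three days ago
        results["stale"] = check_freshness(dest)
        fresh = make_backup(src, dest)
        results["fresh"] = check_freshness(dest)
        results["restore"] = verify_restore(fresh)            # should be clean
        # An archive whose manifest no longer matches its content: "running" but unusable.
        bad = dest / "tampered.tar.gz"
        write_archive(bad, {"notes.txt": src / "notes.txt"}, {"notes.txt": "0" * 64})
        results["tampered"] = verify_restore(bad)
    return results
```

Run `run_demo()` to see all five outcomes. The design point is that `check_freshness` and `verify_restore` answer different questions: the first is cheap and should page someone the same day a job stops, the second is the restore test that the "tested backup" wording in the list actually refers to, and only the second proves the data comes back intact.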
Security professionals also recommend using multiple vendors across these layers rather than buying everything from one platform. Different vendors use different detection methods and different logic. When one misses a threat, another is often positioned to catch it. That redundancy is intentional and it matters.
The businesses that fare best when an incident occurs are the ones that treated security as a system rather than a checklist. Every layer works together, and the strength of the whole depends on none of them being skipped. But even the strongest system has one variable that technology alone cannot control.
Why Employee Cybersecurity Training Is Critical for Small Businesses
No matter how well-built your security stack is, people remain the most targeted vulnerability in any organization. The technology can be flawless and a single employee responding to the wrong email can undo all of it.
Over 90 percent of the cyber insurance claims we see trace back to a lack of user education. Not a failed firewall. Not a misconfigured server. A person who did not know what to look for.
Sean has watched this play out across hundreds of businesses over 25 years. The attacks have changed dramatically but the human element has stayed constant.
Teaching employees to recognize phishing attempts, suspicious requests, and social engineering tactics is no longer optional. It is a foundational part of any serious security strategy, and it needs to happen on an ongoing basis, not just during onboarding.
But there is a layer to this that goes beyond employee training. Security culture has to start at the top. Sean has seen businesses where leadership agrees with the need for strong security practices in the meeting room and then quietly bypasses those same practices the next morning. They turn off the training program because it feels like an inconvenience. They opt out of MFA because it adds a step to their day. They use the same password they have had for years.
When that happens, it sends a message to every person in the organization. If the people at the top are not following the rules, nobody else will either. The technical controls mean very little if the culture around them is inconsistent.
The hard truth is that security only works when leadership is fully committed to it. A business that treats it seriously from the top down is one that can be genuinely protected. One that sends mixed signals is one that creates openings, no matter how good the technology is.
Where Things Are Headed
The honest answer is that this is not getting easier. The tools available to attackers are improving at a pace that is genuinely difficult to keep up with, and the scale at which they can operate is expanding every year.
Generative AI is giving defenders powerful new capabilities. Security teams are now using AI to audit firewall configurations, flag misconfigurations across entire networks, and identify vulnerabilities in a fraction of the time it used to take. What once took a technician hours to work through manually can now be completed in minutes.
But those same tools are in the hands of attackers. They are using AI to generate more convincing phishing campaigns, identify vulnerabilities faster, clone voices, and automate attacks across hundreds of targets simultaneously.
What used to require a skilled individual can now be done at scale by someone with very little technical background. The barrier to launching a sophisticated attack has dropped significantly and it is continuing to drop.
The global cybersecurity market is projected to grow dramatically through 2030. Not because businesses are becoming more secure, but because the attack surface keeps expanding. More devices, more cloud platforms, more remote access points, and more ways in. The businesses that navigate this environment successfully will be the ones that stopped treating cybersecurity as a one-time IT project and started treating it as an ongoing business priority.
As Sean put it near the end of our conversation, nothing is completely impenetrable. The goal is not perfection. It is making your business difficult enough to attack so that a threat actor moves on to an easier target, and being prepared enough that if something does happen, the damage is contained and the recovery is fast.
A Few Questions Worth Asking About Your Own Business
If you are a business owner evaluating where you stand right now, these are the questions that matter most.
- Is multi-factor authentication enforced for every user on every login, or is it just technically enabled somewhere in your settings?
- Are you running endpoint detection and response tools, or relying on traditional antivirus that was not built to catch today's threats?
- When did someone last actually test whether your backups can be fully restored, not just confirmed they are running?
- Are your employees receiving regular, ongoing security awareness training, and does leadership participate in it?
- Do you know specifically what your cyber insurance policy covers and what it excludes?
- Does your IT provider proactively hold you to security standards, or do they mostly show up when something breaks?
- If your email was compromised today, how long would it take your team to notice?
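The last question above has a measurable answer: the delay between the first anomalous sign-in and the first alert. As an added example, not tooling from STF Consulting or techrug, here is a Python pass over Microsoft 365 (Entra ID) sign-in records that applies the identity checks a SOC would run on them: a success over a legacy protocol that cannot perform MFA, an interactive sign-in satisfied without MFA, a first sign-in from a country outside the user's baseline, impossible travel between two countries, and a password spray from one source address against many accounts. The field names follow the Entra ID sign-in log schema (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode, clientAppUsed, authenticationRequirement, isInteractive) and the error code 50126 is the real invalid-username-or-password code; the baseline, the two thresholds and the sample records are constructed for the demo.

```python
"""Spot credential-theft signals in Microsoft 365 / Entra ID sign-in logs.

Added example, not STF Consulting's or techrug's tooling.  Field names
follow the Entra ID sign-in log schema; the baseline, thresholds and
sample records are constructed for the demo.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that cannot complete MFA: a success here means the password alone worked.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two countries inside this window is impossible travel
SPRAY_MIN_USERS = 5                 # assumed: one IP failing against this many accounts is a spray
ERR_BAD_PASSWORD = 50126            # Entra ID error code: invalid username or password

# Constructed baseline: countries each user is normally seen from.
BASELINE = {"sfurman@example.com": {"US"}, "ap@example.com": {"US"}}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze(events: list[dict]) -> list[str]:
    """Run the detections over a batch of sign-in records; returns alert strings."""
    alerts: list[str] = []
    last_success: dict[str, tuple[datetime, str]] = {}
    spray_targets: dict[str, set[str]] = defaultdict(set)  # ip -> accounts it failed against

    for e in sorted(events, key=lambda e: e["createdDateTime"]):
        user, when = e["userPrincipalName"], ts(e["createdDateTime"])
        country, ip = e["location"]["countryOrRegion"], e["ipAddress"]
        if e["status"]["errorCode"] != 0:
            if e["status"]["errorCode"] == ERR_BAD_PASSWORD:
                spray_targets[ip].add(user)
            continue

        # 1. Legacy protocol accepted the password: MFA never had a chance to run.
        if e["clientAppUsed"] in LEGACY_CLIENTS:
            alerts.append(f"{user}: legacy auth success via {e['clientAppUsed']} from {ip}")
        # 2. Interactive sign-in satisfied without MFA: a conditional access gap.
        if e.get("isInteractive", True) and e.get("authenticationRequirement") == "singleFactorAuthentication":
            alerts.append(f"{user}: interactive sign-in without MFA from {country}")
        # 3. First sign-in from a country outside the user's baseline.
        if country not in BASELINE.get(user, set()):
            alerts.append(f"{user}: first sign-in from {country} ({ip})")
        # 4. Impossible travel: two countries closer in time than travel allows.
        prev = last_success.get(user)
        if prev and prev[1] != country and when - prev[0] <= TRAVEL_WINDOW:
            minutes = int((when - prev[0]).total_seconds() // 60)
            alerts.append(f"{user}: impossible travel {prev[1]} -> {country} in {minutes} min")
        last_success[user] = (when, country)

    # 5. Password spray: one source address, many accounts, same failure code.
    for ip, users in spray_targets.items():
        if len(users) >= SPRAY_MIN_USERS:
            alerts.append(f"password spray from {ip} against {len(users)} accounts")
    return alerts


def sample_events() -> list[dict]:
    """Constructed log lines: a normal morning, a spray, a legacy login, a hijack."""
    def rec(t, user, ip, cc, client="Browser", err=0, mfa=True, interactive=True):
        return {"createdDateTime": t, "userPrincipalName": user, "ipAddress": ip,
                "location": {"countryOrRegion": cc}, "clientAppUsed": client,
                "status": {"errorCode": err}, "isInteractive": interactive,
                "authenticationRequirement": ("multiFactorAuthentication" if mfa
                                              else "singleFactorAuthentication")}
    return [
        rec("2024-05-06T09:00:00Z", "sfurman@example.com", "198.51.100.10", "US"),
        rec("2024-05-06T09:10:00Z", "ap@example.com", "198.51.100.11", "US"),
        # One source address trying the same password against many mailboxes.
        *[rec(f"2024-05-06T09:1{i}:30Z", f"user{i}@example.com", "203.0.113.7", "DE",
              err=ERR_BAD_PASSWORD) for i in range(5)],
        # Mail client on a legacy protocol; the password alone was enough.
        rec("2024-05-06T09:30:00Z", "ap@example.com", "198.51.100.11", "US",
            client="IMAP4", mfa=False, interactive=False),
        # Stolen credentials used from a new country 45 minutes after a US sign-in.
        rec("2024-05-06T09:45:00Z", "sfurman@example.com", "203.0.113.44", "NG", mfa=False),
    ]


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

In practice the records come from the sign-in log export in the Entra admin center or from the Graph API, and the baseline is built from a month or so of each user's history rather than hard-coded. Alerts 1 and 2 are also a direct audit of the MFA question earlier in this list: if they ever fire, MFA is enabled somewhere but not enforced everywhere, and the fix is a conditional access policy rather than a detection rule.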
You do not need to have every answer figured out today. But if several of those questions made you uncomfortable, that discomfort is worth paying attention to. The businesses that get ahead of this are the ones that ask the hard questions before an attacker finds the answers for them.
About
STF Consulting is a managed IT services provider based in Monmouth County, New Jersey, with over 25 years of experience supporting small and mid-sized businesses with cybersecurity, IT infrastructure, and layered security strategies.
This post is based on a conversation from the techrug Podcast featuring Sean Furman of STF Consulting and Michael Secrist, VP at techrug.