Beyond the Firewall: A Frank Conversation About Cyber Risk in 2025
Cyber risk in 2025 goes beyond technology: it lives in the “good enough” practices nobody ever challenges
I sat down recently with a CEO—a smart, disciplined manufacturing leader. We weren’t in a server room. We were in his office, reviewing Q3 operational costs.
He leaned back and said:
“Mike, I trust my team, but I have this nagging feeling our biggest risk isn’t something our firewall can stop.”
He was absolutely right.
This isn’t an isolated worry. I’m hearing versions of it from leaders across industries—manufacturing, construction, healthcare, legal.
Cyber risk in 2025 isn’t just about technology. It’s about people, process, and blind spots.
It’s the quiet assumptions we don’t challenge. The “good enough” practices we never upgraded. The trust we extend too easily.
So let’s have a direct, leader-to-leader conversation about six blind spots that can turn a good quarter into a crisis—and what you can do to fix them.
1. We Trust Our Eyes and Ears (But Shouldn’t)
A CFO called me in a panic. Their controller had wired hundreds of thousands of dollars to a “new vendor” after a voicemail that sounded exactly like the CEO. Same voice. Same urgency.
It was a deepfake.
This isn’t an abstract threat. Cheap AI tools can clone a voice from a few seconds of audio posted online: a conference talk, a podcast appearance, a company video.
For decades, we told people to “trust your gut” and “listen for the real voice.” In 2025, that advice is obsolete. A familiar voice proves nothing. Only verification through a channel the caller doesn’t control does.
I’ve told my clients—and my own family—for years:
Hackers count on two things: people love to be helpful, and they love to show how much they know.
Your staff aren’t foolish. They’re trying to help. Attackers know that’s the easiest exploit in your organization.
What You Should Do:
- Mandate out-of-band verification for wires, password resets, and access approvals: call back on a number from your own directory, never one supplied in the request itself.
- Establish challenge phrases for verbal requests. Share them in person and rotate them; never send them over email or chat, where an attacker who already controls the mailbox can read them.
- Train for skepticism. Simulate deepfake scenarios so staff know to slow down and verify, and make clear that a delayed wire is acceptable and a fraudulent one is not.
- Document it. Enforce it. Regulators and insurers won’t accept “we trusted them to be careful.”
This isn’t red tape. It’s the new cost of doing business securely.
2. We Think Ransomware is About Data (It’s About Downtime)
When I talk to CEOs, they often say, “We’re fine, we have backups.”
That’s not the point.
Ransomware today isn’t just about encrypting files. It is extortion on several fronts at once: systems encrypted, data stolen and held over you, and operations paralyzed until you pay or rebuild.
Your factory floor goes silent. Your law firm can’t access case files. Your clinic can’t schedule patients.
Backups don’t fix that in real time. Restoring an entire environment takes days, not hours, and attackers routinely go after backups first, which is why copies need to be offline or immutable and restores need to be tested before you need them.
I know a manufacturing client who was down 21 days—even with backups. The cost? Over $5 million in missed production, penalties, and lost customer trust.
What You Should Do:
- War-game your recovery. Can you be fully operational in 24 hours? If you don’t know, you have your answer.
- Plan for business continuity, not just data restoration: which processes must run first, and how, while the systems are still down.
- Map downtime costs per day, per line of business, so you understand the true risk you’re accepting.
- Include leadership in drills. Ransomware is a business problem, not an IT-only problem.
Your reputation isn’t built on data. It’s built on delivery. That’s what attackers are really holding hostage.
3. We See a Request (But It’s a Trap)
We’ve all seen them: the urgent email from a “boss” needing a quick favor.
This isn’t clumsy, typo-ridden spam anymore. Attackers do their homework. They know your projects, your team names, your internal lingo.
They craft messages that sound exactly right—because they’ve studied you.
And a single mistake doesn’t just cost money. It corrodes trust throughout your organization.
What You Should Do:
- Run live-fire phishing drills that include your leadership team, not just front-line staff.
- Practice failure. It’s better to be embarrassed internally than breached externally.
- Encourage reporting. Make it normal, even celebrated, to flag suspicious requests, and never punish a false alarm.
- Review internal processes. How easy is it for someone to impersonate your leaders? Does a message carrying the CEO’s name bypass the approval steps everyone else has to follow?
Attackers often don’t need to hack systems. They hack people. And they’re betting you won’t take that seriously enough.
4. We Assume Our Partners Are Secure (They’re Not)
This is the blind spot I see most often.
One client found their 46 vendors had 487 critical vulnerabilities. That’s like hiring caterers for your wedding who have a history of food poisoning complaints.
Your supply chain is your attack surface.
And insurers know it. A CFO once told me, “We didn’t get breached—but our vendor did. And the insurer still denied the claim.”
What You Should Do:
- Stop accepting handshakes and questionnaires as security guarantees.
- Run third-party risk scans and demand real evidence: recent penetration test results, independent audit reports, and how quickly critical patches actually get applied.
- Put security requirements with teeth into contracts: breach notification deadlines, a right to audit, and minimum controls they must maintain.
- Prioritize critical vendors, starting with those that hold your data or have access into your network. You can’t fix everything at once, but you can manage your biggest risks.
If your partners push back on security requirements, that’s not a negotiation. That’s a red flag.
5. We See Innovation (But Criminals See Opportunity)
Every new cloud app. Every remote employee. Every “smart” device.
They’re all productivity boosters, and every one of them is a new entry point.
I tell leaders to think of it like renovating a house. Every new door or window you add improves the space—but you’d better remember to lock it.
The real problem? Shadow IT. Teams adopt tools on their own, leaving IT unaware of many of the new entry points and unable to patch or monitor them.
What You Should Do:
- Map your attack surface. Commission an asset discovery project, then repeat it on a schedule; a one-time inventory goes stale within months.
- Create a single source of truth for all internet-facing systems and apps, with a named owner for each one.
- Establish a lightweight approval process for new tools, fast enough that teams use it instead of going around it.
- Educate teams about the risks of unvetted solutions, especially ones that hold company data or connect to your identity provider.
You can’t protect what you don’t even know you have.
6. We’re Hunting for Talent (But Overlooking a Strategy)
I get it. The cybersecurity talent shortage is real. Good people are expensive and hard to find.
But too many companies think, “If I can just hire the right person, this problem is solved.”
That’s magical thinking.
You don’t have a headcount problem. You have a strategy problem.
Your IT team is already overworked. Hiring one “unicorn” CISO won’t fix systemic issues if there’s no plan to support them.
What You Should Do:
- Consider fractional leadership. A vCISO can give you top-tier guidance at a fraction of the cost.
- Build smart partnerships for monitoring, incident response, and compliance.
- Prioritize strategy over firefighting. Don’t let urgent requests crowd out big-picture planning.
- Invest in training. Don’t just buy tools. Make sure your team knows how to use them.
Security isn’t about hiring one genius. It’s about building a system that works even on their day off.
Three Moves to Make Before Quarter-End
If you want to start addressing these blind spots now, here’s your short list:
✅ Quantify Your Risk: Put a dollar figure on your top three cyber risks. Nothing changes a board conversation faster.
✅ War-Game Your Response: Walk your leadership team through a simulated crisis. Expose the gaps now—not when you’re paying ransom.
✅ Hold Your Partners Accountable: Put security clauses with teeth in your contracts. If they won’t sign, you have your answer about their priorities.
Ready to Find Your Blind Spots?
If this conversation resonated with you, please share it with another leader in your network. These are discussions we all need to be having.
Want to know how exposed your business really is? Schedule a Strategy Call with NCX Group, take our free risk assessment at training.ncxgroup.com/risk, or subscribe for more insights like this.
P.S. If you’ve read this far and still haven’t asked your CISO (or IT provider) to pull your third-party risk report… I’ve got bad news: You ARE the risk.
Let’s Talk
If it’s been more than a year since your last cybersecurity assessment—or if you’ve never done one—now is the time.
👉 Schedule a Strategy Call with NCX Group
Repost from LinkedIn – https://www.linkedin.com/pulse/beyond-firewall-frank-conversation-cyber-risk-2025-mike-fitzpatrick-causf/