Why Backups Are Not Enough: Building Proactive Cyber Defenses for Small Businesses

On this episode of the Cyber Brisket podcast, Chris Engler sat down with Rob Allen, Chief Product Officer at ThreatLocker, to talk about one of the biggest challenges facing businesses today: how to stop cyberattacks before they become full-blown disasters.

Rob brings more than 30 years of IT and cybersecurity experience, including hands-on work responding to ransomware incidents. In the conversation, he explained why small business cybersecurity can no longer rely on old-school thinking like “we have backups, so we’re fine” or “our antivirus will catch it.”

The big message? Businesses need to move from reactive security to proactive cyber defenses.

Ransomware Has Changed

For years, many businesses treated ransomware as a recovery problem. If files were encrypted, the answer was simple: restore from backup and move on.

That used to work better than it does today.

Rob explained that earlier ransomware attacks were often focused on locking files and demanding payment for the decryption key. Backups could help a business recover quickly. But modern ransomware attacks are different. Attackers often steal data before encrypting systems, which creates a much bigger problem.

Now, a company is not only trying to restore files. It may also be dealing with exposed customer data, legal concerns, compliance issues, reputational damage, and difficult conversations with clients.

That is why backups are still important, but they are not a complete cybersecurity strategy.

Backups Matter, But They Are Not Security

One of the strongest takeaways from the episode is that backups should be part of the plan, not the entire plan.

Backups help a business recover after something goes wrong. But they do not necessarily stop data from being stolen. They do not prevent an attacker from getting into the environment. They do not tell you whether sensitive files were copied before the ransomware was launched.

Rob also raised an important point many business owners may not consider: backup tools themselves can potentially be abused. If an attacker gains enough control, data can be moved somewhere it should not go while looking like normal backup activity.

The lesson is simple. Recovery matters, but prevention matters more.

Detection Alone Is Not Enough

Many companies rely on traditional security tools like antivirus and endpoint detection tools. These tools are useful, but they are often focused on identifying known threats or suspicious behavior after something has already started.

Rob explained the difference between detection and control in a way that is easy to understand.

Detection says, “We noticed something bad may be happening.”

Control says, “That thing was never allowed to run in the first place.”

For small businesses, this difference matters. If your security strategy depends only on catching every bad thing, you are asking your tools to recognize every threat, every tactic, and every new attack. That is hard to do, especially as attackers change their methods.

A stronger approach combines detection with control. That way, businesses are not just waiting for something bad to happen. They are limiting what can run, what can connect, and what can access sensitive data.

Zero Trust Explained Simply

Zero Trust can sound like a complicated cybersecurity buzzword, but Rob made the concept much more practical.

At its core, Zero Trust means you do not automatically allow everything by default. Instead, systems, users, and applications only get the access they actually need.

For a business owner, this can be thought of as a guest list. If an application, tool, or user is not on the approved list, it does not get in.

This approach helps reduce risk because attackers often use tools that are already available inside a business environment. They may abuse remote access software, scripting tools, file compression tools, or browser extensions. These tools may be legitimate on their own, but dangerous in the wrong hands.

That is why application control, least privilege, and ring fencing are becoming more important. Businesses need to know what is allowed, what is not allowed, and what each tool is permitted to access.

The Danger of “Living Off the Land” Attacks

One of the most eye-opening parts of the conversation focused on “living off the land” attacks.

In plain English, this means attackers use tools that already exist on a computer instead of bringing in obvious malware. For example, they may use PowerShell, remote access tools, or file compression software in ways those tools were never intended to be used.

This is a major issue because normal tools do not always look suspicious. A tool like PowerShell may be used by IT teams for legitimate work, but it can also be abused by attackers. The same goes for remote access software. It can help support teams fix problems, but if it is left installed and unmanaged, it can become an open door.

For small businesses, the practical question is not just “Do we have security software?”

The better question is: “Do we know what is running in our environment?”

Visibility Comes First

Rob emphasized that businesses cannot fix what they cannot see.

Before building a stronger cybersecurity plan, companies need visibility into their environment. That means knowing what software is installed, what applications are running, what remote access tools exist, what browser extensions are being used, and what normal activity looks like.

He shared examples of businesses discovering old remote access tools, previous vendor software, and unexpected applications still running on company machines.

These are the kinds of gaps attackers look for.

Visibility gives business owners and IT teams a starting point. Once you know what is there, you can begin cleaning it up, reducing unnecessary access, and building a safer baseline.

Practical Cyber Resilience for Small Businesses

Cyber resilience does not mean having a massive IT department or buying every security tool available.

It means building a practical plan that helps your business prevent, detect, respond, and recover.

For small businesses, that starts with smart basics:

  • Know what is running on your systems
  • Remove tools and accounts that are no longer needed
  • Limit user permissions
  • Control which applications can run
  • Protect cloud platforms like Microsoft 365
  • Watch for suspicious activity early
  • Keep backups, but do not rely on them alone
  • Work with vendors who respond quickly when help is needed

Rob’s advice was also refreshingly simple: start somewhere. Cybersecurity can feel overwhelming, but doing nothing is the biggest risk.

Key Takeaways

  • Ransomware is no longer just about encrypted files; data theft is often part of the attack.
  • Backups are important, but they are not a complete cybersecurity strategy.
  • Detection tools are useful, but businesses also need control.
  • Zero Trust helps reduce risk by only allowing approved access and applications.
  • Legitimate tools can be misused by attackers if they are not properly managed.
  • Visibility is the first step toward stronger security.
  • Small businesses should focus on practical, proactive cyber defenses before an incident happens.

Final Thoughts

The biggest lesson from Chris Engler’s conversation with Rob Allen is that cybersecurity has moved beyond simply reacting after something goes wrong.

Today, businesses need proactive cyber defenses that reduce risk before attackers get a foothold. That does not mean making cybersecurity complicated. It means knowing what is in your environment, limiting unnecessary access, controlling what can run, and having the right partners in place.

Because when it comes to modern cyber threats, the best time to stop an attack is before it starts.