If you run a business and you have an IT person — whether in-house or outsourced — there is one question you need to ask them. Right now. Today.

"Show me the process you use to know where everything lives and how you're protecting it."

If they can't answer that clearly and confidently, you have a problem. And in this episode of UnHacked, Justin Shelley and Bryan Lachapelle walk you through exactly why that question matters more than almost any other in cybersecurity today.

The Perimeter You Think You Have Doesn't Exist

There was a time when securing a business network was relatively straightforward. You put a firewall at the edge of your office network, you installed antivirus on the computers inside it, and you were reasonably well-protected. The perimeter was physical. It was defined. It was manageable.

That time is over.

Today, your business data doesn't live in one place. It lives in Microsoft 365. In SharePoint. In QuickBooks Online. In Dropbox. In whatever app your operations manager discovered six months ago and never told IT about. It lives on your remote employees' home networks — networks that are also connected to their kids' gaming PCs, their smart TVs, their baby monitors. It lives on the cloud servers of vendors you trust implicitly but have never actually audited.

The perimeter is no longer the edge of your building. The perimeter is everywhere your business data exists — and that means everywhere it exists has to be secured.

What You'll Learn in This Episode

The firewall conversation has changed — but firewalls still matter.

Justin and Bryan break down why physical firewalls are still an essential layer of protection for office-based teams, but explain clearly why a box on the wall is no longer the whole answer. Modern security means applying the concept of a firewall to every environment where your data lives — including cloud platforms, remote workstations, and even AI tools you may have recently started using.

Microsoft 365 is not automatically secure.

Many business owners assume that because they're paying Microsoft, their data is protected. It's not — at least not by default. Bryan explains what ITDR (Identity Threat Detection and Response) monitoring actually looks like inside a Microsoft 365 tenant, and why third-party tools are often required to detect the threats that Microsoft itself won't catch — like an employee logging in from two countries simultaneously, or someone quietly setting up email forwarding rules.
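The two detections named above, as an added example that is not from the episode or from any vendor's product: it flags one account signing in from two countries within a short window, and mailbox rules that forward outside the company. The event records, their field names, the one-hour window and the `example.com` domains are constructed assumptions, not a Microsoft 365 log schema.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are hypothetical, not a real log schema.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00", "country": "US"},
    {"user": "alice@example.com", "time": "2024-05-01T09:20:00", "country": "RO"},
    {"user": "bob@example.com", "time": "2024-05-01T09:05:00", "country": "CA"},
    {"user": "bob@example.com", "time": "2024-05-03T10:00:00", "country": "US"},
]
INBOX_RULES = [
    {"user": "alice@example.com", "forward_to": "archive@example.net"},
    {"user": "bob@example.com", "forward_to": "bob.assistant@example.com"},
    {"user": "carol@example.com", "forward_to": None},
]
COMPANY_DOMAINS = {"example.com"}  # assumption: domains the business owns


def concurrent_country_logins(events, window=timedelta(hours=1)):
    """Flag users whose sign-ins come from two countries within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        stamp = datetime.fromisoformat(e["time"])
        by_user.setdefault(e["user"], []).append((stamp, e["country"]))
    alerts = []
    for user, logins in by_user.items():
        for i, (t1, c1) in enumerate(logins):
            for t2, c2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break  # logins are time-ordered, so later ones are further away
                if c1 != c2:
                    alerts.append((user, c1, c2, t2.isoformat()))
    return alerts


def external_forwarding_rules(rules, company_domains):
    """Flag mailbox rules that forward mail to a domain the company does not own."""
    alerts = []
    for rule in rules:
        target = rule.get("forward_to")
        if not target:
            continue  # rule does not forward anywhere
        domain = target.rsplit("@", 1)[-1].lower()
        if domain not in company_domains:
            alerts.append((rule["user"], target))
    return alerts


if __name__ == "__main__":
    for alert in concurrent_country_logins(SIGN_INS):
        print("SIGN-IN", alert)
    for alert in external_forwarding_rules(INBOX_RULES, COMPANY_DOMAINS):
        print("FORWARDING", alert)
```

Country is usually derived from the source IP address, so a staff member on a VPN or mobile carrier can trigger the first check legitimately; treat a hit as something to review, not proof of compromise.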

Your VPN might be a wide-open back door.

When COVID forced a mass migration to remote work, the rapid solution was to give everyone VPN access — essentially drilling a tunnel straight through the firewall. The problem? No one knew what was on the other end of that tunnel. Justin explains how this well-intentioned shortcut created massive exposure, and why that exposure didn't go away when people started coming back to the office.

Your guest Wi-Fi probably isn't really a guest network.

Bryan reveals that in the vast majority of business audits his team conducts, what's labeled "guest Wi-Fi" turns out to be the same network as everything else — just with a friendlier name. A properly segmented network means guests, staff devices, and IoT devices like smart TVs and thermostats each live on their own isolated network segment. Anything less is a liability.

Shadow IT: the threat you've probably never thought about.

This is one of the most eye-opening segments in the episode. Shadow IT refers to software, apps, and cloud services that employees sign up for on their own — without IT's knowledge or approval. Maybe someone in HR thought Dropbox would be convenient. Maybe a project manager set up their own Notion workspace. The risk? An employee could potentially copy your entire SharePoint file library into a personal Dropbox account, and you would have no idea it happened. No alert. No log. Nothing.

The single most important first step: know what you have.

Both Justin and Bryan arrive at the same conclusion independently: you cannot protect your business if you don't first know what exists to be protected. That means every device connected to your network. Every cloud application in use across every department. Every user account. Every third-party integration. The CIS (Center for Internet Security) framework — one of the most respected cybersecurity standards in the industry — lists inventory of hardware, software, and users as the very first control, and for good reason. You can't defend what you haven't identified.

Why This Episode Is for You — Even If You're Not Technical

Justin and Bryan are not talking to IT directors or security engineers in this episode. They're talking to you — the business owner who is responsible for everything that happens inside your company, including a data breach you may not even know is possible yet.

The message of this episode is not that you need to become a cybersecurity expert. The message is that you need to be asking the right questions of the people who are supposed to be handling this for you — and you need to be able to recognize when the answers you're getting aren't good enough.

Justin shares that his own onboarding process for new clients has evolved from a matter of days to a 90-day intensive engagement — and that the majority of that time is spent doing exactly what he recommends to you in this episode: systematically mapping every business function to the software it touches, identifying where data lives, and building a protection strategy around it. That's not a small thing. But it's the right thing.

Key Takeaways

🔑 Justin's Takeaway: Ask your IT person — right now — to show you the process they use to track where your data lives and how it's being protected. If they can't show you a clear, documented answer, you have a gap that needs to be addressed immediately. Don't just write a check and assume. Verify.

🔑 Bryan's Takeaway: Know what you have. Every device. Every cloud service. Every application. If you can't list them, you can't protect them. Start there, and everything else becomes possible.

This Is Part 7 of the Cybersecurity Basics Mini-Series

UnHacked is working through the cybersecurity fundamentals that every business owner should understand — not in theory, but in practice. If you've been listening from the beginning, this episode connects directly to the earlier discussions on data protection and backup. If this is your first episode, it's a great entry point. Either way, there's a full library of episodes waiting for you at unhackmybusiness.com.

🔐 Is Your Business Actually Secure? Let's Find Out — For Free.

Everything discussed in this episode points to one uncomfortable reality: most businesses don't know what they have, don't know where it lives, and don't have a clear picture of how it's being protected. That's not a criticism — it's the norm. But it's also fixable.

Phoenix IT Advisors offers a free cybersecurity risk assessment designed to give you an honest, plain-language picture of where your business stands. We'll look at your network, your cloud environment, your endpoints, and your processes — and we'll tell you exactly what we find, no jargon, no sales pressure.

Visit phoenixitadvisors.com and mention UnHacked to schedule your free assessment.

Because the best time to find out you have a problem is before someone else finds it for you.
