What would you do if you woke up and found a stranger living in your attic?
It sounds like something out of a thriller — but it's a real phenomenon, and it happens more than you'd think. In this episode of UnHacked, hosts Justin Shelley, Bryan Lachapelle, and Mario Zaki use that deeply unsettling true story as the jumping-off point for one of the most important cybersecurity conversations they've had yet: what happens after an attacker gets into your business — and whether you'd even know.
The Uncomfortable Truth About Cyber Breaches
Most business owners picture a cyberattack as a dramatic, obvious event — files suddenly encrypted, systems crashing, a ransom note on the screen. The reality is far more disturbing.
Modern attackers don't break down your front door. They find a quiet way in, and they stay. They create hidden admin accounts with ordinary-sounding names. They map your network. They quietly harvest credentials. They may use your servers to mine cryptocurrency, host illegal content, or launch attacks on your clients and vendors — all while your business runs normally and no alarms go off.
In one case discussed in this episode, a client's backups were compromised so far back that restoring them just restored the attacker's access. In another, multiple attackers had been living inside the same network simultaneously — one mining Bitcoin, another encrypting files, a third re-encrypting what the second one had already encrypted. By the time anyone noticed, it was too late.
This isn't a rare edge case. It is the norm.
Prevention Is Not Enough. You Need Detection.
Episode 85 is Part 11 of UnHacked's cybersecurity basics mini-series, and it marks a critical turning point: the shift from prevention to detection.
As Bryan Lachapelle puts it: "A lot of us MSPs will concentrate a lot of our efforts on protection, prevention, and very little time on detection and logging. These days, you have to assume they're already in — and ask: how do I detect them?"
The hosts break down exactly what logging, monitoring, and detection mean in practice:
- Logging means recording every event across your servers, workstations, firewalls, Microsoft 365 accounts, and cloud applications — thousands of entries per hour, per device.
- Monitoring means having trained experts — not your regular IT team — reviewing those logs around the clock using AI and automation to separate signal from noise.
- Detection means being alerted the moment something anomalous happens, whether it's a suspicious login at 2 a.m., a remote access tool being launched, or a hidden "canary file" being touched by something that shouldn't know it exists.
Together, these form the backbone of a Security Operations Center (SOC) — a dedicated, 24/7/365 operation focused solely on watching for threats. As Mario Zaki explains: "These guys are not fixing printers. They are literally watching your perimeter, your Microsoft 365, your servers — every aspect of your business. That is their one job."
The Metric That Could Save Your Business: Mean Time to Detection
One of the most valuable concepts introduced in this episode is mean time to detection (MTTD) — how long it takes from the moment an attacker enters your environment to the moment you know about it.
Bryan shares a real client story that illustrates what this looks like when it works: an attacker got in through a weak password at 2 a.m. and began moving laterally through the network. Within 90 seconds, the monitoring team detected the anomalous behavior, locked every device in the organization as a precaution, and contained the threat — before a single file was stolen. The client woke up to a resolved incident report, not a ransomware demand.
That is what proper detection looks like.
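As an added illustration (not code from the episode, the hosts, or Phoenix IT Advisors), the script below runs three rules drawn from the detection examples above (an off-hours login, a remote access tool launch, a touched canary file) over a few constructed log lines, and then measures time to detection from the attacker's entry to the first alert as detection layers are switched on or off. The log format, rule names, tool names, canary path and the off-hours window are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample log (not real data): one attacker session that starts with a
# 2 a.m. login, launches a remote access tool, then reads a canary file, followed
# by a normal daytime login from another user. One key=value event per line.
SAMPLE_LOG = """\
2024-05-01T02:03:11Z host=ws-17 user=jsmith event=login src=203.0.113.5
2024-05-01T02:09:40Z host=ws-17 user=jsmith event=process_start name=AnyDesk.exe
2024-05-01T02:41:05Z host=fs-01 user=jsmith event=file_read path=/srv/finance/payroll_2023_DO_NOT_OPEN.xlsx
2024-05-01T08:15:22Z host=ws-04 user=alee event=login src=10.0.0.23
"""
ATTACKER_ENTRY = datetime(2024, 5, 1, 2, 3, 11)  # the 2 a.m. login above

# Assumed tuning values; a real SOC would derive these from the customer's estate.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe"}
CANARY_PATHS = {"/srv/finance/payroll_2023_DO_NOT_OPEN.xlsx"}
OFF_HOURS = range(0, 6)  # 00:00 to 05:59 is treated as anomalous for logins
ALL_RULES = {"off_hours_login", "remote_tool", "canary"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse(line):
    """Turn one log line into a dict of fields with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev

def check(ev, enabled):
    """Apply the enabled rules to one event; return alert text or None."""
    if "off_hours_login" in enabled and ev["event"] == "login" and ev["ts"].hour in OFF_HOURS:
        return "off-hours login"
    if "remote_tool" in enabled and ev["event"] == "process_start" \
            and ev.get("name", "").lower() in REMOTE_ACCESS_TOOLS:
        return "remote access tool launched"
    if "canary" in enabled and ev["event"] == "file_read" and ev.get("path") in CANARY_PATHS:
        return "canary file touched"
    return None

def detect(log_text, enabled=None):
    """Run the rules over every line; return (timestamp, host, alert) tuples."""
    enabled = ALL_RULES if enabled is None else enabled
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        msg = check(ev, enabled)
        if msg:
            alerts.append((ev["ts"], ev["host"], msg))
    return alerts

def time_to_detect(log_text, entry_ts, enabled=None):
    """Seconds from attacker entry to the first alert, or None if never detected."""
    alerts = detect(log_text, enabled)
    return (min(a[0] for a in alerts) - entry_ts).total_seconds() if alerts else None
```

With every rule enabled the session is flagged at the login itself (0 seconds); with only the canary rule the same intruder is not seen until the file read, roughly 38 minutes later, which is the gap the MTTD metric exposes.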
Without it? Attackers can live inside your environment for weeks, months, or even years — and by the time you find out, they've likely already deleted your logs, covered their tracks, and made off with everything valuable.
Why Almost No One Has This In Place — And Why That Has to Change
The hosts are candid about a hard reality: out of every 20 companies they audit, roughly one has meaningful logging and detection in place. And even businesses with IT providers often fall short — because detection requires specialized third-party tools, significant licensing costs, and dedicated expertise that most traditional IT setups simply don't include.
Several factors drive this dangerous gap:
- Cost: Cybersecurity is expensive, and detection tools are among the priciest layers — often requiring minimum license thresholds that make them inaccessible for smaller businesses through typical IT channels.
- Complexity: Unlike a backup drive you can physically see, monitoring and detection are invisible by design. Business owners can't easily verify whether it's working, and many don't know the right questions to ask.
- The unregulated IT industry: There's no governing body requiring IT providers to meet a security standard. A competitor can promise the same results for 60% less — and the business owner has no way of knowing they're getting a Chevette instead of a Ferrari.
- False confidence: Many business owners assume they'll know when they've been breached. They won't — not without the right tools.
As Justin puts it: "Are you getting attacked right now? Yes. One hundred percent. You are being attacked right now."
The Analogy That Makes It Click
Think of your business like your home. You have locks on the doors (firewalls, passwords). You have alarm contacts on the windows (endpoint protection). But what about motion detectors inside — for the intruder who found the unlocked basement window, the cracked attic hatch, the crawl space entrance nobody thought to check?
That's what logging, monitoring, and detection are. They're the motion detector. They're the security camera that records what actually happened. They're the alarm that goes off at 2 a.m. when someone who shouldn't be there starts moving through the halls.
And right now, most businesses don't have it.
Your Action Step — Starting Today
Bryan's takeaway is simple and immediately actionable: Ask the question. Call or email whoever manages your IT today and ask: "What are we doing for detection and response? What are we doing to monitor and detect a breach that has already occurred?"
If the answer is "I don't know" — or worse, silence — you have your answer.
Mario adds an important caveat: once you know you have a gap, you are now aware of a known risk. That awareness carries responsibility. Don't ask the question unless you're prepared to act on the answer.
The good news? Acting doesn't have to be overwhelming. It starts with a conversation.
🔒 Is Your Business Protected? Find Out — For Free.
At Phoenix IT Advisors, we offer a free cybersecurity risk assessment that tells you exactly where your business stands — including whether you have any meaningful detection and monitoring in place. No jargon, no pressure, no obligation.
Most business owners who go through it are surprised by what they find — and relieved they found out before an attacker did.
👉 Visit phoenixitadvisors.com and mention UnHacked to schedule your free assessment today.
Because the question isn't if someone will try to get in.
It's whether you'll know when they do.
Schedule Your Free Security Assessment - and mention UnHacked.
