Understanding Defensibility: A Moving Target
Let’s be real: no system is 100% secure.
Even the best defenses can’t guarantee you’ll never face a breach or an attack. That fact leaves some business owners wondering, “If I can’t stop everything, why spend any money on prevention at all?”
It’s a fair question, but it’s based on bad logic. Prevention isn’t about perfection; it’s about doing enough to reasonably reduce your risks.
This is where defensibility comes into play: could a “reasonable person” look at your efforts and say you did enough to protect your business?
Why Defensibility Matters
Defensibility is about demonstrating that your cybersecurity measures were appropriate and aligned with what could reasonably be expected for your business size and industry. It’s not about being perfect; it’s about being responsible.
Think of defensibility as your safety net. When something goes wrong — and let’s be honest, something eventually will — it’s what helps you navigate the aftermath.
Whether it’s explaining to customers, dealing with regulators or talking to your insurance provider, defensibility is what says, “We took this seriously and did what we reasonably could to prevent this.”
Here’s why it’s critical:
- A Reasonable Standard: No one expects a small business to spend like a Fortune 500 company, but basic safeguards like firewalls, multifactor authentication (MFA) and phishing training aren’t optional anymore — they’re reasonable expectations.
- Trust and Accountability: Defensibility shows your employees, customers and partners that you’re responsible, even if something unexpected happens.
- The “Moving Target” Problem: Technology changes fast, and what was considered “enough” a year ago may not meet today’s standards. That’s why defensibility is a balancing act; it requires keeping up with changes without overspending or overcomplicating things.
Prevention vs. Perfection
We understand spending money on cybersecurity can feel frustrating when no system is foolproof. But the alternative (doing nothing) leaves your business completely exposed, and it doesn’t hold up under scrutiny if something happens.
“Defensibility isn’t about achieving perfection or passing audits; it’s about being able to show that you took reasonable steps to prevent problems.”
Here’s a helpful way to think about it:
- Good defense stops most threats, minimizing your risk and protecting your business.
- Defensibility isn’t about adding more tools or overanalyzing every decision; it’s about making thoughtful, reasonable choices that anyone could look at and say, “They did the right things.”
Why It’s Not Always Easy
Finding the line between “enough” and “too much” is tricky, and it’s different for every business. What’s reasonable for a company with five employees won’t be the same for one with 50. And because technology changes so quickly, that line is constantly shifting.
That’s why our job isn’t just to sell you tools; it’s to help you navigate these decisions: what protections to prioritize, where to spend your money wisely and how to keep up as the landscape evolves.
Examples of Defense vs. Defensibility
- Managing MFA for Shared Accounts
You’ve implemented MFA for all Microsoft 365 users, but shared accounts, like a team inbox, create challenges. If the account only handles nonsensitive communications and is locked down from critical systems, skipping MFA can be defensible. However, if the account has access to sensitive data or admin privileges, leaving MFA off becomes much harder to justify.
- Backup Retention Periods
To save costs, you shorten backup retention from two years to six months. For most SMBs, this is defensible, especially if your operations rely on recent data. But shortening retention to 30 days introduces risks, especially for businesses with annual audits or compliance requirements. Anything less than three months rarely meets the “reasonable person” standard.
- Running Unsupported Windows OS for Specialized Systems
Your CNC machines run on Windows XP, and upgrading would require hundreds of thousands of dollars in new tooling. This can be defensible if mitigations like removing internet access and isolating the machines from the domain are in place. While unsupported systems carry higher risks, reasonable steps to address those risks make this decision defensible.
The Bottom Line
Defensibility isn’t about achieving perfection or passing audits; it’s about being able to show that you took reasonable steps to prevent problems.
It’s the filter we always use when recommending solutions, ensuring your cybersecurity strategy makes sense for your business, your budget and today’s threats.
Make Your Defense Defensible
Unsure if your cybersecurity measures would pass the “reasonable person” test? Let us help you evaluate your defenses and ensure your business is prepared for today’s challenges. Contact us to learn how we can help secure your sensitive data.