Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.

Protecting Your Data and Networks: Why It Matters and How to Do It Right

A vendor calls with an offer: a basic firewall and antivirus package at a low monthly price. The sales rep is friendly, the cost is low, and getting something in place feels better than nothing. You sign a contract.

Six months later, you're hit with a ransomware attack. Your firewall wasn't configured to block the entry point. Your antivirus didn't catch the payload. The vendor offers to help, for a substantially higher monthly fee to upgrade to the tier that actually covers what just happened. This is the "foot in the door" tactic, and it's one of the most common ways small and mid-size businesses end up with security that looks real but doesn't work.

Image: a person wedging a foot in a closing door, illustrating the foot-in-the-door sales tactic and the post-contract surprises it conceals.

How the Foot in the Door Tactic Works

The foot-in-the-door tactic in managed IT and cybersecurity works like this: a vendor offers a stripped-down service at an attractive price to win the contract, knowing the initial engagement will surface opportunities to upsell. The entry offer is real (you do get a firewall, or antivirus, or a basic monitoring dashboard), but it is architected to be insufficient on its own. The protection gaps become apparent only after an incident, at which point the vendor proposes an upgraded package that addresses what the basic tier never covered.

Common variations include:

  • Firewall-lite: A consumer-grade or unconfigured firewall installed without rule sets matched to your environment. It blocks known malicious IPs but does nothing about unusual outbound traffic, application-layer attacks, or traffic moving between internal segments.
  • Antivirus without EDR: Legacy signature-based antivirus that catches known malware but misses fileless attacks, living-off-the-land techniques, and ransomware variants built to evade signature detection. Sold as endpoint protection; doesn't behave like it.
  • Monitoring without response: A dashboard that shows alerts but has no defined response procedure, no staffed SOC, and no one responsible for acting on what it detects. You're paying for visibility into incidents that no one is stopping.
  • Compliance-checkbox packages: Vendors who will sign a BAA or run a vulnerability scan to satisfy an audit requirement without implementing the underlying controls the audit is supposed to verify.

The tell is always the same: the vendor can't clearly explain what their service does when something goes wrong, who responds, and how fast. If the answer involves calling a help desk that escalates to a third party with no defined SLA, the "security" you're buying is mostly paperwork.

What Protection Your Business Actually Needs

Effective cybersecurity isn't a single product; it's a stack of controls that address different attack vectors. For most SMBs, the baseline that actually reduces breach risk includes:

  • Endpoint Detection and Response (EDR): Unlike signature-based antivirus, EDR monitors endpoint behavior in real time, flagging unusual process execution, lateral movement, and encryption patterns that indicate ransomware before it spreads. Products like CrowdStrike Falcon Go, SentinelOne, or Microsoft Defender for Business are accessible at SMB price points.
  • Multi-Factor Authentication (MFA): Mandatory on all cloud applications, VPN, email, and remote access. Not optional, and not limited to admin accounts. SMS codes can be intercepted through SIM swapping; authenticator apps avoid that, and FIDO2 security keys or passkeys go further by resisting phishing of the code itself.
  • DNS Filtering: Blocks connections to known malicious domains before any payload is delivered, stopping malware callbacks, phishing links, and C2 communication at the network level, even on unpatched endpoints.
  • Tested Backups: Offsite or air-gapped backups with a defined recovery time objective, tested quarterly by actually restoring from them. Ransomware operators target backup systems; backups stored in the same environment they protect, reachable with the same credentials, get encrypted along with everything else.
  • Patch Management: Automated patching enforced across every endpoint on a defined schedule. Attackers scan for unpatched systems as soon as a vulnerability is public, and exploitation of internet-facing systems often begins within days of disclosure, sometimes within hours.
  • Incident Response Plan: A documented procedure, even a one-page flowchart, specifying who gets called, what gets isolated, and how customers and regulators get notified when something happens.

Understanding Your Risk Profile

The right security investment depends on what you're protecting and what risks you actually face. A 20-person professional services firm handling client contracts has a different risk profile than a 150-person manufacturer handling export-controlled technical data. Spending the same amount on the same stack makes no sense for both.

A risk profile documents the types of data your organization handles, the regulatory requirements that apply, the threat vectors most likely to target your industry, and the financial and operational impact of a successful attack. Risk profiling is the starting point of every engagement, developed in collaboration with your business leaders, data owners, and compliance teams. Key elements include:

  • Data inventory and classification: what you have, where it lives, who can access it
  • Regulatory requirements: HIPAA, CMMC, PCI DSS, and the state privacy laws applicable to your business
  • Access control review: identifying over-privileged accounts, former employee credentials, and vendor access that hasn't been revoked
  • Gap analysis against a baseline framework such as NIST CSF or CIS Controls, to prioritize remediation by risk impact

The output is a prioritized remediation backlog, not a generic list of security recommendations. The highest-impact gaps get addressed first, within a realistic budget. A structured cybersecurity audit checklist is the practical tool for working through this process systematically.

Building a Security Culture That Holds

Technology controls alone aren't enough. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a human element: employees falling for phishing, reusing passwords, or misconfiguring systems. No firewall stops a credential-stuffing attack against an account without MFA. No EDR catches a fraudulent wire transfer authorized by a CFO who received a convincing impersonation email.

Security awareness training that works isn't a one-time annual module; it's ongoing simulated phishing campaigns that test employees against real attack patterns, with immediate feedback when someone clicks. Platforms like KnowBe4 or Proofpoint Security Awareness send regular simulated phishing emails, train anyone who falls for them, and track improvement over time. Combined with clear policies on password management, data handling, and incident reporting, this layer closes gaps that no technical control can fully address.

Work with a Partner Who Shows You What You're Getting

Stratify IT doesn't offer budget entry packages designed to grow into something more expensive. We assess your environment, build your risk profile, and implement the controls your business actually needs (EDR, MFA, DNS filtering, backup, patch management, and incident response planning) without selling you what you don't need or leaving you with gaps the next invoice will fill.

Contact us to schedule a security assessment, or explore our cybersecurity services to see how we structure engagements.

Stratify IT, cybersecurity that does what it says, and shows you the proof.

Frequently Asked Questions

Ask your vendor for a copy of the active rule set and request a firewall audit; any competent provider should be willing to produce this without a fight. Look for evidence of outbound traffic filtering, application-layer inspection, logging of denied traffic, and rules specific to your environment rather than a generic template. If the documentation is vague or they resist sharing it, that tells you something. An external scan with a tool like Nmap, or a brief engagement with an independent penetration tester, can surface gaps quickly.
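As an added example (not part of the original article, and not Stratify IT's or any vendor's tooling), the script below applies those checks to a firewall rule set dumped with iptables-save. It flags the "firewall-lite" signature: an allow-all OUTPUT chain, an open FORWARD chain, no addresses tied to your environment, and no LOG rules. The two rule sets embedded in it are constructed for illustration; the internal subnet 10.20.0.0/24 and resolver 10.20.0.53 in the second one are made up.

```python
"""Audit an iptables-save dump for the 'firewall-lite' signature.

Added example, not the article's or any vendor's tooling. It parses the
filter table from `iptables-save` output and flags the gaps the FAQ tells
you to look for: no outbound filtering, an open FORWARD chain, no rules
tied to your environment, and no logging of denied traffic.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

ANY = {"0.0.0.0/0", "::/0", "0.0.0.0", "::"}   # "match anything" addresses
DENY = {"DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    src: Optional[str]
    dst: Optional[str]


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: list = field(default_factory=list)


def parse_iptables_save(text: str) -> Ruleset:
    """Read ':CHAIN POLICY [...]' policy lines and '-A CHAIN ...' rule lines."""
    rs = Ruleset()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            rs.policies[chain] = policy           # user-defined chains show '-'
        elif line.startswith("-A "):
            tok = shlex.split(line)               # keeps a quoted --log-prefix intact
            opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
            rs.rules.append(Rule(tok[1], opts.get("-j"), opts.get("-s"), opts.get("-d")))
    return rs


def audit(rs: Ruleset) -> list:
    """Return plain-language findings; an empty list means no red flag fired."""
    findings = []
    out_rules = [r for r in rs.rules if r.chain == "OUTPUT"]
    if rs.policies.get("OUTPUT") not in DENY and not any(r.target in DENY for r in out_rules):
        findings.append("no outbound filtering: OUTPUT allows everything, so malware "
                        "callbacks and data exfiltration leave unchallenged")
    if rs.policies.get("FORWARD", "ACCEPT") not in DENY:
        findings.append("FORWARD chain is open: traffic routed between segments is unrestricted")
    if not any((r.src and r.src not in ANY) or (r.dst and r.dst not in ANY) for r in rs.rules):
        findings.append("no environment-specific addresses in any rule: this is a generic template")
    if not any(r.target == "LOG" for r in rs.rules):
        findings.append("no LOG rules: denied traffic leaves no record for anyone to act on")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_iptables_save(text))


# Constructed sample 1: the 'firewall-lite' install the article describes.
FIREWALL_LITE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m set --match-set blocklist src -j DROP
COMMIT
"""

# Constructed sample 2: a rule set tailored to a made-up environment with a
# management subnet 10.20.0.0/24 and an internal resolver at 10.20.0.53.
TAILORED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "IN-DENY "
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 10.20.0.53/32 -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNS-BYPASS "
-A OUTPUT -p udp --dport 53 -j DROP
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUT-DENY "
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("firewall-lite", FIREWALL_LITE), ("tailored", TAILORED)):
        found = audit_text(dump)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against the vendor's actual iptables-save output (or adapt the parser for an nftables or appliance export). A clean result doesn't prove the firewall is right for your environment, but four findings on a production rule set is the "firewall-lite" pattern the question is asking about.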

A credible managed security program for a 25-person business typically runs $3,000 to $7,000 per month, depending on industry, compliance requirements, and the complexity of your environment. That range should include endpoint detection and response, a monitored SIEM, patching, and a defined incident response process. Anything significantly below that floor warrants scrutiny about what's actually included. Healthcare or financial services firms should expect the higher end because of their regulatory obligations.

Start by getting a written scope-of-work document that clearly defines what's covered. If the vendor can't or won't produce one, you have grounds to dispute the contract's adequacy. Review termination clauses carefully; many of these agreements have 30- to 90-day out provisions. While you're still under contract, bring in an independent security assessor to document the gaps. That report is useful both for negotiating your exit and for briefing a replacement provider.

SOC 2 Type II is the most meaningful baseline; it means the vendor's own controls have been independently audited as operating over a period of time, not just described. For providers handling healthcare data, HITRUST certification matters. Beyond credentials, ask whether their security operations center is staffed 24/7 or whether after-hours alerts go to an on-call rotation, because the distinction matters enormously during an active incident. Membership in organizations like CompTIA's MSP Verify program adds some accountability but is not a substitute for the SOC 2 audit.

Insurance and security controls solve different problems. A policy pays out after a loss; controls prevent or limit the loss in the first place. Insurers have also gotten significantly stricter since 2020; many now require documented evidence of multi-factor authentication, endpoint detection, and regular backups before issuing a policy at all. A weak security posture can also lead to a denied claim, particularly when controls attested to on the application turn out not to have been in place. Treat insurance as a financial backstop, not a substitute for actual controls.

Commission a penetration test from a firm that has no relationship with your current vendor; the conflict of interest matters. A basic external network pen test typically costs $3,000 to $8,000 and will show whether your perimeter controls hold up against common attack techniques. If budget is tight, start with a phishing simulation and a vulnerability scan using something like Tenable or Qualys. The results give you concrete findings to bring back to your vendor or to use as a baseline for switching.

Nibelka Ventura

Nibelka leads Stratify IT's administrative and technical functions with over 20 years of client service leadership. She excels in delivering front-line support and coordinating service responses across all specializations. As the central point of communication, Nibelka ensures that client needs are met with precision. As a cybersecurity and compliance expert, she integrates critical security measures and compliance standards into every client interaction. Her dedication to building strong business relationships is a hallmark of Stratify IT's exceptional service.

Category: #Cybersecurity