Cyberattacks are no longer just an enterprise problem. As boutique professional services firms adopt more tech-enabled and AI-driven delivery models, their exposure to cyber threats grows exponentially. In this session, Katalyst CEO Luke Johnson breaks down why small firms are now prime targets—and what steps founders must take to protect their clients, their reputations, and their businesses. Learn how to choose the right MSP (managed service provider), implement essential security policies like MFA, and determine if cyber insurance is right for you. Walk away with a clear playbook to safeguard your firm and stay in the game.
TRANSCRIPT
Greg Alexander: Hey, everybody. This is Greg Alexander. You’re listening to the Pro Serv Podcast, brought to you by Collective 54. If you’re new to this show and you’re in the expertise business, this show is for you. We aim to help you make more money, make scaling easier, and make getting to an exit achievable. On today’s show, we’re going to talk about cybersecurity. And the reason why we’re going to talk about that is because if you’re following the Collective 54 framework—era one, era two, era three: professional services to tech-enabled services to AI-delivered services—the role of cybersecurity is going up for the boutique professional services firm. So it made sense for us to tap into our community and have a conversation with an expert to touch on a few things, and when we were looking for somebody to have on the call, we became aware of a report that one of our members, Luke Johnson of Katalyst, and his company recently put out. So it just lined up really well for us. So I’ve got four or five questions for Luke, but before I dive into those—Luke has been on the show before, but we’re at almost 250 episodes, so it’s been a little while—Luke, would you remind everybody who you are and what your company does?
Luke Johnson: Sure, Greg, glad to be here. Thanks for having me back. You mentioned it. I’m the CEO of Katalyst. We are a technology services boutique focused on helping organizations with IT, enabling them to go further, faster, and safer. Cybersecurity is a big part of what we do. It’s a big part of every conversation today.
Greg Alexander: What was the title of the report? And after this, if people want to get it, how do they find it?
Luke Johnson: Yeah, the title of the report was the 2025 Cyber Security Annual Report. And we’ll put a link in your show notes if they want to go download it, and it is a free resource that we hope everyone uses.
Greg Alexander: Okay, perfect. Okay, so I want to talk about why cybersecurity matters now more than ever, specifically to the professional services firm. And why, Luke, you feel that small consulting firms, creative firms, financial firms—what have you—are increasingly attractive targets for the bad guys.
Luke Johnson: Yeah, it’s a great question. So I think there’s a couple of points I would hit on, Greg. Why does it matter? The stakes are really high. The SBA reports that 60% of small businesses close their doors within six months of a significant cybersecurity event. So it can be a game-over event for small firms. I think that’s certainly an astounding data point in itself. But also, I think about pro serv firms. Many of us are small, but we serve a large number of clients, and many times those clients are very large. So we could be a conduit for bad people to get to these bigger firms. And that’s probably why I would prioritize this.
Greg Alexander: We also talk about—or I read in your report—this concept of the trust risk. Trust risk, excuse me. And this is emphasizing the kind of reputational fallout for a founder or a firm that manages client data. And it makes sense to me. Because let’s say I’m a Global 2000 company, and I decide to take a chance with a small firm and hire them because I believe that they’re the king of their niche and I want a specialist versus a generalist. And in so doing I share some sensitive data with them, and next thing you know, something happens. Like, that’s game over. I’m never hiring a small firm ever again. So tell us a little bit about this reputational fallout.
Luke Johnson: Yeah, I think that you can imagine that in many cases it’s hard to earn the trust of these firms. And when you do, you don’t want to ruin that. If I have your data or access to your data, and I am not protecting that, and someone gets to you or gets your data because of me, that is likely a relationship-ending move between you and that company. And should that information get out to others, it is likely going to make it very difficult to get other prospects, and it may end other relationships. People have bad things happen between them and a single client, and you can likely recover from that. Should you accidentally expose massive amounts of client data, that’s a tough one to recover from.
Greg Alexander: Yeah, yeah, I can certainly see that. And I think for our listeners, the reputational risk, although tough to quantify, is probably the reason why 60% is a game-over event. Because you only have one reputation. You know, at the top of the show I talked about era one, era two, era three. For first-time listeners, let me briefly describe that. Era one is the professional services era, and that’s where services are delivered by people. Era two, which we’re still in to a degree, is tech-enabled services, and that’s where services are delivered with a combination of technology and people. And era three, which is what we just started, is the AI-delivered services, where the majority, not all; humans are still in the loop, but the majority, maybe upwards of 80%, of the services are delivered with tech. So as a result of that, cybersecurity, which was not a factor way back in era one when people were selling their time and billing by the hour, like, there was no cybersecurity risk there, because you couldn’t hack somebody’s genetic code, at least not yet. These days, when you’re exchanging data with clients and using LLMs to help you deliver the service, as an example, cybersecurity risk goes through the roof. Now to bring this home, Luke, to the niche that we’re in, the boutique pro serv firm.
Greg Alexander: There are some nuances with our sector, and this is one of them, and I want to get your commentary on it. This is pretty much it: everybody is remote. You know, the days of renting, you know, an office space in a downtown location are gone. We’re saving rent. But because everybody’s remote, cybersecurity risk is up. Would you agree with that?
Luke Johnson: Oh, yeah, yeah, definitely, it just exposes so many more potential areas that can go badly. Even when you just think about it, we used to stand next to each other at a coffee pot, and we got to know each other’s face and voice and all that. Now, in many cases that doesn’t happen. And it’s easy to just duplicate those things. I can mirror someone’s voice, you know, using some of this technology. And people probably wouldn’t know.
Greg Alexander: I know. Yeah. So that’s a heightened risk. Another one is, many of our members have a blended workforce, meaning they have W-2 and 1099. So they’re using a lot of contractors. So what does that have to do with cybersecurity risk?
Luke Johnson: Yeah, that’s a big one, Greg, and just a massive piece. When I think about it, you may... Let’s just say you do all the things right in your own company. You have all these tools, and you’re protecting data. But you bring in a third-party expert to help you deliver something to your client, and you forget that you need to make sure that they’re buttoned down, too, so accidentally you could expose your client by bringing that third party in. There’s also just another gap where, if you just think about it, maybe they don’t know the client quite the same way that you do, and it creates this potential loophole that people can punch through. So I think that the big risk there is you could do all the things right. You bring one subject matter expert in to help you and, boom, you know, the reputation is gone. And it’s an important factor. And quite frankly, it does just get overlooked a lot.
Greg Alexander: Yeah. What we advocate for, for a variety of reasons (cybersecurity protection is one of them), is for our members to outsource to an MSP all of their IT infrastructure. And the reason why we do that is because they’re not in the business of managing IT, including cyber risk. Therefore, just hire somebody who is, and that’s the way to do it. Unfortunately, some of our members have made their purchase decision based on price, and they’ve hired the wrong MSP. So you are an MSP, so this is somewhat of a self-serving question. But I don’t care, I’m gonna ask anyways. Sure, if I’m a small, let’s say, I don’t know, consulting company, 50-person shop, and I’m going to outsource IT to an MSP, what should I be looking for?
Luke Johnson: I think that there’s a number of things. One, I would say great decision, because if you’re in that size it is unlikely you have the resources to manage this yourself or that it financially makes sense for you to even try. It’s a relationship, and it’s trust. So the first thing I would be looking for is somebody that you feel like you can invest time and energy with in making this work. Secondly, if you’re, let’s say, a 25-person firm, it’s probably overkill to go hire a high-end enterprise company to do this for you. You wanna find an MSP that focuses in the segment that you are in and serves other businesses of your size. I would seek out actual subject matter expertise. Referrals are the best. If you know somebody that’s using that firm, and they’re having a good experience, that’s a great thing. Certainly seek out references, and talk to those folks that are working with that MSP. Beware if they say they do it all. As we know at Collective 54, you cannot be all things to all people, and so if you do find one that says we got you covered on everything under the umbrella that you could possibly want, the reality is they probably only can cover a handful of things. And that’s okay. As a small firm, you only need to cover a handful of things to do a lot in the cybersecurity realm.
Greg Alexander: You know, so if we stay on this for a moment, and we think about kind of basic must-haves, maybe a checklist or so in terms of, like, policy must-haves. What are some of the, you know, non-negotiable cybersecurity things that the MSP provider needs to provide our members?
Luke Johnson: So, Greg, when I think about this, we talk about this a lot in our company, and when you’re going into two clients, if you’re a small firm, there would be three things that I would say minimally you need to have. There is a concept called multi-factor authentication, sometimes called two-factor authentication. So that might be a password and then a pop that you get through an application to sign into something. That’s thing one. And I’m gonna put a qualifier on that. Start there. You want to try and get to a hundred percent deployed. So a lot of firms make the mistake of getting it deployed to half the people, and the other half won’t have it. So you still have this exposure, so you need to get it deployed across the board. There’s the concept of endpoint protection. And so that is a piece of software that runs on the laptop, machine, whatever it is, that if you happen to click or engage in a bad thing, it limits how wide and bad that thing can become. And so an endpoint protection software, and that’s like a Microsoft Defender or a CrowdStrike or SentinelOne. There’s a million of them out there. And then the third thing I would say is, there’s something called security awareness training, and as silly as that is, it is such an important thing. And that’s a company like a KnowBe4 or a Proofpoint. But they run these simulated tests. It’s software that runs inside your company. It sends out emails that look legit, but they’re not legit. But when people click on them, instead of it actually taking them into bad places, they just get, you know, another training course that they have to take. And so you’re helping educate people on what bad things look like. You’re then simulating: how are they doing on it? Those three things are not all the things that everybody needs to do. But if you do those three things, you will have taken major steps in the right direction. These are not crazy investments or anything like that, either. I mean, a basic Microsoft subscription, you’re getting a lot of those things included in them.
Greg Alexander: Yeah, okay, very good. You know, the MFA thing, I hate it from a user experience standpoint. But, you know, I do appreciate why it exists. I wish it didn’t, but it does, at least for now. What’s your take on cyber insurance? Is it worth the cost? Should we have it? What do you think?
Luke Johnson: I think it should always be evaluated, and I’d say yes, in many cases it is worth the cost. I mean, if you’re in our space as a boutique, and maybe you’re a 50-person, you know, organization, and you’re serving very, very large organizations, if a bad thing happens in the cyber realm, it could be a game-over event for you, and in many cases you can buy cyber insurance, and it’s not crazy expensive, and it will offer you a layer of protection. The devil is in the details, as we all know, with insurance, and so I would get, you know, one of our great attorneys within the Collective to help you evaluate the policy, because in many cases the exclusions are rough, and it won’t help you. But I think, especially if you’re in the financial services, you know, sector or in the technology sector, you’re probably going to be required to have it. The things that we talked about here, Greg, too, they will help manage the cost of that policy. When you have MFA deployed, when you have endpoint protection, when you have immutable backups, those are all things that are gonna bring the premium down on that policy. Whatever you do, don’t lie when you fill out those applications. Use somebody like us to help you go through and fill them out accurately. It’s important, because if there is an event they’re gonna go back to that application. And if you said you had MFA and you don’t, you’re gonna disqualify, and you won’t get the coverage.
Greg Alexander: Alright. Let me try to summarize all this, and then end with a call to action for listeners or members. You know, we are progressing from a time when people sold their time on a billable hour, and tech really wasn’t involved. We call that era one, professional services. Cybersecurity during that time period was irrelevant. You’re all very busy people. You don’t need more things to put on your plate. So it was okay to blow cybersecurity off during era one. Era two, you become a tech-enabled service. Or maybe it’s a 50/50 equation, 50% humans, 50% tech productivity tools, etc. Cybersecurity became an issue, and the basics were required. In fact, clients probably wouldn’t hire you unless you could demonstrate to them that you were going to be a good steward of their information. But it wasn’t a must-have. It was a nice-to-have. Then, as we progress into the AI era, because the productivity enhancement for all of us goes through the roof, where maybe 80% of the service is delivered with tech, and we can do wonderful things like go from an 8-hour billable day to a 24-hour billable day, and therefore increase revenue per head, profit per head, and really scale our firms, cybersecurity goes from a nice-to-have to a must-have. And many of us in our community are certainly not cybersecurity experts. Not in this business. I’m not advocating for you to become one, because it’s a field that is rapidly evolving. The remedy there is to pick the right MSP and outsource, and make sure that, you know, you don’t fall victim to a sales pitch, and you know which MSP to pick. And the second remedy is to buy cybersecurity insurance, which is cost effective, and when measured against a 60% probability of going out of business if you have a breach, it’s almost a no-brainer. So the clear-cut recommendations are to outsource to a high-quality MSP and buy some insurance. But that’s going to end the podcast. Luke, you always add a lot of value. Thank you for producing this report. Thanks for being on the show. Appreciate it very much.
Luke Johnson: Glad to be here. Thanks much.
Greg Alexander: Okay, and just a couple of calls to action for listeners. So if you’re a member and you’ve got a lot of questions regarding what your cyber exposure may be, look for the invitation that’s on its way, where we’re going to have a private member Q&A. Luke will be our role model. He might bring some of his staff with him in the engineering realm that might help you, you know, get specific about your needs. If you’re not a member, and you want to become one after listening to this, go to Collective54.com and fill out an application, and we’ll get in contact with you. But until next time, I want to thank you all for listening, and wish you the best of luck as you try to grow, scale, and someday exit your firm.
Note: This transcript was generated by Zoom.