
Reduce Cyber Risk


Security and Gap Assessments for SMBs

Feb 05, 2026

A single phish can take down an entire business, and too many small teams only discover that truth after it’s too late. We unpack how security and gap assessments give SMBs a clear, practical path to defend revenue, earn trust, and meet compliance without chasing shiny tools or boiling the ocean.

We start with a cautionary tale: a young intruder reused stolen credentials, posted proof online, and exposed how everyday weaknesses become public and painful. From there, we translate the chaos into structure. You’ll hear the difference between a security assessment and a gap assessment, how to map your environment to NIST CSF, SOC 2, ISO 27001, HIPAA, PCI, or CMMC, and why most organizations don’t need “gold standard” everything—just strong fundamentals executed well. We outline a seven-phase plan that scales to your size, covering the twelve core domains from governance and access control to backups, incident response, vendor risk, and physical security.

Expect concrete fixes you can start today: enable MFA on Microsoft 365 or Google Workspace, remove excess admin rights, test a full restore, patch critical systems, and publish an incident contact list. Then build momentum with a 90‑day sprint featuring EDR rollout, DKIM/DMARC hardening, phishing simulations, and an acceptable use policy. Over six to twelve months, segment networks, centralize logs, formalize vendor reviews, and write incident response plans. If you’re aiming for certifications or federal contracts, we break down when to DIY and when to bring in a fractional CISO or third-party assessor, plus how to judge partners by methodology, deliverables, and business fluency.

By the end, you’ll know how to measure progress with real metrics—critical findings closed, MTTD/MTTR, phishing fail rates, audit results—and how assessments can reduce insurance premiums, win deals, and prevent ruinous incidents. If you’ve failed a customer questionnaire, seen premiums jump, had a near miss, or are moving into regulated markets, this is your signal. Subscribe, share with your team, and leave a review telling us the first control you’ll implement this quarter.

TRANSCRIPT

Welcome to the Reduce Cyber Risk Podcast, where we provide you the cybersecurity training, tools, and expertise you need to protect your company from the evil hacker horde. Hi, my name is Sean Gerber, and I'm your host for this action-packed and informative podcast. Join me each week as I provide the information you need to secure and protect your organization and reduce your cybersecurity risk. All right, let's get started. Hey, Sean Gerber with the Reduce Cyber Risk Podcast, and today we are going to be talking about security and gap assessments for small and medium businesses. As you all know, Reduce Cyber Risk's purpose is to provide security services for small and medium businesses so that you can actually help stave off the evil hacker horde. And the ultimate goal is to provide you the skills and the knowledge you need to be able to make great decisions to protect you and your company. Also, just a quick shout-out for CISSP Cyber Training. This is, I should say, a sister company to Reduce Cyber Risk. We provide cybersecurity training resources for security professionals. So go check out CISSP Cyber Training and see how they can potentially help you as well. Before we get into today's talk, we're going to get into an article that I saw and wanted to share with you. This is an article about a Tennessee man who pleads guilty to repeatedly hacking the Supreme Court's filing system. Now, this is out of SecurityWeek. And the reason I'm bringing this up is because there's a lot of interesting things with people and what they do. And this is something you as a small or medium business need to understand about what some of your employees might do, because this can happen anywhere at any time.
This individual, Nicholas Moore, is a 24-year-old man from Springfield, Tennessee, and he pleaded guilty to a misdemeanor charge of computer fraud for repeatedly hacking into multiple U.S. government electronic systems. Now, these intrusions he did between August and October of 2023. So it was a very short window, but he did it 25 times. And the interesting part in all this is that he utilized credentials that he obtained from somebody else. So he basically went to the My HealtheVet platform, where he accessed personal information of other users. Now, I understand, I've been to that site; I know that website well from my background in the military. And the challenge is that he utilized other people's credentials on this AmeriCorps computer system. So AmeriCorps basically did not allow the ability for the credentials to be cached, and he then went in and did this. Now, this next part, you're just brilliant. I mean, I'm sorry, buddy, you're just not. I guess in this age of everybody wanting to be famous, he decided to post screenshots of personal information he obtained from this system to an Instagram account, basically under the handle of "I hacked the government." So needless to say, that was one of many bad mistakes that he made. One was getting on the system to begin with; two was then making screenshots and posting them to a public area. Not a good option, right? So this misdemeanor carries one year in prison and a possible fine. Okay, so this is not good, right? The individual is going to get his sentencing on April 17th of 2026, and that's when he's going to find out what his fate is. However, he's going to go to jail. There's just no question about it. But what did he do wrong, and what could have been done differently?
So if we peel this back: one, he should have been trained, and maybe he was trained and he was just being ornery, you know, like a 24-year-old. Sometimes, I'll tell you right now, men that are in their 20s don't always get their brain until a little bit later on. I raised a bunch of them, and that's the truth. So he made a bad choice. Now, on top of that, though, the AmeriCorps computer system: if they are caching credentials for individuals that use them, that's bad. That opens them up to all kinds of issues. So you, as a small or medium business, if you have any sort of cafe-type area where you allow people to use a computer, maybe a computer that is sitting in a cafe format, and you don't do really good control over that, you are setting yourself up for disaster. Same thing with hotels and so forth. If you have that cafe where there's a computer that somebody else can use, those things typically are just full of all kinds of bad stuff. So I highly recommend that if you have something like that, I would just go to a guest Wi-Fi and force people to bring their own computer. Get rid of that computer completely. Don't keep it on your system. It just opens you up to more risk that you really do not need. So that's the ultimate takeaway around this article. I just wanted to highlight what are some things we can learn from people that make poor choices and poor decisions. I hope Mr. Moore gets off of this after a little while here. But think about it: for a couple of months he made such a bad decision, and now he's going to spend a year in jail. Now, he probably already spent some time in jail, but he's going to spend a whole year in jail to think about what he did and didn't do correctly. Okay, so before we get started on our topic for today, I wanted to have a quick shout-out for Reduce Cyber Risk. Go on over to Reduce Cyber Risk. We've got a lot of great content that's there and available for you.
There are services that we provide at Reduce Cyber Risk: consulting, fractional vCISO, fractional CISO, assessments, audits, you name it. I can help you with your insider threat as well as exercises and training. All of those things we can do for you at Reduce Cyber Risk. So head on over there, just go to contact, you can email me at contact@reducecyberrisk.com, and I'm happy to provide you some information on how we could potentially work together. Okay, so let's get into what we're going to talk about today: security and gap assessments for small and medium-sized businesses. So if you're not aware of what a security and gap assessment is, it's basically designed for you to understand what could be done within your organization, what are some things that can be fixed, and to determine what do you have right now that's good, what do you have that's maybe not so good, and what are some areas that you're missing completely. The ultimate goal is to try to understand what you have within your environment. And a security and gap assessment is one of the foundational pillars that you need to consider when doing any sort of security for your organization. So, what are the stakes? For small and medium businesses, let's just talk about that a little bit. So 43% of cyber attacks will target small businesses. So think about this. I mean, that's two-thirds, or actually a third, I can't do math in public, a third or more of the attacks globally are going to be coming after you. So that is a substantial amount of attacks that are coming after small and medium businesses. Only 14% of small businesses are prepared to defend themselves. Hence, this is why we have Reduce Cyber Risk: to provide you some of the self-help tools you can use to help protect from these types of activities. 60% of small companies close within six months of a cyber attack.
And we've mentioned this time and again: the moment you get a cyber attack within your organization, it can completely disrupt and deplete the resources that you have within your company. So it's an imperative aspect that you have what you need in place to protect you, from cyber insurance to having the right people, to having the right tools and having the right processes. The average breach will cost around $3 million, so $2.98 million. So what it comes down to is, if you can afford to absorb a $3 million hit to your bottom line, hey, don't worry about it. Not a big deal. But I would be willing to bet most small and medium businesses really cannot truly take a $3 million hit. A medium business might be able to do that, but in many cases, that $3 million is probably their margin for the year, and that's what they make. So you could lose your entire year's margin because of a cyber attack. So again, think about that as it relates to what are some of the things you should do to better prepare for this. So, what are security and gap assessments? A security assessment is a comprehensive evaluation of your current security posture. It examines technical controls, policies, procedures, and your overall preparedness and what you're ready to do. So if you're listening to this going, well, I don't really have any policies and I may not have any procedures, ha ha, you need a security assessment. So you might want to think about that. A gap assessment identifies the difference between where you are and where you need to be. So if where you need to be is gold standard, then okay, you maybe have a ways to go. But in most cases, most businesses don't need to be at the gold standard. They need to be somewhere in the middle. They don't have to have all that fancy stuff in place. Just having the basics, the blocking and tackling, the foundational pieces, you can do a lot to reduce your risk to your company.
Compare your current goals against compliance frameworks or best practices. That's what it does. It looks at what are some of the compliance frameworks out there: let's say, for example, SOC 2, ISO 27001, the NIST Cybersecurity Framework. Those are all frameworks. And then we'll look at where you're at in relation to that. And once that's done, you can find out, okay, how do I rack and stack? So the ultimate goal is to know your risk, prioritize your fixes, and protect your business, right? I mean, that's really what you want to do. And many people say about security, oh, I don't want to spend the money, it's just voodoo magic. Yeah, well, it is kind of voodoo magic; it's kind of cool. But that being said, you do have to really prioritize the money for this. So, some types of assessments you may need. One, a risk assessment. This identifies and prioritizes your business risks. What are the risks to your organization from a cybersecurity standpoint? Now, it could be, if something goes down and you have a data center, do you have the ability to live off-site at a different location? What are the risks if maybe you are in the Department of War space and attackers are coming after you all the time? Well, that's a different type of cyber risk. So you have to figure out what is the overall risk to your organization and how do you prioritize that. A vulnerability assessment. This is technical scanning for weaknesses. We would do a vulnerability assessment of your organization, both internally and externally, to determine where are some of the holes that you may have. You may understand where some of the holes are. You may go, you know what, we have a good grasp of the vulnerabilities within our organization. I will tell you this, and I'll give you an example. I have my business plan.
I have a couple of businesses. And with my businesses, I'm going, okay, I'm not making money here, I'm making money here, how does this all work out? And I get very laser-focused on what I know. That being said, I also have an outside accounting firm look at what I'm doing and have them look at, okay, what am I missing? And the point of it is, that's where the vulnerability assessment comes in. Sometimes I get so focused on what I know that I lose sight of everything else around it. A compliance assessment, maybe an evaluation against regulatory frameworks such as HIPAA, PCI, CMMC. These are also kinds of assessments that can occur against that. And then a security posture assessment, a comprehensive program evaluation of all of that. Now, you choose this based on the industry, the regulations, and the immediate business needs. You may not need all four of those. You may just need one of those. And ideally, that's probably where we would start: just doing a risk assessment to figure out what are your business risks, unless you have a really good handle and understanding of those. Now, the argument, "but we're too small for regulations." Well, we all know that that's actually not true, right? The regulations are becoming a bigger and bigger factor. So the myth is that regulations only apply to large enterprises. We know that that's not the case, right? Because any sort of organization of any size can have these problems. So one of the examples that's commonly brought out is the 20-person medical practice. If you have under that number, then a lot of times those regulations really don't bother you a whole lot. However, if you have that 20-person medical practice, you have the same HIPAA requirements as the hospital. And if something were to happen, you can be held just as liable as the hospital can. The difference is they typically have deeper pockets when it comes to money.
They also have cyber insurance; they have all those things that you may not have. And so you're going, oh, bye-bye, out of business. I mean, I hate to be flippant with it, but that's the way it is. Okay, so key regulations for SMBs. We'll look at HIPAA as an example. So for healthcare data, you can have up to $2 million per violation plus criminal penalties. Now, okay, so you get the situation: you have a thing that occurs to you, and you have one record that's out there and exposed. Okay, that's maybe a very small amount. You're talking like $150 to $250 per record is typically what it is. I think I'd say it's $250, if I'm not mistaken. However, you can have up to a $2 million situation, where a violation can be a fine up to $2 million per year on healthcare data if you're basically being negligent. Plus, you can throw on criminal penalties for that as well. PCI DSS: there's $5,000 to $100,000 a month in fines based on if you're doing this. You also can lose access to credit cards, so that can affect you as well. CMMC, defense contractors: you can lose DoD or Department of War contracts, as well as you may not even get them to begin with if you're not CMMC certified. Those are big issues. And then GDPR is the big one that's been out for a long time. It's around 4% of your revenue that can be filed in penalties as well. So if you're a small business, regulations will apply to you. There's just no way around it. And so therefore, you must understand some of these things so that you can be better prepared to manage these risks out there. So there's a seven-phase assessment process. One would be planning and scoping. This would be like week one. You define the objectives, your scope, and your framework, and what you're going to do. Then in the second phase, weeks two through three, you do information gathering: interviews, documentation, asset inventory.
Now I'll tell you, when I do information gathering, it takes two to three weeks because I'm meeting with your technical folks, asking very detailed questions, and they can't always get it on their calendar. So it will take two to three weeks, or week two to three, but it can actually take up to three weeks to do this, depending upon availability. Technical assessment: you do a vulnerability scan and configuration review. Then you map controls in your gap analysis in week five, and you understand what are some of the risks with your organization. And then in week six, you do remediation planning, prioritize a roadmap, and assign ownership. And then in week seven, you'll provide a report and presentation, deliver your findings, and go from there. Now I will tell you that I set this weekly thing up very basically. So it's very logical and it's very set up: one, two, three, four, five, and so forth. I will tell you, though, that this can actually go out. This is all dependent on the size of your company. If you have a very large company, this can take upwards of 12 weeks to get this completed. So just keep that in mind. This is just the logical progression in which it would occur. And bottom line is, I'm trying not to paint myself into a corner saying, well, you said on your presentation you can get it done in seven weeks. Yeah. If you're a very small business, we can get it done in seven weeks. If you're a medium-sized business, then we're not getting it done in seven weeks. So keep that in perspective: a lot of this is dependent upon the size of your company and your organization. So, what gets assessed? There are 12 key domains. You've got governance and risk management, which deals with how your policies and procedures are done. Asset management: where's all your stuff located? Computers, tablets, accounts, you name it.
Access controls: who has access, what accounts have access. Security awareness and training: what kind of training process do you have in place and how are they being trained? Network security and endpoint security: these are all the security pieces on your endpoints, the devices that your people are logging into, as well as your network security, your firewalls, all of the pieces that are in your internal network. And then how are you protecting your data? Is it encrypted? Is it being encrypted while it's traveling? All of those pieces are part of the data protection aspects. You have application security. How is your application protected? And all the different applications you interact with. Do you have backup and recovery established? Is that set up for you and your company? Do you have it set up for just parts of your company? How is that done? Incident response. How do you respond in the event something bad were to occur? Do you have a program in place? Do you have processes in place? Vendor and third-party risk. This is probably one of the biggest ones that people struggle with. And third-party risk is a big deal because, in many ways, many businesses rely on third parties to get business done. As an example, I own a coffee truck and I own a shaved ice truck. I am reliant upon the shipping people to bring me my product. If they don't bring me my product, I can't run my business. So they're a third-party risk. It's the same kind of situation you have to decide within your company. And then finally, physical security. Now, in my business, I've got alarms in my facilities. And the reason is because I have to worry about physical security. So again, comprehensive coverage of all these areas will prevent blind spots in one space. So here are 10 gaps that I find in basically every small and medium business that's out there.
There's a few more here and there, but these are the big ones that highlight it, right? No written security policies. 67% of all small and medium businesses have little to nothing related to security policies. Inadequate access controls: too many admins, former employees with access, etc. They don't have enough controls. You have all these people with credentials, and they're everywhere. They don't have multi-factor authentication. So you do not have that little thing, you get your phone, right? You get your phone, you type in what you need, it kicks off a code, you put that code in. That's multi-factor authentication. You have untested backups. Okay, you may have a backup, but you've never tested it. You've never recovered from it. And so they usually don't deal with that until ransomware or a bad event occurs. Then they go to their backups. And then what happens? Yeah, then it's not so good, right? Because they don't have what they need. Inconsistent patch management: critical systems that are set out there with known vulnerabilities that haven't been patched, right? Because you set them up and you forget it. You don't deal with it after that. No incident response plan. Who do I call? And it can't be Ghostbusters. Who you gonna call? You've got to have a plan around that. No training for your people: little to no training, only at hiring, and no phishing tests. What that basically means is your person comes in, sits across the table. Oh, you're hired. Awesome. Here's security things. Don't click on phishing things that come after you. Any link that you don't know, don't click it. Oh, okay, great. That's it. They're done. They don't do any more. Bad idea. Unmanaged shadow IT. This is where you have unapproved cloud services that are running. Basically, people are setting stuff up within Amazon and you don't even really know they're doing it.
And then you have weak vendor risk management, no security vetting before they have access, and then lack of network segmentation. What this means is that everybody's on a flat network. And what I mean by that is, in the process that I had in manufacturing, you typically had a manufacturing network and then you had your business network. And those two should not connect except for very specific reasons and in very specific ways. In most businesses, and I was even in large manufacturing, they didn't have this; they had one flat network. So when it was flat like that, that's all they had. So, therefore, it's important that you understand network segmentation is a big factor. You need to have them separated. So, some critical gaps, and this is kind of a deep dive into the critical aspects of this. One is email compromise is the number one attack vector. A single phished password can potentially lead to full organizational access. And I did that. In the red team world, that's what we would do. We would go after individuals. I'd get probably six or seven people to click on links, and from there I could take over, in some cases I took over a large chunk of, I won't say their names, but a large chunk of a Department of War area. Quick wins: the way you can do this is enable multi-factor authentication on Google 365 or Google Workspace and then utilize VPNs of some kind. The effort is low. The impact is critical. It truly is; these are big things you can do right now. Untested backups. Okay, backups that don't work basically means no backup. So if you haven't restored from backup in six months, you don't have a backup. So you need to test the restoration of at least one critical system per month, I would recommend, but even if that's too much, at least do a couple a year so that you understand what you're dealing with. And then keep listening to Reduce Cyber Risk and all the different aspects around backups.
You need to put those things in place for your organization. Now, building a remediation roadmap: this is an important part. Risk severity is likelihood times impact, right? What is the risk severity going to be here? And then what are the requirements that you have from a regulatory standpoint that you have to comply with? You have immediate compliance obligations; do you need to make those happen? And then you have quick wins versus strategic initiatives. You need to determine what do I want to get done now versus something that's going to be a long-term effort that I'm going to have to go through and deal with in the future. So here's a four-phase approach that you can use as it relates to deploying all of this within your company. Immediate, within the next 30 days: what are some quick wins that you can do? Some examples would be reducing local admins on your devices. What that basically means is not everybody who logs in is an admin. Get rid of all of that; that's gone. Just have one admin. Reduce some of the admins that have all kinds of God credentials within your company; that's a huge win. Understanding your backups, big win. So just get some quick wins done. Then the short term: do foundational aspects. Deploy multi-factor authentication. Deploy DKIM in your email; make sure that your email is tight. So again, all of those pieces, you can just focus on one area as a foundational piece, email as an example, and then start tweaking it to make it as strong as you possibly can with the resources that you have. Those are quick wins and those are also foundational pieces. Medium term, figure out maturity: how are your policies and procedures in place? Do you have standards? Do you have guidelines? Do you have any of these governance aspects there? If not, in the next six months start putting some of them in. Do you have an acceptable use policy?
What that basically means is, when your people show up and you tell them you cannot surf porn and this document says you can't do that either, then they know going into it that if you surf porn, you're out. Now, unless you're a porn company and you allow them to do that, well then you wouldn't have that in your acceptable use, but that's your acceptable use policy. Long term is figuring out excellence. How do I set myself at a higher level, a higher bar? And again, a lot of this can be done very easily, and also with a little bit of guidance and direction. We offer a virtual CISO or a fractional CISO that can come in, and we can actually help you reach phase three and four in a relatively short timeframe and be in a really good position for, one, regulatory aspects, and also, if you're in the Department of War area, you can get contracts that are associated with it. So what are some things in the remediation phase? Again, we talked about already MFA, VPNs, admin accounts, big deal. Remove access for terminated employees, verify and test backup restorations, deploy critical security patches, and create an incident response contact list. Right there are five quick wins; if you did that, you would already be light years ahead of many people. And this is easy, right? I mean, I'd say it's easy; it's not easy, but it's not easy because you just don't do it. You have to dedicate the resources and the time to make this happen. But if you do this, it will have a significant risk reduction for your company. Deploy EDR, which is your antivirus, across all devices; implement patch management; launch a security awareness training program; and document essential policies. Now, this is the short-term piece. This is the thing that you can do in the next 60 to 90 days, and we talked about, if you run your first phishing simulation in the next 90 days, that can go a long way in helping get people in the mindset that security is an important part.
This is a foundational security control thing that you can put in today. The cost on this is moderate, right, because you're dealing with phase one; that's just people doing stuff, that's opportunity costs that go with that. But in this case, you're going to have to probably spend some money. You're going to have to buy EDR, you're going to have to buy phishing simulation software, you're going to have to buy some things, but by doing that now, you are going to save yourself in the long run. So now we're talking midterm, six months to 12 months: you implement network segmentation, you deploy centralized logging, develop comprehensive incident response plans, and then you have a vendor risk assessment program. And then look at your gaps. That's what you can do in the next six months. My virtual CISO and fractional CISO pieces, we can help you with that. And that way you're not having to try to figure that part out on your own, and just having a virtual CISO to help you for a few hours a month can actually help build this program out. Long term, 12-plus months: you've got to achieve compliance certifications such as SOC 2 Type 2, implement advanced security controls, you may need to be CMMC certified, establish a continuous improvement cycle: how do you keep reiterating and making this process better? All of those can be done in the next 12-plus months. So if you set this goal right, you're brand new into this year of 2026; you can set a goal that you want to be in a certain place by a certain time, and this can help you get to that location. So, DIY versus professional assessment. Okay, self-assessment works when the IT team has security expertise and certification. So what do I mean by this? If you're going to do this yourself, say, well, I'm just going to have my IT team do this, then it works well when your team has security expertise.
If they don't have expertise, you're just not going to have the information you really need to protect your company. And conducting an initial baseline for internal planning, that's another part of it that's important when you're doing a self-assessment, and then when there are no compliance requirements for third-party assessments. So if you're doing a SOC 2, that needs a third-party assessment of your organization. So you can do one for your company at the beginning and just figure it out from a self-assessment, but you're going to have to bring in a third party at some point. So professional help is needed when you have compliance mandates that mandate an independent assessment. You are preparing for a certification or an audit; you might want to make sure you get professional help with that. The IT team lacks security-specific expertise. I see this a lot. Now, they may have read the book, they may have the CISSP, that actually would be very helpful, but if they don't have good security expertise, you're going to want to bring in somebody else to help you. And then they need objective evaluation: somebody from the outside looking at it to evaluate, is this something that they should be looking at and that they should be worried about? Cyber insurance does require a third-party assessment. So if you have cyber insurance within your company or you're looking to get it, procure it, you're going to need a third-party assessment of where you're at, so just put that on the line item of all the expenses that you need to pay for; that's going to be one as well. So again, in reality, most small and medium businesses do need some sort of professional expertise. Don't fool yourself. Do not think that, you know what, my IT guy, he's good. He's really good. Well, all you're doing is you're saying, I don't want to spend the money, I'm going to let my IT guy do it. And you're right, go for it. That's awesome.
But back to what I said before: can you afford a $3 million hit? If you can afford a $3 million hit, stick with your IT guy, because they will take care of you. However, if your company goes out of business, your IT guy's got no job. So again, I'm highlighting this not to say you need to hire me. No, I'm not saying you have to hire me; I don't care, hire somebody else. But if you need some small and medium business help, please reach out to somebody to help you do that, at least at a minimum to give you a sanity check.

I'll give you an example. We were doing a vulnerability assessment, and we looked at the organization and we knew we were going to set up our own scanners to do vulnerability assessments of the organization. Can we do that? Yes. However, we wanted to have a third party just take a look at it to make sure we understood what we were doing and how that scan was going to work, and whether there was anything that maybe we didn't see. It cost $5,000. Again, five grand is a lot of money, but in the grand scheme of things they brought back some level of feeling of, you know what, we're in a good spot. That is a positive state. So you need to think about those kinds of aspects with this. Do not, I repeat, do not just rely on your own skills for this. I'm beating this drum pretty hard because I want you to be successful and I don't want you to go out of business.

Why does it make sense for small and medium businesses? Enterprise expertise: you can basically get this at 15 to 30% of the cost of a full-time CISO. So I'm talking fractional aspects. A full-time CISO is 280 to half a million dollars; a fractional CISO will basically cost you 60 to 180 grand. That's where a fractional CISO can come into play and be helpful. They provide objective assessments without internal biases; they don't know all the stuff going on, and they come in there with a different perspective.
They have experience with compliance frameworks and audits. They know these things; you don't have to go to ChatGPT or somebody else and try to figure all this stuff out. They will help you with it. The experience is valuable. You can get a lot of great stuff off of AI, and there are lots of people out there making all kinds of stuff up off AI. However, I'll be blunt: the experience that people have who are CISOs or have been in cybersecurity for a while will never be replaced. It can be modified and it can be enhanced, but it cannot be replaced, because the robot just doesn't know everything and it doesn't have these unique, nuanced human experiences.

Strategic guidance plus implementation support: you get the guidance and you get the support when you're trying to deploy this. Translating technical findings into business language they can understand: you can use ChatGPT for that, actually; I think that's an amazing way to help do that. However, when it still doesn't quite confirm or doesn't truly understand, this is where the virtual CISO can actually help a lot. So what's the deal? You bring enterprise-level security leadership to organizations that need it most. That is your fractional CISO advantage.

So what are some things you can get as deliverables from your assessment? An executive summary, which is usually about two to three pages. Detailed technical findings with evidence: what did they find and why, and what are some of the risks they discovered. A gap analysis matrix, basically a visual that goes into where you're at, what gaps were found, and how to remediate them. A risk register with severity ratings; a risk register is someplace where you store the risks that you have within your company along with the severities that go with them.
That's a tracking and documentation method that you have to have, especially in the financial industry, but many other companies have to have this. Then you have a phased remediation roadmap that includes timelines, costs, and priorities as well. And then finally, obviously, a management presentation on what they found and how that works. So all of those are some typical things you might get out of an assessment report. Keep that in mind if you're going out and searching for somebody.

How do you measure success? This has to be done with technical metrics. You've got to have metrics for everything. If you don't measure it, it didn't happen. Technical metrics could be the percentage of critical findings that are remediated, reduction in vulnerabilities over time, mean time to detect (another good one right there), and also mean time to respond to these various incidents. So MTTD, MTTR. Employee security awareness scores: are they clicking on links? How often are they clicking on links? Why are they clicking on links? I had a senior vice president come up to me one time when people were clicking on links and say, "Fire them." And I'm like, no. Okay, if they fail it a couple of times then we'll consider that, but until then, no, we don't need to just get rid of everybody. It's too hard to get them. So security awareness is an important part.

Business outcomes: compliance audit results, passing without findings; that's what would come out of your compliance audit. Cyber insurance premium reductions: you can typically get a 10 to 30% reduction in cyber insurance by just doing these things and having them well documented. Customer security questionnaires: you have different pass rates that go with that. And then you can also win new contracts that require certifications, because you went and did all this work.
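The technical metrics above (critical-finding closure, open vulnerability counts over time, MTTD, MTTR, and phishing click rates) fall out directly once findings and incidents are kept as dated records rather than in someone's head. The Python below is an added example and is not the podcast's or Reduce Cyber Risk's own code; the record shapes, the sample findings and incidents, and the 14-day remediation SLA for critical findings are constructed assumptions for illustration.

```python
"""Security-program metrics over a constructed risk register and incident log.

Added example, not the podcast's own code. Record shapes, sample data and the
14-day remediation SLA for critical findings are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Finding:
    """One row of the risk register."""
    id: str
    severity: str                      # "critical", "high", "medium" or "low"
    opened: datetime
    closed: Optional[datetime] = None  # None while the finding is still open


@dataclass
class Incident:
    """One incident, with the three timestamps MTTD and MTTR are computed from."""
    id: str
    occurred: datetime   # best estimate of first malicious activity
    detected: datetime   # when a person or tool first raised it
    contained: datetime  # when the response stopped the activity


# Constructed sample data (not real findings or incidents).
FINDINGS = [
    Finding("F-1", "critical", datetime(2026, 1, 5), datetime(2026, 1, 9)),
    Finding("F-2", "critical", datetime(2026, 1, 5)),                       # still open
    Finding("F-3", "high",     datetime(2026, 1, 6), datetime(2026, 2, 1)),
    Finding("F-4", "critical", datetime(2026, 1, 12), datetime(2026, 1, 20)),
    Finding("F-5", "medium",   datetime(2026, 1, 12)),                      # still open
]
INCIDENTS = [
    Incident("INC-1", datetime(2026, 1, 10, 8), datetime(2026, 1, 10, 20), datetime(2026, 1, 11, 2)),
    Incident("INC-2", datetime(2026, 2, 2, 9),  datetime(2026, 2, 2, 11),  datetime(2026, 2, 2, 12)),
]
PHISHING = {"sent": 150, "clicked": 12, "reported": 60}  # one simulation round
AS_OF_EARLY = datetime(2026, 1, 7)   # a week after the assessment report
AS_OF = datetime(2026, 2, 15)        # the quarterly review date


def critical_closure_rate(findings):
    """Share of critical findings that have been closed (0.0 if none exist)."""
    crit = [f for f in findings if f.severity == "critical"]
    return len([f for f in crit if f.closed]) / len(crit) if crit else 0.0


def open_findings(findings, as_of):
    """Findings that were open on a given date; compare two dates to show reduction over time."""
    return [f for f in findings
            if f.opened <= as_of and (f.closed is None or f.closed > as_of)]


def overdue_criticals(findings, as_of, sla_days=14):
    """Critical findings open longer than the SLA: the list to escalate, not just a count."""
    cutoff = as_of - timedelta(days=sla_days)
    return [f.id for f in open_findings(findings, as_of)
            if f.severity == "critical" and f.opened < cutoff]


def _mean_hours(deltas):
    hours = [d.total_seconds() / 3600 for d in deltas]
    return sum(hours) / len(hours) if hours else 0.0


def mttd_hours(incidents):
    """Mean time to detect: occurrence to detection."""
    return _mean_hours([i.detected - i.occurred for i in incidents])


def mttr_hours(incidents):
    """Mean time to respond: detection to containment."""
    return _mean_hours([i.contained - i.detected for i in incidents])


def phishing_rates(results):
    """Click (fail) rate and report rate; reporting is the behaviour to reward."""
    sent = results["sent"]
    return {"fail_rate": results["clicked"] / sent, "report_rate": results["reported"] / sent}


def scorecard(findings, incidents, phishing, as_of):
    """The numbers a leadership summary would carry, rounded for presentation."""
    return {
        "critical_closure_pct": round(100 * critical_closure_rate(findings), 1),
        "open_findings": len(open_findings(findings, as_of)),
        "overdue_criticals": overdue_criticals(findings, as_of),
        "mttd_hours": round(mttd_hours(incidents), 1),
        "mttr_hours": round(mttr_hours(incidents), 1),
        "phishing_fail_pct": round(100 * phishing_rates(phishing)["fail_rate"], 1),
    }


if __name__ == "__main__":
    print(scorecard(FINDINGS, INCIDENTS, PHISHING, AS_OF))
```

Two design choices matter more than the arithmetic: MTTD is measured from the estimated first malicious activity, not from the ticket timestamp, so a long dwell time shows up instead of being hidden; and overdue criticals are returned as a list of IDs so the report names what to escalate rather than just a percentage.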
So those are the different business outcomes that can occur from this. Here's a real-world ROI example. We've got a company with 150 employees doing about $50 million in revenue; I've talked about this in some other podcasts. They needed to get CMMC Level 2 for their contracts. They engaged a fractional CISO for the assessment and implementation, and within nine months they received their certification. By doing all of those things they were able to win a $5 million contract, reduce their insurance by 25%, and reduce the chance of having a breach. So if you're looking at ROI within the first year, that's about a 40x return. Now, that isn't going to happen every year, but if you just focus on the last thing, avoiding the breach, and the $3 million neon sign blasting you in the face, that right there alone is worth spending the money.

So, the cost of inaction. What happens without an assessment? You're blind to critical vulnerabilities until they've been exploited. If something were to happen, you don't know it until the balloon goes up or there's a big explosion somewhere. Compliance violations discovered during audits can be very expensive. These auditors come in, they go, "Oh, I like you, you like me, yeah, we're awesome," until they find something. Then when they find something, the hammer comes down and nobody wants to talk to you. Failed customer security reviews can mean lost business. Also, if you have third parties involved and they don't pass security reviews, you now have a situation where potentially your third party goes out of business or is sanctioned or whatever, and now you don't have the ability to get the information or the product you need. Cyber insurance denied or totally unaffordable: I'm seeing this, and it is not good.
So if you don't have cyber insurance, what happens? You possibly can't get contracts; you possibly could go out of business, because maybe you need to have that. Your breach response costs will run anywhere from five to ten times more than what prevention would cost you. So if you think about this, it's a no-brainer. It truly is. You just have to decide: do you want to spend the money? And I know, owning a business, I'm like, man, it is hard. As a small business you've got a line item here, a line item there, and at the end of it you're going, "I've got no money, and now you want me to spend X on some security guy? What are you talking about?" I get it. Totally get it. However, what's your business worth to you? If this is your baby and this is your nest egg and this is something you want to, air quotes, retire off of, then is it worth the risk of just rolling the dice and hoping nothing happens? Again, that is really what it comes right down to: can you afford not to know and not to make it happen?

So what are some common objections? "We're too small." Obviously we talked about that: 43% of targeted attacks target SMBs. "Can't afford a security assessment." You can't afford not to do it; again, it comes back to breach costs. "Our IT handles security." IT handles operations; security requires security-specific and strategic expertise. I've got a friend who owns a bunch of banks, and he's like, "I've got my IT guy, he's on it, he's on top of it." Are you willing to trust that to your IT guy? I mean, again, that's fine: three million dollars, it's okay. "We'll do it when it grows." Security incidents don't wait, and neither should you. Again, you're going to wait until it grows? I know, I've heard that, I've been there, done that, I've talked that talk, but you're going to have to do it now.
"Insurance covers us." Yeah, insurance covers you, you think, but what we're seeing at the moment is that insurance companies are not wanting to pay, especially when it comes out that you didn't do all the things you, air quotes, said you did. A lot of times these guys will say on their assessment forms, yes, I have multifactor, yes, I have this, yes, I have that, and in reality they've got a little of it, or their understanding of, air quotes, multifactor is very different from what the insurance people say. And the insurance people control the money. If they say, "No, I don't want to do it, we're not going to pay," that is not the place you want to be. And I've seen it; it's not good.

Some warning signs that you need an assessment at this moment. A failed customer security questionnaire: someone sent you a questionnaire and you failed it. Your cyber insurance has been denied or rates are going up. You're preparing for compliance. You have a recent security incident or near miss; you had a grazing shot go right by you. Expanding into regulated industries: if you're going into any regulated industry, you better pull your bootstraps up, buddy, let's get going, because you're going to need it. Are you buying a company? Because here's the thing that I've seen, I've been there: we bought a company, we bring this company on, it looks all shiny and pretty until you lift the covers up and you see all the cockroaches. Not a good place to be. You want to bring in a security professional if you're even considering doing M&A activity. Board or investors asking about the security posture of your company: again, easy peasy. It doesn't cost a lot of money to do this.
So again, if any two of these apply, two-plus, the assessment is urgent. It's really not optional; you need to really consider it for you and your company.

So what makes a good assessment partner? Look for actual CISO experience, not just somebody who says they have their CISSP. Have they been a CISO? You need to ask them these questions: tell me who you worked for, tell me some experience around that. Experience with your industry or regulations: it doesn't have to be complete knowledge around it. For example, I'm big into manufacturing and understanding that space, but I have dabbled in healthcare and financial services, so I understand it. Can I be a good help for you? You bet. Am I the best person out there for the financial industry? Probably not. There are probably way better people, and I know of a couple that are probably better than me in that space. But can I help you? Oh, most definitely. I can get you 98% there, but there's somebody out there that can probably get you 100% there. So you've just got to determine what is best for you. Clear methodology and deliverables: specifically, this is what you need to have. Business-focused communication skills: if you're listening to this podcast, these are the kind of skills you want, someone who can talk to you. You don't want someone who doesn't really talk, or talks in big language that is really confusing. I hate people using $10 words, and if I don't understand them, there's at least one other person in the room who doesn't understand them. Business-focused communication skills, references from other similar organizations, and then an ongoing support model. Not just "here's the report, here's the assessment," and then leave. How are you going to continue to do this?

Some red flags for somebody who may not be a good assessment partner. Promises 100% security or quick fixes: run away. Tool-focused rather than risk-focused: run away.
Can't explain findings in business terms: run away. Those are all the ones you want to avoid if you're trying to find a good assessment partner.

Some other common assessment mistakes to avoid. Treating this as a compliance checkbox exercise: "I went and did the assessment. Check. Done." Not doing anything with it; it's going to sit on the shelf. Bad idea. Not involving business leadership: "Don't bring them in. I'm going to do this on my own with you. Yeah, we'll do it." And none of this information goes beyond that person. It doesn't go to leadership, it doesn't go to the board. Bad idea. Ignoring findings after report delivery, not taking any action on it. Trying to fix everything at once; that's a big factor. "Oh my gosh, this report is terrible. Let's fix it all." No, don't do that. Fix this first, then fix this. The old proverbial analogy: how do you eat an elephant? One bite at a time. Not allocating budget for remediation; definitely not doing enough of that. Conducting assessments but not following through. And then here's the big one: using unqualified assessors to save money. Yeah, that's a bad idea. You're basically cutting your nose off to spite your face. I'm like, "I don't like you, face, so I'm gonna cut my nose off." That doesn't really make sense. It's kind of gross, but it doesn't even make sense, right? Why would you do that? So assessment value comes from what you do with the findings, not from the fact that you got the piece of paper. Step one is getting the piece of paper. The subsequent steps are actually doing something with it.

So, how can I help your organization? Comprehensive security and gap assessments are what I can do. I can provide those for you; I have people who can help us with that. Compliance readiness with HIPAA, PCI DSS, CMMC, SOC 2: all of those pieces we can help with as well.
Fractional CISO or virtual CISO capabilities, ongoing strategic leadership, all of that is available through Reduce Cyber Risk. Incident response planning and tabletop exercises are a product we can provide, as well as security program development from scratch. Enterprise expertise, SMB focus, practical solutions to help you. Again, that's the goal: creating something that can help you in this space so that you can protect your company.

So, last thing, some key takeaways for you. You can't protect what you don't understand; an assessment will provide clarity for you and your organization. You've got to do an assessment. Regulations apply to SMBs like everybody else; size does not exempt you from compliance and meeting these requirements. Common gaps are predictable: most SMBs have the same vulnerabilities that everybody else does. They've all got them, all the same cockroaches. The roadmap matters more than the report. If you have a report, that's great, but what is your roadmap to get better, to get healthy, to get in a position that's much more secure? Professional help will accelerate your results. Fractional CISOs, enterprise architects, this kind of expertise can help you at an SMB cost, right? That's the goal: give you that capability at a cost that's effective for you and your small business. The last thing is start now, not later. Security incidents do not wait for perfect timing or the perfect budget. They just don't. So it really comes down to you: what do you think about this?

Okay, thank you so much for joining me today at Reduce Cyber Risk and the Reduce Cyber Risk podcast. You can get this video on my blog as well, so if you want to go through it a couple of times and listen to it, you can. The ultimate goal is to help provide you the skills you need to protect your business. That's all it comes down to: Reduce Cyber Risk is here for you.
If you have security professionals and you need them to get their security certifications, head on over to CISSP Cyber Training. I've got lots of content out there specifically for security professionals wanting to get their CISSP. So again, Reduce Cyber Risk and CISSP Cyber Training, the partners that are here to help you succeed in protecting your small business. Thank you.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos on YouTube; just head on over to my channel, Reduce Cyber Risk, and you will find a lot of content to help you protect your company from the evil hacker horde. Lastly, head to reducecyberrisk.com and sign up for my free cybersecurity assessment to get guidance around the protection of your organization. Thanks for listening.