What You'll Get (At No Cost)
- A complete cybersecurity and IT risk review
- Backup and disaster recovery check
- Honest insights into your compliance posture
- A fast, clear summary of what's working - and what's not
What We'll Look At
- Are you protected? We'll check for vulnerabilities that could expose your systems to hackers or ransomware.
- Would your backups actually work? We test whether your data is recoverable, not just whether it exists.
- Are you at risk of compliance fines? We'll identify gaps that could lead to violations under HIPAA, PCI, CMMC, and more.
- Are you overspending on outdated tools? We'll flag areas where smarter cloud tools or licensing changes could lower costs.
- Is your system slowing you down? We'll check for performance issues that waste time and drain productivity.
How It Works
Step One
Schedule a Call
We'll talk briefly about your current setup and make sure this is a good fit.
Step Two
Get Your Cyber Risk Assessment
We'll review your environment, identify risks, and answer your questions with no jargon or pressure.
Step Three
Receive Your Custom Action Plan
You'll get a clear plan to improve security, boost performance, and reduce costs whether you work with us or not.
What Happens Next
- You take the plan and run with it. That's a win. Let us know how it goes.
- You ask us to help implement it. We'll knock it out of the park.
- If you feel it wasn't valuable, we'll send you or your nonprofit of choice $100 for your time. Seriously.
🟢 No one's taken the refund yet, but the offer still stands.
See Our Work in Action
Assessment Examples:
🔒 Compliance & Risk Management
Area | Details / Notes
--- | ---
Regulatory Standards Applicable | HIPAA, PCI-DSS, State Privacy Laws, IRS Requirements, [others if applicable]
PCI-DSS Compliance | Cardholder data flow documented? (Y/N); SAQ type completed (e.g., SAQ A, SAQ D)? (Y/N); Tokenization in use? (Y/N); Quarterly ASV scans conducted? (Y/N); PCI firewall and change control rules followed? (Y/N)
HIPAA Compliance | BAA agreements in place? (Y/N); ePHI encrypted at rest and in transit? (Y/N); Role-based access control enforced? (Y/N); Audit logging and review processes in place? (Y/N); Contingency and breach notification plan documented? (Y/N)
Security Framework Alignment | e.g., NIST CSF, CIS18 Controls, HITRUST, ISO27001
Risk Assessments | Date of most recent assessment: ___; Gaps identified: ___; Remediation plan documented and under ongoing review? (Y/N)
Security Policies & Procedures | Acceptable Use Policy (Y/N); Data Classification Policy (Y/N); Incident Response Plan (Y/N); Password & Access Policy (Y/N); Backup & DR Policy (Y/N); Remote Work Policy (Y/N)
Training & Awareness | HIPAA Security Awareness Training completed annually? (Y/N); PCI DSS training conducted? (Y/N); Phishing simulations tested? (Y/N); Insider threat and social engineering education? (Y/N)
Third-Party Vendor Risk | Vendor list with risk scores maintained? (Y/N); Vendor security questionnaires reviewed? (Y/N); BAAs current and documented? (Y/N)
Audit Readiness | Internal audit checklist maintained and reviewed? (Y/N); External audit partner or support: ___; Last audit outcome: ___; Evidence collection repository in place (e.g., SharePoint, GRC)? (Y/N)
Data Retention & Destruction Policies | Defined retention periods for ePHI, financial data, and PII? (Y/N); Secure disposal methods implemented (e.g., shredding, destruction)? (Y/N)
Policy Review Cadence | Annual review of all security and compliance policies completed? (Y/N); Board or executive sign-off documented? (Y/N)
🔁 Backup & Disaster Recovery (BCDR)
- Primary Data Storage Solution:
- Cloud Storage in Use? (Y/N):
- Backup Tool(s):
- Disaster Recovery Plan in Place? (Y/N):
Best Practice Area | Compliant (Y/N) | Details / Notes
--- | --- | ---
MFA on All Admin Accounts | | All administrative access to backup systems (portals, management consoles, RMM tools) is protected with MFA.
Immutable Backups | | Backups cannot be altered or deleted for a specified retention period; supports ransomware resilience.
Backup System Segmentation | | Backup infrastructure (storage, servers) is logically and physically segmented from production systems and domain authentication.
3-2-1 Rule Compliance | | At least three copies of data, on two different media types (e.g., snapshot, backup appliance), with one off-site/cloud.
Air-Gapped / Offline / Cloud Copy | | Backups stored completely offline or with write-once access (e.g., tape, cloud cold storage).
Automated Backup Testing | | Backups are automatically tested for integrity and restorable usability (daily/weekly).
Documented Restore Procedures | | Clear, tested recovery playbooks are maintained and reviewed periodically.
Backup Monitoring and Alerts | | Monitoring tools alert on failures, missed jobs, or unusual behavior.
Backup Retention Policy | | Retention periods defined by data criticality and compliance (e.g., HIPAA 6 years, IRS 7 years).
Role-Based Access Controls (RBAC) | | Access to backup systems is granted on a least-privilege basis and is audit-logged.
Encryption at Rest and In Transit | | All backup data is encrypted using current industry-standard protocols (AES, TLS).
Cloud Backup Vendor Compliance | | Third-party backup vendors align with HIPAA/PCI and provide BAAs where applicable.
Disaster Recovery Integration | | Backups are integrated into DR plans, and RTO/RPO thresholds are defined in policy and tested.
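Several rows of the BCDR table (3-2-1 rule, immutable/offline copy, automated restore testing, monitoring for missed jobs) can be checked mechanically from a backup inventory rather than filled in by hand. The script below is an added illustration, not part of this assessment or any vendor's tooling: it evaluates a constructed inventory against those four rows and returns both the specific findings and the Y/N values the table asks for. The `BackupCopy` fields and the sample data are assumptions; a real backup platform exposes this information through its own API or reports.

```python
"""Evaluate a backup inventory against the BCDR checklist rows above.

Added example. The inventory schema and sample copies are constructed for
illustration; adapt the field mapping to your backup tool's reporting.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                   # e.g. "snapshot", "appliance", "cloud", "tape"
    offsite: bool                # stored outside the production site
    immutable: bool              # retention lock / write-once enforced
    offline: bool                # air-gapped or cold storage
    last_success: datetime       # most recent successful backup job
    last_restore_test: Optional[datetime] = None  # last verified restore
    schedule_hours: int = 24     # expected interval between jobs


def evaluate(copies: List[BackupCopy], now: datetime,
             max_restore_test_age_days: int = 7) -> List[str]:
    """Return a list of findings; an empty list means all four rows pass."""
    findings = []
    # 3-2-1 rule: three copies, two media types, one off-site.
    if len(copies) < 3:
        findings.append("3-2-1: fewer than three copies")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: fewer than two media types")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no off-site/cloud copy")
    # At least one copy must be immutable or fully offline to survive
    # a ransomware actor who has reached the backup console.
    if not any(c.immutable or c.offline for c in copies):
        findings.append("Immutable: no write-once or offline copy")
    for c in copies:
        # A job is "missed" once it is more than one full schedule late.
        if now - c.last_success > timedelta(hours=2 * c.schedule_hours):
            findings.append(f"Monitoring: {c.name} missed its backup window")
        # Restore tests must be recent, not just "exists".
        if (c.last_restore_test is None or
                now - c.last_restore_test > timedelta(days=max_restore_test_age_days)):
            findings.append(
                f"Restore testing: {c.name} has no restore test within "
                f"{max_restore_test_age_days} days")
    return findings


def checklist(copies: List[BackupCopy], now: datetime) -> dict:
    """Map findings back onto the table's Y/N cells."""
    findings = evaluate(copies, now)
    prefixes = {
        "3-2-1 Rule Compliance": "3-2-1:",
        "Air-Gapped / Offline / Cloud Copy": "Immutable:",
        "Automated Backup Testing": "Restore testing:",
        "Backup Monitoring and Alerts": "Monitoring:",
    }
    return {row: "N" if any(f.startswith(p) for f in findings) else "Y"
            for row, p in prefixes.items()}


# Constructed sample inventory (not real data).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("nightly-snapshot", "snapshot", offsite=False, immutable=False,
               offline=False, last_success=NOW - timedelta(hours=10),
               last_restore_test=NOW - timedelta(days=2)),
    BackupCopy("appliance", "appliance", offsite=False, immutable=True,
               offline=False, last_success=NOW - timedelta(hours=60),
               last_restore_test=NOW - timedelta(days=3)),
    BackupCopy("cloud-cold", "cloud", offsite=True, immutable=True,
               offline=True, last_success=NOW - timedelta(hours=20),
               last_restore_test=None),
]

if __name__ == "__main__":
    for row, yn in checklist(SAMPLE_COPIES, NOW).items():
        print(f"{row}: {yn}")
    for f in evaluate(SAMPLE_COPIES, NOW):
        print("-", f)
```

On the sample inventory the 3-2-1 and immutability rows pass, while the appliance's stale job and the cloud copy's missing restore test produce "N" for the monitoring and testing rows; that distinction, between a backup existing and a backup being proven recoverable, is the point the "Would your backups actually work?" question above is making.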
🛡️ Cyber Insurance Security Posture
Item | Details / Notes
--- | ---
Cyber Liability Insurance Carrier | (Carrier name, policy number)
Policy Coverage | Data breach? Network interruption? Ransomware? Legal costs? Business interruption?
Coverage Limits | (e.g., $1M/$2M/$5M aggregate)
Policy Renewal Date | Date: ___
Insurance Pre-Qualification Checks | MFA enforced? (Y/N); EDR/XDR tools in place? (Y/N); Data encryption in use? (Y/N); Patch management in place? (Y/N)
Microsoft Secure Score | Current score: ___; Industry benchmark: ___; Last reviewed: ___; Action plan created? (Y/N)
Security Assessments for Insurance | Penetration test completed? (Y/N) Date: ___; External vulnerability scan completed? (Y/N) Date: ___; Security risk assessment report submitted? (Y/N) Date: ___
Policy Exclusions to Note | (e.g., insider threats, social engineering limits)
Incident Response Plan Documented | (Y/N); includes contact flow, legal, comms, vendor notification
Security Awareness Training Program | (Y/N); Frequency: (e.g., annually, quarterly)
Compliance with Frameworks/Standards | NIST CSF / CIS18 / ISO27001; PCI-DSS / HIPAA if applicable
Retention of Logs & Forensic Readiness | Centralized log storage (SIEM); Retention period: ___; Alerting configured? (Y/N)
Cyber Insurance Claim History | Past claims filed: ___; Resulting changes implemented? (Y/N)