Following a study of business-relevant and impactful cybersecurity events, and discussions with small and medium business owners, business brokers, closing attorneys, and lenders, Steven identified multiple areas where cybersecurity and business resilience expertise would improve the profitability and long-term viability of small and medium businesses. These include:
Pre-sale assessments aiding sellers in identifying shortcomings which could be concerning to a buyer, and which could then result in buyer hesitancy, deal failure, or reduction in price to seller.
Due diligence assessments aiding buyers in identifying shortcomings which could, post-sale, result in costly cybersecurity incidents and/or business disruptions. The purchase price for the business could also be reduced commensurate with the identified shortcomings, or the seller could remedy the shortcomings prior to the deal closing. The cybersecurity and business resiliency risks which the buyer assumes as part of the deal can result in significant financial costs, as observed in the many examples of cybersecurity incidents attributed to compromised acquired systems.
Post-sale cybersecurity & business resilience improvement plans aiding new owners by providing multi-year prioritized plans for improving business resilience and cybersecurity posture, building on the due diligence assessment findings.
Existing business cybersecurity & business resilience assessment & go-forward plan aiding existing businesses in assessing their current state and future vision; providing a multi-year plan for improving their cybersecurity posture and business resilience, essential to the business's long-term viability, resilience, profitability, and future expectations.
Lender’s cybersecurity posture assessments aiding existing businesses with a robust cybersecurity posture and practices to obtain more favorable loan terms by describing their cybersecurity posture for a lender (interested in reducing the loan risk which arises from shortcomings in resilience and cybersecurity practices).
Fractional CISO and Customized Services providing targeted expertise for specific cybersecurity business concerns and challenges. These include projects which:
Establish strategies and plans essential for business operations and the owner’s future vision.
Provide assistance in creating and implementing operational aspects of cybersecurity.
Enable effective outsourcing of selected operational tasks to third-parties.
Address other tasks or concerns which a business may face that are not addressed by the other services.
Small and medium businesses with significant reliance on IT (computers and various business applications) typically do not have the deep financial pockets of larger businesses. As a result, they do not have the financial means to conduct comprehensive cybersecurity assessments or deploy extensive or costly cybersecurity controls. Typically, these businesses do not have the know-how and expertise to consider the many aspects of cybersecurity. These businesses are caught between a “rock and a hard place”: hackers and ransomware purveyors specifically target small and medium businesses because they are exceptionally vulnerable, easy targets with limited resources to assess and arrange defenses against their adversaries.
Typical cybersecurity assessment services are comprehensive, deep, and costly, intended for well-financed larger businesses. Instead of a broad and expensive assessment service, a collection of cost-effective, focused services was created. These assessment services follow the 80-20 rule, also known as the Pareto principle, narrowing the assessment scope to a few, higher-value cybersecurity considerations, thus reducing the cost to the small and medium business. This is sometimes known as focusing on considerations which yield the most "bang for the buck".