Cybersecurity · For Small Business

Security that actually fits a business your size.

A fixed-scope engagement that locks down the essentials, Google Workspace, backups, edge security, the human layer, without the enterprise tools, enterprise hours, or enterprise invoice.

Flat fee, no surprises · Delivered in 2–4 weeks · Built on NIST & CIS

Built on the frameworks insurers and auditors actually recognize.

NIST CSF · CIS Controls · SOC 2 · Google Workspace · Cloudflare

01 The Problem

You're running a business, not a SOC.

Small businesses get hit for the same reasons big ones do — but without the budget, team, or tools to see it coming. Three pressures small operators tell me about, over and over:

i.

Your insurance application just got harder.

Carriers now ask about MFA, backups, endpoint coverage, and training, and they’re rejecting policies when the answers don’t hold up. One “no” on the form can double your premium or cancel you outright.

ii.

One click can cost you everything.

The median ransomware demand for a small business is in the six figures. The real cost, downtime, lost clients, legal exposure, is usually several times that. And it almost always starts with one email to one employee. 

iii.

Your "IT guy" isn't a security team.

Keeping laptops online is not the same job as hardening an environment. Most MSPs are excellent at the former and quietly hoping you don’t ask about the latter. You deserve a straight answer about where you actually stand.

02 — The service

One engagement.
Fixed scope.
Fixed price.

No open-ended retainers. No surprise invoices. A focused engagement that takes a business from “we should probably do something about security” to “we’ve done the things that matter.”

Core offering

Security & Recovery Foundation

$4,000

Flat fee · 2–4 week delivery · No retainer

Everything included

01

Google Workspace hardening

MFA, admin controls, access review, logging

02

Backup verification

Confirming what’s actually recoverable

03

Cloudflare edge security

DNS, email auth, bot & threat filtering

04

Incident response playbook

Branded, ready to use when it matters

05

Employee security training

Live session + cheat sheet for the team

06

Uptime & availability monitoring

So you know before a client does

07

Executive summary report

Your insurance-ready posture document

03 — The approach

Four steps. No jargon.

A predictable process designed for operators, not CISOs.

You get the plain-English version of what’s happening, and the documentation version for when your insurer asks.

01

30 min

Discovery

We talk about what you run, what keeps you up, and whether the Foundation is actually a fit. No sales pitch, no deck.

02

Week 1

Assess

A structured review of your environment against the frameworks. You get the honest version of where you stand, strong points and gaps.

 

03

Weeks 2-3

Harden

We implement the fixes, turn on the controls, and hand your team the tools. Actual configurations, not recommendations on a PDF.

04

Week 4

Report

An executive summary your partners, board, and insurance carrier can read without a translator. You own the document.

04 — Resources

Not Ready? Start here.

Designed for operators who want to do better tomorrow than they did today.

 

05 — Questions

Things people ask before booking.

Do we have to be on Google Workspace?

No. The Foundation is built around Google Workspace because that’s where most small businesses live now, but the same controls translate to Microsoft 365.

If you’re on M365, we’ll cover the equivalent hardening (Conditional Access, Defender, audit logging) and the rest of the engagement is unchanged.

What does the $4,000 actually cover, and what doesn't it?

It covers everything listed in the Foundation:

  • hardening Google Workspace (or M365),
  • verifying your backups,
  • configuring Cloudflare,
  • writing your incident response playbook,
  • training your team,
  • setting up monitoring,
  • and delivering an executive summary your insurer can read.

 

What it doesn’t cover: building infrastructure from scratch, migrating you off legacy systems, ongoing 24/7 monitoring, or compliance work for specific regulations like HIPAA or PCI.

How long does the whole engagement take?

Two to four weeks from kickoff.

The variance is mostly about your team’s availability, how quickly we can get the access we need, schedule the employee training session, and get sign-off on changes.

What happens after the engagement ends?

You own everything: the documentation, the configurations, the playbook, the training materials.

No retainer, no lock-in, no monthly fee waiting in the background.

The Foundation is designed to leave you in a defensible position without an ongoing dependency on me.

We're really small. Are we too small for this?

If you have at least 3 employees and store client data, money, or anything regulated, you’re the target audience.

Below that, solo operator, no employees, the Foundation is more than you need, and I’ll usually point you toward the free Cyber Safety Cheat Sheet and a 30-minute consult instead of selling you something.

Ready when you are

Find out where you actually stand.

You’ll leave with a straight answer about whether the Foundation makes sense for you.

Or write directly – [email protected]