SMB Security & BDR Services — Complete FAQ Library

Version 1.0 | February 2026 Pick-and-Choose Format: Multiple Answer Options Per Question

HOW TO USE THIS DOCUMENT

Every FAQ below has 2-3 answer options labeled Option A, Option B, and sometimes Option C. Each option has a different tone, length, or angle:

Option A = Concise and direct (best for website FAQ sections, quick reference)
Option B = Conversational and warm (best for marketing materials, email sequences, social media)
Option C = Detailed and authoritative (best for proposal appendices, sales collateral, in-depth landing pages)

Pick the one that matches your brand voice and where you’re using it. You can also mix and match — use Option A for your website but Option C in your proposals.

Questions are organized into categories:

General / “What Is This?” — For people who don’t know what a security assessment is
Process & What to Expect — For people who are interested but want to know how it works
Pricing & Value — For people comparing options or justifying budget
Technical & Scope — For IT-savvy buyers or MSPs asking detailed questions
Backup & Disaster Recovery Specific — For BDR-focused questions
Compliance & Insurance — For regulated industries and insurance-driven buyers
About You / Trust & Credibility — For people evaluating whether to trust you
After the Assessment — For people wondering what happens next
Retainers & Ongoing Services — For recurring service questions
Objection-Framed FAQs — Questions that are really objections in disguise

CATEGORY 1: GENERAL — “WHAT IS THIS?”

Q1: What is a security assessment?

Option A (Concise): A security assessment is a structured review of how well your business is protected against cyber threats. We examine your passwords, email security, device protection, network configuration, data handling, backup systems, and employee awareness — then give you a prioritized plan to fix what matters most.

Option B (Conversational): Think of it like a physical exam for your business technology. Just like a doctor checks your heart, lungs, blood pressure, and bloodwork, we check your passwords, email defenses, computer security, network setup, backups, and more. At the end, you get a “health report” with a letter grade and a clear list of what to fix first. No jargon, no scare tactics — just a clear picture of where you stand and what to do about it.

Option C (Detailed): A security assessment is a systematic, non-invasive evaluation of your organization’s cybersecurity posture across nine critical domains: identity and access management, email security, endpoint protection, network security, data protection, cloud configuration, security awareness, vendor and third-party risk, and compliance readiness. Using industry-standard frameworks like CIS Benchmarks and NIST guidelines, we evaluate your current configurations, policies, and practices against established best practices. The result is a comprehensive report that includes an overall security grade (A through F), domain-by-domain findings with evidence, and a prioritized remediation roadmap with estimated costs and timelines. This is not a penetration test or active attack simulation — it’s a thorough configuration review and risk evaluation designed to identify gaps before attackers do.

Q2: What is backup and disaster recovery (BDR) verification?

Option A (Concise): BDR verification proves whether your backup systems actually work. We inventory your backups, review their health, and perform real test restores to measure how long recovery would take and how much data you’d lose in a disaster. Most businesses have never tested this — and many are surprised by the results.

Option B (Conversational): Here’s a scary fact: most small businesses have backups running, but they’ve never tested whether those backups can actually restore their data. It’s like having a fire extinguisher that’s never been inspected — it might work, or it might be empty. We open the hood on your backup systems, test actual restores, measure how long recovery would really take, and tell you honestly whether you’d survive a ransomware attack, hardware failure, or accidental deletion.

Option C (Detailed): Backup and disaster recovery verification is a hands-on evaluation of your organization’s ability to recover from data loss events. We perform a complete inventory of all backup systems, review 30-60 days of backup job logs, verify compliance with the industry-standard 3-2-1 backup rule (3 copies, 2 media types, 1 offsite), and execute actual test restores at the file, application, and full-system levels. We measure your real Recovery Time Objective (RTO — how long it takes to get back online) and Recovery Point Objective (RPO — how much data you’d lose), then compare those measurements to your business requirements. We also assess ransomware resilience by verifying backup immutability, air-gap status, and credential isolation. The deliverable is a detailed report documenting test results, recovery gaps, and specific recommendations to ensure your business can actually recover when it matters.

Q3: Who needs a security assessment?

Option A (Concise): Any business that uses technology to operate, stores sensitive data (customer information, financial records, health data, intellectual property), or wants to qualify for cyber insurance. We specialize in businesses with 10-200 employees — the size that’s most targeted and least prepared.

Option B (Conversational): If your business uses email, stores customer data, processes payments, or relies on technology to operate (which is basically every business), you need a security assessment. The businesses that need it most are the ones that think they don’t — small and mid-size companies that assume they’re “too small to be a target.” In reality, automated cyberattacks don’t care how big you are. They scan the internet for easy wins, and unprotected small businesses are the easiest targets out there.

Option C (Detailed): Security assessments are relevant for any organization that handles sensitive data, relies on technology for operations, or faces regulatory or contractual security requirements. However, the need is particularly acute for small and medium-sized businesses (10-200 employees) because they typically lack dedicated security staff, have limited IT budgets, and face the same threat landscape as larger organizations. Specific triggers that indicate an immediate need include: cyber insurance applications or renewals requiring security documentation, client or vendor security questionnaires you can’t answer, compliance requirements (HIPAA, SOC 2, PCI-DSS, CMMC), recent security incidents at your company or competitors, planned growth or technology changes, and the simple realization that no one has ever formally evaluated your security posture. Industries with the highest need include healthcare, legal, financial services, manufacturing, professional services, and any company handling personally identifiable information (PII).

Q4: What’s the difference between a security assessment and a penetration test?

Option A (Concise): A security assessment reviews your configurations, policies, and practices to identify gaps. A penetration test actively attempts to exploit vulnerabilities by simulating a real attack. We perform assessments — they’re less expensive, lower risk, and identify the vast majority of issues SMBs face without the legal complexity of active exploitation.

Option B (Conversational): Great question — people mix these up all the time. A security assessment is like a building inspector walking through your property, checking the locks, testing the alarm system, and reviewing the blueprints. A penetration test is like hiring someone to actually try to break in. Both are valuable, but for most small businesses, the assessment is what you need first. It identifies 90%+ of the gaps at a fraction of the cost and risk. If you need a pen test down the road, we can refer you to a specialist.

Option C (Detailed): A security posture assessment and a penetration test serve different purposes and are appropriate at different stages of a security program. Our security assessment is a comprehensive, non-invasive review of your security configurations, policies, procedures, and controls across nine domains. We identify gaps by comparing your current state against industry benchmarks (CIS, NIST) and evaluating risk. A penetration test, by contrast, is an authorized simulated cyberattack that actively attempts to exploit vulnerabilities in your systems — attempting to breach your defenses the way a real attacker would. Penetration testing requires specialized certifications (OSCP, CEH), additional insurance coverage, and carries inherent risk of system disruption. For the vast majority of small and medium businesses, a security assessment should come first — it identifies the foundational gaps (missing MFA, poor email security, untested backups, excessive admin privileges) that account for 90%+ of successful attacks against SMBs. Once those fundamentals are addressed, a penetration test can validate whether your defenses hold up against active exploitation. We do not perform penetration testing, but we can refer you to trusted partners who do.

Q5: What does “fractional CISO” or “virtual CISO” mean?

Option A (Concise): A fractional CISO (also called virtual CISO or vCISO) is an outsourced cybersecurity executive. Instead of hiring a full-time Chief Information Security Officer at $175, 000 -$ 300,000 per year, you get executive-level security leadership on a part-time basis for a fraction of the cost — typically $1, 500 -$ 3,000 per month.

Option B (Conversational): A CISO is a Chief Information Security Officer — the executive responsible for a company’s cybersecurity strategy. Big companies have them full-time. Small businesses can’t afford a $200K+ salary for that role, but they still need the expertise. That’s where we come in. As your fractional (part-time) CISO, we provide the same strategic leadership — security planning, policy development, vendor reviews, incident response, compliance management — without the full-time headcount. Think of it like having a CFO-level resource on retainer instead of on payroll.

Option C (Detailed): A fractional CISO (Chief Information Security Officer), also known as a virtual CISO or vCISO, is an outsourced security executive who provides strategic cybersecurity leadership to organizations that need the expertise but cannot justify or afford a full-time hire. A full-time CISO commands a salary of $175, 000 -$ 300,000+ plus benefits — well beyond the budget of most small and mid-size businesses. Our vCISO service provides the same core functions at approximately 10-15% of the cost: monthly security strategy meetings with your leadership team, quarterly comprehensive security assessments, security policy development and maintenance, compliance management and audit preparation, vendor security reviews, incident response planning and leadership, board and investor security reporting, and ongoing advisory for technology decisions. You get a dedicated security leader who knows your business, your systems, and your risk profile — available when you need them, without the overhead of a full-time executive.

CATEGORY 2: PROCESS & WHAT TO EXPECT

Q6: How does the assessment process work?

Option A (Concise): Six phases over approximately 10 business days: (1) Discovery call to understand your business, (2) We gather data from your systems, (3) We analyze everything against security benchmarks, (4) We write your reports, (5) We present findings in a live meeting, (6) We follow up at 2 weeks and 30 days.

Option B (Conversational): It’s designed to be as painless as possible for you. Here’s what happens:

First, we have a discovery call where I learn about your business, your technology, and your concerns. Then I send you a short questionnaire — think of it as the “health history form” you fill out before a doctor’s visit.

Next, I do the technical work — scanning your external exposure, reviewing your admin settings, checking your email security, auditing your backups, and testing actual restores. Most of this happens in the background without disrupting your team.

Then I write up your reports — an executive summary for you (plain English, no jargon) and a technical report for whoever will implement the fixes.

Finally, we sit down together for a live presentation where I walk you through everything, answer your questions, and help you prioritize next steps. I never just email a PDF and disappear.

The whole process takes about 8-10 business days from start to finish, and it requires roughly 2-3 hours of your team’s time total.

Option C (Detailed): Our engagement follows a structured six-phase workflow:

Phase 1 — Discovery & Scoping (Day 1): We conduct a 45-60 minute call to understand your business, technology environment, compliance requirements, and specific concerns. We define the scope, sign the engagement letter, and send you a pre-assessment questionnaire.

Phase 2 — Information Gathering (Days 2-3): We collect your completed questionnaire, obtain temporary admin access to in-scope systems, run external security scans, pull security configuration data from your cloud platforms, and document your environment.

Phase 3 — Assessment Execution (Days 3-5): We analyze all collected data against CIS Benchmarks and industry best practices. For BDR engagements, we execute actual test restores and measure recovery times. Every finding is documented with evidence and classified by severity.

Phase 4 — Report Development (Days 5-7): We produce an executive summary (1-2 pages, written for business owners), a technical findings report (5-15+ pages, written for IT staff), and a prioritized 30/60/90-day remediation roadmap.

Phase 5 — Presentation (Days 8-10): We present all findings in a live 60-90 minute meeting, explain risks in business terms, and help you prioritize next steps. We strongly recommend including your IT contact or MSP representative.

Phase 6 — Follow-Up (Days 14-30): We check in at 2 weeks to answer questions and help with quick wins, and again at 30 days to discuss progress and ongoing support options.

Total client time commitment: approximately 2-3 hours across the entire engagement.

Q7: How long does an assessment take?

Option A (Concise): Most assessments are completed within 8-10 business days from kickoff to report delivery. The actual time you and your team spend is about 2-3 hours total — we handle the rest.

Option B (Conversational): From “let’s go” to “here are your results” is typically 8-10 business days. The biggest variable is how quickly you can complete the questionnaire and grant us admin access — once we have those, the clock really starts moving. Your team’s total time commitment is about 2-3 hours: a discovery call, maybe a short screen-share session, and the findings presentation.

Option C (Detailed): Timeline varies by package:

Package	Typical Duration	Client Time Required
Quick-Start Bundle	5-7 business days	1-2 hours
Business Shield	8-10 business days	2-3 hours
Business Shield Pro	10-15 business days	3-5 hours
Industry-specific packages	10-15 business days	3-5 hours

The most common delay is on the client side — completing the pre-assessment questionnaire and providing admin access. We recommend completing the questionnaire within 3-5 business days of receiving it to keep the timeline on track. Expedited timelines are available for an additional fee.

Q8: What do you need from us to get started?

Option A (Concise): Three things: (1) A signed engagement letter, (2) A completed pre-assessment questionnaire, and (3) Temporary admin access to your cloud platform (Microsoft 365 or Google Workspace) and any in-scope systems. We provide detailed instructions for all of this.

Option B (Conversational): We try to keep this as simple as possible. Here’s what we need:

Sign the engagement letter — This is our agreement on scope, timeline, and terms. Takes 5 minutes.
Fill out a questionnaire — About 15-20 minutes. It asks about your business, your technology, your backups, and your security practices. “I don’t know” is a perfectly valid answer — that’s useful information too.
Give us temporary admin access — We’ll walk you through creating a temporary admin account in your Microsoft 365 or Google Workspace. We use it during the assessment and you delete it when we’re done.

That’s it. We handle everything else.

Q9: Will the assessment disrupt our business operations?

Option A (Concise): No. Our assessment is non-invasive. We review configurations, run external scans, and analyze settings — we don’t make changes, install software, or disrupt your systems. Your team can work normally throughout the process.

Option B (Conversational): Not at all. This is one of the most common concerns we hear, and I’m glad you asked. Our assessment is 100% non-invasive — we’re looking, not touching. We review your settings, scan what’s visible from outside your network, and analyze your configurations. We don’t install anything, we don’t make changes, and we don’t run anything that could impact your systems. Your team works normally the entire time. The only thing anyone might notice is a brief login from an unfamiliar admin account — that’s us.

Option C (Detailed): No. Our assessment methodology is specifically designed to be non-disruptive:

External scans are passive and originate from outside your network — they have no impact on your systems’ performance or availability.
Internal reviews are read-only — we examine configurations, export reports, and review settings. We do not modify, delete, or install anything.
Backup test restores are performed to isolated or temporary locations, never overwriting production data.
No agents or software are installed on your systems.
No active exploitation or attack simulation is performed.
Admin access is used solely for read-only configuration review and is revoked upon engagement completion.

The only potential impact is the brief period during backup test restores, which may consume some additional bandwidth or storage temporarily. We coordinate the timing of test restores with your team to minimize any effect.

Q10: Is our data safe during the assessment?

Option A (Concise): Yes. We treat all client data as strictly confidential. We use encrypted connections, encrypted storage, and delete all client data within 30 days of engagement completion. Our engagement letter includes confidentiality and data handling provisions, and we carry professional liability insurance.

Option B (Conversational): Absolutely — and we take this extremely seriously. We access your systems through encrypted connections, store any assessment data on encrypted devices, and never share your information with anyone. When the engagement is done, we securely delete all your data within 30 days. Our engagement letter spells all of this out in detail, and we carry professional liability and cyber liability insurance for additional protection. If you’re trusting us with your security, we’d better be walking the walk ourselves.

Option C (Detailed): Data security is foundational to our practice. Here are the specific protections we maintain:

Confidentiality: All client data, findings, and business information are treated as strictly confidential per our engagement agreement. We never disclose findings to third parties without written consent.
Encryption in transit: All remote access uses encrypted connections (VPN, HTTPS, SSH).
Encryption at rest: All devices used in the assessment employ full disk encryption (BitLocker/FileVault). Assessment artifacts are stored in encrypted containers.
Access controls: Client credentials are stored in an encrypted password vault with MFA. Only the assigned consultant accesses your data.
Data retention: All client data is securely deleted within 30 days of report delivery unless otherwise agreed in writing. We provide written confirmation of deletion upon request.
Insurance: We maintain Professional Liability (E&O), General Liability, and Cyber Liability insurance. Certificates of insurance are available upon request.
No data exfiltration: We do not copy, transfer, or store your actual business data (files, emails, databases). We access configurations and settings only, and our documentation consists of findings, screenshots, and scan outputs — not your underlying data.

Q11: Do you need to come to our office, or can this be done remotely?

Option A (Concise): Both options work. Most of our assessment work can be done remotely. On-site visits are included with our larger packages and available as an option for others. For clients in the Boulder/Denver area, we’re happy to come to you.

Option B (Conversational): Great news — most of the work can be done entirely remotely. We connect to your cloud admin portals, run external scans from our side, and review configurations without needing to be physically present. That said, some things are better done on-site — reviewing firewall hardware, checking physical server setups, and the findings presentation is always more impactful face-to-face. For clients in the Boulder/Denver metro area, on-site visits are included in our larger packages and available as an add-on for others. For clients outside the area, remote delivery works great.

Q12: What happens during the findings presentation?

Option A (Concise): A 60-90 minute meeting where we walk you through your results: overall security grade, top critical findings, quick wins you can implement immediately, and your prioritized remediation roadmap. We explain everything in plain English and answer all your questions. We recommend having your IT contact or MSP join.

Option B (Conversational): This is the most important part of the engagement — and it’s why we never just email you a PDF. We sit down together (in person or virtually) for 60-90 minutes and walk through everything:

First, I show you your overall security grade and what it means. Then we go through the most critical findings — I explain each one in plain English, show the evidence, and tell you exactly what’s at risk. We cover the quick wins you can tackle this week for free, and then I present the full 30/60/90-day action plan.

The whole time, you can ask questions, push back, or drill deeper into anything. I want you to walk out of that meeting with absolute clarity on what to do next — not more confusion.

I always recommend inviting your IT person or MSP to this meeting. They’re the ones who will implement the fixes, and having them hear the findings directly saves a lot of telephone-game back-and-forth.

CATEGORY 3: PRICING & VALUE

Q13: How much does a security assessment cost?

Option A (Concise): Our assessments range from $1, 500 t o$ 12,000+ depending on scope, company size, and complexity. Most small businesses invest between $3, 500 an d$ 7,000 for a combined security and backup verification assessment. We offer several package tiers to fit different budgets and needs.

Option B (Conversational): It depends on the size and complexity of your environment, but here’s a realistic range:

For a very small business (under 25 employees, cloud-only) — starting around $1, 500 -$ 2,500
For a typical small business (25-75 employees) — $3, 500 -$ 5,500 for a combined security + backup assessment
For larger or regulated businesses (75-200 employees, compliance requirements) — $7, 000 -$ 12,000+

We always present multiple options so you can choose what fits your budget. And many of the fixes we recommend cost nothing to implement — so the assessment often pays for itself before we even finish the report.

Option C (Detailed): Our pricing is based on engagement scope, company size, environment complexity, and industry requirements. Here’s a general guide:

Package	Best For	Price Range
Security Essentials	Small businesses, 5-25 employees, cloud-only	$1, 500 -$ 2,500
Security Professional	Mid-size businesses, 15-75 employees	$2, 500 -$ 5,000
Security Comprehensive	Larger SMBs, 50-200+ employees, regulated industries	$4, 500 -$ 8,000+
BDR Verification (standalone)	Backup audit and test restores	$1, 000 -$ 6,000
Combined Security + BDR	Most popular — full assessment plus backup verification	$3, 500 -$ 12,000+

Factors that affect pricing: number of employees, number of locations, on-premises vs. cloud-only infrastructure, regulated industry requirements (HIPAA, SOC 2, CMMC), and complexity of the environment. We provide a specific quote after our discovery call so you know exactly what to expect — no surprises.

Q14: Why should I pay for this when there are free security scanning tools online?

Option A (Concise): Free tools check one or two things. An assessment checks everything — your configurations, policies, processes, backups, and people — and tells you what matters most. The value isn’t the scan; it’s the expert analysis, the prioritized recommendations, and the actionable report that lets you actually fix things in the right order.

Option B (Conversational): Free scanning tools are great — and we actually use several of them as part of our process. But a scan only tells you one piece of the story. It’s like checking your blood pressure at the pharmacy kiosk versus getting a full physical exam. The kiosk tells you one number. A doctor examines everything, understands your history, and gives you a treatment plan.

We check 9 different security domains, test your actual backup restores, evaluate your policies and processes (not just technology), compare everything against industry benchmarks, and produce a report with specific, prioritized, actionable recommendations — including cost estimates and timelines. A free scan can tell you a port is open. We tell you why it matters, what the business risk is, and exactly how to fix it.

Option C (Detailed): Free online tools serve a narrow purpose — they check a single aspect of your security (open ports, email authentication records, SSL certificate status). They are one input into a comprehensive assessment, not a substitute for one. Here’s what free tools cannot do:

Evaluate your identity and access management (MFA adoption, admin account hygiene, offboarding procedures)
Assess your internal configurations (firewall rules, cloud security settings, endpoint protection)
Test your backups by performing actual data restores
Evaluate your policies, processes, and employee awareness
Provide context-specific, business-relevant risk analysis
Prioritize findings by severity and business impact
Produce a remediation roadmap with implementation guidance
Satisfy cyber insurance requirements for a formal security assessment
Provide an independent, third-party evaluation for auditors and clients

We use automated tools as data inputs, but the value of an assessment is in the expert human analysis, the business context, and the prioritized action plan that results from it.

Q15: What’s my return on investment? How do I justify this cost?

Option A (Concise): The average ransomware recovery costs SMBs $150, 000 + . T h e a v er a g ecos t o fd o w n t im e i s$ 8,000- $25, 000 p er d a y . A$ 4,500 assessment that identifies and helps prevent even one of these events pays for itself many times over. Plus, many of the fixes we recommend cost nothing to implement.

Option B (Conversational): Here’s the math: a single ransomware attack costs the average small business $150, 000 or m ore in reco v ery, l os t b u s in ess, an d re p u t a t i o n d ama g e . A d a yo fd o w n t im ecos t s$ 8,000- $25, 000. A b u s in esse mai l co m p ro mi se in c i d e n t a v er a g es$ 125,000.

Our assessment costs a fraction of any one of those scenarios — and it identifies exactly how to prevent them. On top of that, many of the highest-impact fixes we recommend (enabling MFA, fixing email authentication, reducing admin privileges) cost literally zero dollars to implement.

So the real question isn’t “can we afford an assessment?” It’s “can we afford not to know where our gaps are?”

Q16: Do you offer payment plans?

Option A (Concise): Yes. For engagements over $3,000, we offer a 50/50 split — half at signing, half upon report delivery. For larger engagements, we can split into three payments. We accept bank transfer, credit card, and check.

Option B (Conversational): Absolutely. We want to make this accessible. Our standard structure is 50% when we kick off and 50% when we deliver the report. For larger engagements, we can split it into three payments spread over the engagement timeline. We accept bank transfers, credit cards, and checks — whatever’s easiest for you.

Q17: Can I start small and expand later?

Option A (Concise): Yes. Many clients start with a focused assessment and expand later as they see the value. We have packages starting at $1,500 that cover the essentials, with clear upgrade paths to more comprehensive reviews.

Option B (Conversational): Absolutely — and that’s actually a smart approach. You can start with our Quick-Start Bundle or Security Essentials package, address the most critical findings, and then do a more comprehensive assessment in a future quarter. The only thing to know is that doing them as separate engagements costs a bit more than bundling upfront — but there’s zero pressure to commit to more than you’re comfortable with. We’d rather earn your trust with a smaller engagement first.

CATEGORY 4: TECHNICAL & SCOPE

Q18: What exactly do you check?

Option A (Concise): Nine security domains: identity and access management, email security, endpoint protection, network security, data protection, cloud configuration, security awareness, vendor and third-party risk, and compliance readiness. For BDR engagements, we also verify backup systems, execute test restores, and measure recovery times.

Option B (Conversational): We check everything that matters for a business your size. In plain English:

Who can log in and how? — Passwords, multi-factor authentication, admin accounts, former employee access
Is your email protected? — Spoofing prevention, phishing filters, suspicious forwarding rules
Are your computers secure? — Antivirus, software updates, hard drive encryption
Is your network locked down? — Firewall rules, Wi-Fi setup, VPN configuration, what’s exposed to the internet
Is your data controlled? — File sharing permissions, sensitive data locations, who can access what
Are your cloud settings right? — Microsoft 365 or Google Workspace security configuration
Do your people know what to look for? — Security training, phishing awareness, incident reporting
Are your vendors secure? — Who else has access to your systems and data
Would your backups actually save you? — We test real restores and measure recovery time

Q19: What tools do you use?

Option A (Concise): We use a combination of industry-standard tools including Nmap (network scanning), MXToolbox (email security), Qualys SSL Labs (encryption analysis), Shodan (exposure detection), Have I Been Pwned (breach checking), Microsoft Secure Score, CIS Benchmarks, and custom PowerShell scripts. For BDR verification, we work directly with the client’s backup platforms to execute test restores.

Option B (Conversational): We use the same types of tools that large security firms use, scaled appropriately for small business environments. Everything from network scanners and email security analyzers to breach databases and cloud security dashboards. More importantly, we use industry-standard benchmarks (CIS Benchmarks, NIST frameworks) as our measuring stick — so our recommendations aren’t just opinions, they’re backed by the same standards used by Fortune 500 companies and government agencies.

Q20: What kind of access do you need to our systems?

Option A (Concise): Temporary, read-only admin access to your cloud platform (Microsoft 365 or Google Workspace), and optionally to your firewall and backup console. We provide specific instructions for creating a temporary admin account, which you revoke after the engagement. We never ask for your personal passwords.

Option B (Conversational): Less than you’d think. We need temporary admin access to your Microsoft 365 or Google Workspace — you create a temporary account for us, we use it during the assessment, and you delete it when we’re done. If your firewall and backup system are in scope, we either get read-only access or do a guided screen-share session with your IT person. We never ask for personal passwords, we never install persistent software, and all access is documented in the engagement letter. You’re in control the entire time.

Q21: Will you be able to see our emails, files, and sensitive data?

Option A (Concise): We review security configurations and settings, not your actual content. We can see things like “MFA is enabled for 12 of 30 users” or “this mailbox has a forwarding rule” — but we don’t read your emails, open your files, or access your business data. Our engagement letter explicitly defines this boundary.

Option B (Conversational): No — and this is an important distinction. We’re looking at the locks on the doors, not rummaging through the house. We check things like: Is MFA turned on? How many admin accounts are there? Are your backups running successfully? What firewall rules are in place? We see configurations, settings, and security status — not your emails, documents, financial records, or personal information. Our engagement letter explicitly states that we access only what’s necessary for the security review, and we never exfiltrate or store your actual business data.

Q22: Can you assess our systems if we use [specific platform]?

Option A (Concise): We have deep expertise in Microsoft 365 and Google Workspace environments, which cover the vast majority of SMBs. We also assess common firewall brands (SonicWall, Fortinet, Meraki, Ubiquiti, pfSense), backup solutions (Veeam, Datto, Acronis, Barracuda, cloud-native tools), and cloud platforms (Azure, AWS). If you use something we haven’t worked with before, we’ll let you know during the discovery call.

Option B (Conversational): Almost certainly, yes. We work with the platforms that the vast majority of small businesses use — Microsoft 365, Google Workspace, SonicWall, Fortinet, Meraki, Ubiquiti, Veeam, Datto, and many more. During our discovery call, we’ll ask about your technology stack and confirm everything is within our wheelhouse. If you have something unusual, we’ll tell you upfront rather than waste your time.

CATEGORY 5: BACKUP & DISASTER RECOVERY SPECIFIC

Q23: We already have backups running. Why do we need verification?

Option A (Concise): Because a backup that’s never been tested is an assumption, not a safety net. Industry data shows approximately 30-40% of backup restores fail on the first attempt when they haven’t been regularly tested. We see “successful” backup dashboards every week that hide silent failures — wrong directories, corrupt files, incomplete databases. The only way to know your backups work is to test them.

Option B (Conversational): This is the most common thing we hear — “We have backups, they’re fine.” And then we test a restore and discover that the backup has been silently failing, backing up an empty folder, or missing the most critical database for months.

About 80% of the businesses we assess have never tested a restore. Of those, roughly a third discover a problem during our testing that would have caused data loss in a real emergency. Backup software dashboards are designed to show green — that doesn’t mean your data is actually recoverable.

Think of it this way: you wouldn’t buy fire insurance and never test the smoke detectors. Backup verification is your smoke detector test.

Q24: Doesn’t Microsoft 365 / Google Workspace back up our data automatically?

Option A (Concise): No. Microsoft and Google provide infrastructure uptime, not data backup. Their retention policies have limited recovery windows and do not protect against permanent deletion, ransomware, malicious insiders, or retention period expiration. Both companies explicitly state that protecting your data is your responsibility. This is called the “shared responsibility model.”

Option B (Conversational): This is the single most common misconception we encounter — and honestly, it’s the reason we’re able to close about 40% of our deals.

Microsoft and Google are responsible for keeping their servers running. But your DATA is your responsibility. Here’s what that means in practice:

If an employee permanently deletes files from their recycle bin — gone.
If your retention policy expires on old emails — gone.
If ransomware encrypts files that sync to OneDrive/Google Drive — the encrypted versions sync over your good copies.
If a malicious employee mass-deletes data on their way out — you have a very limited window to recover.

Microsoft’s own service agreement says: “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

That’s Microsoft telling you, in writing, that they don’t back up your data. You need a third-party backup solution, and our BDR verification checks whether you have one — and whether it actually works.

Q25: What’s the 3-2-1 backup rule?

Option A (Concise): The industry-standard backup architecture: keep 3 copies of your data, on 2 different storage types, with 1 copy offsite or in the cloud. We verify whether your backup setup meets this standard and identify the gaps.

Option B (Conversational): It’s the gold standard for backup architecture, and it’s simple to remember:

3 copies of your data (your original + 2 backups)
2 different types of storage (for example, a local NAS drive + cloud storage)
1 copy offsite or in the cloud (so if your office floods, burns, or gets hit by ransomware, you still have a copy somewhere else)

Most small businesses fail this test — they usually have one backup, stored in the same location as their servers. Our assessment checks 3-2-1 compliance and tells you exactly what’s missing.

Q26: What does “ransomware resilience” mean for my backups?

Option A (Concise): It means: if ransomware encrypts everything on your network, would your backups survive? We check three things — whether your backups are immutable (can’t be altered or deleted), whether there’s an air-gapped copy (disconnected from the network), and whether the backup system uses separate credentials from your main network (so compromised domain passwords can’t access backups).

Option B (Conversational): Modern ransomware doesn’t just encrypt your servers — it specifically hunts for backup files and encrypts those too. Attackers know that if they destroy your backups, you’re much more likely to pay the ransom.

So “ransomware resilience” is our way of asking: would your backups survive a sophisticated ransomware attack? We check three specific things:

Immutability — Can the backup files be altered or deleted? Modern solutions offer “immutable” backups that can’t be changed for a set retention period, even by an admin.
Air gap — Is there a backup copy that’s physically or logically disconnected from your network? If ransomware can reach the backup server, it can encrypt it.
Credential isolation — Does the backup system use completely separate login credentials from your main network? If an attacker captures your domain admin password, can they also log into the backup system?

If the answer to any of these is “no,” your backups may not survive a ransomware attack — which means they’re not really protecting you.

CATEGORY 6: COMPLIANCE & INSURANCE

Q27: Will this help us qualify for cyber insurance?

Option A (Concise): Yes. Our assessment evaluates exactly the controls that cyber insurance carriers require — MFA, endpoint protection, backup verification, email security, access management, and security awareness. The report provides documentation you can share with your insurance broker, and we can help you accurately complete insurance security questionnaires.

Option B (Conversational): It’s one of the top reasons clients come to us. Cyber insurance carriers now require specific security controls before they’ll issue or renew a policy — things like MFA on all accounts, endpoint protection, tested backups, email filtering, and security awareness training. They send you a security questionnaire that can feel overwhelming if you’re not in the cybersecurity world.

Our assessment checks every single thing carriers typically ask about. You get a report that documents your current posture, identifies what needs to be fixed to meet carrier requirements, and gives you a clear roadmap to get compliant. Many of our clients share the assessment report directly with their insurance broker. Some even use it to negotiate better premiums.

And here’s the flip side that people don’t think about: if you have cyber insurance but DON’T have the controls they require, the carrier can deny your claim. We’ve seen it happen. Our assessment helps make sure your insurance will actually pay out when you need it.

Q28: Can this help us with HIPAA compliance?

Option A (Concise): Yes. Our Healthcare Security Package includes a HIPAA Security Rule gap analysis that satisfies the annual risk assessment requirement. We evaluate your technical safeguards, administrative safeguards, and physical safeguard awareness, then produce a compliance gap matrix with specific remediation steps.

Option B (Conversational): Absolutely — and here’s a bonus most healthcare practices don’t know about: HIPAA requires you to conduct an annual security risk assessment. It’s not optional. Our Healthcare Security Package is designed to satisfy that requirement while also giving you a complete picture of your security posture and backup readiness. You’re checking a compliance box AND actually improving your security — not just generating paperwork.

We evaluate your environment against HIPAA’s technical safeguards (encryption, access controls, audit logging), identify gaps, and provide a remediation roadmap. The deliverables include a HIPAA compliance gap matrix that you can show to auditors, partners, and your legal counsel.

Q29: Can you help with SOC 2 / PCI-DSS / CMMC compliance?

Option A (Concise): Yes. Our Comprehensive and industry-specific packages include a gap analysis against your target compliance framework. We identify where you stand today, what’s missing, and what needs to change — with a prioritized remediation roadmap. We do not perform the formal certification or audit itself, but we prepare you for it.

Option B (Conversational): Yes — with an important distinction. We perform the gap analysis that tells you exactly where you stand relative to your target framework and what needs to change. Think of us as the “pre-flight checklist” before the official audit. We identify gaps, prioritize remediation, and help you prepare — so when the formal auditor or certification body comes, you’re ready instead of scrambling.

We don’t perform the formal certification or audit ourselves (that requires a different type of firm for frameworks like SOC 2 and CMMC). But we get you ready for it, which dramatically reduces the time, cost, and stress of the formal process.

Q30: My client / vendor sent me a security questionnaire I can’t answer. Can you help?

Option A (Concise): Yes. This is one of the most common reasons clients reach out to us. We can help you accurately complete security questionnaires by assessing your actual posture first, then helping you answer truthfully. We also identify gaps that you should address before submitting — because inaccurate answers can create liability.

Option B (Conversational): This is literally one of the top three reasons people call us. A big client or vendor sends you a 50-question security questionnaire, you stare at it, and you realize you can’t confidently answer half of them. Sound familiar?

Here’s the thing — guessing on these questionnaires is dangerous. If you say “yes, we have MFA enabled” and you don’t, and a breach occurs, that false answer can be used against you in litigation or insurance claims.

We assess your actual posture first, then help you complete the questionnaire accurately and honestly. Where there are gaps, we tell you what needs to be fixed — often before you submit. That way your answers are truthful AND you’re improving your security at the same time.

CATEGORY 7: TRUST & CREDIBILITY

Q31: What qualifies you to do this work?

Option A (Concise): We bring hands-on experience assessing SMB environments using industry-standard frameworks (CIS Benchmarks, NIST CSF), combined with deep knowledge of the platforms small businesses actually use (Microsoft 365, Google Workspace, common firewalls and backup solutions). We carry professional liability insurance, follow documented methodologies, and deliver results — not just opinions.

Option B (Conversational): Fair question. Here’s what we bring to the table:

We specialize in small and medium business environments — not enterprise, not government, but the 10-200 employee companies that make up the backbone of the economy. We know these environments inside and out because it’s all we do.

Our assessments use the same industry-standard frameworks (CIS Benchmarks, NIST Cybersecurity Framework) used by the largest security firms in the world. The difference is that we apply them in a way that’s practical and actionable for a business your size — not a 200-page report full of enterprise jargon you’ll never read.

We carry professional liability and cyber liability insurance, follow a documented methodology that ensures consistency, and we stand behind our work with follow-up support. And perhaps most importantly: we explain everything in plain English. If you can’t understand and act on our recommendations, then the assessment didn’t do its job.

Option C (Detailed): Our qualifications are rooted in three areas:

Methodology: Every assessment follows a documented, repeatable methodology based on internationally recognized frameworks — primarily CIS Benchmarks and NIST Cybersecurity Framework. These are the same baselines used by Fortune 500 companies, government agencies, and major security consulting firms. Our methodology ensures thoroughness, consistency, and defensibility.

Specialization: We focus exclusively on small and medium-sized businesses. This means every recommendation we make is practical, achievable, and cost-appropriate for organizations with limited IT staff and budget. We don’t produce enterprise-scale reports full of controls you can’t implement — we produce actionable roadmaps you can execute.

Accountability: We carry Professional Liability (E&O) insurance, General Liability insurance, and Cyber Liability insurance. We sign confidentiality agreements for every engagement. We deliver work product that we stand behind, and we provide follow-up support to ensure our recommendations drive real improvement.

Q32: Do you have references or testimonials I can see?

Option A (Concise): Yes. We’re happy to share testimonials and case studies from previous clients (with their permission). We can also connect you with a reference client for a brief conversation if that would be helpful. Please ask, and we’ll provide what’s available.

Option B (Conversational): Absolutely. We have testimonials from clients across several industries — healthcare, legal, professional services, and more. I’m happy to share those with you. If you’d prefer to talk to a reference directly, I can arrange a brief phone call with a current client who can share their experience firsthand. Just let me know what would be most helpful.

Q33: Are you insured?

Option A (Concise): Yes. We maintain Professional Liability (Errors & Omissions) insurance with minimum $1 million coverage, General Liability insurance, and Cyber Liability insurance. Certificates of insurance are available upon request.

Option B (Conversational): Yes — and I’m glad you asked, because it’s a sign you’re vetting your vendors properly (which is exactly the kind of security awareness we want to see). We carry three types of insurance: Professional Liability (E&O), which covers our work product; General Liability, which covers standard business risks; and Cyber Liability, which covers us if our own systems are compromised. All at $1 million minimum coverage. I can send you a certificate of insurance any time.

Q34: What happens if your assessment misses something?

Option A (Concise): Our engagement agreement is transparent about this: a security assessment is a point-in-time evaluation, not a guarantee that every vulnerability has been found. That said, our structured methodology, industry-standard frameworks, and comprehensive checklists are specifically designed to minimize blind spots. If we identify something post-engagement that was in scope, we’ll disclose it to you at no charge.

Option B (Conversational): This is why we’re transparent in our engagement letter — a security assessment is a thorough, structured review, but no assessment can guarantee that every possible vulnerability has been found. Security threats evolve daily, and no methodology is omniscient.

What we CAN guarantee is thoroughness. Our methodology is based on industry-standard checklists and benchmarks that cover the issues responsible for 95%+ of successful attacks against small businesses. We follow the same process for every client, which means nothing gets skipped because we were in a hurry.

If we do discover something post-engagement that was within scope, we’ll reach out and tell you about it — no charge. And this is exactly why we recommend quarterly re-assessments: security isn’t a one-time snapshot, it’s an ongoing practice.

CATEGORY 8: AFTER THE ASSESSMENT

Q35: What happens after we get our report?

Option A (Concise): We present your findings in a live meeting, then follow up at 2 weeks and 30 days. You’ll have a prioritized action plan and can start implementing fixes immediately — many of the most critical ones cost nothing. We’re available to help with implementation, answer questions, and discuss ongoing protection options.

Option B (Conversational): After the presentation, you’ll have a clear roadmap of exactly what to fix and in what order. Here’s what typically happens:

Week 1-2: Most clients tackle the quick wins immediately — things like enabling MFA, fixing email authentication records, and revoking old admin accounts. These are free and high-impact.

Week 2 check-in: I call to see how it’s going, answer any questions, and help troubleshoot if needed.

Week 3-4: Clients start tackling the 30-day items — things like deploying backup solutions, reviewing firewall rules, setting up security training.

Day 30 follow-up: I check in again. At this point, I also present options for quarterly re-assessments to keep the momentum going.

If at any point you want hands-on help implementing a fix, I’m available for that too — either as quick-win implementation support or as part of an ongoing retainer.

Option A (Concise): That depends on your team. Many quick wins can be done by anyone with admin access (enabling MFA, fixing DNS records). More complex items may require your internal IT person, MSP, or us. We provide specific implementation guidance in our technical report, and we’re available for hands-on implementation support as an add-on service.

Option B (Conversational): We’re flexible here. Our report includes specific, step-by-step implementation guidance — not just “fix this,” but “here’s exactly how to fix this, in which admin console, with which settings.”

For simple fixes (enabling MFA, updating DNS records, adjusting sharing permissions), anyone with admin access can follow our instructions. For more complex items, your IT person or MSP can use our technical report as a detailed work order. And if you want us to roll up our sleeves and help directly, we offer implementation support starting at $150 -$ 300 per hour.

Many of our clients use a mix: they handle the free quick wins themselves, send the technical report to their MSP for the bigger items, and call us for guidance along the way.

Q37: Can you fix the issues you find, or do you only identify them?

Option A (Concise): Both. Our core service is assessment and recommendation. Implementation support is available as an add-on — either hourly for specific fixes, or as part of an ongoing retainer. We also work alongside your existing IT team or MSP, providing them with detailed implementation guidance.

Option B (Conversational): We can do both, and our clients handle it different ways:

Option 1: We assess, you (or your IT team/MSP) fix. We give you detailed instructions, and your team implements them. This is the most cost-effective approach if you have capable IT resources.
Option 2: We assess AND help fix. We offer hands-on implementation support for quick wins and specific recommendations. This is great for companies without dedicated IT staff.
Option 3: We assess, then provide ongoing advisory. Through a quarterly retainer or vCISO engagement, we guide and verify implementation over time.

We’re not an MSP and we don’t want to replace your IT team. But if you need hands-on help, we’re happy to provide it. And when fixes are beyond our scope (like major infrastructure changes), we refer you to trusted partners.

CATEGORY 9: RETAINERS & ONGOING SERVICES

Q38: Why do I need ongoing assessments? Isn’t one enough?

Option A (Concise): Security is a moving target. Your environment changes (new employees, new software, configuration drift), the threat landscape evolves (new attack methods, newly discovered vulnerabilities), and compliance requirements update regularly. A quarterly check-up ensures you stay protected, catches new risks early, and provides documentation that insurance carriers and auditors increasingly require on an ongoing basis.

Option B (Conversational): Great question, and here’s the honest answer: a one-time assessment is absolutely better than nothing. It gives you a baseline and a roadmap. But here’s what happens without ongoing check-ups:

New employees get added without proper security setup
Someone changes a setting and accidentally opens a hole
A software update introduces a new vulnerability
An employee leaves and nobody remembers to revoke access
Your backup stops working silently and nobody notices for months
A new compliance requirement goes into effect

Quarterly re-assessments catch all of these before they become problems. Think of it like going to the dentist — you can skip it, but the problems just compound. Our retainer clients consistently improve their security scores quarter over quarter, and they have peace of mind knowing someone’s watching.

Q39: What’s the difference between your quarterly retainer and the vCISO service?

Option A (Concise): The quarterly retainer is periodic check-ups — we assess, report, and advise every 3 months. Between assessments, you’re on your own. The vCISO service is ongoing partnership — monthly strategy meetings, continuous advisory, policy development, vendor reviews, incident response leadership, and quarterly assessments included. It’s the difference between periodic check-ups and having a dedicated security leader.

Option B (Conversational): Think of it this way: the quarterly retainer is like seeing a specialist every 3 months for a check-up. They review your progress, run tests, and send you off with updated recommendations.

The vCISO service is like having that specialist on your team. They’re in your monthly leadership meetings, advising on every technology decision, reviewing vendor contracts, developing your security policies, running tabletop exercises, and serving as your first call if something goes wrong. They know your business, your people, and your risk profile intimately.

The retainer is right for companies that have capable IT resources and just need periodic independent validation. The vCISO is right for companies that need ongoing strategic security leadership but can’t afford (or don’t need) a full-time $200K+ CISO.

Q40: Can we cancel the retainer at any time?

Option A (Concise): Yes. Our quarterly retainers are commitment-free on a quarter-by-quarter basis. We ask for 30 days’ notice before the next quarter to cancel. Annual prepayment plans (which include a 10% discount) have a different structure — please ask for details.

Option B (Conversational): Yes — we don’t lock you into long-term contracts because we believe you should stay because the value is clear, not because you’re stuck. Our retainers renew quarterly with 30 days’ notice to cancel. If you want to cancel before the next quarter, just let us know and we’ll wrap things up cleanly.

That said, if you commit to an annual plan (pay for 4 quarters upfront), we offer a 10% discount. You can still cancel mid-year — we’ll refund the unused portion minus the discount adjustment.

CATEGORY 10: OBJECTION-FRAMED FAQs

These are questions people ask when they’re really expressing a concern or resistance. The answers are designed to overcome the underlying objection.

Q41: We already have an IT company / MSP. Why do we need you?

Option A (Concise): We’re not replacing your MSP — we’re complementing them. Your MSP handles day-to-day operations. We provide independent, focused security assessments that verify your security posture from an outsider’s perspective. It’s a second opinion from a specialist. We work alongside MSPs regularly, and they appreciate having independent validation of their work.

Option B (Conversational): This is the most common question we get, and the answer is simple: we’re not your MSP’s replacement, we’re their backup (pun intended).

Your MSP is busy keeping your systems running, handling tickets, managing updates, and putting out fires. They rarely have time to step back and do a thorough, structured security review across your entire environment. That’s what we do.

Think of your MSP as your general practitioner — they handle everything day to day. We’re the specialist you see once or twice a year for a focused evaluation. We often find things the MSP didn’t have bandwidth to check, and the MSP often tells us they appreciate having the independent validation.

In fact, many of our best referrals come from MSPs who want to offer their clients a security assessment but don’t do it themselves. It’s a partnership, not a competition.

Q42: We’re too small to be a target. Why would hackers come after us?

Option A (Concise): They don’t “come after you” specifically — they scan the entire internet with automated tools looking for easy targets. A business with 20 employees and no MFA is easier to breach than a Fortune 500 company. FBI data shows that businesses under 500 employees account for the majority of reported cyber incidents. Size doesn’t protect you — security controls do.

Option B (Conversational): I hear this a lot, and it’s one of the most dangerous assumptions in cybersecurity. Here’s the reality:

Hackers aren’t sitting in a dark room choosing targets. They’re running automated scripts that scan millions of IP addresses looking for open doors — no MFA, exposed remote desktop, unpatched software, misconfigured email. They don’t care if you have 10 employees or 10,000. They care if you’re easy.

The analogy I like is car theft. A car thief doesn’t target your specific car — they walk down the street trying door handles until one opens. Automated cyberattacks work the same way. A small business without MFA is an unlocked car with the keys on the seat.

And here are the numbers: the FBI’s Internet Crime Complaint Center reports that businesses with fewer than 500 employees account for the majority of reported cyber incidents. Small businesses are not “too small to be targets” — they’re the primary targets.

Q43: We haven’t had any problems so far. Why fix what isn’t broken?

Option A (Concise): The absence of a known incident doesn’t mean the absence of risk — or even the absence of a breach you don’t know about yet. The average time to detect a breach is over 200 days. Many small businesses that have been compromised don’t know it. A security assessment tells you whether you’ve been lucky or actually protected.

Option B (Conversational): That’s actually great to hear — and I hope it stays that way. But I’d offer two thoughts:

First, many breaches go undetected for months. The average time to discover a breach is over 200 days globally. If someone is in your email reading invoices or slowly exfiltrating data, you might not know for a very long time. “We haven’t had problems” might actually mean “we haven’t NOTICED problems.”

Second, it’s a bit like saying “I’ve never had a house fire, so I don’t need smoke detectors.” The whole point of a security assessment is to identify risks BEFORE they become incidents. The businesses that avoid costly breaches are the ones that proactively found and fixed their gaps — not the ones that got lucky.

I’d rather help you stay lucky than help you recover from an expensive surprise.

Q44: Can’t we just buy cyber insurance and be covered?

Option A (Concise): Cyber insurance is smart, but it’s not a substitute for security controls. Policies require specific controls to be in place (MFA, backups, email filtering, etc.) — without them, claims can be denied. An assessment ensures you meet those requirements so your coverage actually works. Better security also means lower premiums.

Option B (Conversational): Cyber insurance is a great idea — and we actually recommend it. But here’s what most people don’t realize: your policy almost certainly has technical requirements baked in. Things like MFA on all accounts, endpoint protection, working backups, email security, and security awareness training. If you file a claim and can’t prove you had these controls in place, the carrier can deny your claim.

Imagine paying premiums for years, getting hit with ransomware, filing a claim, and hearing: “Sorry, your policy required MFA on all accounts and you didn’t have it. Claim denied.” It happens more often than you’d think.

Our assessment serves two purposes: it makes sure your insurance will actually pay out by verifying the controls your carrier requires, and it reduces the likelihood of needing to file a claim in the first place. Think of it as protecting your investment in the insurance.

Q45: We just don’t have the budget for this right now.

Option A (Concise): We have packages starting at $1,500 and offer payment plans. Many of the highest-impact security improvements we recommend cost nothing to implement. We also offer a free external quick-check that takes 15 minutes — it might be the wake-up call that helps you prioritize the budget.

Option B (Conversational): I completely understand — and I’d never pressure you into something that doesn’t make financial sense. A few thoughts:

We have options at every budget level. Our most focused assessment starts at $1,500, and payment plans are available. If that’s still tight, we can start even smaller — I’m happy to run a free 15-minute external security check on your domain right now, no strings attached. It usually turns up at least one or two surprises.

Also, here’s the thing that changes the budget conversation for most business owners: the average ransomware recovery costs $150, 000 + . A d a yo fd o w n t im ecos t s$ 8,000-$25,000. If the assessment prevents even one incident, it’s paid for itself dozens of times over.

And many of the most critical fixes we identify cost literally nothing to implement — enabling MFA, fixing email records, revoking old admin accounts. You’d be improving your security immediately, regardless of what else you decide to invest in.

If now truly isn’t the right time, that’s okay. Can I at least run that free quick-check and send you a brief report? That way when budget does open up, you’ll have a head start.

Q46: Our employees are the problem, not our technology. Can you help with that?

Option A (Concise): Yes. Security awareness is one of the nine domains we assess. We evaluate your training program, incident reporting processes, and overall security culture. We also offer phishing simulation campaigns and security awareness training setup as add-on services. People and technology work together — strong technology with untrained people still has gaps, and trained people with weak technology are still vulnerable.

Option B (Conversational): You’re not wrong — people are often the weakest link. Over 90% of successful cyberattacks start with someone clicking a phishing email or falling for a social engineering trick. But here’s the full picture:

Technology and people work together. The best employee training in the world won’t save you if your admin accounts don’t have MFA, your backups aren’t working, and your email isn’t filtering threats. Conversely, the best technology won’t save you if your employees are clicking on every link in their inbox.

Our assessment evaluates both. We look at your technology controls AND your security awareness program (or lack thereof). Then we can help you close both gaps — technology fixes through our recommendations, and people fixes through phishing simulations and security awareness training programs.

The ideal outcome: trained people backed by strong technology. That’s how you build real resilience.

Q47: How is this different from what we’d get from a big consulting firm?

Option A (Concise): Same frameworks, same rigor, dramatically different price and experience. Big firms charge $25, 000 -$ 100,000+ and often staff your project with junior consultants while a senior partner handles the sales meeting. With us, the person you meet is the person doing the work. We deliver tailored recommendations for your business size — not an enterprise template that’s irrelevant to a 50-person company.

Option B (Conversational): Three big differences:

1. The person doing the work. At a large firm, the impressive senior partner runs the sales meeting, then hands your project to a junior analyst you’ve never met. With us, the consultant you talk to is the one who does the assessment, writes the report, and presents the findings. No handoffs.

2. Relevance. Big firms use enterprise-grade methodology designed for Fortune 500 companies. Their recommendations often include controls that are irrelevant, impractical, or financially impossible for a 50-person company. Our methodology uses the same frameworks (CIS, NIST) but applies them practically for your size and budget. Every recommendation is something you can actually do.

3. Price. A comparable assessment from a Big 4 or large MSSP would cost $25, 000 -$ 100,000+. We deliver similar depth and rigor at 80-90% less because our overhead is lower, our process is efficient, and we’re built specifically for your market. You don’t need a $50, 000 a u d i t . Y o u n ee d a$ 5,000 assessment that finds the same issues and gives you a clear roadmap.

Q48: What if we disagree with your findings?

Option A (Concise): We welcome discussion. Every finding in our report includes specific evidence (screenshots, scan outputs, configuration data). If something seems inaccurate, we’ll review it together. We’re not trying to scare you — we’re trying to give you an accurate picture. If we’re wrong about something, we’ll correct it.

Option B (Conversational): That’s totally fair, and I welcome it. Every finding in our report is backed by evidence — screenshots, scan outputs, specific configurations. Nothing is based on opinion or guesswork. During the presentation, I encourage you to push back on anything that doesn’t seem right. If your IT person says “actually, we fixed that last week” — great, I’ll update the report. If there’s a context I missed — “we left that port open intentionally because of X vendor requirement” — that changes the risk assessment and I’ll adjust accordingly.

Our goal is accuracy, not alarm. I’d rather you trust the report completely because we addressed every question than have you walk away with doubts.

These are ultra-condensed versions for tight spaces like website FAQ accordions:

Question	One-Line Answer
What is a security assessment?	A structured review of your cybersecurity posture across 9 critical areas, producing a letter grade and action plan.
How much does it cost?	$1, 500 -$ 12,000+ depending on scope and company size. Most SMBs invest $3, 500 -$ 7,000.
How long does it take?	8-10 business days. Your team’s time: ~2-3 hours total.
Will it disrupt our operations?	No. The assessment is non-invasive and read-only.
Is our data safe?	Yes. All data is encrypted, confidential, and deleted within 30 days.
Can this be done remotely?	Yes. Most work is remote. On-site visits available for local clients.
Do you do penetration testing?	No. We do configuration review and risk assessment. We refer pen testing to partners.
Will this help with cyber insurance?	Yes. We verify the controls carriers require and help with security questionnaires.
We already have an MSP.	We complement your MSP with independent, specialized security assessment.
We’re too small to worry about this.	60%+ of cyberattacks target businesses under 500 employees. Size doesn’t protect you.
What happens after the assessment?	You get a prioritized roadmap and follow-up support. Many fixes cost $0.
Do you offer ongoing services?	Yes. Quarterly retainers start at $500/ q u a r t er . v C I SO re t ain erss t a r t a t$ 1,500/month.
Are you insured?	Yes. Professional liability, general liability, and cyber liability — all $1M+ coverage.

APPENDIX: FAQ USAGE GUIDE BY CHANNEL

Channel	Best FAQ Format	Recommended Questions
Website FAQ page	Option A (concise) or Short-Form one-liners	Q1, Q6, Q7, Q8, Q9, Q10, Q13, Q16, Q18, Q31, Q33, Q41, Q42, Q45
Sales proposal appendix	Option C (detailed)	Q1, Q2, Q4, Q6, Q10, Q13, Q15, Q18, Q19, Q20, Q21, Q31, Q34
Email nurture sequence	Option B (conversational), one per email	Q24 (backup awareness), Q42 (too small), Q43 (no problems yet), Q44 (insurance), Q15 (ROI)
LinkedIn posts	Rework Option B into standalone posts	Q24, Q42, Q43, Q44, Q46 — each is a great standalone topic
In-person / phone sales	Memorize Option B answers	Q13, Q15, Q41, Q42, Q43, Q44, Q45, Q47
Industry-specific landing page	Option C + relevant compliance Qs	Q27, Q28, Q29, Q30 + industry-specific Q from Category 6
Partner (broker/MSP) communication	Option A + partner-relevant context	Q4, Q13, Q27, Q41

This library gives you 48 FAQs with 2-3 answer options each (100+ unique answer variations), plus short-form one-liners and a channel mapping guide. Pick what fits your voice, your brand, and where you’re using it. Mix, match, and customize.

Solanasis Docs

Explorer

SMB_Security_BDR_FAQ_Library