Talking Points: The 5 Things That Will Actually Save Your Business

Presenter: Dmitri Sunshine, CEO, Solanasis
Format: 20-minute Chamber of Commerce presentation
Audience: SMB owners and operators (mixed industries)
Total slides: 16


Pre-Talk Checklist

  • QR code printed/displayed for go.solanasis.com/intro
  • Business cards available
  • Slide deck loaded and tested on venue projector
  • Water bottle at podium
  • Chamber contact has your intro bio

Slide 1: Cover (0:00 - 0:30)

What to say:

Welcome everyone. I’m Dmitri Sunshine, CEO of Solanasis. We’re a fractional CIO and CISO firm based here in Colorado; we help small businesses build operational resilience without needing a full-time executive team.

Today I’m going to walk you through the 5 things that, in my 23 years of enterprise architecture and security work, consistently separate the businesses that survive a crisis from the ones that don’t. This is the 80/20: the 20% of effort that covers 80% of your risk.

No jargon, no fear-mongering. Just practical stuff you can start doing this week.

Transition: Let’s start with why this matters right now.


Slide 2: The Uncomfortable Truth (0:30 - 1:30)

What to say:

So here’s the uncomfortable truth. 60% of small businesses that experience a major cyber incident close within 6 months. Not because the attack itself was catastrophic, but because they didn’t have the systems in place to recover.

75% of SMBs already know this is a problem. They rank cyberattacks as their top operational threat. And 43% of all cyberattacks specifically target small businesses; because attackers know you’re less likely to have defenses in place.

But here’s the thing I want you to take away from this slide: resilience isn’t just about cyberattacks. It’s about any disruption. Your key IT person quits. A vendor goes down. A pipe bursts in your server room. The question isn’t whether something will go wrong; it’s whether you’ll be ready when it does.

Audience engagement: Pause after the 60% stat. Let it land.

Transition: So who am I to be telling you this? Quick background, and then we’ll get into the actual framework.


Slide 3: About Me (1:30 - 2:00)

What to say:

I’ll keep this short because you’re here for the content, not my resume.

I went back to my roots about a year ago and started Solanasis. 23 years in enterprise architecture, security, and operations. I’ve worked with organizations from startups to Fortune 500.

What I do now is fractional CIO and CISO work for small businesses and nonprofits. Think of it as having a senior technology executive on your team a few days a month instead of paying $200,000+ a year for a full-time hire.

The thing that makes us different is verification culture. We don’t just write policies and check boxes. We actually test whether your backups restore. We actually run through your incident response plan. If we haven’t tested it, we don’t count it.

Delivery note: Keep this tight. 30 seconds max. The audience wants the content, not a bio. Smile. Be warm, not performative.

Transition: So let’s get into it. The 5 things that cover 80% of your operational resilience.


Slide 4: The 80/20 of Resilience (2:00 - 2:45)

What to say:

Here’s the framework. Five things. That’s it.

You don’t need a $500,000 security program. You don’t need to hire a full-time CISO. You don’t need to become a cybersecurity expert. You need these 5 things done right.

Tested backups. Key-person documentation. Multi-factor authentication everywhere. An incident response plan. And vendor and insurance readiness.

And here’s the thread that ties all five together: each one has the same test. Can you prove it works? Not that it exists on paper; not that someone told you it’s set up; but that you’ve actually tested it and it performed.

That’s the difference between having a plan and having resilience.

So let’s go through each one. I’ll give you the “why it matters” and then a specific action you can take this week.

Transition: Number one. Backups.


Slide 5: #1 Tested Backups - Problem (2:45 - 4:30)

What to say:

Number one: tested backups.

I’m going to ask everyone in the room a question, and I want you to be honest with yourself. When was the last time you actually restored from your backup? Not the last time your IT person told you “backups are running.” The last time someone actually pulled a file, or restored a system, from backup and confirmed it worked.

If you can’t answer that question, you’re in the majority. 58% of backup restores fail when they’re actually needed. Think about that. More than half the time, when a business desperately needs their backup, it doesn’t work.

Why? Corrupted files. Configuration drift. Storage that quietly filled up three months ago. The backup software says “success” every night, but nobody’s checking whether what it backed up is actually usable.

So here’s the uncomfortable distinction: having backups is not the same as having tested backups. And most businesses have the first one but not the second one.

Audience engagement: The opening question gets heads nodding. Look around the room. Let the silence after the question do the work.

Transition: So what do you actually do about this? It’s simpler than you think.


Slide 6: #1 The Backup Test - Action (4:30 - 6:00)

What to say:

So here’s what you do. And this is simple; you just have to actually do it.

Schedule a quarterly restore test. I mean literally put a recurring calendar event in right now. Every 90 days, someone on your team restores from backup and confirms it works.

And don’t just restore a single file. Do a full system restore to verify the whole thing works end to end. Measure how long it takes. Your time-to-recovery is one of the most important numbers in your business, and most business owners have no idea what theirs is.

Also, verify your backup scope. I can’t tell you how many businesses I’ve worked with where the backups cover the main server but miss the accounting database, or the email archive, or the custom application that runs half their operations.

Pro tip: ask your IT provider right now, “When was the last successful restore, and how long did it take?” If they can’t answer that question with a date and a number, that’s something to look into.

Delivery note: The “put a calendar event in right now” line is literal. Encourage people to do it. This is the most actionable moment in the talk.

Transition: Number two. The thing nobody wants to think about.
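The restore test this slide describes, written out as a script so the "restore, verify end to end, measure the time, check the scope" steps are concrete. This is an added example, not part of the talk or a Solanasis tool; the source tree, file names and the backup name "nightly" are constructed for the demo, and it assumes tar plus sha256sum (or shasum) are available.

```shell
#!/bin/sh
# Quarterly restore test as a script: back up with a checksum manifest, restore
# into a scratch directory, prove every file came back intact, confirm the backup
# scope still covers the systems it must, and record time-to-recovery.
# Added example; every path below is constructed for the demo.
set -eu

HASH=sha256sum
command -v sha256sum >/dev/null 2>&1 || HASH="shasum -a 256"

# Checksum every file below directory $1, relative to it, in a stable order.
manifest_of() {
  ( cd "$1" && find . -type f | sort | xargs $HASH )
}

# Back up directory $1 into $2.tar and save its manifest as $2.manifest.
take_backup() {
  manifest_of "$1" > "$2.manifest"
  tar -cf "$2.tar" -C "$1" .
}

# Compare restored tree $2 against the manifest saved with backup $1.
# Fails if any file is missing, unexpected, or has different contents.
verify_restore() {
  [ "$(manifest_of "$2")" = "$(cat "$1.manifest")" ]
}

# Restore backup $1 into $2, verify it, and print time-to-recovery in seconds.
restore_test() {
  start=$(date +%s)
  mkdir -p "$2"
  tar -xf "$1.tar" -C "$2"
  verify_restore "$1" "$2" || { echo "RESTORE FAILED: contents differ" >&2; return 1; }
  echo "restore of $1 verified in $(( $(date +%s) - start ))s"
}

# Scope check: each path given after the backup name must appear in its manifest
# (catches the accounting database a backup job quietly stopped covering).
check_scope() {
  base=$1; shift; rc=0
  for p in "$@"; do
    grep -q "[[:space:]]\./$p\$" "$base.manifest" || { echo "NOT IN BACKUP: $p" >&2; rc=1; }
  done
  return $rc
}

# Demo on a constructed source tree (deliberately missing the CRM export).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src/accounting" "$tmp/src/mail"
  echo "ledger rows" > "$tmp/src/accounting/ledger.db"
  echo "mail archive" > "$tmp/src/mail/archive.mbox"
  take_backup "$tmp/src" "$tmp/nightly"
  restore_test "$tmp/nightly" "$tmp/restored"
  check_scope "$tmp/nightly" accounting/ledger.db mail/archive.mbox crm/export.csv \
    || echo "scope gap found; fix the backup job before the next quarter"
  rm -rf "$tmp"
}
demo
```

The printed time is the number to write down each quarter; a scope gap or a failed verify is the "something to look into" from the pro tip above.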


Slide 7: #2 Key-Person Documentation - Problem (6:00 - 7:30)

What to say:

Number two: key-person documentation. This one hits close to home for a lot of business owners.

I want you to think about this question: if your IT person, or your office manager, or your bookkeeper quit tomorrow with no notice, does anyone else in your organization know how to keep things running?

Where are the admin passwords? Who has the vendor contacts? What’s the process for running payroll if that one person isn’t there? How do you access the security cameras, the phone system, the cloud storage?

The average SMB has 3 to 5 single points of failure in their operations. These are people who, if they’re unavailable for any reason, significant parts of the business stop working.

In tech we call this the “bus factor.” How many people have to get hit by a bus before your business can’t function? For most small businesses, the answer is uncomfortably small. Often it’s one.

And this isn’t just about someone quitting. People get sick. People take vacations. People retire. The question is whether the knowledge walks out the door with them.

Audience engagement: Watch for knowing looks when you mention the bookkeeper or office manager. These are the unsung single points of failure in every SMB.

Transition: The fix is straightforward, and you can start it today.


Slide 8: #2 The Keys List - Action (7:30 - 9:00)

What to say:

The fix is a document I call “Keys to the Kingdom.” It’s exactly what it sounds like.

Admin credentials. And I don’t mean written on a sticky note under the keyboard. I mean stored in a password manager like 1Password, Bitwarden, or LastPass, with at least two people who have access to the vault.

Vendor contacts. Who do you call when the internet goes down? When the phone system breaks? When QuickBooks stops syncing? You’d be surprised how many businesses have this information in exactly one person’s head.

A system map. Nothing fancy; just a document that says “this application runs on this server, this service depends on that service.” So when something breaks, you know what else might be affected.

Renewal dates. Domains, software licenses, contracts. I’ve seen businesses lose their domain name because the person who set it up used their personal email and left the company, and nobody knew the renewal was coming.

And emergency procedures. Not a 50-page disaster recovery plan. A simple “when X happens, do Y” reference card.

Pro tip: the Keys document doesn’t contain passwords. It documents where the passwords are stored and who can access them. The password manager is the vault; the Keys document is the map.

Transition: Number three. This one is the easiest win on the list.


Slide 9: #3 MFA Everywhere - Problem (9:00 - 10:30)

What to say:

Number three: multi-factor authentication everywhere. MFA. This is the single easiest, most impactful thing on this entire list.

99.9% of automated account attacks are blocked by MFA. That’s not my number; that’s Microsoft’s security research. 99.9%. Just by requiring a second factor beyond a password, you eliminate virtually all automated attacks.

The number one attack vector for small businesses right now is business email compromise. Here’s how it works: an attacker gets into one person’s email account, usually through a phished password or a reused password from a breach. Then they sit quietly, reading emails, learning the business. And then they impersonate that person. They send a fake invoice to a client. They request a wire transfer from the bookkeeper. They redirect a payment to their own account.

This happens to small businesses every single day. And in almost every case, it started with a compromised email account that didn’t have MFA turned on.

Passwords alone are not security. A strong password is better than a weak one, sure. But passwords get phished, they get reused, they get stolen in breaches. MFA adds a second lock on the door that makes all of that irrelevant.

Audience engagement: When you describe the BEC scenario, slow down. This is the “oh no” moment for half the room. Let them picture it happening to their business.

Transition: And the good news is, setting this up takes less time than this presentation.


Slide 10: #3 MFA in 30 Minutes - Action (10:30 - 12:00)

What to say:

Here’s your action, and I’m not exaggerating when I say you can do this today.

Priority one: email. Start with email because that’s where 80% of attacks begin. If you’re on Google Workspace or Microsoft 365, MFA is already built in. You literally just have to turn it on. It’s in the admin settings. If you don’t know how, your IT person does, or Google has a step-by-step guide that takes about 5 minutes.

Priority two: banking. Your bank almost certainly offers MFA for online banking. If they don’t, that’s a conversation worth having with them; honestly, it might be worth switching banks. Your money should have a second lock on it.

Priority three: cloud storage. Google Drive, Dropbox, OneDrive, SharePoint. Wherever your business files live, make sure access requires more than just a password.

For the authenticator app, I recommend Microsoft Authenticator or Google Authenticator. Both are free. Both work great. Try to avoid SMS-based MFA; that’s the text-message code. App-based is significantly more secure because phone numbers can be hijacked.

Transition: Number four. This one is about what you do when, not if, something goes wrong.


Slide 11: #4 Incident Response Plan - Problem (12:00 - 13:30)

What to say:

Number four: incident response. When something goes wrong, panic is not a plan.

Here’s the reality: most small businesses have zero written incident response procedures. Zero. When something happens; a ransomware attack, a data breach, even just the server going down on a Friday afternoon; nobody knows who’s supposed to do what.

There’s a concept in emergency response called the “golden hour.” The first 60 minutes of a critical incident determine about 90% of the outcome. In that first hour, the decisions you make about what to shut down, who to call, how to contain the damage; those decisions shape everything that comes after.

And most SMBs spend that entire golden hour in chaos. Who makes decisions? Nobody knows. Who calls the insurance company? Nobody knows. Who talks to the clients? Nobody knows. What systems should you shut down immediately versus keep running? Nobody knows.

That hour of confusion is where the real damage happens. Not from the attack itself; but from the delayed, disorganized response.

Audience engagement: The “nobody knows” repetition builds tension. Deliver each one a little more emphatically than the last.

Transition: The fix is simpler than you might think. It’s a single page.


Slide 12: #4 Your One-Page IR Plan - Action (13:30 - 15:00)

What to say:

Your action for this one: create a one-page “When Things Go Wrong” card. One page. Not a 50-page disaster recovery plan that nobody will read. One page with four sections.

Section one: who to call. Your IT support number. Your cyber insurance company’s incident hotline (this is different from your regular agent number; check your policy). Your lawyer. Law enforcement contacts. All with phone numbers. When you’re panicking at 2am, you don’t want to be searching through emails for a phone number.

Section two: what to shut down. Which systems do you disconnect immediately to contain the damage? And just as importantly, which systems do you keep running so you preserve evidence? Your insurance company and law enforcement will need that evidence.

Section three: who to notify. Clients, employees, vendors, regulators. And the timeline for each. Some industries have 24-hour or 72-hour breach notification requirements. You need to know that before the incident, not during it.

Section four: how to communicate. Who handles internal updates? Who talks to clients? What’s your social media posture; do you post something, or do you stay quiet until you have facts? These decisions should be made calmly in advance, not in the middle of a crisis.

And then laminate it. I’m serious. Put it next to the fire extinguisher, because it serves the same purpose. It’s the thing you grab when there’s an emergency.

Delivery note: “Laminate it” always gets a laugh. Lean into it.

Transition: Last one. Number five. This one is about the business side of resilience.


Slide 13: #5 Vendor & Insurance - Problem (15:00 - 16:30)

What to say:

Last one. Number five: vendor and insurance readiness. This is the business side of resilience that most people overlook.

Two numbers for you. 41% of cyber insurance applications are denied on first submission. Almost half. And when I ask business owners why, it’s almost always the same answer: they didn’t have the controls in place that the insurance company requires. No MFA. No endpoint detection. No incident response plan. Sound familiar?

And here’s the other number: supply chain attacks have increased 742% since 2020. A supply chain attack is when the attacker doesn’t come after you directly; they compromise one of your vendors, and use that as a doorway into your systems. Your payroll provider. Your CRM. Your cloud storage. Your MSP.

So your vendors aren’t just service providers; they’re part of your attack surface. And your insurance isn’t just a policy you pay for; it’s a safety net that only works if you’ve maintained it properly.

Most SMBs don’t manage either of these things proactively. They sign up for insurance once, never read the policy again, and never ask their vendors a single question about security.

The last place you want to read your insurance policy is during an incident.

Audience engagement: “Sound familiar?” after listing the controls ties back to items 1-4. This is where the framework clicks into place for the audience.

Transition: So here’s what you do about it.


Slide 14: #5 Vendor Audit & Insurance Check - Action (16:30 - 18:00)

What to say:

Two actions here, and both are about knowing what you have before you need it.

First, the vendor audit. Make a list of your top 10 vendors. The ones that have access to your data or your systems. Your IT provider, your payroll company, your CRM, your cloud storage, your accounting software.

Then ask each of them a simple question: do you have a SOC 2 certification, or an equivalent security certification? A SOC 2 means an independent auditor has verified that the company meets certain security standards. Not every vendor will have one, especially smaller ones, but you should know which ones do and which ones don’t.

Review what data each vendor has access to. Some of them have more access than you realize. And check your contracts; do they include a requirement to notify you if they have a breach? If not, you might not find out until the damage is done.

Second, the insurance check. I know this sounds basic, but read your cyber insurance policy. Most business owners couldn’t tell me their coverage limit, their deductible, or their exclusions. Know what isn’t covered; that’s often more important than what is. And know your incident reporting timeline. Many policies require you to report an incident within 24 to 72 hours. Miss that window and your claim could be denied.

Save the claims hotline number in your incident response plan; the one-page card we talked about earlier. Everything connects.

Delivery note: “Everything connects” is a subtle callback to the framework. Don’t over-emphasize it; just let it land naturally.

Transition: So let’s pull all of this together.


Slide 15: The Checklist (18:00 - 19:00)

What to say:

So here’s your checklist. Five things. Each one has a specific action you can take this week.

[Read through each item, but briefly; don’t repeat the full explanations]

One: schedule your quarterly backup restore test. Two: start your Keys to the Kingdom document. Three: turn on MFA for email, banking, and cloud storage. Four: write your one-page IR card and laminate it. Five: list your top 10 vendors and read your insurance policy.

You don’t have to do all five this week. Start with one. Start with whichever one made you the most uncomfortable during this presentation; that’s probably the one you need most.

The beautiful thing about this list is that none of it requires special expertise. None of it requires expensive software. None of it requires hiring someone. These are things you can do with the resources you already have.

Audience engagement: This is the moment of empowerment. Shift your energy from urgency to encouragement. You’ve spent 18 minutes creating constructive tension; now release it.

Transition: And if you want help figuring out where you stand, that’s what this last slide is about.


Slide 16: CTA - Let’s Talk (19:00 - 20:00)

What to say:

So if any of this resonated with you, and especially if you’re thinking “I should really look into this but I don’t know where to start,” I’m offering a free Resilience Pulse Check.

It’s 15 minutes. No pitch. No sales deck. Just a quick diagnostic conversation about where your business stands on these 5 items and which one to tackle first.

You can scan this QR code right now, or go to go.solanasis.com/intro to book a time that works for you. Or just grab my card on the way out; I’m happy to chat after this as well.

My name is Dmitri Sunshine, I’m at 303-900-8969, or hi@solanasis.com.

Thank you for your time and presence.

Delivery note: “Thank you for your time and presence” is your signature sign-off. Deliver it warmly and make eye contact with the room. Then pause. Don’t rush into Q&A.


Q&A Guidance (if time permits)

  • If someone asks about a specific tool/product: “That’s a great question. Rather than recommending something generic, I’d want to understand your setup first. That’s exactly the kind of thing we’d cover in a Pulse Check.” (Redirects to CTA without being evasive)
  • If someone asks about cost of implementing these 5 things: “Honestly, all five can be done with free or existing tools. The investment is time, not money. The hard part is making it a priority.”
  • If someone asks about compliance requirements: “Great question. The specific requirements vary by industry. Healthcare has HIPAA, financial services has various regulations, government contractors have CMMC. But these 5 things are the foundation that supports all of them.”
  • If someone shares a horror story: Listen. Nod. Don’t one-up it. Say “That’s exactly why this matters. Thank you for sharing that.”

Post-Talk Checklist

  • Collect business cards from anyone who approached you
  • Send follow-up email to Chamber contact within 24 hours
  • Connect on LinkedIn with anyone who mentioned specific interest
  • Log contacts in CRM (ClickUp)
  • Note any common questions or concerns for future presentations