security and compliance services

Network security seems simple enough!  Slap a firewall on your network and call it a day?  Unfortunately no.  That hasn't been good enough... well, ever... but especially in recent years.  The internet has made the world a smaller place and has also given you a much larger security perimeter... and the threats evolve constantly.  Like any perimeter, putting up a fence is only useful if the fence doesn't have holes in it.

If you aren't sure where your risks are, if you've had a breach, or if you're starting to get the impression that you're not keeping up with the times, I'd recommend giving me a call.  Let's setup an audit and put a report in your hands that will clearly identify any weaknesses and quantify the risks associated and the costs involved to close any gaps.  

As always, I will thoroughly document and explain anything I find so that you can feel confident moving forward, planning for future spending, or changing strategies with confidence.

Employee education, while often overrated and overused, can be an useful tool in some circumstances, and I am happy to write employee handbook sections, conduct training meetings, etc.  The reason I say it is often overrated is that I've never seen an employee handbook that (even if it was thorough and current) was actually read and understood by the employees, or an employee onboarding process that included enough training, or enough effort made to consistently retrain staff as network security measures evolve with time.  The best strategy is to assume all your employees are willfully incompetent and downright reckless, and to protect yourself against their mistakes as much as from the rest of the world.  Their fragile brains and unjustifiably large egos regarding their technical abilities are part of your security perimeter, regardless how much education you perform.  As such, employee education is not a replacement for serious threat prevention strategies.

I have negotiated with ransomware hackers on the dark web before.  I have no desire to ever do it again.  But I will, for you, if I have to.  Let's make it a priority to prevent that, shall we?

Ransomware is typically the largest security threat your company will face.  A multi-layered backup strategy, proper network security, multi-factor authentication, and high-quality endpoint protection (think antivirus but better) that includes the ability to detonate all executables in a cloud-based sandbox environment before allowing them to run anywhere on your network are the keys to ransomware prevention.  Does that sound expensive?  It's not as much as you'd think and nowhere near as much as buying your data back.  Does it sound complicated?  It's really not that hard.  It just takes buying the right products and services, being just a bit diligent to keep your staff from opening holes, and a comprehensive strategy that includes your entire security perimeter.

I've never had a breach when those steps were followed.  Breaches only happen when management is cheap, employees are lazy, or IT staff is incompetent. I've got the last one covered.  If you cover the first one, employee laziness can be entirely mitigated.  We both know we can't trust them all.  We don't have to, so let's not trust any of them.  The risks are too high for that.

Physical security overlaps to a large extent with IT security, especially since physical security systems like alarms, access control systems, camera and surveillance systems, theft deterrent systems, and the management systems for all of the above use network appliances, are passed through network firewalls, and access to them is controlled via usernames and passwords that are often shared with network security.  As such, having a comprehensive physical security plan should always involve competent IT staff making sure there aren't gaps that can be exploited, certainly by unknown bad actors, but typically even more so by current and former employees.

While it isn't the most common service I provide, I am experienced with configuring, wiring, and installing security and camera systems.  I've done it before and I'll happily do it again if I need to.  More typically however, I can use my experience to help you avoid making mistakes when you choose these types of systems and services. I will manage the installation process with any providers to make sure it seamlessly integrates with your infrastructure and works as intended, help stress-test it for weaknesses after the fact, and train staff on the best ways to use it.

And lastly, if you would like a consultation on more extreme forms of physical security, disaster recovery, and personnel protection strategies to include active shooter scenarios, riots, natural disasters, safe rooms, or armed security services, etc. I am happy to lend my knowledge to those discussions as well.  I will not provide any of these services directly, but I can help you include them in your security plan in such a way that the strategy remains comprehensive and seamless with the technology you use to protect everything else.

Feel free to perform any background checks on me that you can think of. I will gladly provide any documentation you need.  As a one-man operation, my security perimeter is limited to just me.  I have a sterling reputation and would dare you to find a single person I've known since reaching adulthood that would question my integrity. The worst thing people usually have to say about me is that I'm a bit too bluntly honest for their taste.  If you choose to include my company in your security provider portfolio, you can rest assured that who I choose to hire is not a security gap that you can't control.  I'm not hiring anyone, and I'm the only one with access to my systems.  But even more than that... I'm just suspicious enough as a person that I won't ask you to trust me any more than absolutely necessary.  I don't want to know any passwords other than my own, and all of my customers have the ability to rescind my access to everything in less than 5 minutes if they decide to move on. As soon as your security installers are done, I'll come along behind them and lock THEM out of our systems, and grant you the ability to lock me out if you want to.  This will limit your vulnerability to only +1 over installing it all with your own two hands.

The last line of defense for your company against the worst case scenario is a well-structured Cyber Insurance policy.  To get competitive rates, your company must almost always complete a lengthy yearly questionnaire that details your network topology, security measures, cyber-security budget, backup system architecture, and disaster recovery plans.  They will also require you to comply with certain security standards like having all remote access to your data, including cloud-based data, be protected by multi-factor authentication and/or encrypted VPN tunnels.  They have strict standards for the storage of personnel data, client data, and especially credit card and payment data.  I hate to be scary, but if you fill that paperwork out incorrectly or fail to maintain the security standards you claimed you had, they are entitled to reject your insurance claim when you need it the most.  If you don't have a policy, are paying too much for your policy, or are worried you may have misrepresented your current situation to your insurance company, you could use my help.

Similarly, many industries, especially those regulated by government entities including financial institutions and many vendors who provide services to government institutions, have security and compliance requirements that must be maintained to keep licenses or vendor relationships in good standing.  If these standards lapse and you are sued or a party to any litigation, you could be liable for a failure to do so... and I would be willing to bet that your cyber insurance won't cover your losses since your policy probably required you to maintain the same standards that the compliance agreement did. If you accept credit cards, you'll also have a separate compliance requirement to meet.  If you haven't had an audit you trust in recent memory, you'll want to get that done.  Give me a call and lets make consistently scheduling one a part of your long term plan.

If you do find yourself in litigation, I can prepare statements, package data, write reports, and even investigate and track abuses in many cases.  I will also make a great expert witness for you because I have a well-practiced ability to explain complex topics to the non-technical in an understandable and non-intimidating way. These services only come with one condition:  I only tell the truth.  To make sure you'll want me making statements on your behalf, let's make sure you're 100% compliant and have done your due diligence.