
PODCAST · business

SMB Tech & Cyber Newsletter | CPF Coaching

I empower Chief Information Security Officers (CISOs) and Small to Medium-sized Businesses (SMBs) to elevate their cybersecurity strategies, guiding them past stagnation to achieve tangible outcomes. substack.cpf-coaching.com

  1. 121

    Stolen Logins, AI Agents, and $450K Regulatory Fines

    What inside your business can act before a human verifies it? This week, we dive into the convergence of three major tech shifts: the modular infostealer economy, costly regulatory enforcement after ransomware, and the mainstream arrival of computer-using AI agents like Gemini 3.5 Flash. If you lead tech or cybersecurity for an SMB, this episode provides a localized execution plan to bridge the gap between risk awareness and actual protection. We cover:
    * Cyber Threats: Why treating browsers, endpoints, and admin sessions as a single identity risk surface is critical to stopping credential theft.
    * Compliance: How to build an evidence trail that satisfies regulators (like HHS OCR) before a ransomware incident occurs.
    * AI Governance: Setting up "advise, draft, and act" lanes for AI to prevent unverified execution.
    Listen in for the 3 steps you need to take this week to secure your unverified workflows. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  2. 120

    5 Critical Security Alerts from Last Week: Copilot Bugs, Bluetooth Hacks, and New Privacy Laws

    January 2026 Alert: Critical Microsoft Copilot vulnerability (Reprompt), Bluetooth "WhisperPair" exploit affecting Sony/Google devices, and new privacy laws in IN, KY, & RI. Get the executive summary and 30-day mitigation plan for SMBs.

  3. 119

    AI, Identity, and Breaking Into Cyber: CEO Jasson Casey’s Blueprint for Success

    From building software to defending it: Jasson Casey (CEO, Beyond Identity) shares his journey from Software Engineer to Cybersecurity Expert. Discover why mastering network protocols and engineering fundamentals is the secret to a successful cyber career. Listen now on Breaking into Cybersecurity.

  4. 118

    The Glass House: Why 2026 is the Year We Must Audit Our "Agents" and "Avatars"

    CES 2026 changed the threat landscape. From "Superuser" AI agents to "cute" surveillance robots like Mirumi, we outline the top 4 trends SMB tech leaders must address immediately to secure their organizations.

  5. 117

    3 Urgent Cyber Threats Costing SMBs Millions (2025 Update)

    Urgent briefing for US SMBs: Critical patches needed for WatchGuard, Fortinet, & Cisco. Discover how to stop AI attacks and avoid $3M breach costs. Read the plan.

  6. 116

    Don't Boil the Ocean: A Cost-Effective Architecture for CMMC Level 2

    CMMC Phase 1 is effective as of Nov 2025. DIB leaders: Get the strategic guide to CUI, VDI, and NIST 800-171 compliance before the 2026 deadline.

  7. 115

    The Silent Kill Switch: Why Your Business Needs a "Human" Disaster Recovery Plan

    Is your business one tragedy away from collapse? Learn how to mitigate "Key Person Risk" and the "Bus Factor" with our 2025 guide to IT succession planning.

  8. 114

    Your CEO and Your Sales Team Don't Face the Same Threats.

    The “One-Size-Fits-All” Problem
    We’ve all been there. A mandatory, hour-long cybersecurity training video that covers everything from phishing to physical security in a bland, generic way. Your marketing team is half-listening while thinking about their next campaign, and your finance department is wondering how any of this applies to their daily invoice processing.

  9. 113

    Breaking into Cybersecurity: An In-Depth Conversation with Eric Stride

    In the latest episode of “Breaking into Cybersecurity,” host Chris Foulon sits down with Eric Stride, the Chief Security Officer at Huntress. Eric’s journey into cybersecurity is not only inspiring but also enlightening for anyone looking to enter this ever-evolving field. With over two decades of experience in the military and private sectors, Eric shares his insights on career development, leadership, and the future of cybersecurity.

  10. 112

    Quantum Computing: Your Next Great Opportunity

    Quantum Computing: The Future of Innovation and Security
    In this episode, we explore the revolutionary impact of quantum computing on the future of technology, innovation, and security. Learn about the key differences between classical bits and quantum qubits, and how superposition and entanglement enable unprecedented computational capabilities. Discover the strategic opportunities quantum computing presents for industries such as pharmaceuticals, logistics, and artificial intelligence, as well as the urgent cybersecurity threats it poses. Finally, gain actionable insights on how to prepare your organization for the quantum age by conducting risk assessments, exploring post-quantum cryptography, and ensuring crypto-agility. Don't be left behind—embrace this transformative technology and secure your place in the future.

  11. 111

    Beyond the Cloud: Mastering the Shared Responsibility Model for Comprehensive Risk Management

    Don't assume your cloud provider has you covered. Master the Shared Responsibility Model, build a comprehensive SRM, and align your strategy with frameworks like NIST and CMMC. Read our guide to achieve total accountability.

  12. 110

    Navigating the Future of Cybersecurity: Insights from William (Bill) Welser IV

    Discover what lies ahead in cybersecurity with technology expert Bill Welser IV. Gain insights into AI's influence, key skills needed, and ways to prepare for the future. From his experience in the Air Force to AI startups, Bill Welser IV discusses his distinctive cybersecurity career path. Explore topics like systems thinking, new technologies, and advancing your career.

  13. 109

    Cybersecurity Entrepreneurship: Real-World Advice from Serial Founder Sinan Eren

    By Chris Foulon & Sinan Eren

    Introduction
    In this episode of "Breaking into Cybersecurity," we sat down with Sinan Eren, a seasoned cybersecurity professional, entrepreneur, and founder. Sinan’s journey from a curious hobbyist in Istanbul to a serial founder in Silicon Valley offers a wealth of insights for anyone interested in cybersecurity, entrepreneurship, or both. Here are the highlights and lessons from our conversation.

    From Hobbyist to Professional: The Early Days
    Sinan’s entry into cybersecurity wasn’t a deliberate career choice. In the late 1990s, cybersecurity wasn’t even a defined field, just a function of IT. Resources were scarce, and much of the learning happened in underground communities like IRC and through publications like Phrack magazine. For Sinan, curiosity and a desire to experiment led him to discover vulnerabilities and share his findings on mailing lists like Bugtraq, which eventually opened doors to job opportunities.
    Key Takeaway: Sometimes, passion and curiosity can be more important than formal education in breaking into a new field.

    Signature-Based vs. Heuristic Security: A Technical Evolution
    Sinan explained the shift from signature-based antivirus solutions to heuristic and behavioral approaches. Early security tools relied on known patterns to detect threats, but as malware evolved—like the infamous Code Red worm—this reactive approach proved insufficient. The industry began to focus on detecting abnormal behaviors, setting the stage for modern endpoint security.
    Key Takeaway: The cybersecurity landscape is always evolving. Staying ahead means understanding both the history and the latest trends in threat detection.

    Entrepreneurship in Cybersecurity: Two Playbooks
    Sinan’s entrepreneurial journey followed two main playbooks:
    * The Hype Playbook: Attach security to the latest technology trend (e.g., AI + Security).
    * The Next-Gen Playbook: Take an existing solution and make it better, faster, or more secure (e.g., reinventing VPNs with Zero Trust Network Access).
    His first company focused on mobile security, capitalizing on the rise of mobile apps and their security flaws. Later ventures addressed remote access and automation, always driven by real-world needs and feedback from users.
    Key Takeaway: Successful startups often solve existing problems in new ways or improve on what’s already out there. Listen to the market and adapt.

    Lessons Learned: Growth, Pivots, and Exits
    Sinan shared candid stories about the challenges of scaling a startup, including the risks of over-reliance on a single partner and the importance of diversifying your customer base. He emphasized the value of learning from mistakes and knowing when to pivot or sell.
    Key Takeaway: Flexibility and self-awareness are crucial in entrepreneurship. Sometimes, the best move is to exit and apply your lessons to the next venture.

    Automation and the Future: Beyond Cybersecurity
    Sinan’s latest venture emerged from listening to managed service providers who struggled with operating and automating a growing stack of security tools. By leveraging process mining, UI automation, and AI, his team built solutions that automate repetitive tasks, not just in cybersecurity but also in finance and other fields.
    Key Takeaway: The skills and solutions developed in cybersecurity can often be applied to other industries. Don’t limit your vision to a single domain.

    Advice for Aspiring Professionals and Leaders
    * For Beginners: The field is more exciting than ever, especially with the rise of AI and LLMs (Large Language Models). Red teaming and offensive security remain fertile ground for creative minds, regardless of background.
    * For Experienced Pros: Embrace the challenge of integrating AI responsibly. Focus on building guardrails and understanding business processes, not just deploying tools.
    * For Entrepreneurs: Understand your customers’ workflows and pain points. Document processes, model workflows, and always be ready to adapt your product or business model.

    Conclusion
    Sinan Eren’s story is a testament to the power of curiosity, adaptability, and listening, both to technology and to people. Whether you’re just starting out or leading a team, the lessons from his journey can help guide your own path in cybersecurity and beyond.
    To hear the full conversation, listen to the episode of Breaking Into Cybersecurity (also uploaded as the video in this post; the YouTube channel has years of previous conversations).

    Some security tools you can consider for improving your business security posture:
    * CrowdStrike Falcon: An AI-driven platform for securing your infrastructure at scale and keeping up with AI advancements. https://crowdstrike2001.partnerlinks.io/Cpf-coaching
    * INE Security Awareness and Training is essential for your team to stay updated with the evolving threat landscape, enhancing the effectiveness of the teams supporting your organization. https://get.ine.com/cpf-coaching
    * Tenable helps identify weaknesses in your infrastructure, whether on-premises, in the cloud, or in your software, providing your vulnerability management with the visibility it needs. https://shop.tenable.com/cpf-coaching
    * Cyvatar.AI: Managed endpoint protection solution for SMBs and digital cloud environments. https://cyvataraif5706.referralrock.com/l/CHRISTOPHE77/
    * Omnistruct helps you with privacy, GRC, and security programs. They can serve as your BISO to help scale your team and security program. https://omnistruct.com/partners/influencers-meet-omnistruct/
    * Guidde helps you turn your tribal, undocumented processes into easy-to-follow documented videos and instructions. https://affiliate.guidde.com/cpf-coaching
    * Cyberupgrade simplifies the process of enhancing your cyber and digital risk management, allowing you to grow your business without having to be a compliance expert. They take care of the complexities associated with frameworks like DORA, ISO 27001, and NIS2, enabling your team to concentrate on building, scaling, and serving your customers. https://join.cyberupgrade.net/cpf-coaching
    * 1Password secures your secrets, tokens, passwords, documents, and more, whether you're at home, work, or school. They offer programs suited for everyone. https://1password.partnerlinks.io/cpf-coaching

  14. 108

    How to Build a Security Culture with Data-Driven Reporting

    Foster a true security-first culture by mastering effective cloud security reporting. Learn to translate technical risk into business impact for leadership and technical teams using tools like Microsoft Power BI. Move security from a cost center to a strategic business enabler.

  15. 107

    Vulnerability Management Metrics: 15 KPIs to Measure & Mature Your Program

    Supercharge your vulnerability management with a data-driven approach! Discover the 15 essential key performance indicators (KPIs) that will help you track your progress, highlight the value of your efforts, and elevate your security program. Embrace actionable metrics to continuously measure, monitor, and enhance your strategy—it's a journey towards a more secure future!

  16. 106

    The Ghost in Your Cloud: How Hackers Use Social Engineering to Infiltrate and Attack

    Unmasking the "low and slow" identity attacks where threat actors lie in wait within your cloud accounts, and how to fight back before they strike.
    Discover the new wave of silent cyber threats. Learn how hackers use social engineering to compromise cloud accounts, stay dormant to evade detection, and launch devastating attacks later. Protect your organization now.

  17. 105

    Data-Centric Security: Protect Your Cloud Data with Microsoft Defender

    Stop chasing every vulnerability. Learn how a Data-Centric Security approach using Microsoft Defender for Cloud helps you discover, classify, and protect your most sensitive cloud data. Prioritize real business risks and prevent impactful breaches.

  18. 104

    The Phantom Workforce: A Guide to Combating State-Sponsored IT Infiltration

    🚀 Transform Your Cybersecurity Approach! 🚀 Join me on a journey through "The Phantom Workforce," where I delve into combating state-sponsored IT infiltration. Equip yourself with knowledge and strategies to protect your organization's sensitive information from modern threats. Let's enhance our cyber defenses together! #cyberawareness #protectyourdata #ITinfiltration

  19. 103

    Develop and Enforce Robust Remediation Policies and SLAs

    Strengthen your organization's security response with robust Remediation Policies and SLAs! Discover how to transform your vulnerability management program into a mature, auditable business function that ensures accountability and timely risk reduction. Learn more about the essential components of a successful policy in our latest discussion.

  20. 102

    From Psychology to Cybersecurity: Craig Taylor's Impact

    In this episode of Breaking into Cybersecurity, host Chris welcomes Craig Taylor, CEO of Cyber Hoot, as he shares his inspiring journey into the cybersecurity industry. Known for his role as a virtual CISO and cybersecurity awareness advisor, Craig discusses how he began his career with a psychology degree and eventually transitioned into cybersecurity. He delves into the importance of positive reinforcement over punishment in cybersecurity training and the evolving role of AI in detecting and mitigating threats. Craig also offers valuable advice for those looking to enter the field and emphasizes the need for organizations to understand and manage AI-related risks. Tune in for insights on cybersecurity, AI advancements, and practical tips to enhance cybersecurity awareness.

  21. 101

    Embed Security into the DevOps Lifecycle (DevSecOps)

    Learn to "shift left" with DevSecOps. Discover how to integrate security into your development lifecycle, from Infrastructure as Code (IaC) scanning to container analysis, using Microsoft Defender for Cloud to build a proactive, code-to-cloud security posture.

  22. 100

    Navigating the Cybersecurity Career Path: Insights from CISO Tradecraft with Guest Christophe Foulon

    In a recent episode of CISO Tradecraft, host G Mark Hardy sat down with cybersecurity expert Christophe Foulon to explore the intricacies of entering and thriving in the cybersecurity industry. Christophe, a seasoned professional and podcast host, shared his wealth of experience and offered valuable insights for anyone considering a career in cybersecurity or looking to advance within the field.

    Breaking into Cybersecurity
    The episode began with a discussion about the challenges and rewards of breaking into cybersecurity. Christophe highlighted his own journey, starting from a help desk role and eventually transitioning into cybersecurity. He emphasized the importance of staying current with certifications and the ever-evolving nature of the industry. "Technology moves along with or without us," Christophe noted, emphasizing the necessity of continuous learning.

    Understanding the CISO Role
    A key focus of the conversation was the allure of the CISO (Chief Information Security Officer) title and its associated responsibilities. Christophe pointed out that while the title and paycheck might seem attractive, the reality involves continuous learning, long hours, and high-pressure situations. He stressed the importance of understanding these demands before aspiring to such a position.

    The Importance of Leadership and Ownership
    Christophe shared that becoming a successful CISO requires more than just technical expertise. It involves political and management skills, and the ability to communicate effectively with the board and other executives. He also emphasized the need for CISO candidates to have political awareness and the capacity to work with stakeholders to own and manage risk.

    Building a Strong Cybersecurity Team
    Leadership was another crucial topic discussed. Christophe underscored the importance of understanding personal motivations and career aspirations within a team. By aligning roles with individual strengths and desires, leaders can foster productivity and satisfaction. He advocated for methods like personality assessments and one-on-one conversations to optimize team dynamics.

    Leveraging Neurodiversity
    A particularly insightful part of the discussion revolved around the role of neurodiversity in cybersecurity. G Mark Hardy and Christophe agreed that cybersecurity often attracts neurodiverse individuals, whose unique skills can become superpowers within the field. Ensuring these individuals find roles that align with their strengths not only enhances organizational productivity but also boosts individual fulfillment.

    Advice for Aspiring CISOs and New Entrants
    Christophe provided guidance for those considering a career as a fractional or virtual CISO, emphasizing the importance of understanding legal responsibilities and setting clear scope and expectations with clients. He also advised on staying true to one’s passions to prevent burnout.

    Conclusion and Contact Information
    The episode wrapped up with Christophe encouraging strategic thinking in both career development and cybersecurity program planning. For those interested in learning more from Christophe, his resources, including his podcast "Breaking into Cybersecurity" and books, are available on platforms like YouTube, Apple Podcasts, and Amazon. Additional information can be found on his website at christophefoulon.com. CISO Tradecraft continues to provide invaluable content for cybersecurity professionals seeking to elevate their careers and leadership skills. As the industry evolves, the lessons from thought leaders like Christophe Foulon remain crucial for both personal and professional development.

  23. 99

    CISO Trade Craft Podcast with Guest Christophe Foulon

    In this episode of CISO Tradecraft, host G Mark Hardy welcomes Christophe Foulon, founder of CPF Coaching LLC. Christophe shares insights on enabling businesses to use technology safely through strategic planning, risk management, and tailored cybersecurity measures. He emphasizes the importance of a holistic approach to security, addressing people, processes, and technology to enhance business resilience. Christophe also discusses his efforts in developing leaders within organizations and his support for the community through his podcast and involvement with various non-profits.

  24. 98

    Automate Remediation and Response with Security Orchestration

    Ditch slow manual processes. Discover how security automation and SOAR reduce human error, accelerate threat containment, and free up your security analysts.

  25. 97

    Cloud Security: Identity as the New Perimeter | JIT & Adaptive Access

    Discover how a robust Identity and Access Management (IAM) strategy, with JIT access and adaptive controls, can transform your cloud security and virtually patch vulnerabilities.

  26. 96

    Overwhelmed by Alerts? A Guide to Risk-Based Prioritization Over CVSS

    Discover how to mature your vulnerability management from a reactive chore to a continuous, risk-based program. This guide helps leaders protect their multi-cloud enterprise, prevent data breaches, and measurably reduce business risk.

  27. 95

    Navigating Third-Party Risk Management: Essential Strategies for SMBs

    Mastering Third-Party Risk Management for SMBs
    In today's interconnected business environment, SMBs increasingly rely on third-party vendors and partners, heightening risk factors. This episode dives into essential strategies for effective Third-Party Risk Management (TPRM). Learn to inventory and assess third-party relationships, conduct thorough due diligence, set clear contractual requirements, and continuously monitor and reassess security postures. Discover how to form incident response plans, train your team effectively, and leverage external resources to bolster your TPRM program. Enhance your cybersecurity approach to safeguard assets, reputation, and customer trust. For personalized assistance, contact [email protected]. Plus, discover how easyDMARC can ensure your emails reach their intended destination.

  28. 94

    10 Best Practices for the Modern Enterprise: Achieve Complete Attack Surface Visibility

    Discover how to mature your vulnerability management from a reactive chore to a continuous, risk-based program. This guide helps leaders protect their multi-cloud enterprise, prevent data breaches, and measurably reduce business risk.

  29. 93

    Strengthening Your Digital Defense: Practical Cybersecurity Approaches for SMB Tech Executives in 2025

    The cyber environment presents ongoing challenges with increasing cyber threats, and Small to Medium Businesses (SMBs) often find themselves particularly at risk. Although high-profile breaches frequently make the news, SMBs are sometimes targeted because they are viewed as more vulnerable and have limited resources, making them what some might call "low-hanging fruit" for cybercriminals.

  30. 92

    Review of the 2025 Verizon DBIR

    The 2025 Verizon DBIR is out! Learn the critical cybersecurity shifts impacting SMBs: soaring third-party risks, rising espionage, persistent ransomware, and the continued threat of credential abuse. Get actionable insights for stronger defenses.

  31. 91

    Navigating CMMC 2.0: A Strategic Imperative for Tech Leaders Protecting CUI

    Navigate CMMC 2.0 compliance for government contractors protecting CUI. Understand the 3 levels, key requirements, and how it compares to FedRAMP and DoD Impact Levels. Learn about Microsoft GCC High for CMMC readiness.

  32. 90

    Crafting an Effective Overall Risk Management Plan for SMBs from Scratch

    Small and medium-sized enterprises (SMBs) increasingly rely on digital presence, facing IT and business challenges. Tech leaders launching initiatives need a robust risk management strategy that is careful yet efficient. This report provides SMBs with a comprehensive template that combines industry insights, risk management best practices, and case studies to recognize, evaluate, and mitigate risks while aligning with business goals.

  33. 89

    Navigating NIST 800-171 Compliance: A Strategic Guide for SMBs

    Discovering NIST 800-171 & CMMC ComplianceThe threat landscape is filled with growing cyber risks, making it vital for organizations to protect sensitive information. This is particularly critical for Small and Medium-sized Businesses (SMBs) operating within the Defense Industrial Base (DIB), where safeguarding Controlled Unclassified Information (CUI) is not just a matter of security but a prerequisite for survival. The National Institute of Standards and Technology (NIST) Special Publication 800-171 is the cornerstone for this protection in non-federal systems. Furthermore, the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework builds upon NIST 800-171, underscoring its importance. For SMBs in the DIB, achieving and maintaining compliance is not merely a regulatory hurdle; it represents a strategic imperative for accessing Department of Defense (DoD) contracts and ensuring the long-term viability of their business.1 NIST SP 800-171 provides the necessary guidelines and requirements for protecting this sensitive government data, making its adherence a contractual obligation for organizations that handle CUI.4The Dual Challenge and Opportunity: Balancing Security with SMB RealitiesWhile the importance of cybersecurity compliance is evident, SMBs often face a unique set of challenges in achieving NIST 800-171 and CMMC compliance. 
Limited resources, financial constraints, a scarcity of dedicated personnel, and a lack of in-house cybersecurity expertise frequently present significant obstacles.6 Implementing NIST SP 800-171 using only internal resources can demand a substantial investment of time and money, potentially straining the already tight budgets of smaller organizations.13 Furthermore, the technical and often intricate requirements of both NIST 800-171 and CMMC require specialized cybersecurity knowledge that many SMBs may lack internally, making accurate interpretation and practical implementation considerable challenges.7 The daily demands of running a small business often leave owners and employees with stretched schedules, making it difficult to allocate the dedicated time required for thorough compliance planning, implementation, and the creation of necessary documentation.7 Adding to this complexity is the fact that cybersecurity standards are not static; NIST 800-171 and CMMC are subject to revisions and updates, requiring SMBs to commit to ongoing monitoring and adaptation of their security practices to maintain a compliant posture.7 Finally, accurately identifying all instances of Controlled Unclassified Information (CUI) within an SMB's diverse IT environment and implementing the appropriate technologies for its effective management and protection can be a particularly challenging aspect of compliance.7Despite these considerable challenges, achieving NIST 800-171 compliance presents significant opportunities for SMBs within the defense sector. 
Compliance is the key that unlocks the substantial, often high-value contracting opportunities available within the DoD and its extensive network of prime contractors.[1] By implementing the controls NIST 800-171 mandates, SMBs strengthen their defenses against data breaches, malware, and unauthorized access, producing a more resilient operation.[1] Adhering to a recognized standard signals to customers, clients, and partners a strong commitment to data security and privacy, which builds trust and strengthens business relationships.[1] Compliance can also set an SMB apart from competitors, particularly when competing for government contracts or seeking partnerships with larger organizations that prioritize robust cybersecurity.[1] By reducing the likelihood and impact of breaches, compliance mitigates reputational damage, avoids costly legal repercussions, and protects business continuity.[1] NIST 800-171 also requires a documented incident response capability, equipping SMBs with the procedures to react swiftly and effectively to security incidents and to minimize damage and downtime.[15] Finally, although there is an up-front investment, preventing incidents through NIST 800-171 compliance can yield substantial long-term savings by avoiding the costs of breach recovery, legal action, and reputation repair.[15]

Decoding the Frameworks: Understanding NIST 800-171 and CMMC 2.0

NIST SP 800-171 is a set of security requirements for protecting CUI when it is handled by non-federal organizations, particularly those contracting with the DoD.[1] Revision 2 organizes 110 requirements into 14 families; Revision 3 restructures them into 97 requirements across 17 families.[16] Revision 3 (released May 2024) brings significant changes: closer alignment with NIST SP 800-53 Revision 5, Organization-Defined Parameters (ODPs) that let requirements be tailored to the organization, and three new families covering planning (PL), system and services acquisition (SA), and supply chain risk management (SR).[1] It also refines the tailoring criteria, recategorizes some controls, and consolidates and clarifies others to simplify implementation.[14] Note, however, that DoD assessments and CMMC Level 2 are currently pinned to Revision 2 and its 110 requirements; confirm which revision your contract cites before scoping any work.

The Supplier Performance Risk System (SPRS) is the official DoD repository where contractors, SMBs included, must upload the score from their NIST 800-171 self-assessment; it is how cybersecurity readiness is demonstrated to the DoD before award.[1]

Building on NIST 800-171, CMMC 2.0 is the DoD's framework for ensuring that every contractor in the DIB implements and maintains adequate protection for sensitive government information, both CUI and Federal Contract Information (FCI).[2] CMMC 2.0 has a streamlined three-tier structure:

* Level 1 (Foundational) covers basic safeguarding of FCI through 15 security requirements.[7]
* Level 2 (Advanced) protects CUI and requires the 110 security requirements of NIST SP 800-171.[1]
* Level 3 (Expert) defends CUI against Advanced Persistent Threats (APTs) by adding selected requirements from NIST SP 800-172.[7]

Assessment requirements differ by level. Level 1 uses an annual self-assessment. Level 2 requires a triennial assessment: a self-assessment for some contracts, or an assessment by a Certified Third-Party Assessment Organization (C3PAO) for contracts involving prioritized CUI. Level 3 requires a current Level 2 C3PAO certification plus a triennial government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Every level also requires an annual affirmation of continued compliance by a senior company official.[7] The DoD is incorporating CMMC requirements into new contracts in phases, beginning with select solicitations in 2025 and expanding over roughly three years.[2]

Your Actionable Roadmap to NIST 800-171 Compliance: Practical Steps for SMBs

Navigating the path to NIST 800-171 compliance can seem daunting, but broken into manageable steps it becomes workable.

Step 1: Understand Your Requirements and Scope. Determine whether your business handles CUI and identify the CMMC level your DoD contracts require.[9] Then define the scope of the information systems subject to these requirements, focusing on the systems that process, store, or transmit CUI.

Step 2: Conduct a Gap Analysis. Assess your current cybersecurity posture against each NIST 800-171 requirement.[7] Evaluate your existing measures systematically and record where they fall short of the standard.

Step 3: Develop a System Security Plan (SSP). 
A comprehensive System Security Plan (SSP) is the cornerstone of your compliance effort.[8] It should describe how your organization implements each NIST 800-171 requirement, with specifics about your IT infrastructure, security policies, and operational procedures.

Step 4: Implement the Required Security Controls. Based on the gap analysis and the roadmap in your SSP, implement the necessary technical, physical, and administrative controls.[5] Key areas include access control, security awareness training, audit and accountability mechanisms, configuration management, and an incident response plan.

Step 5: Create a Plan of Action and Milestones (POA&M). For any requirement not yet fully implemented, develop a POA&M.[1] It should document the specific remediation steps, the resources you will allocate, and the target date by which each outstanding requirement will be fully met.

Step 6: Implement Continuous Monitoring. Compliance is not a one-time event; establish continuous monitoring.[8] Assess your controls and systems on an ongoing basis to confirm they remain effective, and review and update the SSP and POA&M regularly as threats and your environment change.

Step 7: Prepare for Assessment (if applicable). 
For SMBs pursuing CMMC 2.0 Level 2 certification, the final step is engaging a C3PAO to conduct the formal assessment; Level 3 adds a subsequent government-led DIBCAC assessment.[2] Conduct internal readiness reviews or mock audits beforehand to find and close any remaining gaps, so the official assessment goes more smoothly.

Navigating the Hurdles: Addressing Common Pain Points and FAQs

SMBs on the road to NIST 800-171 and CMMC compliance encounter several recurring challenges. One frequent pain point is the ambiguity of some NIST 800-171 requirements, which makes it hard to determine which specific controls to implement and whether a given solution is sufficient.[100] The lack of time and resources, in both people and money, to implement the technical and procedural controls and to create and maintain the extensive documentation is another major hurdle.[109] Budget constraints and the costs of compliance, including new technology, consultant fees, and employee training, are significant concerns.[109] Ensuring that cloud service providers and other third parties who handle or can access CUI also meet the requirements adds another layer of complexity.[14] Many SMBs also struggle to treat compliance as a continuous process with ongoing monitoring and regular updates rather than a one-time project.[14] Finally, the precise relationship between NIST 800-171 and CMMC, and how the NIST requirements map onto the CMMC levels and assessment processes, is a common source of confusion.[110]

To help SMBs navigate these challenges, here are answers to some frequently asked questions:

* What CMMC level do I need? The level is determined by the type of information handled under your DoD contracts: Level 1 for Federal Contract Information (FCI), Level 2 for CUI, and Level 3 for CUI that must be protected against Advanced Persistent Threats (APTs).[7]
* How long does the certification process take? Typically several months to more than a year, depending on your current cybersecurity maturity, the required CMMC level, the complexity of your IT environment, and how efficiently you implement.[6]
* Can small businesses afford CMMC/NIST compliance? The costs can be substantial, but they can be managed by reducing the compliance boundary, leveraging existing resources, exploring financial assistance, and phasing the implementation.[6]
* What happens if we are not compliant? Consequences include loss of eligibility to bid on new contracts, possible termination of existing agreements, financial penalties, and significant reputational damage.[7]

Learning from Success: Case Studies of SMBs Achieving NIST 800-171 Compliance

Examining the experiences of SMBs that have successfully navigated NIST 800-171 and CMMC compliance offers valuable insights and actionable strategies for others. 
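The "perfect score" in the first case study below, and the 110/110 in the title of the cited case study, is the SPRS self-assessment score computed under the DoD Assessment Methodology for NIST SP 800-171 Revision 2. The following is an added example written for this article, not code from the page's sources or from any vendor. It shows the arithmetic behind that score and how the same gap-analysis findings feed a POA&M (Steps 2 and 5 of the roadmap above). The requirement IDs are real NIST SP 800-171 Rev 2 identifiers, but the WEIGHTS table is a hand-picked subset of the official 110-row table, the sample findings are constructed, and the names Finding, sprs_score and poam_items are this example's own. Load the full weight table from the published methodology before using anything like this for a real SPRS submission.

```python
"""
SPRS self-assessment score and POA&M list from a NIST SP 800-171 gap analysis.

Added example for this article; not code from the page's sources or any vendor.
Scoring follows the DoD Assessment Methodology for NIST SP 800-171 Rev 2:
start at 110 and subtract each unimplemented requirement's weight (5, 3 or 1).
Two requirements allow a reduced deduction of 3 instead of 5 when partially
implemented: 3.5.3 (MFA in place for remote and privileged users but not yet
for general users) and 3.13.11 (encryption in use but not FIPS-validated).
A requirement still open on a POA&M is scored as not implemented. Floor: -203.

WEIGHTS is a subset of the official 110-row table, chosen to keep the example
short; requirements not listed here are treated as MET. Load the full table
from the published methodology before using this for a real submission.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List

MAX_SCORE = 110
MIN_SCORE = -203

# Requirement id -> points deducted when NOT MET (subset; verify against the
# current DoD Assessment Methodology table before relying on it).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users and devices
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
    "3.14.5": 3,   # periodic and real-time malicious code scans
}

# Only these two requirements carry a reduced "partial implementation" deduction.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    MET = "MET"
    PARTIAL = "PARTIAL"   # reduced deduction only for 3.5.3 and 3.13.11
    NOT_MET = "NOT_MET"   # includes requirements still open on a POA&M


@dataclass(frozen=True)
class Finding:
    req: str            # NIST SP 800-171 Rev 2 requirement id, e.g. "3.5.3"
    status: Status
    evidence: str = ""  # where the assessor found (or did not find) proof


def deduction(f: Finding) -> int:
    """Points this finding removes from the 110 maximum."""
    if f.req not in WEIGHTS:
        raise KeyError(f"no weight loaded for requirement {f.req}")
    if f.status is Status.MET:
        return 0
    if f.status is Status.PARTIAL and f.req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[f.req]
    # PARTIAL on any other requirement is not a recognized state: score as NOT MET.
    return WEIGHTS[f.req]


def sprs_score(findings: Iterable[Finding]) -> int:
    """110 minus all deductions, never below the methodology's -203 floor."""
    total = MAX_SCORE - sum(deduction(f) for f in findings)
    return max(total, MIN_SCORE)


def poam_items(findings: Iterable[Finding]) -> List[dict]:
    """One POA&M line per non-MET finding, heaviest deductions first, so the
    remediation order tracks score impact."""
    items = [
        {"req": f.req, "status": f.status.value,
         "points": deduction(f), "evidence": f.evidence}
        for f in findings if f.status is not Status.MET
    ]
    return sorted(items, key=lambda i: (-i["points"], i["req"]))


# Constructed sample gap analysis (illustrative, not real assessment data).
SAMPLE_FINDINGS = [
    Finding("3.1.1", Status.MET, "conditional access policy export"),
    Finding("3.1.2", Status.MET, "RBAC matrix in SSP appendix B"),
    Finding("3.1.5", Status.MET, "privileged role activation logs"),
    Finding("3.1.8", Status.NOT_MET, "no lockout threshold on legacy VPN appliance"),
    Finding("3.5.3", Status.PARTIAL, "MFA enforced for admins and VPN; not yet for all users"),
    Finding("3.13.11", Status.MET, "disk encryption in FIPS mode, CMVP certificate numbers recorded"),
    Finding("3.14.1", Status.MET, "patch SLA report, 30-day window for critical flaws"),
    Finding("3.14.5", Status.NOT_MET, "on-access scanning only; no scheduled full scans"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    for item in poam_items(SAMPLE_FINDINGS):
        print(f"POA&M {item['req']:8} {item['status']:8} -{item['points']}  {item['evidence']}")
```

A score of 110 means no deductions at all, which is what the "perfect score" case study is claiming. Because the number uploaded to SPRS is an attestation, the gap analysis behind it needs evidence for every MET line; an inflated score is exactly the misrepresentation the False Claims Act exposure discussed later in this article turns on.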
Many SMBs have succeeded by creating secure enclaves for CUI, which limit the scope and cost of compliance.[12] One SMB defense contractor achieved a perfect NIST SP 800-171 self-assessment score by deploying PreVeil as an overlay on its existing Microsoft 365 environment, a cost-effective approach.[92] Another federal contractor partnered with Cleared Systems to overcome technology limitations and implement the necessary controls, positioning it for lucrative DoD contracts.[117] Certified Manufacturing Inc., a woman-owned small business, worked with the MEP National Network to reach CMMC Level 3 (under the original five-level model, the tier that corresponds to today's Level 2) within a tight 90-day window, leading to the renewal of a significant DoD contract.[70] Cape Henry Associates, a service-disabled veteran-owned small business (SDVOSB), achieved compliance with both NIST 800-171 and CMMC using Apptega as its compliance system of record, improving its security posture and demonstrating its commitment to the DoD and its contracting partners.[69] These examples share a pattern: understand the specific requirements, lean on appropriate tools and expertise, and keep the strategy focused.

The Cost of Inaction: Risks and Consequences of Non-Compliance

For SMBs in the defense supply chain, failing to comply with NIST 800-171 carries significant risks, particularly when working with the DoD. 
The primary risk is losing eligibility to bid on and win DoD contracts, which can be devastating for SMBs that rely on government work.[2] Existing DoD contracts can be terminated if the contractor fails to meet the mandatory NIST 800-171 requirements.[5] Non-compliant SMBs may also face financial penalties and legal exposure, especially under the False Claims Act if they misrepresent their compliance status (including an inaccurate SPRS score) to the government.[1] Non-compliance erodes the trust of government agencies, prime contractors, and other partners, jeopardizing future collaborations and business.[1] The DoD has increased its scrutiny of contractor cybersecurity, so non-compliant SMBs are more exposed to audits and stricter oversight.[42] Ultimately, SMBs that fail to achieve compliance face a significant competitive disadvantage against those that have invested in it.[1]

Tools of the Trade: Leveraging Resources for NIST 800-171 Compliance

Several tools and resources can help SMBs on the way to compliance.

Microsoft Purview offers content search for locating CUI, sensitivity labels for classifying and protecting data, and Data Loss Prevention (DLP) rules, all of which help meet several technical and administrative requirements.[120]

Tenable.io is a vulnerability management platform that provides active and passive monitoring of the IT environment, vulnerability identification, and compliance assessment against the technical requirements of NIST 800-171, with dashboards and reports for tracking and demonstrating conformance.[130] Microsoft Defender Vulnerability Management is a comparable subscription offering for assessing the vulnerability landscape.

C3PAOs are authorized entities that conduct independent CMMC 2.0 assessments and issue Level 2 certifications, which many DoD contracts require; Level 3 assessments are conducted by the government (DIBCAC) once Level 2 certification is in place.[2] When selecting a C3PAO, consider its experience with federal compliance frameworks, understanding of the SMB landscape, communication style, and availability.[11]

Other invaluable resources include the official NIST and DoD CMMC program websites, which publish the latest requirements, guidance, and documentation.[18] Manufacturing Extension Partnership (MEP) Centers can also offer training, guidance, gap analyses, and connections to cybersecurity experts.[18]

Smart Investments: Understanding and Optimizing the Costs of Compliance

The cost of NIST 800-171 compliance varies significantly from one SMB to another. 
Initial costs typically include a thorough gap analysis, cybersecurity consultants, hardware and software upgrades or new solutions, and cybersecurity awareness training for employees.[5] Ongoing costs include continuous security monitoring, maintenance of the implemented controls, and periodic third-party assessments at the higher CMMC levels.[14] For SMBs seeking CMMC 2.0 Level 2 certification, a major line item is the C3PAO assessment itself.[2]

To optimize resource allocation and contain these costs, SMBs can use several strategies. Carefully defining and limiting the scope of the CUI environment, for example by building a secure enclave, can sharply reduce the number of systems and users that must meet the full set of NIST 800-171 requirements.[56] Assessing current infrastructure and reusing technologies, processes, and policies that already align with NIST 800-171 minimizes the need for costly new solutions.[10] Free resources, guidance documents, and policy templates from NIST and other organizations can save on consulting fees and documentation effort.[107] Partnering with a reputable Managed Service Provider (MSP) or consultants who specialize in NIST 800-171 and CMMC can supply the needed expertise and often proves more cost-effective over time.[2] A phased approach that implements the most critical controls first, based on a thorough risk assessment, makes budgeting and resourcing more manageable.[8] Federal or state funding programs, grants, or tax credits designed to help small businesses offset cybersecurity compliance costs are worth exploring.[6] Finally, compliance automation tools and platforms can streamline documentation and evidence collection, reducing manual effort and cost.[8]

Embracing NIST 800-171 Compliance for a Secure and Prosperous Future

For SMBs in the defense supply chain, NIST 800-171 compliance is more than a regulatory obligation; it is fundamental to their security and to their continued participation in the DoD marketplace. By meeting these standards, SMBs harden their defenses against increasingly sophisticated threats, unlock significant business opportunities, build trust with essential partners, and mitigate the potentially devastating risks of data breaches and non-compliance. The path presents challenges, particularly for organizations with limited resources, but it should be treated as a strategic investment. By understanding the requirements, using available resources and tools, and applying cost-effective strategies, SMBs can navigate NIST 800-171 compliance and position themselves for a secure and prosperous future within the defense industrial base. 
Taking proactive steps today to understand and implement these critical cybersecurity standards is not just about meeting a requirement; it is about safeguarding your business and securing your place in the evolving landscape of government contracting.

Works cited

1. NIST Special Publication 800-171: Staying Secure with LastPass, accessed April 10, 2025, https://blog.lastpass.com/posts/nist-special-publication-800-171
2. CMMC Compliance Guide: Understanding the Cybersecurity Maturity Model Certification (CMMC 2.0) for Defense Contractors - Summit 7, accessed April 10, 2025, https://www.summit7.us/cmmc
3. CMMC Requirements for Small Businesses: What to Know - BeMoPro, accessed April 10, 2025, https://www.bemopro.com/cybersecurity-blog/get-cmmc-compliant-cmmc-for-small-business
4. How updated guidelines on protecting controlled unclassified information impact SMBs - Barracuda, accessed April 10, 2025, https://blog.barracuda.com/2024/07/08/updated-guidelines-controlled-unclassified-information-smbs
5. The Impact of NIST SP 800-171 on SMBs - Tripwire, accessed April 10, 2025, https://www.tripwire.com/state-of-security/impact-nist-sp-800-171-smbs
6. CMMC Requirements for SMBs: Navigating Compliance on a Budget - ISI Enterprises, accessed April 10, 2025, https://isidefense.com/blog/cmmc-requirements-for-small-businesses-navigating-the-road-to-compliance-on-a-budget
7. CMMC Compliance for Small and Medium Businesses: Overcoming Challenges - Exostar, accessed April 10, 2025, https://www.exostar.com/blog/cmmc-compliance-for-small-and-medium-businesses-overcoming-challenges/
8. 8 Recommendations for Businesses Approaching CMMC in 2025 - Lazarus Alliance, Inc., accessed April 10, 2025, https://lazarusalliance.com/8-recommendations-for-businesses-approaching-cmmc-in-2025/
9. CMMC: What It Means for Small Businesses - BizTech Magazine, accessed April 10, 2025, https://biztechmagazine.com/article/2025/01/cmmc-what-it-means-small-businesses
10. The Economic Impact of CMMC Compliance on SMBs - RSI Security, accessed April 10, 2025, https://blog.rsisecurity.com/the-economic-impact-of-cmmc-compliance-on-smbs/
11. CMMC Compliance for Small Businesses: Challenges and Recommendations - Kiteworks, accessed April 10, 2025, https://www.kiteworks.com/cmmc-compliance/small-business/
12. The Impact of CMMC on Small Businesses - Core Business Solutions, accessed April 10, 2025, https://www.thecoresolution.com/the-impact-of-cmmc-on-small-businesses
13. The Cost of Taking on CMMC In-House - Summit 7, accessed April 10, 2025, https://www.summit7.us/blog/cost-of-taking-on-cmmc-in-house?hsLang=en
14. NIST 800-171 Compliance: What You Need to Know in 2025 - Cypago, accessed April 10, 2025, https://cypago.com/nist-800-171-2025/
15. NIST 800-171 Compliance for Small Business - Bright Defense, accessed April 10, 2025, https://www.brightdefense.com/resources/nist-800-171-compliance-for-small-business/
16. Breaking Down NIST 800-171 Controls: The Full List of Security Requirements - Sprinto, accessed April 10, 2025, https://sprinto.com/blog/list-of-nist-800-171-controls/
17. NIST SP 800-171 Compliance: Essential Guide for Organizations - Sprinto, accessed April 10, 2025, https://sprinto.com/blog/nist-800-171-compliance/
18. What Is the NIST SP 800-171 and Who Needs to Follow It? - NIST Manufacturing Innovation Blog, accessed April 10, 2025, https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0
19. CMMC Compliance: Why It's Essential for National Security and Your Business Success - Converge Technology Solutions, accessed April 10, 2025, https://convergetp.com/2025/04/03/cmmc-compliance-why-its-essential-for-national-security-and-your-business-success/
20. CMMC Compliance 2025: What Every Defense Contractor Must Know Now! - ECI Solutions, accessed April 10, 2025, https://www.ecisolutions.com/blog/manufacturing/cmmc-compliance-2025-updates/
21. Everything DoD Contractors Need to Know About CMMC Compliance - Teal, accessed April 10, 2025, https://tealtech.com/blog/cmmc-compliance-for-dod-contractors-dec162024/
22. 20 Key Takeaways from the CMMC Final Rule for SMBs - Bright Defense, accessed April 10, 2025, https://www.brightdefense.com/resources/20-key-takeaways-cmmc-final-rule/
23. CMMC Compliance and Small Businesses: Why It's More Important Than You Think - BitLyft, accessed April 10, 2025, https://www.bitlyft.com/resources/cmmc-compliance-and-small-businesses-why-its-more-important-than-you-think
24. NIST Compliance Checklist for Security-First Businesses 2025 - Cyphere, accessed April 10, 2025, https://thecyphere.com/blog/nist-compliance-checklist/
25. NIST 800-171 Compliance: How to Comply with the Latest Revision [+ Checklist] - Secureframe, accessed April 10, 2025, https://secureframe.com/blog/nist-800-171-compliance
26. SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (initial public draft) - NIST Computer Security Resource Center, accessed April 10, 2025, https://csrc.nist.gov/pubs/sp/800/171/r3/ipd
27. SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (final) - NIST Computer Security Resource Center, accessed April 10, 2025, https://csrc.nist.gov/pubs/sp/800/171/r3/final
28. SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations - CSRC (archive mirror), accessed April 10, 2025, https://csrc.nist.rip/publications/detail/sp/800-171/rev-2/final
29. NIST.SP.800-171r2.pdf - NIST, accessed April 10, 2025, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
30. NIST 800-171 Compliance Checklist - Complete Guide - Sprinto, accessed April 10, 2025, https://sprinto.com/blog/nist-800-171-compliance-checklist/
31. Understanding NIST 800-171 & What it Means for Your Organization - PreVeil, accessed April 10, 2025, https://www.preveil.com/blog/understanding-nist-800-171-what-it-means-for-your-organization/
32. SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations - NIST Computer Security Resource Center, accessed April 10, 2025, https://csrc.nist.gov/pubs/sp/800/171/r1/upd3/final
33. SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations - NIST Computer Security Resource Center, accessed April 10, 2025, https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
34. SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (final public draft) - NIST Computer Security Resource Center, accessed April 10, 2025, https://csrc.nist.gov/pubs/sp/800/171/r3/fpd
35. NIST 800-171 Compliance: How Totem can help small businesses - Totem Technologies, accessed April 10, 2025, https://www.totem.tech/nist-800-171-compliance/
36. Need-to-Know: Simplifying NIST SP 800-171 and CMMC for SMBs - Infinity Technologies, accessed April 10, 2025, https://it-va.com/need-to-know-simplifying-nist-sp-800-171-and-cmmc-for-smbs/
37. NIST SP 800-171 Revision 3 Goes Final: Who's Down with ODP? - Government Contracts Law, accessed April 10, 2025, https://www.governmentcontractslaw.com/2024/05/nist-sp-800-171-revision-3-goes-final-whos-down-with-odp/
38. Report finds large gap in CMMC readiness among defense industrial base - DefenseScoop, accessed April 10, 2025, https://defensescoop.com/2025/01/28/redspin-report-cmmc-readiness-gap-2025-defense-industrial-base/
39. Supplier Performance Risk System (SPRS) - Cyber Reports, accessed April 10, 2025, https://www.sprs.csd.disa.mil/nistsp.htm
40. The Complete Guide to NIST SP 800-171 - Peerless Tech Solutions, accessed April 10, 2025, https://www.getpeerless.com/complete-guide-nist-800-171
41. About CMMC - DoD CIO, Department of Defense, accessed April 10, 2025, https://dodcio.defense.gov/cmmc/About/
42. Time for Compliance with DOD's Cybersecurity Regulations is NOW - Government Contracts Navigator, accessed April 10, 2025, https://governmentcontractsnavigator.com/2024/04/24/time-for-compliance-with-dods-cybersecurity-regulations-is-now/
43. Federal contractor, not 100% NIST 800-171 compliant, but working toward it, how do I explain this when bidding on contracts? - Reddit (r/NISTControls), accessed April 10, 2025, https://www.reddit.com/r/NISTControls/comments/kmjqwy/federal_contractor_not_100_nist_800171_compliant/
44. KLC Consulting, Inc - C3PAO - CyberAB, accessed April 10, 2025, https://cyberab.org/Member/C3PAO-556-Klc-Consulting-Inc
45. Navigating CMMC Compliance and Key Insights from the National 8(a) Small Business Conference - Womble Bond Dickinson, accessed April 10, 2025, https://www.womblebonddickinson.com/us/insights/alerts/navigating-cmmc-compliance-and-key-insights-national-8a-small-business-conference
46. The Federal Funding Freeze and Why CMMC Compliance Remains Critical for Contractors - V2 Systems, accessed April 10, 2025, https://v2systems.com/blog/the-federal-funding-freeze-and-why-cmmc-compliance-remains-critical-for-contractors/
47. DOD Issues Final CMMC Rule - SBA Office of Advocacy, Small Business Administration, accessed April 10, 2025, https://advocacy.sba.gov/2024/10/24/dod-final-cmmc-rule/
48. Joint Intermediate Force Capabilities Office > Media > Multimedia > IFC Videos - Non-Lethal Weapons Program, accessed April 10, 2025, https://jifco.defense.gov/Media/Multimedia/IFC-Videos/?videoid=944070&dvpTag=CIO
49. Cybersecurity Maturity Model Certification (CMMC) - Controlled Unclassified Information (CUI) - DCSA, accessed April 10, 2025, https://www.dcsa.mil/Industrial-Security/Controlled-Unclassified-Information-CUI/Cybersecurity-Maturity-Model-Certification-CMMC/
50. Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.13 - DoD CIO, Department of Defense, accessed April 10, 2025, https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
51. Cybersecurity Maturity Model Certification - DoD CUI Program, accessed April 10, 2025, https://www.dodcui.mil/CMMC/Cybersecurity-Maturity-Model-Certification/
52. Cybersecurity Maturity Model Certification (CMMC) Program - Federal Register, accessed April 10, 2025, https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
53. Policy - Cybersecurity Maturity Model Certification (CMMC) - Office of the Under Secretary of Defense for Acquisition and Sustainment, accessed April 10, 2025, https://www.acq.osd.mil/asda/dpc/cp/cyber/cmmc.html
54. CMMC Controls for SMB Owners: A Guide to the 14 Controls - Bright Defense, accessed April 10, 2025, https://www.brightdefense.com/resources/cmmc-controls-for-smb-owners/
55. Navigating CMMC Compliance and Risk Management: Essential Steps for SMBs - Sikich, accessed April 10, 2025, https://www.sikich.com/insight/navigating-cmmc-compliance-and-risk-management-essential-steps-for-smbs/
56. A Guide for SMB Defense Contractors to Achieve CMMC Compliance - Cyber Defense Magazine, accessed April 10, 2025, https://www.cyberdefensemagazine.com/a-guide-for-smb-defense-contractors-to-achieve-cmmc-compliance/
57. Unlocking CMMC Compliance: A Step-by-Step Guide for SMBs - ISI Enterprises, accessed April 10, 2025, https://isidefense.com/blog/unlocking-cmmc-compliance-a-step-by-step-guide-for-smbs
58. CMMC Requirements for Small Businesses - Vaultes, accessed April 10, 2025, https://www.vaultes.com/cmmc-requirements-for-small-businesses/
59. SMB DIBS guide to CMMC compliance: Essential checklist for cybersecurity - Hypori, accessed April 10, 2025, https://www.hypori.com/blog/smb-dibs-guide-to-cmmc-compliance
60. CMMC Final Rule Published - What Small Businesses Need to Know - Core Business Solutions, accessed April 10, 2025, https://www.thecoresolution.com/cmmc-final-rule-published
61. CMMC Compliance: What You Need to Know - MyWorkDrive, accessed April 10, 2025, https://www.myworkdrive.com/blog/cmmc-compliance-updates/
62. 10 Answers to Demystify CMMC 2.0 Compliance Challenges - Hypori, accessed April 10, 2025, https://www.hypori.com/blog/10-questions-answers-to-cmmc-compliance
63. CMMC FAQs - DoD CIO, accessed April 10, 2025, https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-FAQs.pdf
64. CMMC and NIST 800-171 compliance? - Reddit (r/CMMC), accessed April 10, 2025, https://www.reddit.com/r/CMMC/comments/17hoboh/cmmc_and_nist_800171_compliance/
65. Your Top CMMC Questions Answered - Pivot Point Security, accessed April 10, 2025, https://www.pivotpointsecurity.com/your-top-cmmc-questions-answered/
66. How to get a small business CMMC compliant? (Asking for advice) - Reddit (r/CMMC), accessed April 10, 2025, https://www.reddit.com/r/CMMC/comments/1d3cymb/how_to_get_a_small_business_cmmc_compliant_asking/
67. CMMC Compliance: Key Strategies for Businesses - SMPL-C, accessed April 10, 2025, https://smpl-c.com/cmmc-compliance-key-strategies-for-businesses/
68. CMMC 101: Mastering Compliance for Federal Contracting Success - USFCR Blog, accessed April 10, 2025, https://blogs.usfcr.com/cmmc-101
69. Cape Henry Prepares for CMMC Certification and Accelerates Growth - Apptega, accessed April 10, 2025, https://www.apptega.com/case-studies/cape-henry
70. Leading the Way for CMMC Compliance - NIST MEP, accessed April 10, 2025, https://www.nist.gov/mep/successstories/2020/leading-way-cmmc-compliance
71. Understanding the Impact of CMMC on Small Businesses - SSE Inc., accessed April 10, 2025, https://www.sseinc.com/blog/cmmc-small-business-impact/
72. Common small business CMMC compliance challenges - Totem Technologies, accessed April 10, 2025, https://www.totem.tech/cmmc-compliance-challenges-for-small-businesses/
73. Economic impact of CMMC on Small Businesses and MSPs - Technology First, accessed April 10, 2025, https://www.technologyfirst.org/Tech-News/13377368
74. Seldom-Discussed CMMC Effects on a Defense Contractor's Business - PilieroMazza, accessed April 10, 2025, https://www.pilieromazza.com/seldom-discussed-cmmc-effects-on-a-defense-contractors-business/
75. Proposed CMMC Rule Spells Out Liability Risks for Noncompliance - National Defense Magazine, accessed April 10, 2025, https://www.nationaldefensemagazine.org/articles/2024/1/12/proposed-cmmc-rule-spells-out-liability-risks-for-noncompliance
76. CMMC Non-Compliance Penalties - OrionNetworks, accessed April 10, 2025, https://www.orionnetworks.net/what-are-the-penalties-for-cmmc-non-compliance/
77. Regulated Cybersecurity: Where We Are - The Consequences of Non-Compliance (June 2023) - NIST Computer Security Resource Center, accessed April 10, 2025, https://csrc.nist.gov/csrc/media/Presentations/2023/regulated-cybersecurity-the-consequences-of-non-co/images-media/RMetzger-ssca-forum-060123.pdf
78. Challenges of CMMC for Small Businesses - Cybernet Systems Corporation, accessed April 10, 2025, https://www.cybernet.com/challenges-of-cmmc-for-small-businesses/
79. Certified Third-Party Assessor Organizations (C3PAO): Understanding Their Role and How to Choose One for Your CMMC Certification - Secureframe, accessed April 10, 2025, https://secureframe.com/hub/cmmc/c3pao
80. What Is a CMMC C3PAO and What Do They Do? - ISI Enterprises, accessed April 10, 2025, https://isidefense.com/blog/what-is-a-cmmc-c3pao-and-what-do-they-do
81. CMMC Self-Assessed vs C3PAO Certified MSP - Corporate Information Technologies, accessed April 10, 2025, https://www.corp-infotech.com/blog/cmmc-self-assessed-vs-c3pao-certified-msp
82. CMMC Certified Third-Party Assessment Organization (C3PAOs) List - Secureframe, accessed April 10, 2025, https://secureframe.com/hub/cmmc/c3pao-list
83. Digital Beachhead - Cybersecurity - C3PAO - vCISO - CMMC - Small Business, accessed April 10, 2025, https://digitalbeachhead.com/
84. C3PAO Services - Kratos Defense, accessed April 10, 2025, https://www.kratosdefense.com/about/divisions/space-training-and-cybersecurity/cyber/c3pao-services
85. CMMC consulting services for small and medium-sized businesses - E-N Computers, accessed April 10, 2025, https://www.encomputers.com/cmmc-consulting-services-for-small-businesses/
86. SOCSoter becomes a Third-Party Assessor Organization (C3PAO) Candidate - SMB Nation, accessed April 10, 2025, https://www.smbnation.com/community-content/3916-socsoter-becomes-a-third-party-accessor-organization-c3pao-candidate
87. Cost of Compliance: CMMC and NIST 171 - Hyper Vigilance, accessed April 10, 2025, https://blog.hypervigilance.com/cost-of-cmmc-nist-compliance
88. How to Manage Costs for CMMC Level 2 Compliance - Axiom, accessed April 10, 2025, https://www.axiom.tech/how-to-manage-costs-for-cmmc-2-compliance/
89. 2 strategies to reduce your CMMC compliance costs - StreamScan, accessed April 10, 2025, https://streamscan.ai/en/blog/2strategies-reduction-couts-cmmc-fr/
90. Cybersecurity Maturity Model Certification (CMMC) Compliance Guide - Sprinto, accessed April 10, 2025, https://sprinto.com/blog/cmmc-compliance/
91. Govt Should be Stroking Checks for SMBs Doing CMMC - Reddit (r/CMMC), accessed April 10, 2025, https://www.reddit.com/r/CMMC/comments/1gvt4xh/govt_should_be_stroking_checks_for_smbs_doing_cmmc/
92. Case Study: Defense contractor achieves 110/110 score in NIST SP
800-171 DoD audit | PreVeil, accessed April 10, 2025, https://www.preveil.com/wp-content/uploads/2023/09/PreVeil-Case-Study-110-Score.pdf* 3 Reasons Why You Should Probably Focus on NIST SP 800-171, Not CMMC, accessed April 10, 2025, https://www.pivotpointsecurity.com/3-reasons-why-you-should-probably-focus-on-nist-sp-800-171-not-cmmc/* www.brightdefense.com, accessed April 10, 2025, https://www.brightdefense.com/resources/nist-800-171-compliance-for-small-business/#:~:text=To%20achieve%20compliance%2C%20you'll,NIST%20800%2D171%20requirements%20effectively.* Understanding NIST 800-171 Requirements for Small Businesses - KNC Strategic Services, accessed April 10, 2025, https://www.kncss.com/blog/understanding-requirements-for-small-businesses* NIST 800-171 Compliance Checklist - Cuick Trac, accessed April 10, 2025, https://www.cuicktrac.com/nist-compliance/nist-800-171-compliance-checklist/* NIST'S 800-171 AS A CYBERSECURITY SYSTEM FOR SMB'S - Innovative Manufacturers Center, accessed April 10, 2025, https://imcpa.com/wp-content/uploads/2018/05/Zane-Patalive-800-171.pdf* Securing the defense supply chain: Critical insights on CMMC 2.0 preparedness, accessed April 10, 2025, https://www.scmr.com/article/securing-the-defense-supply-chain-critical-insights-on-cmmc-2.0-preparedness/software-technology* NIST 800-171 Compliance: How Much Does NIST Certification Cost? 
- Kelser Corporation, accessed April 10, 2025, https://www.kelsercorp.com/blog/nist-800-171-compliance-certification-cost* Five Compliance Challenges Clients Face When Implementing NIST 800-171, accessed April 10, 2025, https://www.wiley.law/newsletter-Five-Compliance-Challenges-Clients-Face-When-Implementing-NIST-800-171* 800-171 Implementation Guide: Requirements, Controls, Implementation - Cuick Trac, accessed April 10, 2025, https://www.cuicktrac.com/nist-compliance/800-171-implementation-guide/* Where to begin with NIST SP 800-171 Implementation - SAF/CN, accessed April 10, 2025, https://www.safcn.af.mil/Portals/64/Documents/Small%20Business%20Innovation%20Research%20(SBIR)/Resources/BC%2010%20-%20Where%20to%20Begin%20with%20NIST%20SP%20800-171%20Implementation%20Cleared%20for%20Public%20Release%20AFRL-2021-3219%2022%20Sep%202021.pdf?ver=i1y9v3ffIEIWbOfZwQK8vw%3D%3D* NIST 800-171 Implementation Guide for Small-Medium Sized Businesses | RSI Security, accessed April 10, 2025, https://blog.rsisecurity.com/nist-800-171-implementation-guide-for-small-medium-sized-businesses/* What is NIST Compliance? 
(The Ultimate Guide) - Sprinto, accessed April 10, 2025, https://sprinto.com/blog/nist-compliance/* NIST Compliance - Check Point Software, accessed April 10, 2025, https://www.checkpoint.com/cyber-hub/cyber-security/nist-compliance/* Guide to NIST Compliance - IS Partners, LLC, accessed April 10, 2025, https://www.ispartnersllc.com/blog/nist-compliance/* Very Small Business Becoming NIST SP 800-171 Compliant : r/NISTControls - Reddit, accessed April 10, 2025, https://www.reddit.com/r/NISTControls/comments/yl7e77/very_small_business_becoming_nist_sp_800171/* Navigate NIST 800-171 with Confidence, accessed April 10, 2025, https://nist171.fortifiedservices.com/* Top Six Challenges with DFARS and NIST 800-171 Compliance | True Digital Security, accessed April 10, 2025, https://truedigitalsecurity.com/blog/top-six-challenges-with-dfars-and-nist-800-171-compliance* What have been your biggest challenges/pain points trying to comply with CMMC? - Reddit, accessed April 10, 2025, https://www.reddit.com/r/CMMC/comments/1e755tn/what_have_been_your_biggest_challengespain_points/* Estimated Costs Associated with NIST 800-53 and NIST 800-171 Security Risk Assessments, accessed April 10, 2025, https://www.goldskysecurity.com/estimated-costs-associated-with-nist-800-53-and-nist-800-171-security-risk-assessments/* Estimating the Cost of NIST SP 800-171 - YouTube, accessed April 10, 2025, * DoD Cybersecurity, DFARS, and NIST SP 800-171 Compliance, accessed April 10, 2025, https://compliancy-group.com/dod-cybersecurity-dfars-and-nist-sp-800-171-compliance/* What Contractors Risk by Not Being NIST 800-171 Compliant - Peerless Tech Solutions, accessed April 10, 2025, https://www.getpeerless.com/blog/what-contractors-risk-by-not-being-nist-800-171-compliant* Top 5 Risks Of Non-Compliance With NIST SP 800-171, accessed April 10, 2025, https://nist800171compliance.com/top-5-risks-of-non-compliance-with-nist-sp-800-171/* What Are the Consequences of Noncompliance? 
- The Charles IT Blog, accessed April 10, 2025, https://blog.charlesit.com/what-are-the-consequences-of-noncompliance* Securing DoD Contracts: A Case Study in NIST SP 800-171 Compliance - Cleared Systems, accessed April 10, 2025, https://clearedsystems.com/nist-sp-800-171-compliance-success-story/* Is Your SMB Concerned About Cybersecurity? - Corporate Information Technologies, accessed April 10, 2025, https://www.corp-infotech.com/blog/smb-concerned-about-cybersecurity* NIST 800-171 Compliance: The Secret to Small Business Success! - YouTube, accessed April 10, 2025, * Microsoft Purview Compliance Manager regulations list, accessed April 10, 2025, https://learn.microsoft.com/en-us/purview/compliance-manager-regulations-list* How to Maintain NIST 800-171 Compliance in Microsoft 365 - Agile IT, accessed April 10, 2025, https://agileit.com/news/maintain-nist-800-171-compliance-microsoft-365/* National Institute of Standards and Technology (NIST) SP 800-171 - Azure Compliance, accessed April 10, 2025, https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-nist-800-171* Regulatory Compliance details for NIST SP 800-171 R2 - Azure Policy | Microsoft Learn, accessed April 10, 2025, https://learn.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-171-r2* NIST SP 800-171 - Microsoft Compliance, accessed April 10, 2025, https://learn.microsoft.com/en-us/compliance/regulatory/offering-nist-sp-800-171* Regulatory Compliance details for NIST SP 800-171 R2 (Azure Government), accessed April 10, 2025, https://learn.microsoft.com/en-us/azure/governance/policy/samples/gov-nist-sp-800-171-r2* Put CUI Spillage in the Rearview with Microsoft Purview Information Protection (MPIP), accessed April 10, 2025, https://www.summit7.us/blog/microsoft-purview-information-protection* Identifying CUI with Microsoft 365 For CMMC - Summit 7, accessed April 10, 2025, https://www.summit7.us/blog/identifying-cui-with-microsoft-365-for-cmmc* Configure cloud settings for use 
with Compliance Manager - Learn Microsoft, accessed April 10, 2025, https://learn.microsoft.com/en-us/purview/compliance-manager-cloud-settings* Microsoft Office 365 NIST 800 171 Compliance: Top 5 Essential Steps, accessed April 10, 2025, https://ettebiz.com/microsoft-office-365-nist-800-171-compliance/* Solution Overview: NIST SP 800-171 | Tenable®, accessed April 10, 2025, https://www.tenable.com/solution-briefs/nist-sp-800-171* Compliance Frameworks - Tenable documentation, accessed April 10, 2025, https://docs.tenable.com/cyber-exposure-studies/host-audit-data/Content/compliance-frameworks.htm* 800-171 Audit Summary (Explore) - Tenable.io Dashboard, accessed April 10, 2025, https://www.tenable.com/vulnerability-management-dashboards/800-171-audit-summary-explore* NIST SP 800-171 | Tenable®, accessed April 10, 2025, https://pt-br.tenable.com/solutions/nist-sp-800-171* NIST SP 800-171 | Tenable®, accessed April 10, 2025, https://www.tenable.com/solutions/nist-sp-800-171* Tenable.sc Support for NIST SP 800-171 - White Paper, accessed April 10, 2025, https://ar.tenable.com/whitepapers/tenable-sc-support-for-nist-sp-800-171* NIST 800-171 based assessment using Nessus professional - Login, accessed April 10, 2025, https://tenable.my.site.com/s/question/0D53a00006dfgr8CAA/nist-800171-based-assessment-using-nessus-professional?language=en_US* Apps that help with NIST SP 800-171 & CMMC : r/NISTControls - Reddit, accessed April 10, 2025, https://www.reddit.com/r/NISTControls/comments/epx0ud/apps_that_help_with_nist_sp_800171_cmmc/* How do I set up Policy Compliance Auditing for NIST compliance? 
- Tenable Community, accessed April 10, 2025, https://community.tenable.com/s/question/0D53a00007sQ2BBCA0/how-do-i-set-up-policy-compliance-auditing-for-nist-compliance?language=en_US* Nessus professional compliance scan reports filtered using NIST SP 800-171 reference, accessed April 10, 2025, https://tenable.my.site.com/s/question/0D53a00006g8hxmCAA/nessus-professional-compliance-scan-reports-filtered-using-nist-sp-800171-reference?language=en_US* NIST 800-171 Controlled Unclassified Information Course from Cybrary | NICCS, accessed April 10, 2025, https://niccs.cisa.gov/education-training/catalog/cybrary/nist-800-171-controlled-unclassified-information-course* SP 800-171A Rev. 3, Assessing Security Requirements for Controlled Unclassified Information | CSRC, accessed April 10, 2025, https://csrc.nist.gov/pubs/sp/800/171/a/r3/final* Chief Information Officer > CMMC - DoD CIO - Department of Defense, accessed April 10, 2025, https://dodcio.defense.gov/CMMC/* CMMC Resources & Documentation - DoD CIO - Department of Defense, accessed April 10, 2025, https://dodcio.defense.gov/cmmc/Resources-Documentation/* Contact CMMC - DoD CIO - Department of Defense, accessed April 10, 2025, https://dodcio.defense.gov/cmmc/Contact/* NIST 800-171 - National Defense Industrial Association, accessed April 10, 2025, https://www.ndia.org/-/media/sites/ndia/divisions/archive/nist-800-171-realities-of-the-market2.pptx* Guidance for a small business doing a NIST SP 800-171 self-assessment - Reddit, accessed April 10, 2025, https://www.reddit.com/r/NISTControls/comments/nhctno/guidance_for_a_small_business_doing_a_nist_sp/* IT Cost Optimization for SMB & Mid-Size Businesses - Secur-Serv, accessed April 10, 2025, https://secur-serv.com/it-cost-optimization/* Changing Attitudes to Cybersecurity in the SMB Segment - CYRISMA, accessed April 10, 2025, https://cyrisma.com/smb-cybersecurity/* Where to Focus Your Cybersecurity Budget for Maximum Protection - Sprinto, accessed April 10, 2025, 
https://sprinto.com/blog/cybersecurity-budget-optimization/* Simple, Cost-Effective Ways for SMBs to Achieve Compliance - Access Point Consulting, accessed April 10, 2025, https://www.accesspointconsulting.com/resources/simple-cost-effective-ways-for-smbs-to-achieve-compliance This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  34. 88

    Combating Security Platform Fatigue: A Strategic Approach to Tool Consolidation

    Discover how to combat security platform fatigue by strategically consolidating tools around your primary security provider while filling gaps with specialized solutions. Learn practical approaches to reduce complexity, improve visibility, and enhance your security posture without overwhelming your team. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  35. 87

    Safely Implementing AI for SMBs

    Discover how SMBs can boost productivity by safely using AI in areas like customer service, marketing, inventory, and cybersecurity. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  36. 86

    Implementing Zero Trust Security for Small and Medium Businesses with Microsoft Solutions

    Learn how small and medium businesses can enhance their cybersecurity with a Zero Trust strategy using Microsoft solutions. Discover practical steps to protect your business from evolving threats. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  37. 85

    Proposed 2025 HIPAA Security Rule Changes & SMB Implications

    The 2024 HIPAA Security Rule amendments represent a significant overhaul, demanding strategic realignment of governance, risk management, and compliance (GRC) programs, particularly for SMBs. The proposed rule changes have an open comment period, which ends on March 7th, 2025. To leave comments, go here: https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

    The elimination of the "addressable" implementation specifications, expanded technical safeguards, and compressed implementation timelines create compliance obligations and opportunities for strengthening organizational resilience. To navigate these changes successfully, SMBs must prioritize a phased approach, leveraging cost-optimization strategies and cultural change initiatives. The key is to transform compliance from a burden into a strategic advantage. Failing to adapt puts SMBs at considerable risk, as demonstrated by the statistic that "60% [of SMBs] fail within six months of a breach."

    1. Core Changes to the HIPAA Security Framework

    * Elimination of "Addressable" Implementation Specifications: The removal of the distinction between "required" and "addressable" safeguards is a fundamental shift. The revised rule "mandates implementation of all security controls unless specific documented exceptions apply." This directly addresses the previous tendency of SMBs to treat these standards as optional. Specific examples now mandated include:
      * Multi-Factor Authentication (MFA): "Now required for all system access points handling ePHI, replacing previous conditional implementations."
      * Encryption: "Mandatory for ePHI both at rest and in transit, closing previous loopholes for internal network communications."
      * Network Segmentation: "Requires documented segmentation strategies preventing lateral movement during breaches."
    * Expanded Technical Safeguards: The updated Technical Safeguards (45 CFR §164.312) introduce 14 new implementation specifications aligning with NIST Cybersecurity Framework standards. This expansion creates "technical debt requiring immediate prioritization" for SMBs. Examples of the added or emphasized safeguards include:
      * Maintaining comprehensive technology inventories updated quarterly.
      * Developing network topology maps tracking ePHI flow across systems.
      * Implementing session timeout policies for inactive systems.
      * Extending workstation security controls to mobile devices.
      * Automated patch management within 30 days of release.
      * Removal of unnecessary software from ePHI systems.

    2. GRC Program Transformations

    * Integrated Risk Management Frameworks: The updates mandate alignment between HIPAA compliance and enterprise risk management programs. Key integration points include:
      * Unified risk register (mapping HIPAA vulnerabilities to corporate risk appetite).
      * Annual security validation for all business associates.
      * Contractual requirements for 24-hour breach notifications.
      * Executive reporting (monthly dashboards and board-level briefings).
    * Compliance Lifecycle Acceleration: Implementation timelines are being compressed, requiring more agile compliance processes:
      * Previous cycle:
        * Risk analysis - Biannual
        * Security training - Annual
        * Policy updates - Event-driven
      * 2024 Proposed Rule changes:
        * Risk analysis - Continuous monitoring + annual formal review
        * Security training - Quarterly + post-incident refreshers
        * Policy updates - Annual review + change-triggered updates

    3. Technical Implementation Roadmap

    * Phased Control Deployment: For resource-constrained organizations, a phased approach is recommended:
      * Phase 1 (0-6 months): Gap analysis, MFA implementation, enterprise encryption.
      * Phase 2 (6-12 months): Asset inventory, penetration testing, and network segmentation.
      * Phase 3 (12-18 months): GRC platform integration, automated vendor risk assessments, continuous monitoring.
    * Cost Optimization Strategies:
      * Leverage compliance-as-a-service: MSP partnerships, cloud-based encryption.
      * Automate documentation: Tools generating audit-ready reports and AI-assisted policy creation.
      * Pool resources: Join healthcare ISACs and collaborate on training.

    4. Operationalizing Cultural Change

    * Leadership Engagement Tactics: Map HIPAA requirements to business outcomes (e.g., reduced insurance premiums) and implement cross-functional governance committees.
    * Staff Enablement Programs: Role-based compliance dashboards, gamified training, and recognition programs for control improvement suggestions.

    5. Anticipating Future Regulatory Trends

    * Emerging Requirements: Anticipate requirements related to AI governance, Software Bill of Materials (SBOM) adoption, and Zero Trust architecture.
    * Strategic Preparation Steps: Conduct tabletop exercises, allocate a budget for adaptive controls, and build partnerships with academic cybersecurity programs.

    "The 2024 HIPAA changes present SMB cybersecurity leaders with challenges and strategic opportunities." By modernizing GRC programs, SMBs can "reduce breach risks," "improve operational efficiency," and "enhance market position." The immediate next steps include conducting a formal gap assessment, briefing executives, and exploring managed security services. For SMBs that successfully navigate this transition, the HIPAA updates offer a pathway to building cyber resilience that supports compliance and business growth.

    Key Statistics & Concerns Highlighted:
    * 747 large breaches exposing 168 million records in 2023
    * 43% of SMBs historically treated "addressable" specifications as optional
    * 60% of healthcare organizations targeted by ransomware
    * 34% of breaches originate through business associates
    * $1.85M average breach cost threatening SMB viability
    * 49% of healthcare data breaches involving unencrypted devices
    * 58% of breaches stem from human error
    * 82% of healthcare employees targeted by social engineering
    * 73% of surveyed providers expect mandatory zero trust architectures by 2026
    * SMBs investing in HIPAA modernization achieve 34% faster audit cycles and 27% lower cyber insurance premiums

    Recommendations:
    * Prioritize gap assessments against the updated requirements.
    * Secure executive-level buy-in and resource allocation.
    * Explore managed security services and compliance-as-a-service solutions.
    * Invest in staff training and awareness programs.
    * Begin planning for future regulatory trends like AI governance and Zero Trust architectures.

    Thank you for taking the time to read the SMB Tech & Cybersecurity Leadership Newsletter!
    I truly hope you found it valuable. If you did, I’d be grateful if you could share it with others who might also benefit from it!

    Product Shoutout: Omnistruct

    Expert Governance Team + GRC Platform = Your Outsourced Risk Management Leadership

    ELEVATE YOUR CYBERSECURITY WITH OMNISTRUCT’S PROVEN SERVICES. Achieve superior data and privacy security at a fraction of the cost of building an in-house team. We can fast-track compliance, reduce risks, and help you focus on what you do best. Learn more here: https://omnistruct.com/partners/influencers-meet-omnistruct/

    This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  38. 84

    The Importance of Data Security Posture Management for SMB Leaders

    Embracing the Importance of Data Security Posture Management (DSPM) for SMB Tech, Cyber, and Business Leaders

    In today’s digital-first world, data is the lifeblood of every organization, including small and medium-sized businesses (SMBs). However, with the increasing adoption of cloud services, artificial intelligence (AI), and remote work environments, managing data security has become more complex. Data Security Posture Management (DSPM) is emerging as a critical solution for modern businesses to protect sensitive information, ensure compliance, and mitigate risks.

    Why DSPM Matters for SMBs

    DSPM is essential for SMBs because it provides comprehensive visibility into where sensitive data resides, whether on-premises, in the cloud, or across SaaS platforms. This level of insight is particularly valuable for smaller organizations that often face challenges with shadow IT and data sprawl. By understanding where their data lives, SMBs can better manage it and reduce risks associated with unknown or unprotected assets.

    Another critical benefit of DSPM is its ability to identify and mitigate risks proactively. It continuously monitors data access and usage patterns to detect vulnerabilities such as misconfigurations or over-permissive access controls. For SMBs operating with limited security resources, this proactive approach ensures that potential issues are addressed before they escalate into costly breaches.

    DSPM also simplifies compliance efforts by mapping regulatory requirements to an organization’s data policies. For SMBs that must adhere to regulations like GDPR, HIPAA, or PCI DSS, DSPM automates many processes involved in audits and reporting. This reduces the burden on internal teams and ensures compliance gaps are identified and resolved efficiently.

    From a financial perspective, DSPM offers cost efficiency by reducing the likelihood of data breaches. This provides an invaluable safeguard for SMBs that may struggle to recover from the economic and reputational damage caused by such incidents. Additionally, it enables secure collaboration by ensuring that sensitive data is only accessible to authorized users without disrupting workflows—an essential feature for businesses aiming to balance security with operational efficiency.

    Comparison of Leading DSPM Tools

    Here’s a summary of some notable DSPM tools, including Microsoft Purview and other competitors:

    * Microsoft Purview is a strong choice for organizations already embedded in the Microsoft ecosystem. It integrates seamlessly with Microsoft 365 and Azure environments and offers advanced features like insider risk management and dynamic reporting. However, its effectiveness diminishes for businesses outside the Microsoft ecosystem or those using non-Azure platforms.
    * Varonis DSPM excels in automated risk remediation and insider threat detection while supporting multi-cloud environments. Its robust capabilities make it a good fit for SMBs looking for a comprehensive solution. However, it places less emphasis on cloud-native environments and may require hands-on setup expertise.
    * CloudDefense.AI offers real-time monitoring and robust compliance automation features that are scalable for growing businesses. While its capabilities are impressive, initial setup can be challenging for teams without specialized knowledge, and new users may experience a steep learning curve.
    * Prisma Cloud by Palo Alto Networks provides comprehensive support for cloud-native environments and includes prebuilt classifiers for identifying sensitive data. Despite its strengths, its high cost may be prohibitive for smaller organizations, and scanning performance can slow down in larger cloud systems.
    * Securiti DSPM is particularly well-suited for compliance-heavy industries due to its extensive support of regulatory frameworks. However, its feature-rich platform can be overwhelming for smaller teams, and its scanning of unstructured data could be improved.

    How SMB Leaders Can Leverage DSPM

    To successfully implement DSPM, SMB leaders should begin by conducting thorough discovery processes to identify all sensitive data across their organization’s environments. This includes structured data like databases and unstructured data stored in SaaS applications or cloud platforms. Understanding where sensitive information resides is the foundation of any effective DSPM strategy.

    Once discovery is complete, leveraging AI-driven classification capabilities to categorize data based on sensitivity levels, such as personally identifiable information (PII) or protected health information (PHI), is crucial. Automating this process minimizes human error while ensuring consistent application of security policies across all environments.

    Continuous monitoring should also be prioritized to detect unauthorized access or suspicious activity in real time. This proactive approach allows SMBs to respond quickly to potential threats before they escalate into significant incidents. Simultaneously, organizations must focus on aligning their data policies with relevant regulations using DSPM tools that offer automated compliance checks. This ensures that regulatory requirements are met without burdening internal teams.

    Integration with existing tools is another key consideration when adopting DSPM solutions. Choosing a tool that works seamlessly with an organization’s current cybersecurity stack—such as CSPM tools for infrastructure security—can enhance overall efficiency and effectiveness.

    Finally, educating employees about secure data practices and how DSPM supports business resilience is critical to fostering a culture of security awareness within the organization.

    Actionable Summary

    Implementing a robust DSPM strategy is no longer optional for SMB tech, cyber, and business leaders seeking to strengthen their cybersecurity posture—it’s essential. By embracing DSPM solutions like Microsoft Purview or alternatives such as Varonis or CloudDefense.AI, organizations can gain critical visibility into their sensitive data while proactively mitigating risks. Automation should be leveraged wherever possible to reduce manual workloads while ensuring compliance with evolving regulations.

    Ultimately, SMBs must align their chosen DSPM solution with their business needs and industry requirements while prioritizing ease of integration with existing systems. Through careful planning and execution, DSPM can safeguard your most valuable asset—data—while enabling your business to thrive in an increasingly competitive digital landscape.

    Thanks for reading SMB Tech & Cybersecurity Leadership Newsletter! If you gained value from this post, please share it with others.

    Partner Shoutout: Omnistruct

    Expert Governance Team + GRC Platform = Your Outsourced Risk Management Leadership

    ELEVATE YOUR CYBERSECURITY WITH OMNISTRUCT’S PROVEN SERVICES. Achieve top-notch data and privacy security for a fraction of the cost of creating an in-house team. We can expedite compliance, minimize risks, and enable you to concentrate on what you do best. Find out more here

    This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit substack.cpf-coaching.com/subscribe

  39. 83

    The Future of Cybersecurity for SMBs: Trends to Watch

    The digital landscape is evolving rapidly, posing greater cybersecurity challenges for small and medium-sized businesses (SMBs). In 2024, 94% of SMBs reported experiencing cyberattacks—a sharp increase from 73% the year before. Despite limited resources, SMBs are prime targets due to perceived vulnerabilities. This guide explores critical cybersecurity trends shaping the SMB environment and actionable steps businesses can take to mitigate risks.

    Investing in robust cybersecurity strategies is not just about preventing attacks—it’s about safeguarding business continuity, customer trust, and long-term profitability. By staying ahead of emerging threats and implementing effective security measures, SMBs can reduce downtime, avoid costly breaches, and maintain a competitive edge in an increasingly digital economy.

    SMB Tech & Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

    Key Cybersecurity Trends for SMBs

    1. Ransomware Evolution

    Ransomware-as-a-Service (RaaS) platforms are becoming more accessible, targeting businesses with fewer than 1,000 employees. With 82% of such companies already in the crosshairs, SMBs must adopt multi-layered defenses. Implementing ransomware protection ensures business continuity by minimizing operational disruptions and safeguarding sensitive data from extortion attempts.

    Actionable Takeaway: Implement advanced endpoint protection, regular backups, and ransomware-specific incident response plans.

    2. Cloud Security Challenges

    As more SMBs migrate to the cloud, misconfigurations and incomplete data deletion pose serious risks. Unsecured cloud storage can expose sensitive data. Securing cloud environments enables scalable business operations while protecting critical business assets and customer information.

    Actionable Takeaway: Conduct regular cloud configuration audits, enforce strict access control policies, and adopt Zero Trust security models.

    3. AI-Enhanced Threats

    Cybercriminals increasingly leverage AI for more sophisticated attacks. Deepfakes for business impersonation and AI-driven phishing campaigns are on the rise. Staying ahead of AI-driven threats protects brand reputation and prevents the financial and legal repercussions associated with data breaches.

    Actionable Takeaway: Invest in AI-powered threat detection tools, continuously train staff on spotting AI-driven scams, and update phishing simulations regularly.

    Strategic Cybersecurity Focus Areas

    In a world where cyber threats evolve daily, SMBs must focus on key cybersecurity areas that deliver both immediate and long-term protection. The following strategic focus areas are foundational pillars that enable businesses to defend against modern cyber risks while aligning with broader organizational goals.

    Adopting a strategic cybersecurity approach helps SMBs enhance operational resilience, reduce financial and reputational risks, and ensure compliance with industry standards. By addressing these key areas, SMBs can transform cybersecurity from a reactive expense into a proactive investment that drives business success.

    1. Essential Security Measures

    Robust security measures form the foundation of any effective cybersecurity strategy. SMBs must adopt comprehensive and proactive approaches to safeguard their digital assets. This includes technical safeguards, system maintenance, and policy enforcement that collectively create a resilient security posture.

    * Multi-Factor Authentication (MFA): Strengthen access controls by requiring multiple verification methods, reducing the risk of unauthorized access.
    * Regular Updates & Patches: Keep all systems, applications, and devices up to date with the latest patches to fix known vulnerabilities and reduce exposure to cyber threats.
    * Endpoint Protection: Implement advanced endpoint protection solutions to detect, prevent, and respond to cyber threats targeting connected devices.

    By enforcing these security measures, SMBs can minimize vulnerabilities, improve incident response capabilities, and ensure data integrity, ultimately reducing potential business disruptions and fostering a secure operational environment.

    2. Employee Security Awareness

    Cybersecurity is only as strong as its weakest link, and employees often represent the first line of defense against cyber threats. Building a culture of security awareness through continuous training and clear policies can significantly reduce human-error-driven breaches.

    * Phishing Recognition Training: Conduct quarterly simulated phishing tests to help employees recognize and report suspicious emails, links, and attachments.
    * Remote Work Security: Enforce secure remote work protocols, including VPNs, encrypted devices, and secure communication tools.
    * Security Awareness Campaigns: Promote ongoing staff education through workshops, newsletters, and interactive modules that cover emerging threats and best practices.
    * Incident Reporting Protocols: Establish clear procedures for employees to report security incidents promptly, ensuring swift responses and minimal impact.

    An informed workforce strengthens organizational defenses and fosters a proactive security culture that continuously adapts to evolving threats.

    3. Zero Trust Architecture

    Zero Trust Architecture (ZTA) is a comprehensive cybersecurity framework built on "never trust, always verify." It assumes that threats can originate inside and outside the network, necessitating strict access controls and continuous verification of every user, device, and application attempting to access resources.

    * Adopt the "Never Trust, Always Verify" Principle: Every access request should be considered untrusted until verified through identity checks, contextual data, and system health verification.
    * Enhance Identity Verification and Access Management: Use authentication methods such as Multi-Factor Authentication (MFA), role-based access controls, and biometric authentication to ensure only authorized users gain access.
    * Deploy Automated Threat Detection and Incident Response Tools: Use AI-powered monitoring systems to detect anomalies in real time, initiate automated responses, and isolate affected systems to contain breaches.
    * Micro-Segmentation: Divide the network into isolated segments to minimize potential damage from breaches by limiting lateral movement within the network.
    * Least Privilege Access: Restrict users to the minimum access required for their roles, reducing the risk of insider threats and compromised credentials.

    Implementing a zero-trust framework ensures continuous protection by verifying every access request, reducing potential damage from insider threats, and strengthening an organization’s overall security posture.

    Conclusion

    Cybersecurity threats against SMBs are intensifying. By understanding these emerging risks and implementing strategic security measures, SMBs can fortify their defenses and maintain operational resilience. Stay proactive and secure your business against the evolving cyber threat landscape.

    Protect your business today! Contact our cybersecurity experts for a personalized security consultation and ensure your SMB stays ahead of cyber threats in 2025 and beyond.

    Thanks for reading SMB Tech & Cybersecurity Leadership Newsletter! If you have gained value from this post, please share it with others!

    Product of the Week Shout out: Cyvatar.ai

    How often do you track the maturity of your program or the implementation status of your controls? As an SMB, it can sometimes be hard to access cybersecurity assessments and tooling; here is a self-assessment tool that you can use to see where your business stands. If you are looking for a security resource to help guide you through the assessment or the maturation of your security program, see where your program scores: https://cyvatar.ai/cybersecurity-self-assessment/?via-rr=CHRISTOPHE77

  40. 82

    Enhancing Cybersecurity for SMBs: Key Metrics That Matter

    Discover essential cybersecurity metrics that can enhance the security posture and resilience of small and medium-sized businesses (SMBs) in a rapidly evolving digital landscape.

  41. 81

    Understanding the Cybersecurity Insurance Landscape for SMBs

    An essential guide for SMBs to navigate cybersecurity insurance, covering key components, types, costs, and tips for selecting the right policy.

  42. 80

    Crafting a Robust Cybersecurity Budget for Small Businesses

    Cybersecurity protects digital assets, your business's reputation, and operational continuity. Recent trends reveal that nearly half of all cyberattacks target SMBs. The consequences of inadequate cybersecurity include data breaches, financial losses, and erosion of customer trust.

  43. 79

    NetFlow Analysis: A Game-Changer for SMB Network Security and Efficiency

    Small and medium-sized businesses (SMBs) often struggle with network security. The landscape can feel overwhelming, especially with limited budgets, constrained resources, and the need to wear multiple hats. Many SMBs view advanced security tools as out of reach and reserved for large organizations with expansive budgets and dedicated teams. However, NetFlow is a hidden gem within reach of most businesses.

    NetFlow is like having a security camera on your network, but instead of capturing visual data, it records the conversations happening within your network—who’s talking to whom, when, and what information is being exchanged. This network protocol collects IP traffic data flowing through your routers and switches, allowing you to monitor and analyze your network in real time. With the right tools, NetFlow transforms this data into actionable insights, allowing you to proactively identify unusual patterns and address potential threats.

    Imagine a scenario where your business experiences a sudden website crash. This might be due to a Distributed Denial of Service (DDoS) attack. NetFlow analysis can help you detect such attacks early by identifying unusual traffic spikes from malicious IP addresses, enabling you to mitigate the threat before it disrupts your operations. Similarly, NetFlow can highlight subtle signs of data breaches, like unusual data transfers to unknown locations, even during off-hours.

    One of NetFlow's most compelling aspects is its accessibility for SMBs. Unlike many high-cost solutions, NetFlow leverages existing network infrastructure, making it cost-effective. Most modern routers and switches already support it, so there’s no need for expensive hardware upgrades.

    Beyond security, NetFlow offers operational benefits. It provides insights into bandwidth usage, application performance, and network bottlenecks, enabling you to optimize your network and plan for future growth. Additionally, its ability to integrate seamlessly with tools like Security Information and Event Management (SIEM) systems creates a unified security ecosystem, enhancing threat detection and response.

    For SMBs looking to get started with NetFlow, the first step is to assess your network infrastructure for compatibility. Begin by monitoring critical network segments, such as servers with sensitive data, and invest in training for your IT team to ensure they can interpret NetFlow data effectively. Consider your specific security and operational goals when choosing a tool that balances functionality, ease of use, and affordability.

    NetFlow empowers SMBs to improve their security, enhance network performance, and gain a competitive edge. It’s an essential tool in today’s cybersecurity landscape—powerful, accessible, and transformative. The journey begins with a single step: check your infrastructure, train your team, and start leveraging NetFlow's power.

    A Caveat for SMBs Using Cloud Services

    For SMBs relying heavily on cloud services or Infrastructure as a Service (IaaS) platforms, NetFlow analysis might not fully apply. Many cloud providers do not offer granular access to traffic flow data at the level required for NetFlow analysis. Instead, these organizations might need to rely on the cloud provider’s monitoring tools and security features. If this applies to you, it’s essential to understand what visibility and controls your cloud provider offers and explore complementary solutions.

    Thanks for reading SMB Tech & Cybersecurity Leadership Newsletter! If you found value in this post, feel free to share it.

    Product shoutout: Tenable

    CPF Coaching recommends Tenable for your vulnerability scanning needs. Proactive vulnerability management is crucial to your organization's healthy hygiene. Check it out here: https://shop.tenable.com/cpf-coaching

    Cyvatar.ai

    How often do you track the maturity of your program or the implementation status of your controls? As an SMB, it can sometimes be hard to access cybersecurity assessments and tooling; here is a self-assessment tool that you can use to see where your business stands. If you are looking for a security resource to help guide you through the assessment or the maturation of your security program, see where your program scores: https://cyvatar.ai/cybersecurity-self-assessment/?via-rr=CHRISTOPHE77

  44. 78

    Maximizing Cybersecurity for SMBs: The Power of Alerting Systems

    As a senior cybersecurity leader and advisor, I've witnessed firsthand the evolving landscape of digital threats facing small and medium-sized businesses (SMBs). In today's interconnected world, cybersecurity is no longer a luxury but a necessity for businesses of all sizes. The rapid digitalization of operations, coupled with the increasing sophistication of cyber attacks, has made it imperative for SMBs to implement robust security measures.

  45. 77

    Essential Cybersecurity Tips for Small Businesses in 2024

    Cybercriminals are progressively targeting small businesses. Implementing strong cybersecurity measures is essential to safeguarding your business. This guide provides a thorough overview of how to help protect your small business from cyber threats in 2024.

  46. 76

    Securing Remote Workforces: Best Practices for SMBs

    Learn the best practices for securing remote workforces, including implementing strong security policies, enhancing team-wide cybersecurity, and securing home networks. Protect your SMB from cyber threats with these expert insights. Subscribe for future episodes!

  47. 75

    Enabling SMBs to understand and address Insider Threats in their businesses

    Small and Medium-sized Businesses (SMBs) face numerous security challenges, with insider threats ranking among the most damaging but often undiscussed; with the right strategies and a proactive approach, these threats can be effectively mitigated. Insider threats arise from individuals within an organization who abuse their access to sensitive information or systems for unauthorized purposes and harm the company, intentionally or unintentionally. These threats can lead to data breaches, financial losses, reputational damage, and operational disruptions. Unlike external cyber-attacks, insider threats are more challenging to detect because the individuals involved already have authorized access to sensitive resources. Let's explore the growing concern of insider threats in SMBs and offer practical strategies to mitigate them, with the potential for success and a more secure future for your business.

    1. Introduction to Insider Threats in SMBs

    Defining Insider Threats

    An insider threat occurs when someone with authorized access to a company's systems and data misuses that privilege, maliciously or unintentionally, to harm the organization. This threat can come from current or former employees, contractors, or business partners with legitimate access to sensitive resources. In small and medium-sized businesses (SMBs), insider threats are particularly worrisome because these businesses often have fewer layers of security than larger enterprises. Employees in SMBs may have broader access to systems, which increases the risk of misuse. Insider threats can significantly impact a company's success, leading to severe consequences such as data breaches, financial losses, reputational damage, and operational disruptions. Whether the intent is to steal data, sabotage operations, or unintentionally expose sensitive information, the effects of insider threats can be devastating.

    The Growing Concern for SMBs

    Recent cybersecurity reports, such as one from the Ponemon Institute, indicate that insider threats have grown by nearly 50% over the past few years. This trend is alarming, particularly for SMBs, which often lack the sophisticated security infrastructure of larger organizations. These larger organizations might have dedicated security teams, advanced threat detection systems, and regular security audits, which SMBs often lack the resources to implement. The smaller teams and limited resources of SMBs make it challenging to implement comprehensive security measures, leaving them more vulnerable to insider attacks. Additionally, SMBs may not always have dedicated IT staff to monitor security threats in real time. With the rise of remote work and increased digital reliance, insider threats are becoming an even more pressing issue for small businesses.

    2. Mitigating Employee-Related Risks

    Identifying Potential Risks

    The first step in addressing insider threats is identifying the potential risks that employees may pose. Common risk factors include disgruntled employees who may be motivated to harm the business, accidental data leaks due to negligence, and weak access control policies that give too much access to sensitive information. SMBs can reduce these risks by employing behavioral monitoring technologies that track abnormal employee activities. For example, unusual login times, unauthorized file access, or abnormal data transfers can serve as red flags. Identifying these risks early on enables SMBs to take proactive steps before damage occurs.

    Implementing Preventative Measures

    Small and medium-sized businesses (SMBs) need to establish and enforce strong preventive measures to minimize the risk of insider threats. Implementing strict access control policies is one of the most effective methods for protecting sensitive data. These policies should follow the principle of least privilege, meaning that employees should only have access to the data and systems necessary for their specific roles. This principle ensures that even if an employee's credentials are compromised, the potential damage is limited to the data and systems they can access, reducing the overall risk. It's crucial to regularly review and update these access controls to prevent employees from retaining unnecessary permissions after role changes. Additionally, businesses need to conduct thorough background checks on new hires, closely monitor employee activities for any signs of suspicious behavior, and ensure the encryption of sensitive data to prevent unauthorized access.

    3. Insider Threat Identification Techniques

    Behavioral Monitoring Technologies

    Behavioral monitoring technologies are crucial in identifying insider threats; these technologies monitor and analyze employee activities, including email communications, network access, file transfers, and login patterns. For instance, sudden access to large volumes of sensitive data or downloading files outside of regular business hours could indicate an insider threat. However, small and medium-sized businesses (SMBs) must balance these technologies with privacy concerns by ensuring employees are aware of the monitoring while safeguarding their data. It's important to note that while these tools are powerful, they are not infallible and may sometimes produce false positives that require careful interpretation.

    Early Detection Strategies

    Early detection of insider threats is critical to limiting potential damage. Anomaly detection systems, user behavior analytics (UBA), and machine learning algorithms are powerful tools that can flag suspicious activities before they escalate into major incidents. These tools establish a baseline of normal behavior for each employee and then detect deviations that may signal malicious intent or accidental data exposure. For example, an anomaly detection system could identify employees accessing customer data they usually wouldn't, prompting a deeper investigation. SMBs that deploy these strategies can reduce the risk of significant financial or reputational harm by catching threats in their early stages.

    4. Effective Access Control Policies

    Developing Robust Policies

    Small and medium-sized businesses (SMBs) must establish effective access control policies to safeguard sensitive information. These policies dictate which employees can access particular data, ensuring access is only given to those who need it for their specific roles. SMBs should focus on implementing role-based access control (RBAC) systems, where permissions are based on the employee's job function rather than their seniority or length of employment. This approach reduces the risk of unauthorized access. Additionally, these policies should include multi-factor authentication (MFA), which requires employees to confirm their identity through multiple methods before accessing critical systems. By limiting access, SMBs can significantly minimize their risk exposure.

    Regular Audits and Updates

    Access control policies must be regularly audited and updated to remain effective. As companies grow, adopt new technologies, or restructure their teams, access requirements may change, making it necessary to review who has access to sensitive information. Regular audits of user permissions ensure access is appropriately restricted and help uncover potential vulnerabilities. SMBs should also keep up with technological advancements and regulatory changes that may impact their security policies. For example, a company handling personal data may need to adjust its access policies to comply with new data protection laws, such as GDPR or CCPA.

    5. Enhancing Employee Security Awareness

    Training Programs for Employees

    Security awareness training is an essential part of any insider threat mitigation strategy. Employees are often the first line of defense against insider threats, and ensuring they understand security best practices can significantly reduce risks. SMBs should implement regular training programs to educate staff on identifying phishing emails, recognizing suspicious behavior, and protecting sensitive data. These training sessions should be mandatory and updated to reflect new threats or technologies. By instilling a strong sense of security and responsibility among employees, businesses can reduce accidental leaks and empower workers to report potential threats.

    Creating a Security-Conscious Culture

    Beyond training, SMBs must foster a security culture where employees feel a shared responsibility for protecting the organization's data. This can be achieved by encouraging open communication about security risks and promoting a non-punitive approach to reporting mistakes. When employees are comfortable reporting potential security issues or acknowledging errors without fear of retribution, the organization can address vulnerabilities faster. Leadership should lead by example, emphasizing the importance of security at all company levels. Secure password managers and data encryption software can help employees make better daily security decisions.

    6. SMB Insider Threat Solutions

    Customized Solutions for SMBs

    SMBs face unique challenges regarding insider threats, and several solutions are designed specifically for smaller businesses. These solutions often prioritize ease of use, scalability, and cost-effectiveness, ensuring that SMBs can implement them without needing a large IT team. Some options include cloud-based security platforms that offer real-time threat monitoring, employee behavior analysis, and integrated access control management. SMBs should evaluate these solutions based on their specific needs, ensuring that the chosen tools can seamlessly integrate into existing systems without disrupting business operations.

    Integration and Implementation

    Careful planning and a clear understanding of the organization's security infrastructure are necessary to implement an insider threat solution. Small and medium-sized businesses (SMBs) should begin by thoroughly assessing their current systems and identifying gaps in their defenses. Once a solution has been chosen, it is essential to ensure that employees are effectively trained to use it. Integration should be carried out in phases, with continuous monitoring to measure the new system's effectiveness. Regular reviews and updates are necessary to adapt the solution to evolving threats and ensure ongoing protection.

    Summary of Key Points

    Insider threats pose a significant risk to SMBs, especially those with limited resources dedicated to security. Businesses can significantly reduce the chances of a damaging insider attack by identifying potential hazards, implementing robust access control policies, and leveraging behavioral monitoring technologies. Additionally, enhancing employee security awareness and creating a security-conscious culture can help prevent accidental leaks and deter malicious actors.

    As cybersecurity technology advances, small and medium-sized businesses (SMBs) must proactively address insider threats. In the future, managing insider threats will likely involve improvements in AI-powered detection systems and more customized solutions for smaller businesses. SMBs that stay vigilant, regularly update their security measures, and cultivate a security-conscious workforce will be better equipped to protect their assets and succeed in the digital age.

    If you need help with your security strategy, CPF Coaching is here for you. Visit https://www.cpf-coaching.com/booking to have an introductory conversation.

  48. 74

    Understanding and Mitigating Phishing Attacks in SMBs

    Phishing attacks are a growing threat to Small and Medium Businesses (SMBs), targeting their sensitive data and financial resources. These deceptive messages, usually delivered by email, trick employees into revealing credentials or other confidential information, or into downloading malware. For an SMB, a successful phishing attack can mean significant financial loss, a data breach, and reputational damage. This guide covers the rising danger of phishing, the role of solid email security, and actionable strategies to protect your business from these increasingly sophisticated threats.

    SMB Tech & Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

    1. Introduction to Phishing Attacks in SMBs

    Phishing is one of the most common ways SMBs are compromised. Attackers send deceptive emails that impersonate a trusted party to trick recipients into revealing sensitive information or taking an unsafe action. The impact can be severe: financial loss, data breaches, and reputational damage. Recent statistics show a sharp rise in phishing attacks targeting SMBs, which is why robust security measures are needed.

    Email security is central to protecting SMBs from phishing. Without proper safeguards, businesses are exposed to the threats that ride on email: malware, ransomware, and targeted spear-phishing. Robust email security helps prevent unauthorized access and protects sensitive information.

    This guide covers phishing prevention, threat identification, and effective response strategies, so that by the end you understand how to protect your SMB from phishing attacks.

    2. Phishing Prevention Strategies

    Implementing robust email security measures is the first step in phishing prevention. This includes email filters and spam detection to identify and block suspicious messages, and a secure email gateway that inspects inbound and outbound mail for threats such as malicious links and attachments.

    Train employees to recognize phishing attempts. Regular updates and simulated phishing exercises keep staff vigilant, and teaching them to spot red flags (links whose visible text does not match their destination, senders they do not recognize, display names that imitate a known contact, and artificial urgency) significantly reduces the risk of someone falling for a lure.

    Write clear policies on email use and security. They should define acceptable email practices and a simple, blame-free procedure for reporting suspicious emails; a report that arrives minutes after a click is worth far more than one that never arrives. Regular audits and compliance checks ensure the guidelines are followed and kept current.

    3. Identifying Phishing Threats

    Understanding common phishing tactics is key to spotting them. Phishing emails typically carry an urgent message prompting immediate action, such as clicking a link, opening an attachment, or providing personal information. Distinguish broad phishing from spear-phishing, which is aimed at specific people or roles (finance, executives, IT) and is correspondingly harder to recognize.

    AI and machine learning can enhance detection by analyzing email patterns and flagging suspicious activity. Integrating threat intelligence feeds into your security infrastructure provides timely updates on newly seen phishing domains and campaigns.

    Continuous monitoring helps catch phishing promptly. Tools that offer 24/7 monitoring ensure suspicious activity is detected and addressed quickly, limiting potential damage.

    4. Developing Effective Response Strategies

    Once a phishing attempt is identified, act immediately. If a user clicked a link or opened an attachment, isolate the affected system to prevent malware from spreading; if credentials were entered, reset the password and revoke active sessions for that account, since the attacker may already be logged in. Following a predefined response plan minimizes damage and keeps the network secure.

    Informing stakeholders and affected parties is part of managing a phishing incident. Transparent communication maintains trust, and handling public relations carefully protects your business reputation.

    After the immediate threat is contained, review and revise security measures. A post-mortem identifies weaknesses and prevents repeat incidents, and implementing the lessons learned keeps your security posture improving.

    5. Attack Simulation and Continuous Improvement

    Regular phishing simulations prepare your team for real attacks. They surface weaknesses, improve response, and show how employees actually react to a lure.

    Continuous improvement keeps your defenses effective. Update and enhance controls based on simulation results, and encourage a culture of constant learning so the team stays ready for evolving threats.

    Collecting and analyzing user feedback refines training and security protocols, identifying areas for improvement and confirming that measures are effective and current.

    Conclusion

    Email security, phishing prevention, threat identification, user training, and effective response each play a role in protecting SMBs from phishing. Mitigating phishing requires a proactive, comprehensive approach: stay vigilant, keep improving, and you can significantly reduce the risk to your business. Stay informed, stay prepared, and keep your business safe.

    Product of the Week: INE Training

    INE offers a wide range of training programs to help your technical and development teams take the actions needed to protect your organization. Those teams can then serve as the first line of support for your users' awareness and security posture. Whether you are an individual or a company, INE has training options you can use today.

    Thanks for reading SMB Tech & Cybersecurity Leadership Newsletter! If you found value in this post, share it with others who might appreciate it as well.
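The red flags the guide lists in sections 2 and 3 (suspicious links, unfamiliar senders, urgency) can be turned into a mechanical first-pass check that a help desk or mail filter runs before a human looks. The following is an added example, not code from the newsletter or from any product it mentions. The two messages, the trusted-domain set and the urgency word list are constructed for illustration; the domain-matching helper is deliberately crude (last two labels) and would need a public-suffix list in production.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not real mail). The first carries the red flags the guide lists:
# a familiar display name on an unfamiliar sender, a Reply-To elsewhere, urgency
# language, and a link whose visible text disagrees with its real destination.
SAMPLE_PHISH = """\
From: "Acme Payroll" <notice@acme-payroll-update.example>
Reply-To: collect@mailbox-free.example
To: staff@acme.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Your payroll access will be suspended. Act immediately.</p>
<a href="http://login.acme.example.attacker.example/reset">https://portal.acme.example/reset</a></body></html>
"""
SAMPLE_LEGIT = """\
From: "Acme Payroll" <payroll@acme.example>
To: staff@acme.example
Subject: March payslips are available
Content-Type: text/html

<html><body><p>Payslips for March are posted.</p>
<a href="https://portal.acme.example/payslips">https://portal.acme.example/payslips</a></body></html>
"""
# Assumed: the business's own domains, and the pressure words staff are taught to notice.
TRUSTED_DOMAINS = {"acme.example"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain (last two labels); adequate for the .example hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_flags(raw_message):
    """Return the red flags found in one RFC 822 message; an empty list means none."""
    msg = message_from_string(raw_message)
    flags = []
    # Unfamiliar sender, and a display name that borrows a trusted brand
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    if from_domain not in TRUSTED_DOMAINS:
        flags.append(f"unfamiliar sender domain: {from_domain}")
        brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
        if any(b in display.lower() for b in brands):
            flags.append(f"display name '{display}' imitates a trusted brand but sender is {from_domain}")
    # Replies routed to a third domain
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = registered_domain(reply_addr.split("@")[-1])
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Urgency language in subject and body (single-part here; multipart is walked too)
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # Links: visible URL text that disagrees with the href, and hrefs off our domains
    collector = _LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        m = re.match(r"https?://([^/\s]+)", shown)
        if m and registered_domain(m.group(1)) != href_domain:
            flags.append(f"link text shows {registered_domain(m.group(1))} but target is {href_domain}")
        if href_domain not in TRUSTED_DOMAINS:
            flags.append(f"link to unfamiliar domain: {href_domain}")
    return flags
```

Running `phishing_flags(SAMPLE_PHISH)` returns six flags and `phishing_flags(SAMPLE_LEGIT)` returns none. The point of the exercise is the link check: the visible text shows the company's own portal while the href lands on a completely different registrable domain, which is exactly what a user hovering over the link is being trained to notice.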

  49. 73

    Enabling SMB Security with Log Analysis and SIEM

    The Business Value of Log Analysis and SIEM for SMBs

    As threats become more sophisticated, robust security measures are essential even for small and medium businesses. One critical component of a comprehensive security strategy is log analysis together with Security Information and Event Management (SIEM). These tools let SMBs detect potential threats early, allowing timely intervention and mitigation.

    Log analysis is the review and interpretation of logs generated by servers, endpoints, network devices, cloud services, and applications. These logs record a wide range of activity, from user logins and configuration changes to system errors, and provide invaluable insight into the health and security of the IT environment. A SIEM takes this further by centralizing log data from multiple sources, normalizing it into a common schema, correlating events across sources, and providing near-real-time analysis to detect and respond to security incidents. For SMB leaders and security teams, investing in log analysis and SIEM can significantly improve threat detection, compliance, and operational efficiency.

    Two prerequisites are easy to overlook: the sources you care about must actually be configured to log the relevant events (failed and successful logins, privilege changes, new services), and every source must have accurate, synchronized time, because correlating events across systems depends on their timestamps agreeing.

    Tasks and Organizational Value

    Implementing log analysis and SIEM can transform how SMBs manage cybersecurity. The benefits go beyond security itself to operational efficiency, regulatory compliance, and overall business resilience.

    * Real-time Threat Detection: By continuously monitoring logs, a SIEM can identify suspicious activity such as repeated failed logins followed by a success, access from unexpected locations, or unusual network traffic patterns, and raise an alert while the intrusion is still in progress. This lets the business respond quickly and minimize damage.
    * Compliance and Reporting: Many industries have strict regulatory requirements for data security and privacy. Centralized log retention provides the detailed audit trails and reports needed to demonstrate adherence to regulations such as GDPR or HIPAA.
    * Operational Efficiency: Log analysis tools automate the collection and parsing of log data, reducing the manual effort required of IT staff and freeing them for more strategic work.

    Current Challenges and Solutions

    Despite the clear benefits of log analysis, SIEM, and MSSP partnerships, SMBs often run into significant obstacles adopting and tuning these solutions, from resource constraints to the sheer complexity of modern threats.

    * Resource Constraints: Limited budgets and staff make it hard for SMBs to deploy and maintain a sophisticated SIEM. Open-source or cloud-hosted services that scale with usage can make the cost manageable.
    * Data Overload: The volume of log data can be overwhelming, leading to alert fatigue and missed incidents. Filtering out noise at the source, tuning detection rules, and assigning severities so that only high-priority alerts are escalated keep the queue manageable.
    * Complexity of Integration: Connecting a SIEM to existing infrastructure can be complex. Choosing solutions with user-friendly interfaces and strong vendor support eases this, and partnering with a Managed Security Service Provider (MSSP) is another option.

    Optimizing with Future Solutions

    As the threat landscape evolves, so must the tools and strategies used to protect digital assets. Log analysis, SIEM, and managed security services continue to gain capabilities that improve detection, streamline operations, and strengthen overall posture.

    * Leverage AI and Machine Learning: Applying machine learning to log data can surface patterns and anomalies that static rules miss, and can automate first-line responses to shorten time to mitigation.
    * Adopt a Zero Trust Model: A Zero Trust framework complements log analysis by verifying and logging every access request regardless of origin, which reduces the risk from insider threats and limits lateral movement within the network.
    * Continuous Training and Education: Ongoing training ensures the team has the skills to use log analysis and SIEM tools effectively as both the tools and the threats change.

    Cost Benefits of Using an MSSP

    Using a Managed Security Service Provider (MSSP) instead of an in-house Security Operations Center (SOC) offers several cost advantages, particularly for SMBs:

    * Cost Efficiency: Establishing an in-house SOC involves substantial expense: hiring skilled cybersecurity professionals, purchasing hardware and software, and maintaining facilities. An MSSP spreads these costs across many clients, giving businesses access to high-quality security services at a fraction of the price.
    * Scalability and Flexibility: MSSPs offer scalable services that adjust to changing needs without additional capital investment, which suits SMBs with fluctuating demands that cannot afford to keep upgrading in-house capabilities.
    * Access to Advanced Technologies: MSSPs provide access to security tooling such as SIEM platforms without the direct cost of purchasing and maintaining them in-house.
    * 24/7 Monitoring and Support: MSSPs offer round-the-clock monitoring, which would require hiring additional shifts if done internally. Coverage continues through nights, weekends, and holidays.
    * Reduced Overhead and Operational Costs: Outsourcing to an MSSP converts fixed costs into variable costs, so the business pays only for the services it needs and can redirect resources to other initiatives.

    Partnering with an MSSP can give SMBs a cost-effective, scalable, and technologically advanced security capability, letting them focus on their core business while maintaining robust protection. One caveat: the MSSP can only watch what you send it, so deciding which log sources are forwarded and agreeing on who acts on an alert remain your responsibility.

    Actionable Summary

    SMB leaders looking to harness log analysis, SIEM, and MSSPs need a strategic approach. The steps below are a roadmap for implementing or optimizing these measures to improve threat detection, ensure compliance, and strengthen security posture.

    * Evaluate and Choose the Right Tools: Assess your organization's needs and select log analysis and SIEM solutions that fit your budget and operational requirements.
    * Implement and Integrate: Integrate the chosen tools with existing IT infrastructure, prioritizing solutions with user-friendly interfaces and strong support, and assess whether an MSSP could improve your monitoring posture.
    * Train and Educate: Train your security team on the latest technologies and best practices in log analysis and threat detection.

    By focusing on these areas, SMBs can significantly improve their ability to detect and respond to cyber threats, safeguard operations, and meet industry regulations.

    Proud shout-out: INE

    Ready to learn with INE? Discover content across Networking, Cybersecurity, Cloud Computing, and Data Science for IT professionals at every level. Why INE? Affordable | Hands-On | Continuous
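The two SIEM behaviours the post leans on, correlation of events into an alert and filtering so that only relevant alerts are escalated, are small enough to show end to end. The following is an added example written for this page, not code from the newsletter or from any SIEM product. The sshd-style log lines, the five-failures-in-sixty-seconds threshold and the severity scheme are all constructed for illustration; a real deployment tunes the threshold and window per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines (not from a real host). 203.0.113.9 guesses passwords and
# then gets in as 'backup'; 198.51.100.4 is an admin who mistypes once and then uses a key.
SAMPLE_LOGS = """\
2024-05-02T09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2024-05-02T09:00:03 host1 sshd[1202]: Failed password for invalid user test from 203.0.113.9 port 51023 ssh2
2024-05-02T09:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 51024 ssh2
2024-05-02T09:00:07 host1 sshd[1204]: Failed password for root from 203.0.113.9 port 51025 ssh2
2024-05-02T09:00:09 host1 sshd[1205]: Failed password for backup from 203.0.113.9 port 51026 ssh2
2024-05-02T09:00:10 host1 sshd[1206]: Connection closed by 203.0.113.9 port 51026 [preauth]
2024-05-02T09:00:12 host1 sshd[1207]: Accepted password for backup from 203.0.113.9 port 51027 ssh2
2024-05-02T09:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-02T09:05:06 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2024-05-02T09:10:00 host1 sshd[1400]: Received disconnect from 198.51.100.4 port 40002:11: disconnected by user
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) (?:password|publickey) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

# Assumed tuning values; a real deployment sets these per environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_events(raw):
    """Normalize raw lines into event dicts. Lines that are not an authentication outcome
    (connection chatter, disconnects) are dropped here: filtering noise before correlation
    is what keeps the alert volume manageable."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        a = AUTH_RE.match(m.group("msg")) if m else None
        if not a:
            continue
        events.append({"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
                       "result": a.group("result"), "user": a.group("user"), "ip": a.group("ip")})
    return events


def correlate(events):
    """Sliding-window correlation per source IP. FAIL_THRESHOLD failures inside WINDOW is a
    medium 'auth_failure_burst'; an Accepted from that IP while the burst is still inside the
    window is a high 'brute_force_then_success', the pattern worth waking someone for."""
    recent_fails = defaultdict(deque)   # ip -> timestamps of failures still inside WINDOW
    burst_reported = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in burst_reported:
                burst_reported.add(ev["ip"])
                alerts.append({"rule": "auth_failure_burst", "severity": "medium",
                               "ip": ev["ip"], "host": ev["host"], "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= FAIL_THRESHOLD:
            alerts.append({"rule": "brute_force_then_success", "severity": "high",
                           "ip": ev["ip"], "host": ev["host"], "user": ev["user"],
                           "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts


def escalate(alerts, min_severity="high"):
    """Prioritization: only alerts at or above min_severity are paged out; the rest wait in
    the review queue so that one noisy source does not drown the analyst."""
    return [a for a in alerts if SEVERITY_RANK[a["severity"]] >= SEVERITY_RANK[min_severity]]
```

On the sample, `parse_events` keeps eight authentication events out of ten lines, `correlate` produces one medium burst alert and one high brute-force-then-success alert for 203.0.113.9 and nothing for the admin's single typo, and `escalate` pages only the high one. The design choice worth copying is that the success is what raises severity: five failures on their own are background noise on any internet-facing host, while five failures followed by a login from the same source is an account you should assume is compromised.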

  50. 72

    Enhancing Threat Detection in SMBs: A Guide to NIST CSF Detection Capabilities

    Understanding the Importance of Threat Detection in SMBs

    Small and medium-sized businesses are increasingly exposed to cyber threats. To scale and innovate safely, they must build in cybersecurity mechanisms that protect their assets and their customers' data. Threat detection belongs in any robust cybersecurity strategy. It goes beyond traditional monitoring by looking for signs of compromise across every plane of business operations: data, control, and identity. The NIST Cybersecurity Framework (CSF) groups this work under its Detect function, which covers continuous monitoring and the analysis of adverse events; these three planes are where SMB leaders can make the biggest difference in how well that function is implemented.

    The Role of Data, Control, and Identity Planes

    Understanding the data, control, and identity planes is crucial to effective threat detection. Each represents a distinct aspect of the business's digital environment and requires its own monitoring and strategies. Focusing on these planes gives SMB leaders a comprehensive approach that aligns with the NIST CSF.

    Data Plane: The data plane is where data is processed, stored, and transmitted. Detection here is about knowing when sensitive information is being accessed or moved in ways that do not fit normal use: bulk downloads, access outside business hours, or transfers to unfamiliar destinations. Data monitoring tools that baseline normal activity and flag deviations are the main instrument.

    Control Plane: The control plane comprises the systems and processes that manage configuration, data flow, and access within the organization: administrative consoles, directory and cloud management interfaces, network and firewall configuration. Detection here focuses on changes: a new administrator, a modified security group or firewall rule, disabled logging. Monitoring these events catches unauthorized changes and is one of the best ways to surface insider threats and attackers who have already obtained credentials.

    Identity Plane: The identity plane covers authentication and authorization of users accessing business systems. Detection here means monitoring sign-in activity and access-control decisions: logins from new locations or devices, MFA prompts that fail or are bypassed, and privilege escalation. Multi-factor authentication and identity management solutions significantly reduce identity-based attacks, and their logs are the raw material for detection.

    Examples of Threat Detection Tasks and Their Value

    Threat detection involves a set of tasks that, done well, significantly strengthen security posture. From continuous monitoring to anomaly detection, they aim to identify and mitigate threats before they cause harm, and understanding their value helps justify them to stakeholders.

    * Continuous Monitoring: Continuously monitoring network traffic and user activity lets the business identify and respond to threats quickly, minimizing the impact of incidents and protecting business continuity.
    * Anomaly Detection: Statistical or machine learning models can learn what is normal for each user and system and flag deviations, giving early warning before attackers complete their objective. Start simple: a user's first login from a new country on a never-seen device is an anomaly worth a look even without a model.
    * Incident Response Planning: A regularly updated incident response plan ensures the business is prepared to handle incidents effectively, reducing downtime and limiting financial and reputational impact.

    Current Environmental Challenges and Overcoming Them

    The cybersecurity landscape constantly evolves, and SMBs face many challenges implementing effective detection: limited resources, a shortage of skilled staff, and changing threats. With the right approach and tools these can be addressed:

    * Leverage Managed Security Services: Partnering with managed security service providers (MSSPs) gives SMBs access to advanced detection tooling and expertise without large in-house investment.
    * Invest in Employee Training: Regular training on cybersecurity best practices helps prevent the human errors that lead to breaches.
    * Adopt Scalable Solutions: Scalable solutions let the business adapt to changing threats and needs without major disruption.

    Optimizing Threat Detection with Future Solutions

    As technology advances, so do detection methods and tools. Looking ahead, SMBs can optimize detection by:

    * Embracing Artificial Intelligence (AI): AI-driven detection can analyze large volumes of data in real time, improving the accuracy and timeliness of threat identification.
    * Implementing Zero Trust Architecture: A zero-trust approach continuously verifies all users and devices, reducing the risk of unauthorized access and generating the access decisions that detection relies on.
    * Utilizing Threat Intelligence: Integrating threat intelligence feeds gives up-to-date information on emerging threats and enables proactive defense.

    Actionable Summary

    To enhance threat detection capabilities, SMB leaders should:

    * Assess Current Security Posture: Conduct a thorough assessment of existing security measures and identify gaps, including which of the three planes you currently have no visibility into.
    * Invest in Technology and Training: Allocate resources to advanced detection tools and ongoing employee training.
    * Develop a Comprehensive Incident Response Plan: Ensure the business can respond swiftly and effectively to incidents.

    By prioritizing threat detection across the data, control, and identity planes, SMBs can build a resilient cybersecurity posture that supports growth and innovation.

    Product of the Week: YouAttest

    YouAttest has created an identity compliance tool suited to MSPs:
    • Plugs into existing identity systems in minutes
    • No API or coding experience required; 100% GUI-driven
    • Can be integrated and supported by current MSP personnel
    • Anyone who can manage Azure AD, Okta, or a similar IAM platform can manage YouAttest
    YouAttest is the fastest time-to-value identity audit product on the market.

    YouAttest identity audits map specifically to NIST SP 800-53 AC-1, AC-4, and AC-6 and meet identity compliance requirements for the following markets:
    • Health Care: HIPAA/HITRUST
    • Financial: SOX, GLB
    • Retail: PCI-DSS
    • Cloud: SOC
    • D.o.D. Contractors: CMMC
    • Int'l: ISO 27001, GDPR

    If you would like to learn more about YouAttest, or if I can help you with your identity governance, reach out to me. YouAttest: [email protected] (Let them know CPF Coaching sent you their way)
    https://youattest.com/youattest-in-the-news/
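The identity-plane and control-plane detection the post describes (monitoring user activity for anomalies, catching unauthorized changes) and the anomaly-detection task in its list can be shown on a handful of audit events. The following is an added example written for this page, not code from the newsletter or from any identity product it mentions. The event schema, the learning-period and current-day events, the admin-role set, the list of who may grant roles and the one-hour linking window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit events in a made-up schema (not any vendor's format).
# HISTORY is the learning period; TODAY is the batch being analysed.
HISTORY = [
    {"ts": "2024-04-01T08:00:00", "user": "bob", "event": "login", "country": "US", "device": "bob-laptop", "mfa": True},
    {"ts": "2024-04-02T08:05:00", "user": "bob", "event": "login", "country": "US", "device": "bob-laptop", "mfa": True},
    {"ts": "2024-04-01T09:00:00", "user": "carol", "event": "login", "country": "CA", "device": "carol-phone", "mfa": True},
    {"ts": "2024-04-03T09:00:00", "user": "carol", "event": "login", "country": "US", "device": "carol-laptop", "mfa": True},
]
TODAY = [
    {"ts": "2024-05-02T03:12:00", "user": "bob", "event": "login", "country": "NG", "device": "unknown-77", "mfa": False},
    {"ts": "2024-05-02T03:15:00", "user": "bob", "event": "role_change", "target": "bob", "role": "GlobalAdmin"},
    {"ts": "2024-05-02T10:00:00", "user": "carol", "event": "login", "country": "US", "device": "carol-laptop", "mfa": True},
    {"ts": "2024-05-02T10:30:00", "user": "alice", "event": "role_change", "target": "dan", "role": "BillingAdmin"},
    {"ts": "2024-05-02T11:00:00", "user": "carol", "event": "login", "country": "CA", "device": "carol-laptop", "mfa": True},
]
# Assumed policy: which roles are privileged and who is allowed to grant them (control plane).
ADMIN_ROLES = {"GlobalAdmin", "BillingAdmin"}
ROLE_ADMINS = {"alice"}
LINK_WINDOW = timedelta(hours=1)   # assumed: how close identity and control findings must be


def build_baseline(history):
    """Identity plane: per user, the countries and devices seen during the learning period."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in history:
        if e["event"] == "login":
            base[e["user"]]["countries"].add(e["country"])
            base[e["user"]]["devices"].add(e["device"])
    return base


def detect(events, baseline):
    """Return findings across the identity and control planes.
    Identity: a login from both a new country and a new device is an anomaly, high if MFA
    was not used. Control: an admin role granted by someone outside ROLE_ADMINS, or granted
    to themselves, is an unauthorized change."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "login":
            b = baseline.get(e["user"], {"countries": set(), "devices": set()})
            new_country = e["country"] not in b["countries"]
            new_device = e["device"] not in b["devices"]
            if new_country and new_device:
                findings.append({"plane": "identity", "severity": "high" if not e["mfa"] else "medium",
                                 "user": e["user"], "ts": ts,
                                 "reason": f"login from new country {e['country']} on unseen device {e['device']}"})
        elif e["event"] == "role_change" and e["role"] in ADMIN_ROLES:
            if e["user"] not in ROLE_ADMINS or e["user"] == e["target"]:
                findings.append({"plane": "control", "severity": "high", "user": e["user"], "ts": ts,
                                 "reason": f"{e['user']} granted {e['role']} to {e['target']}"})
    return findings


def link_planes(findings):
    """Cross-plane correlation: an identity anomaly followed within LINK_WINDOW by a control
    plane change from the same account is the shape of a hijacked account entrenching itself."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    linked = []
    for user, fs in by_user.items():
        ident = [f["ts"] for f in fs if f["plane"] == "identity"]
        ctrl = [f["ts"] for f in fs if f["plane"] == "control"]
        if any(timedelta(0) <= (c - i) <= LINK_WINDOW for i in ident for c in ctrl):
            linked.append(user)
    return linked
```

On the sample data `detect` raises two findings, both for bob: a high identity-plane anomaly (new country, unseen device, no MFA) followed three minutes later by a high control-plane finding (granting himself GlobalAdmin), and `link_planes` ties them together. Carol's login from Canada on her laptop raises nothing, because both the country and the device are in her baseline even though she has not used that exact pair before; that is the trade-off of a simple set-based baseline, and it is the right place to start before reaching for a model.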


ABOUT THIS SHOW

I empower Chief Information Security Officers (CISOs) and Small to Medium-sized Businesses (SMBs) to elevate their cybersecurity strategies, guiding them past stagnation to achieve tangible outcomes. substack.cpf-coaching.com

HOSTED BY

CPF Coaching | Christophe Foulon

Frequently Asked Questions

How many episodes does SMB Tech & Cyber Newsletter | CPF Coaching have?

SMB Tech & Cyber Newsletter | CPF Coaching currently has 50 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

How often does SMB Tech & Cyber Newsletter | CPF Coaching release new episodes?

SMB Tech & Cyber Newsletter | CPF Coaching has 50 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to SMB Tech & Cyber Newsletter | CPF Coaching?

You can listen to SMB Tech & Cyber Newsletter | CPF Coaching on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts SMB Tech & Cyber Newsletter | CPF Coaching?

SMB Tech & Cyber Newsletter | CPF Coaching is created and hosted by CPF Coaching | Christophe Foulon.