Ironside Group

Cybersecurity
Assessment

Ironside Group

February 2026

Prepared by

M3 Networks

Executive Summary

D

0.0 / 4.0

Overall NIST Grade

Critical

0

Unsupported OS, exposed credentials, and no tested recovery plan

Moderate

0

Policy gaps, missing assessments, and infrastructure items

Hardware

0

Aging devices past recommended 4-year lifecycle

Strengths

0

Active security platforms and Platinum tier protections

Ironside Group operates with strong detection capabilities through the M3 Platinum security stack, but lacks foundational governance policies, documented procedures, and has aging endpoint hardware that introduces significant risk.

NIST CSF 2.0 Posture

Security Function Breakdown

Govern F

1.3 / 4.0

No policies, no risk management framework, no oversight structure

Identify D

1.8 / 4.0

No risk assessments, no asset classification, no data handling policies

Protect D

1.7 / 4.0

Legacy OS, no MDM, encryption unverified, M365 security not audited

Detect B

3.0 / 4.0

Blackpoint MDR active, BSN awareness training deployed

Respond C

2.0 / 4.0

No formal IR plan, incident response handled ad-hoc by MSP

Recover F

1.2 / 4.0

No BCP, no documented recovery plan, no tested backup procedures

Strengths

Active Security Protections

Blackpoint MDR

24/7 Managed Detection & Response

0

Active devices

0

Total enrolled

Breach Secure Now

Security Awareness + Phishing Tests

0

Users enrolled

625

ESS / 1000

0%

Phishing fail rate

Keeper Security

Enterprise Password Manager

0

Active users

60

Allocated seats

Mailprotector

Email Security Filtering

0

Licensed mailboxes protected

Platinum Tier

Full M3 Security Stack

M3SecTools bundle: BSN + Mailprotector + Blackpoint + ImmyBot + Keeper + Cisco Umbrella

Hardware

Within Lifecycle

0

Devices running current OS and within lifecycle

Critical Finding

Immediate Action Required

PR.PS-03

Unsupported Operating System

CANNON

Windows Server 2008 R2

End of support: January 2020 — over 6 years without security updates

No patches available for newly discovered vulnerabilities

Active attack vector — known exploits exist in the wild

Why This Matters

This server has been running without security updates for over six years. Think of it as an unlocked door that leads to your entire network. Attackers know exactly how to exploit this software because Microsoft stopped fixing its vulnerabilities in 2020. If CANNON is compromised, it could give an attacker access to every system in your environment.

Your Options

A Replace the server $1,000–$2,500

Migrate workloads to a modern Windows Server with current security patches and ongoing support.

B Isolate from network $500–$1,000

If the server must stay online temporarily, segment it from the rest of the network to contain potential damage.

C Accept the risk $0

Continue as-is, understanding this is the single highest-probability attack vector in your environment.

Critical Findings

Active Threats & Recovery Gaps

DE.AE-02

Dark Web Credential Exposure

0

Breached identities

0

Total records exposed

Why This Matters

Your employees' passwords are already on the dark web. Attackers don't need to hack you — they can just log in. These aren't theoretical risks. These are active credentials circulating in criminal marketplaces right now.

Your Options

A Full credential reset + Keeper enforcement $2K–$3.5K

Force password reset for all breached users, enforce Keeper password manager, enable MFA on all exposed accounts.

B Targeted remediation $1K–$1.5K

Reset credentials for highest-risk users (executive team, finance, admin access) as an immediate first step.

RC.RP-01

No Tested Backup & Recovery

F

Recover score

1.2

/ 4.0

0

Tested recovery plans

Why This Matters

If ransomware encrypts your systems tonight, there is no tested way to get your data back. No documented recovery plan, no verified backup procedures. Every hour of downtime costs real money — payroll still runs, revenue stops, and customers can't be served.

Your Options

A Full BDR + tested recovery $5K–$8K

Deploy verified backup solution, document recovery procedures, run quarterly test restores.

B Emergency verification + runbook $2K–$3.5K

Verify current backup status, create basic recovery runbook with priority system list and contact tree.

Moderate Findings

Governance & Policy 1 of 4

4 findings

$10.5K–$19K total range

NIST: Govern & Identify

GV.PO-01 $3.5K–$6K

No Formal Cybersecurity Policies

If we do nothing: No documented rules for passwords, device use, or data handling. Insurance claims ask "Where are your policies?" — today the answer is "We don't have any."

A Custom policy package — tailored AUP, password, BYOD, encryption policies $3.5K–$6K

B Template starter — industry templates, customize over time $1.5K–$2.5K

ID.RA-05 $4K–$7K

No Prior Risk Assessment

If we do nothing: First formal security review — no risk register tracking which threats matter most. Security spending decisions made without knowing which risks are highest. Insurance apps increasingly require this.

A Full risk register — threats, probability, impact, treatment plan $4K–$7K

B Simplified top-10 — focus on highest-priority risks only $2K–$3.5K

GV.RM-07 $1K–$2K

No Change Management Process

If we do nothing: IT changes happen without documentation or approval. No audit trail means if a change causes a breach or outage, you can't trace what happened. Fails compliance and insurance audits.

A Formal change process — request, review, approve, implement, verify $1K–$2K

B Simple change log — start tracking all IT changes $0–$500

GV.SC-01 $2K–$3.5K

No Vendor Security Risk Assessment

If we do nothing: You share data with dozens of third-party vendors. If one is breached, your data goes with it. No formal security assessment of vendor posture — no inventory of who has access to what.

A Formal risk program — assess vendor security, data handling, breach history $2K–$3.5K

B Critical vendor review — top 5 vendors who handle sensitive data $750–$1.5K

Moderate Findings

Testing & Risk Assessment 2 of 4

4 findings

$9K–$17.5K total range

NIST: Identify & Govern

ID.IM-02 $5K–$10K

No Penetration Testing

If we do nothing: Network never independently tested. Strong defenses exist but no one has verified they actually stop a real attacker. Like having a security system and never testing the alarm.

A Full pen test — external + internal + social engineering $7K–$10K

B External-only test — test what an outsider can reach $5K–$7K

ID.RA-01 $2K–$4K

No Vulnerability Scanning

If we do nothing: 25,000+ new vulnerabilities published every year. Without scanning, you won't know which affect your systems until an attacker finds them first.

A Managed scanning — quarterly internal + external with tracking $2K–$4K/yr

B Annual scan — one comprehensive scan per year $1K–$2K

GV.RM-02 Included

Cyber Insurance Compliance Review

If we do nothing: Insurance policy likely has requirements not met today. If you file a claim and the insurer finds non-compliance, they could deny the claim entirely.

A Included in Platinum — review policy against posture, close gaps $0

B Extended audit — deep-dive with insurer for full alignment $500–$1K

ID.AM-07 $2K–$3.5K

No Data Classification Policy

If we do nothing: Not all data is equal — SSNs are more sensitive than marketing materials. Without classification, everything gets the same minimal protection. In a breach, you need to know immediately what was exposed.

A Full framework — define categories, train staff, handling rules $2K–$3.5K

B Simple 3-tier — Public / Internal / Confidential labels $750–$1.5K

Moderate Findings

Infrastructure & Endpoints 3 of 4

4 findings

$6.5K–$13K total range

NIST: Protect

PR.PS-03 varies

19 Devices on Windows 10 (End of Life)

If we do nothing: Microsoft stopped security updates for Windows 10 in Oct 2025. These 19 machines accumulate unpatched vulnerabilities monthly. Attackers target end-of-life software specifically.

A In-place upgrade — Win11 where hardware supports it $200–$400/device

B Hardware + OS refresh — replace devices that can't run Win11 $2,085/device

PR.DS-01 $1K–$2K

Full Disk Encryption Not Verified

If we do nothing: Lost or stolen laptop data is only safe if encrypted. Can't confirm encryption is active across the fleet. Unencrypted laptop = every file accessible to whoever has it.

A Full audit + enforcement — verify all, enable BitLocker, manage keys $1K–$2K

B Spot check — test sample of devices to estimate exposure $250–$500

PR.PS-01 $2K–$4K

Microsoft 365 Security Not Audited

If we do nothing: M365 has hundreds of security settings — most off by default. Secure Score unknown. Misconfigured M365 is the #1 entry point for business email compromise ($125K avg per incident).

A Full M365 hardening — Secure Score, conditional access, DLP $2K–$4K

B Secure Score baseline — measure current, implement top-5 wins $750–$1.5K

PR.PS-01 $1.5K–$3K

No Mobile Device Management

If we do nothing: Company email/data on personal phones with no controls. Lost phone = no remote wipe. When someone leaves, their device still has company data cached.

A Full MDM — Intune for all, enforce PIN/encryption/remote wipe $1.5K–$3K/yr

B App protection — M365 mobile policies, block data leakage $0–$500

Moderate Findings

Business Continuity & Response 4 of 4

2 findings

$6K–$10K total range

NIST: Respond & Recover

PR.IR-03 $3K–$5K

No Business Continuity Plan

If we do nothing: If your office flooded, had a fire, or suffered ransomware tomorrow — does everyone know what to do? Who calls who? Where do people work? Every hour of unplanned downtime costs real money — payroll still runs, revenue stops, customers aren't served.

A Full BCP — impact analysis, recovery priorities, communication plan $3K–$5K

B Lightweight disaster plan — communication tree, critical systems, contacts $1.5K–$2.5K

RS.MA-01 $3K–$5K

No Incident Response Plan

If we do nothing: When — not if — a security incident occurs, there's no playbook. Who gets called first? What's the immediate action? Without a plan, the first hour is spent figuring out roles instead of responding. That delay is when damage compounds.

A Full IR plan + tabletop — roles, escalation, comms, simulated incident $3K–$5K

B Basic IR runbook — contact list, escalation chain, first steps $1.5K–$2.5K

Hardware Findings

Endpoint Lifecycle Assessment

Replace

0

Devices past 4-year lifecycle

Assess

0

Device with unknown purchase date

Age Range

4.8 - 7.1

Years old (oldest to newest)

Device	Assigned To	Model	Purchased	Age	Status
ISG-LT-021	Anna MacMaster	Lenovo 20L5004HUS	2019-02-06	7.1 yr	Replace
ISG-LT-022	Bob O'Donnell	Lenovo 20QNCTO1WW	2020-09-08	5.5 yr	Replace
ISG-LT-018	Former employee	Lenovo 20SUS34900	2020-11-25	5.3 yr	Replace
ISG-LT-033	Rio Jiang	Lenovo 20SUS34900	2020-11-25	5.3 yr	Replace
DESKTOP-IEM5OVV	Former employee	Lenovo 20SUS34900	2021-01-07	5.1 yr	Replace
ISG-LT-012	Lucinda Linde	Lenovo 20SUS34900	2021-01-25	5.1 yr	Replace
PF2515YK	Glenn Lightfoot	Lenovo 20SUS34900	2021-02-19	5.0 yr	Replace
ISG-LT-020	Dave LeBlanc	Lenovo 20SUS34900	2021-02-26	5.0 yr	Replace
DESKTOP-G2NTJK5	Local admin only	Lenovo 20SUS34900	2021-04-02	4.9 yr	Replace
ISG-LT-003	Local account only	Lenovo 20SUS34900	2021-04-09	4.9 yr	Replace
ISG-LT-045	Dmytro Kreiza	Lenovo 20SUS34900	2021-05-14	4.8 yr	Replace
ISG-LT-037	Tim Kreytak	Unknown	Unknown	? yr	Assess

All devices running Windows 10 (10.0.19045) — end-of-life since October 2025

Remediation Roadmap

90-Day Security Improvement Plan

1

Phase 1

0 - 30 Days

Critical Security Gaps

CRITICAL

CANNON Server Replacement

Windows Server 2008 R2 — isolate or replace immediately

CRITICAL

Dark Web Credential Reset

146 breached identities — force resets for exposed users

CRITICAL

Backup & Recovery Verification

Deploy + verify backup, document basic recovery procedures

HARDWARE

Hardware Refresh

Replace 11 aging devices past 4-year lifecycle

2

Phase 2

30 - 60 Days

Security Foundations

Cybersecurity Policies

AUP, password, BYOD, data classification, remote access, encryption

Penetration Testing

External + internal with social engineering component

Vulnerability Scanning

Recurring internal + external scans with remediation tracking

Risk Assessment + BCP

Formal risk register, business impact analysis, recovery priorities

3

Phase 3

60 - 90 Days

Compliance & Hardening

Windows 10 Upgrades

19 devices to Windows 11 — verify hardware compatibility first

Incident Response Plan

Roles, escalation, communication templates, tabletop exercise

Insurance + Change Mgmt

Review cyber insurance adequacy, implement change control

Vendor Risk Program

Inventory vendors, assess risk, document SLAs and security reqs

Items not addressed
= accepted risk.

Every finding in this assessment represents a gap that threat actors actively exploit. M3 Networks is ready to begin remediation immediately upon approval.

Your Point of Contact

Michael Moore

mmoore@m3networks.com

(832) 930-3463

Investment Summary

Estimated Remediation Costs

These are one-time investments to close the gaps found in this assessment. Each addresses a specific business risk — not just a technical checkbox. Your team decides which to prioritize based on risk tolerance and budget.

Critical

3 Findings — Unsupported Server, Exposed Credentials, No Recovery Plan

$8,000 - $14,000

These three findings represent the highest-probability attack vectors in your environment. Each one alone could lead to a full business disruption.

CANNON server replacement$1K-$2.5K

Dark web credential reset$2K-$3.5K

Backup & recovery plan$5K-$8K

Moderate

14 Findings — Policies, Assessments, Compliance, Infrastructure

$30,000 - $55,000

These address the documentation, testing, and process gaps that cyber insurers and auditors look for. Without them, a claim could be denied or a breach response becomes chaotic. Prioritize based on which risks matter most to your business.

Cybersecurity policies$3.5K-$6K

Penetration testing$5K-$10K

Vulnerability scanning$2K-$4K

Risk assessment$4K-$7K

Business continuity$3K-$5K

Incident response$3K-$5K

Insurance reviewIncluded

Change management$1K-$2K

Vendor risk$2K-$3.5K

Data classification$2K-$3.5K

Encryption audit$1K-$2K

M365 security$2K-$4K

MDM deployment$1.5K-$3K

Hardware

11 Device Replacements + 1 Assessment

$23,325

Every one of these laptops runs Windows 10, which stopped receiving security patches in October 2025. They can't be upgraded to Windows 11 without hardware replacement. Aging hardware also means higher failure rates and lost productivity when a laptop dies mid-workday.

11 replacements at $2,085 each + 1 assessment at $390 Lenovo fleet, 4.8-7.1 years old

Estimated Total Investment

Not all items need to happen at once — your 90-day roadmap phases these by priority

$61,325 — $92,325

CybersecurityAssessment

Security Function Breakdown

Active Security Protections

Immediate Action Required

Active Threats & Recovery Gaps

Governance & Policy 1 of 4

Testing & Risk Assessment 2 of 4

Infrastructure & Endpoints 3 of 4

Business Continuity & Response 4 of 4

Endpoint Lifecycle Assessment

90-Day Security Improvement Plan

Items not addressed = accepted risk.

Estimated Remediation Costs

Cybersecurity
Assessment

Items not addressed
= accepted risk.