
A Security Framework Sized for the Business You Actually Run

by Levi Durfee

Every year, Verizon publishes its Data Breach Investigations Report (DBIR). It’s a dense, 117-page analysis of more than 22,000 real-world security incidents, written mostly for enterprise security teams. We dug into this year’s edition because the findings about small businesses rarely make the headlines – and the 2025 numbers are worth paying attention to.

The 2025 DBIR found that small and medium-sized businesses experienced nearly four times as many confirmed breaches as large enterprises. Ransomware showed up in 88% of those SMB breaches, compared to 39% for enterprises. The median ransom paid last year was $115,000 – a number that would end most of the 10-person businesses we work with.

The uncomfortable takeaway: attackers aren’t skipping small businesses anymore. They’re prioritizing them.

The problem with the security frameworks that exist today

When a small business owner decides to take security seriously, the first thing they usually do is Google around for a framework to follow. What they find is a familiar shortlist: NIST Cybersecurity Framework, CIS Controls, ISO 27001, SOC 2.

These are genuinely excellent frameworks. The problem is that they weren’t written with a 10-person ad agency in mind. They assume you have dedicated IT staff, a budget for auditors, and time to produce dozens of pages of documentation. When a business owner who’s also the CEO, head of sales, and HR department tries to work through one, they usually do the reasonable thing and give up.

We see this pattern with the small businesses that come to us. It’s the same pattern we wrote about in why one-size-fits-all cybersecurity fails small businesses. Tools and frameworks built for much larger companies don’t just fail to help – they actively push small businesses away from doing anything at all.

So we’re building a framework that’s shaped for the businesses we actually serve.

Introducing the NerdSec Security Framework

We’re calling it the NerdSec Security Framework (NSF), and it’s designed from the ground up for businesses of roughly 10 to 30 people who don’t have an IT department.

Here’s what that means in practice.

You get a letter grade, not a 50-page report

NSF produces a single-page scorecard with a letter grade from A to F. Behind the grade is a numeric score built from 33 controls, each weighted by how much real-world risk it actually reduces – not by how important a committee felt it was.

If you want the detail, it’s there. But the grade is the thing you’d hand to a client, an insurer, or your board.

It’s built on proven foundations

NSF is derived from CIS Controls v8.1.2 Implementation Group 1 – the tier CIS itself calls essential cyber hygiene, the minimum baseline every organization should meet. We extend it with selected Implementation Group 2 safeguards where they meaningfully reduce risk for small businesses.

We don’t pretend you need a formal vulnerability management program or a written data retention policy. At your scale, automated patching delivers most of the risk reduction a vulnerability program would, without the paperwork. If a control is mostly documentation overhead without meaningful risk reduction at your scale, it isn’t in NSF. That honesty is the point.

Four controls act as gates

The 2025 DBIR found that 88% of SMB breaches involved ransomware. The vast majority of those ransomware incidents trace back to the same small set of failures. So in NSF, four controls act as gates – if you fail any of them, your grade is capped at D regardless of how well you do elsewhere:

  1. MFA enforced on email. Credential abuse was the top initial access vector in the DBIR. Email without MFA is the most exploited door attackers walk through.
  2. Endpoint protection on every device. Modern EDR is what catches the behavior-based attacks we wrote about in The Attacks Hitting Big Companies Are Now Coming for You.
  3. Automated patching. DBIR found vulnerability exploitation as an initial access vector rose 34% year-over-year, with attackers weaponizing newly disclosed vulnerabilities faster than most small businesses patch them.
  4. Automated backups. The difference between restoring your business and paying a ransom is whether your backups actually exist, actually restore, and can’t be deleted by the same attacker who encrypted everything else.

These aren’t the only controls in NSF. But they’re the ones that, if missing, mean nothing else you’ve done will save you when things go wrong.

You can prove it three ways

Every control in NSF supports three levels of evidence:

  • Self-attested – you answer a question and we take you at your word. Fast, good for getting an initial score.
  • Verified – we check the work ourselves. Good for insurance applications or client security questionnaires.
  • Automated – we pull the data directly from your tools (M365, Google Workspace, your EDR, your backup platform). Good for continuous monitoring so your grade reflects reality, not a snapshot from six months ago.

Each level carries a different weight toward your score, so the businesses that invest in proof get credit for it.
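To make the two mechanics above concrete – the four gate controls capping the grade at D, and evidence levels earning different credit – here is an added, runnable model of that scoring. It is not the framework's own code: the control subset beyond the four gates, every weight, the evidence multipliers, and the letter-grade thresholds are assumptions chosen for the illustration, since the page does not publish NSF's actual numbers.

```python
"""Illustrative model of a gated, evidence-weighted security scorecard.

Every numeric value here (control weights, evidence credit, grade bands) is
an assumption made for this example; the page does not publish NSF's values.
"""
from dataclasses import dataclass

# Credit earned toward a control's full weight at each evidence level.
# Assumed values: the page says only that the levels carry different weights.
EVIDENCE_CREDIT = {
    "missing": 0.0,        # control not in place, or no evidence offered
    "self_attested": 0.7,  # the owner answered "yes" to the question
    "verified": 0.85,      # an assessor checked the work
    "automated": 1.0,      # pulled from the tool itself (M365, EDR, backups)
}

# Letter-grade bands on a 0-100 score, highest threshold first. Assumed.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
GRADE_ORDER = "ABCDF"   # best to worst, used to apply the gate cap
GATE_CAP = "D"          # grade ceiling when any gate control is missing


@dataclass(frozen=True)
class Control:
    id: str
    name: str
    weight: float       # relative risk reduction; assumed for this example
    gate: bool = False  # a missing gate control caps the grade at GATE_CAP


# A seven-control subset standing in for the 33. The four gates match the
# page; the other three controls and all of the weights are assumptions.
CONTROLS = (
    Control("G1", "MFA enforced on email", 10, gate=True),
    Control("G2", "Endpoint protection on every device", 10, gate=True),
    Control("G3", "Automated patching", 8, gate=True),
    Control("G4", "Automated backups", 8, gate=True),
    Control("C5", "Unique account per user, no shared logins", 4),
    Control("C6", "Inventory of company devices", 3),
    Control("C7", "Security awareness training", 2),
)


def score(evidence: dict[str, str]) -> tuple[float, str, list[str]]:
    """Score a business from {control_id: evidence_level}.

    Controls absent from `evidence` are treated as missing. Returns the
    numeric score (0-100), the letter grade after the gate rule, and the
    ids of any gate controls that are missing.
    """
    total = sum(c.weight for c in CONTROLS)
    earned = 0.0
    failed_gates: list[str] = []
    for c in CONTROLS:
        level = evidence.get(c.id, "missing")
        if level not in EVIDENCE_CREDIT:
            raise ValueError(f"unknown evidence level {level!r} for {c.id}")
        earned += c.weight * EVIDENCE_CREDIT[level]
        if c.gate and level == "missing":
            failed_gates.append(c.id)
    numeric = round(100 * earned / total, 1)
    grade = next(g for threshold, g in GRADE_BANDS if numeric >= threshold)
    # Gate rule: one missing gate caps the grade no matter how high the score.
    if failed_gates and GRADE_ORDER.index(grade) < GRADE_ORDER.index(GATE_CAP):
        grade = GATE_CAP
    return numeric, grade, failed_gates


# Constructed sample: everything is automated except backups, which were
# never set up. The raw score lands in the B band; the gate makes it a D.
SAMPLE_BUSINESS = {
    "G1": "automated", "G2": "automated", "G3": "automated",
    "C5": "automated", "C6": "automated", "C7": "automated",
}

if __name__ == "__main__":
    numeric, grade, gates = score(SAMPLE_BUSINESS)
    print(f"score={numeric} grade={grade} missing_gates={gates}")
```

The design point worth noticing is that the gate is applied to the letter grade, not baked into the weights: a business that nails every other control still reads as a D on the scorecard, which is exactly the signal an insurer or client needs when backups or MFA are absent.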

Who it’s for

NSF is built for businesses that:

  • Hold client data, financial information, or creative work worth protecting
  • Don’t have a dedicated IT or security team
  • Are being asked by insurers, clients, or regulators to prove their security posture
  • Need a practical baseline – not a certification project that costs $30,000 and takes nine months

If you have 500 employees and a CISO, you already know NSF isn’t for you. Everyone else – this is the framework we’d want if we were running your business.

What’s coming

NSF v1 launches in the coming weeks. It will include:

  • All 33 controls with plain-language descriptions, why each one matters, and what evidence counts
  • A scorecard you can complete in an afternoon
  • Remediation guidance for every control – ordered steps, honest time and cost estimates, and the common pitfalls to avoid
  • A printable one-page summary you can send to your insurer, your biggest client, or your board

We’ll be opening early access to a small group of businesses first. If you’d like to be part of that group, schedule a call with us and we’ll walk you through it. If you just want to get started on the fundamentals now, you can start for free – no credit card required.

Small businesses deserve a security framework built for the businesses they actually are. That’s what we’re building.