Cybersecurity Consulting

Cyber-attacks target every kind of business. Many "hacks" are automated (think viruses and e-mail spam), so even if you don't think you're on anyone's radar, you can still be hit and lose valuable data or the ability to carry out your business. Maine businesses are vulnerable. For example, Augusta's City Center was shut down for two days in April 2019 when it was hit by a ransomware virus -- the kind that locked up their data and threatened to delete it if they didn't pay $100,000 to the hacker.

Securing information systems is difficult particularly because it requires knowledge of many aspects of the technology, not only coding but also databases, networking, server administration, hardware, and even a bit about user psychology. My knowledge in each of these areas comes from over 20 years working with, researching, and teaching about information technology. I'd like to use that knowledge to help you identify and manage the risks you face.

CompTIA Security+ Certified
I've earned the CompTIA Security+ certification, a process that both refreshed and confirmed my knowledge in the area of cybersecurity. Although cybersecurity is a new specialty for me, compared to my longer experience in software development and data analytics, I think it's an area where I can make a big impact for you and your business.

What I can offer:

Auditing & Mitigation

No organization can be completely secure from all threats, but any business can strive for improvement in that direction. One of the first things you will need is to assess your current risks and identify the low-hanging fruit -- those things that you can do most easily that will significantly reduce your risks.

My most basic offering is a cybersecurity audit that will help you get this process going. I'll visit your location, ask lots of impertinent questions about your IT setup, and help you work through a questionnaire and some worksheets to identify vulnerabilities and threats, and quantify your risks. During the visit, I'll also help you perform some of the easiest and most powerful risk-mitigation measures, such as installing antivirus software, adopting a corporate security policy, or linking your employees to video training.

At the end of my audit, you'll receive a detailed report assessing your cybersecurity situation based on the NIST standards, and a prioritized list of recommendations for further risk mitigation. This will be something you can show to your insurance agency, your customers, your investors, or other business partners; and if you repeat it a year later, you'll have concrete evidence of improvement.

Secure Coding

One of the easiest things to get wrong in application development is security. Web and mobile apps that are coded quickly often leave the door open to hackers, pranksters, and other malevolent forces such as spam. As a veteran developer, PhD, and certified cybersecurity pro, I can help you find and plug vulnerabilities like these:

  • SQL injection attacks that expose or damage your database
  • Cross-site scripting and clickjacking attacks on your users
  • Cross-site request forgery hacks that leverage other sites to compromise yours
  • Rookie mistakes like insecure protocols and plaintext passwords

If you're hiring me as a software developer, all the code I write for you is designed with security built in. However, I can also help with code written by others. If you'd like to make sure your applications are secure, I would be happy to review your code, give your IT department a second opinion, or add new security controls to an existing codebase. My skills are sharpest in the Java, Python, and JavaScript languages, although I have worked with many others.

Employee & Manager Training

Many of the most damaging "hacks" target your employees first, their computers second. A fraudulent e-mail may trick you into clicking on a link that downloads malware, or a voice on the phone claiming to be from the IT department may trick you into giving up your password (these are known as "phishing" attacks). The best way to prevent these "social engineering" attacks is by training employees. As a Ph.D. and former faculty member at Arizona State and UMaine, training is one of my greatest strengths.

As with other aspects of cybersecurity, there is a lot of low-hanging fruit. I can offer a half-day seminar to a fairly large group that will raise awareness of the most significant threats and arm your employees with tools and strategies to prevent many of the most common "hacks". This will improve your cybersecurity audit result, and it may be the minimum expected by your insurance company, your investors, government contracts, and so on.

If that doesn't meet your needs, we could scale it up or down. I could design a multi-day training series with hands-on activities to prepare your team for the worst that could happen, including simulated incident response procedures and/or disaster recovery plans. Or going the other direction, I could set up watch-at-your-own-pace video training and give you reports on who has watched which lessons.

Ongoing Monitoring

Continuous monitoring of your cybersecurity situation is possible at many levels. On the technical side, I could monitor your security logs, including firewalls and intrusion detection systems, remotely from my office and give you regular reports. On the organizational side, I can set up video training and monitor employee participation, as well as regularly checking compliance with password policies and the like.

There are also a number of third-party tools I can set up for your organization. For example, a dark-web scan keeps an eye on some of the seedy anonymous websites where stolen identities are traded, and can alert us if any of your employees' usernames and passwords come up for sale. The value of tools like this is well above their price, provided you have an experienced professional to configure them for you.

Rate Sheet

Rates are negotiable based on circumstances. To learn more about the discounts I can offer, call 207-307-1457.

  • Cybersecurity audit (0-20 employees): $1800
  • Cybersecurity audit (20+ employees): call
  • Half-day employee training (up to 40 attendees): $2400
  • Development of corporate security policy, disaster recovery plan, etc.: call
  • Vulnerability scanning & penetration testing: call
  • Ongoing technical and/or policy monitoring: call
  • Security-oriented code review & retrofit: call
  • Standard cybersecurity consulting rate: $600/day or $100/hour
  • Initial consultation: Free!