Fixed-Fee Managed IT and Cybersecurity for Small Businesses in Ohio
- Your cyber insurance application is asking about MFA, endpoint detection, and backup testing — and you're not sure what to put
- A client or vendor has asked you to demonstrate how you protect their data, and you don't have documentation to show them
- You're spending unpredictable amounts on IT support — a break-fix call here, a contractor there — and you can't budget around it
- Your team handles customer data, payment information, or business-critical files, and your current backup is a portable drive or "the cloud" without tested recovery
- You don't have an IT person on staff, and you're the one who ends up troubleshooting printers, resetting passwords, and wondering if your antivirus is actually doing anything
Capstone maintains documented security controls for your business, delivers quarterly evidence packages for insurance and vendor requirements, and handles day-to-day IT so you don't have to — all for a fixed monthly cost with no surprise invoices.
Designed for professional services firms, retail operations, and light manufacturing businesses with 2–50 staff that don't employ internal IT.
Most small businesses we work with aren't starting from zero — they've got antivirus on their machines, someone backing things up to a drive or cloud folder, and maybe a firewall they set up a few years ago. What they don't have is documentation that proves any of it works, a tested recovery process if something goes wrong, or a single point of contact when something breaks at 2pm on a Tuesday.
That's where Capstone fits. We're not here to replace everything you've built — we're here to organize it, secure the gaps, document it so you can prove it to an insurer or a client, and keep it running so you can focus on the work that actually makes you money. We've been doing this in Ohio since 2004, and we work exclusively with businesses your size.
The Requirements Your Business Is Actually Accountable For
Even without industry-specific regulators, small businesses face real security and documentation requirements from insurers, clients, payment processors, and state law.
Ohio Breach Notification Law
Ohio Revised Code § 1349.19 requires businesses to notify affected individuals after a data breach involving personal information. Having documented controls can demonstrate reasonable safeguards were in place.
Ohio Data Protection Act (SB 220)
Ohio's safe harbor law provides an affirmative defense against data breach claims for businesses that implement and maintain a cybersecurity program conforming to recognized frameworks like NIST or CIS Controls.
Cyber Insurance Application Requirements
Insurers commonly require documented proof of MFA, endpoint detection and response, backup testing, email filtering, and an incident response plan before issuing or renewing cyber liability coverage.
PCI DSS (If Accepting Cards)
Businesses processing credit card transactions must comply with Payment Card Industry Data Security Standards. Even small merchants using third-party processors typically need to complete a Self-Assessment Questionnaire annually.
Client and Vendor Contract Requirements
Larger clients and supply chain partners increasingly require vendors to demonstrate security controls as a contractual condition. Without documentation, you may not qualify to bid on or retain certain business relationships.
FTC Act Section 5 (Unfair Business Practices)
The FTC can take enforcement action against businesses that fail to implement reasonable data security measures and suffer a breach affecting consumers, even without industry-specific regulations.
Your Quarterly Evidence Package
✓ Privileged access documentation
✓ Password manager status
✓ SOC monitoring summaries
✓ Patch & vulnerability summary
✓ Vulnerability scan results
✓ Secure remote access config
✓ Backup test results
✓ Business continuity & disaster recovery plan
✓ Encrypted email configuration
✓ Retention/hold settings
✓ Phishing simulation results
✓ Policy acknowledgments
Updated quarterly. Ready for insurance applications, vendor questionnaires, and client requests.
What Happens When Controls Aren't Documented
The issue typically isn't that you have no security — it's that you can't prove what you have when it matters.
Insurance Claim Denial
Cyber insurance carriers may deny claims if the business can't demonstrate that the safeguards described in the application were actually in place at the time of the incident. Documented controls and evidence packages provide that proof.
Lost Business Relationships
When a client or supply chain partner asks how you protect their data and you can't produce documentation, the conversation typically ends there. Businesses increasingly treat vendor security as a qualifying requirement, not a nice-to-have.
Unrecoverable Data Loss
Without tested, encrypted backups and a verified recovery process, a ransomware attack, fire, or hardware failure can mean permanent loss of customer records, financial data, and operational files. "We back up to a drive" isn't a recovery plan.
"I wanted to take a moment to thank you again for the managed professional backup you convinced me to implement for my business. Who would have thought that within the next year a fire would destroy everything in my office. Capstone Technologies Group was able to recover all my client data and other important information to what it was before the fire, quickly and painlessly. And what a relief it was to be able to tell my clients that their information was safe and restored."
Controls Mapped to Requirements
Each safeguard we implement addresses specific requirements from insurers, clients, or state law. We deploy the controls, document them quarterly, and provide evidence packages you can attach to insurance applications, vendor questionnaires, and internal records.
Why your business needs this: Stolen or weak passwords are the most common way attackers get into small business systems. Multi-factor authentication adds a second step — typically a code on your phone — so a compromised password alone isn't enough. Cyber insurance applications now specifically ask whether MFA is enforced on email, remote access, and administrative accounts.
What we implement: MFA enrollment for all users across email, VPN, and cloud services. Enterprise password management so your team uses unique, strong passwords without writing them on sticky notes. Privileged access controls that limit administrative rights to only the accounts that need them.
Satisfies: Cyber insurance MFA requirements, Ohio Data Protection Act (SB 220) recognized framework controls, client/vendor security questionnaires
Why your business needs this: Attacks don't happen during business hours. Ransomware typically deploys at night or over weekends when nobody's watching. A Security Operations Center (SOC) monitors your systems around the clock and can isolate a compromised machine before the attack spreads to your server or other workstations.
What we implement: 24/7 SOC monitoring with endpoint detection and response (EDR) on every workstation and server. SIEM log collection and analysis that correlates events across your environment to catch patterns a single antivirus tool would miss. Automated alerting and containment so threats are addressed in minutes, not days.
Satisfies: Cyber insurance EDR and monitoring requirements, Ohio SB 220 framework controls, incident detection and response documentation
Why your business needs this: Backups only matter if they actually work when you need them. We've seen businesses discover their "backup" was either corrupted, months old, or encrypted by the same ransomware that hit their server — because nobody tested it. Immutable backups are write-once, read-many, which means ransomware can't overwrite or encrypt your recovery copies.
What we implement: Encrypted, immutable backups with offsite replication. Scheduled recovery testing so we verify your data is actually restorable — not just "backed up." Documented recovery results included in your quarterly evidence package.
Satisfies: Cyber insurance backup and recovery requirements, business continuity documentation, Ohio SB 220 data protection controls
Why your business needs this: Most breaches start with an employee clicking something they shouldn't — a phishing email, a fake invoice, a spoofed login page. Training doesn't eliminate the risk entirely, but it significantly reduces it, and insurers specifically ask whether your staff receives regular security awareness training.
What we implement: Ongoing security awareness training with tracked completion. Simulated phishing campaigns that test your team's response to realistic attacks and identify who needs additional coaching. Training completion certificates and phishing simulation results included in your quarterly evidence package.
Satisfies: Cyber insurance training requirements, Ohio SB 220 employee awareness controls, client/vendor security questionnaires
Why your business needs this: Email is the primary attack vector for small businesses. Phishing, business email compromise, and invoice fraud all come through the inbox. Beyond blocking threats, businesses that handle customer data or financial information typically need email encryption and retention policies — especially if a legal dispute or insurance claim requires you to produce communications.
What we implement: Advanced email filtering that blocks phishing, malware, and spoofed messages before they reach your inbox. Email encryption for sensitive communications. Retention and archiving policies configured to your business needs. DNS filtering that blocks access to known malicious websites across your network.
Satisfies: Cyber insurance email security requirements, data handling and retention documentation, PCI DSS email and network security controls (if applicable)
Why your business needs this: Unpatched software is one of the most common entry points for attackers — known vulnerabilities with published exploits that simply haven't been fixed yet. Most small businesses don't have a systematic way to apply updates across all machines, and firewall configurations set up years ago may no longer reflect your current environment.
What we implement: Automated patch management across all workstations and servers so security updates are applied consistently, not when someone remembers. Firewall configuration and management. Vulnerability scanning to identify gaps before they're exploited. Secure remote access configuration for employees working offsite.
Satisfies: Cyber insurance patch management and vulnerability management requirements, Ohio SB 220 technical safeguard controls, network security documentation
Built for Businesses Without IT Staff
We work with professional services firms, retail businesses, and manufacturing operations where the owner or office manager is currently the de facto IT department. You shouldn't need to understand SIEM log correlation or EDR deployment to run your business — that's our job.
When something breaks, you call one number. When a vendor asks about your security controls, you forward the quarterly evidence package we already prepared. When your cyber insurance renewal comes up, the documentation is ready — not something you scramble to assemble the week before.
Everything is covered under a fixed monthly cost. No hourly charges for help desk calls, no surprise invoices for patch updates, no separate bills for monitoring versus support. You know what IT costs every month, and you can budget around it.
What Your Cyber Insurance Application Requires
Most SMBs we work with are applying for cyber insurance for the first time. Here's what underwriters typically ask for — and what we document so you can answer "yes" with evidence attached.
Multi-Factor Authentication
What insurers ask: "Is MFA enforced on all remote access, email, and privileged accounts?"
What we document: MFA enrollment reports showing all users, enforcement status by service, and configuration verification — updated quarterly.
Endpoint Detection and Response
What insurers ask: "Do you have EDR deployed on all endpoints with 24/7 monitoring?"
What we document: EDR deployment reports confirming coverage on every workstation and server, plus SOC monitoring summaries showing active threat detection.
Backup and Recovery
What insurers ask: "Are backups encrypted, stored offsite, and regularly tested?"
What we document: Backup configuration verification, encryption status, offsite replication confirmation, and recovery test results with timestamps.
Security Awareness Training
What insurers ask: "Do employees receive regular security awareness training?"
What we document: Training completion certificates for all employees, phishing simulation results and response rates, and policy acknowledgment records.
Email Filtering and Security
What insurers ask: "Do you have email filtering, anti-phishing controls, and email encryption?"
What we document: Email filtering configuration evidence, anti-phishing and anti-spoofing settings, encryption capability verification, and retention policy documentation.
Incident Response Plan
What insurers ask: "Do you have a documented incident response plan?"
What we document: A written incident response plan tailored to your business, including contact procedures, containment steps, notification requirements, and recovery protocols.
"Our company started working with Capstone Technologies Group in early 2020 for IT issues that we were having. Brian has been awesome to work with throughout our time with his business. Anytime we call him for assistance he is always prompt helping solve any problems we may have. If the issues cannot be solved from his office he comes out to our work site. Brian is always very friendly and professional. I would highly recommend his company for any IT issues."
What Your Business Receives
Everything listed here is included in your fixed monthly cost — no add-ons, no tiers, no surprise invoices.
Quarterly Evidence Package
Documented proof of all security controls across six categories — ready for insurance applications, vendor questionnaires, and internal records.
24/7 SOC Monitoring
Around-the-clock threat monitoring with EDR, SIEM, and automated containment — so threats are caught at 2am, not discovered Monday morning.
Encrypted Backups with Tested Recovery
Immutable, encrypted backups with offsite replication and scheduled recovery testing — verified and documented, not assumed.
Help Desk and On-Site Support
One number to call for any IT issue. Remote support for most problems, on-site visits when needed — included in your monthly cost.
Security Awareness Training
Ongoing training with phishing simulations for all employees, with completion tracking and certificates for your records.
Policy Development and Review
Written IT policies covering acceptable use, incident response, data handling, and remote access — developed for your business and reviewed annually.
"Capstone's team is not only highly skilled but also friendly and approachable. From minor troubleshooting tasks to major infrastructure projects like installing Wi-Fi throughout our facility, they have consistently demonstrated professionalism and a genuine commitment to our organization's needs. Their ability to remotely access our systems and promptly resolve issues has streamlined our day-to-day operations, allowing us to focus more on our mission of serving the community."
Frequently Asked Questions
Everything on this page — 24/7 SOC monitoring, EDR on all endpoints, encrypted backups with recovery testing, email security, DNS filtering, patch management, password management, security awareness training, help desk support, on-site visits, policy development, and quarterly evidence packages. There are no tiers and no per-incident charges. The monthly cost is based on the number of users and devices in your environment, and we'll give you the exact number during your assessment.
That's the situation for most SMBs we work with. We implement the controls that insurers require — MFA, EDR, backups, training, email security, incident response — and then document everything in a format you can attach directly to your application. Most clients are application-ready within 60–90 days of onboarding.
Typical onboarding takes 2–4 weeks depending on the size of your environment and what's already in place. We start with an assessment to understand your current setup, then deploy controls in a sequence that minimizes disruption to your daily operations. Most of the work happens in the background — your team's main involvement is enrolling in MFA and completing their first round of training.
In most cases, yes. We'll assess what you have during the initial review and tell you honestly what can stay and what needs to be replaced or upgraded. We don't push unnecessary hardware purchases — if your current equipment supports the security controls we need to deploy, we'll work with it.
Our SOC monitors your environment 24/7, so many issues are caught and contained automatically before you'd even notice. For things that need human intervention — a server issue, a workstation problem — you contact our help desk and we begin working it immediately. After-hours support is included in your monthly cost, not billed separately.
We work with businesses as small as 2–3 people. The controls we deploy aren't enterprise complexity scaled down — they're right-sized for businesses your size and managed entirely by us. You don't need to understand how any of it works. You just need it to work, and you need documentation to prove it when someone asks.
Capstone Technologies Group has been providing managed IT and cybersecurity services to Ohio businesses since 2004. We work exclusively with small and mid-size businesses, and we understand that your IT needs to work reliably, be documented properly, and cost the same amount every month. If that sounds like what you're looking for, let's talk.
Schedule Your IT Assessment
30-minute call to review your current setup, identify gaps, and walk through what a fixed-fee managed IT plan looks like for your business.