Key Takeaways
- Compliance is not paperwork—it’s proof that your business is protected.
- Small businesses are prime targets for automated cyberattacks.
- Basic security controls can prevent the majority of incidents.
- Documentation is critical for protection and accountability.
- A proactive approach is far more effective than reacting after an attack.
- Partnering with experts can significantly reduce overall risk.
From Military Operations to Cybersecurity Advocacy
Edgar Ortiz’s journey into cybersecurity is rooted in his background in military intelligence and aviation, where operational discipline was critical. After transitioning to civilian life and starting his own business, a ransomware attack wiped out everything he had built.
Rather than stepping away, he used that experience as fuel to help other small and medium-sized businesses avoid the same fate. Today, his mission is centered on protection, resilience, and education.
What Compliance Really Means
One of the biggest misconceptions is that compliance is just an annual checkbox exercise. In reality, compliance is about proving that your business is actively protecting sensitive data.
In practical terms, this includes:
- Having a documented password policy.
- Regularly backing up and testing data.
- Monitoring system access.
- Maintaining clear security documentation.
At its core, compliance is simply good operational hygiene backed by documentation—a safety net when things go wrong.
The Dangerous Myth: “We’re Too Small to Be Targeted”
Many owners assume they aren’t attractive targets. Unfortunately, the opposite is true. Hackers often prefer small businesses because security measures are typically weaker and automated attacks scan for easy entry points. With a cyberattack occurring every 39 seconds, no business is too small to be at risk.
Lessons from a Ransomware Disaster
Edgar’s experience highlights a critical truth: most incidents stem from missing basic safeguards. When his attack occurred, the gaps were clear: no multi-factor authentication (MFA), untested backups, and no incident response plan. These foundational controls exist to prevent disasters or, at the very least, minimize the damage.
How Managed IT Services Strengthen Compliance
Working with a managed IT provider can dramatically improve your security posture. The process begins with a vulnerability assessment, followed by implementing essential controls:
- Multi-factor authentication (MFA)
- Zero trust access controls
- Regular patching and updates
- Endpoint protection and monitoring
Building a Strong Foundation
The first step in any compliance journey is understanding your current environment. This includes evaluating your infrastructure, understanding personnel workflows, and identifying risks. A thorough assessment provides the roadmap for implementing effective security strategies.
Frequently Asked Questions
1. What is compliance in simple terms?
Compliance means having documented processes and safeguards in place to protect sensitive business and customer data.
2. Why are small businesses targeted by hackers?
Because they often lack strong security measures, making them easier and more profitable targets for automated tools.
3. What are the most important first steps?
Start with MFA, secure backups, access control, and documented policies.
4. Is compliance only for large companies?
No. Any business handling sensitive data—regardless of size—needs to follow compliance best practices.
5. What happens if a business is non-compliant during a breach?
It can lead to legal consequences, heavy financial loss, and permanent reputational damage. Ignorance is not a legal defense.
6. How can a managed IT provider help?
They assess your systems, implement controls, monitor threats, and ensure your business stays compliant as regulations evolve.
Full Transcript
Mike Downer: Hi, I’m Mike Downer, and I am your host today. I’m here with Edgar. Edgar Ortiz is the owner of CMIT Solutions of Des Moines. So Edgar, tell us a little bit about yourself, your background, and how you got into all this.
Edgar Ortiz: Yes, I’m Edgar Ortiz with CMIT Solutions of Des Moines. We are a managed IT provider and a cybersecurity and AI implementation company. We help small to medium-sized businesses with IT, cybersecurity, and now AI implementation.
How I came about all this was through operations and intelligence work in the military, and also aviation—pretty much working with systems and operational backgrounds for intelligence and aviation. I did a lot on the IT side in the military. Then when I got out, I worked for the government for a little bit in operations, and then I opened my own small business.
Unfortunately, we did have an attack where we pretty much lost everything. Like many small businesses, we don’t think about that. We think because we’re small, we’re not going to get hacked, or hackers are not looking for us. Boy, I was wrong about that. That is the reason we are here now—trying to help small and medium-sized businesses not go through what we went through.
Mike Downer: So it sounds like you’re a pretty resilient guy. Instead of just folding it up and going to work for somebody else, you decided to take charge of it and help other people not have to suffer what you went through.
Edgar Ortiz: Yeah, definitely. Just trying to help other small and medium-sized business owners understand what is out there right now and the threats we are all facing—especially now with AI increasing cyberattacks tenfold.
We’re not only here to help you connect your computer to the internet, connect your computer to your printer, or fix a blue screen. We’re here to protect your business and give you peace of mind so you can do what you do best—run your business and gain new clients in whatever sector you’re in.
That’s the reason we are here. We have a mission. The same mission we had in the military is how we treat our operations now. We are here to help people be in the best spot and not worry about cyberattacks.
The problem is we sometimes don’t worry about it because we don’t feel it or see it. We think, “I only have two computers, three computers, maybe five people in my office.” But yes, it can happen to you—and it happens every thirty-nine seconds in this country.
Mike Downer: Wow, that’s a lot—every thirty-nine seconds. Now that we know a little about your background and what you guys do, I think we should get started.
What I wanted to talk to you about today was why compliance is now mission-critical for a small business. Edgar, when you talk about compliance today, what does that actually mean for a small business in practical terms?
Edgar Ortiz: Definitely. Compliance isn’t a stack of paper or a checkbox you hand to your accountant once a year. For small businesses, compliance in practical terms means: do you have documented proof that you are protecting your customer data, your employees’ data, and your information? As a business owner, do you know who is in your system and who is using it?
That means things like:
- Do you have a written password policy?
- Are you backing up your data and testing those backups?
- Do you know who is accessing and using your network?
Compliance is really just good operational hygiene with documentation behind it. The documentation is what protects you when something goes wrong—and believe me, something eventually will. That’s what compliance is about: protecting you from something coming in the future.
Mike Downer: In your experience, what’s the biggest misconception business owners have about compliance—especially being too small to matter?
Edgar Ortiz: That’s a great question. The number one thing I hear is, “I’m too small. Nobody is coming after me.” That is exactly backwards. Hackers love small businesses because they assume you are not protected.
Automation and AI-driven attacks don’t discriminate by revenue size. They don’t care how many people you have. They scan millions of addresses looking for an easy door. If you process credit cards, have health information, or handle sensitive data, you need compliance.
Ignorance of requirements is not going to defend you when a breach happens. Telling a judge, “I didn’t know, I’m too small,” is not going to fly. Ignorance is not a defense.
Mike Downer: Kind of like speeding. If you’re going 55 in a 35 and say you didn’t know, you still get a ticket.
Edgar Ortiz: Exactly.
Mike Downer: You personally lived through a ransomware disaster. How did compliance gaps contribute to that in your case?
Edgar Ortiz: That experience was a turning point for me professionally and personally. The gaps weren’t technical mysteries—they were basic controls that weren’t implemented or documented.
We didn’t have:
- Proper multi-factor authentication
- Tested backups
- A clear incident response plan
When things went sideways, people panicked instead of executing. Compliance frameworks exist because smart people—regulators, insurers, and security experts—identified what prevents disaster or limits damage.
When you skip those steps, you’re not just non-compliant—you’re exposed. I lived that lesson the worst possible way. I lost everything. That’s why I do what I do now.
Mike Downer: Since you’ve lived it and started from ground zero, how does having a managed services partner like CMIT change the compliance equation?
Edgar Ortiz: When we onboard a new client, we start with the unglamorous fundamentals where most risk lives:
- Multi-factor authentication everywhere
- Zero trust access controls
- Patch management and updates
- Backup integrity and testing
- Endpoint protection with real monitoring
- Documented security policies
Those basics alone put small businesses ahead of most peers. Then everything builds from that foundation. You can build with confidence.
Mike Downer: If a business owner reaches out, what are the first compliance controls you put in place?
Edgar Ortiz: First, we complete an assessment. We ask a lot of questions and deploy an agent for about 24 hours. That generates a report showing what we discover in your system.
Then we:
- Understand your business
- Walk through your environment
- Learn your people and processes
From there, we handle the IT and security. It starts with a thorough assessment.
Mike Downer: To sum it up, no business is too small. In fact, smaller businesses may be more susceptible.
Edgar Ortiz: Exactly.
Mike Downer: Is there anything you’d like to conclude with before we sign off?
Edgar Ortiz: Thank you to everyone watching. This is new for us, and we’ll be here a couple times a month to talk directly with you. We’re here in Des Moines and also Overland Park, Kansas. We cover the Midwest.
We’re different not because we have better tools, but because we went through it. We know what you’re going through as a business owner, and we’re here to protect you, your organization, and your family.
Mike Downer: Edgar, thank you for your time today. Next week we’ll get together and learn more. See you next week. Thank you very much.
Edgar Ortiz: Thank you.