From Reactive to Resilient - A small business case study

CASE STUDY
From Reactive to Resilient: IT Risk Assessment for a Specialty Trade Subcontractor
Engagement Type: IT Assessment  |  Industry: Specialty Construction (Subcontractor)  |  Organization Size: ~10 employees

24+  |  Findings Documented
18  |  Recommendations Delivered
$50K–$500K+  |  Estimated Annual IT Exposure at Time of Engagement
 
The Situation
Stone Brook Solutions was engaged by a family-owned specialty trade subcontractor operating in the commercial and residential construction market. The organization employed approximately ten people across office and field roles, with a mobile workforce dependent on smartphones and tablets to receive plans, communicate with prime contractors, and manage daily operations.
The company had never engaged a managed IT provider. Technology decisions had been made reactively over several years — adding tools as needs arose, renewing subscriptions without review, and relying on a consumer-grade support arrangement at roughly $200 per year. The engagement was initiated by ownership in response to two concerns: a vague but growing awareness that the company's IT posture was inadequate, and a specific worry about what would happen to system access if a key employee departed.
What the assessment revealed went significantly beyond the stated concern.
 
What We Found
Stone Brook Solutions conducted a full IT assessment covering seven domains: Infrastructure & Network, Security & Compliance, End-User Computing, Cloud & SaaS, Business Applications, IT Governance & Support, and IT Staff & Competency. Source materials included a structured discovery worksheet, financial data, network equipment photos, and mobile account records.
 
Finding  |  Business Risk  |  Priority
No perimeter firewall  |  Every device on the network reachable from the open internet with no barrier  |  CRITICAL
No multi-factor authentication on any system  |  Stolen or phished passwords give attackers full account access with no second factor to stop them  |  CRITICAL
Consumer Microsoft 365 license (Family) used for business  |  Terms-of-service violation; no admin console, no email threat protection, no device management  |  CRITICAL
Email hosted on consumer GoDaddy plan  |  No phishing or business email compromise (BEC) filtering; construction firms are high-value BEC targets  |  CRITICAL
Manual, untested backup on local external drives  |  No protection against ransomware, fire, or theft; no verified recovery capability  |  CRITICAL
Cyber insurance cap: $10,000  |  Typical ransomware incident costs $50K–$500K; coverage provides no meaningful protection  |  HIGH
No managed IT provider or documented IT support  |  Security controls will degrade without active monitoring and maintenance  |  CRITICAL
Unmanaged NETGEAR switch (8-port, all ports used)  |  Network segmentation is impossible; a guest device has the same access as the accounting workstation  |  HIGH
No mobile device management (MDM) for 7 company devices  |  Lost or stolen phones cannot be remotely wiped; company email and documents remain accessible  |  HIGH
Accounting system on a single workstation (QuickBooks Desktop)  |  One hardware failure or ransomware event takes the accounting system offline with no failover  |  HIGH
No documented IT policies or offboarding procedure  |  Departing employees retain system access until it is manually discovered and revoked — inconsistently  |  HIGH
Paper-based field time tracking  |  No audit trail; payroll accuracy depends entirely on manual entry and verbal confirmation  |  MEDIUM
 
A Note on Risk Concentration
Five of the twelve primary findings were rated CRITICAL — a concentration that is uncommon even by small-business standards. The combination of no firewall, no MFA, no managed backup, consumer email hosting, and no IT provider meant that a single successful phishing email or ransomware payload would have encountered no technical control, no monitoring, and no tested recovery path. The company's effective cyber insurance coverage for such an event was $10,000 against an exposure floor of $50,000 or more.
 
What We Delivered
Stone Brook Solutions produced a two-document deliverable package: a full IT Assessment Findings & Recommendations report and a standalone Recommendations Risk & Benefit Summary formatted as a decision tool for ownership review.
Eighteen recommendations were organized across three implementation phases:
 
PHASE 1 — Security Foundation
Target: 90 days  |  8 recommendations
Firewall, MSP, M365 Business Premium migration, cloud backup, MFA, password manager, device encryption, cyber insurance upgrade
Est. one-time: $3,300–$6,500  |  Est. ongoing: $800–$1,650/mo
PHASE 2 — Operational Modernization
Q4 2026 – Q1 2027  |  8 recommendations
MDM, security training, IT policies, asset inventory, disaster recovery, WiFi segmentation, cloud accounting, digital time tracking
Est. one-time: $2,000–$4,000  |  Add'l ongoing: $150–$300/mo
PHASE 3 — Strategic Enablement
2027+  |  2 recommendations
Construction management platform evaluation, formal IT budget and governance framework
Add'l ongoing: $400–$800/mo
 
Engagement Value
The assessment gave ownership a complete, prioritized picture of risk — many items of which were previously unknown to them. Several findings had direct financial consequences that became apparent through the assessment process:
 
5 of 12  |  Primary findings rated CRITICAL
$10K  |  Cyber insurance cap (vs. $50K–$500K+ exposure)
0  |  Verified backup restores on file
~$200/yr  |  IT support spend at time of engagement
 
Phase 1 delivered a concrete, sequenced action plan that addressed the five CRITICAL gaps in a single 90-day window — with clear cost ranges, vendor selection criteria, and a rationale for each item written in business language, not technical specifications. The Recommendations Risk & Benefit Summary gave ownership a standalone document to review independently, share with an accountant or insurance broker, and use as a vendor briefing tool during MSP selection.
The engagement also documented a path to prime contractor security prequalification — a growing requirement for specialty subcontractors seeking access to larger commercial projects.
 
About Stone Brook Solutions
Stone Brook Solutions is an executive IT consulting firm serving middle-market and growth-stage businesses. We specialize in IT assessments, strategic advisory, and managed IT program design for organizations that need enterprise-grade thinking without enterprise-scale overhead. Our engagements are designed to produce actionable, defensible deliverables — not lengthy reports that sit on a shelf.
richard.ferrara@stonebrooksolutions.com   |   www.stonebrooksolutions.com
 
Stone Brook Solutions engages a limited number of clients per quarter. IT assessments are available on a fixed-fee basis. Contact us to discuss your engagement.