Updated April 9, 2025
In this interview, Kenneth Ellington, a cyber threat hunter and founder of Ellington Cyber Academy, tackles one of the biggest concerns for mid-market and small businesses: securing their organizations with limited cybersecurity resources. It’s a high-stakes game, and the threats are constantly evolving. Kenneth gives realistic options for companies with minimal security staff to keep their business and data protected.
Cybersecurity, it's probably one of the most fast-evolving and high-stakes industries out there. For you, what was the ‘aha’ moment that made you say, this is my calling? Was there a specific breach, attack, or experience that made you want to get into this career?
Kenneth Ellington (00:58): Initially, I never wanted to do this because I thought it would be boring. Honestly, it happened by chance. My dad, a software engineer for nearly 29 years, pushed my brother and me toward cybersecurity or technology in general. After earning my associate's degree at Hillburg Community College, I transferred to USF in Tampa. From there, I focused on a niche area for better job prospects after graduation, following my dad’s suggestion.
Funny story—I met my cybersecurity executive at Publix Supermarket. If you’ve lived in the South, you know it's the go-to place to shop. I was surprised to learn they had a cybersecurity division. He gave me an opportunity to work in a SOC environment, and I did everything he asked. Nine months later, I got an interview, landed the job, and realized my passion for cybersecurity. I enjoy learning, even the hard stuff. From there, I kept going and eventually reached this point.
So today, common threats like ransomware, what other things right now are emerging or frequently overlooked that are security risks for small and mid-size businesses, especially ones that might not have the funds to hire extraordinarily large teams?
Kenneth Ellington (02:44): I would say phishing is probably still the biggest vertical. So basically it's where an attacker will send a malicious attachment or link or an email towards a corporation. It could be small, medium-sized businesses and they use it to either download malware, steal credentials, or put ransomware on someone's machine, encrypting files. So that's still probably the biggest attack vector for I think all industries and all firms for the most part. So having proper assistance in place to prevent that would be beneficial for those firms.
Are phishing scams more cultural where people have to look out for it or are they also technical as well?
Kenneth Ellington (03:25): I’d say it’s a bit of both. From a cultural and human standpoint, people get busy, and when we’re busy, we make mistakes. Tech exploits this by playing a numbers game, tricking people through sheer volume. I once fell for a phishing email at my own company because I was too busy to pay attention—despite my job being to prevent these things. If it can happen to me, it can happen to anyone.
That’s why training and corporate buy-in are crucial. Employees need to understand the consequences of mistakes, but many firms approach security as a “gotcha” moment, making people hesitant to click anything, which creates other issues. Security should involve everyone in the company, from people to processes to technology. The human element is the most critical—no matter how advanced your firm’s tech is, security falls apart if the people aspect isn’t addressed.
Build a Team From Within or Outsource Your Cyber Needs?
For growing small firms, based on your experience, is it difficult to hire and train cybersecurity professionals, or are there alternative options in the early stages?
Kenneth Ellington (04:56): From a small business standpoint, finding a cybersecurity professional is incredibly difficult, primarily due to cost. Specialists charge high fees—often around $90 an hour for niche expertise—making them unaffordable for many. Typically, businesses rely on an IT person, if they even have one, who manages everything from servers and websites to payment processing. Adding cybersecurity responsibilities can be overwhelming, especially since not all IT professionals specialize in security.
To address this, many firms hire a Managed Security Services Provider (MSSP) like ReliaQuest, CrowdStrike, Deepwatch, or Expel. These companies have dedicated cybersecurity teams and offer support for a set fee. Instead of hiring multiple expensive security professionals—such as engineers, SOC analysts, and penetration testers, which could exceed $500,000—businesses can pay around $60,000 for full security management, making it a much more viable option.
Since outsourcing provides access to security experts, and you've mentioned penetration testing as a high-ROI service, are there other cybersecurity functions you’d recommend outsourcing over handling in-house?
Kenneth Ellington (06:45): Businesses typically outsource non-essential functions. For most small firms, cybersecurity isn’t a core focus unless they specialize in it, like we do. In that case, much of it is handled in-house.
For a small business—say, a local bakery with five locations in the DMV area—it may not make sense to hire and train a full-time cybersecurity professional. Instead, outsourcing to a firm dedicated to security is often the better option. However, for a large, rapidly growing company, building an in-house cybersecurity team might be worth considering. It all depends on the business’s size and needs.
So for example, should organizations with resource constraints, if they wanted to implement a risk-based patch management strategy to cover some of the critical vulnerabilities, keep an in-house team, outsource, or use one of the people you spoke about?
Kenneth Ellington (07:53): It depends. There are tools like Nessus Tenable for vulnerability management and Atomic Red Team for attack simulations, but without someone experienced, you could waste time, money, and energy. That’s why I usually advise businesses below a certain revenue threshold to outsource cybersecurity until they can hire or bring in a part-time specialist. It’s a more efficient approach.
I was just at a summit and people don't think they can get hacked until they do, and there was a story that was told where the hackers got into their system and deleted all their backups. For 72 hours their site was down, and this company did not have an incident response plan, and that caused some significant issues. One thing I was going to ask you is, what would you include in an incident response plan that makes it practical and actionable?
Kenneth Ellington (09:17): Most small businesses don’t have a cybersecurity plan or even know what one is, which is a major issue. The worst time to plan for a disaster—whether a fire or a flood—is when it’s already happening, and you’re trying to escape. That’s when people realize they should have planned ahead. Unfortunately, this is exactly what happens with cybersecurity. That’s why over 50% of small businesses that suffer cyberattacks shut down within a couple of years—they simply can’t afford to recover due to a lack of preparation.
At a bare minimum, businesses need to identify their critical assets—the key functions necessary for generating revenue. Since budgets are limited, you can’t protect everything, so prioritization is essential. This is where basic risk management principles come in—understanding threats and vulnerabilities.
For example, think about a car. The tires could be shot out, but how likely is that? Not very. A more realistic threat is hitting a pothole. So, in cybersecurity, you assess risks similarly—evaluating the likelihood of a threat and its potential impact. You then assign a risk score to help prioritize protections. Having a structured method for this assessment is crucial.
You can find risk assessment frameworks online, or I can help guide you through one. Once you identify risks, work backward to determine what needs protection, plan for worst-case scenarios, and simulate responses. For small businesses, running a tabletop exercise quarterly or bi-annually is a practical approach.
If there’s a cyberattack, fire, flood, earthquake, or system failure, do you have response plans in place? Running through these scenarios—whether with an in-house team or an MSSP—ensures preparedness. Your security provider should help develop a plan and offer training to keep your business resilient.
That's great advice. If they don't have an incident response, and let's say tomorrow they get hacked, what's the first thing they should do and what's the biggest mistake some companies make in this scenario?
Kenneth Ellington (11:55): First, pray—you’re going to need it. Second, if you don’t have a plan, at least have the contact information of someone who can help. Every minute and hour is critical in these situations.
Once you find a professional—whether through a referral or an online search—you likely won’t have time to do a deep dive into their background or compare pricing. When your house is on fire, your priority is escaping safely, not shopping around for the best deal. Because of this urgency, you’ll likely be overcharged since you’re not negotiating from a position of strength. Understand that going in.
From there, work with the professional to address the issue. Be cooperative—many people waste valuable time arguing, but if your house is on fire, debating with the firefighter won’t help. You hired them for a reason, so trust the process.
Once the situation is under control, you can assess the damage and create a plan to move forward.
If you had a magic wand and could instantly fix one major weakness that most businesses suffer from, what would it be? And then why do companies get it so wrong?
Kenneth Ellington (13:44): I’d probably say documentation is my biggest pet peeve. I really don’t like repeating myself or doing things twice. In particular, technology and security professionals are often very poor when it comes to maintaining documentation. Most firms I’ve worked with have very little—if any—good documentation. Even large firms you might shop at don’t do a great job of this, and it’s something that affects day-to-day operations.
The issue is this: let’s say Sergei is the senior person, and you, as the lead, get hired by Google and take a $500,000 offer. That’s great for you, but if you didn’t document your work, I now have to figure everything out on my own, on top of my regular duties. This leads to gaps in our systems, which is very common. Gaps lead to mistakes, and mistakes can eventually result in attacks, which costs the company money—and potentially gets people fired.
So, being able to document your processes and make them repeatable is crucial. It saves a lot of time and makes your day-to-day work much more efficient.
What's the one app on your phone that you can't live without?
Kenneth Ellington (15:16): Probably CBS sports.
Who's your team?
Kenneth Ellington (15:20): The Buccaneers. Tampa Bay.
Do you listen to any podcasts? And if you do, what is your go-to podcast?
Kenneth Ellington (15:43): I have to go back to sports, Get Up with Mike Greenberg in the morning.
If you didn't have your career in cybersecurity, what would you be doing?
Kenneth Ellington (15:58): Funny enough, I'd be a chef.
Favorite cuisine?
Kenneth Ellington (16:04): Probably Jamaican food because my family is from Jamaica. So beans and rice, coco bread, jerk chicken, jerk salmon, rum cake...
Kenneth Ellington is a cybersecurity instructor and cyber threat hunter. He helps cybersecurity professionals and organizations strengthen defenses, build teams, and advance careers.
Interviewed by: Sergei Dubograev, Senior Vice President of Development at Clutch