Our Security Standards

No ROI Technology client has ever suffered a successful ransomware incident: $0 in ransomware losses across our entire client base. Our security philosophy is infrastructure-level defense: Cloudflare WAF, endpoint detection and response, dark web monitoring, security awareness training, and MFA everywhere. We do not blindly rely on security tools to keep our clients safe; we take a defense-in-depth approach in which every layer of the environment is measured against our best-practice security standards checklist.

Security Is Not a Product. It Is a Practice.

Most IT providers sell security as an add-on. Buy this firewall. Install this plugin. Subscribe to this tool. Then they move on to the next ticket.

That approach fails because security is not a thing you buy. It is a discipline you maintain every single day. A firewall that nobody monitors is a decoration. A backup that nobody tests is a hope. An antivirus that nobody updates is a liability.

At ROI Technology, security is not a line item. It is the foundation everything else is built on. Every decision we make starts with: "Does this reduce attack surface or increase it?"

Why We Do Not Use WordPress Security Plugins

Every plugin is attack surface

WordPress plugins run PHP code on your server. Every plugin is another codebase that could contain vulnerabilities, another update to track, and another potential entry point. Wordfence alone adds over 50,000 lines of code.

Plugin security is the wrong layer

WordPress security plugins operate inside WordPress itself. An attacker who reaches your WordPress application has already bypassed your real defenses. Application-level security is like locking your bedroom door after someone is already in your house.

Our Approach: Infrastructure-Level Defense

Instead of plugins, we secure at the infrastructure level. The result: zero WordPress security plugins, smaller attack surface, faster performance, better security.

Cloudflare WAF

Malicious traffic blocked at the edge before it reaches the server. WordPress never sees the attack.

XML-RPC Disabled

Blocked at Cloudflare, not with a plugin. The request never reaches the server.

REST API Hardened

User enumeration endpoints disabled. Only endpoints that are intentionally needed are exposed.

CSP with Nonces

Every script must be explicitly authorized. Injected scripts are blocked by the browser.

File Editor Disabled

Even with admin access, code cannot be modified through the WordPress interface.

Author Archives Redirected

Prevents username enumeration through default WordPress author archive URLs.

Version Stripped

WordPress version removed from HTML, RSS feeds, and HTTP headers to prevent fingerprinting.

wp-config.php Protected

The most sensitive file is stored above the web root, outside the publicly accessible directory.
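The items above map to a handful of WordPress hooks and constants. The must-use plugin below is an added example, not ROI Technology's code; it implements the in-application pieces (file editor off, version stripped, REST user endpoints removed, author archives redirected, and a CSP with a per-request nonce). The Cloudflare WAF and XML-RPC rules remain edge-side, as the page describes, and the `example_` function name and header values here are assumptions. The `wp_inline_script_attributes` filter requires WordPress 5.7 or later.

```php
<?php
/**
 * Plugin Name: Example WordPress hardening (added example, not the page's own code)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and cannot be
 * deactivated from the dashboard.
 */

// File Editor Disabled: no theme/plugin editing from the dashboard, even as admin.
// (Commonly set in wp-config.php; defined here if it is not already.)
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Version Stripped: remove the generator tag from <head> and from feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// XML-RPC is blocked at the edge per the page; refusing it in PHP as well costs
// nothing and covers a misconfigured edge rule.
add_filter('xmlrpc_enabled', '__return_false');

// REST API Hardened: drop the user-listing endpoints used for username enumeration.
add_filter('rest_endpoints', function (array $endpoints): array {
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// Author Archives Redirected: send ?author=N and /author/name/ to the home page.
// Priority 1 runs before redirect_canonical (priority 10), which would otherwise
// rewrite ?author=1 to /author/<username>/ and leak the login name in the Location header.
add_action('template_redirect', function (): void {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// CSP with Nonces: one random nonce per request, shared by the header and every script tag.
function example_csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16)); // 128 bits of CSPRNG output
    }
    return $nonce;
}

add_action('send_headers', function (): void {
    $nonce = example_csp_nonce();
    // 'strict-dynamic' lets nonced scripts load their own dependencies; anything
    // injected into the page without the nonce is refused by the browser.
    header("Content-Security-Policy: script-src 'nonce-{$nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'self'");
});

// Attach the nonce to scripts WordPress enqueues...
add_filter('script_loader_tag', function (string $tag, string $handle, string $src): string {
    $nonce = esc_attr(example_csp_nonce());
    return str_replace('<script ', "<script nonce=\"{$nonce}\" ", $tag);
}, 10, 3);

// ...and to inline scripts WordPress emits itself (wp_add_inline_script, wp_localize_script).
add_filter('wp_inline_script_attributes', function (array $attributes): array {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
});
```

Expect breakage on first deployment: any theme or plugin that prints its own `<script>` without going through the WordPress script API will be blocked by the policy, which is exactly the behaviour the nonce is meant to enforce. Roll it out with `Content-Security-Policy-Report-Only` first and switch the header name once the console is clean.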

Our Security Standards Checklist

Every client environment is measured against this checklist. This is not a one-time audit. It is a living standard verified continuously.

Endpoint Protection

  1. EDR deployed on every workstation, laptop, and server
  2. Real-time threat detection with automated isolation
  3. Application whitelisting on critical systems
  4. USB device control policies enforced
  5. Full-disk encryption on all portable devices

Patch Management

  1. OS patches deployed within 72 hours
  2. Third-party patches deployed within 7 days
  3. Firmware updates tracked on network equipment
  4. Monthly compliance reporting with exceptions
  5. Zero-day patches deployed within 24 hours

Access Controls

  1. MFA enforced on every account, no exceptions
  2. Principle of least privilege on all accounts
  3. Admin accounts separated from daily-use accounts
  4. Offboarding within 4 hours of departure
  5. 14+ character password policy, no reuse

Backup & Recovery

  1. Daily automated backups of all critical data
  2. Geographically separate backup storage
  3. Monthly restore tests with documented results
  4. RTO defined and tested
  5. RPO of 24 hours or less

Monitoring & Response

  1. 24/7/365 monitoring of all endpoints and network
  2. Dark web monitoring for compromised credentials
  3. SIEM log aggregation
  4. Incident response plan tested annually
  5. Quarterly security awareness training

Client Infrastructure Security

When you become a managed IT client, we deploy a comprehensive security stack across your environment. This is not optional. It is the baseline.

Endpoint Protection

Every device gets EDR — not just traditional antivirus. EDR monitors behavior patterns, detects ransomware in progress, and stops lateral movement before it spreads across your network.

Patch Management

Unpatched software is the number one attack vector for small businesses. We automate patches for Windows, macOS, and 200+ third-party applications. Target: 95% deployed within 72 hours.

Dark Web Monitoring

Continuous scanning of dark web forums, paste sites, and breach databases for your credentials. When we find a match, we force a password reset before the attacker uses it.

Security Awareness Training

Quarterly training covering phishing, social engineering, password hygiene, and physical security. We run simulated phishing campaigns to measure and improve your team.

MFA Everywhere

Multi-factor authentication is not negotiable. Every account that supports MFA gets MFA. Email, VPN, cloud apps, admin panels — everything. MFA blocks 99.9% of automated attacks.

Zero Successful Ransomware Incidents

Attackers try constantly — phishing, exploit kits, credential stuffing. None have ever succeeded in deploying ransomware against a client we manage. $0 in ransomware losses across our entire client base since 2014.

This is not luck. It is the result of layered defense:

  1. Email filtering catches 99%+ of phishing attempts before they reach inboxes
  2. Security awareness training teaches employees to recognize the 1% that gets through
  3. EDR detects and isolates ransomware behavior even after a click
  4. MFA prevents stolen credentials from deploying ransomware remotely
  5. Patch management closes the vulnerabilities ransomware exploits
  6. Network segmentation limits lateral movement if a single endpoint is compromised
  7. Verified backups mean data is recoverable without paying a ransom

Each layer is a safety net. An attacker must bypass every single one to succeed. That has not happened. We work every day to keep it that way.

Compliance Support

We implement and maintain the technical controls that compliance frameworks require, and document everything for your auditors.

HIPAA

Business Associate Agreements, encrypted communications, access logging, breach notification procedures. Supporting dental practices, clinics, and healthcare providers across Western Washington.

SOC 2

Security, availability, and confidentiality controls. Access management, change management, monitoring, and incident response documentation.

FERPA

Student data protection, access controls for educational records, vendor agreements, data retention and destruction policies.

SEC/FINRA

Cybersecurity risk assessments, records preservation, business continuity planning, vendor due diligence, customer data protection.

PCI DSS

Cardholder data segmentation, access controls, encryption, vulnerability scanning, penetration testing support.

ROI Technology Security by the Numbers

$0 Ransomware Losses
25 Security Checklist Items
72 hrs Patch Deployment Target
24/7 Security Monitoring

Talk to Us About Your Security

Whether you are concerned about a specific threat, preparing for a compliance audit, or want to understand where your vulnerabilities are, we are here.

Our Security Standards

Security at ROI Technology is not a product we sell on top of our services. It is the foundation everything else is built on. Every client gets the same security baseline — no tiers, no “basic” packages, no optional add-ons. We build environments that are defensible by default, and we enforce standards without exception.

This page describes how we approach security for the businesses we manage. If you want to understand what your IT provider should be doing — and whether they actually are — this is a good place to start.

Zero-Trust Architecture

We do not trust any device, user, or application by default — even inside your network. Every access request is verified against identity, device health, location, and context. A compromised workstation on your network cannot reach your file server just because it is on the same subnet. This model eliminates the “hard outside, soft inside” approach that most small business networks still use.

Infrastructure-Level Defense

We do not rely on a single product or software layer to keep you safe. Security is implemented across your entire infrastructure — firewalls with active threat intelligence, network segmentation, DNS filtering, endpoint detection and response, and identity management. A layered defense means that if any single control fails, the next one catches it. This is the difference between “we have antivirus” and “we have a security posture.”

Network Segmentation & Access Control

Your guest Wi-Fi, employee workstations, servers, and IoT devices should never share the same network. We segment your network so that a compromised device in one zone cannot reach resources in another. Access controls are enforced at every boundary — between network zones, between cloud applications, and between on-premises and remote access paths. We review and tighten these controls continuously.

Multi-Factor Authentication Everywhere

MFA is enforced on every account — email, VPN, cloud applications, admin portals, remote access tools. No exceptions. Compromised passwords are the leading attack vector, and MFA stops the vast majority of credential-based attacks. We use phishing-resistant MFA methods wherever supported.

Endpoint Protection

Every managed workstation and server runs next-generation endpoint protection with behavioral analysis and endpoint detection and response (EDR). Signature-based antivirus alone has not been sufficient for years. Our endpoint tools detect suspicious behavior, isolate compromised machines, and alert our team in real time.

Email Security

Email is the primary attack vector for business email compromise, phishing, and malware delivery. We secure email at every layer — from filtering and authentication to encryption-in-transit and continuous monitoring.

Threat filtering. Advanced email filtering with impersonation detection, attachment sandboxing, and malicious link rewriting. Threats are neutralized before they reach your inbox.

Authentication (SPF, DKIM, DMARC). We configure SPF records to authorize which servers can send on your behalf, DKIM to digitally sign your outbound mail so recipients can verify it has not been tampered with, and DMARC policies that tell receiving servers to reject spoofed messages — not just flag them. Together, these prevent attackers from impersonating your domain.

Encryption in transit (MTA-STS, DANE). Authentication stops spoofing, but it does not guarantee your email is encrypted on the wire. We deploy MTA-STS and DANE to enforce TLS encryption between mail servers, preventing man-in-the-middle interception and downgrade attacks. Without these, a determined attacker between your server and your recipient’s server could read your messages in plain text — even if both sides support encryption.

Reporting and monitoring (TLS-RPT, DMARC reports). Configuring security records is not enough — you need to know when something fails. We configure TLS-RPT so your domain receives daily reports from external mail servers about any TLS connection failures or encryption problems encountered during delivery. Combined with DMARC aggregate reports, we have continuous visibility into authentication failures, delivery issues, and potential abuse of your domain. We monitor these reports actively, not just collect them.

Forwarding integrity (ARC). When your email is legitimately forwarded — through mailing lists, shared mailboxes, or multi-hop routing — SPF and DKIM checks can break, causing valid messages to be rejected. We implement ARC (Authenticated Received Chain) to preserve authentication results across forwarding hops, so your email stays trusted even when it takes an indirect path.
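The records described above are all plain DNS TXT entries, so their weak and strong forms can be checked mechanically. The script below is an added example, not ROI Technology's tooling; it evaluates constructed SPF, DMARC, MTA-STS and TLS-RPT records for two hypothetical domains (one hardened, one weak) and reports what each one fails to enforce. The `SAMPLE_RECORDS` table, domain names and check thresholds are assumptions; to run it against a live domain, replace `lookupTxt()` with a `dns_get_record($name, DNS_TXT)` call. One caveat worth keeping in mind: the MTA-STS and TLS-RPT records a domain publishes govern how other servers deliver mail to that domain; mail it sends is protected only when the recipient's domain publishes the same records and the sending server honours them. DANE (TLSA records) is not covered here because it also requires a DNSSEC-signed zone.

```php
<?php
// Added example (not the page's own code). Requires PHP 8.0+ for str_contains and friends.

// Constructed sample records for two hypothetical domains.
const SAMPLE_RECORDS = [
    // Hardened domain: hard-fail SPF, DMARC reject with reporting, MTA-STS, TLS-RPT.
    'example.com'            => ['v=spf1 include:_spf.mail.example ip4:203.0.113.10 -all'],
    '_dmarc.example.com'     => ['v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100'],
    '_mta-sts.example.com'   => ['v=STSv1; id=20240101T000000'],
    '_smtp._tls.example.com' => ['v=TLSRPTv1; rua=mailto:tlsrpt@example.com'],
    // Weak domain: soft-fail SPF, monitor-only DMARC, nothing else.
    'weak.example'           => ['v=spf1 include:_spf.mail.example ~all'],
    '_dmarc.weak.example'    => ['v=DMARC1; p=none'],
];

// Offline stand-in for a DNS TXT lookup.
function lookupTxt(string $name): array {
    return SAMPLE_RECORDS[$name] ?? [];
}

// Parse "k=v; k=v" tag-value records (DMARC, MTA-STS, TLS-RPT) into an associative array.
function parseTags(string $record): array {
    $tags = [];
    foreach (explode(';', $record) as $part) {
        $part = trim($part);
        if ($part === '' || !str_contains($part, '=')) {
            continue;
        }
        [$k, $v] = explode('=', $part, 2);
        $tags[trim($k)] = trim($v);
    }
    return $tags;
}

// Return a list of findings; an empty list means every check passed.
function checkDomain(string $domain): array {
    $findings = [];

    // SPF: must exist and end in -all so unauthorised senders are rejected, not just marked.
    $spf = array_values(array_filter(lookupTxt($domain), fn($r) => str_starts_with($r, 'v=spf1')));
    if (!$spf) {
        $findings[] = 'SPF: no record';
    } elseif (!str_ends_with(trim($spf[0]), '-all')) {
        $findings[] = 'SPF: not hard-fail (-all); spoofed mail is only soft-failed';
    }

    // DMARC: policy must be reject, and aggregate reports must have somewhere to go.
    $dmarc = lookupTxt("_dmarc.$domain");
    if (!$dmarc) {
        $findings[] = 'DMARC: no record';
    } else {
        $t = parseTags($dmarc[0]);
        $p = $t['p'] ?? 'none';
        if ($p !== 'reject') {
            $findings[] = "DMARC: p=$p; spoofed mail is not rejected";
        }
        if (empty($t['rua'])) {
            $findings[] = 'DMARC: no rua=; aggregate reports are not collected';
        }
    }

    // MTA-STS: the TXT record tells senders to fetch https://mta-sts.<domain>/.well-known/mta-sts.txt
    // and refuse unencrypted delivery when that policy says mode: enforce.
    if (!lookupTxt("_mta-sts.$domain")) {
        $findings[] = 'MTA-STS: no record; sending servers will not enforce TLS to this domain';
    }

    // TLS-RPT: without a reporting address, TLS failures on inbound delivery are invisible.
    $tlsrpt = lookupTxt("_smtp._tls.$domain");
    if (!$tlsrpt || empty(parseTags($tlsrpt[0])['rua'])) {
        $findings[] = 'TLS-RPT: no reporting address; TLS failures go unreported';
    }

    return $findings;
}

foreach (['example.com', 'weak.example'] as $d) {
    $findings = checkDomain($d);
    echo "$d:\n";
    if (!$findings) {
        echo "  all checks passed\n";
    }
    foreach ($findings as $line) {
        echo "  - $line\n";
    }
}
```

The hardened domain produces no findings; the weak one is reported for soft-fail SPF, `p=none`, a missing `rua=`, and the absent MTA-STS and TLS-RPT records. A check like this belongs in the same continuous verification the page describes for its checklist, since a DMARC policy that quietly drifts back to `p=none` is indistinguishable from no policy at all.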

DNS Filtering

Malicious domains are blocked at the DNS level before a connection is ever established. This catches malware callbacks, phishing sites, command-and-control traffic, and newly registered domains that are overwhelmingly malicious. DNS filtering works on and off your network.

Security Awareness Training

Technology alone does not stop every attack. Your employees are the last line of defense. We run continuous phishing simulations and training — not an annual video, but an ongoing program that keeps your team alert and gives us data on who needs additional coaching.

Patch Management

Unpatched software is the second-most exploited attack vector after compromised credentials. We patch operating systems, firmware, and third-party applications on a rigorous schedule. Patches are tested before deployment to prevent compatibility issues. Critical vulnerabilities are patched within 24 hours of release.

Dark Web Monitoring & Incident Response

We actively monitor the dark web for your company’s compromised credentials. When leaked credentials are found, affected accounts are flagged and remediated before they can be exploited. If a security incident does occur, our incident response plan is documented, rehearsed, and ready — not something we figure out in the moment.

The Result

Zero ransomware events across our entire client base. Zero voluntary churn. These numbers are not aspirational targets; they are our track record, built on the standards described on this page.

Learn more about our cybersecurity services or contact us to discuss your security posture.