Your Clients Already Have a Security Question. Here's How to Answer It.
A plain-language breakdown of the 18 cybersecurity controls every small business should understand — and what it means when you can't point to any of them.
When a client asks how you protect their data, most small business owners have a reasonable answer. Good habits, solid software, a trustworthy team.
But having a reasonable answer and having verifiable proof are two different things — and your clients know the difference.
As of January 1, 2026, California SB 446 requires any business that handles personal information to notify affected clients within 30 days of a breach. There is no exemption for small businesses. No minimum size threshold.
The 18 controls in this guide are the foundation every professional services business needs to have in place — not to satisfy auditors, but to show clients and regulators something real when the question comes.
This guide breaks them down in plain language. No IT background required.
Where These 18 Controls Come From
The 18 controls in this guide are drawn from CIS Controls v8 — the framework used by the federal government, insurance carriers, and security professionals to evaluate a business's cybersecurity posture.
For enterprise companies, implementing these controls fully means months of work and six-figure budgets. For a small professional services firm, the awareness baseline is far simpler: understanding the 18 areas that matter most, what you already have in place, and where the gaps are.
Legacy Core's Bronze cybersecurity credential is built around this same framework — structured and simplified for non-technical business owners who handle client data.
California Just Removed the Small Business Exemption
California SB 446, effective January 1, 2026, requires any business handling personal information to notify affected clients within 30 days of a data breach — regardless of company size.
A two-person CPA firm now carries the same breach notification obligation as a 500-person corporation.
The 18 controls in this guide are not just good practice. They are the documented foundation for demonstrating that your business took reasonable steps — before the question is asked by a regulator, an insurer, or a client who did not renew.