Security assessments and small business
Since CyberScale’s inception almost six years ago, one of our most popular and arguably most important services has been our cyber security assessments. We undertake these for all sorts of companies, of various sizes and across multiple sectors. The assessments give them a clear view of the cyber risks within their organisations and how those risks translate into business risk, together with an equally clear action plan to address them and gain a competitive advantage over others in their industry who may not be taking quite so much care of the security and privacy of their own and their clients’ data.
The value of assessments
At the core of these assessments is the understanding that business owners and leaders gain through engagement with our consultants. Our security assessments have always been conducted by a member of our qualified, experienced Cyber & Information Security team, who advise SMEs as well as larger clients day in, day out. The assessments start with a workshop in which the consultant leads a discussion with the appropriate people from the client organisation to obtain the information needed to understand the client’s business, identify risks and understand their potential impact on the business.
Throughout the workshop process, the consultant will ask questions, explain the rationale behind them, and help the client start to understand their risks – even before any report is written. We collect relevant information about the business operation, technology in use, policies and processes in place, employee and senior leadership awareness, interaction with suppliers and clients and many other things that contribute to the overall security posture of the organisation.
Once we’ve collected all the relevant information in the workshop, we take it away, analyse it in detail and write up a comprehensive report which outlines what we’ve learned, the key areas of risk, and a prioritised list of recommendations.
The challenge with helping smaller businesses
We’ve always wanted to make these assessments accessible to small and micro business owners who see the value in specialist advice, as these are in many cases the types of organisations most at risk from today’s cyber threats. However, consultants with the skills and experience needed to conduct these types of assessments and deliver an exceptional standard of advice are in high demand, which, along with the time needed, contributes to what we need to charge for our assessments. This can put them out of reach for smaller businesses with limited budgets.
We’ve noticed more recently that there’s a growing awareness amongst small business owners of the need for specialist advice, but that our peers in the security industry typically have the same challenges as we do with cost.
What about automating assessments?
One way to reduce the cost to the client would be to leverage automation, and this seems to be largely the trend in the industry. This typically means filling in a form consisting of several questions about your IT infrastructure and devices and your current security practices, and receiving an automated report based on this information.
In considering our best approach, we’ve looked at this option carefully and compared it with how we deliver our assessments now and what the key benefits have been to our clients. Here’s what we concluded.
Firstly, we can see the logic in providing automated reports. There are a lot more smaller businesses than there are larger businesses, which requires an ability to scale delivery. That means potentially more businesses helped, and a reduction in cost to provide assessments, therefore making them more accessible to smaller businesses.
Automation vs Human
There are however several challenges and limitations with these types of assessments and reports. They’re usually broad, designed for as large an addressable market as possible, and don’t take account of the specific challenges in different sectors, different working practices, company structures or other organisation specific context.
There’s no real way of telling whether the business owner or other representative filling in the form has really understood the questions correctly or has access to all the information required (often they would need to get this from an IT provider/MSP for instance). In some cases, there may be a motivation to try and get the best result possible from the report (treating it as a compliance exercise rather than a genuine effort to increase security), which may influence the answers. As you can imagine – the output of the report is very dependent on the input.
Useful – or just a lead generation tool?
There’s also a lot of variation in the level and quality of the questions, the logic used to generate the reports, and the output. In many cases, one might reasonably conclude that the questionnaire and its output constitute more of a lead generation tool than something really useful for the client – particularly with the free versions that are widely available.
The value of an expert
Secondly, and focusing on our own assessments, we looked carefully at where the value is. There are really two key aspects to the assessments that we deliver: firstly, the workshop and secondly, the report. Many medium and larger organisations benefit from a detailed assessment report, which is something that we’ve always provided as a key deliverable. This is particularly the case where they need to share the findings of the assessment with other people internally, or with external parties such as insurance companies or clients, to demonstrate their commitment to cyber and information security. But for a small business, we’ve realised that this may not be quite as necessary.
We believe that the most important aspect of our assessments is actually the workshop. When we conduct a security workshop with a client, we ask questions, often questions that have never been asked or considered before by the business owner and their teams. The experience of the consultant means that they can expand on questions, provide context and explanation, and make appropriate judgments where full information may not be available. During the workshop, we often see what we might refer to as light bulb moments where the client comes to realise the link between cyber security vulnerabilities and risks to their business.
When we compare the value of that workshop against a standard form and an automated report, we feel like our decision is pretty straightforward.
Enter consultant-led, one day cyber assessments
So, our key conclusions are:
- the experience of the consultant is vital;
- the workshop is more important than the report for small businesses; and
- we still need to reduce the cost for small businesses.
Our one-day assessments, therefore, will retain the workshop element, and we will deliver these in largely the same way with the same experienced consultants that we use for existing assessments, but with the analysis and explanation all being completed on the day. We will optimise the reporting element by providing a short summary which gets straight to the point, is consumable for small business owners, and critically reduces the time required from a consultant and therefore the cost of the engagement.
We’ll be making our one-day cyber assessment available to book online via our website, and via selected MSPs who see the value of these independent assessments to their clients – bearing in mind that our assessments cover people, process AND technology – all critical components of effective security. In most cases, the biggest improvements smaller companies can make to their security and resilience aren’t about spending more money on expensive software or the latest shiny security box. Improving processes, raising awareness, and doing the fundamental things right are more important – but business owners don’t necessarily know what those things are or how to prioritise them.
This is what the One Day Cyber Assessment will tell you.