The specialist cyber security consultancy will provide comprehensive risk assessments and recommendations to help safeguard against cybercrime.

Monday 20 March 2023: Norwich-based Cyber Security Consultancy, CyberScale, has launched its One Day Cyber Assessment service to help strengthen resilience for small and micro businesses who have become prime targets for cybercriminals.

According to the Cyber Security Breaches Survey 2022, 38% of small businesses in the UK fell victim to an attack in 2022, and around four in five (82%) of boards or senior management rated cyber security as a ‘very high’ or ‘fairly high’ priority. Despite this, only 19% of businesses have a formal incident response plan and only 6% have the Cyber Essentials certification to understand what risks they face.

The One Day Cyber Assessment prioritises attack prevention by identifying gaps in security measures and policies and offering expert advice on how to keep company and customer data secure. The tailored evaluations explore every aspect of a business across technology, people and processes. This includes network, email, laptops and mobile devices alongside staff and management awareness of the risks associated with business practices such as remote working.

Specialist consultants identify areas of potential risk and recommend remediation to reduce vulnerabilities, signposting free or low-cost resources that help improve cybersecurity measures. At the end of the assessment, they provide clear, actionable reports to help business owners make improvements to their security controls and understand specific legal or regulatory requirements and any security frameworks relevant to their clients.

Darren Chapman, Founder and Principal Consultant at CyberScale said: “We identified a need to support those businesses who have no dedicated security resources and want to learn more about the risks they face. Our One Day Cyber Assessment will empower small business owners to make informed decisions about best security practices and help them gain a competitive advantage. Raising awareness among smaller businesses about the potential threats they face not only benefits them directly, but also the UK’s overall cybersecurity posture.”

The One Day Assessment is available at a discounted rate for small and micro businesses. For more information visit https://www.cyberscale.co.uk/cyber-security-assessments/.

Our one-day assessments, therefore, will retain the workshop element, and we will deliver these in largely the same way with the same experienced consultants that we use for existing assessments, but with the analysis and explanation all being completed on the day. We will optimise the reporting element by providing a short summary which gets straight to the point, is consumable for small business owners, and critically reduces the time required from a consultant and therefore the cost of the engagement.

We’ll be making our one-day cyber assessment available to book online via our website, and via selected MSPs who see the value of these independent assessments to their clients – bearing in mind that our assessments cover people, process AND technology – all critical components of effective security.

In most cases, the biggest improvements smaller companies can make to their security and resilience aren’t about spending more money on expensive software or the latest shiny security box. Improving processes, raising awareness, and doing fundamental things right are more important – but business owners don’t necessarily know what those things are or how to prioritise them. This is what the One Day Cyber Assessment will tell you.

One Day Cyber Assessments

Security assessments and small business

Since CyberScale’s inception almost six years ago, one of our most popular and arguably most important services has been our cyber security assessments.
We undertake these for all sorts of companies, of various sizes across multiple sectors. The assessments provide them with a clear view of cyber risks within their organisations, how they pose a business risk, and provide them with an equally clear action plan to address those risks and gain competitive advantage over others in their industry who may not be taking quite so much care of the security and privacy of their, and their clients’, data.

At the core of these assessments is the understanding that business owners and leaders gain through engagement with our consultants. Our security assessments have always been conducted by one of our qualified, experienced Cyber & Information Security team, who advise SME as well as larger clients day in, day out. The assessments start with a workshop where the consultant leads a discussion with the appropriate people from the client organisation to obtain relevant information needed to understand the client business, identify risks and understand their potential impact on the business.

Throughout the workshop process, the consultant will ask questions, explain the rationale behind them, and help the client start to understand their risks – even before any report is written. We collect relevant information about the business operation, technology in use, policies and processes in place, employee and senior leadership awareness, interaction with suppliers and clients and many other things that contribute to the overall security posture of the organisation.

Once we’ve collected all the relevant information in the workshop, we take this information away and analyse it in detail and write up a comprehensive report which outlines what we’ve learned, the key areas of risk, and a prioritised list of recommendations.

We’ve always wanted to make these accessible to small and micro business owners who see the value in specialist advice, as these are in many cases the types of organisations that are most at risk from today’s cyber threats. However, consultants with the skills and experience needed to conduct these types of assessments and deliver an exceptional standard of advice are in high demand, which along with the time needed, contributes to what we need to charge for our assessments. This can put them out of reach for smaller businesses with limited budgets.

We’ve noticed more recently that there’s a growing awareness amongst small business owners of the need for specialist advice, but that our peers in the security industry typically have the same challenges as we do with cost.

How about automating assessments?

One way to reduce the cost to the client would be by leveraging automation, and this seems to be largely the trend in the industry. This typically means filling in a form consisting of several questions about your IT infrastructure and devices and current security practices, and receiving an automated report based on this information.

We’ve looked at this option carefully and compared it with how we deliver our assessments now, and what the key benefits have been to our clients, in considering our best approach. Here’s what we concluded.

Firstly, we can see the logic in providing automated reports. There are a lot more smaller businesses than there are larger businesses, which requires an ability to scale delivery. That means potentially more businesses helped, and a reduction in cost to provide assessments, therefore making them more accessible to smaller businesses.

There are, however, several challenges and limitations with these types of assessments and reports.
They’re usually broad, designed for as large an addressable market as possible, and don’t take account of the specific challenges in different sectors, different working practices, company structures or other organisation-specific context.

There’s no real way of telling whether the business owner or other representative filling in the form has really understood the questions correctly or has access to all the information required (often they would need to get this from an IT provider/MSP for instance). In some cases, there may be a motivation to try and get the best result possible from the report (treating it as a compliance exercise rather than a genuine effort to increase security), which may influence the answers. As you can imagine – the output of the report is very dependent on the input.

There’s also a lot of variation in the level and quality of questions, the logic used to generate the reports, and the output. In many cases, one might reasonably draw the conclusion that the questionnaire and output constitute more of a lead generation tool, rather than something really useful for the client – particularly with the free versions that are widely available.

Secondly, and focusing on our own assessments, we looked carefully at where the value is. There are really two key aspects to the assessments that we deliver: firstly, the workshop and secondly the report. Many medium and larger organisations benefit from a detailed assessment report, which is something that we’ve always provided as a key deliverable. This is particularly the case where they need to share the findings of the assessment with other people internally or share with external parties such as insurance companies or clients to demonstrate their commitment to cyber and information security. But for a small business, we’ve realised that this may not be quite as necessary.

We believe that the most important aspect of our assessments is actually the workshop.
When we conduct a security workshop with a client, we ask questions, often questions that have never been asked or considered before by the business owner and their teams. The experience of the consultant means that they can expand on questions, provide context and explanation, and make appropriate judgments where full information may not be available. During the workshop, we often see what we might refer to as light bulb moments where the client comes to realise the link between cyber security vulnerabilities and risks to their business.

When we compare the value of that workshop against a standard form and an automated report, we feel like our decision is pretty straightforward.

Enter consultant-led, one day cyber assessments

So, our key conclusions are:

  • the experience of the consultant is vital;
  • the workshop is more important than the report for small businesses; and
  • we still need to reduce the cost for small businesses.

 
