FAQs What do I do if I don’t know where to start in making my business cyber secure? The obvious answer is; talk to us. However, you may want some reassurance that this really is a good first step. There are obviously many talented people and organisations who can give you good advice on cyber security but Demystify Security specialises in supporting small and medium-sized organisations in making themselves cyber safe. Most importantly, we pride ourselves on making it as simple as possible, so that you don’t have to become an expert in cyber security, while ensuring that you make the decisions. How do I know that you won’t just sell me an expensive box of technology and leave me? We will sometimes recommend that you buy some technology – although more likely to be software than hardware – but the most important cyber security controls are focused on processes and human behaviour. So we are most likely to advise you about how to manage your existing technology to make it secure and to set up security procedures that help people avoid leaving creating or leaving holes in your security controls. And we will be happy to continue to support you, even if we never sell you any technology. Will you guarantee that my business will be safe from hackers? We’d love to say yes, but we can’t. Just as with physical security – such as for a house, or a car – a determined, skilled attacker can get in, whatever security controls are in place. However, few organisations or individuals outside government or healthcare face targeted attacks by skilled adversaries. The main risk to small and medium-sized enterprises is from opportunistic or even random attacks, or human error by staff. We’ll help you ensure that your protection is good enough to make very unlikely that these kinds of threats can succeed. You may already have the right kinds of controls, managed effectively, to fend of such threats. If so, we’ll tell you this as soon as possible. However, if there are gaps, we’ll tell you how you could close them, and help you to do this if you want us to. Am I wasting effort on unnecessary or ineffective data privacy controls because of GDPR? There is a fair bit of mystique, or confusion, around what GDPR (or, more accurately, the UK’s Data Protection Act 2018, which, for the moment, includes all the requirements of the EU’s General Data Protection Regulations) requires. We can give honest, simple advice on what controls and processes you need to have in place to keep the Information Commissioners’ Office (the ICO) happy and to do right by your customers, suppliers and other contacts. If we think that your current controls are too tight or too loose, we’ll tell you how to fix this as simply as possible. What happens if you find that we can only be safe by putting on so many security controls that we can’t operate? That can be a problem, but we will help you make sure it doesn't happen to you. As a business ourselves, we know that the main thing you need to do is to operate – selling goods and or services – and you need freedom to do this. In cyber security, as in all aspects of managing an organisation, we cannot avoid all risks and we need to manage them. We won’t, and cannot, make your business decisions for you but we can make it clear what your choices are. We see cyber security as a tool that will allow you to run your business as safely as possible; it should not be a barrier to your doing what you need to do. Does Cyber Essentials really make any difference? The Cyber Essentials standard and system was established by the UK Government’s primary cyber security organisation, the National Cyber Security Centre, and has been endorsed by many other governments – who are not under the NCSC’s control – and independent cyber security organisations. The things that the standard checks are the key elements of any cyber security protection system and the assessment standard is thorough. If an organisation really meets the standard, it will be safe against the vast majority of random or targeted attacks, unless the attacker is a nation-state (choose your own suspect) or a well-resourced organised crime group. How much will it cost? Ah, that’s a good question. A basic Cyber Essentials assessment is only £300 but beyond that... it depends. All we can say is that: We know a lot about cost-effective security controls (because these are what we use ourselves) We take pride in being fair to our customers, We know that our customers, as SMEs, have to keep their costs low, and we can give you clear estimates of the costs, which are likely to be a lot lower than the big companies with their high overheads.