Most frequently asked.
System security
Where should we start with security?
Start with visibility: what devices, systems, and data you have. Then focus on the basics. Don’t try to do everything at once – prioritise by risk.

System security
Do we need a dedicated security person?
Not usually. Many businesses with 20–200 employees manage security with IT handling day-to-day tasks and external support for strategy, assessments, or incidents. A fractional or virtual CISO often makes more sense than a full-time hire.

Compliance, Privacy
Does GDPR apply to us?
If you process personal data of people in the UK or EU (customers, employees, or website visitors), then yes. Size doesn’t remove the obligation, but expectations are proportionate to your scale and risk.

System security
How do I know if my business is “secure enough”?
There’s no such thing as perfect security. “Secure enough” means having controls that are proportionate to your size, industry, and risk. At a minimum, that usually includes MFA everywhere, managed and encrypted devices, prompt patching, tested backups, and someone actively paying attention to alerts.
If you’re being asked questions you can’t confidently answer, it’s usually time for an independent sense-check.

Compliance
What is ISO 27001?
ISO 27001 is an international standard for managing information security risks through a structured management system. Certification means an independent auditor has verified that the system meets the standard.

System security
How often should we review our security?
At least annually, with some areas reviewed more often. Patching should be continuous, access reviewed quarterly, and security tools checked regularly. Any major business change should also trigger a review.