There are many reasons for and against doing an online security audit, and there are cost and timeline factors too. Let's start out with the reasons for and against.
The case for doing an online security audit:
1. You want to sleep easier
This is the main reason our customers come to us for an online security audit. They feel their company just isn’t fully ready to stop, find or react to an attack. It may be that they have experienced a close-call event, seen something in the news or heard of the effects of a security breach through someone they know.
Having an online security audit and taking action helps you get peace of mind.
2. Regulation
Some organisations in various sectors are bound by regulation to have certain security measures in place. Finance and healthcare are two common industry examples. There are also regulations such as the UK GDPR and the Data Protection Act 2018 which force organisations to take security seriously.
If your organisation services enterprise or bigger clients in those industries, they may have to pass such measures down their supply chain and onto your organisation, meaning your organisation also has to be compliant.
3. You serve bigger clients
Having big enterprises as clients often means meeting their strict procurement and supplier requirements. In some cases, cybersecurity becomes a part of those requirements. We have helped clients complete heavy-duty security questionnaires and due diligence procedures.
Having a cybersecurity audit is a great step to understanding your organisation's security gaps and can be used as evidence that you take security seriously and will protect your clients' data and systems.
4. You want to do right by clients and employees
A CEO who took our cybersecurity audit once told us “my worst nightmare would be ringing my own clients, and telling them I’d lost their data”. If your organisation collects or processes a lot of data, especially personal or business-sensitive data, it’s worth ensuring it is protected appropriately. Think about who has access to it, whether it’s backed up, where it’s stored and how well it’s secured (through good passwords, multi-factor authentication, etc.).
Protecting client and employee data is also a great way of showing a strong organisational culture.
Countless organisations have suffered data breaches leading to the theft of company data. This puts employees on alert that they may suffer identity or financial fraud, and they can lose trust in their organisation and its management team.
A cybersecurity audit identifies issues that can be fixed before a breach can happen, protecting employee and client data.
5. There is an argument that cyber criminals don’t target smaller organisations.
That simply isn’t true. In fact, cybercriminals often don’t target organisations at all. Instead, they create email phishing scams with thousands of recipients, knowing that a small percentage will become victims and give them a big pay day.
6. You want to sell / pass on the business one day
Some of our previous clients have taken our security audits so they can make improvements to their organisation before selling or passing it on. In the case of selling, it ensured they were handing over a well-managed and resilient organisation, increasing the business value and the perception of the owner. It also reduced the chance of a breach impacting the valuation and the sale itself, as has happened to some businesses.
7. You need your business to be online without any disruption
If your organisation has to be online 24/7 to meet your clients’ needs, it’s even more important to perform a cybersecurity audit. Cyber criminals are increasingly hacking online platforms, websites and devices and holding businesses to ransom, knowing that they are more likely to pay for services which need to be running without disruption.
So, if your organisation uses at least one crucial online platform (e.g. a CRM, SaaS platform or cloud service), or would face harsh consequences if your own systems were offline for 24 hours, getting a cybersecurity audit is a great first step in keeping those systems safe.
The case for not carrying out a security audit
1. It might not make financial sense
Cybersecurity audits can be done to suit all budgets, from a £25,000 engagement with a Big Four consultancy to a free security quiz that we developed, and everything in between. But sometimes, it doesn’t make sense to spend money on security.
I know what you’re thinking: “But a lack of security could end the business before it gets off the ground”. Hear me out here. If your organisation hasn’t yet validated that it has a market fit, isn’t generating revenue, and altogether doesn’t have a moderately stable future, it may not make sense to spend a sum of your budget on security audits.
Instead, use our free quiz and fill the gaps with budget-friendly solutions such as antivirus, password managers and carrying out regular access reviews.
2. A data breach might never happen
Not all organisations suffer breaches or serious security incidents every year. But, over a 5-10 year stretch, the likelihood goes up substantially and some type of security incident is almost guaranteed.
“Criminals won’t target us” / “We’re too small to be targeted”
We’ve already spoken about the fact that cybercriminals rarely target businesses and instead have a scattergun approach. Still, as mentioned in the “it might not make financial sense” argument, if you are a startup without revenue, then perhaps wait a little before investing a great deal of money on security.
3. Cost (how much to spend on security)
So, how much should an organisation spend on security? Naturally this depends on a lot of variables such as company size, sector, clients, data held, use of technology etc.
To simplify this, aim for around 1% of annual revenue, or 10% of all technology, IT and tech team costs: 1% of revenue to protect the other 99%. It isn’t perfect, but it will give a rough idea and is the average security spend benchmark for most organisations.
If your organisation has been around for a few years and has never invested in security before, you may want to increase the spend to account for, and “catch up” on those years too.
A cybersecurity audit will advise you on how to get the best security risk reduction for your investment. It is the security equivalent of a financial advisor getting the best return on investment for your financial assets, or a personal trainer getting the most out of your time at the gym.
Solutions available
We have cybersecurity audit options to suit all budgets.
Comprehensive Security Health Check
The gold standard for most small and mid-sized organisations is a comprehensive Security Healthcheck, which identifies the biggest security risks and gives prioritised recommendations. Our security experts complete a data-driven security assessment with your organisation and run a security scan of the website and other key systems.
The findings are then presented back to the organisation in an understandable report and discussed over a video call.
The price for the Security Healthcheck for companies with up to 25 employees is £2,500. For larger organisations, simply add £100 per extra employee.
Light-Touch Security Healthcheck
For smaller organisations and startups, we offer a Light-Touch Security Healthcheck. It is better suited to smaller organisations with up to 25 employees. Also carried out by our security experts, it provides a clear snapshot of the organisation’s security against the key areas of threat, without diving in too deep. The findings are then presented back to the organisation in an understandable report and discussed over a video call.
The price for the Light-Touch Security Healthcheck is £1,500.
Optional extra - DataExposure Check
There is also an optional extra DataExposure Check which can be added to either health check service. It uses advanced tools to search the internet and dark web for any leaked or exposed information about the organisation, like passwords, email vulnerabilities, or sensitive data. It helps uncover hidden risks that cybercriminals could exploit and provides clear steps to protect the organisation.
The price is £750 and the findings are built into the Light-Touch or Security Healthcheck report.
Online Security Quiz
Lastly, for organisations without any budget for security, we built a free online security quiz that gives organisations a score out of 100 based on a set of questions. It takes 4-5 minutes to complete and is completely free.
Summary
Book a Security Health Check if you want to know where your organisation stands with its security and likelihood of being breached.
This is for you if you’ve never been through such an exercise and are unsure or worried about security breaches. This isn’t for you if you already have a security department, or have recently completed an ISO 27001 implementation.
Get in touch for a free, no obligation chat to see if we can help assess and improve your organisation’s security.