Security Advisor

Price: £2,000 per month (excl. VAT)

For most SMEs, security has only a peripheral role in strategic decisions, or no role at all. Yet a large fraction of SMEs still suffer from attacks and security issues. What's more, the infrastructure and process decisions businesses make in their early stages can shape their risk profile for years to come. Security is too important for businesses to handle purely informally, but a full-time security professional is not financially practical for most SMEs.

Strategic Security Guidance

Would your business benefit from recurring security guidance from professionals who know how to think like attackers? We offer recurring consulting services for your business in which we'll periodically meet with a company's team to provide security advice and leadership. Our Security Advisor service focuses on practical security rather than fixed lists of compliance checkboxes. Our consultations let us understand how computer systems and human processes, as well as your priorities as a business, interact. For most organisations, improving security is not primarily a matter of implementing highly complex controls. More often, the limiting factor is that nobody within the organisation has a clear view of how the overall attack surface fits together. Our role as a Security Advisor is to help provide that perspective. The most dangerous threats are rarely constrained to a single attack surface, and effective defence requires understanding how technical systems and human factors interact.

Why Would SMEs Need Security Guidance?

It might not be obvious why an SME would benefit from a security leadership retainer service of any kind; after all, SMEs frequently have relatively similar security needs. For those who think of security purely in terms of configuring Microsoft 365, it may seem like a typical SME has no genuine security decisions to make - only standards to comply with, and for their MSP to implement.

The truth is that every SME makes significant security decisions, even if their staff never touches their software configuration, because the very act of choosing providers is a security decision. One of the biggest risks many SMEs face is choosing the wrong providers. The MSP who stalls a company for months due to a failed migration; the IT company that can't help them with even basic data recovery; the provider who is bound by partnership agreements to a specific vendor even when another option would be better; the web developer who pushes SEO-killing placeholder text to production websites. All of these represent both a direct threat to an SME - work delayed, operations impeded, reputation damaged - as well as a potential source of insecurity against third-party attackers.

SMEs who choose a low-quality digital vendor over a competent competitor aren't unwise in general. Rather, they - along with high-quality digital companies - are both victims of a market that as yet has limited clear quality signals. Doing due diligence on a potential digital supplier remains challenging for many companies. Assessing whether contracting a given supplier will be a wise decision for an SME requires both technical knowledge and the ability to investigate the company in question. Those form a skillset that SME leadership frequently lacks, but Shellhex can provide.

Consolidating Security Ownership

Another source of structural security weaknesses among many SMEs is that SMEs are unlikely to possess a single, coherent owner of security policy within their organisation, meaning that their security posture is in practice determined by multiple decision makers who are not necessarily coordinated and who may not be prioritising security. As a Security Advisor, we offer to act as the owners of your security posture, within your organisation. This takes the burden off other actors, such as MSPs, who end up as de facto security leaders yet who may not have the authority to manage your security properly, or who may not desire the responsibility of doing so.

To see why a single owner with a bird's-eye view matters, consider a common situation. An SME commissions a marketing and customer-communications system through its website. The developer building it needs the system to send mail from the company's address, so they add an SPF record authorising the new sending service - correctly, since otherwise that mail is flagged as spam. Separately, and just as correctly, the company's MSP hardens its email against impersonation with a strict DMARC policy, telling the world to reject any mail claiming to come from the company that isn't authenticated under its own domain - exactly how you stop attackers spoofing your address in phishing campaigns.

Neither supplier has erred, yet together they break something. The marketing mail authenticates under the sending platform's domain, not the company's, so under the new DMARC policy it no longer aligns and silently stops arriving - no error, just customer emails vanishing, which to the business looks like a broken marketing system rather than two suppliers working at cross purposes. The proper fix, authenticating that mail under the company's own domain, is split between both parties: the developer must enable it on the sending platform and supply the details, and the MSP must publish them in the company's DNS. If the MSP tries to solve it unilaterally, their only lever is to weaken the DMARC policy it just deployed, reopening the domain to the spoofing it set out to prevent.

How Our Advisory Process Works

As your Security Advisor, we offer quarterly meetings for analysis of your security posture and risks, along with free consultation on security questions, incident response advice, and overall guidance on your security strategy as your business's needs demand. We will act as a retainer consultant for your business's security needs as your business operates and changes. Additionally, this service includes access to Risk Assessment services as part of our recurring security posture reviews. It further includes a 10% discount on all our security testing.

In a typical meeting, we will go to your premises (or you can come to ours, if that would be preferable). We will have reviewed information you'll send us beforehand about your business's security and operations. During the meeting, we'll have an interactive discussion where we work together to combine our own security expertise with your domain expertise in what your business does. At the end, we'll have developed a shared perspective on what your organisation's security strategy should be, and can further assist you if needed in making the perspective we'll have built into reality.

What This Service Is Not

Our approach to security guidance is based on our experience with adversarial simulation. We are not a managed service provider, IT company, or security operations centre, and we do not offer 24/7 monitoring and management of your systems. What we offer instead is to guide you in how you design and modify your systems so that they are in the best place they can be. This emphasis on proactive rather than reactive security enables you to get ahead of attackers rather than be stuck one step behind. By providing continuing guidance on the design of your systems - cloud and software-as-a-service setup, access control strategies, security policies and processes, staff training systems, vendor choice - you will be off to the right start and not be shooting yourself in the foot with faulty security foundations.