Security Foundations
Introducing the Service
"Are we secure enough?" is the question every business leader eventually asks - usually after a near-miss, a customer questionnaire, or a conversation with an insurance broker.
The honest answer for most small businesses is: "We don't know, and we're not sure how to find out."
This service answers that question. We assess your current security against what actually matters for a business your size, identify the gaps that present real risk, fix the quick wins, and help you build a proportionate security baseline you can maintain.
This isn't about achieving perfect security - that doesn't exist. It's about being secure enough for your situation: enough to protect your business, satisfy your customers, meet insurance requirements, and sleep at night.
What Problem Does This Solve?
Most security incidents happen because basic controls aren't in place or aren't working properly. Not sophisticated attacks - just the basics done badly.
If any of these sound familiar, this service can help:
"We don't really know what we've got"
Asset lists, tool dashboards, and spreadsheets all contradict each other. Things get missed. Nobody has a complete picture.
"Things were set up in a hurry and never reviewed"
Default settings, over-permissive access, open ports - configurations that made sense during rapid growth but were never tightened up.
"Patching happens... eventually"
Updates get done when someone remembers, but there's no schedule, no tracking, and no visibility of what's actually vulnerable.
"We have security tools but they're noisy"
Antivirus, email filtering, maybe some monitoring - but nobody's tuning the alerts or checking them regularly. Real problems hide in the noise.
"Passwords and MFA are a bit inconsistent"
Some systems have strong authentication, some don't. Staff reuse passwords. MFA is only on the "important" systems (but which ones are important?).
"We can't prove any of this to customers or insurers"
When someone asks for evidence of your security controls, it's a scramble. Sales cycles stall. Insurance premiums go up.
This service gives you clarity on where you stand, fixes the obvious gaps, and establishes a baseline you can point to when customers, insurers, or your own board ask: "Are we secure enough?"
Fit for Small Businesses
This service is designed for businesses that need solid security foundations without enterprise complexity. Typically that means:
20 to 200 employees - large enough to have real security risks, small enough that a dedicated security team isn't realistic
Growing and moving fast - configurations set up during rapid growth that haven't been reviewed
Using cloud services - email, file storage, and cloud infrastructure
Facing security questions - from customers, insurers, investors, or regulators
No dedicated security person - IT handles security along with everything else
We calibrate everything to your size and risk profile. A 50-person SaaS company doesn't need the same controls as a bank. We focus on what's proportionate and practical - the minimum viable security for your stage, not enterprise overkill.
Outcomes: What You Get
Clarity on where you stand
You know your security posture
A clear assessment of your current state against the controls that matter for a business your size
You know where the gaps are
Prioritised list of what's missing or misconfigured, ranked by risk and effort to fix
You can answer the "are we secure enough?" question
For yourself, your board, your customers, and your insurers
The basics done properly
Devices are managed and protected
Company laptops and phones are enrolled, encrypted, and have endpoint protection that actually works
Access is controlled
Multi-factor authentication everywhere it matters. Accounts are provisioned properly and removed when people leave.
Systems are configured securely
Default settings tightened up. Unnecessary access removed. Cloud services hardened.
Patching is happening
Visibility of what's vulnerable. Critical updates applied promptly. A process that works without constant attention.
You'd know if something bad happened
Logging in place for key systems. Alerts configured and tuned so they're useful, not noise.
Data is backed up and recoverable
Critical data backed up to a secure location. Tested regularly so you know it works.
Evidence you can point to
You can satisfy customer questionnaires
Evidence of your controls ready to share, mapped to what customers typically ask
You can meet insurance requirements
Controls aligned with what cyber insurers expect (MFA, patching, backups, endpoint protection)
You can demonstrate due diligence
If something does go wrong, you can show you had reasonable controls in place
Ongoing confidence
Someone's watching
Regular health checks on your security tools and configurations
You have someone to ask
Access to security expertise when questions come up or things change
You stay secure as you grow
Controls that flex with your business, not a point-in-time snapshot that goes stale
How It Works
The service has three phases.
Phase 1: Assessment and Quick Wins
We assess your current security against the controls that matter for a business your size, identify the gaps, and fix the obvious ones immediately.
Activities and what they mean in practice:
Baseline assessment - Review of ~20 key controls covering devices, access, configuration, patching, monitoring, and data protection. Scored by maturity and risk.
Quick-win remediation - Immediate fixes for critical gaps - typically enabling MFA where it's missing, addressing critical patches, and securing backup configurations.
Prioritised roadmap - A clear plan for what else needs fixing, ranked by risk and effort, so you know what to tackle first.
Typical duration: 2–4 weeks
Phase 2: Implementation and Hardening
We implement the controls needed to close your gaps and harden your environment.
Activities and what they mean in practice:
Device management - Enrolling company devices in management, enabling encryption, applying compliance policies, and getting visibility of unmanaged devices.
Endpoint protection - Deploying and tuning protection software on all devices so it catches real threats without drowning you in false alarms.
Secure configuration - Tightening settings across cloud services, operating systems, and applications - removing defaults, closing unnecessary access, applying security baselines.
Access controls - Ensuring MFA is in place where it matters, granting access based on need, and removing accounts when people leave.
Logging and monitoring - Setting up logging for key systems (sign-ins, admin actions, security events) and configuring alerts that are actually useful.
Backup and recovery - Ensuring critical data is backed up securely, protected from ransomware, and regularly tested to confirm it can be restored.
Attack surface review - Looking at your business from an attacker's perspective - what's visible, what's exposed, what could be targeted.
Staff awareness - Practical, role-appropriate training so your team knows what to watch for and what to do.
Typical duration: 2–3 months (depends on scope and starting point)
Phase 3: Ongoing Monitoring and Support
Once the baseline is established, we keep it working and help you maintain it.
Ongoing activities and cadence:
Tool and alert health check - Weekly: make sure your security tools are working and alerts are being handled.
Status report - Monthly: what's happened, what's changed, what needs attention.
Incident and change advisory - As needed: guidance when something happens or you're making changes.
Security questions - As needed: access to expertise when you need advice.
Minimum term: 12 months
What's Not Included
This service establishes and maintains your security foundations. Some things are out of scope. Where relevant, we indicate what to do instead.
Major architectural changes
If you need to redesign your network or rebuild your infrastructure, that's a separate project. We'll identify if it's needed and recommend a way forward.
Fixing application code
If your product has security vulnerabilities in the code, your developers need to fix them. We can advise on what's needed and help you prioritise.
24/7 incident response
We provide guidance during incidents within business hours. If you need round-the-clock response capability, you'll need a dedicated service.
Penetration testing
Formal penetration testing by specialist testers is separate. We can help you procure and manage it.
Compliance certifications
ISO 27001, SOC 2, and similar certifications are separate services. This service builds the foundations that make certification easier.
Data protection / DPO
GDPR compliance and Data Protection Officer responsibilities are covered by our DPO service, not this one.
Building a security operations centre
If you need full-time security monitoring, that's a bigger investment. We can advise on options and next steps.
What We Assess
The baseline assessment covers the controls that matter most for small businesses:
Asset visibility
Do you know what devices, systems, and services you have? Is there a single source of truth?
Device security
Are devices managed? Encrypted? Running endpoint protection? Kept up to date?
Access control
Is MFA in place? Is access granted appropriately? Are leavers removed promptly?
Cloud configuration
Are your cloud services (email, file storage, infrastructure) configured securely?
Patching
Do you know what's vulnerable? Are critical patches applied promptly?
Logging and monitoring
Are key events logged? Would you know if something bad happened?
Backup and recovery
Is critical data backed up? Is it protected from ransomware? Can you actually restore it?
Email security
Are you protected against phishing and business email compromise?
Network security
Is your network appropriately segmented? Are unnecessary services exposed?
Staff awareness
Do people know what to watch for? Would they report something suspicious?
We score each area by maturity and risk, giving you a clear picture of where you stand and where to focus.
Assumptions
You have an executive sponsor. Someone senior needs to own this - approve scope, make decisions, allocate resources. Without this, things stall.
You give us access to what we need. We need to see your systems, talk to your people, and review configurations. If we can't access something, we can't assess it.
We work remotely unless agreed otherwise. The service is delivered remotely. If on-site work is needed, we'll agree it in advance.
Implementation is collaborative. We configure and deploy, but some tasks need your team's involvement (approvals, access, testing).
Who Delivers the Service
Your security lead will be an experienced practitioner with recognised qualifications (typically CISSP or CISM) and hands-on experience implementing these controls across dozens of small business environments.
You get a named consultant who knows your environment - not a rotating cast of people who need briefing each time.
Term and Pricing
Phase 1: Assessment - 2–4 weeks - Fixed fee
Phase 2: Implementation - 2–3 months - Fixed fee (scoped based on assessment findings)
Phase 3: Ongoing support - 12-month minimum - Monthly retainer
Phases 2 and 3 are priced based on the assessment findings - we need to understand your environment before we can scope the implementation work.
Combining with Other Services
This service establishes your security foundations. Other services build on top:
vCISO - if you need ongoing security leadership and governance, not just foundational controls.
ISO 27001 Implementation - if you need certification. This service gets your controls in place; ISO 27001 adds the management system and formal certification.
DPO as a Service - if you have data protection obligations. Security foundations and privacy compliance are related but distinct - you may need both.
For many small businesses, Security Foundations is the right starting point. It answers "are we secure enough?" and builds the baseline that other services depend on.