5 FAQs About Cyber Security Risk Assessments

Written by Mark Riddell


Do I have to notify my current IT guy or company that you are running this assessment?

A: Yes! Your current IT company or person needs to be know we are conducting the assessment. In most cases, they will need to provide us with access to your systems such as servers and firewalls in order for us to carry out the assessment. We may have to speak with other vendors too for any managed services you have – a manged firewall or backup device, for example.

They SHOULD be supportive of this as it is in their interests that your business is secure. If they are against having the assessment done – you must ask questions why.

Remember, it’s YOUR reputation, YOUR money, YOUR business that’s on the line. THEIR mistake is YOUR nightmare. 


If you find a compromise, virus or security violation during the risk assessment, do you have to report me?

A:  No.  Please understand that EVERYTHING WE FIND AND DISCUSS DURING THIS ASSESSMENT WILL BE STRICTLY CONFIDENTIAL. We are not obligated to report any of our findings to anyone other than you directly.

You should know that according to UK laws, you may be required to tell your clients and/or patients if YOU have exposed their data, records and information to cybercriminals, and we would recommend you abide by the law. But we are not the police or the ICO. We are here to help you put a plan in place to prevent that disaster from happening.


How intrusive is the assessment? Do you have to install any software on my computer network during the assessment?

A: Our assessment is completely non-intrusive to your network. During our initial meeting, we will cover a number of different options for assessing your network against cyber attacks, which may or may not include specialised diagnostic software tools. We will discuss these options with you in person and will never do anything on your computer network without your complete agreement.

Either way, this assessment will provide you with verification from a qualified third party on whether or not your current IT person or provider is doing everything they should to keep your computer network not only up and running, but SAFE from cyber crime.


How long will this take? Will my system be down at all during the assessment?

A: Your time investment is minimal; one hour for the initial meeting, and one hour in a second meeting to go over our final report. The actual time that it will take us to conduct the assessment depends on the size and complexity of your IT systems.

Your computer network will not be slowed down or taken down by this assessment.


Are we too small to worry about getting hacked? We don’t have anything a hacker would want to steal.

A: WRONG. For starters, small businesses are the #1 target for cybercrime groups because of their inability (or unwillingness) to implement proper security protocols. You’re easy prey. Second, not all cyber attacks are about stealing your data. Ransomware attacks, like the recent WannaCry worm that affected the NHS, are about stealing what’s valuable to YOU and extorting money. Hackers corrupt ALL of your customer records, ALL of your work files and other data, then ask you to pay to get them back. If you don’t pay, they delete your files. If you DO pay, they delete your files anyway OR come back and demand MORE money because you’ve indicated you’re willing to pay. They’re called cyber criminals for a reason: they’re lawless scumbags who don’t follow the rules.

Can you honestly say your client records and ALL of the history, data and work files on your server are something not worth protecting?!?!

And finally, just like a real virus (common cold), malware spreads without anyone intentionally giving it to you. They are designed to be self-propagating, so claiming “nobody would want to attack us” is akin to saying, “I won’t catch a cold because nobody wants to give me one.” It doesn’t work that way.

Most of the attacks are 100% automated, using software programs designed to hammer millions of computers at once, working 24 hours a day, 365 days a year, to find security loopholes on ALL computers connected to the Internet. You’re under attack by highly organised, highly motivated TEAMS of sophisticated coders who attack en masse – not some lone hacker sitting at home selecting his victims. All it takes is to miss ONE critical software update and you’re toast. ONE employee clicking on the wrong link. ONE client or trusted vendor sending you an infected file.

Have A Question That Was Not Answered Here?

If you have any other questions you need answered, please call my office direct at 01738237001 or email mark.riddell@m3networks.co.uk