National Cyber Security Association (ukncsa.org)

How Can the SME Get Secured Against Cyber Attacks?

The need for cyber protection has never been greater.

Many businesses close after being hit by a data breach. Yet how can small and medium-sized businesses get that protection at a reasonable cost?
  • Over 50% of all small businesses suffered a breach within the last year
  • Average cost to small businesses: $200,000
  • Of those hit, 60% go out of business within six months
  • 43% of cyber attacks are aimed at small businesses
  • Only 14% are prepared for cyber defence

These grim statistics reveal the true cost of cyber crime: destroying small businesses, disrupting families, causing real problems to real people.

In larger companies, sophisticated protection is managed by the Chief Information Security Officer (CISO). The role is very extensive, requiring a high degree of expertise. It also brings a great deal of value to organisations that invest in appointing a CISO.

How Can the SME Afford That Level of Protection?

Instead of paying a high salary, plus recruitment costs and then ongoing expensive training, a better alternative is to hire a fully qualified and experienced CISO on a shared basis.

Details of service: Virtual CISO Services

The CISO applies his or her expertise while helping several clients. This is sometimes called a fractional CISO or, more often now, a Virtual CISO. The term reflects that much of the work, after the initial getting-to-know period, can be performed remotely. This is a little different from an Interim CISO, who is expected to work full-time but as a temporary appointment. The Virtual CISO, on the other hand, can be the best long-term solution.

Rather than charging an hourly rate, the work is usually specified up front and an appropriate monthly amount is agreed to complete it. The vCISO concentrates on building the cyber protection and making the improvements, whether working on site or remotely, including keeping the management and Board of Directors up to date on progress.

Having a professional CISO working for the company is a business differentiator which the client company should capitalize on by letting their customers and suppliers know.

A Virtual CISO (vCISO) helps organizations to protect their infrastructure, data, people and customers. The vCISO will work closely with the existing management and technical teams to build the client organisation’s cyber security programme.

The vCISO can really help when a company is struggling to comply with regulations and implement security, by providing sound guidance and direction that makes a measurable impact on the results of the client's cyber security programme.

Benefits of Using a Virtual CISO

There are, in fact, many benefits of hiring a vCISO over the traditional full-time in-house CISO. Firstly, of course, there is the cost. A Virtual CISO will typically cost between 30 percent and 40 percent of a full-time CISO. In addition, you will not normally pay for any training costs.

The benefits go much further than just cost. Virtual CISOs, because they are fully trained and up to date, can hit the ground running. They are very much used to adapting to new situations and can apply the many lessons they have learned from multiple engagements. A full-time hired CISO may have seen only one or two large corporate situations and will take much longer to "settle in".

The Virtual CISO will usually operate more efficiently because he or she is not hampered by office politics; the job is simply to get results. Finally, if the vCISO works in a team, then the client company has the expertise of the whole team, not just the single CISO appointed to them.

The UK National Cyber Security Association service:

The UKNCSA Virtual CISO Services are available and we pride ourselves on:
  • Expert, knowledgeable and qualified consultants
  • Cost-effective services tailored to your business needs
  • Building long term relationships with our member-clients

Typical Working Methods

When we begin working with you, we want to quickly understand your business objectives, its culture and environment. It is vital to fully understand the business's methods and to build trust relationships with key personnel. This is central to ensuring a successful cyber security programme.

To accomplish this, a typical engagement will involve being on site during the first two to three weeks. Thereafter we continue with a mixture of remote working and site visits, depending on your preference and requirements.

We make use of the Unified Cyber Security Framework to ensure that all fundamental areas are properly protected. Following the UCSF enables us to methodically and efficiently apply controls to the major domains while building up information for the cyber risk assessment.

The workflow includes:
  • Ensure all fundamental security operations are in place
  • Prepare a cyber risk assessment based on your specific business assets
  • Map out the optimum cyber security strategy with key stakeholders
  • Prepare a Gap Analysis report and establish the Cyber Security Road Map
  • Build out the Governance, Risk and Compliance (GRC) programme
  • Look to consolidate and get best value from contractors and vendors
  • Build a Cyber Awareness Training Strategy
  • Establish Incident Response Procedures
  • Prepare a Business Continuity Plan
  • Set up Third-Party Management

This list is not exhaustive and will depend very much on the individual client company. While our templates and methodologies make our work efficient, we implement them in a very adaptable and customised fashion.

Other Circumstances Appropriate to Using a vCISO

As well as the situation described above, where a CISO is shared, there are other situations where a vCISO could provide valuable services.

1) Board Advisor
Your company may have a cyber security lead who has been with the organisation for many years and understands the business very well. However, there is often a communications gap between that role and the top executive. A vCISO can fill that gap by providing the board members with an understanding of cyber security and communicating business objectives to the cyber lead. This helps build the cyber security culture of the organisation.

2) Coach and Mentor to a Newly Established CISO.
If your company has selected an employee as the cyber lead, someone who is enthusiastic about securing the company, but who lacks the training and experience, then a Virtual CISO could be the ideal solution to provide the initial leadership that is lacking. This may be the case with a “Start-up” or “Scaling-up” company.

3) Part-time Deputy or Assistant to the CISO.
Supporting an over-stretched CISO. There are times when an additional experienced CISO needs to be added to the team. In this case a vCISO may be the best choice to provide that extra expertise. This may be an interim arrangement or a permanent "best solution". The vCISO may take on a specific function such as third-party contract management or business continuity planning, or possibly the board relationship management while the full-time CISO handles other duties.

As more and more companies realise the importance of having a CISO role, there will be an increasing requirement for fractional or Virtual CISO service providers. This is a practical solution to many circumstances that do not warrant a full-time CISO.

Author: David R. Bird.
MSc Cyber Security, CISSP.

UKNCSA™ is the National Cyber Security Association™ for the UK.
UKNCSA is administered by UKNCSA Ltd (a non-profit organisation).
Company Reg.11995004
Reg Office. 101 Avondale Road, London N153SR.