As long as I’ve been in this industry, clients have always had a thing about benchmarking, particularly those in the higher echelons, who are naturally driven by maturity, budgets, and the frequency of cyber breaches in their industry.  It’s often how they decide their spend.  Fair enough.  In the SME world it’s perhaps not that formalised but is still a thing.  An SME owner wants to know what other people are doing to try and gauge what they should be doing.

I talked, in a post last week, about conformational bias, which is a posh way of talking about the herd mentality and benchmarking falls loosely into that bracket.  What we’re actually talking about is the need for reassurance, deflecting plain discomfort, around the proposal to spend money on something that often seems a little esoteric to many.

Of course, not every situation, or every company is the same.  Their cyber maturity and risk appetite will often drive different approaches to a similar problem.  One company might have a heavy focus on data protection.  For example, an accountancy firm, a solicitors, even an estate agency, might assess that a serious data breach involving the Information Commissioner, could, potentially, put them out of business and they would therefore make this a number one risk.  On the other hand, a manufacturing company may consider this a risk, but of less importance than say, their designs for their next improvement to their product line.

So how good is a benchmark?  Well, it’s a guide, but that’s all it is, and you might think that if you’re close-ish to that guide, and you have an understanding about why you’re not closer, then that is probably OK.  What I’m saying is, don’t take an industry benchmark to be gospel, it isn’t, and basing decisions on what is essentially anecdotal evidence, isn’t, in my opinion, a very good basis for making that decision.

This is where building relationships with suppliers is essential for an SME.  Trust must be established, especially when dipping your toe in to the murky depths of cyber security.  Let’s face it, most people don’t understand it and people don’t trust what they don’t understand.  Finding a cyber security company that is happy to work with SMEs is not easy, especially one that isn’t wedded to technology as being the only answer to a problem.  Process and procedure can be just as effective as technology in certain circumstances and of course, is much much cheaper.  And let’s not forget cyber awareness training, still the cheapest quick win any SME can take to offset the risk of a data breach or scam.

All this is easy to say, but just how do you find a cyber security company you can trust?  I vaguely remember hearing the saying that you have to kiss a lot of frogs before you find your prince.  But in this case, you can’t afford to do that.  Time is not on your side but in doing your due diligence, you still need to be cautious.

What are you looking for?  I would suggest:

• Proven track record.  Look into the past of the ownership of the company, not just the employees. 

• Their approach.  Do they lead with technology?  If they do, walk away.  Do they take a risk managed approach?  That’s what you’re looking for.
• Do they talk in jargon, trying to baffle you with science?  If they do, walk away.  This subject can be explained without getting into technicalities.  You want something that addresses threats to your business, and they should demonstrate they understand that.
• Do they talk about the FUD factor. Fear, uncertainty and doubt. What they’re trying to do is to scare you into buying. Giving you the facts is one thing, FUD is completely different.
• Have they taken the time to fully understand what your business is about, what it is that drives your revenue, what is important to you and what is not so important?
• Do they see you as a long term partner or a quick revenue win?  Can be difficult to assess but it is crucial to building the trust I talked about earlier.

Of course, this is not an exhaustive list of criteria, and you’ll almost certainly have things you want to add, and maybe things you will discard.  But whatever route you take to build that trust, it is essential to your protection and peace of mind in what is becoming a very dangerous online world.