Under the Spotlight: Shift Key Cyber's Dawn O’Connor answers our questions

"My name is Dawn O’Connor and I am one of the Co-Founders of Shift Key Cyber. As a Co-Founder, I wear many hats within the business, but I primarily work with customers to reduce their risks and increase their cyber resilience."

"Shift Key Cyber is a Cyber Security Consultancy focusing on Governance, Risk, and Compliance. We help customers through a variety of services such as Cyber Essentials certification, gap assessments, supply chain reviews, and ISO 27001 implementations. We help them manage risk and build resilience within their organisations."

"Customers generally come to us because they want to improve their cyber security but may be unsure where to start. During that initial conversation, our first step is to understand two things: 1 - Why do you want to improve? 2- What are your business drivers? "Asking these questions helps us determine what service are the most appropriate, and where we can provide the best value."

"In my opinion, the biggest cyber threats companies are facing right now is that they often don't have visibility or an understanding of what they are trying to protect. If you do not know what data or assets you have within your business, you can’t apply controls to put the appropriate protection in place."

"Cyber Essentials is a great fit for companies that already have some controls in place and also for those that have next to little or nothing set up. By applying Cyber Essentials controls, organisations can greatly reduce their risk of being breached and experiencing a cyber incident. "Cyber Essentials offers protection against commodity-based attacks (these are attacks which utilise publicly available tools and techniques). Chris Ensor from the National Cyber Security Centre recently urged all organisations to make Cyber Essentials a foundational part of their cyber resilience. The Cyber Essentials Impact Survey published in October 2024 found 85% of companies with Cyber Essentials report a better understanding of cyber risks and that 92% fewer insurance claims are made by businesses and organisations with the CE controls in place."

"Yes, there is a perception that cyber security is a complex topic, but actually it can be quite easy for organisations to take small, actionable steps that can increase their resilience and help stay protected. Organisations such as the Cyber Resilience Centres are a trusted source of information that businesses can utilise to implement controls to help build that resilience. Every business is different, and cyber security should be adapted depending on those particular requirements."

"As a Cyber Security Consultant, I would say top, but I’m probably a little biased! However, businesses do not know what they do not know and so may not realise it should be a priority for them. Naturally a lot of small company’s focus on profit to stay in business, and so security is generally not high on the agenda. I would suggest that security should be embedded and treated as business as usual, otherwise it can become a check box exercise on an increasing to-do list, rather than being a continuous and evolving process. "For a business with nothing in place, they can begin strengthening their security by taking small actionable steps. Whether that's by contacting the EMCRC or implementing Cyber Essentials. Doing something is better than doing nothing and I would urge them to start today."

"A lot of companies think it doesn’t apply to them because they aren’t a target for an attack and I also think there is a perception it is expensive and beyond their budget. A lot of small businesses are wholly focussed on the bottom line. "I think it's important that they are taken on a journey and they are shown that it does not need to be expensive. Having security controls in place actually benefits the business. Take CE for example. By implementing 5 controls you can gives confidence to your customers and the business also receives cyber insurance as part of the certification."

"It does move at quite a pace but being involved with organisations such as NCSC and EMCRC helps all parties stay informed. Because there is a lot if information out there, I truly believe it is important to use information from these credible sources."

"I think the main benefit is the EMCRC is a trusted place for business to go to. Their services are delivered in a non-commercial manner and act as a vehicle to help organisations implement the basics and understand why they need to protect their business and assets. "The cyber health assessment is a great idea so that businesses have a benchmark of their current state - this helps them look at what they may want to do to create a more resilient future state. The relationships the EMCRC have with the wider community such as academia and businesses provide an extension of trusted services if organisations would like to further develop their cyber security plan."