Cyber Resilience Consultancy
P3M Works was selected by The University of West England to join their bank of Digital Consultants to provide cyber guidance and support to a select number of SME organisations through their Workforce of the Future support programme.
The University of West England (UWE), which was recently voted 24th out of 121 UK institutions in the Guardian League Table 2023, regularly engages with industry to provide specialist services to its business and wider community. These organisations are primarily based in the South West of England and vary in their scale, industry and product.
UWE wanted to provide expert cyber guidance to SMEs they were supporting, to raise their cyber hygiene levels and promote cyber security across the region. P3M Works helped UWE shape an effective cyber resilience and education package that could be scaled across SME organisations remotely or in person and achieve the following objectives:
Achieve baseline understanding of the supported organisation’s cyber risk by conducting a cyber review.
Mitigate the threats and vulnerabilities identified in the cyber review.
Equip the supported organisation with tools and techniques to maintain their cyber health.
Provide bespoke cyber training.
How Did We Help?
P3M Works worked with UWE to create a bespoke cyber resilience and education package that would bring targeted organisations to a baseline cyber security standard, which was aligned with IASME Cyber Essentials.
P3M Works deployed cyber consultants to the supported SME organisations with the initial objective of conducting a review of their current cyber security posture. During and after this initial objective, P3M Works would spend time with each SME organisation’s cyber security lead to ensure that the objectives we had identified remained relevant. Some organisations required specialist tailoring, which is detailed in the examples below.
Example 1: School
P3M Works delivered cyber consultancy to a school that had recently suffered a cyber-attack. P3M Works tailored the consultancy objectives to better suit the school’s circumstances. This included:
Cyber-attack recovery planning and tabletop exercises based on real world scenarios
Reviewing and producing policy
Producing materials for a cyber culture campaign
Example 2: Defence SME
A defence SME organisation required enhanced technical review and remediation of their IT/OT systems after the cyber review revealed several vulnerabilities in the configuration of assets and accounts. We also:
Produced bespoke training on how to use their chosen office suite and security software.
Produced policies that align with industry to enable compliance with partner organisations when winning new work.
Delivered a mini Information Security Management System so that the SME could keep track of all relevant information security knowledge.
Example 3: Professional Services Firm
This professional services SME had limited cyber security protection measures in place; however, they were aware of this issue and had support from the firm’s leadership to enhance their cyber maturity. P3M Works spent time addressing processes and organisational culture to prepare the company for technical changes such as the implementation of MFA and VPNs.
Advised on tools such as VPNs, firewalls, MDM and MFA methods to cover technical cyber risks.
Developed processes, including developing a bespoke Joiners, Movers and Leavers process to decrease the likelihood of information leakage due to employee movement.
SME organisations were of different sizes, maturities and cultures with regard to cyber security. Designing a flexible approach with the ability to tailor content and deliver this to fixed timescales was tricky but achievable.
SME organisations possessed different attitudes to cyber security and required complex behavioural change.
SME organisations often saw IT and cyber security as interchangeable and possessed cultures of bypassing cyber protection mechanisms, as they were seen as unnecessary and time-consuming.
Treated each SME organisation individually and used the objectives to drive a bespoke experience that could be adopted and built on by each SME organisation, rather than a one-size-fits-all approach.
Removed jargon and produced bespoke training and materials that could be accessed by the respective SME organisation’s employee base.
Delivered both onsite and remote support to suit the SME organisation’s cultures and realise the cyber objectives in the most effective way.
SME organisations were able to achieve Cyber Essentials if they chose to.
SME organisations gained confidence with cyber security controls and functions, which resulted in a more positive cyber security culture, rather than a culture of concern.
SME organisations understood their key vulnerabilities and their path to further organisational cyber maturity.