Frequently Asked Questions
Everything you need to know about how BrightShield helps your business stay secure.
Getting Started
If you’re not sure where to start, that’s completely normal. Most small businesses feel the same way.
The best first step is a Security Audit. It gives you a clear, practical view of your current risks and shows you what matters most without asking you to commit to anything beyond that. From there, you can decide what to fix yourself and where you’d like help.
Most customers start by booking a Security Audit. We review your key systems, devices, and accounts, then walk you through the findings and recommended next steps.
If you’re unsure whether an audit is the right place to begin, you can also book a short call with our team. We’ll talk through your situation and help you choose the right next step with confidence.
Yes. BrightShield is designed for small businesses of all sizes, including solo operators and teams of just a few people.
Smaller teams often have the same risks as larger businesses but less time and fewer resources to deal with them. BrightShield helps you focus on what matters most without adding unnecessary complexity.
BrightShield is a guided service, supported by smart tools where they make sense.
Rather than handing you software and expecting you to figure it out, we combine automated checks with expert review, clear explanations, and practical guidance. You always know what’s happening and why, and you’re never left to interpret security data on your own.
Getting started is simple and fast. Once you book a Security Audit, we’ll send a short questionnaire and schedule a brief call to clarify a few details.
In most cases, audits are completed within a few days, and you’ll receive your results and walkthrough shortly after.
No. BrightShield works alongside your existing IT provider or MSP.
We focus on security visibility, guidance, and ongoing awareness, helping identify risks, prioritise fixes, and improve security habits. If you have an IT partner, we’re happy to collaborate or provide clear recommendations they can help implement.
Features & Benefits
BrightShield combines clear security insights, practical guidance, and ongoing protection to help small businesses stay secure without complexity.
Depending on the services you use, this can include:
- security audits to understand your risks
- guidance and support to fix key issues
- ongoing monitoring for important changes and new threats
- essential policies and everyday security practices
Rather than selling tools, BrightShield focuses on helping you understand what matters most and take the right actions at the right time.
Most security tools give you data and expect you to interpret it yourself.
BrightShield takes a different approach. We combine automated checks with expert review and clear explanations, so you understand:
- what the issue is
- why it matters
- what to do next
Instead of another dashboard to manage, BrightShield acts as a guide, helping you make confident decisions without needing security expertise.
No. BrightShield doesn’t replace antivirus, firewalls, or other security tools you already use.
Instead, we check that essential protections like antivirus, encryption, and firewalls are in place and configured sensibly. BrightShield helps make sure these basics don’t drift into an unsafe state and highlights when something needs attention.
Yes, and having an IT provider is not required.
Many BrightShield customers don’t have an IT provider at all. We’re designed to support small businesses directly by providing clear security insights, practical recommendations, and guidance on what to do next, without assuming you have in-house IT expertise.
If you do have an IT provider, BrightShield works alongside them. We help identify risks, prioritise fixes, and explain what matters most, making it easier for your IT partner to implement changes if needed.
Either way, BrightShield adapts to your setup, whether you manage IT yourself or work with a provider.
BrightShield helps you understand and improve your security and privacy posture in a practical way. We support businesses operating under regulations such as:
- GDPR (EU & UK)
- Australian Privacy Act
- New Zealand Privacy Act
- CCPA and CPRA (California)
BrightShield doesn’t replace legal advice, but it helps you put sensible security measures, policies, and processes in place that support privacy and compliance requirements. Support for additional regulations continues to expand. You can view the full list of current and upcoming privacy regulations BrightShield supports.
Yes. BrightShield works with both Microsoft 365 and Google Workspace.
We review and monitor key security settings, user access, and email configuration to help reduce the risk of unauthorised access, impersonation, and misconfiguration.
Most businesses use one platform, and BrightShield is designed to support it fully. If you use both, we can usually accommodate this; just get in touch so we can confirm the right setup.
Yes. BrightShield supports security checks for devices running Microsoft Windows and Apple macOS.
We help you keep devices protected by checking for essential safeguards, basic security settings, and issues that could increase risk if left unattended.
No. BrightShield is designed to be lightweight and non-disruptive.
Our checks and monitoring focus on configuration, posture, and signals, not intrusive scanning or heavy software that impacts performance. For your team, day-to-day work continues as normal, with alerts and guidance only when something needs attention.
Yes. BrightShield is designed to grow with your business.
As your team expands, systems change, or new tools are added, BrightShield can adapt the scope of monitoring and guidance. Larger or more complex environments may require additional setup or tailored pricing, but the core approach remains the same.
Security & Privacy
BrightShield treats your data with the same care and security standards we help our customers achieve.
We use secure, reputable cloud infrastructure and follow industry best practices to protect information at every stage. This includes strong access controls, encryption where appropriate, and strict limits on who can access customer data.
Security isn’t just something we deliver. It’s built into how BrightShield operates every day.
No. BrightShield does not read, store, or access the content of your emails or files.
We focus on reviewing and monitoring security and configuration settings, not your data itself. This allows us to help improve your security posture without touching the actual content of your communications or documents.
BrightShield only collects the information needed to assess and monitor your security posture.
This typically includes things like:
- security settings and configuration states
- account and access information
- device and system status signals
We avoid collecting personal or business content wherever possible, and we don’t collect data that isn’t needed to deliver the service.
Access to customer data is strictly limited to authorised BrightShield team members who need it to deliver or support the service.
We use role-based access controls and follow the principle of least privilege, meaning access is limited to only what’s necessary.
BrightShield does not sell or share your data for marketing or unrelated purposes.
Like most modern services, we rely on a small number of trusted service providers to operate our platform securely, such as cloud hosting and monitoring services. These providers are carefully selected, follow strong security and privacy standards, and are only given access to the minimum information needed to support the service.
We remain responsible for your data at all times and take care to ensure it’s handled securely and appropriately.
Customer data is stored securely using trusted cloud services designed to meet high security and availability standards.
We take care to ensure data is handled responsibly and in line with applicable privacy and data protection expectations for the regions we operate in.
Yes. If you stop using BrightShield, you can request that your data be removed in line with our data retention and deletion policies.
We aim to make this process clear and straightforward, without unnecessary friction.
Yes. BrightShield follows recognised security and privacy best practices and continuously improves how we protect customer data.
We also apply the same principles internally that we recommend to our customers: security and privacy are part of our everyday operations, not an afterthought.
Pricing & Support
BrightShield pricing is designed to be simple and predictable. We offer a mix of one-off services and ongoing subscriptions, depending on what you need.
Many businesses start with a one-off Security Audit, then choose to add implementation support, ongoing monitoring, or a bundled package that spreads the cost across a subscription.
One-off services:
- Security Audit
- Security Foundations
Ongoing subscription:
- Security Watch
This approach lets you start with clarity, put essential protections in place, and then add ongoing monitoring to keep your business protected as things change.
Yes. We offer a small number of optional bundles that combine the Security Audit, Security Foundations, and Security Watch into simple, end-to-end packages.
Bundles are designed to give you a clear path from understanding your risks, to putting essential protections in place, to staying protected over time, while spreading the cost across a predictable subscription.
This gives you a clear, end-to-end security path while making budgeting simpler.
If you’d like to explore the available bundle options and see which one fits your business, you can book a short call with us to talk it through.
There’s no long-term commitment for our one-off services, including the Security Audit and Security Foundations.
Our Security Watch subscription service is billed monthly by default. We also offer discounted pricing for annual or multi-year subscriptions.
We’re happy to talk through the options and help you choose what works best for your business.
Yes. Our subscriptions are designed to be flexible.
If you’re on a monthly plan, you can cancel or change your subscription at any time.
If you’re on an annual or multi-year plan, changes can still be made, and we’ll talk through the options with you so they’re handled fairly.
If your needs change at any point, we’ll work with you to adjust your plan so it continues to fit your business.
If your team grows, systems change, or your environment becomes more complex, we’ll review the scope together.
This may involve adjusting pricing or coverage, but we’ll always discuss it with you first. Our goal is to keep things fair, transparent, and aligned with the level of support your business needs.
BrightShield provides clear guidance and practical support, not a ticket-driven helpdesk.
We help you understand what’s going on, what matters most, and what to do next, whether that’s something you can handle yourself or something you may want help with.
You can contact us directly by email or book a call with our team.
We keep communication simple and responsive, and you’ll always be able to talk to someone who understands your business and your setup.
If we identify a serious or high-risk issue, we’ll clearly explain:
- what the issue is
- why it matters
- how urgent it is
- what your options are
We won’t panic you or overwhelm you. We’ll help you understand the situation and decide the best next step.
Yes. That’s a core part of BrightShield.
We’re clear about what you can realistically handle yourself and where extra help might be worthwhile. You’re always in control of the decision. We simply give you the clarity to choose confidently.
BrightShield isn’t a 24/7 emergency response service, but we do take urgent security issues seriously.
If something critical comes up, we’ll help you understand the situation quickly and guide you on the appropriate next steps, including when to involve specialist incident response support if needed.
Security Audit
Our audit gives you a complete review of your cybersecurity including your cloud accounts, email settings, devices, access controls, and past breach exposure. We look at how your systems are configured, where risks exist, and which issues matter most for your business.
You’ll receive a clear, prioritised action plan that shows what to address first, along with a guided walkthrough of your results.
We look at the key systems, accounts, and settings your business relies on every day. This includes:
- Your business website
We check whether it’s set up securely, using safe connections, and not exposing anything publicly that shouldn’t be.
- Your email security and delivery settings
We make sure your email is properly protected against impersonation and spoofing, and that messages are set up to reach inboxes reliably.
- Your domain name and DNS settings
We check how your domain name is registered, whether it’s protected, and whether the technical records behind it are set up safely.
- Your main cloud platforms
This includes tools like Microsoft 365 or Google Workspace. We review user accounts, admin access, sharing settings, login security, and anything that could allow unauthorised access.
- Your cloud-based business apps that store important data
We focus on tools that hold sensitive or business-critical information, such as accounting systems like Xero, file storage tools like Dropbox or Google Drive, and other platforms where important data lives. We review who has access, how securely it’s shared, and whether login protection is strong.
- Your laptops, desktops, and other devices
We look at whether they’re protected with encryption, up-to-date software, basic security settings, and other essentials that keep attackers out.
- Exposure from past data breaches
We check if any of your email addresses or accounts appear in known data leaks, which may put your business at risk.
- Public file-sharing risks
We look for documents or folders that may be accidentally shared with “anyone with the link” or publicly accessible online.
- Connected apps and integrations
We review apps connected to your main platforms to see if any have more access than they need or are no longer in use.
- Inactive or leftover accounts
We check for accounts belonging to former staff, contractors, or old tools that may still have access to your systems without you realising.
If you use additional tools or industry-specific systems, we can include those in your review as well.
The audit tells you what needs to be fixed, why it matters, and what the outcome should be, but it doesn’t include detailed implementation steps.
Many small businesses prefer to make the improvements themselves, while others choose to use our optional Security Foundations service, where we work with you to implement the recommended changes. Either way, you’ll know exactly what needs to be done.
You can absolutely handle the fixes yourself. The audit is designed to make your priorities clear and achievable, even without a security background.
If you’d like support, our Security Foundations service provides hands-on help to implement the recommendations and set up stronger security foundations.
You can schedule your audit for a time that suits you. Once it begins, most audits are completed within a few business days. After the review is finished, we’ll book your guided walkthrough so you can go through the results and next steps with full clarity.
No. The audit is designed to be completely non-disruptive. We don’t make changes to your systems, and we don’t need to run anything that affects your day-to-day operations.
For parts of the audit that require visibility into your settings, we review them together during a short screen-sharing session. You stay in full control of what’s shown, and nothing is changed on your side.
Everything else is handled separately by our team in the background, so your work can continue uninterrupted.
We’ve designed the process to be quick, simple, and easy for small teams. Here’s how it works:
- A short, 5-minute questionnaire
We start with a few quick questions about your systems, how your team works, and what is most important to your business. This helps us tailor the audit to you from the start.
- A 15-minute clarification call
We confirm your answers, discuss any areas you want us to prioritise, and outline what we’ll review. No technical preparation is needed.
- Configuration review via secure screen-share
Instead of asking for admin access or new accounts, we guide you through a short screen-share session so we can review key settings together. You stay fully in control of what’s shown, and it avoids any disruption to your systems.
- We complete the rest of the security review
Once we’ve gathered what we need, our team checks your cloud accounts, email setup, devices, website, domain settings, and business apps. Most audits are completed within a few business days, and this part is completely hands-off for you.
- You receive your prioritised findings
Your results are presented in a clear, easy-to-understand report that highlights your biggest risks, what matters most, and what to tackle first.
- A guided walkthrough of your results
We take you through the findings step by step, explain why each issue matters, and answer any questions so you can move forward with confidence.
- Optional help with implementation
You can make the improvements yourself, or choose our Security Foundations service if you’d like hands-on support putting the recommendations in place.
Yes. The audit is designed for small businesses of any size, including sole traders and teams without technical expertise.
You’ll get clear guidance that makes sense for your scale, your tools, and your day-to-day work.
Every business is different, so your audit focuses on the systems you use, how your team works, and the risks most relevant to your environment.
There are no generic checklists. Your recommendations reflect your context, your setup, and your security goals.
Once the audit is complete, you’ll receive a clear, prioritised report that shows your biggest risks and what to focus on first. We then take you through a guided review, where we walk through the findings together, explain why each issue matters, and answer any questions you have.
After that, you can:
- Make the improvements yourself, using the priorities outlined in your report, or
- Choose our optional Security Foundations service if you’d like hands-on support with implementing the recommendations.
Either way, you’ll finish with a clear understanding of your security position and a practical plan to strengthen it.
In most cases, you won’t need to create new accounts or grant full administrator access. For many parts of the audit, we can review your configuration together during a short screen-sharing session, where you stay in full control and we guide you through what to open.
For areas where we don’t need sensitive information, you can provide temporary or limited access if you prefer, but this is entirely optional.
Our goal is to keep the process simple, secure, and convenient. You choose the approach that works best for you, and we make sure everything is reviewed without disrupting your day-to-day work.
Security Foundations
Security Foundations focuses on fixing the issues identified in your Security Audit and putting the essential protections in place. This includes improving the setup of your website, email, domain, and cloud platforms; securing accounts, devices, and business apps; and building the policies and day-to-day practices your business needs to stay safe.
The Security Audit shows you where your risks are and what to focus on. Security Foundations is where we help you fix those issues, improve your systems, and set up the core security measures every small business needs.
Think of it as the step that turns your audit findings into real, lasting protection.
Yes. The audit gives us a clear picture of your current security posture and ensures that the work we do in Security Foundations is tailored to your systems, your risks, and how your business operates.
We work with you to improve the key settings, access controls, configurations, and practices highlighted in your audit. You stay in control throughout the process, and we guide you through what needs to change and why, without technical complexity or disruption.
Security Foundations focuses on strengthening the systems your business uses every day. Based on your audit results, we help you fix unsafe settings, reduce unnecessary access, and put safer defaults in place across your core tools. This typically includes:
Your business website
We address issues like missing security certificates, unsafe configuration settings, and accidental exposure of information. Our goal is to ensure your website is using secure connections and isn’t leaking anything publicly that shouldn’t be visible.
Email security and delivery settings
We help you correct the settings that protect your email from impersonation and spoofing. This includes improving the way your messages are verified, fixing deliverability problems, and ensuring attackers can’t easily pretend to be you.
Domain and DNS configuration
We review the key records behind your domain name to make sure they’re safe, current, and set up properly. We also help you secure your domain registration details so no one can hijack, redirect, or tamper with it.
Your main cloud platforms
For tools like Microsoft 365 or Google Workspace, we help you:
- tighten sharing settings
- remove risky or unnecessary access
- improve admin privileges
- strengthen login protection
- correct unsafe or outdated configurations
These improvements significantly reduce the chance of someone gaining unauthorised access.
Cloud-based business apps that store important data
If you use tools like Xero, Dropbox, Google Drive, or similar apps, we help ensure:
- access is limited to the right people
- sharing links aren’t open too widely
- login protection is strong
- old or unused connections are removed
This reduces the risk of accidental data exposure or unauthorised access.
Laptops, desktops, and mobile devices
We help ensure your devices use safer settings, are running up-to-date software, and have basic protections like encryption enabled. These improvements make your devices far harder to compromise.
Exposure from past data breaches
If any of your accounts or email addresses have been part of known leaks, we help you take the right steps to secure them and prevent attackers from using old credentials to break in.
Public file-sharing and visibility risks
We help you lock down shared folders and files that may have been set to “anyone with the link” or otherwise exposed. This is one of the most common, and preventable, risks we see.
Connected apps and integrations
We review the apps connected to your core platforms and remove outdated, unused, or overly permissive integrations. This reduces hidden pathways attackers could use to gain access.
Inactive or leftover accounts
We help you identify and remove accounts belonging to former staff, contractors, or old tools that still have access to your systems — a frequent source of security risk in small businesses.
Overall, the improvements you receive depend on your audit results and the systems you use, but the goal is always the same: a safer, cleaner, more secure setup that reduces your real-world risk.
Very little. Most of the work is done by our team behind the scenes. When we need to review or update settings together, we use brief, guided screen-sharing sessions so you remain fully in control without needing technical knowledge.
Most improvements are completed through short, guided screen-sharing sessions where you control what is shown and nothing is changed without your approval. For some tasks, you may choose to provide limited, temporary access, but this is completely optional.
Yes. We guide you through improving login security, reducing unnecessary permissions, removing old accounts, and enabling multi-factor authentication for the accounts that matter most.
We help you create or refine practical, ready-to-use policies such as:
- Acceptable Use
- Password & Authentication
- Remote Work
- Device Security
- Basic Data Protection Practices
Every policy can be tailored to your business and is written in approachable, plain language.
Yes. We help you establish simple, secure processes for:
- onboarding new staff
- removing access when people leave
- reviewing vendors and supply chain risks
- verifying payment or banking changes to prevent fraud
These everyday practices significantly reduce your exposure to common attacks.
Yes. We help you set up straightforward verification steps for payment changes, invoice alterations, and new supplier requests. These simple measures will stop the majority of financial fraud attempts targeting small businesses.
For ongoing protection, our Security Watch service can keep you informed about new scam tactics and alert you when something changes, helping those safeguards stay effective over time.
We help you put the foundational pieces in place: key contacts, basic response workflows, essential recovery steps, and guidance on what to do if something goes wrong. This gives your business a more resilient starting point without needing a full enterprise plan.
Most businesses complete the foundational work within a few weeks, depending on the number of systems involved and how quickly screen-sharing sessions can be scheduled. We work at your pace and keep the process as smooth and efficient as possible.
You’ll have direct support from our team throughout. We guide you through each improvement, answer questions along the way, and make sure every change is clear, safe, and aligned with your business.
Once your core systems, accounts, and processes are in good shape, you can choose to subscribe to our cost-effective Security Watch service, where we alert you to new risks, emerging threats, and important changes that need attention.
Or you can simply maintain the improvements yourself with confidence.
Security Watch
Security Watch provides ongoing monitoring of your key systems, devices, and accounts, along with alerts when something needs attention. You’ll also receive updates on new scams and vulnerabilities that could affect your business, with practical guidance to help your team respond and stay protected as things change.
- Security Audit shows you where your risks are.
- Security Foundations helps you fix those risks and put essential protections in place.
- Security Watch then keeps an eye on things over time so new issues are caught early, before they become problems.
Security Watch is an ongoing subscription. It continuously monitors your systems, devices, and accounts, alerting you to new risks as they appear and keeping you informed about emerging threats.
This differs from the Security Audit and Security Foundations, which are one-off services that identify and fix your current risks.
Completing the Security Audit first is important. It gives us a clear understanding of your systems, your setup, and your current level of risk. Security Watch is designed to monitor an environment that has already been assessed, so we know exactly what to track and what matters for your business.
You don’t have to purchase Security Foundations, but Security Watch works best when your systems already meet a safe, stable baseline. The service assumes you’re starting from a secure foundation that can then be monitored over time.
There are two ways to get there:
- Use Security Foundations to help you put the essential protections in place, or
- Fix the issues yourself using the recommendations in your audit report.
Either approach is fine. The key is that major risks are addressed before monitoring begins, so Security Watch can focus on new changes and emerging threats, rather than repeatedly flagging the same underlying issues.
A simple way to think about it:
- Understand your risks → Security Audit
- Put the essential protections in place → Security Foundations (or fix them yourself using the audit guidance)
- Keep everything safe over time → Security Watch
This sequence ensures you get the most value from ongoing monitoring.
Security Watch focuses on the areas where small businesses face the most risk. This includes:
Cloud and email security
- Key settings in Microsoft 365 or Google Workspace
- Email authentication and deliverability health
- Configuration changes that reduce security
Devices and updates
- Outdated software or missing updates
- Security features being disabled or drifting out of a safe state
Accounts and access
- New accounts being added
- Permission changes
- Signs of account exposure
Website and domain health
- SSL certificate status
- Domain registration expiry
- Changes in important DNS records
Data exposure and breaches
- Alerts if your business accounts appear in known breaches
- Warnings about leaked or compromised credentials
Configuration risks
- Important security settings being disabled or changed
- Files or folders being shared more widely than intended
Emerging threats
- New scams and phishing tactics
- Critical vulnerabilities relevant to your systems
- Clear “what to do next” guidance
Together, these checks help you spot issues early and stay ahead of new threats without needing to monitor anything yourself.
Checks run regularly throughout the week, giving you consistent visibility across your environment. If something important changes or a new threat appears, you’ll be notified promptly.
You’ll receive clear, easy-to-understand alerts by email (and via your dashboard if applicable). Each alert explains what happened, why it matters, and what to do next.
We notify you quickly with a clear explanation of the issue, the potential impact, and practical steps you can take to fix it. If you need more help, our team is available to guide you.
Security Watch highlights risks and provides clear guidance, but it doesn’t include hands-on remediation. If you’d like help fixing an issue, our Security Foundations service, or a one-off support session, can assist with implementation.
We focus on threats that are relevant to your business, including new phishing scams, payment-fraud tactics, impersonation attempts, and vulnerabilities in the software and services you use.
No. Our aim is to cut through the noise, not overwhelm you with constant alerts. We only notify you about vulnerabilities that affect the tools, devices, or apps your business actually uses. That means you get clear, relevant updates without needing to sift through technical news or worry about issues that don’t apply to you.
If you ever hear about a vulnerability in the news and you're unsure whether it impacts your business, you can always reach out to our team. We’ll clarify the risk and let you know if any action is needed.
Monitoring typically requires limited, read-only access to certain security-related settings in your cloud platforms. You stay in control the whole time, and nothing is changed without your approval.
No. Monitoring is lightweight and passive. It doesn’t affect performance, change your data, or interrupt your team’s day-to-day work.
We notify you as soon as we detect an important change or risk. Alerts are designed to be timely, clear, and actionable.
Some issues can wait, but others, such as account exposure or critical vulnerabilities, should be addressed quickly. We make the urgency clear so you know which alerts to prioritise.
We focus on clarity, not alarm, so you can act confidently without second-guessing.
Absolutely. Security Watch is designed for small businesses without dedicated IT staff. It keeps you protected without adding extra work.
Security Watch keeps you informed about new phishing tactics, payment scams, and impersonation attempts targeting small businesses. When something relevant emerges, you’re alerted early and given clear, practical guidance on what to look out for and how to respond.
By combining timely alerts with plain-language explanations, Security Watch helps your people spot suspicious activity sooner and reduces the chance that scams turn into real-world losses.