Frequently Asked Questions
Everything you need to know about how BrightShield helps your business stay secure.
Getting Started
BrightShield is built for small and growing businesses that don’t have a dedicated security team and don’t want to become cybersecurity experts just to stay safe.
We’re a good fit if you:
- know security matters but aren’t sure where to start
- want clear, practical guidance instead of technical jargon
- need protection that fits a small team and a realistic budget
If security feels hard to navigate or easy to put off, BrightShield is designed to make it clear, manageable, and achievable.
If you’re not sure where to start, that’s completely normal. Most small businesses feel the same way.
The best first step is a Security Audit. It gives you a clear, practical view of your current risks and shows you what matters most without asking you to commit to anything beyond that. From there, you can decide what to fix yourself and where you’d like help.
Most customers start by booking a Security Audit. We review your key systems, devices, and accounts, then walk you through the findings and recommended next steps.
If you’re unsure whether an audit is the right place to begin, you can also book a short call with our team. We’ll talk through your situation and help you choose the right next step with confidence.
Yes. BrightShield is designed for small businesses of all sizes, including solo operators and teams of just a few people.
Smaller teams often have the same risks as larger businesses but less time and fewer resources to deal with them. BrightShield helps you focus on what matters most without adding unnecessary complexity.
BrightShield is a guided service, supported by smart tools where they make sense.
Rather than handing you software and expecting you to figure it out, we combine automated checks with expert review, clear explanations, and practical guidance. You always know what’s happening and why, and you’re never left to interpret security data on your own.
Getting started is simple and fast. Once you book a Security Audit, we’ll send a short questionnaire and schedule a brief call to clarify a few details.
In most cases, audits are completed within a few days, and you’ll receive your results and walkthrough shortly after.
No. BrightShield complements your existing IT provider rather than replacing them.
We focus on security visibility, clear guidance, and ongoing awareness. If you already have an IT partner, we’re happy to collaborate with them or provide clear, prioritised recommendations they can help implement.
No. Many BrightShield customers don’t have an IT provider at all.
We’re designed to work directly with small businesses. We help you understand your risks, prioritise what matters, and guide you through practical improvements in plain language. If you handle IT yourself, we’ll meet you where you are.
Features & Benefits
BrightShield combines clear security insights, practical guidance, and ongoing protection to help small businesses stay secure without complexity.
Depending on the services you use, this can include:
- security audits to understand your risks
- guidance and support to fix key issues
- ongoing monitoring for important changes and new threats
- essential policies and everyday security practices
Rather than selling tools, BrightShield focuses on helping you understand what matters most and take the right actions at the right time.
Most security tools give you data and expect you to interpret it yourself.
BrightShield takes a different approach. We combine automated checks with expert review and clear explanations, so you understand:
- what the issue is
- why it matters
- what to do next
Instead of another dashboard to manage, BrightShield acts as a guide, helping you make confident decisions without needing security expertise.
No. BrightShield doesn’t replace antivirus, firewalls, or other security tools you already use.
Instead, we check that essential protections like antivirus, encryption, and firewalls are in place and configured sensibly. BrightShield helps make sure these basics don’t drift into an unsafe state and highlights when something needs attention.
Yes, and having an IT provider is not required.
Many BrightShield customers don’t have an IT provider at all. We’re designed to support small businesses directly by providing clear security insights, practical recommendations, and guidance on what to do next, without assuming you have in-house IT expertise.
If you do have an IT provider, BrightShield works alongside them. We help identify risks, prioritise fixes, and explain what matters most, making it easier for your IT partner to implement changes if needed.
Either way, BrightShield adapts to your setup, whether you manage IT yourself or work with a provider.
BrightShield helps you understand and improve your security and privacy posture in a practical way. We support businesses operating under regulations such as:
- GDPR (EU & UK)
- Australian Privacy Act
- New Zealand Privacy Act
- CCPA and CPRA (California)
BrightShield doesn’t replace legal advice, but it helps you put sensible security measures, policies, and processes in place that support privacy and compliance requirements. Support for additional regulations continues to expand. You can view the full list of current and upcoming privacy regulations BrightShield supports.
Yes. BrightShield works with both Microsoft 365 and Google Workspace.
We review and monitor key security settings, user access, and email configuration to help reduce the risk of unauthorised access, impersonation, and misconfiguration.
Most businesses use one platform, and BrightShield is designed to support it fully. If you use both, we can usually accommodate this; just get in touch so we can confirm the right setup.
Yes. BrightShield supports security checks for devices running Microsoft Windows and Apple macOS.
We help you keep devices protected by checking for essential safeguards, basic security settings, and issues that could increase risk if left unattended.
No. BrightShield is designed to be lightweight and non-disruptive.
Our checks and monitoring focus on configuration, posture, and signals, not intrusive scanning or heavy software that impacts performance. For your team, day-to-day work continues as normal, with alerts and guidance only when something needs attention.
Yes. BrightShield is designed to grow with your business.
As your team expands, systems change, or new tools are added, BrightShield can adapt the scope of monitoring and guidance. Larger or more complex environments may require additional setup or tailored pricing, but the core approach remains the same.
Security & Privacy
BrightShield treats your data with the same care and security standards we help our customers achieve.
We use secure, reputable cloud infrastructure and follow industry best practices to protect information at every stage. This includes strong access controls, encryption where appropriate, and strict limits on who can access customer data.
Security isn’t just something we deliver. It’s built into how BrightShield operates every day.
No. BrightShield does not read, store, or access the content of your emails or files.
We focus on reviewing and monitoring security and configuration settings, not your data itself. This allows us to help improve your security posture without touching the actual content of your communications or documents.
BrightShield only collects the information needed to assess and monitor your security posture.
This typically includes things like:
- security settings and configuration states
- account and access information
- device and system status signals
We avoid collecting personal or business content wherever possible, and we don’t collect data that isn’t needed to deliver the service.
Access to customer data is strictly limited to authorised BrightShield team members who need it to deliver or support the service.
We use role-based access controls and follow the principle of least privilege, meaning access is limited to only what’s necessary.
BrightShield does not sell or share your data for marketing or unrelated purposes.
Like most modern services, we rely on a small number of trusted service providers to operate our platform securely, such as cloud hosting and monitoring services. These providers are carefully selected, follow strong security and privacy standards, and are only given access to the minimum information needed to support the service.
We remain responsible for your data at all times and take care to ensure it’s handled securely and appropriately.
Customer data is stored securely using trusted cloud services designed to meet high security and availability standards.
We take care to ensure data is handled responsibly and in line with applicable privacy and data protection expectations for the regions we operate in.
Yes. If you stop using BrightShield, you can request that your data be removed in line with our data retention and deletion policies.
We aim to make this process clear and straightforward, without unnecessary friction.
Yes. BrightShield follows recognised security and privacy best practices and continuously improves how we protect customer data.
We also apply the same principles internally that we recommend to our customers: security and privacy are part of our everyday operations, not an afterthought.
Pricing & Support
BrightShield pricing is designed to be simple and predictable. We offer a mix of one-off services and ongoing subscriptions, depending on what you need.
Many businesses start with a one-off Security Audit, then choose to add implementation support, ongoing monitoring, or a bundled package that spreads the cost across a subscription.
One-off services:
- Security Audit
- Security Foundations
Ongoing subscription:
- Security Watch
This approach lets you start with clarity, put essential protections in place, and then add ongoing monitoring to keep your business protected as things change.
Yes. We offer a small number of optional bundles that combine the Security Audit, Security Foundations, and Security Watch into simple, end-to-end packages.
Bundles are designed to give you a clear path from understanding your risks, to putting essential protections in place, to staying protected over time, while spreading the cost across a predictable subscription.
This gives you a clear, end-to-end security path while making budgeting simpler.
If you’d like to explore the available bundle options and see which one fits your business, you can book a short call with us to talk it through.
There’s no long-term commitment for our one-off services, including the Security Audit and Security Foundations.
Our Security Watch subscription service is billed monthly by default. We also offer discounted pricing for annual or multi-year subscriptions.
We’re happy to talk through the options and help you choose what works best for your business.
Yes. Our subscriptions are designed to be flexible.
If you’re on a monthly plan, you can cancel or change your subscription at any time.
If you’re on an annual or multi-year plan, changes can still be made, and we’ll talk through the options with you so they’re handled fairly.
If your needs change at any point, we’ll work with you to adjust your plan so it continues to fit your business.
Yes. We offer special pricing for registered non-profit organisations.
We know non-profits vary widely in size and funding, so we handle this on a case-by-case basis to ensure pricing is fair and sustainable. Contact us and we’ll be happy to talk it through.
BrightShield provides clear guidance and practical support, not a ticket-driven helpdesk.
We help you understand what’s going on, what matters most, and what to do next, whether that’s something you can handle yourself or something you may want help with.
You can contact us directly by email or book a call with our team.
We keep communication simple and responsive, and you’ll always be able to talk to someone who understands your business and your setup.
If we identify a serious or high-risk issue, we’ll clearly explain:
- what the issue is
- why it matters
- how urgent it is
- what your options are
We won’t panic you or overwhelm you. We’ll help you understand the situation and decide the best next step.
Yes. That’s a core part of BrightShield.
We’re clear about what you can realistically handle yourself and where extra help might be worthwhile. You’re always in control of the decision. We simply give you the clarity to choose confidently.
BrightShield isn’t a 24/7 emergency response service, but we do take urgent security issues seriously.
If something critical comes up, we’ll help you understand the situation quickly and guide you on the appropriate next steps, including when to involve specialist incident response support if needed.
Security Audit
Our audit gives you a complete review of your cybersecurity, including your cloud accounts, email settings, devices, access controls, and past breach exposure. We look at how your systems are configured, where risks exist, and which issues matter most for your business.
You’ll receive a clear, prioritised action plan that shows what to address first, along with a guided walkthrough of your results.
We look at the key systems, accounts, and settings your business relies on every day. This includes:
- Your business website
We check whether it’s set up securely, using safe connections, and not exposing anything publicly that shouldn’t be.
- Your email security and delivery settings
We make sure your email is properly protected against impersonation and spoofing, and that messages are set up to reach inboxes reliably.
- Your domain name and DNS settings
We check how your domain name is registered, whether it’s protected, and whether the technical records behind it are set up safely.
- Your main cloud platforms
This includes tools like Microsoft 365 or Google Workspace. We review user accounts, admin access, sharing settings, login security, and anything that could allow unauthorised access.
- Your cloud-based business apps that store important data
We focus on tools that hold sensitive or business-critical information, such as accounting systems like Xero, file storage tools like Dropbox or Google Drive, and other platforms where important data lives. We review who has access, how securely it’s shared, and whether login protection is strong.
- Your laptops, desktops, and other devices
We look at whether they’re protected with encryption, up-to-date software, basic security settings, and other essentials that keep attackers out.
- Exposure from past data breaches
We check if any of your email addresses or accounts appear in known data leaks, which may put your business at risk.
- Public file-sharing risks
We look for documents or folders that may be accidentally shared with “anyone with the link” or publicly accessible online.
- Connected apps and integrations
We review apps connected to your main platforms to see if any have more access than they need or are no longer in use.
- Inactive or leftover accounts
We check for accounts belonging to former staff, contractors, or old tools that may still have access to your systems without you realising.
If you use additional tools or industry-specific systems, we can include those in your review as well.
The audit tells you what needs to be fixed and why it matters, and gives guidance on what the outcome should be, but it doesn’t include detailed implementation steps.
Many small businesses prefer to make the improvements themselves, while others choose to use our optional Security Foundations service, where we work with you to implement the recommended changes. Either way, you’ll know exactly what needs to be done.
You can absolutely handle the fixes yourself. The audit is designed to make your priorities clear and achievable, even without a security background.
If you’d like support, our Security Foundations service provides hands-on help to implement the recommendations and set up stronger security foundations.
You can schedule your audit for a time that suits you. Once it begins, most audits are completed within a few business days. After the review is finished, we’ll book your guided walkthrough so you can go through the results and next steps with full clarity.
No. The audit is designed to be completely non-disruptive. We don’t make changes to your systems, and we don’t need to run anything that affects your day-to-day operations.
For parts of the audit that require visibility into your settings, we review them together during a short screen-sharing session. You stay in full control of what’s shown, and nothing is changed on your side.
Everything else is handled separately by our team in the background, so your work can continue uninterrupted.
We’ve designed the process to be quick, simple, and easy for small teams. Here’s how it works:
- Complete a short questionnaire (about 10 minutes)
We start with a few quick questions about your systems, how your team works, and what is most important to your business. This helps us tailor the audit to your business from the start.
- A quick clarification and scheduling call (15 minutes)
We’ll schedule a short call to confirm your answers, discuss any areas you’d like us to prioritise, and agree on timing for the audit. No technical preparation is needed.
- Configuration review via secure screen-share
Instead of asking for admin access or new accounts, we guide you through a short screen-share session so we can review key settings together. You stay fully in control of what’s shown, and it avoids any disruption to your systems.
- We complete the rest of the security review
Once we’ve gathered what we need, our team checks your cloud accounts, email setup, devices, website, domain settings, and business apps. Most audits are completed within a few business days, and this part is completely hands-off for you.
- You receive your prioritised findings
Your results are presented in a clear, easy-to-understand report that highlights your biggest risks, what matters most, and what to tackle first.
- A guided walkthrough of your results
We take you through the findings step by step, explain why each issue matters, and answer any questions so you can move forward with confidence.
- Optional help with implementation
You can make the improvements yourself, or choose our Security Foundations service if you’d like hands-on support putting the recommendations in place.
Yes. The audit is designed for small businesses of any size, including sole traders and teams without technical expertise.
You’ll get clear guidance that makes sense for your scale, your tools, and your day-to-day work.
Every business is different, so your audit focuses on the systems you use, how your team works, and the risks most relevant to your environment.
There are no generic checklists. Your recommendations reflect your context, your setup, and your security goals.
Once the audit is complete, you’ll receive a clear, prioritised report that shows your biggest risks and what to focus on first. We then take you through a guided review, where we walk through the findings together, explain why each issue matters, and answer any questions you have.
After that, you can:
- Make the improvements yourself, using the priorities outlined in your report, or
- Choose our optional Security Foundations service if you’d like hands-on support with implementing the recommendations.
Either way, you’ll finish with a clear understanding of your security position and a practical plan to strengthen it.
In most cases, you won’t need to create new accounts or grant full administrator access. For many parts of the audit, we can review your configuration together during a short screen-sharing session, where you stay in full control and we guide you through what to open.
For areas where we don’t need sensitive information, you can provide temporary or limited access if you prefer, but this is entirely optional.
Our goal is to keep the process simple, secure, and convenient. You choose the approach that works best for you, and we make sure everything is reviewed without disrupting your day-to-day work.
Security Foundations
Security Foundations is a hands-on service focused on fixing the most important security gaps and putting essential protections in place across your business.
This typically includes securing your website, email, domains, cloud platforms, accounts, devices, and business applications, as well as establishing practical policies and everyday practices that reduce real-world risk.
The exact work depends on your systems and starting point, but the goal is always the same: a stronger, cleaner, more defensible security baseline.
The Security Audit helps you understand where your risks are and what matters most.
Security Foundations is where we fix those issues. We implement the agreed changes, secure your systems, and put the right protections in place so the improvements are real and lasting.
Think of it as the step that turns insight into action.
No. You can start directly with Security Foundations.
If you’ve already completed a BrightShield Security Audit, we use that to guide the work. If not, we include the necessary review as part of the engagement so we can prioritise and fix the right things.
We implement the changes needed to address the issues identified, focusing on the settings, access, configurations, and practices that matter most.
Changes are carried out carefully and explained clearly, without unnecessary technical detail or disruption. Where needed, we work through updates together using guided screen-sharing so you remain fully in control.
Security Foundations focuses on strengthening the systems your business uses every day. Based on your systems and starting point, we fix unsafe settings, reduce unnecessary access, and put safer defaults in place across your core tools.
The specific improvements depend on your environment, but typically include work across the areas below.
Business websites
We secure your business website and address common configuration and exposure issues. This may include fixing missing or incorrect security certificates, tightening unsafe configuration settings, and reducing accidental exposure of information.
The goal is to ensure your website uses secure connections and isn’t publicly exposing anything that shouldn’t be visible.
Email security and delivery settings
We fix the settings that protect your email from impersonation and spoofing, and improve how your messages are verified and delivered. This includes correcting authentication and trust settings, addressing deliverability problems, and reducing the risk of attackers pretending to be you or your business.
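As an added example (this is not BrightShield’s own code or checks), here is a small Python checker for the kind of email authentication settings the paragraph above refers to. It assumes those settings are the domain’s SPF and DMARC DNS TXT records, which the page does not name, and it works on record strings that have already been looked up, so it runs offline. The two sample domains and their records are constructed for illustration.

```python
"""Flag common weaknesses in SPF and DMARC records.

Added example, not BrightShield's code. Assumes the records under review are a
domain's SPF and DMARC TXT records and that they have already been fetched; the
sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 allows 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    severity: str   # "high", "medium", "low" or "ok"
    message: str


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: Optional[str]) -> list:
    """Return findings for an SPF record (None means no record was published)."""
    if record is None:
        return [Finding("high", "No SPF record: any server can claim to send mail for this domain.")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "TXT record does not start with v=spf1; receivers will ignore it.")]
    findings = []
    # The qualifier (+ - ~ ?) in front of 'all' decides what happens to unlisted senders.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append(Finding("medium", "SPF has no 'all' mechanism; unlisted senders are not rejected."))
    elif all_term.startswith("+"):
        findings.append(Finding("high", "SPF ends with +all, which authorises every sender on the internet."))
    elif all_term.startswith("?"):
        findings.append(Finding("medium", "SPF ends with ?all (neutral); spoofed mail is neither passed nor failed."))
    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?").split("/")[0].split(":")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(Finding("high", f"SPF needs {lookups} DNS lookups; the limit is 10, so the record fails with permerror."))
    if not findings:
        findings.append(Finding("ok", "SPF record present with a restrictive 'all' mechanism."))
    return findings


def check_dmarc(record: Optional[str]) -> list:
    """Return findings for a DMARC record (None means no record was published)."""
    if record is None:
        return [Finding("high", "No DMARC record: receivers get no policy for mail that fails SPF/DKIM alignment.")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "DMARC record does not start with v=DMARC1.")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("medium", "DMARC p=none only monitors; spoofed mail is still delivered."))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("high", "DMARC has no valid p= tag; the record is invalid."))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("low", f"DMARC pct={pct}: the policy is applied to only that share of mail."))
    if "rua" not in tags:
        findings.append(Finding("low", "No rua= address, so no aggregate reports arrive to reveal spoofing attempts."))
    if not findings:
        findings.append(Finding("ok", f"DMARC enforces p={policy} on all mail with reporting enabled."))
    return findings


def assess(domain_records: dict) -> list:
    """Combine SPF and DMARC findings for one domain's record dict."""
    return check_spf(domain_records.get("spf")) + check_dmarc(domain_records.get("dmarc"))


# Constructed sample records for two hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    },
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        for finding in assess(records):
            print(f"{domain}: [{finding.severity}] {finding.message}")
```

In practice the two record strings would come from a TXT lookup of the domain and of `_dmarc.<domain>`; the checker deliberately reports "what the issue is" and "why it matters" in plain language, matching the way findings are explained elsewhere on this page.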
Domain and DNS configuration
We review and secure the key records behind your domain name to ensure they’re safe, current, and configured properly. We also help secure your domain registration details so it can’t be hijacked, redirected, or tampered with.
Core cloud platforms
For platforms such as Microsoft 365 or Google Workspace, we implement practical security improvements such as:
- tightening sharing settings
- removing risky or unnecessary access
- improving admin privileges
- strengthening login protection
- correcting unsafe or outdated configurations
These changes significantly reduce the likelihood of unauthorised access.
Cloud-based business apps that store important data
For cloud apps that store or process important data, we improve security by:
- limiting access to the right people
- reducing overly broad sharing links
- strengthening login protection
- removing old or unused connections
This helps prevent accidental data exposure and unauthorised access through connected tools.
Laptops, desktops, and mobile devices
We secure work devices by improving settings, ensuring software is up to date, and enabling baseline protections such as encryption where appropriate.
These improvements make devices far harder to compromise if they’re lost, stolen, or targeted.
Exposure from past data breaches
If any of your accounts or email addresses have appeared in known data breaches, we help you take the right steps to secure them and prevent attackers from reusing old credentials.
Public file-sharing and visibility risks
We identify and lock down shared folders and files that may have been exposed through overly permissive sharing settings, such as "anyone with the link".
This is one of the most common and easily preventable risks we see in small businesses.
Connected apps and integrations
We review apps and integrations connected to your core platforms and remove those that are outdated, unused, or overly permissive.
This reduces hidden access paths that attackers often exploit.
Inactive or leftover accounts
We help identify and remove accounts belonging to former staff, contractors, or old tools that still have access to your systems. This is a frequent and often overlooked source of risk.
Other improvements
In addition to system-level improvements, Security Foundations also includes practical policies, processes, and foundational incident readiness, which are covered in other sections of this FAQ.
Overall, the exact improvements depend on your systems and starting point, but the goal is always the same: a safer, cleaner, more secure setup that reduces real-world risk without adding unnecessary complexity.
Very little. Most of the work is handled by us. We’ll need some initial context and access, plus brief walkthroughs where required. We aim to minimise disruption and fit around your day-to-day operations.
Most improvements are completed through short, guided screen-sharing sessions where you remain in control and nothing is changed without your approval.
For some tasks, you may choose to provide limited, temporary access, but this is always optional and agreed in advance.
Yes. We help strengthen login security by reducing unnecessary permissions, removing old or unused accounts, and enabling multi-factor authentication for the accounts that matter most.
We help you create or refine practical, ready-to-use policies such as:
- Acceptable Use
- Password & Authentication
- Remote Work
- Device Security
- Basic data protection practices
Everything is written in clear, approachable language and tailored to how your business actually operates.
Yes. We help put simple, secure processes in place for:
- onboarding new staff
- removing access when people leave
- reviewing connected apps and vendors
- verifying payment or banking changes to reduce fraud risk
These everyday improvements significantly reduce exposure to common attacks.
Yes. We help establish straightforward verification steps for payment changes, invoice updates, and new supplier requests. These measures stop the majority of financial fraud attempts targeting small businesses.
For ongoing protection, our Security Watch service can keep you informed about new scam tactics and alert you when something changes, helping those safeguards stay effective over time.
We help put the foundational pieces in place, including key contacts, basic response steps, and essential recovery guidance.
This gives your business a more resilient starting point without requiring a full enterprise incident response plan.
For most businesses, the foundational work can be completed within a few weeks, depending on the number of systems involved and how quickly sessions can be scheduled.
We work at a practical pace and keep the process efficient and contained.
Once your core systems, accounts, and processes are in good shape, you’ll have a clear, defensible baseline you can rely on.
From there, you can either manage things yourself with confidence or subscribe to Security Watch for ongoing support as your business evolves.
Security Watch
Security Watch provides ongoing monitoring of your key systems, devices, and accounts, along with alerts when something needs attention. You’ll also receive updates on new scams and vulnerabilities that could affect your business, with practical guidance to help your team respond and stay protected as things change.
- Security Audit shows you where your risks are.
- Security Foundations helps you fix those risks and put essential protections in place.
- Security Watch then keeps an eye on things over time so new issues are caught early, before they become problems.
Security Watch is an ongoing subscription. It continuously monitors your systems, devices, and accounts, alerting you to new risks as they appear and keeping you informed about emerging threats.
This differs from the Security Audit and Security Foundations, which are one-off services that identify and fix your current risks.
Completing the Security Audit first is important. It gives us a clear understanding of your systems, your setup, and your current level of risk. Security Watch is designed to monitor an environment that has already been assessed, so we know exactly what to track and what matters for your business.
You don’t have to purchase Security Foundations, but Security Watch works best when your systems already meet a safe, stable baseline. The service assumes you’re starting from a secure foundation that can then be monitored over time.
There are two ways to get there:
- Use Security Foundations to help you put the essential protections in place, or
- Fix the issues yourself using the recommendations in your audit report.
Either approach is fine. The key is that major risks are addressed before monitoring begins, so Security Watch can focus on new changes and emerging threats, rather than repeatedly flagging the same underlying issues.
A simple way to think about it:
- Understand your risks → Security Audit
- Put the essential protections in place → Security Foundations (or fix them yourself using the audit guidance)
- Keep everything safe over time → Security Watch
This sequence ensures you get the most value from ongoing monitoring.
Security Watch focuses on the areas where small businesses face the most risk. This includes:
Cloud and email security
- Key settings in Microsoft 365 or Google Workspace
- Email authentication and deliverability health
- Configuration changes that reduce security
Devices and updates
- Outdated software or missing updates
- Security features being disabled or drifting out of a safe state
Accounts and access
- New accounts being added
- Permission changes
- Signs of account exposure
Website and domain health
- SSL certificate status
- Domain registration expiry
- Changes in important DNS records
Data exposure and breaches
- Alerts if your business accounts appear in known breaches
- Warnings about leaked or compromised credentials
Configuration risks
- Important security settings being disabled or changed
- Files or folders being shared more widely than intended
Emerging threats
- New scams and phishing tactics
- Critical vulnerabilities relevant to your systems
- Clear “what to do next” guidance
Together, these checks help you spot issues early and stay ahead of new threats without needing to monitor anything yourself.
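The monitoring described in this section is, at its core, drift detection: a known-good baseline is recorded once the foundations are in place, and later snapshots are compared against it. The following Python example (added here, not BrightShield’s code) shows that idea on constructed snapshots covering the account, DNS, sharing and device signals listed above. The field names, the two snapshots and the urgency rules are this example’s own assumptions about what such a check might collect.

```python
"""Detect security-posture drift between a baseline and a later snapshot.

Added example, not BrightShield's code. Both snapshots are constructed dicts
standing in for what a monitoring check would collect; the field names and the
urgency rules are assumptions made for this illustration.
"""
from dataclasses import dataclass

URGENCY_ORDER = {"act now": 0, "this week": 1, "review": 2}


@dataclass
class Alert:
    urgency: str
    path: str      # slash-separated location of the changed field
    message: str


# Constructed baseline, as recorded once the foundational work was finished.
BASELINE = {
    "accounts": {
        "alice@acme.example": {"mfa": True, "admin": True, "active": True},
        "bob@acme.example": {"mfa": True, "admin": False, "active": True},
    },
    "dns": {"MX": ["mail.acme.example"], "TXT": ["v=spf1 include:_spf.example.net -all"]},
    "shared_links": {},   # file name -> visibility
    "devices": {"laptop-01": {"encrypted": True, "patched": True}},
}

# Constructed later snapshot containing several kinds of drift.
CURRENT = {
    "accounts": {
        "alice@acme.example": {"mfa": False, "admin": True, "active": True},  # MFA switched off on an admin
        "bob@acme.example": {"mfa": True, "admin": False, "active": True},
        "temp@acme.example": {"mfa": False, "admin": True, "active": True},   # new admin account, no MFA
    },
    "dns": {"MX": ["mail.unknown-host.example"], "TXT": ["v=spf1 include:_spf.example.net -all"]},
    "shared_links": {"Q3-payroll.xlsx": "anyone_with_link"},                  # file shared too widely
    "devices": {"laptop-01": {"encrypted": False, "patched": True}},         # disk encryption disabled
}


def flatten(snapshot: dict, prefix: str = "") -> dict:
    """Turn nested dicts into {'accounts/alice@acme.example/mfa': True, ...}."""
    flat = {}
    for key, value in snapshot.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def urgency_for(path: str, old, new) -> str:
    """Map a changed field to an urgency; anything unrecognised is just 'review'."""
    if path.startswith("accounts/") and path.endswith("/mfa") and new is False:
        return "act now"           # an account lost MFA, or a new one appeared without it
    if path.startswith("accounts/") and path.endswith("/admin") and old is None and new is True:
        return "act now"           # a new administrator account
    if path.startswith("dns/"):
        return "act now"           # mail routing or authentication records changed
    if path.startswith("shared_links/") and new == "anyone_with_link":
        return "this week"
    if path.startswith("devices/") and path.endswith("/encrypted") and new is False:
        return "this week"
    return "review"


def detect_drift(baseline: dict, current: dict) -> list:
    """Return alerts for every field that differs, most urgent first."""
    before, after = flatten(baseline), flatten(current)
    alerts = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old == new:
            continue   # unchanged since the baseline: nothing to report
        alerts.append(Alert(urgency_for(path, old, new), path, f"{old!r} -> {new!r}"))
    return sorted(alerts, key=lambda a: URGENCY_ORDER[a.urgency])


if __name__ == "__main__":
    for alert in detect_drift(BASELINE, CURRENT):
        print(f"[{alert.urgency}] {alert.path}: {alert.message}")
```

Comparing against a baseline rather than against a fixed checklist is what keeps the alerts focused on new changes: a setting that was already reviewed and accepted produces nothing, while a change to a sensitive field is surfaced with an urgency the reader can act on.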
Checks run regularly throughout the week, giving you consistent visibility across your environment. If something important changes or a new threat appears, you’ll be notified promptly.
You’ll receive clear, easy-to-understand alerts by email (and via your dashboard if applicable). Each alert explains what happened, why it matters, and what to do next.
We notify you quickly with a clear explanation of the issue, the potential impact, and practical steps you can take to fix it. If you need more help, our team is available to guide you.
Security Watch highlights risks and provides clear guidance, but it doesn’t include hands-on remediation. If you’d like help fixing an issue, our Security Foundations service, or a one-off support session, can assist with implementation.
We focus on threats that are relevant to your business, including new phishing scams, payment-fraud tactics, impersonation attempts, and vulnerabilities in the software and services you use.
No. Our aim is to cut through the noise, not overwhelm you with constant alerts. We only notify you about vulnerabilities that affect the tools, devices, or apps your business actually uses. That means you get clear, relevant updates without needing to sift through technical news or worry about issues that don’t apply to you.
If you ever hear about a vulnerability in the news and you're unsure whether it impacts your business, you can always reach out to our team. We’ll clarify the risk and let you know if any action is needed.
Monitoring typically requires limited, read-only access to certain security-related settings in your cloud platforms. You stay in control the whole time, and nothing is changed without your approval.
No. Monitoring is lightweight and passive. It doesn’t affect performance, change your data, or interrupt your team’s day-to-day work.
We notify you as soon as we detect an important change or risk. Alerts are designed to be timely, clear, and actionable.
Some issues can wait, but others, such as account exposure or critical vulnerabilities, should be addressed quickly. We make the urgency clear so you know which alerts to prioritise.
We focus on clarity, not alarm, so you can act confidently without second-guessing.
Absolutely. Security Watch is designed for small businesses without dedicated IT staff. It keeps you protected without adding extra work.
Security Watch keeps you informed about new phishing tactics, payment scams, and impersonation attempts targeting small businesses. When something relevant emerges, you’re alerted early and given clear, practical guidance on what to look out for and how to respond.
By combining timely alerts with plain-language explanations, Security Watch helps your people spot suspicious activity sooner and reduces the chance that scams turn into real-world losses.