It's a job that's now in Nuttall's job description and in person he seems unfazed by the scale of what he's taken on. The fundamental problem is that SMEs need to start by assessing the strength of their current security to stand up to today's attacks but that sort of consultancy is pricey. Official advice, meanwhile, tends to be fragmented and partial. Getting beyond the most obvious level of advice can be difficult without paying the sort of money SMEs don't necessarily have.
"We are trying to emphasise the very basic steps that people can take because that is where the gap seems to be," says Nuttall, who notes that SMEs in London with fewer than 20 employees make up as much as 45 percent of the capital's GDP.
"The amount of under-reporting [of cyberattacks] is shocking," suggests Nuttall. "Where we see losses are in social engineering attacks, some quite basic, particularly invoice fraud."
The model of services offered by the LDSC is based on that pioneered by the Stirling-based Scottish Business Resilience Centre (SBRC), which covers an overlapping set of assessments:
A digital footprint report that looks at the publicly available information on a company and its senior employees that could be used by cybercriminals to launch social engineering attacks.
A simple security assessment looking for common problems such as patching state, whether systems are using default passwords, network and web server vulnerabilities, obsolete equipment and weaknesses in Wi-Fi access.
Remediation advice that will support the SME with its chosen IT supplier to close gaps that were found in the security assessment. Advice on achieving ongoing security is built into this element.
Advice and templates on policy development for controlling how staff can securely use systems in terms of passwords and behaviour.
A plan to pass on threat data from sources such as the National Fraud Intelligence Bureau (NFIB) and CERT UK as SME-friendly alerts. This might be sector-specific.
A defining characteristic of all of these services is that they use student engineers supplied by universities such as London's Royal Holloway to carry out the technical assessments, which also explains the modest price tag of around £350 per tester, per day, rising to £3,500 for the more comprehensive assessments. This might sound pricey compared to hiring an electrician or plumber in the capital, but given that professional pen-testing companies won't get out of bed for under £5,000 per test, it is definitely at the affordable end of the spectrum.
"It needs to use as little technical language as possible and to be specific," observes Nuttall of the advice the LDSC seeks to hand out as part of its services. He is at pains to underline that the LDSC is not trying to compete with established pen-testing firms. "A lot of it focusses on basic IT infrastructure hardening."