Recently I have noticed that more and more IT companies in Australia seem to be promoting "free cybersecurity assessments" for businesses on their websites. I was always taught to be wary of "free" extras from salespeople, so I'd like to share 3 points with you about this trend.
1. Free assessments aren't free
In Australia, we have a minimum wage, so whoever is responsible for completing your assessment is going to cost that company money. That means the company is going to expect a return on that person's time, which leads us to the next point...
2. Where's the real sale?
As mentioned, a lot of Managed Service Provider (MSP) IT companies promote a "free assessment" as part of their sales process. While it's great that IT security is getting attention up front, it's a little bit like getting a real estate salesperson to appraise your house: their real job is to sell your house. If you are looking to use that company for IT support as well, this might be OK, but otherwise you should be prepared for the real sales pitch.
3. Level of expertise
Similar to point #2, there are a lot of IT companies offering security assessments as part of a larger suite of services (a sort of "one stop shop" for IT). The question here is, who is going to be handling the assessment? If it's a free assessment, it could well be that minimum wage technician from point 1. If you are only looking for a set of security templates to follow, a quick Google will let you do this kind of assessment yourself. Just like any professional service, adding real value in cybersecurity takes skill and experience.
Just like with most things, you are likely to "get what you pay for" with a cybersecurity assessment. That doesn't mean you need to spend thousands on all the bells and whistles you don't need, but it might mean you need to look beyond a $0 price tag to get real value here.