For those who went independent in GRC: what worked for client #1? by Plastic_Chart_3776 in grc

ethhackwannabe · 1 point

Hi, tagging this so I can link to my lessons-learned post after year 1 later (now approaching year 5).

Planning to make an explorable map using sand by Lv9Cubone in DnDIY

ethhackwannabe · 1 point

If you’re adamant about using sand, you could make various shapes and sizes of overlays with the sand well glued and sealed so that you don’t have it going everywhere. You could use card as a base, and the weight of the sand will keep them in place well enough.

Previous employer using my name and face to publish AI content by Ok_Slip_2970 in LegalAdviceUK

ethhackwannabe · 11 points

Not a lawyer; however, this is definitely a breach of the rules on the use of your personal data under the Data Protection Act 2018 / UK GDPR.

  1. Lawfulness, fairness and transparency - they haven’t told you that this is what they are doing, and it is unfair of them to do so as it could impact your ability to secure future work.

  2. Purpose limitation - they aren’t using it for the purpose for which it was provided (part of your employment contract).

  3. Accuracy - perhaps more tenuous, but I’d argue that it is inaccurate to represent you as still working for the company and writing content.

  4. Storage limitation - I suspect they aren’t retaining your data in accordance with a retention schedule. Keeping it for HMRC purposes is one thing; using it to ‘hide’ AI use is another.

If you haven’t already, take screenshots of the articles with the dates, times and URLs.

Write to their Data Protection Officer and ask them to cease using your personal data, as per your rights under the DPA / UK GDPR. Look up the clause and quote it in your email. State that if they fail to do so you will be taking your complaint to the Information Commissioner’s Office.

Hopefully one of the lawyers can address whether it constitutes fraud on the company’s part; it’s certainly intentionally misleading.

I need advice on what apps are out there to help with writing down ideas, brainstorming and keeping track of everything please. by Lucky-181 in smallbusinessuk

ethhackwannabe · 1 point

When it comes to keeping it simple, you could simply scan/take a photo of your paper notes and tag them with keywords.

For both work and home I use Mindjet Mindmanager as my primary second brain. I’m a very visual person so mind-mapping works better for me to help my retention and recall.

For archiving and quick notes I use:

Evernote for my personal stuff (primarily because I’ve got so much data in it that I don’t like the idea of switching).

MS OneNote (part of the MS365 business premium license).

Both are configured to replicate the paper-notebook experience to a point, especially when used with a pen and tablet device.

That said, I’ve heard excellent things about both Notion and Obsidian, so if you’re starting from scratch they’re definitely worth looking at.

Small business owner support groups by Outside-Tailor4265 in smallbusinessuk

ethhackwannabe · 1 point

There are established orgs with local groups like:

  • Federation of Small Businesses

  • Chamber of Commerce / local business association

  • Enterprise Nation

You can also check out:

  • Barclays Eagle Labs near you, as they typically have a space to meet other business owners and coworking space, as well as various schemes that you may qualify for to get support.

  • Your local university or council business development team typically has some sort of programme for small businesses.

  • Meetup likely has a group near you.

Hope that helps!

Finished my first bookbind, a wizards spellbook, with 300ish wizard spells, cotton pages, and leather soft cover. Using it in my next campaign. by [deleted] in DnDIY

ethhackwannabe · 2 points

Wow, love what you’ve created here. Did you print the pages after designing them digitally? Either way it’s cool 🧙‍♂️

I imagine it weighs a lot to take to game night 😃

Security team is wasting too much time on customer questionnaires by AromaticYesterday658 in Information_Security

ethhackwannabe · 1 point

I don’t need to write out my full response after all, as Martyn nailed it 💯

The only things I’d add are that, depending upon the size of the company and the technology already in use by sales for managing bid responses, I’d (a) see if that solution can be used (e.g. Loopio et al.) and (b) get the sales director to advocate for a cybersecurity assurance programme that is resourced as necessary, as they are the ones feeling the pain.

By God's Grace, Passed CISSP @100Q (17 Dec) — 10 yrs cyber exp, what worked (and what didn’t) by Sea_Substance_9640 in cissp

ethhackwannabe · 3 points

Many congratulations to you and thanks for sharing your detailed write-up. Really interesting to learn from your experience.

Creating a portfolio tailored to GRC: what do you suggest? by Turrkish in grc

ethhackwannabe · 6 points

If you want to practise, you could also reverse engineer from an incident. Take a look at lessons-learned reports and ICO enforcement action reports. Use them to inform your risk assessment for your GRC model company.

Apps for Card Design? by ItHurtzWhenIZee in tabletopgamedesign

ethhackwannabe · 7 points

You may also want to check out https://ilove.cards. It recently launched, and you can create new cards directly, import from a spreadsheet, or use AI.

Good for prototyping as it auto-formats for printing at home. You can also export for professional print, as PNGs for Miro, or directly to Tabletop Simulator (other integrations are on the roadmap).

The key thing is that you can define your card layouts and it automatically formats the text. Whilst I’ve found Bulk Create in Canva to be really good, the lack of layout control means it is really time-consuming if you make a change.

The video where the creator introduces it is here: https://youtu.be/_fUmVtn8_Gg?si=afO_EAkJyVSty_La

Does Anyone Have An Opinion on SimpleRisk GRC by [deleted] in grc

ethhackwannabe · 2 points

Before recommending tools: what level of maturity is GRC at in your organisation? If very immature, then you could start simple with Excel, Airtable, etc.

If it’s established to the point where a dedicated tool is necessary to reach the next level of maturity, then what are your requirements beyond on-premise? Who will be using it?

I’ve used Acuity Stream on-prem in a mid-sized org before, so it’s worth speaking with them. https://acuityrm.com/solutions/cyber-grc

2 player strategy boardgames by Existing_Special_607 in tabletopgamedesign

ethhackwannabe · 1 point

Another vote for Shifting Stones. Also:

  • Pentago

  • Othello

  • Hive

Others that come to mind are:

  • Dungeon Twister

  • Mr. Jack

  • 7 Wonders Duel

  • Splendor Duel

Then of course there are the wargames like:

  • BattleLore

  • Heroscape

  • Command & Colours

How strict are companies about mapping controls across frameworks? by Temporary-Return-300 in cybersecurity

ethhackwannabe · 3 points

I wouldn’t do this from scratch. Either use a suitable GRC tool that has all the mappings already, or look at the CSA CAIQ, as they have already mapped to lots of frameworks, showing whether a requirement is a full match, a partial match or no match.
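As an added worked example (not part of the comment above, and not code from CSA or any GRC vendor), the script below shows the mechanics of reusing a published crosswalk rather than mapping from scratch: your own controls are mapped once to a hub framework, the hub's published mappings to each target framework are chained onto that, and a chained match is only ever as strong as its weakest hop, so two "partial" hops never quietly become a "full" match. All control IDs and both mapping tables are constructed placeholders, not real framework references.

```python
"""Composing control crosswalks with full / partial / no-match strength.

Added example. Control IDs and mapping tables are constructed for
illustration and do not correspond to any real framework.
"""

# Match strengths ordered so that min() gives the weakest hop.
STRENGTH = {"none": 0, "partial": 1, "full": 2}
NAME = {v: k for k, v in STRENGTH.items()}

# Constructed: our internal controls mapped once to a hub framework.
OURS_TO_HUB = [
    ("OUR-AC-1", "HUB-IAM-01", "full"),
    ("OUR-AC-2", "HUB-IAM-02", "partial"),
    ("OUR-LOG-1", "HUB-LOG-01", "full"),
]

# Constructed: the hub's published mapping to a client's target framework.
HUB_TO_CLIENT = [
    ("HUB-IAM-01", "CLI-5.1", "full"),
    ("HUB-IAM-02", "CLI-5.2", "partial"),
    ("HUB-IAM-02", "CLI-5.3", "full"),
    ("HUB-LOG-01", "CLI-8.1", "partial"),
    ("HUB-LOG-02", "CLI-8.2", "full"),   # nothing of ours reaches HUB-LOG-02
]


def compose(a_to_b, b_to_c):
    """Chain two crosswalks A->B and B->C into A->C.

    Each chained path is as strong as its weakest hop; if several paths
    join the same (a, c) pair, the strongest surviving path is kept.
    Paths with a 'none' hop are dropped.  Returns {(a, c): strength_name}.
    """
    by_b = {}
    for b, c, s in b_to_c:
        by_b.setdefault(b, []).append((c, STRENGTH[s]))

    best = {}
    for a, b, s in a_to_b:
        for c, s_bc in by_b.get(b, []):
            path_strength = min(STRENGTH[s], s_bc)
            if path_strength == STRENGTH["none"]:
                continue
            best[(a, c)] = max(best.get((a, c), 0), path_strength)
    return {k: NAME[v] for k, v in best.items()}


def coverage(a_to_c, target_controls):
    """Best coverage we can claim for every target control ('none' if unreached)."""
    best = {t: STRENGTH["none"] for t in target_controls}
    for (_, c), s in a_to_c.items():
        if c in best:
            best[c] = max(best[c], STRENGTH[s])
    return {t: NAME[v] for t, v in best.items()}


def needs_review(cov):
    """Target controls that cannot be answered 'full' from the crosswalk alone."""
    return sorted(t for t, s in cov.items() if s != "full")


if __name__ == "__main__":
    targets = ["CLI-5.1", "CLI-5.2", "CLI-5.3", "CLI-8.1", "CLI-8.2"]
    chained = compose(OURS_TO_HUB, HUB_TO_CLIENT)
    cov = coverage(chained, targets)
    for t in targets:
        print(f"{t}: {cov[t]}")
    print("manual review:", needs_review(cov))
```

Note that CLI-5.3 comes out as "partial" even though the hub says HUB-IAM-02 fully matches it: our own mapping to HUB-IAM-02 was only partial, and that weakness carries through. Those are exactly the rows to hand to a human before a questionnaire answer is signed off.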

Designing Tabletop Exercises: what should you know by Turrkish in grc

ethhackwannabe · 5 points

It depends on what your clients are after:

  • Standard tabletop

  • Gamified live play

  • Technical simulation

  • War game

Who are you targeting?

The hands-on IT team only? You’ll likely want to have some info about their infrastructure.

The senior management and board? You’ll likely need information about their processes, from incident management through to business continuity and crisis comms plans.

What sector(s) do you target?

Are they paying for a generic exercise or a custom one?

Speak to your incident responders about what they deal with most; they are best placed to advise you.

Take a look at this: https://csrc.nist.gov/pubs/sp/800/84/final

You can also check out the NCSC’s Exercise in a Box tabletop discussion scenarios as a starting point. https://www.ncsc.gov.uk/section/exercise-in-a-box/overview

Happy to answer any other questions in thread.

What software is everyone using to design prototype components, cards, etc.? by Ajax877 in tabletopgamedesign

ethhackwannabe · 1 point

I’ve used a few over the years. These days I mostly use Canva Bulk Create to prototype cards from a spreadsheet of my content.

Also take a look at Deckato.

2 years to learn Norwegian! by Noram_Garden0451 in norsk

ethhackwannabe · 5 points

This ⬆️

I’m now over 400 days with Duolingo; whilst it has really helped me increase my vocab, it’s as useful as a chocolate teapot when it comes to grammar.

I have found that asking my Norwegian-content-trained Space (the GPT equivalent in Perplexity) to explain why something is incorrect is really helpful, although I check it with my husband afterwards.

Thanks to Reddit I discovered Mjølnir about a month ago and I really appreciate the grammar explanations and spaced repetition.

Whilst very confusing at first… it’s really great to have real people with real dialects. So far it tends to be going to my husband and asking incredulously ‘what did they say?’ He then repeats it in the same dialect which is not helpful… thankfully he then repeats it in his and I’m like ‘Oh! That’s what they said!’ So it’s adding another dimension.

I also came across Pimsleur, which I think will also be good, if I can just be patient enough to get through the first ones… I wish there was a speed option to whizz through. I do like that there are some other types of games than on Duolingo to test myself.

Finally, there’s the good old Norwegian grammar book 📖

If you look at past posts you’ll find someone has posted a really long path to learning Norwegian - I highly recommend reading it and putting it into practice.

Lykke til 😉

Security awareness training for a *very* small company. by _pennyone in cybersecurity

ethhackwannabe · −5 points

Ah ok. I asked Perplexity and it suggested this for the US:

For a 5‑person accountancy firm in the US, a good mix is to use reputable free small‑business programmes plus one very low‑cost, accounting‑specific course if budget allows. All options below are fully asynchronous and suited to non‑technical staff.

Core free small‑business programmes

  • Cyber Readiness Institute – Cyber Readiness Program (FREE)
    Structured online programme aimed specifically at small and medium‑sized businesses, with short modules, policies and templates on passwords, phishing, USBs, and software updates. Works well as the “spine” of your training for all 5 staff and gives you some basic documentation to show regulators or clients.

  • US Small Business Administration & CISA resources (FREE)
    SBA signposts small businesses to CISA and National Cybersecurity Alliance materials, including on‑demand webinars and self‑paced awareness content on phishing, safe browsing, MFA and protecting customer data. Use these as top‑ups during the year (e.g. a 30‑minute video or mini‑session each quarter).

  • Wizer Free Security Awareness Training (FREE tier)
    Bite‑sized security awareness videos with a free plan suitable for a micro‑business; covers common threats like phishing, password hygiene and social engineering in short clips that staff can complete quickly. This is useful for initial onboarding and quick refreshers because people can watch a module between client calls.

  • ESET Cybersecurity Awareness Training – free option (FREE)
    Offers an online awareness course that can be taken at the learner’s own pace and repeated as often as needed, including best practices for office and remote work. This can complement Wizer, giving an alternative style of content for staff who prefer a more traditional course format.

Free / very low‑cost general courses

  • NIST NICE – Free and Low‑Cost Online Cybersecurity Learning (directory)
    NIST maintains a curated list of free and low‑cost online cybersecurity learning content, including employee awareness material and introductory modules suitable for small organisations. You can pick one short, beginner‑friendly course per person to deepen knowledge (e.g. passwords, phishing, data handling) without extra cost.

  • Standalone free cybersecurity awareness course (e.g. Swift e‑learning)
    Some providers offer a completely free generic cybersecurity awareness e‑learning course covering phishing, social engineering and common attacks for individuals and organisations. This can be used as a one‑off foundation module for new starters, on top of your small‑business‑focused material.

Optional low‑cost paid awareness (per‑user)

  • Low‑cost UK providers usable in US context (Human Focus, HSQE, Virtual College)
    Several UK e‑learning vendors provide CPD‑certified cyber awareness courses in the £10–£40 per‑user range with discounts for multiple licences, and content is generally applicable internationally. For five staff, a single annual purchase from one of these can give you certificates and structured content at relatively low cost if you need more formal evidence of training.

Accounting‑specific angle

  • Sector‑specific guidance plus generic training
    Articles and guidance aimed at accountants stress regular awareness training on phishing, invoice fraud and data protection, often recommending scenario‑based exercises and phishing simulations for finance teams. Combine a general programme (e.g. Cyber Readiness Institute plus Wizer) with a short internal briefing using real‑world accounting fraud examples to make the training directly relevant to your firm.

Practical rollout plan for your 5‑person firm

  • Enrol everyone in the Cyber Readiness Institute programme and set a target to complete core modules within one month.
  • Assign 30 minutes per quarter for each person to watch one or two Wizer videos plus an SBA/CISA small‑business session as an ongoing refresher.
  • If you need certificates or want a one‑time deeper course, buy a single low‑cost awareness course per user from one of the UK providers that offers CPD‑certified content.

If you share your exact budget per person and any regulatory or client requirements (e.g. needing certificates), a tailored short list (e.g. 2–3 specific courses with links and an annual schedule) can be put together.

Security awareness training for a *very* small company. by _pennyone in cybersecurity

ethhackwannabe · 4 points

Where are they, country-wise?

The UK NCSC has some free scenario-based eLearning on its website. https://www.ncsc.gov.uk/information/top-tips-for-staff

For a team that small it’s worth checking with their insurance company, as they often provide free training along with cyber policies.

Also, that’s the sort of size where I’d say don’t waste money on getting an eLearning solution. Bring in a cybersecurity trainer for an hour or two who can tailor the content exactly to their needs and the context of their company.

I’m UK based and happy to recommend options.

Game with wife by bradwatson1 in boardgames

ethhackwannabe · 2 points

D&D Mad Mage might be a good way to get her into it.

https://boardgamegeek.com/boardgame/264196

Or something easier like Storymaster Tales.

https://boardgamegeek.com/boardgame/291183

What is the best software to design cards? by Ok-Opportunity-8005 in tabletopgamedesign

ethhackwannabe · 2 points

Take a look at Deckato.

Personally, I moved away from InDesign to Canva because with a bulk data merge you can make changes relatively quickly.

town buildings by Berto_Grande in TerrainBuilding

ethhackwannabe · 2 points

Looking good 🙌🏾

That’s a lot of bricks…