18. Consider IT
Headcount in latest accounts: 25
HQ: Edinburgh
Date of certification: June 2024
Gaining B Corp status in 2024 put Consider IT “in a different category from our competition”, Stuart Gilbertson, MD of the Edinburgh-based IT support and cyber specialist, tells us below.
The process took “longer than we thought it would”, he acknowledged, however.
The 25-employee outfit also lost points on a question because it didn’t follow the “outdated security advice” it stipulated, Gilbertson adds.
Q&A with Consider IT MD Stuart Gilbertson
What was your main reason for becoming a B Corp?
We felt that becoming a B Corp put us in a different category from our competition. We aren’t just saying we do good, we are able to prove it. When you’re part of a client’s supply chain, it’s important to do whatever you can to build trust that we are genuinely the better option.
B Corp is perhaps best associated with consumer goods brands. Does it really make sense for an MSP or IT solutions provider to have it?
It might be associated with consumer brands, but the underlying requirements for high standards of social and environmental performance is important to us. How can we be trusted by our clients from a technical perspective if we can’t show we’re transparent and accountable around our social and environmental commitments.
What’s the main benefit of becoming a B Corp?
The sense of achievement that we are actively considering our impact in the world in a good way. Holding B Corp accreditation makes it easier for our potential clients to differentiate us.
How much time and money did it take?
It took a lot longer than we thought it would. The B Corp assessment was actually very in-depth and we were required to provide comprehensive evidence for all of our claims. We started work in August 2023, making sure that the business reflected the ethos of what B Corp stands for. We started the heavy lifting early 2024 and it wasn’t until March 2024 we finally made it.
What was the hardest aspect of becoming a B Corp?
Auditing everything we do, from our legal frameworks to our supply chain to make sure we did meet the requirements of the accreditation. We had to purposefully go through everything to make sure we were compliant. That was tough.
Do you have any constructive criticism of the process?
One of their governance questions asks if passwords are changed periodically. We lost points on that question because that’s outdated security advice and best practice is not to force rotation of passwords. Current best practice is to:
- Use strong, unique passwords
- Have MFA enforced everywhere
- Change passwords only on evidence of compromise
- Monitor for credential leaks
- If possible, go passwordless – i.e. FIDO2 passkeys, hardware tokens, or fingerprint/face ID
Countdown continues on next page…
