Most cyber attacks against small businesses are not sophisticated. They are automated scripts scanning the internet for easy targets — default passwords, unpatched software, employees who click phishing links. The attackers do not know or care who you are. They just want the path of least resistance.
After 22 years in enterprise technology — including building security infrastructure for organisations processing millions of transactions — I can tell you that the controls which protect a 50-person company are not dramatically different from those protecting a 5,000-person company. They are simpler, cheaper, and faster to implement. But they still need to be done deliberately.
Here is the checklist I use when assessing SME security posture. Ten items. No jargon. If you can tick all ten, you are ahead of 90% of UK small businesses.
Why SMEs are the primary target
There is a persistent myth that attackers only go after large enterprises. The data says the opposite. Small businesses are targeted precisely because they lack dedicated security staff, use consumer-grade tools, and often assume they are too small to be worth attacking. That assumption is the vulnerability.
The most common attack vectors against SMEs are phishing emails, ransomware, and credential stuffing — where attackers use stolen username-password combinations from other breaches to log into your systems. None of these require the attacker to specifically target your business. They cast a wide net, and businesses without basic protections get caught.
The financial impact is not trivial. The average cost of a cyber attack for a UK small business is approximately £8,460 according to recent government data. For many SMEs, that is the difference between a profitable quarter and a crisis.
The 10-point checklist
These are listed in order of impact. If you can only do five, do the first five. Each one meaningfully reduces your attack surface.
1. Enable multi-factor authentication everywhere. MFA on email, cloud storage, banking, accounting software, and any system that holds customer data. SMS-based MFA is acceptable. App-based (like Microsoft Authenticator or Google Authenticator) is better. Hardware keys are best, but overkill for most SMEs. The point is that stolen passwords alone should never be enough to access your systems.
2. Keep software patched and updated. Enable automatic updates on all operating systems, browsers, and business applications. Most ransomware exploits known vulnerabilities that already have patches available. The window between a patch release and an exploit being weaponised is now measured in days, not months. Delaying updates because they are inconvenient is one of the most expensive mistakes an SME can make.
3. Implement automated backups with offline copies. The 3-2-1 rule: three copies of your data, on two different media types, with one copy stored offsite or offline. Cloud backups are convenient, but if ransomware encrypts your local files and your cloud sync replicates the damage, you have three copies of encrypted garbage. Test your restores quarterly. A backup you have never tested is not a backup — it is a hope.
4. Run phishing awareness training. Your staff are your largest attack surface. A single clicked link in a convincing phishing email can bypass every technical control you have. Run short, regular training sessions — 15 minutes monthly is more effective than a 2-hour annual session. Send simulated phishing emails and track who clicks. No shame, just coaching. The goal is muscle memory, not perfection.
5. Enforce the principle of least privilege. Every user account should have the minimum access required to do its job. Your office manager does not need admin access to your cloud infrastructure. Your developer does not need access to payroll. Review access quarterly and revoke anything that is no longer needed. When an employee leaves, disable their accounts the same day — not next week.
6. Encrypt sensitive data in transit and at rest. Use HTTPS on your website (free via Let’s Encrypt). Ensure your email provider supports TLS. Encrypt laptop hard drives using BitLocker (Windows) or FileVault (Mac) — both are built in and free. If a laptop is stolen from a car, encryption is the difference between a lost device and a data breach notification to the ICO.
7. Create an incident response plan. Write down, in plain English, what happens if you are breached. Who do you call? Who decides whether to pay a ransom? How do you notify customers? How do you notify the ICO within 72 hours as required by UK GDPR? This does not need to be a 50-page document. Two pages covering roles, contacts, and first steps will put you ahead of most SMEs who discover their incident response plan during the incident.
8. Assess vendor security. Your security is only as strong as your weakest vendor. If your accountant stores your financial data on an unencrypted laptop, your own encryption is irrelevant. For any vendor handling sensitive data, ask: do they have Cyber Essentials? Where is data stored? How is it encrypted? What happens to your data if you leave? You do not need to audit them — just ask the questions.
9. Use a password manager for the whole team. Shared passwords in spreadsheets, sticky notes, or email threads are still common. A business password manager (1Password, Bitwarden, or Keeper) costs £3-5 per user per month and eliminates password reuse, the single biggest credential vulnerability. It also makes offboarding instant — revoke the user, and every shared credential they accessed can be rotated.
10. Deploy endpoint protection on every device. Built-in protections like Windows Defender have improved dramatically but are not sufficient alone for business use. A managed endpoint protection solution provides centralised visibility, threat detection, and remote wipe capability. For SMEs, solutions like Microsoft Defender for Business or CrowdStrike Falcon Go cost £2-5 per device per month and are straightforward to deploy.
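The "test your restores" advice in item 3 is the one most often skipped, so here is an added example (not code from the original article) of what a quarterly restore test can look like: a small Python script that records a SHA-256 manifest of the backed-up tree (keep that manifest with the offline copy) and later checks a restored copy against it, so a restore that silently replicated ransomware-encrypted files shows up as "every file changed" instead of a clean-looking directory. The demo() scenario, file names and sample contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (fine for large backup files)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root.
    Store this with the offline copy, not only next to the live data."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Check a restored tree against the manifest taken at backup time."""
    missing = [rel for rel in manifest if not (restored / rel).is_file()]
    changed = [rel for rel, digest in manifest.items()
               if rel not in missing and sha256_of(restored / rel) != digest]
    return {"ok": not missing and not changed, "checked": len(manifest),
            "missing": missing, "changed": changed}

def demo() -> tuple:
    """Constructed scenario: one clean restore, and one where cloud sync
    replicated ransomware-encrypted files over the originals."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "contracts.txt").write_text("constructed sample contract text\n")
        manifest = build_manifest(src)            # taken at backup time
        good = Path(tmp) / "restore_clean"
        shutil.copytree(src, good)
        bad = Path(tmp) / "restore_after_sync"
        shutil.copytree(src, bad)
        for p in bad.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(64))    # stand-in for encrypted content
        return verify_restore(manifest, good), verify_restore(manifest, bad)

if __name__ == "__main__":
    clean, synced = demo()
    print("clean ok:", clean["ok"], "| synced changed:", synced["changed"])
```

Pointing build_manifest() at your real data folder and verify_restore() at a restored copy is the whole quarterly test; a non-empty "changed" or "missing" list means the backup would not have saved you.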
What Cyber Essentials gives you
Cyber Essentials is a UK government-backed certification scheme that validates five basic technical controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. The self-assessment version (Cyber Essentials) costs approximately £300-500. The audited version (Cyber Essentials Plus) involves a hands-on technical verification and costs £1,500-3,000.
Beyond the security benefit, certification is increasingly required for UK government contracts and is becoming a de facto standard in supply chain requirements. If you sell to larger businesses or the public sector, certification is a competitive advantage, not just a compliance exercise.
When to get a professional audit
This checklist handles the fundamentals, but there are situations where professional assessment is essential. If your business handles payment card data, personal health records, or financial data subject to FCA regulation, the stakes of getting it wrong justify expert review. Similarly, if you have experienced a breach or near-miss, an external assessment identifies what your internal view missed.
A structured cyber assessment walks through your infrastructure, policies, and practices against a framework like NCSC’s 10 Steps or ISO 27001 controls. You get a prioritised action plan — not a 200-page report you will never read, but a ranked list of what to fix first and what it will cost.
Common mistakes I see repeatedly
The most dangerous pattern is partial implementation. MFA on email but not on cloud storage. Backups running but never tested. An incident response plan written three years ago with phone numbers for people who no longer work there. Security is not a project with a finish line — it is an ongoing discipline, like financial accounting.
Another common mistake is over-investing in expensive tools while neglecting fundamentals. I have seen businesses spend £10,000 on a next-generation firewall while their staff reuses the same password across every system. Start with the checklist. Get the basics right. Then invest in advanced tooling if your risk profile demands it.
Getting started today
Pick three items from this checklist that you know are not done. Schedule them this week. MFA can be enabled in an afternoon. A password manager can be rolled out in a day. Automatic updates can be configured in an hour. None of this requires a security team or a large budget. It requires intent.
If you want a structured assessment of where you stand and what to prioritise, SelectWise offers a cyber assessment designed specifically for SMEs. If you are looking at your broader technology posture — not just security, but infrastructure, tools, and strategy — our tech health check covers the full picture.