Actionable SME cyber security best practices you can implement without a big budget
Start with the controls that cut the most common loss events quickly.
1. Lock down email accounts first with MFA
* Enable MFA for Microsoft 365, Google Workspace, accounting platforms, payroll, and remote access.
* Remove shared admin accounts; use named accounts and least privilege.
* This aligns with NCSC Cyber Essentials access control expectations. (Source:)
2. Fix payment and supplier change processes
* For any bank detail change, require a call-back to a known number, not the one in the email.
* Add a two-person approval for payments over a sensible threshold.
3. Make phishing reporting simple and fast
* Train staff to forward suspicious emails internally and to NCSC reporting routes.
* Encourage reporting even when someone clicked; speed matters more than blame.
4. Patch and protect endpoints like you mean it
* Turn on automatic updates for operating systems and key apps.
* Ensure malware protection is active and centrally visible via your MSP.
* These are core Cyber Essentials controls and are achievable for most SMEs within weeks.
5. Backups that survive ransomware
* Keep at least one backup copy offline or immutable.
* Test restoring a key folder or system monthly; treat it like a fire drill.
Authority and evidence: what “good” looks like in the UK
UK SMEs can anchor decisions in two practical reference points:
* Cyber Essentials gives a clear baseline for firewalls, secure configuration, security update management, user access control, and malware protection. It is widely recognised in UK supply chains.
* The ICO security principle under UK GDPR expects “appropriate technical and organisational measures”. Training, access control, patching, and incident readiness are not optional if you process personal data.
Run a 30-minute “risk reality check” this week: list your top 5 systems (email, finance, customer data, endpoints, backups), then score each against Cyber Essentials. Where the score is weakest, start with MFA and phishing reporting first.
