Practical actions SMEs can take today; high impact, low fuss
These steps map well to Cyber Essentials controls and common SME cyber security best practices; they are designed to reduce blast radius fast.
1) Lock down identities; start with admin accounts
* Turn on MFA (multi-factor authentication) for email, finance systems, remote access, and admin portals; prefer phishing-resistant options where available. 3
* Remove shared admin logins; use named accounts and least privilege.
* Review forwarding rules and mailbox permissions; attackers use these for silent interception.
2) Reduce ransomware impact; assume one device will fail
* Ensure backups are working and recoverable; test a restore of a key folder or system monthly. 2
* Patch operating systems, browsers, VPNs, and firewalls; prioritise internet-facing services.
* Confirm endpoint protection is deployed on all laptops and servers, including “spare” devices.
3) Strengthen payment and supplier processes
* Add two-person approval for new payees and bank detail changes.
* Train staff to verify supplier changes via a known phone number; not the number in the email.
* Keep an incident contact list handy; bank, IT provider, insurer, key suppliers.
Mini checklist you can reuse in board packs
* MFA on all admin and finance access
* Backups tested; restore proven
* Patching up to date for internet-facing services
* Two-person approval for bank detail changes
* Logging and alerts enabled for admin activity
Compliance for SMEs; UK GDPR security measures still apply
If an incident exposes personal data, UK GDPR expects “appropriate technical and organisational measures” based on risk. The ICO’s security guidance supports practical steps like access control, MFA, patching, and backups. Good hygiene is not only risk mitigation; it is evidence of sensible governance. 4
