Actionable guidance: high-impact steps you can do this month
Start with the systems that, if compromised, would stop trading: email, finance, and admin access.
1) Upgrade MFA where it counts
* Turn on MFA everywhere; then prioritise phishing-resistant MFA for admins, finance users, and anyone approving payments.
* Avoid SMS codes where possible; they are better than nothing, but not the strongest option. Follow NCSC’s recommended MFA types. (Source: NCSC links above)
2) Fix the “shared admin” problem
* Give each admin their own named account; use least privilege (only the access they need).
* Keep one emergency “break glass” admin; lock it down with a strong recovery process and monitoring.
3) Reduce password risk quickly
* Use a reputable password manager (a secure vault that creates and stores unique passwords).
* Block known weak passwords; and stop password reuse across business tools.
4) Align to UK expectations without over-engineering
* Map actions to Cyber Essentials controls; especially access control and secure configuration. This also helps with supplier due diligence.
* Treat authentication as part of “appropriate security”; UK GDPR expects appropriate technical and organisational measures, and poor access controls regularly feature in breach lessons.
A realistic SME attack scenario (what “good enough” looks like until it is not)
A director receives a “SharePoint document” email. They sign in and approve an MFA prompt, assuming it is routine. The attacker immediately creates an inbox rule to hide bank details emails, resets the finance system password using the mailbox, and swaps supplier payment details. No malware required; just weak authentication choices and a busy day.
Quick checklist: 10-minute board-level test
* Do all email and finance accounts have MFA enabled?
* Do admins and finance users have phishing-resistant MFA?
* Are there any shared admin logins?
* Can staff spot and report suspicious MFA prompts?
* Is there a documented recovery process for lost phones and keys?
