This is another foray into cyber risk management and strategy for SMEs. I make no apologies for covering it again because it should be a vital part of any SME’s business planning. In a nutshell, it is the business process of identifying and addressing digital threats to protect operations, revenue and reputation. Rather than just a technical IT task, it is a strategic function focused on ensuring business continuity and managing potential financial losses.

A strong cybersecurity risk management strategy for SMEs should focus on reducing the highest risks first while staying practical and affordable. Most SMEs do not need enterprise-scale security programs; they need disciplined fundamentals, clear ownership and resilience.

Core Principles

  1. Protect what matters most:
     • Customer data
     • Financial systems
     • Email accounts
     • Intellectual property
     • Operational systems
  2. Assume attacks will happen:
     • Focus on prevention and recovery.
     • Design for resilience, not perfect security.
  3. Keep it simple and repeatable:
     • Overly complex controls fail in SMEs due to limited staff and budget.

Recommended Cybersecurity Risk Management Framework

A practical SME strategy can follow five pillars inspired by the National Institute of Standards and Technology Cybersecurity Framework:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Alternatively, for those attempting Cyber Essentials or who have already achieved it, one of the most effective ways to secure a business is to follow the UK government’s National Cyber Security Centre (NCSC) recommendations. These five steps are designed to be cost-effective and to provide protection against the majority of common cyber-attacks.

  • Secure your data with back-ups.
  • Protect with strong authentication (MFA).
  • Keep devices and software up to date.
  • Guard against malware.
  • Train staff on cyber awareness, phishing in particular.

But beware: the latest iteration of Cyber Essentials (CE) requires CEOs/MDs to sign a certification that they will ensure the standard is maintained throughout the year, not just at the point of achieving it. That is a game changer which requires some form of monitoring to be put in place to ensure that the standard continues to be met.

No two businesses are the same. They all have certain threats and vulnerabilities in common, and adherence to the NCSC guidelines and/or Cyber Essentials will set you on the right path; many of you will either have gone down that route or will be actively discussing it internally. But there will still be differences, perhaps only nuances, that can drive a hole through your defences, and that is why you need a risk management strategy to ensure you have built robust defences.

Identify Your Risks

  1. Create an Asset Inventory

The first step is to document:

  • Devices
  • Servers
  • Cloud services
  • SaaS platforms
  • User accounts
  • Critical data
  • Vendors

Even a spreadsheet is enough initially.

  2. Classify Critical Assets

Rank systems by business impact:

  • High: payroll, CRM, finance, production
  • Medium: internal collaboration
  • Low: public marketing systems

  3. Identify Likely Threats

For SMEs, the biggest risks are usually:

  • Phishing
  • Business email compromise
  • Ransomware
  • Weak passwords
  • Insider mistakes
  • Third-party/vendor compromise
  • Unpatched software
  • Cloud misconfiguration

Protect the Business

  1. Multi-Factor Authentication (MFA)

This is one of the highest-value controls and you need MFA for:

  • Email
  • VPN
  • Admin accounts
  • Cloud apps
  • Banking systems

Use authenticator apps or hardware keys where possible.

  2. Strong Identity & Access Management

You need to apply:

  • Least privilege access
  • Separate admin accounts
  • Role-based permissions
  • Immediate removal of leavers

Review access at least quarterly.

  3. Endpoint Protection

Deploy modern endpoint security on all company devices:

  • Antivirus/EDR
  • Device encryption
  • Automatic updates
  • Screen lock policies

Focus first on laptops because they are commonly targeted.

  4. Patch Management

Set strict update timelines:

  • Critical vulnerabilities: 24–72 hours
  • High-risk patches: within 1 week
  • Routine updates: monthly

Automate updates whenever possible, but you will still need some form of patch-management monitoring to ensure that you have this under control.

  5. Email Security

Since email is the number one attack vector:

  • Anti-phishing filters
  • DMARC, DKIM, SPF (these require DNS entries and will need to be monitored)
  • Attachment sandboxing if affordable
  • User reporting button for suspicious emails

  6. Backup Strategy

Use the 3-2-1 rule:

  • 3 copies of data
  • 2 different storage types
  • 1 offline/immutable copy – don’t rely on online backups alone; they may make restoring quicker, but in a ransomware scenario they can be encrypted just like the rest of your systems.

Test restores regularly.  Recovery in a disaster or ransomware situation depends on this.
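The email security list above notes that the SPF, DKIM and DMARC DNS entries need to be monitored. As an added example that is not from the original post, this Python check parses the TXT records for a hypothetical domain and reports the settings that leave it spoofable; the domain, the sample records and the function names are assumptions, and DKIM is left out because its selector names differ per mail provider.

```python
"""Check a domain's SPF and DMARC TXT records and report settings that leave it spoofable."""

# Constructed sample TXT records for a hypothetical domain, keyed by the DNS name
# queried; a scheduled check would fill this dict from real TXT lookups instead.
SAMPLE_TXT = {
    "example-sme.invalid": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example-sme.invalid": ["v=DMARC1; p=none; rua=mailto:dmarc@example-sme.invalid"],
}

def check_spf(txt_records):
    """Findings for the SPF record among a name's TXT records ([] means it looks sound)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    findings = []
    terms = spf[0].lower().split()
    last = terms[-1]  # the 'all' mechanism is conventionally the final term
    if last in ("+all", "all"):
        findings.append("SPF ends with +all: any host may send as this domain")
    elif last == "~all":
        findings.append("SPF uses ~all (softfail); move to -all once every sending source is listed")
    elif last != "-all":
        findings.append("SPF does not end with -all, so unlisted senders are not rejected")
    return findings

def check_dmarc(txt_records):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record published"]
    tags = {}
    for part in dmarc[0].split(";"):  # record is 'tag=value; tag=value; ...'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag, so receivers ignore it")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports (the monitoring signal) are lost")
    return findings

def check_domain(txt_by_name, domain):
    """Run both checks for one domain; an empty list means nothing to fix."""
    return check_spf(txt_by_name.get(domain, [])) + check_dmarc(txt_by_name.get("_dmarc." + domain, []))
```

To turn this into the ongoing monitoring the post calls for, feed it the TXT answers from your resolver on a schedule (for instance dnspython’s `dns.resolver.resolve(name, "TXT")`) and alert whenever the findings list changes.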

  7. Secure Cloud Usage

For cloud platforms like Microsoft 365 or Google Workspace:

  • Disable legacy authentication
  • Enforce MFA
  • Monitor sharing permissions
  • Limit external access
  • Audit administrator activity

Detect Threats Early

  1. Centralised Logging

This is often a particularly difficult thing for SMEs because they don’t have any on-staff cyber security personnel, and often their IT support company doesn’t offer this service. However, it is still important to collect logs from:

  • Email systems
  • Firewalls
  • Endpoints
  • Cloud platforms

A managed service is often the way forward.

  2. Monitoring & Alerts

This is another issue that is very hard for SMEs, for the same reasons as log collection.  You need to receive alerts on:

  • Failed login spikes
  • Impossible travel logins
  • Admin privilege changes
  • Large file downloads
  • Suspicious mailbox rules

A managed service is often the only way to achieve this.
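Three of the alert conditions above (failed login spikes, impossible travel and suspicious mailbox rules), written out as an added Python example that is not from the original post; the event format, the thresholds and the sample events are assumptions, constructed so that each detector produces exactly one hit.

```python
"""Three of the alert conditions above, run over a constructed sign-in/audit log (sample data, not real)."""
from collections import defaultdict
from datetime import datetime, timedelta

def login(ts, user, ok, country):
    return {"ts": ts, "user": user, "type": "login", "ok": ok, "country": country}

# Constructed sample events, oldest first: alice logs in from two countries 30 minutes
# apart, bob fails six times in five minutes, carol adds a rule forwarding mail externally.
EVENTS = [login("2024-05-01T08:00:00", "alice", True, "GB"),
          login("2024-05-01T08:30:00", "alice", True, "US")]
EVENTS += [login(f"2024-05-01T09:0{i}:00", "bob", False, "GB") for i in range(6)]
EVENTS += [{"ts": "2024-05-01T09:10:00", "user": "carol", "type": "mailbox_rule", "action": "forward", "target": "attacker@external.invalid"},
           {"ts": "2024-05-01T09:12:00", "user": "dave", "type": "mailbox_rule", "action": "move", "target": "Archive"}]

def failed_login_spikes(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside a `window`-long span."""
    recent, hits = defaultdict(list), set()  # user -> timestamps of recent failures
    for e in events:
        if e["type"] == "login" and not e["ok"]:
            stamps = recent[e["user"]]
            stamps.append(datetime.fromisoformat(e["ts"]))
            while stamps[-1] - stamps[0] > window:  # forget failures outside the window
                stamps.pop(0)
            if len(stamps) >= threshold:
                hits.add(e["user"])
    return sorted(hits)

def impossible_travel(events, min_gap=timedelta(hours=2)):
    """Successful logins from a new country less than `min_gap` after the previous one."""
    last, hits = {}, []  # user -> (timestamp, country) of the previous successful login
    for e in events:
        if e["type"] == "login" and e["ok"]:
            ts, prev = datetime.fromisoformat(e["ts"]), last.get(e["user"])
            if prev and prev[1] != e["country"] and ts - prev[0] < min_gap:
                hits.append((e["user"], prev[1], e["country"]))
            last[e["user"]] = (ts, e["country"])
    return hits

def suspicious_mailbox_rules(events, internal_domain="example-sme.invalid"):
    """New inbox rules that forward mail outside the organisation or delete it."""
    hits = []
    for e in events:
        if e["type"] == "mailbox_rule":
            external = e["action"] == "forward" and not e["target"].endswith("@" + internal_domain)
            if external or e["action"] == "delete":
                hits.append((e["user"], e["action"], e["target"]))
    return hits
```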

  3. Vulnerability Scanning

You should aim to run monthly scans internally and externally.

Prioritise:

  • Internet-facing systems
  • Critical vulnerabilities
  • Unsupported software

A variety of scanning tools are available to purchase; however, you need someone who can interpret the results, identify critical issues and eliminate false positives. Once again, a managed service may be the answer for many SMEs.

Incident Response Plan

  1. Document the Response Process

Every SME should have a documented response process which includes:

  • Who makes decisions
  • Who contacts customers
  • Legal/compliance steps
  • Cyber insurance contacts
  • IT recovery procedures

  2. Create Playbooks For:

  • Ransomware
  • Phishing compromise
  • Lost/stolen device
  • Data breach
  • Vendor compromise

Run tabletop exercises twice yearly.

Recovery & Business Continuity

  1. Define Recovery Objectives

Set:

  • RTO (Recovery Time Objective)
  • RPO (Recovery Point Objective)

The examples below show how long the business can survive without each system and how much data it can afford to lose; the actual values will be determined by business priorities:

  System    Max Downtime (RTO)   Max Data Loss (RPO)
  Email     4 hours              1 hour
  Payroll   24 hours             4 hours
  CRM       8 hours              2 hours

  2. Business Continuity Planning

Prepare for:

  • Cloud outages
  • Cyberattacks
  • Staff unavailability
  • Power/network failures

Document manual fallback procedures to keep the business running whilst you recover from the crisis.

Governance & Leadership

  1. Assign Ownership

Even small companies need accountability:

  • Security lead
  • Executive sponsor
  • Incident coordinator

Security without ownership fails.

  2. Establish Policies

Minimum essential policies:

  • Acceptable use
  • Password policy
  • Data handling
  • Remote work
  • Vendor management
  • Incident reporting

Keep them concise and enforceable and, importantly, roll them out so that staff know where to find them and what they contain.

Human Risk Management

Most SME breaches involve human error.

  1. Security Awareness Training

Train employees on:

  • Phishing
  • Social engineering
  • Password hygiene
  • Safe file sharing
  • AI/deepfake scams
  • Reporting suspicious activity

Short monthly sessions work better than annual training.

  2. Phishing Simulations

Measure:

  • Click rates
  • Reporting rates
  • Repeat offenders

Use results for coaching, not punishment.

Third-Party & Supply Chain Risk

SMEs increasingly rely on vendors.

  1. Vet Critical Suppliers

Review:

  • Security certifications
  • MFA usage
  • Breach history
  • Data protection controls

Prioritise vendors with access to:

  • Financial data
  • Customer data
  • Internal systems

Compliance Considerations

Depending on industry/location, SMEs may need alignment with:

  • International Organisation for Standardization ISO 27001
  • National Cyber Security Centre Cyber Essentials
  • GDPR/Data Protection Laws
  • PCI DSS

For UK SMEs, Cyber Essentials is an excellent baseline.

Recommended SME Security Stack

A practical modern stack often includes:

  • MFA platform
  • Endpoint detection & response (EDR)
  • Password manager
  • Secure email gateway
  • Cloud backup
  • Mobile device management (MDM)
  • Firewall with IDS/IPS
  • Security awareness platform

For those considering Cyber Essentials for the first time, or for renewal, some form of monitoring is required to ensure that the standard is maintained throughout the certification life cycle.

Budget Prioritisation (Highest ROI First)

For SMEs, budget is always limited and must be prioritised. This is a general guide and may change depending on business priorities:

  • MFA everywhere
  • Backups
  • Endpoint protection
  • Email security
  • Patch management
  • Security awareness training
  • Logging/monitoring
  • Vulnerability scanning
  • Managed security services
  • Advanced zero-trust controls

In order to decide your budget, you need to work out your priorities and, again, this will depend on what the company does. A suggested 12-month roadmap, for someone starting from scratch, is:

Months 1–3

  • Asset inventory
  • MFA rollout
  • Backup improvements
  • Patch automation
  • Security policies

Months 4–6

  • Endpoint protection
  • Vulnerability scanning
  • Staff awareness training
  • Incident response planning

Months 7–9

  • Logging and monitoring
  • Vendor risk reviews
  • Phishing simulations
  • Access reviews

Months 10–12

  • Tabletop exercises
  • Business continuity testing
  • External security assessment
  • Cyber insurance review

Metrics SMEs Should Track

I talked about measuring your security stance and your compliance.  Some useful KPIs might be:

  • MFA adoption %
  • Patch compliance %
  • Phishing click rate
  • Mean time to detect/respond
  • Backup recovery success
  • Number of critical vulnerabilities
  • Security training completion

Common SME Mistakes

Turning now to some common mistakes.  I don’t want to dwell on these too much as they are self-evident, but you should avoid:

  • Treating cybersecurity as only an IT problem
  • Buying too many disconnected tools
  • Ignoring backups
  • Giving staff admin rights
  • Failing to test recovery
  • Depending entirely on one IT provider
  • No incident response process

I hope that this provides some guidance, but I’m fully aware that it contains issues that will appear as a bit of a ‘black art’ to some people. Get advice from cyber security professionals; don’t think that because someone knows about IT they have the nuances of security covered, as they often don’t. Remember that some cyber security solutions are procedural, not technical.

Policy, Process and then Technology
