Imagine a small business owner who runs a 25-person company providing financial services to firms and individuals. He knows cyber threats are “a thing,” and in fact, one of his customers required basic security controls before signing a contract. And so, he took advice from his network provider, a local IT reseller, and he purchased a bundle: antivirus software, a firewall appliance, and a cloud backup service.

From his perspective, everything seems covered:

• The antivirus dashboard shows green checkmarks.
• The firewall has flashing lights and a web interface that he never logs into.
• The backup system sends a weekly email saying, “Backup completed successfully.”

But here’s the reality:

He has no meaningful way to tell if any of this is actually protecting him.

A few subtle issues are happening behind the scenes:

• The antivirus hasn’t detected anything, not because threats aren’t present, but because it’s misconfigured and only running quick scans.
• The firewall rules were set up once by the reseller and never reviewed; several unnecessary ports are still open.
• Backups are completing, but no one has ever tested restoring them, so they may be incomplete or unusable.
• Staff occasionally click phishing emails, but those incidents go unnoticed because there’s no monitoring or reporting in place.
• He doesn’t have a clear idea of what data he is holding and what that data may reasonably be classified as, i.e. highly sensitive or sensitive, or not sensitive at all.  Neither does he really have an idea who has access to what, either at a user level or worse, at an administrator level.

One day, an employee unknowingly installs malware from a phishing link. The attacker gains access to the company’s systems and quietly exfiltrates sensitive client data over several weeks.

Throughout this entire period:

• No alerts reach any level of management in a way they understand.
• No KPI or metric tells them, “You are under attack”, or even “your defences are being exercised.”
• The tools continue to report “all good” because they are measuring activity (i.e., scans completed), not effectiveness (i.e., attacks prevented).
• He assumes that “no news is good news.” In reality, he’s operating in a visibility gap:
• He doesn’t know what “normal” vs “suspicious” looks like.
• He has no baseline metrics (i.e., number of blocked threats, phishing simulations, patch status).
• He lacks independent validation (like audits, vulnerability assessments, or even simple security reports translated into business terms).

So, when a client later informs him of a data breach traced back to his company, it’s a complete shock. From his perspective, he did everything right; he bought the tools. But he never had a way to measure whether those tools were correctly configured, actively working, or aligned to real threats.

This is a common SME problem: security is treated as a one-time purchase rather than an ongoing, measurable process. Without clear, understandable metrics or external validation, the owner is essentially flying blind, relying on reassuring dashboards instead of actual evidence of protection.

The question then becomes what can an SME do to protect itself from these issues.  The first problem is to recognise that they don’t have any in-house resource that can deal with these problems, and neither can they afford such a resource. At best, their IT systems are overseen by someone who has another primary function and hasn’t got much time to deal with IT issues, has no technical background, much less a cybersecurity background, and whose responsibility lies with liaising with their network provider. 

Now, let’s deal with the network provider that supplied the security tools.  These companies work to Ts&Cs that will concisely lay down what services they provide under any network maintenance contract.  Such contracts may include administration of the network, adding and taking away access rights, or they may just refer to routine maintenance and troubleshooting.  Whatever it is, an SME must have a clear understanding of what those Ts&Cs say.  You may be under the impression that they are covering things that they simply aren’t.  This is often the case with cybersecurity.  This is because they themselves don’t have a handle on how cybersecurity hangs together. They concentrate on supplying products such as firewalls and AV, and on how to install and configure such products.  They may also handle AV updates, and in that case, you need to be very clear about how they do that and how they assure you that it is done.

Be clear, I’m not denigrating these companies or the services they supply, simply pointing out that they work to strict service levels as laid down in the contract and will often not step outside of these.

To sum up, we are now at the point where we recognise that SMEs in general do not have a handle on how effective their security actually is, on where their sensitive data sits and how it’s accessed and handled.  They don’t have anyone on staff who has an understanding of cybersecurity, and there is a good chance that their network contract doesn’t include any sort of security monitoring and alerting.  The question now becomes, is there anything they can do about it?

Until quite recently, what we called protective monitoring, which is now more formally called Managed Detection and Response, along with Data Loss Prevention Systems, were very much out of reach of an SME on financial terms, and as such the majority of SMEs didn’t just not invest in them, they never really knew about them because the corporate level providers, never pitched to them because they knew they couldn’t afford it.

There are now systems on the market, AI-driven, that have managed to hit a price point that an SME can afford.  These systems may not be as comprehensive as you might find in a large company or central government department, but they do match the requirements for most SMEs.  You don’t need to understand AI; it’s built into the system and operates seamlessly.  What it does is to allow one operator to manage multiple clients at the same time, because the AI does the heavy lifting.  In this way, not only is the system itself affordable, but the managed service it supports also becomes affordable.

To maximise its cost effectiveness, it has additional capabilities such as vulnerability assessment, phishing simulations and cyber awareness training programmes, making it more attractive.  The whole package needs to emulate enterprise-grade protection without the cost and complexity of a full-blown Security Operations Centre (SOC).  Delivering it as a service reduces cost by cutting out the need for an in-house team.

In a nutshell, an SME would want this system because it delivers near enterprise-level cybersecurity protection, reduces business risk, improves compliance, and protects revenue without needing an internal cybersecurity department.  It provides peace of mind; you don’t have to worry about this, let someone else take the strain, while you focus on your business.

To help explain this easily, I have produced a very short video which you can find on the Features Section on my LinkedIn profile.   But if you don’t want to view that, what follows is an introduction to what the service offers.

• Continuous monitoring of endpoints, servers, and some cloud environments
• Rapid detection of ransomware, malware, insider threats, and advanced attacks
• Expert-led response
• Phishing simulations
• Cyber awareness training programme
• Dark web monitoring
• Auditing your data, identifying what is sensitive and what isn’t; providing file-level encryption and tracking data movements around your network and where it goes when sending it to outside agencies.

In short, it provides the business benefit of reduced risk of downtime, data loss, and reputational damage.

This service comes with vulnerability assessment built into it.  Such assessments are available elsewhere as both software and a service, but they would not be integrated into an overall protection, would come at additional cost, and would need to have a level of expertise to interpret the results.

Vulnerability assessments:

• Identify outdated software, misconfigurations, and exposed services
• Prioritise risks based on severity
• Provide remediation guidance

Most breaches happen because of known, unpatched vulnerabilities. Regular scanning helps prevent attacks before they happen. It is a proactive risk reduction instead of reactive damage control.

The system also offers built-in protection against human error (Phishing Simulation).

Over 80–90% of cyber breaches start with phishing. A phishing simulation programme:

• Test employee awareness safely
• Identifies high-risk users
• Reinforces learning through practical scenarios

It helps reduce successful phishing attacks and reduces the likelihood of credential compromise or ransomware infection.  Such simulations are an integral part of cyber awareness training.

The system also assists in building a security culture (CBEE Awareness Training Programme).  A structured awareness programme:

• Trains staff on cyber hygiene and data protection
• Covers password security, social engineering, safe browsing, and more.
• Assists compliance with regulations (GDPR, ISO 27001, Cyber Essentials, etc.)

Cybersecurity isn’t just technology, it’s behaviour. Training reduces internal risk significantly and turns employees from a security liability into a security asset.

A managed system such as this can also help with compliance & insurance requirements.  Many SMEs now face:

• Regulatory obligations
• Supply chain security requirements
• Cyber insurance conditions

Having a managed service, vulnerability management, and training demonstrates due diligence and can reduce insurance premiums or improve insurability.

These last 2 points are very important to an SME:  Cost Predictability & Simplicity.  As a managed service, everything is:

• Subscription-based
• Centralised under one provider
• Fully supported by trained personnel

No need to buy multiple tools, manage updates, or maintain in-house expertise.

In business terms, you are getting executive-level risk reduction with a simple value:

• Reduced likelihood of business interruption
• Reduced financial exposure
• Protection of brand and customer trust
• Clear reporting and measurable risk reduction

All through this article, I’ve talked about cost-effectiveness.  So, what does this service cost?  I’ll add the BBC caveat – other systems are available!!  We charge £15 per seat per month for the technical system and £15 per seat per month for the data leakage protection system. Discounts are available for clients who take both systems, and you get a lot for your money.  It’s a 30-day rolling contract, no long-term lock-in, simply 30 days’ notice to quit.  We also offer a totally free 14-day trial that is fully functional, so you can see the outputs from your own system, rather than look at demos with dummy data.