Free resources · No registration

Start here.
Before the pressure is real.

Practical guides, checklists and briefings for UK SME owners, directors and operations leads. No registration, no email capture, no vendor pitch buried in the appendix. Read it, use it, share it.

Incident readiness Sector failure modes Board briefing Cyber Essentials Quick references

Checklist 8-min read · Owner and director level

"If we were hit tonight": incident readiness checklist

A pragmatic self-assessment for UK SME owners and directors. Know your gaps before an incident forces the question. Works across any sector. No technical background required.

This checklist is read-only. No sign-up. No email required. Work through each section and note where your honest answer is "no" or "I don't know."

▶ Access and identity

All email and cloud accounts have multi-factor authentication active, including shared inboxes
A process exists to remove access when someone leaves the organisation within 24 hours
Subcontractors, suppliers, and IT partners do not have broader access than their role requires
Shared logins are not in use across your key operational systems

▶ Backups and recovery

Backups run for all critical systems, including your finance platform, operational software, and key file stores
At least one backup copy is stored offline or in a separate account that an attacker could not reach if your main systems were compromised
You have tested a restore from backup within the last six months and confirmed data was recoverable
You know how long it would take to restore each critical system and whether that is acceptable

▶ Email and payment controls

Your email domain has DMARC, DKIM, and SPF configured to reduce spoofing and impersonation risk
Your finance or accounts team verifies any new or changed payment instruction via a second channel before processing it
Staff can recognise a business email compromise attempt and know who to report it to without delay
Email accounts are monitored for unexpected login locations or unusual forwarding rules

▶ Incident response readiness

A named person in your organisation owns the first response to a cyber incident, and that person knows it
You have a written first-hour guide covering what to do and who to contact if ransomware hits or an account is compromised
You know whether you have a reporting obligation to the ICO under UK GDPR and what your 72-hour window looks like in practice
Staff know not to power off compromised systems, delete logs, or reset accounts before getting specialist advice

▶ Governance and visibility

You can list all third parties that have active access to your systems, data or networks right now
A named person reviews cyber risk at board or leadership level at least quarterly
Your cyber insurance policy has been reviewed in the last 12 months and you understand what it does and does not cover
Governance documentation (acceptable use, access policy, IR procedure) reflects your actual current practices, not what you intended to set up two years ago

▶ Sector and regulatory exposure

You know which regulators or frameworks apply to your organisation (ICO, FCA, SRA, CQC, NHS, Cyber Essentials contract requirements) and whether you are meeting them
Buyer or client security questionnaires can be answered from real, current documentation rather than from optimistic memory
Any previous security incidents or near-misses have been reviewed to identify what gap they exposed
You have a plan for communicating a breach to clients, customers and regulators that does not involve writing it from scratch on the day

What to do with your results

Count your honest "no" or "I don't know" answers. Three or more in any single section means that area is a priority. If your incident response section has two or more gaps, that is where to start: the controls are most valuable when the response is rehearsed before the incident happens.

Book a readiness call to work through the gaps Incident response service details

Sector guide Applies to: transport, professional services, manufacturing, healthcare, other SMEs

Five failure modes that disrupt UK SMEs in operationally critical sectors

The specific tools change from firm to firm, but the underlying failure patterns are consistent. These are the five we encounter most often when we walk into a UK SME for the first time: not exotic zero-days, but predictable gaps that commodity attackers exploit reliably.

Business email compromise: the patient intercept

An attacker compromises or spoofs a mailbox and waits. They read correspondence, understand payment patterns, and submit a convincing instruction at the right moment. The fund transfer is made. Recovery is rare. This is the No. 1 cyber-enabled fraud category in the UK by financial loss.

Professional services Transport Manufacturing All sectors

Ransomware on operational systems: the week the business stopped

Ransomware does not care what your system is called. TMS, ERP, WMS, practice management software: if it is networked and the access controls are weak, it is a target. The average UK SME without a tested recovery plan takes three or more weeks to restore normal operations. Every day has a direct cost.

Transport Manufacturing Healthcare

Subcontractor and supplier access: the door you left open

Third parties are given access during a project and the access is never removed. Or a supplier's own systems are compromised, and the attacker uses that supplier's legitimate credentials to reach you. Supply chain compromise is now the vector in the majority of significant SME breaches in operationally complex sectors.

Transport Manufacturing Professional services

Client data exposure: the misconfiguration nobody spotted

A shared drive is set to "anyone with the link". A cloud storage bucket has the wrong default. A file containing client records is accessible from the internet. These exposures are often discovered by the ICO or a client before the firm itself notices. The notification obligation runs from when you become aware, not when the exposure began.

Professional services Healthcare Other SMEs

The untested backup: recovery assumed, never verified

Backups run every night. Nobody has tested whether they actually restore. When ransomware hits and the first restore attempt fails, the backup regime that was the entire recovery plan turns out to have been partial, slow, or encrypted alongside the primary data. This is the failure that turns a serious incident into a catastrophic one.

All sectors

The common thread

None of these five failure modes require a sophisticated attacker. They require predictable gaps to exist: weak access controls, untested restores, unreviewed supplier access, and an absence of any rehearsed first-hour response. The controls that address them are not complex. The gaps just have to be found and closed before the pressure is real.

Book a readiness call See your sector in detail

Board briefing For owners, directors and leadership teams

How to talk about cyber risk without the jargon theatre

Most board-level cyber conversations fail because they are framed around acronyms and vendor presentations rather than risk, trade-offs, and accountability. This briefing gives you the language to have a useful conversation at leadership level without needing a technical background.

Reframe 01

From "are we secure?" to "what could stop us operating?"

Security is not binary. The useful question at board level is not "are we secure?" but "what is the most likely way a cyber incident could disrupt operations, damage clients, or create a regulatory problem, and what would it cost us?"

Better board question "If we lost access to [key system] for five working days, what is the operational and financial impact, and do we have a tested plan for that scenario?"

Reframe 02

From "IT will handle it" to named accountability

Cyber risk is a business risk, not an IT problem. The board needs a named individual accountable for oversight of cyber risk: someone who reports on posture, owns the IR plan, and can brief the board annually without hiding behind technical language.

Better board question "Who in this organisation is accountable for our cyber resilience posture, and when did they last brief the board on it?"

Reframe 03

From compliance checkbox to evidence you can show

Buyers, insurers, and regulators do not want to hear that you believe you are compliant. They want documentation. The difference between a firm that survives scrutiny and one that does not is usually whether the governance documentation reflects current practice.

Better board question "If a client audit team or the ICO asked us to demonstrate our controls tomorrow, what documentation would we provide and is it current?"

Reframe 04

From "what did we spend on security?" to "what did we test?"

Spend without testing is not resilience. The most important metric is not the security budget: it is whether backups restore successfully, whether the incident response plan has been rehearsed, and whether staff can recognise and report the most common attack patterns.

Better board question "What have we actually tested in the last 12 months? Backup restores, phishing simulations, IR tabletop? When and what did we learn?"

Reframe 05

From "we haven't been hit" to "we haven't noticed yet"

The absence of a known incident is not evidence of strong controls. UK NCSC data consistently shows that the gap between initial compromise and detection in SMEs is measured in weeks, sometimes months. Not being aware of an incident is not the same as not having one.

Better board question "If an attacker had been in our systems for three months, what would they have been able to reach, and would we know about it?"

Reframe 06

From "cyber insurance will cover it" to understanding the policy

Cyber insurance policies contain exclusions, conditions, and sub-limits that most buyers do not read until they make a claim. Common conditions include having MFA active on email, documented IR procedures, and sometimes Cyber Essentials certification. Missing a condition can invalidate a claim.

Better board question "What conditions does our cyber insurance policy require us to maintain? Have we confirmed that we currently meet all of them?"

Book a board-level briefing session vCISO & executive resilience

Cyber Essentials Certification preparation · Two dedicated guides

Cyber Essentials: preparation and evidence resources

Cyber Essentials is increasingly required for government contracts, NHS supply chain, and cyber insurance at competitive premiums. These two guides cover the two most common failure points: not knowing where your gaps are before you apply, and submitting without the right evidence.

Pre-check checklist

Cyber Essentials pre-assessment checklist

Work through all five technical control areas before you submit. Find the gaps that cause failures before an assessor does. Covers firewalls, secure configuration, access control, malware protection, and patch management with evidence prompts for each.

Open checklist →

Failure guide

The seven most common Cyber Essentials evidence failures

Why applications pass technical controls but still fail certification. The most frequent causes of reassessment involve evidence quality, not missing controls: scope creep, undocumented exceptions, MFA gaps, and incomplete asset registers.

Read the guide →

Need support with certification?

Our Cyber Essentials service covers gap assessment, remediation, and submission across all five control areas. We handle the process. You handle operations.

Quick references Practical operational and compliance guidance

Three things UK SMEs frequently get wrong.

Short-form references on recurring questions from owners and operations leads. Each covers a specific gap that regularly appears in our readiness sessions.

Cyber insurance

What insurers actually ask for at renewal

Cyber insurers have tightened their conditions significantly since 2021. The most commonly required controls are MFA on email, tested backups, a documented IR procedure, and Cyber Essentials certification (some policies). Missing a stated condition can void a claim after an incident.

What to do: Pull out your policy and check the conditions section. List what is required. Confirm you currently meet each one with evidence. If you cannot confirm it, treat it as a gap.

UK GDPR

Your 72-hour breach notification window: what it actually means

The 72-hour clock starts when you become aware that a personal data breach has occurred, not when you have finished investigating it. You do not need to have all the answers before you notify the ICO: an incomplete notification submitted on time is better than a complete one submitted late.

What to do: Document your breach response procedure now, including who is responsible for the ICO notification, what information to include, and where to find it quickly. The first hour of an incident is not the time to draft this for the first time.

Access governance

Supplier access: what a register should contain and why it matters

A supplier access register is a simple list of all third parties with active access to your systems, data or networks, what they can access, why, and when access was last reviewed. Most SMEs cannot produce this quickly, which means they cannot identify exposure during an incident or respond to a buyer questionnaire accurately.

What to do: Create a spreadsheet with five columns: supplier name, what they can access, business reason, date access was granted, and date of last review. Review quarterly. Remove access when a contract ends the same week it ends.

Next step

Found the gaps. Want to close them?

A readiness call takes one focused hour. We walk through your posture, map your highest-priority exposures, and give you a realistic plan for what to close first. No tool pitches. No 40-page report.

Book a readiness call Explore our services See your sector

For UK SMEs with 20 to 500 staff. Remote-first, on-site available across the UK. NCSC-aligned. No commitment required.

Active incident?

If something is happening right now, do not start with a search engine.

Do not power off systems. Do not delete logs or emails. Do not attempt to reset or rebuild without advice. Call the advisory line first. Every decision in the first hour affects what you can recover, what the insurer will cover, and what you can tell clients and regulators.

📞 +44 (0)33 0122 4448 IR service details

Out-of-hours for active incidents. UK-based advisory.

Start here. Before the pressure is real.