High-dependency operations without the big-enterprise budget
If a small number of systems keep your business running and downtime genuinely hurts, you do not need an enterprise security programme. You need a disciplined set of priorities: close the most common attack paths, make recovery predictable, and build evidence that you are actually in control. This guide shows you how.
This guide is a practical orientation to be read, not a full audit to be worked through. If you suspect a live incident, follow your incident response path first and come back to guides afterwards.
You do not need perfect. You need predictable.
Most owner-led SMEs arrive at cyber security via one of two bad routes. The first is doing nothing, usually until something goes wrong. The second is buying a collection of tools and hoping that the spend translates into protection. Neither produces the thing that actually matters: a resilience posture you can demonstrate, recover from, and maintain without a dedicated security team.
The practical path is different from both. It starts not with tools but with three questions: what keeps this business running, what would stop it, and how quickly could we recover if the worst happened? The answers define the priorities. The controls follow from the priorities, not the other way around.
If losing email, identity, finance tools, your line-of-business application, or cloud file storage for 24 to 72 hours would cause real operational damage, customer impact, or regulatory exposure, you are a high-dependency operation regardless of headcount. A ten-person professional services firm with everything in Microsoft 365 and one accounting system is as dependent as a 200-person manufacturer with an ERP. The category is about fragility, not size.
The goal is not a passing grade on an audit. It is the ability to answer three questions with evidence rather than opinion: what are your three highest-priority risks right now, what controls are in place to address them, and what is your recovery plan if those controls fail? Organisations that can answer these three questions consistently are considerably more resilient than those that cannot, regardless of the scale of their security budget.
The four attack types that break owner-led SMEs.
The specific tools and systems differ enormously across SMEs. The underlying patterns that attackers exploit are far more consistent. These four attack types account for the overwhelming majority of significant cyber incidents in UK owner-led businesses.
1. Identity compromise: the master key
A stolen password or a bypassed MFA prompt gives an attacker access to everything that password unlocks: email, cloud storage, finance systems, admin consoles. For most SMEs, a single compromised account is enough to reach everything the business runs on. The attacker does not need to be technically sophisticated. They need your credentials, and those are cheaply available on criminal marketplaces for accounts that have been breached elsewhere and reused.
The damage is compounded when admin accounts are used for daily work, when passwords are shared between colleagues, or when MFA has been switched off because someone found it inconvenient. Each of these decisions converts identity compromise from a recoverable incident into a full business crisis.
Most common entry point. Fast damage path.
2. Business email compromise: fraud without malware
BEC does not require the attacker to install anything. They either compromise a legitimate mailbox or spoof a domain convincingly enough to deceive a recipient. Once inside a conversation thread, they watch, learn, and wait. Payment patterns, supplier relationships, pending invoices, and the personal styles of key individuals are all collected over days or weeks. The fraudulent instruction, when it arrives, looks entirely legitimate because it is based on real intelligence from real correspondence.
The financial losses from BEC are significant and largely unrecoverable once a transfer has been processed. Beyond direct fraud, BEC also enables client deception, data exposure through forwarding rules, and reputational damage when clients discover their supplier's email account was reading their correspondence for weeks. No malware scanner catches any of this.
Primary fraud vector. Unrecoverable losses.
3. Ransomware and destructive outage: the recovery test
Ransomware encrypts files and demands payment. Destructive attacks delete or corrupt data without demanding anything. In both cases, the operational question is the same: can you restore your critical systems, from clean backups, within a timeframe that does not destroy the business? For most UK SMEs that have not tested their restores, the honest answer to this question turns out to be "we are not sure, and finding out during an incident is the worst possible time."
The ransomware decision tree is also harder than it sounds. Whether to pay, how to engage with the attacker's communication, what to tell clients and regulators while systems are down, how to verify that backups are clean before restoring, when to involve insurers, and how to document the incident for subsequent regulatory or legal purposes: all of these decisions happen under pressure, simultaneously, in the first 24 to 48 hours. Having a written playbook for this scenario is not optional if you have any dependency on digital systems.
Maximum operational impact. Recovery time unknown.
4. Third-party and vendor exposure: the door you left open
Your IT support provider, your SaaS vendors, your payroll platform, your CRM supplier, and any partner with remote access to your systems all represent entry points that you do not fully control. A compromise at any of them can reach you through what appears to be a legitimate, trusted connection. This is supply chain compromise, and it is now the vector behind a significant and growing proportion of SME incidents in the UK.
The exposure is compounded by two common patterns: access granted during a project that was never removed when the project ended, and SaaS tools adopted by individual teams without central visibility or review. Both leave standing access points that the business is unaware of. You cannot protect what you cannot see.
Hidden exposure. Growing vector.
The minimum viable resilience stack.
The goal here is not an exhaustive control framework. It is the smallest set of controls that addresses most of the practical risk for a high-dependency SME with limited security resource. These four areas, done properly and maintained actively, would prevent or substantially limit the impact of the majority of SME cyber incidents.
Identity: start here, before everything else
- MFA enforced on every account, including finance, admin, and any cloud platform. Authenticator app, not SMS where possible. Not optional for any role.
- Separate admin accounts for administrative tasks. Nobody should be doing daily email and admin panel changes from the same account.
- No shared logins. If shared accounts are unavoidable in a specific context, those credentials are tracked, rotated on a schedule, and removed when the shared context ends.
- Conditional access policies where your platform supports them: block logins from unexpected locations, flag risky sign-in events, require re-authentication after a period of inactivity.
- Leaver process that covers SaaS. When someone leaves, their access is removed from every cloud tool they used, not just email and the main systems. The gap between "email disabled" and "all access removed" is where most SME leaver breaches occur.
Email: close the fraud highway
- SPF, DKIM, and DMARC configured correctly on your domain. These reduce spoofing and impersonation, and their absence makes it easier for attackers to send convincing emails that appear to come from your domain. Many SMEs have SPF configured but DMARC absent or in monitoring-only mode, which provides little protection.
- Block automatic external forwarding. Many BEC attacks set up forwarding rules to exfiltrate email silently. If your email platform allows users to set up automatic forwarding to personal accounts, that capability should be disabled at admin level or subject to an alert.
- No email-only payment instruction changes. Any new or changed payment instruction received by email should be verified via a second channel using a contact number already in your records, not one from the email. This single policy prevents the majority of invoice fraud and payment diversion attacks.
- Short, targeted awareness. Not a two-hour annual training course. Regular, brief, specific awareness of the patterns that actually target your type of business, with a clear and blame-free reporting route for anything that looks wrong.
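The SPF, DKIM and DMARC point above is where most SMEs stop at "we have a record" without checking what the record actually enforces. The script below is an added example, not part of this guide or any vendor's tooling: it parses the three record types and flags the common weak states (no record, SPF ending in +all or ~all, DMARC with p=none, a missing aggregate-report address, a DKIM selector with no key). The RECORDS dictionary is constructed sample data standing in for DNS answers so the check runs offline; the domain and selector names are hypothetical, and in real use lookup() would be replaced with a DNS TXT query.

```python
"""Offline assessment of SPF / DKIM / DMARC records for one domain.

Added example: RECORDS is constructed data that stands in for DNS TXT
answers so the script runs with no network access. Swap lookup() for a
real DNS query (for example with the dnspython library) to use it live.
"""
import re

# Constructed sample answers for a hypothetical domain (not real DNS data).
RECORDS = {
    "example-sme.co.uk": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-sme.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example-sme.co.uk"],
    "selector1._domainkey.example-sme.co.uk": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
}


def lookup(name):
    """Return the TXT strings for a name (replace with a real DNS query)."""
    return RECORDS.get(name, [])


def parse_tags(record):
    """Parse 'k=v; k=v' style records (DMARC, DKIM) into a dict of lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain):
    findings = []
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; mail claiming to be from this domain never fails SPF"]
    if len(spf) > 1:
        findings.append("SPF: more than one record; receivers treat this as a permanent error")
    terms = spf[0].split()
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term is None or all_term == "+all":
        findings.append("SPF: missing or '+all' terminator; the record permits any sender")
    elif all_term == "~all":
        findings.append("SPF: '~all' softfail; acceptable only if DMARC enforces a policy")
    # Mechanisms that cost a DNS lookup are capped at 10 by the SPF standard.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(domain):
    findings = []
    recs = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record; spoofed mail is neither quarantined nor reported"]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unrecognised policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; you will receive no aggregate reports")
    return findings


def assess_dkim(domain, selectors):
    findings = []
    for sel in selectors:
        recs = lookup(f"{sel}._domainkey.{domain}")
        tags = parse_tags(recs[0]) if recs else {}
        # The v tag is optional in DKIM key records; DKIM1 is the default.
        if not recs or tags.get("v", "DKIM1").upper() != "DKIM1":
            findings.append(f"DKIM: selector '{sel}' has no valid key record")
        elif not tags.get("p"):
            findings.append(f"DKIM: selector '{sel}' publishes an empty key (revoked)")
    return findings


def assess_domain(domain, selectors=("selector1", "selector2")):
    """Combine the three checks; an empty list means no weak states were found."""
    return assess_spf(domain) + assess_dmarc(domain) + assess_dkim(domain, selectors)


if __name__ == "__main__":
    for finding in assess_domain("example-sme.co.uk"):
        print(finding)
```

Run against the constructed data it reports three weak states: an SPF softfail, a DMARC policy of none, and a second DKIM selector with no key. The same three findings are exactly what a "we have SPF set up" SME usually has in production, which is why the guide treats monitoring-only DMARC as little protection.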
Endpoints and patching: reduce the attack surface
- Patching cadence for operating systems, browsers, and the top ten most commonly exploited applications. Unpatched systems are the most common initial access vector after phishing. A patch schedule that runs monthly and covers the highest-risk applications addresses the large majority of commodity exploit attempts.
- Endpoint detection and response (EDR) or AV that is correctly configured and actively monitored, not just installed. A security tool that generates alerts nobody reviews provides no protection. Know what your endpoint security generates and who receives the alerts.
- Remove local admin rights from standard user accounts where operationally feasible. Local admin is not needed for most roles. Where it is required, it should be time-limited or controlled through a privileged access management process.
- Application controls for the highest-risk environments: block execution from user temp directories and downloads folders, where ransomware most commonly attempts to run.
Backups and recovery: the control that everything else depends on
- Isolated backups that a ransomware event cannot reach through the same credentials used in your main environment. An always-online backup target connected with admin credentials that are also used elsewhere is not a safe backup. It is a second copy of the data that will be encrypted alongside the primary.
- Tested restores, not assumed ones. A backup you have never successfully restored from is a belief, not a control. Test restores quarterly for critical systems and document the result: what was tested, when, whether it succeeded, and how long it took.
- Defined RTO and RPO for your top five systems. Recovery Time Objective (how long you can be down) and Recovery Point Objective (how much data loss is acceptable) do not need to be sophisticated, but they must be written down and aligned with what your backup regime actually provides.
- Recovery runbook. A written document covering who makes the decision to restore, who executes the restore, which systems come back in which order, and who communicates with clients and suppliers while systems are down. If this document only exists in the head of your IT person, it is not a runbook.
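The backups section asks for four things that are easy to assert and rarely checked together: an isolated copy, tested restores, written RTO/RPO, and a backup regime that can actually meet them. The following is an added example (not the guide's own tooling) that takes a small register of critical systems and restore-test records and reports, per system, where the belief and the evidence diverge. All systems, dates and durations are constructed; the "as of" date is fixed so the output is reproducible.

```python
"""Check critical systems' backup posture against their written RTO/RPO.

Added example with constructed data: SYSTEMS holds the top-five register
(targets plus backup facts) and RESTORE_TESTS the documented test log.
"""
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)            # constructed "today" for reproducible results
MAX_TEST_AGE = timedelta(days=90)    # quarterly restore tests for critical systems

SYSTEMS = [
    {"name": "Microsoft 365 mail", "rto_h": 24, "rpo_h": 24, "backup_interval_h": 24, "isolated_copy": True},
    {"name": "Accounting", "rto_h": 8, "rpo_h": 4, "backup_interval_h": 24, "isolated_copy": True},
    {"name": "File server", "rto_h": 48, "rpo_h": 24, "backup_interval_h": 12, "isolated_copy": False},
    {"name": "CRM", "rto_h": 24, "rpo_h": 24, "backup_interval_h": 24, "isolated_copy": True},
]

RESTORE_TESTS = [
    {"system": "Microsoft 365 mail", "date": date(2024, 5, 14), "succeeded": True, "duration_h": 6},
    {"system": "Accounting", "date": date(2024, 6, 2), "succeeded": True, "duration_h": 11},
    {"system": "File server", "date": date(2024, 1, 20), "succeeded": True, "duration_h": 20},
    # CRM has never been restore-tested, so it has no entry.
]


def latest_test(name, tests):
    """Most recent documented restore test for a system, or None."""
    mine = [t for t in tests if t["system"] == name]
    return max(mine, key=lambda t: t["date"]) if mine else None


def evaluate(systems, tests, as_of=AS_OF):
    """Return {system name: [issues]}; an empty list means the evidence supports the targets."""
    report = {}
    for s in systems:
        issues = []
        # RPO is bounded by how often a backup is taken.
        if s["backup_interval_h"] > s["rpo_h"]:
            issues.append(f"RPO {s['rpo_h']}h cannot be met by a {s['backup_interval_h']}h backup interval")
        if not s["isolated_copy"]:
            issues.append("no backup copy isolated from production credentials")
        t = latest_test(s["name"], tests)
        if t is None:
            issues.append("never restore-tested: the backup is a belief, not a control")
        else:
            if not t["succeeded"]:
                issues.append(f"last restore test on {t['date']} failed")
            elif t["duration_h"] > s["rto_h"]:
                issues.append(f"last restore took {t['duration_h']}h against an RTO of {s['rto_h']}h")
            if as_of - t["date"] > MAX_TEST_AGE:
                issues.append(f"last restore test on {t['date']} is older than {MAX_TEST_AGE.days} days")
        report[s["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in evaluate(SYSTEMS, RESTORE_TESTS).items():
        print(name, "-", "; ".join(issues) or "ok")
```

On the constructed register only the mail platform passes. Accounting has an RPO its nightly backup cannot meet and a measured restore longer than its RTO; the file server has no isolated copy and a stale test; the CRM has never been tested at all. Those are the four findings a quarterly review should surface before an incident does.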
How to prioritise with limited time: the 30-30-30 rule.
Most owner-led SMEs have a finite and already-committed budget, no dedicated security resource, and competing operational demands on the time of anyone who could work on this. The question is not how to do everything. It is how to allocate limited effort to the areas that produce the most risk reduction.
- 30% on prevention: close the easy attack paths. MFA, email controls, patching cadence, and removing unnecessary access. These are the controls that stop the most common attack types before they achieve anything.
- 30% on detection: know when something has gone wrong. Basic logging and alerting for high-risk events: failed login attempts, new mail forwarding rules, admin account activity outside normal hours, large data movements. You do not need a SIEM. You need alerts on the events that matter.
- 30% on recovery: make restoring to normal operations a routine, tested capability rather than an improvised emergency. This is the area most consistently under-invested in SME security budgets, and the one that determines the actual cost of an incident when prevention fails.
- 10% on governance: document decisions, maintain evidence, and ensure that someone at leadership level owns cyber risk explicitly and visibly. This is not bureaucracy. It is what separates a business that can answer a buyer questionnaire confidently from one that cannot.
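The detection line above names four events that matter without a SIEM: failed-login bursts, new external forwarding rules, admin activity out of hours, and large data movements. The script below is an added example, not part of this guide, that runs those four rules over an audit feed. The EVENTS list is constructed sample data in a deliberately simplified, hypothetical schema (it is not the export format of Microsoft 365, Google Workspace or any other platform); the mail domain, thresholds and business-hours window are assumptions to adjust for your own environment.

```python
"""Alert on the handful of high-risk events from a sign-in and admin audit feed.

Added example. EVENTS is constructed data in a simplified hypothetical
schema; map your platform's real export fields onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example-sme.co.uk"          # assumption: the business's own mail domain
BUSINESS_HOURS = (7, 20)                        # local-time window for normal admin work
FAILED_LOGIN_THRESHOLD = 5                      # failures per user inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024        # 500 MB moved by one user in one event

# Constructed events; timestamps are local time in ISO 8601 form.
EVENTS = [
    {"ts": "2024-05-03T09:02:11", "user": "sam@example-sme.co.uk", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2024-05-03T09:02:40", "user": "sam@example-sme.co.uk", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2024-05-03T09:03:05", "user": "sam@example-sme.co.uk", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2024-05-03T09:03:30", "user": "sam@example-sme.co.uk", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2024-05-03T09:04:02", "user": "sam@example-sme.co.uk", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2024-05-03T09:07:00", "user": "sam@example-sme.co.uk", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"ts": "2024-05-03T09:08:30", "user": "sam@example-sme.co.uk", "op": "New-InboxRule",
     "forward_to": "sam.backup@personal-mail.example"},
    {"ts": "2024-05-03T23:41:05", "user": "admin-jo@example-sme.co.uk", "op": "Add-RoleGroupMember", "admin": True},
    {"ts": "2024-05-04T10:15:00", "user": "lee@example-sme.co.uk", "op": "FileDownloaded", "bytes": 900 * 1024 * 1024},
    {"ts": "2024-05-04T11:00:00", "user": "lee@example-sme.co.uk", "op": "New-InboxRule",
     "forward_to": "finance@example-sme.co.uk"},
]


def detect(events):
    """Return (rule, user, detail) tuples for every event that should reach a person."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        op = ev["op"]
        if op == "UserLoginFailed":
            window = failures[ev["user"]]
            window.append(ts)
            window[:] = [t for t in window if ts - t <= FAILED_LOGIN_WINDOW]
            # Fire once, when the threshold is first reached inside the window.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", ev["user"],
                               f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
        elif op == "New-InboxRule" and ev.get("forward_to"):
            # Forwarding inside the business is routine; forwarding outside it is the BEC pattern.
            target_domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if target_domain != INTERNAL_DOMAIN:
                alerts.append(("external_forwarding_rule", ev["user"], ev["forward_to"]))
        elif ev.get("admin") and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append(("admin_out_of_hours", ev["user"], f"{op} at {ts:%H:%M}"))
        elif op == "FileDownloaded" and ev.get("bytes", 0) >= LARGE_DOWNLOAD_BYTES:
            alerts.append(("large_data_movement", ev["user"], f"{ev['bytes'] // 2**20} MB"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS):
        print(f"{rule:<26} {user:<28} {detail}")
```

The constructed feed produces four alerts and, importantly, one non-alert: the internal forwarding rule is ignored, which is what keeps the rule set quiet enough that someone will still read it. The burst rule is also written to fire once per window rather than on every subsequent failure, for the same reason.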
The allocation is a starting point, not a fixed rule. If your prevention controls are already strong but you have never tested a restore, shift more effort toward recovery. If detection is completely absent, prioritise that. The point is to make a deliberate decision about allocation rather than spending reactively on whatever was last in a vendor conversation.
A quarterly roadmap: what disciplined looks like over a year.
A year of consistent, sequenced effort produces a meaningfully more resilient posture than the same number of hours spent reactively on whatever problem is most visible at a given moment. The sequence matters: identity controls provide the platform that everything else depends on, so they come first. Backups come second because they are the last line of defence if everything else fails. Endpoint discipline comes third because it reduces the probability of reaching the point where backups are needed. Governance and evidence come fourth because they make the first three demonstrable.
Q1: Stabilise identity and payment controls
MFA enforced on all accounts including finance and admin. Admin accounts separated from daily-use accounts. A leaver process that covers SaaS tools, not just email. A documented policy that no payment instruction change is processed on the basis of email alone, with a named owner for enforcing it. Access review: who currently has what, and what needs to be removed. By the end of Q1, your identity posture should be demonstrably stronger than it was on day one.
Q2: Backups you can actually restore from
Review what your current backup regime actually covers for your top five systems. Identify any gaps: systems not backed up, backups that share credentials with production, or backup targets that ransomware could reach. Move at least one backup copy to an isolated target. Define RTO and RPO for your critical systems, in writing. Execute and document a restore test for each critical system. Write the first version of your recovery runbook, even if it is short. By the end of Q2, you should know what you can restore and how long it takes.
Q3: Patching discipline and endpoint controls
Establish a patch cadence for OS, browsers, and the highest-risk applications. Verify that your endpoint security (EDR or AV) is correctly configured and that someone receives and reviews its alerts. Remove local admin rights from standard user accounts where feasible. Review what automatic external email forwarding is currently permitted and close it down at admin level. By the end of Q3, you should have a documented patching schedule with evidence of completion and confidence that your endpoint security is actively working.
Q4: Incident readiness and evidence pack
Write a first-hour incident playbook covering your actual team structure: who is notified, who decides, who contacts the insurer, who talks to clients, and in what sequence. Run a tabletop exercise using a realistic scenario for your business, such as email account compromised on a Friday evening, or key operational system encrypted. Build your evidence index: access to your documentation, tested backup evidence, patch records, and policy documents in one place. By the end of Q4, a buyer security questionnaire should be answerable from current documentation, not assembled under time pressure.
Four mistakes that repeatedly undermine SME security investments.
These are not exotic failures. They appear in the majority of owner-led businesses that have made a genuine effort to improve their security posture but have not yet achieved a resilient one. Recognising them early saves considerable time and money.
Buying tools before making decisions
A security product sale happens. Licences are purchased. The tool is installed. Three months later, the alerts are muted because they are too noisy, the policies are set to monitor-only rather than block, and nobody is reviewing the dashboard. The budget has been spent, the risk has not changed.
Instead: identify your top three risks first. Then choose controls that specifically address those risks. A tool purchased to solve a clearly defined problem is configured, maintained, and reviewed. A tool purchased because it sounded comprehensive usually is not.
Backups that share credentials with production
The backup runs every night to a target that is authenticated with the same admin credentials used in the main environment. Ransomware that compromises those credentials can reach both. The backup is encrypted alongside the primary data. The "last line of defence" turns out to be as vulnerable as everything it was supposed to protect.
Instead: at minimum, one backup copy should be isolated from the production environment in a way that the production admin credentials cannot reach it. This can be a separate cloud account, an offline copy, or an immutable backup target. Test it.
"We will handle it if it happens"
This is the most expensive sentence in SME incident response. When a ransomware event hits at 11pm on a Thursday, capable people improvise under pressure: devices get powered off prematurely, logs are deleted, passwords are reset before sessions are revoked, the insurer is not notified within the required window, and the ICO clock starts running without anyone knowing it. Each improvised decision raises the cost and limits the options.
Instead: a short, written playbook covering the first 60 minutes of an incident for the two or three most likely scenarios. Not a 40-page framework. A laminated card with the decision sequence, key contacts, and the three things not to do under any circumstances.
Ignoring supplier and vendor access
The IT support firm has remote access. The payroll provider accesses your HR system. The CRM vendor has a support login that was set up during implementation. The subcontractor who did a project eighteen months ago still has a portal login. None of these are reviewed quarterly. Some are not documented at all. Any of them can be the entry point if the supplier is compromised or if former contractor credentials are exploited.
Instead: a supplier access register. A spreadsheet with five columns: supplier name, what they can access, business reason, date access was granted, and date of last review. Reviewed quarterly. Access removed when contracts end, not months later.
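The five-column register above is only useful if the quarterly review actually happens, so here is an added example (not the guide's own template) of the review step: it reads the register as CSV and flags entries with no business reason, entries never reviewed since access was granted, and entries whose last review is older than the quarterly interval. The REGISTER text and the supplier names are constructed, and the review date is fixed so the output is reproducible.

```python
"""Quarterly review of a supplier access register.

Added example: REGISTER is constructed CSV text in the five-column layout
described in the guide; AS_OF is a fixed review date.
"""
import csv
import io
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)
REVIEW_INTERVAL = timedelta(days=90)   # the guide's quarterly review cadence

REGISTER = """supplier,access,business_reason,granted,last_review
IT support firm,Remote admin to all endpoints and M365 tenant,Managed IT contract,2022-03-01,2024-05-20
Payroll provider,HR system read/write,Monthly payroll,2021-09-15,2024-02-10
CRM vendor,Support login on CRM,Implementation support,2023-01-12,
Subcontractor (project X),Client portal login,,2022-12-05,2022-12-05
"""


def parse_date(text):
    """ISO date or None for an empty cell."""
    return date.fromisoformat(text) if text.strip() else None


def load_register(text):
    return list(csv.DictReader(io.StringIO(text)))


def review(rows, as_of=AS_OF):
    """Return {supplier: [issues]}; an empty list means the entry is current."""
    findings = {}
    for row in rows:
        issues = []
        granted = parse_date(row["granted"])
        reviewed = parse_date(row["last_review"])
        if not row["business_reason"].strip():
            issues.append("no business reason recorded; candidate for removal")
        if reviewed is None:
            issues.append(f"never reviewed since access was granted on {granted}")
        elif as_of - reviewed > REVIEW_INTERVAL:
            issues.append(f"last review {(as_of - reviewed).days} days ago; overdue")
        findings[row["supplier"]] = issues
    return findings


if __name__ == "__main__":
    for supplier, issues in review(load_register(REGISTER)).items():
        print(supplier, "-", "; ".join(issues) or "current")
```

On the constructed register the IT support firm is current, the payroll provider is overdue, the CRM vendor's implementation login has never been reviewed, and the old project subcontractor has neither a business reason nor a recent review: the "door you left open" pattern from the section above, made visible in a few lines.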
The evidence pack: what to build so buyers and regulators get a confident answer.
The practical value of a security posture is tested in three situations: when a buyer sends a security questionnaire, when an insurer asks for evidence at renewal, and when something goes wrong and a regulator or client asks what controls were in place. In all three situations, the outcome depends not on whether you had good intentions but on whether you have current, accurate documentation that reflects what you actually do.
An evidence pack for a high-dependency SME does not need to be large. It needs to be real and current. The components that answer most of the questions asked in a buyer questionnaire or insurer review are:
- Asset and system inventory. What systems you run, what data they hold, and who is responsible for each. Not exhaustive: a one-page summary of your five to ten most critical systems is sufficient for most purposes.
- Access standards. How access to systems is granted, reviewed, and removed. Evidence that MFA is enforced and that the last access review happened within the last quarter.
- Supplier access register. Who has access to your systems from outside, with business justification and last-review date for each.
- Backup evidence. Documentation of your backup configuration and a record of your most recent successful restore test for each critical system, with the date, the system tested, and the outcome.
- Patch records. Evidence that patches are applied on a regular schedule, even if that evidence is a simple spreadsheet or a screenshot from your patch management tool showing completion status.
- Incident response procedure. Your first-hour playbook for the scenarios most likely to affect your business. With a named owner, a current contact list, and evidence that it has been reviewed or rehearsed within the last twelve months.
- GDPR/data protection documentation. Records of processing, retention periods, and processor list if you process personal data. Relevant for almost every UK SME. See the GDPR for owner-led SMEs guide for detail on each component.
A readiness call takes one hour. We walk through your current posture against these areas, identify the gaps, and give you a prioritised sequence for closing them. The output is a concrete next step, not a 40-page report. If you want to build the evidence pack with support, our governance and compliance service covers all seven components with a review cycle designed for owner-led businesses.
Related resources and next steps
Other UK SMEs: full sector briefing
The complete picture: all six failure modes, service details, outcomes, and contrast table for owner-led UK businesses across sectors.
GDPR for owner-led SMEs without the legal fog
Lawful basis, records of processing, breach handling, and a quarterly operating rhythm in plain English. No legal background required.
"If we were hit tonight": incident readiness self-assessment
Six sections covering identity, backups, email, IR readiness, governance, and regulatory exposure. For owners and directors.
Every decision in the first hour affects what you can recover, what the insurer will cover, and what you can tell clients and regulators. Do not improvise it.