The vast majority of cyber attacks target small and medium businesses. The reason is straightforward: attackers know SMEs have fewer resources dedicated to security, less mature processes, and in many cases, valuable data — client records, payment information, intellectual property — all accessible through perimeter defences that can be bypassed with relatively unsophisticated techniques. The NCSC's annual Cyber Security Breaches Survey consistently finds that around half of UK businesses have experienced a cyber breach or attack in the previous 12 months, with the average cost for SMEs running into thousands of pounds.
This checklist is designed to help you assess your cybersecurity posture quickly and honestly. Answer these 15 questions and you will know where your strengths and gaps lie — and where to focus your limited security budget.
The 15-Question Cybersecurity Audit
Access Control
- Do all employees use multi-factor authentication (MFA) for email, cloud services, and remote access?
MFA is the single most effective control you can implement. According to industry research, MFA blocks over 99% of automated credential theft attacks. If you are not using MFA across all cloud services, this is your highest priority gap. The NCSC recommends MFA as a foundational control, and the Cyber Essentials 2026 update now requires MFA for all cloud services, not just administrative accounts.
- Are privileged accounts (admin, IT, director-level) limited to staff who absolutely need them?
Privileged accounts are the primary target for attackers seeking to move laterally within your network. The principle of least privilege means each employee should have the minimum level of access needed to do their job — no more. Audit your admin accounts at least quarterly and remove access from anyone who no longer needs it.
- Do you revoke access within 24 hours when someone leaves the organisation?
Former employee accounts that remain active are a significant vulnerability. We have seen cases where former employees retained access to cloud services, social media accounts, and financial systems for months or years after departure. Automated de-provisioning integrated with your HR system is the gold standard. At minimum, have a documented offboarding checklist and assign clear responsibility for executing it.
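One way to check the 24-hour revocation rule in practice is to reconcile the HR leaver list against an export of identity-provider accounts. The script below is an added example, not code from the original article: the HR and identity-provider exports are constructed sample data, and their field names (employee_id, upn, enabled, last_sign_in) are assumptions about what such exports contain. It flags any leaver account that is still enabled more than 24 hours after the leaving date, and separately any account that signed in after the leaving date, since that indicates the dormant account was actually used.

```python
"""Offboarding check for the 24-hour revocation rule.

Added example, not code from the original page. It joins a constructed HR
leaver export against a constructed identity-provider account export and
flags accounts that are still enabled more than 24 hours after the leaving
date, or that signed in after it. Field names are assumptions about what
such exports contain.
"""
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=24)

# Constructed HR leaver export (employee id and leaving timestamp, UTC).
HR_LEAVERS = [
    {"employee_id": "E1001", "left_at": "2024-03-01T17:00:00Z"},
    {"employee_id": "E1002", "left_at": "2024-03-04T12:00:00Z"},
    {"employee_id": "E1003", "left_at": "2024-03-05T09:00:00Z"},
]

# Constructed identity-provider export; E2001 is a current employee.
IDP_ACCOUNTS = [
    {"employee_id": "E1001", "upn": "a.jones@example.com", "enabled": True,
     "last_sign_in": "2024-03-05T08:15:00Z"},
    {"employee_id": "E1002", "upn": "b.khan@example.com", "enabled": False,
     "last_sign_in": "2024-03-04T11:50:00Z"},
    {"employee_id": "E1003", "upn": "c.li@example.com", "enabled": True,
     "last_sign_in": "2024-03-05T09:30:00Z"},
    {"employee_id": "E2001", "upn": "d.smith@example.com", "enabled": True,
     "last_sign_in": "2024-03-05T09:45:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp; the trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_overdue_accounts(leavers, accounts, now):
    """Return leaver accounts that are still enabled past the SLA or were used after leaving."""
    left_at_by_id = {rec["employee_id"]: parse_ts(rec["left_at"]) for rec in leavers}
    findings = []
    for acct in accounts:
        left_at = left_at_by_id.get(acct["employee_id"])
        if left_at is None or not acct["enabled"]:
            continue  # current employee, or already de-provisioned
        overdue = now - left_at > REVOCATION_SLA
        # Any sign-in after the leaving date means the dormant account was actually used
        # and needs investigation even if the 24-hour window has not yet elapsed.
        used_after_leaving = parse_ts(acct["last_sign_in"]) > left_at
        if overdue or used_after_leaving:
            findings.append({
                "upn": acct["upn"],
                "hours_since_leaving": round((now - left_at).total_seconds() / 3600, 1),
                "overdue": overdue,
                "used_after_leaving": used_after_leaving,
            })
    return findings


def audit_at(now_iso):
    """Run the check against the constructed exports as of the given timestamp."""
    return find_overdue_accounts(HR_LEAVERS, IDP_ACCOUNTS, parse_ts(now_iso))


if __name__ == "__main__":
    for finding in audit_at("2024-03-05T10:00:00Z"):
        print(finding)
```

Run on a schedule against real exports, a non-empty result is the evidence that the offboarding checklist was not executed; the disabled account for E1002 and the current employee E2001 are correctly ignored.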
Data Protection
- Do you know where all sensitive data is stored — cloud platforms, laptops, email accounts, file shares, and mobile devices?
You cannot protect data you cannot find. Conduct a data discovery exercise to identify where customer personal data, financial records, employee data, and business-confidential information resides. Many SMEs are surprised to discover sensitive data in ungoverned locations — personal OneDrive accounts, shared folders with overly permissive access, email inboxes containing passport scans.
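A data discovery exercise usually starts with pattern matching over the content of file shares, mailboxes and exports. The scanner below is an added example, not code from the original article or from any product: the sample "files" and every number in them are constructed. It looks for payment card numbers and UK National Insurance numbers, validates card candidates with the Luhn checksum so that order references and other digit runs are not reported, and masks each match so the report itself does not become another copy of the sensitive data.

```python
"""Data discovery scanner for two UK-relevant patterns.

Added example, not code from the original page. It scans constructed sample
"files" for payment card numbers (validated with the Luhn check so that
order references and other digit runs are not reported) and UK National
Insurance numbers, and reports masked matches with their location.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK NI number: two prefix letters (D, F, I, Q, U, V not allowed; O not allowed
# as the second letter), six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")

# Constructed sample content; every number here is synthetic.
SAMPLE_FILES = {
    "finance/refunds-march.txt":
        "Refund to card 4111 1111 1111 1111 approved. Order ref 1234 5678 9012 3456.",
    "hr/new-starter.txt": "NI number AB123456C, start date 1 April.",
    "shared/minutes.txt": "Action: check printer code 1234567890123456 with the supplier.",
}


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so reports do not themselves leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path, text):
    """Return masked findings for one file's content."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({"path": path, "kind": "payment_card", "value": mask(digits)})
    for m in NINO_RE.finditer(text):
        findings.append({"path": path, "kind": "uk_nino", "value": mask(m.group())})
    return findings


def scan_files(files):
    """Scan a mapping of path -> text and return all findings in path order."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

On the constructed sample the card number in the finance file and the NI number in the HR file are reported, while the two sixteen-digit references fail the Luhn check and are left out. In a real exercise the same scan_text function would be fed the extracted text of documents, mailboxes and cloud storage, with the path recording where each copy was found.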
- Is sensitive data encrypted at rest and in transit?
Encryption at rest protects data if a device is lost or stolen. Encryption in transit (TLS for web traffic, encrypted VPN connections for remote access) protects data as it travels across networks. Both should be standard. Most cloud services provide encryption at rest by default, but you should verify this and understand where you are responsible for enabling it.
- Do you have a data retention and disposal policy that is actually followed?
Holding data longer than necessary increases your breach exposure and creates UK GDPR compliance risk. A data retention policy defines how long each category of data is kept and when it should be securely deleted. The policy is only useful if it is enforced — our consultants recommend including data retention obligations in employee offboarding processes and conducting periodic data clean-up exercises.
Incident Response
- Do you have a documented incident response plan?
A documented plan ensures that when a breach occurs — and for most organisations, it is a question of when, not if — your team knows what to do without having to figure it out under pressure. The plan should cover detection, containment, eradication, recovery, and notification obligations.
- Would your team know who to call and what to do within the first hour of discovering a breach?
The first hour of a breach is critical. Actions taken — or not taken — in this window can determine whether the incident is contained or escalates. Key decisions include: who contains the compromised system, who assesses regulatory notification obligations, who communicates with customers, and who contacts legal counsel and cyber insurance providers.
- Have you tested your incident response plan with a tabletop exercise?
A plan that has never been tested is a plan that may fail. Tabletop exercises simulate a breach scenario and walk key stakeholders through the response process. Our consultants recommend conducting at least one tabletop exercise annually, involving IT, legal, communications, and senior management.
Third-Party Risk
- Do you assess the security of new vendors before giving them access to your systems or data?
Your cloud service providers, IT support company, payroll provider, and even your cleaning contractor may have access to your premises or systems. Each represents a potential entry point for attackers. A simple vendor security questionnaire covering their security controls, certifications, and incident history is a minimum requirement for critical vendors.
- Do you have security requirements in your vendor contracts?
Verbal assurances are not sufficient. Contracts should include: data protection obligations (aligned with UK GDPR Article 28 where applicable), incident notification timelines, the right to audit, data deletion requirements on termination, and liability provisions for security failures.
Governance
- Does someone in your organisation have clear responsibility for cybersecurity?
Cybersecurity cannot be everyone's job — it ends up being nobody's job. Assign clear ownership to a named individual, whether internal (an IT manager, operations director, or compliance officer) or external (a fractional vCISO). This person should have sufficient authority to implement security improvements and report to senior leadership.
- Are cybersecurity risks reported to the board or senior management?
Cybersecurity is a business risk, not just an IT issue. Senior management and the board need regular reporting on the organisation's security posture, key risks, and progress against remediation plans. Quarterly reporting is a good starting point.
- Do you have cyber insurance that covers ransomware and business interruption?
Cyber insurance is a critical safety net, but policies vary significantly in their coverage. Ensure your policy explicitly covers ransomware payments, forensic investigation costs, legal costs, regulatory fines (where insurable), business interruption losses, and notification costs. Review your policy annually and understand any exclusions or conditions, such as the requirement to maintain specified security controls.
- Do you conduct security awareness training for all employees at least annually?
Human error remains the leading cause of breaches. Regular security awareness training — covering phishing recognition, password hygiene, safe internet use, and reporting procedures — significantly reduces risk. Our clients typically include simulated phishing campaigns as part of their training programme to measure effectiveness and identify high-risk individuals for additional coaching.
What Your Score Means
- 12–15 Yes: Strong posture. Focus on continuous improvement and maturing your programme.
- 8–11 Yes: Moderate posture. Several important gaps to address. Prioritise MFA, patching, and incident response.
- 4–7 Yes: Significant gaps. Your organisation is vulnerable to common attacks. Engage security leadership.
- 0–3 Yes: Critical risk. Your organisation has minimal protection. This requires immediate attention.
A low score is not a judgement — it is a starting point. Every organisation can improve its cybersecurity posture with a structured, prioritised approach. The key is to start, to make consistent progress, and to avoid the paralysis that comes from trying to fix everything at once.
For many SMEs, the most cost-effective model is to engage a fractional vCISO who can provide the strategic direction, technical knowledge, and regulatory awareness that the organisation needs, at a fraction of the cost of a full-time hire. This is particularly effective when the alternative is to have no dedicated security leadership at all.
Where to Start If Your Score Is Low
If you answered "No" to more than half of these questions, do not try to fix everything at once. Focus on the highest-impact controls first:
- Enable MFA everywhere. Start with email and cloud services. This is the highest-return security investment you can make.
- Implement a patch management process. Ensure all devices receive critical security patches within 14 days (matching the updated Cyber Essentials requirement).
- Set up basic backups. Implement the 3-2-1 backup rule: three copies of data, on two different media types, with one copy offsite (including offline/immutable backups for ransomware protection).
- Assign cybersecurity responsibility. Even if it is a part-time role, having a named person accountable is essential.
- Create a simple incident response plan. One page covering who to call and what to do in the first hour.
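Two of these starting controls have measurable targets: every device patched within 14 days of a critical update's release, and backups that satisfy the 3-2-1 rule with at least one offline or immutable copy. The script below is an added example, not code from the original article: the device inventory and backup catalogue are constructed sample data, and the patch identifiers are placeholders rather than real vendor bulletin numbers. It reports devices outside the 14-day window (a patch exactly 14 days old is still inside it) and lists each way a backup set falls short of 3-2-1.

```python
"""Quick checks for two of the starting controls: the 14-day patching window
and the 3-2-1 backup rule.

Added example, not code from the original page. The device inventory and
backup catalogue are constructed sample data, and the patch identifiers are
placeholders.
"""
from datetime import date, timedelta

PATCH_SLA = timedelta(days=14)

# Constructed inventory: for each device, the critical patch still outstanding (if any)
# and the date the vendor released it.
DEVICES = [
    {"host": "LAPTOP-01", "missing_patch": None},
    {"host": "LAPTOP-02", "missing_patch": {"id": "PATCH-PLACEHOLDER-1", "released": date(2024, 2, 10)}},
    {"host": "SERVER-01", "missing_patch": {"id": "PATCH-PLACEHOLDER-2", "released": date(2024, 3, 1)}},
]

# Constructed backup catalogue; the production copy counts as the first of the three.
BACKUP_COPIES = [
    {"label": "production", "medium": "san", "offsite": False, "immutable": False},
    {"label": "nightly-nas", "medium": "nas", "offsite": False, "immutable": False},
    {"label": "cloud-vault", "medium": "object-storage", "offsite": True, "immutable": True},
]


def patch_sla_breaches(devices, today):
    """Devices whose outstanding critical patch has been available for more than 14 days."""
    breaches = []
    for dev in devices:
        patch = dev["missing_patch"]
        if patch is None:
            continue
        age = today - patch["released"]
        if age > PATCH_SLA:  # exactly 14 days is still inside the window
            breaches.append({"host": dev["host"], "patch": patch["id"], "days_outstanding": age.days})
    return breaches


def breaches_as_of(iso_today):
    """Evaluate the constructed inventory as of the given ISO date."""
    return patch_sla_breaches(DEVICES, date.fromisoformat(iso_today))


def check_3_2_1(copies):
    """Return the list of 3-2-1 rule failures; an empty list means compliant."""
    failures = []
    if len(copies) < 3:
        failures.append("fewer than three copies")
    if len({c["medium"] for c in copies}) < 2:
        failures.append("fewer than two media types")
    if not any(c["offsite"] for c in copies):
        failures.append("no offsite copy")
    # Ransomware that reaches the network can encrypt every online copy, so at least one
    # copy must be immutable or kept offline.
    if not any(c["immutable"] or c.get("offline", False) for c in copies):
        failures.append("no offline or immutable copy")
    return failures


if __name__ == "__main__":
    print(breaches_as_of("2024-03-05"))
    print(check_3_2_1(BACKUP_COPIES))
    print(check_3_2_1(BACKUP_COPIES[:2]))
```

Dropping the cloud vault from the sample catalogue shows how the check degrades: the remaining two copies still use two media types, but the set is now short of three copies, has no offsite copy and has nothing a ransomware operator could not encrypt.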
Our team helps UK SMEs build practical, affordable cybersecurity programmes that protect their business without overcomplicating their operations. Whether you need a one-off gap assessment or ongoing vCISO support, our consultants bring deep experience across UK regulatory frameworks and SME operations.