Cybersecurity Compliance for UK SMEs — Where to Start
If you’ve never done a formal cybersecurity assessment, the list of things you “should be doing” can feel overwhelming. Firewalls, patches, backups, policies, incident response, staff training, compliance frameworks — where do you actually start?
The answer is simpler than it sounds. Start by measuring where you stand, then implement the five controls that prevent the most common attacks. You don’t need a perfect system immediately. You need a documented, testable baseline that demonstrates you’ve thought about security and are taking reasonable steps to protect your data and your customers’ data.
This is what UK GDPR Article 32 requires: “appropriate technical and organisational measures.” Appropriate is defined by risk, not by a checklist. For most SMEs, “appropriate” means implementing the Cyber Essentials five controls and maintaining a documented incident response plan.
Why This Matters
43% of UK businesses experienced a cyber breach in 2025. 81% of the businesses that were breached were SMEs. The average cost to an SME of a breach is £8,460 — but that’s just the direct cost. Add lost time, reputational damage, customer churn, and potential ICO enforcement, and the real cost is often multiples higher.
But the majority of these breaches were preventable. Unpatched software, weak access controls, no multi-factor authentication, inadequate backup procedures — these aren’t sophisticated attacks. They’re basic exploitations of security gaps that have known fixes.
If your business processes personal data (which it does — employee records, customer contacts, analytics), a breach triggers mandatory notification to the ICO within 72 hours if you suspect personal data has been compromised. Demonstrating that you had “appropriate” security measures in place is your best defence against enforcement action.
Step 1: Assess Your Current Posture
Before you implement anything, measure where you stand. This is the step most SMEs skip, and it’s the most important one.
External assessment: Use free tools to scan your website and infrastructure. Check what’s publicly exposed: run a port scan on your public IP addresses, check your SSL/TLS certificate validity and configuration, verify your email authentication records (SPF, DKIM, DMARC), and identify what technology your website is running (CMS version, plugins, known vulnerabilities). Tools like SecurityHeaders, Mozilla Observatory, and MXToolbox are free and give you a realistic baseline of your external security posture.
Internal assessment: Document what you have in place now. Do you have a written cybersecurity policy? How do you manage user access — shared passwords, MFA on critical systems, anything documented? When was the last time you patched your CMS, server software, or applications? Do you have backups, and have you tested whether you can actually restore from them? Is there any documented process for what happens if something goes wrong?
You’ll find gaps — every SME does. That’s not a failure; it’s a starting point. Write down what you find. You’ll use this to prioritise what to fix first.
Step 2: Implement Multi-Factor Authentication
If you do only one thing, do this. Multi-factor authentication (MFA) is the single highest-impact security measure for SMEs. It’s not a silver bullet — it doesn’t protect against all threats — but it prevents the most common attack: compromised email and business account access.
Where to start: Email accounts. Every business-critical account — email, cloud services (Microsoft 365, Google Workspace, Dropbox), payment systems, banking portals, CMS admin panels, remote access tools — should require MFA. Start with email and critical admin accounts. Then work through everything else.
How it works: After entering a password, the user is prompted for a second factor — usually a code from their phone (generated by an authenticator app like Microsoft Authenticator, Google Authenticator, or Authy) or delivered via SMS. Email compromise is the #1 attack vector in 2025, and MFA stops it.
For cloud services: Microsoft 365, Google Workspace, and most managed services make MFA trivially easy to enable. It takes an afternoon to roll out across a small team.
For on-premise systems and applications: Depends on what you’re running. If you have a server, hosting provider, or VPN, ask your IT provider whether MFA can be enabled. If not, you’ve identified a system that needs replacing or upgrading.
Step 3: Secure Email
93% of cyberattacks start with phishing or email compromise. Email security is your front line.
Technical controls:
- SPF (Sender Policy Framework): Tells email providers which servers are authorised to send mail from your domain. Prevents spoofers from sending emails that appear to come from you. Configure in your DNS records.
- DKIM (DomainKeys Identified Mail): Cryptographically signs emails from your domain. Prevents tampering and spoofing. Configure in your DNS and email provider.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells email providers what to do with emails that fail SPF/DKIM checks. Configure to reject or quarantine suspicious emails. Gives you reporting on spoofing attempts.
These are all configured in your DNS records. If you don’t manage your DNS directly, ask your email provider or IT support — they can often do this for you.
User training: Your staff are your security perimeter. Phishing emails are the delivery mechanism for most attacks. Train employees to: recognise suspicious emails (unexpected attachments, mismatched sender addresses, requests for passwords or sensitive information), verify unusual requests through another channel before responding, report suspicious emails rather than deleting them.
Email filtering: Most email providers (Microsoft 365, Google Workspace) have built-in spam and phishing filters. Make sure they’re enabled and configured to flag or block suspicious emails.
Step 4: Patch and Update
Unpatched software is one of the most commonly exploited security gaps. Researchers constantly discover new flaws, and vendors issue patches once a fix is ready. Once a patch is public, the flaw it fixes is public too: if you’re not patching, you’re running with known, exploitable vulnerabilities.
Operating systems: Windows, macOS, and Linux all issue monthly patches. Enable automatic updates if possible. If you can’t (because it would disrupt critical business processes), establish a monthly patching schedule and actually do it.
Web applications: CMS platforms (WordPress, Joomla, Drupal), e-commerce platforms, and business applications all need patching. WordPress security updates should be applied immediately — they patch known vulnerabilities. Schedule monthly update checks for other applications.
Plugins and extensions: If you use WordPress, Shopify, or other platforms with plugins, keep plugins updated. Abandoned plugins (not updated by their developer) are a common attack vector — consider removing them if the developer isn’t maintaining them.
Hosting and server software: Your hosting provider often handles server OS patches automatically. Ask them whether patches are applied automatically. If you manage your own servers, establish a monthly patching schedule.
Step 5: Control Access
Weak access controls are a consistent finding in SME audits. The usual problems are shared passwords, admin access given to everyone, former employees retaining access, and no documented user access review.
Practical steps:
- Password policies: Every employee gets their own account. Passwords should be minimum 12 characters, no reuse, no obvious patterns. Use a password manager (Bitwarden, 1Password, LastPass) so employees don’t have to remember complex passwords.
- Admin access: Only users who need admin access should have it. Separate admin accounts from regular user accounts (if you do admin work, use a regular user account for daily work and switch to admin when you need elevated privileges). Review admin access quarterly.
- Former employees: Disable accounts immediately when someone leaves. Not “reset the password,” disable the account entirely. Remove them from any team access, email groups, or cloud storage access.
- Access review: Annually (or quarterly for businesses with significant staff turnover), review who has access to what and whether they still need it.
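The quarterly access review above can be run as a script rather than by eye. This is an added illustration, not code from the original article: the account export and HR roster are constructed samples, and `review_access`, `run_review` and the generic-name prefixes are assumptions about how your identity provider and HR data might be laid out.

```python
from datetime import date, timedelta

# Constructed sample export from an identity provider (e.g. Microsoft 365, Google Workspace).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "last_login": date(2025, 10, 2)},
    {"user": "bob", "enabled": True, "admin": True, "last_login": date(2025, 9, 30)},
    {"user": "carol", "enabled": True, "admin": False, "last_login": date(2025, 5, 1)},
    {"user": "dave", "enabled": True, "admin": False, "last_login": date(2025, 9, 28)},
    {"user": "shared-reception", "enabled": True, "admin": False, "last_login": date(2025, 10, 1)},
]
# Constructed HR roster: current staff and whether their role needs admin rights.
ROSTER = {
    "alice": {"admin_required": True},
    "bob": {"admin_required": False},
    "carol": {"admin_required": False},
}
GENERIC_PREFIXES = ("shared", "admin", "office", "info")  # assumed naming convention
REVIEW_DATE = date(2025, 10, 3)  # the day this constructed review is run


def review_access(accounts, roster, today, stale_days=90):
    """Return findings keyed by issue; each value is a sorted list of usernames."""
    findings = {"leaver_still_enabled": [], "excess_admin": [], "stale": [], "shared_account": []}
    for acct in accounts:
        user = acct["user"]
        if user.split("-")[0] in GENERIC_PREFIXES:
            findings["shared_account"].append(user)
            continue  # a shared login should be replaced with named accounts, not reviewed further
        if user not in roster:
            if acct["enabled"]:  # leaver whose account was never disabled
                findings["leaver_still_enabled"].append(user)
            continue
        if acct["admin"] and not roster[user]["admin_required"]:
            findings["excess_admin"].append(user)
        if acct["enabled"] and today - acct["last_login"] > timedelta(days=stale_days):
            findings["stale"].append(user)  # unused account: disable or confirm it is still needed
    return {issue: sorted(users) for issue, users in findings.items()}


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for issue, users in run_review().items():
        print(f"{issue}: {', '.join(users) or 'none'}")
```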
Step 6: Test Your Backups
Most SMEs have backups — often automated through their hosting provider. But backup systems fail silently. You won’t know your backups are useless until you try to restore.
The 3-2-1 rule: 3 copies of your data, 2 different storage media, 1 offsite. A backup on the same server as the original data is worthless if the server fails. A backup not tested is a backup you can’t trust.
Practical steps:
- Document your backup process: what’s being backed up, how often, where backups are stored, how to restore.
- Test restoration quarterly. Restore a backup to a test environment, verify the data is complete, verify you can actually use the restored data. Document the test results.
- For critical business data, maintain an offsite backup (cloud, external drive stored separately, or both).
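One way to make the restore test above objective, as an added example that is not code from the original article: record a SHA-256 manifest when the backup is taken, then compare the restored files against it. The file names and contents in `demo()` are constructed samples; `read_tree` is the helper you would point at a real backup and restore directory.

```python
import hashlib
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: mapping of relative path -> bytes, recorded when the backup runs."""
    return {path: sha256_hex(data) for path, data in files.items()}


def read_tree(root):
    """Load every file under a real directory into the mapping the checks use."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def verify_restore(manifest, restored):
    """Compare a restored tree against the manifest; 'ok' is True only if nothing is missing or corrupt."""
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest
                     if p in restored and sha256_hex(restored[p]) != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)  # worth a look, but not a failure
    return {"missing": missing, "corrupt": corrupt, "unexpected": unexpected,
            "ok": not (missing or corrupt), "checked": len(manifest)}


def demo():
    """Constructed example: one file silently truncated, one file never restored."""
    original = {
        "customers.csv": b"id,name\n1,Alice\n2,Bob\n",
        "invoices/2025-01.pdf": b"%PDF-1.4 constructed sample\n",
        "config/site.yaml": b"backups: nightly\n",
    }
    manifest = build_manifest(original)            # recorded at backup time
    restored = dict(original)
    restored["customers.csv"] = b"id,name\n1,Alice\n"  # truncated: a silent failure
    del restored["invoices/2025-01.pdf"]               # missing from the restore
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```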
Step 7: Write an Incident Response Plan
When something goes wrong, you need to know who’s responsible, what to do immediately, and how to recover. An incident response plan doesn’t need to be elaborate — it needs to be short, practical, and known by the people who need it.
What to include:
- Contact list: Who to notify if something goes wrong (IT support, hosting provider, management, legal, ICO if data is compromised).
- Initial response: What to do immediately if you suspect a breach or cyberattack. Contain the damage (disconnect affected systems, change passwords, secure accounts), don’t attempt remediation yourself unless you know what you’re doing (call your IT support), preserve evidence (don’t delete logs or emails).
- ICO notification: If personal data is or may be compromised, you must notify the ICO within 72 hours. Your incident response plan should include the decision process (is personal data involved? is risk to individuals low or high?) and the notification procedure.
- Recovery: How to restore from backup, how to verify systems are clean, how to communicate with affected customers if needed.
That’s it. One page, practical, known by key staff. A plan nobody reads is worse than useless.
Step 8: Work Toward Cyber Essentials
Once you’ve implemented the above — MFA, email security, patching, access controls, backups, incident plan — you’re meeting the baseline of Cyber Essentials controls. The certification itself costs £300–£600 and involves a questionnaire with an accredited assessor who verifies you’re meeting the five controls.
Cyber Essentials is not a box-tick exercise. It’s a baseline security standard that prevents the most common attacks. Organisations with Cyber Essentials are significantly less likely to suffer breaches, and cyber insurance premiums reflect this.
Certification is optional for most SMEs but increasingly expected by customers, partners, and insurers. If you’re looking to improve your compliance posture, grow your customer base, or reduce cyber insurance costs, Cyber Essentials is the logical next step.
How to Check It Worked
Three months after implementation:
- MFA is active on email and all critical systems. Test it — log out and log back in to verify the MFA prompt appears.
- Email authentication records are in place. Check your SPF, DKIM, DMARC records using free online tools (MXToolbox, DMARC Monitor). Verify they’re configured correctly.
- Patching is on schedule. Check your CMS, server software, and applications for available updates. If months-old patches are pending, your patching process isn’t working.
- Backups are being tested. Pull a monthly backup, restore it to a test environment, verify the data is usable.
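The email authentication checks from Step 1 and Step 3 and the “records are in place” item above can be scripted once you have your TXT records. This is an added example, not code from the original article: the two records are constructed samples for a hypothetical domain, and the finding messages and `check_spf`/`check_dmarc` names are my own.

```python
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)")


def check_spf(record):
    """Return a list of findings for an SPF record (empty list means no issues)."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed (no v=spf1 prefix)"]
    findings = []
    terms = record.split()
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders are not penalised")
    elif all_terms[-1] in ("+all", "all"):
        findings.append("SPF ends in +all: any server may send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("SPF ends in ?all (neutral): spoofed mail is not penalised")
    lookups = sum(1 for t in terms if LOOKUP_TERMS.match(t.lower()))
    if lookups > 10:  # RFC 7208 limit; receivers treat a record over it as a permanent error
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record (empty list means no issues)."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1 tag)"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: you get no reports on spoofing attempts")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of mail")
    return findings


if __name__ == "__main__":  # live records: dig TXT example.com / dig TXT _dmarc.example.com
    for kind, issues in (("SPF", check_spf(SAMPLE_SPF)), ("DMARC", check_dmarc(SAMPLE_DMARC))):
        print(kind, "OK" if not issues else "; ".join(issues))
```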
What’s Next
Once you’ve implemented steps 1 to 7 above, you have a baseline security posture that meets UK GDPR Article 32 and Cyber Essentials requirements. This is not “fully secure” — security is ongoing — but it’s the necessary foundation.
From here, you can:
- Pursue Cyber Essentials certification if you want a formal credential. We can help you prepare with Bartram Cyber.
- Monitor for emerging threats as the Cyber Security and Resilience Bill progresses through 2026.
- Strengthen other compliance areas — GDPR compliance covers data subject rights and privacy policies; if you use AI systems, AI compliance covers transparency and risk assessment.
- Understand sector-specific guidance — Professional services face distinct client data protection obligations.
If you want a full assessment of your cybersecurity readiness, Bartram Cyber combines automated scanning with a detailed questionnaire and delivers a risk report with a prioritised action plan.