Do we really need a CISO?
Almost certainly not, for a typical SME. A “virtual CISO” (fractional — a few hours a month) is plenty for most businesses under ~100 staff.
FAQ
Almost certainly not, for a typical SME. A “virtual CISO” (fractional — a few hours a month) is plenty for most businesses under ~100 staff.
It's a sensible floor — not a ceiling. Achievable, defensible, and increasingly required. But it doesn't address backup testing, incident response, AI use, supplier security, or training.
Less often than people think, if you have MFA. NCSC moved away from forced rotation. Current advice: long passwords, unique per account, password manager, MFA on top.
Most SMEs should at least restrict them. Disable unknown USB mass-storage; allow through an approval process.
Company devices are easier to secure. If you do BYOD, you must have MDM and a clear policy. Many SMEs end up with company laptops, BYOD phones with MDM.
Probably not on its own. Modern threats bypass signature-based antivirus. The current category is EDR. Microsoft Defender for Business (bundled with M365 Business Premium) is good enough for most SMEs.
No. They sync files; they don't back them up. If ransomware encrypts the originals, the encrypted versions sync to the cloud. Use a dedicated 3-2-1 backup tool that covers M365.
No. Creates data-protection, security, and continuity problems.
For most businesses at that scale, yes — with caveats. The biggest value is usually the incident-response retainer bundled in.
Almost never as an employee. What you need is: someone in the business who owns IT decisions and a reliable MSP for execution.
Business Standard is the core productivity suite. Business Premium adds the security tooling almost every SME should have. Enterprise tiers are for >300 users or specific compliance needs.
Better than nothing, much worse than an authenticator app. SMS is vulnerable to SIM-swap attacks.