Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Flashcards · 12 cards

FAQ

The 12 questions every owner asks. Click any card to flip.

FAQ #1 of 12

Do we really need a CISO?

Click to flip →

Almost certainly not, for a typical SME. A “virtual CISO” (fractional — a few hours a month) is plenty for most businesses under ~100 staff.
Open full page → Click to flip back

FAQ #2 of 12

Is Cyber Essentials enough?

Click to flip →

It's a sensible floor — not a ceiling. Achievable, defensible, and increasingly required. But it doesn't address backup testing, incident response, AI use, supplier security, or training.
Open full page → Click to flip back

FAQ #3 of 12

How often should we change passwords?

Click to flip →

Less often than people think, if you have MFA. NCSC moved away from forced rotation. Current advice: long passwords, unique per account, password manager, MFA on top.
Open full page → Click to flip back

FAQ #4 of 12

Should we ban USB sticks?

Click to flip →

Most SMEs should at least restrict them. Disable unknown USB mass-storage; allow through an approval process.
Open full page → Click to flip back

FAQ #5 of 12

BYOD or company devices?

Click to flip →

Company devices are easier to secure. If you do BYOD, you must have MDM and a clear policy. Many SMEs end up with company laptops, BYOD phones with MDM.
Open full page → Click to flip back

FAQ #6 of 12

Is our antivirus enough?

Click to flip →

Probably not on its own. Modern threats bypass signature-based antivirus. The current category is EDR. Microsoft Defender for Business (bundled with M365 Business Premium) is good enough for most SMEs.
Open full page → Click to flip back

FAQ #7 of 12

Can we just back up to OneDrive / SharePoint?

Click to flip →

No. They sync files; they don't back them up. If ransomware encrypts the originals, the encrypted versions sync to the cloud. Use a dedicated 3-2-1 backup tool that covers M365.
Open full page → Click to flip back

FAQ #8 of 12

Should we let staff use personal Gmail or Dropbox for work?

Click to flip →

No. Creates data-protection, security, and continuity problems.
Open full page → Click to flip back

FAQ #9 of 12

Is cyber insurance worth it for a £2m turnover business?

Click to flip →

For most businesses at that scale, yes — with caveats. The biggest value is usually the incident-response retainer bundled in.
Open full page → Click to flip back

FAQ #10 of 12

When does a 5-person business need a ‘real’ IT person?

Click to flip →

Almost never as an employee. What you need is: someone in the business who owns IT decisions and a reliable MSP for execution.
Open full page → Click to flip back

FAQ #11 of 12

What's the difference between Microsoft 365 Business Standard, Premium, and Enterprise?

Click to flip →

Business Standard is the core productivity suite. Business Premium adds the security tooling almost every SME should have. Enterprise tiers are for >300 users or specific compliance needs.
Open full page → Click to flip back

FAQ #12 of 12

Is two-factor by text message OK?

Click to flip →

Better than nothing, much worse than an authenticator app. SMS is vulnerable to SIM-swap attacks.
Open full page → Click to flip back