Flashcards · 25 cards
Risks
25 plain-English digital risks every SME owner should be able to answer. Click any card to flip.
Risk 01 · Business-critical system audit
Do you know what technology your business actually depends on?
Click to flip →
What to do:
• Print this question and stick it on the wall: “If our IT person quit on Friday, what's the first thing that would break by Tuesday?” Ask three people separately.
• Open your last bank statement. Every IT-related direct debit you can't match to a system is a system you didn't know you depend on.
• Open Microsoft 365 admin (or Google Workspace) → Active users. Cross-check every account against payroll.
Risk 02 · Hidden business risk in legacy systems
Could one old system stop your business trading?
Click to flip →
What to do:
• Walk the office. Find the “if this PC dies, we stop” machine. Photograph the serial-number sticker.
• List the five systems you'd notice in under an hour if they went down. Next to each: when was it last patched?
• Check the operating system on your most critical server. Windows Server 2012 R2 is already out of support; Server 2016's extended support ends October 2027. Plan now.
Risk 03 · Legacy technology modernisation
Are you relying on software nobody understands anymore?
Click to flip →
What to do:
• Open the app. Help → About. Note the version. Now Google: “[product name] [version] end of life.”
• Find the original developer or vendor (LinkedIn is fine). One short message: “Do you still support this?”
• If the app uses a database, look for a default
sa, admin, or root account with a weak password.Risk 04 · Spreadsheet risk review
Are old spreadsheets quietly running your business?
Click to flip →
What to do:
• Open Documents/Desktop. Sort by “Date modified.” Anything called Master, Live, FINAL_v3_real that's been touched today is probably running something.
• For each, ask: “If this file vanished now, how long would it take to rebuild?”
• Use Review → Protect Sheet on at least the formula cells. Costs nothing.
Risk 05 · Access control and accountability
Are ex-employees or old suppliers still able to access your systems?
Click to flip →
What to do:
• Microsoft 365: Admin Center → Users → Active users. Cross-check every name against payroll.
• Look at your most important shared inboxes. Who has “send as” or delegate access?
• Send one email to every external supplier with access: “Tell me which accounts your team has, and when each was last used.”
Risk 06 · Password and account safety
Could one weak password expose your company?
Click to flip →
What to do:
• Turn on MFA for every admin account in Microsoft 365 / Google Workspace. Admins only, today.
• Run your director-level email addresses through haveibeenpwned.com.
• Get a real password manager — 1Password, Bitwarden, or Dashlane all have business tiers under £5/user/month.
Risk 07 · Protecting business data
Could a simple mistake delete or corrupt important data?
Click to flip →
What to do:
• Turn on Version History on shared folders.
• On accounts and finance folders, restrict the Delete permission to two named people.
• Check your Microsoft 365 retention policy. Default is around 30 days.
Risk 08 · Data protection and compliance readiness
Do you know where your sensitive data is stored?
Click to flip →
What to do:
• Draw four boxes on paper: Customer, Employee, Financial, Supplier. For each: where it lives, who reads, who deletes.
• Look at three random staff laptops. Customer lists on a laptop are data leaving the building each evening.
• Look at your office Wi-Fi router. List every connected device.
Risk 09 · Manufacturing system resilience
Could one old PC stop your production line?
Click to flip →
What to do:
• Find every Windows PC on the line. Note the OS. Anything older than Windows 10 / Server 2019 is a problem hiding in plain sight.
• Ask the line manager: “Which of these, if it died, stops production?”
• Ask: “Are factory systems on the same network as the office?” If you don't know, the answer is almost always “yes.”
Risk 10 · Backup and recovery confidence
Are your backups real, or just assumed?
Click to flip →
What to do:
• Pick a non-critical file. Delete it. Try to restore from backup. Time how long it takes. That's your real recovery time.
• Email your IT supplier: “Send me the dated screenshot of the most recent successful end-to-end restore test.”
• Check whether your Microsoft 365 data is in any backup. Microsoft's shared-responsibility model says it's your job.
Risk 11 · Cyber incident readiness
Would you survive a ransomware attack?
Click to flip →
What to do:
• Write a one-page “if everything is down” plan. Put it in three places that are not on the network.
• Add to your phone: IT supplier's emergency number, cyber insurer's claim line, ICO (0303 123 1113).
• Check your cyber insurance — most include an incident response provider. Find their hotline.
Risk 12 · Monitoring and early warning systems
Would you know quickly if something was wrong?
Click to flip →
What to do:
• Sign up to UptimeRobot (free tier).
• Add calendar reminders for domain expiry, SSL expiry, IT contract end date — with 90-day warnings.
• Ask your IT supplier: “Where do alerts go, and who reads them?”
Risk 13 · Independent review of IT suppliers
Are you paying for IT support but still carrying serious risk?
Click to flip →
What to do:
• Reread the SLA. Search for security and backup. If they aren't there, that work isn't their job.
• Email your supplier: “What three risks are you actively managing for me?” Specific answers (e.g. “your Server 2016 is approaching end of life in 2027, here's our plan”) mean they're running your risk. Vague answers mean tickets.
• Find out who legally owns your domain name, DNS, and Microsoft 365 / Google global admin account.
Risk 14 · Staff-built systems and AI-created tools
Are staff building business-critical tools without you knowing?
Click to flip →
What to do:
• Microsoft 365 admin centre → Reports → Power Platform Apps and SharePoint sites created in the last year.
• Ask three staff: “What tool have you built this year that you think the team now relies on?”
• Start a tools register. Name, owner, what it does, what data it touches, what happens if the owner leaves.
Risk 15 · Safe and productive AI adoption
Is AI creating hidden risk inside your business?
Click to flip →
What to do:
• Send one email to all staff: “What AI tools are you using for work, and what data have you put in?”
• For each AI tool, check its data retention setting. Free tiers usually do train on your input by default.
• Write a single A4 page: “What's OK and not OK to put into AI.”
Risk 16 · Website and portal risk review
Are your customer portals and websites safe?
Click to flip →
What to do:
• Open your website. Click the padlock in the browser. Check the certificate name, issuer, and expiry.
• Paste your URL into securityheaders.com. Aim for at least a B grade.
• List every domain your business owns: registrar, expiry, login owner.
Risk 17 · Change control for growing businesses
Are changes being made safely, or just made?
Click to flip →
What to do:
• Ask your IT supplier for “the last five changes you made.”
• On business-critical spreadsheets, turn on Version History.
• Set a 24-hour rule: no live change to a business-critical system goes in on a Friday afternoon.
Risk 18 · Customer trust and security assurance
Can you prove to customers that their data is safe?
Click to flip →
What to do:
• Look up Cyber Essentials. The questionnaire is free to read.
• Find your most demanding customer's data-protection clause. Could you evidence it tomorrow?
• List the policies you could produce in five minutes: data protection, acceptable use, password, incident response, AI.
Risk 19 · IT spend and risk prioritisation
Is your IT spend actually reducing risk?
Click to flip →
What to do:
• Print your last three IT invoices. Beside each line item, write: what business risk does this reduce?
• Ask your IT supplier for a categorised invoice.
• See the budget priorities page for a sequenced spending plan at different budget levels.
Risk 20 · Practical digital risk roadmap
What should you fix first?
Click to flip →
What to do:
• List your top five worries. For each: Could this stop us trading? Could the fix be in within 30 days?
• For each remaining risk, write the smallest next action.
• Put names against each action. No name = no action.
Risk 21 · Phishing & social engineering
Can your staff spot a phishing email when it matters?
Click to flip →
What to do:
• Add the Microsoft 365 or Google Report Phishing button to staff inboxes.
• Forward suspicious emails to report@phishing.gov.uk.
• Run one phishing simulation a quarter. Use it to train, not blame.
Risk 22 · Mobile and remote work security
Are phones, tablets and home laptops your weakest link?
Click to flip →
What to do:
• Enable Mobile Device Management for any device that accesses work data.
• Require passcode and biometric on every device. Require encryption.
• Test the remote-wipe flow once a year.
Risk 23 · Malware and endpoint protection
Is your antivirus actually protecting you?
Click to flip →
What to do:
• If you have M365 Business Premium, you already have Defender for Business. Cancel duplicate antivirus.
• Make sure protection is on every device, including home / BYOD.
• Either have your IT supplier read the alerts, or set them to email a named person.
Risk 24 · Patching & vulnerability management
Are you running months-old, patched-everywhere-else software?
Click to flip →
What to do:
• Set Windows Update / macOS Update to automatic on all laptops.
• For servers and network kit, agree a patching cadence with your IT supplier in writing.
• List software past End-of-Life (Windows 7, Server 2012 R2 already out; Server 2016 by October 2027). Replace, segment, or accept the risk with a date.
Risk 25 · Staff training & security culture
Does your team know what to do when something feels wrong?
Click to flip →
What to do:
• Roll out the free NCSC Top Tips for Staff.
• Run one tabletop exercise a year using NCSC Exercise in a Box.
• Make reporting easy and praise the people who do it — even on false alarms.