Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Flashcards · 25 cards

Risks

25 plain-English digital risks every SME owner should be able to answer. Click any card to flip.

Risk 01 · Business-critical system audit

Do you know what technology your business actually depends on?

Click to flip →

Many SMEs rely on hidden systems: old databases, spreadsheets, Access files, internal websites, macros, scripts, file shares, and tools built years ago by someone who has since left. The business has quietly grown around them, and your Managed Service Provider (MSP) may not have full visibility either.

What to do:
• Print this question and stick it on the wall: “If our IT person quit on Friday, what's the first thing that would break by Tuesday?” Ask three people separately.
• Open your last bank statement. Every IT-related direct debit you can't match to a system is a system you didn't know you depend on.
• Open Microsoft 365 admin (or Google Workspace) → Active users. Cross-check every account against payroll.
Open full page → Click to flip back

Risk 02 · Hidden business risk in legacy systems

Could one old system stop your business trading?

Click to flip →

A lot of SMEs have systems that “just work” — until they don't. The danger is rarely visible because the business has grown around them. Unsupported operating systems are a common pattern: Windows Server 2012 R2 is fully out of support, and Server 2016 is approaching end of extended support in October 2027. An unpatched server is a ticking clock.

What to do:
• Walk the office. Find the “if this PC dies, we stop” machine. Photograph the serial-number sticker.
• List the five systems you'd notice in under an hour if they went down. Next to each: when was it last patched?
• Check the operating system on your most critical server. Windows Server 2012 R2 is already out of support; Server 2016's extended support ends October 2027. Plan now.
Open full page → Click to flip back

Risk 03 · Legacy technology modernisation

Are you relying on software nobody understands anymore?

Click to flip →

Long-established SMEs often have systems that scare people — because no one wants to be the one who touches them. Meanwhile they're holding the business back.

What to do:
• Open the app. Help → About. Note the version. Now Google: “[product name] [version] end of life.”
• Find the original developer or vendor (LinkedIn is fine). One short message: “Do you still support this?”
• If the app uses a database, look for a default sa, admin, or root account with a weak password.
Open full page → Click to flip back

Risk 04 · Spreadsheet risk review

Are old spreadsheets quietly running your business?

Click to flip →

Spreadsheets are useful, but they often become unofficial business systems — without owners, without testing, without backup.

What to do:
• Open Documents/Desktop. Sort by “Date modified.” Anything called Master, Live, FINAL_v3_real that's been touched today is probably running something.
• For each, ask: “If this file vanished now, how long would it take to rebuild?”
• Use Review → Protect Sheet on at least the formula cells. Costs nothing.
Open full page → Click to flip back

Risk 05 · Access control and accountability

Are ex-employees or old suppliers still able to access your systems?

Click to flip →

Many companies have employees, suppliers, consultants, or old accounts with far more access than they need — sometimes long after they've left.

What to do:
• Microsoft 365: Admin Center → Users → Active users. Cross-check every name against payroll.
• Look at your most important shared inboxes. Who has “send as” or delegate access?
• Send one email to every external supplier with access: “Tell me which accounts your team has, and when each was last used.”
Open full page → Click to flip back

Risk 06 · Password and account safety

Could one weak password expose your company?

Click to flip →

This isn't about technical password policy. It's about whether one weak login could unlock the whole business.

What to do:
• Turn on MFA for every admin account in Microsoft 365 / Google Workspace. Admins only, today.
• Run your director-level email addresses through haveibeenpwned.com.
• Get a real password manager — 1Password, Bitwarden, or Dashlane all have business tiers under £5/user/month.
Open full page → Click to flip back

Risk 07 · Protecting business data

Could a simple mistake delete or corrupt important data?

Click to flip →

This is the heart of cybersecurity for most SMEs — and it isn't always about hackers. Sometimes it's an employee with a USB stick.

What to do:
• Turn on Version History on shared folders.
• On accounts and finance folders, restrict the Delete permission to two named people.
• Check your Microsoft 365 retention policy. Default is around 30 days.
Open full page → Click to flip back

Risk 08 · Data protection and compliance readiness

Do you know where your sensitive data is stored?

Click to flip →

This matters because it affects fines, insurance, client contracts, and reputation. UK GDPR Article 30 requires most businesses to keep a Record of Processing Activities (ROPA) — a list of what personal data you process, why, and for how long. If you take card payments, PCI DSS applies on top of GDPR.

What to do:
• Draw four boxes on paper: Customer, Employee, Financial, Supplier. For each: where it lives, who reads, who deletes.
• Look at three random staff laptops. Customer lists on a laptop are data leaving the building each evening.
• Look at your office Wi-Fi router. List every connected device.
Open full page → Click to flip back

Risk 09 · Manufacturing system resilience

Could one old PC stop your production line?

Click to flip →

For manufacturers and operational businesses, the real concern isn't abstract cyber risk. It's downtime, missed orders, production errors.

What to do:
• Find every Windows PC on the line. Note the OS. Anything older than Windows 10 / Server 2019 is a problem hiding in plain sight.
• Ask the line manager: “Which of these, if it died, stops production?”
• Ask: “Are factory systems on the same network as the office?” If you don't know, the answer is almost always “yes.”
Open full page → Click to flip back

Risk 10 · Backup and recovery confidence

Are your backups real, or just assumed?

Click to flip →

Many SMEs believe they have backups, but no one has ever tested restoring from them. Behind the green dashboard sit the questions that actually matter: how long it would take to recover (your RTO), how much recent work you'd lose (your RPO), whether the backups themselves can be locked or deleted by ransomware (whether they're immutable), whether you can rebuild a server from scratch (a bare-metal restore), and whether you're actually backing up the right things at all — Microsoft's shared responsibility model means your Microsoft 365 data is your problem, not theirs.

What to do:
• Pick a non-critical file. Delete it. Try to restore from backup. Time how long it takes. That's your real recovery time.
• Email your IT supplier: “Send me the dated screenshot of the most recent successful end-to-end restore test.”
• Check whether your Microsoft 365 data is in any backup. Microsoft's shared-responsibility model says it's your job.
Open full page → Click to flip back

Risk 11 · Cyber incident readiness

Would you survive a ransomware attack?

Click to flip →

Owners need to know the likely impact and who picks up the phone. Two things to know up front: paying the ransom is not a quick fix (modern groups often leak the data anyway), and payment to a sanctioned entity is a strict-liability criminal offence under UK OFSI rules — get legal advice before paying anything.

What to do:
• Write a one-page “if everything is down” plan. Put it in three places that are not on the network.
• Add to your phone: IT supplier's emergency number, cyber insurer's claim line, ICO (0303 123 1113).
• Check your cyber insurance — most include an incident response provider. Find their hotline.
Open full page → Click to flip back

Risk 12 · Monitoring and early warning systems

Would you know quickly if something was wrong?

Click to flip →

Many SMEs only discover problems after customers complain or data has already gone. Average detection time across all sectors is measured in weeks, sometimes months — mostly because nobody's reading the right logs.

What to do:
• Sign up to UptimeRobot (free tier).
• Add calendar reminders for domain expiry, SSL expiry, IT contract end date — with 90-day warnings.
• Ask your IT supplier: “Where do alerts go, and who reads them?”
Open full page → Click to flip back

Risk 13 · Independent review of IT suppliers

Are you paying for IT support but still carrying serious risk?

Click to flip →

An SME can believe “the IT company has it covered” when in reality no one is challenging the quality of the setup.

What to do:
• Reread the SLA. Search for security and backup. If they aren't there, that work isn't their job.
• Email your supplier: “What three risks are you actively managing for me?” Specific answers (e.g. “your Server 2016 is approaching end of life in 2027, here's our plan”) mean they're running your risk. Vague answers mean tickets.
• Find out who legally owns your domain name, DNS, and Microsoft 365 / Google global admin account.
Open full page → Click to flip back

Risk 14 · Staff-built systems and AI-created tools

Are staff building business-critical tools without you knowing?

Click to flip →

AI and low-code make it easy for non-technical staff to create apps the business now depends on.

What to do:
• Microsoft 365 admin centre → Reports → Power Platform Apps and SharePoint sites created in the last year.
• Ask three staff: “What tool have you built this year that you think the team now relies on?”
• Start a tools register. Name, owner, what it does, what data it touches, what happens if the owner leaves.
Open full page → Click to flip back

Risk 15 · Safe and productive AI adoption

Is AI creating hidden risk inside your business?

Click to flip →

AI is useful. Unmanaged AI use creates data, security, legal, and quality risks — sometimes all at once. There's also a growing regulatory layer: the EU AI Act phases in through 2025–2027 and applies to any UK business selling AI services into the EU. The UK's own AI regulation is more sector-specific but tightening. Most SME use of AI is low-risk; if you're using AI in hiring, lending, healthcare, or anything safety-related, get advice.

What to do:
• Send one email to all staff: “What AI tools are you using for work, and what data have you put in?”
• For each AI tool, check its data retention setting. Free tiers usually do train on your input by default.
• Write a single A4 page: “What's OK and not OK to put into AI.”
Open full page → Click to flip back

Risk 16 · Website and portal risk review

Are your customer portals and websites safe?

Click to flip →

A hacked website or insecure customer portal causes lost trust, lost sales, and legal problems.

What to do:
• Open your website. Click the padlock in the browser. Check the certificate name, issuer, and expiry.
• Paste your URL into securityheaders.com. Aim for at least a B grade.
• List every domain your business owns: registrar, expiry, login owner.
Open full page → Click to flip back

Risk 17 · Change control for growing businesses

Are changes being made safely, or just made?

Click to flip →

Many SMEs make changes informally: someone edits a live system, updates a spreadsheet, tweaks a database, or installs something directly — with no record and no way back. A formal CI/CD pipeline (the automated process for testing and releasing changes) is overkill for most SMEs — but the principles aren't.

What to do:
• Ask your IT supplier for “the last five changes you made.”
• On business-critical spreadsheets, turn on Version History.
• Set a 24-hour rule: no live change to a business-critical system goes in on a Friday afternoon.
Open full page → Click to flip back

Risk 18 · Customer trust and security assurance

Can you prove to customers that their data is safe?

Click to flip →

Larger customers increasingly ask SMEs for evidence of cybersecurity and data protection.

What to do:
• Look up Cyber Essentials. The questionnaire is free to read.
• Find your most demanding customer's data-protection clause. Could you evidence it tomorrow?
• List the policies you could produce in five minutes: data protection, acceptable use, password, incident response, AI.
Open full page → Click to flip back

Risk 19 · IT spend and risk prioritisation

Is your IT spend actually reducing risk?

Click to flip →

Many SMEs spend plenty on IT but still have serious gaps. Money is being spent — it's just not being spent on the right things.

What to do:
• Print your last three IT invoices. Beside each line item, write: what business risk does this reduce?
• Ask your IT supplier for a categorised invoice.
• See the budget priorities page for a sequenced spending plan at different budget levels.
Open full page → Click to flip back

Risk 20 · Practical digital risk roadmap

What should you fix first?

Click to flip →

SMEs don't need a 200-page technical report. They need prioritisation. See the dedicated budget priorities page for a sequenced spending plan at different budget levels.

What to do:
• List your top five worries. For each: Could this stop us trading? Could the fix be in within 30 days?
• For each remaining risk, write the smallest next action.
• Put names against each action. No name = no action.
Open full page → Click to flip back

Risk 21 · Phishing & social engineering

Can your staff spot a phishing email when it matters?

Click to flip →

Phishing is the most common way attackers get into SMEs.

What to do:
• Add the Microsoft 365 or Google Report Phishing button to staff inboxes.
• Forward suspicious emails to report@phishing.gov.uk.
• Run one phishing simulation a quarter. Use it to train, not blame.
Open full page → Click to flip back

Risk 22 · Mobile and remote work security

Are phones, tablets and home laptops your weakest link?

Click to flip →

Most SME data leaves the office every day on phones and laptops.

What to do:
• Enable Mobile Device Management for any device that accesses work data.
• Require passcode and biometric on every device. Require encryption.
• Test the remote-wipe flow once a year.
Open full page → Click to flip back

Risk 23 · Malware and endpoint protection

Is your antivirus actually protecting you?

Click to flip →

Legacy antivirus catches known viruses by signature. Modern threats bypass that.

What to do:
• If you have M365 Business Premium, you already have Defender for Business. Cancel duplicate antivirus.
• Make sure protection is on every device, including home / BYOD.
• Either have your IT supplier read the alerts, or set them to email a named person.
Open full page → Click to flip back

Risk 24 · Patching & vulnerability management

Are you running months-old, patched-everywhere-else software?

Click to flip →

Most ransomware uses vulnerabilities patched months earlier.

What to do:
• Set Windows Update / macOS Update to automatic on all laptops.
• For servers and network kit, agree a patching cadence with your IT supplier in writing.
• List software past End-of-Life (Windows 7, Server 2012 R2 already out; Server 2016 by October 2027). Replace, segment, or accept the risk with a date.
Open full page → Click to flip back

Risk 25 · Staff training & security culture

Does your team know what to do when something feels wrong?

Click to flip →

A trained, alert team is a better defence than most tools.

What to do:
• Roll out the free NCSC Top Tips for Staff.
• Run one tabletop exercise a year using NCSC Exercise in a Box.
• Make reporting easy and praise the people who do it — even on false alarms.
Open full page → Click to flip back