What good looks like.
If you're wondering what the destination is, this is it. Not a checklist. Not a test. A short description of what a well-set-up SME looks like from a technology perspective.
A well-set-up SME typically has:
- ·MFA on everything
- ·Tested backups
- ·A short incident plan
- ·An IT supplier who can answer hard questions
- ·Cyber Essentials certification or equivalent
- ·A basic set of policies that people have actually read
- ·Someone — not necessarily a specialist — who's responsible for keeping an eye on all of it
That's it.
Most of this site exists to help you understand each of those in plain English, decide whether you're there yet, and know what to ask for if you're not.
A note on where you probably already are
If you're an established SME with an IT manager or a half-decent MSP, you almost certainly have most of this in some form. The gap is usually not the controls themselves — it's being able to see them, point at the evidence, and know that the parts you can't see are working.
Reading the topics below in any order is fine. There's no “you must read this first.” The structure of the site is by theme, not by sequence.
If you want a sequence anyway
The budget priorities page sequences the basics by spend — what you'd do for £0, £1k, £3k, £10k or £30k a year. That's as close to a recommended order as the site gets.