
Flashcards · 25 cards

Risks

25 plain-English digital risks every SME owner should be able to answer.

Risk 01 · Business-critical system audit

Do you know what technology your business actually depends on?

Many SMEs rely on hidden systems: old databases, spreadsheets, Access files, internal websites, macros, scripts, file shares, and tools built years ago by someone who has since left.

What to do:
• Print this question and stick it on the wall: “If our IT person quit on Friday, what's the first thing that would break by Tuesday?” Ask three people separately.
• Open your last bank statement. Every IT-related direct debit you can't match to a system is a system you didn't know you depend on.
• Open Microsoft 365 admin → Active users. Cross-check every account against payroll.

Risk 02 · Hidden business risk in legacy systems

Could one old system stop your business trading?

A lot of SMEs have systems that “just work” — until they don't.

What to do:
• Walk the office. Find the “if this PC dies, we stop” machine. Photograph the serial-number sticker.
• List the five systems you'd notice in under an hour if they went down. Next to each: when was it last patched?
• Check the operating system on your most critical server. Windows Server 2012 R2 / 2016 / earlier are out of support.

Risk 03 · Legacy technology modernisation

Are you relying on software nobody understands anymore?

Long-established SMEs often have systems that scare people — because no one wants to be the one who touches them.

What to do:
• Open the app. Help → About. Note the version. Now Google: “[product name] [version] end of life.”
• Find the original developer or vendor (LinkedIn is fine). One short message: “Do you still support this?”
• If the app uses a database, look for a default sa, admin, or root account with a weak password.

Risk 04 · Spreadsheet risk review

Are old spreadsheets quietly running your business?

Spreadsheets are useful, but they often become unofficial business systems — without owners, without testing, without backup.

What to do:
• Open Documents/Desktop. Sort by “Date modified.” Anything called Master, Live, FINAL_v3_real that's been touched today is probably running something.
• For each, ask: “If this file vanished now, how long would it take to rebuild?”
• Use Review → Protect Sheet on at least the formula cells. Costs nothing.

Risk 05 · Access control and accountability

Are ex-employees or old suppliers still able to access your systems?

Many companies have employees, suppliers, consultants, or old accounts with far more access than they need — sometimes long after they've left.

What to do:
• Microsoft 365: Admin Center → Users → Active users. Cross-check every name against payroll.
• Look at your most important shared inboxes. Who has “send as” or delegate access?
• Send one email to every external supplier with access: “Tell me which accounts your team has, and when each was last used.”

Risk 06 · Password and account safety

Could one weak password expose your company?

This isn't about technical password policy. It's about whether one weak login could unlock the whole business.

What to do:
• Turn on MFA for every admin account in Microsoft 365 / Google Workspace. Admins only, today.
• Run your director-level email addresses through haveibeenpwned.com.
• Get a real password manager — 1Password, Bitwarden, or Dashlane all have business tiers under £5/user/month.

Risk 07 · Protecting business data

Could a simple mistake delete or corrupt important data?

This is the heart of cybersecurity for most SMEs — and it isn't always about hackers.

What to do:
• Turn on Version History on shared folders. Restoring becomes one click.
• On accounts and finance folders, restrict the Delete permission to two named people.
• Check your Microsoft 365 retention policy. The default is around 30 days; set it longer if your business needs it.

Risk 08 · Data protection and compliance readiness

Do you know where your sensitive data is stored?

This matters because it affects fines, insurance, client contracts, and reputation.

What to do:
• Draw four boxes on paper: Customer, Employee, Financial, Supplier. For each: where it lives, who reads, who deletes.
• Look at three random staff laptops. Customer lists on a laptop are data leaving the building each evening.
• Look at your office Wi-Fi router. List every connected device.

Risk 09 · Manufacturing system resilience

Could one old PC stop your production line?

For manufacturers and operational businesses, the real concern is downtime, missed orders, and production errors.

What to do:
• Find every Windows PC on the line. Note the OS. Anything older than Windows 10 / Server 2019 is a problem.
• Ask the line manager: “Which of these, if it died, stops production?”
• Ask: “Are factory systems on the same network as the office?” If you don't know, the answer is almost always “yes.”

Risk 10 · Backup and recovery confidence

Are your backups real, or just assumed?

Many SMEs believe they have backups, but no one has ever tested restoring from them.

What to do:
• Pick a non-critical file. Delete it. Try to restore. Time how long it takes.
• Email your IT supplier: “Send me the dated screenshot of the most recent successful end-to-end restore test.”
• Check whether your Microsoft 365 data is in any backup. Microsoft's shared-responsibility model says it's your job.

Risk 11 · Cyber incident readiness

Would you survive a ransomware attack?

Owners need to know the likely impact and who picks up the phone.

What to do:
• Write a one-page “if everything is down” plan. Put it in three places that are not on the network.
• Add to your phone: IT supplier's emergency number, cyber insurer's claim line, ICO (0303 123 1113).
• Check your cyber insurance — most include an incident response provider. Find their hotline.

Risk 12 · Monitoring and early warning systems

Would you know quickly if something was wrong?

Many SMEs only discover problems after customers complain or data has already gone.

What to do:
• Sign up to UptimeRobot (free tier).
• Add calendar reminders for domain expiry, SSL expiry, IT contract end date — with 90-day warnings.
• Ask your IT supplier: “Where do alerts go, and who reads them?”

Risk 13 · Independent review of IT suppliers

Are you paying for IT support but still carrying serious risk?

An SME can believe “the IT company has it covered” when in reality no one is challenging the quality.

What to do:
• Reread the SLA. Search for the words “security” and “backup.” If they aren't there, that work isn't their job.
• Email your supplier: “What three risks are you actively managing for me?”
• Find out who legally owns your domain name, DNS, and master Microsoft 365 / Google admin.

Risk 14 · Staff-built systems and AI-created tools

Are staff building business-critical tools without you knowing?

AI and low-code make it easy for non-technical staff to create apps the business now depends on.

What to do:
• Microsoft 365 admin centre → Reports → Power Platform Apps and SharePoint sites created in the last year.
• Ask three staff: “What tool have you built this year that you think the team now relies on?”
• Start a tools register. Name, owner, what it does, what data it touches, what happens if the owner leaves.

Risk 15 · Safe and productive AI adoption

Is AI creating hidden risk inside your business?

AI is useful. Unmanaged AI use creates data, security, legal, and quality risks — sometimes all at once.

What to do:
• Send one email to all staff: “What AI tools, what data?”
• For each AI tool, check its data retention setting. Free tiers usually do train on your input.
• Write a single A4 page: “What's OK and not OK to put into AI.”

Risk 16 · Website and portal risk review

Are your customer portals and websites safe?

A hacked website or insecure customer portal causes lost trust, lost sales, and legal problems.

What to do:
• Open your website. Click the padlock. Check certificate name, issuer, expiry.
• Paste your URL into securityheaders.com. Aim for at least a B grade.
• List every domain your business owns: registrar, expiry, login owner.

Risk 17 · Change control for growing businesses

Are changes being made safely, or just made?

Many SMEs make changes informally with no record and no way back.

What to do:
• Ask your IT supplier for “the last five changes you made.”
• On business-critical spreadsheets, turn on Version History.
• Set a 24-hour rule: no live change to a business-critical system goes in on a Friday afternoon.

Risk 18 · Customer trust and security assurance

Can you prove to customers that their data is safe?

Larger customers increasingly ask SMEs for evidence of cybersecurity and data protection.

What to do:
• Look up Cyber Essentials. The questionnaire is free.
• Find your most demanding customer's data-protection clause. Could you evidence it tomorrow?
• List the policies you could produce in five minutes: data protection, acceptable use, password, incident response, AI.

Risk 19 · IT spend and risk prioritisation

Is your IT spend actually reducing risk?

Many SMEs spend plenty on IT but still have serious gaps.

What to do:
• Print your last three IT invoices. Beside each line item, write: what business risk does this reduce?
• Ask your IT supplier for a categorised invoice.
• Look at your IT contract renewal date. Within 90 days = peak negotiating leverage.

Risk 20 · Practical digital risk roadmap

What should you fix first?

SMEs don't need a 200-page technical report. They need prioritisation.

What to do:
• List your top five worries. For each: Could this stop us trading? Could the fix be in within 30 days?
• For each remaining risk, write the smallest next action.
• Put names against each action. No name = no action.

Risk 21 · Phishing & social engineering

Can your staff spot a phishing email when it matters?

Phishing is the most common way attackers get into SMEs.

What to do:
• Add the Microsoft 365 or Google Report Phishing button to staff inboxes.
• Forward suspicious emails to report@phishing.gov.uk.
• Run one phishing simulation a quarter. Use it to train, not blame.

Risk 22 · Mobile and remote work security

Are phones, tablets and home laptops your weakest link?

Most SME data leaves the office every day on phones and laptops.

What to do:
• Enable Mobile Device Management for any device that accesses work data.
• Require passcode and biometric on every device. Require encryption.
• Test the remote-wipe flow once a year.

Risk 23 · Malware and endpoint protection

Is your antivirus actually protecting you?

Legacy antivirus catches known viruses by signature. Modern threats bypass that.

What to do:
• If you have M365 Business Premium, you already have Defender for Business. Cancel duplicate antivirus.
• Make sure protection is on every device, including home / BYOD.
• Either have your IT supplier read the alerts, or set them to email a named person.

Risk 24 · Patching & vulnerability management

Are you running months-old, patched-everywhere-else software?

Most ransomware uses vulnerabilities patched months earlier. Patching is the most effective single security activity.

What to do:
• Set Windows Update / macOS Update to automatic on all laptops.
• For servers and network kit, agree a patching cadence with your IT supplier in writing.
• List software past End-of-Life (Windows 7, Server 2012 R2 / 2016 in many cases). Replace, segment, or accept the risk with a date.

Risk 25 · Staff training & security culture

Does your team know what to do when something feels wrong?

A trained, alert team is a better defence than most tools.

What to do:
• Roll out the free NCSC Top Tips for Staff.
• Run one tabletop exercise a year using NCSC Exercise in a Box.
• Make reporting easy and praise the people who do it — even on false alarms.