0
          of UK businesses identified a cyber breach or attack in 2025/26
          0
          of businesses experienced phishing, the most common attack type
          0
          of businesses reported a basic technical cyber security skills gap
          0
          less likely to make a cyber insurance claim with Cyber Essentials certification

          01

          SMEs are not too small to be attacked

          Attackers do not choose targets like a salesperson chooses prospects. A lot of attacks start with scanning, stolen credentials, reused passwords and fake Microsoft 365 sign-in pages.

          That makes a 25-person accountancy firm, a small manufacturer or a primary school a realistic target. The attacker is looking for an easy path: a user without MFA, an exposed remote-access service, a firewall rule nobody remembers creating or a backup repository ransomware can reach.

          Breaches and attacks by business size

          Percentage of UK businesses that identified a cyber breach or attack in the last 12 months, 2025/26.

          All businesses
          Small businesses
          Medium businesses
          Large businesses
          0%25%50%75%

          Source: GOV.UK Cyber Security Breaches Survey 2025/26.

          The useful question is not ‘Are we a target?’

          Ask whether an attacker can find an easy path into your email, files, VPN, firewall or backup. That is the level where most SMEs need to look first.

          02

          What attackers actually do

          The attack does not usually start with someone smashing through a firewall. It starts with something smaller and duller.

          They steal a loginA user lands on a fake Microsoft 365 sign-in page. The next step is often mailbox rules, supplier impersonation, invoice changes or a reset on another system.
          They find an old doorOld VPN users, exposed Remote Desktop, stale firewall objects and forgotten admin accounts survive because every clean-up job feels risky.
          They hit a supplierYour payroll provider, finance platform, cloud storage, IT supplier and line-of-business systems all form part of your risk where they hold data or retain access.

          The breach types businesses reported most often

          Percentage of all UK businesses reporting each type of breach or attack in 2025/26.

          Phishing
          Impersonation
          Malware
          Account takeover
          Ransomware

          Source: GOV.UK Cyber Security Breaches Survey 2025/26.

          What stops this: MFA, Conditional Access, user training, alerting for risky sign-ins, mailbox-rule monitoring, patching, proper admin separation and a regular review of access that should no longer exist.

          03

          The mistakes we keep seeing

          Most cyber gaps are not exotic. They are admin gaps. They come from staff changes, rushed projects, old suppliers, untested assumptions and nobody owning the boring checks.

          MFA is only partly enabled

          A few users have MFA. Admins are missed. Break-glass accounts are not documented. Older mail protocols are still enabled. This gives everyone false confidence.

          Offboarding stops too early

          The account is disabled in one place, but not everywhere. Entra ID, mailbox delegation, shared mailboxes, VPN access, SaaS apps and local admin rights all need checking.

          Backups are assumed, not tested

          A backup job marked successful is not the same as a restore. For critical systems, someone needs to prove data can be recovered.

          Firewalls are set and forgotten

          Rules get added during emergencies and never removed. Firmware falls behind. VPN accounts remain active. Logs are ignored until something breaks.

          No one owns the full picture

          One person knows the firewall password. Another knows the backup product. A third person manages the Microsoft 365 tenant. Nobody has a clear, current record.

          The skills gap is real

          Nearly half of UK businesses reported a basic technical cyber security skills gap in 2025. IT has become too broad to manage by memory and goodwill.

          Source for the skills-gap figure: GOV.UK Cyber Security Skills in the UK Labour Market 2025.

          04

          What we check first

          A useful cyber review does not start with a product demo. It starts with identity, backups, devices, firewall rules and admin rights. Those are the places where real failures usually live.

          Microsoft 365 and Entra IDMFA, Conditional Access, legacy protocols, admin roles, mailbox forwarding, risky sign-ins, shared mailbox access and stale accounts.
          Backup and recoveryWhat is backed up, where it is stored, who can delete it, when it last ran and whether a restore has actually been tested.
          Firewall and remote accessFortinet, Sophos and other firewall setups, including firmware, rules, VPN users, exposed services and logging.
          Endpoint protectionDevice patching, antivirus, Huntress or managed detection coverage, local admin rights and unmanaged devices.
          Cyber Essentials readinessYour setup mapped against the five Cyber Essentials controls before you pay for certification and discover problems late.
          School-specific controlsFiltering and monitoring, MIS access, staff offboarding, guest networks, BYOD and evidence against DfE standards.

          For schools, the DfE cyber security standard sits alongside Cyber Essentials. It covers the governance, processes and strategy that a technical certification alone does not cover. Read the DfE cyber security standard.

          05

          The controls every SME needs

          You do not need every cyber product on the market. You need the basic controls working properly, and you need someone to keep checking them.

          Control First thing to confirm Evidence we expect to see
          Identity and MFA MFA covers Microsoft 365, VPN, admin accounts and systems holding business data. Named Conditional Access policies, admin-role review and a current leavers process.
          Backup and recovery Backups are separate from production and cannot be removed with one compromised admin account. Successful restore records, recovery ownership and a defined test frequency.
          Patching Operating systems, browsers, remote-access tools and business apps have a clear update process. Patch reports, exceptions list and a plan for unsupported systems.
          Endpoint protection Every live device is covered, including remote laptops and any servers still in scope. Coverage report, alert ownership and removal of stale devices.
          Firewall and remote access Remote access is MFA-protected, unwanted exposure is removed and firmware is current. Rule review, VPN-user list, firmware record and named change owner.

          The usual weak point is patch management

          In the 2025/26 survey, 34% of businesses had a policy to apply security updates within 14 days. That means patching is often still handled as a background task rather than a defined control.

          Source: GOV.UK Cyber Security Breaches Survey 2025/26: education institutions findings, which includes comparative business control data.

          06

          Cyber Essentials is worth doing, but it is not the finish line

          Cyber Essentials is useful because it forces the basics into a checklist. It covers boundary firewalls and internet gateways, secure configuration, user access control, malware protection and security update management.

          Why it matters

          The NCSC reports that organisations with Cyber Essentials certification are 92% less likely to make a cyber insurance claim than those without it. That does not mean certification makes you untouchable. It means the basic controls are worth doing properly.

          Use it as a baseline

          It is a clear way to identify old devices, unsupported software, weak configuration and uncontrolled admin access.

          Do not leave it on a shelf

          The tenant, users, devices, apps and suppliers keep changing after certification. The controls need maintaining between annual assessments.

          See how Remedian supports Cyber Essentials certification or read the NCSC Cyber Essentials overview.

          07

          Penetration testing is not always the first job

          Some businesses ask for a penetration test when they still have no MFA, no tested backup and old admin accounts everywhere. That is the wrong order.

          When penetration testing makes sense

          You hold sensitive client, financial, legal or pupil data; have public-facing systems; need evidence for a contract; or have made a material change after a migration, merger, site move or provider change.

          When the basic work comes first

          You need to deal with missing MFA, untested backup recovery, stale accounts, patching gaps or exposed remote access. A testing report is only useful when someone owns the fixes.

          A sensible order

          • Fix identity, MFA, backups, patching and exposed remote access.
          • Agree the scope: external systems, internal systems, web applications, wireless, cloud or a mix.
          • Test with agreed limits and no surprise disruption.
          • Assign actions, owners and dates before the report gets filed away.

          View Remedian penetration testing.

          08

          Microsoft 365 is where a lot of SME risk now lives

          For many organisations, Microsoft 365 is the business. Email, files, Teams, SharePoint, OneDrive, calendars and customer documents all sit there. If an attacker gets into the tenant, they do not need to touch your server.

          The checks are specific: Entra ID, Conditional Access, MFA methods, admin roles, risky sign-ins, external sharing, mailbox forwarding, legacy authentication and, where licensing allows it, device compliance through Intune.

          Business Basic or StandardGood productivity licences. They do not, by themselves, create a security model for devices, identities or access.
          Business PremiumOften gives organisations more practical control through Intune and stronger identity and device-management options.
          School licensingA3 and education tenants need clear admin separation, sensible staff and pupil access rules, device controls and leaver checks.

          The useful question

          Do not ask whether you have Microsoft 365 security. Ask who checks it, how often they check it and what evidence exists when something is changed.

          09

          The risk changes by sector

          The controls are similar. The priority changes depending on what your organisation does.

          Professional services

          For accountants, solicitors and insolvency practices, the risk is client data, mailbox compromise, invoice fraud and reputational damage. MFA and mailbox monitoring matter because email is where much of the client trust lives.

          IT support for accountants · IT support for solicitors · Insolvency IT support

          Manufacturing

          The risk is downtime. If ERP, shared files, production systems or supplier access break, the business feels it immediately. Segment office and production networks where possible, protect production data and limit supplier remote access.

          Schools and education

          Schools have safeguarding, MIS data, filtering and monitoring, guest networks, BYOD and pupil data to manage. Among schools identifying a breach in 2025/26, phishing affected 90% of primary schools and 96% of secondary schools.

          IT support for schools · Smoothwall Monitor · DfE standards

          Small businesses with 10 to 50 staff

          The risk is lack of ownership. Someone knows the firewall password. Someone else knows the backup product. Nobody has the whole picture. A documented baseline and regular review is more useful than another dashboard.

          Small business IT support · Managed IT support

          School phishing figure: GOV.UK Cyber Security Breaches Survey 2025/26: education institutions findings.

          10

          Where to start

          Do this in the right order. Buying another product before fixing the basics just gives you more alerts to ignore.

          01. Turn on MFA everywhereStart with Microsoft 365, VPN, admin accounts and anything holding business data.
          02. Check old accountsReview leavers, shared mailboxes, mailbox delegation, VPN users and local admin rights.
          03. Test a backup restoreRestore a file, folder or system. A green tick does not prove recovery.
          04. Review the firewallCheck rules, firmware, VPN settings, exposed services and who can log in.
          05. Patch devices and serversInclude third-party applications, browsers and remote-access tools, not only Windows Updates.
          06. Use Cyber Essentials as a checklistCertification is useful, but the preparation is where businesses find the real gaps.

          Do not try to fix everything in one week

          Set a clear order, assign owners and deal with the paths an attacker can use first. That is how you reduce risk without turning cyber security into a permanent side project for the person who knows the most about IT.

          Ask Remedian to check your cyber security basics

          If you want a practical view of your current cyber position, send the form. We will start with Microsoft 365 and Entra ID access, backups, old accounts, devices, firewall exposure, monitoring and the gaps that create avoidable risk.

          • We will tell you what is already fine and what needs attention.
          • We will prioritise the practical fixes rather than lead with another product.
          • We can support one-off remediation work or ongoing managed security checks.
          • For schools, we can map the work to Cyber Essentials and DfE digital standards.

          Ask for a cyber review

          Or call 0330 66 00 281 and ask for the cyber security team.

          12

          Cyber security for SMEs: FAQs

          What should an SME fix first for cyber security?+
          Start with MFA for Microsoft 365 and remote access, then review old accounts, test a backup restore, review firewall exposure and remove unnecessary admin rights. Those checks catch a large share of avoidable risk.
          Is Cyber Essentials worth it?+
          Yes. Cyber Essentials gives you a practical baseline across firewalls, secure configuration, user access control, malware protection and security updates. It needs maintaining, so it is a baseline rather than a once-a-year finish line.
          Do small businesses need penetration testing?+
          Not always as the first step. Fix obvious identity, backup, patching and remote-access gaps first. Penetration testing becomes more useful when you have public-facing systems, sensitive data, a customer requirement or a material change to the environment.
          How often should backups be tested?+
          For business-critical data and systems, we recommend testing restores at least monthly and after material changes. A backup job showing as successful does not prove the data can be restored when you need it.
          Can Remedian help schools with cyber security?+
          Yes. We support schools with Microsoft 365 and identity security, filtering and monitoring, backup checks, firewall review, staff offboarding and evidence against DfE digital and technology standards.
          What happens during a cyber security review?+
          We review the practical controls first: Microsoft 365 and Entra ID, MFA, admin roles, backup and recovery, endpoint coverage, patching, firewall rules, remote access and the accounts that should no longer be live. You receive a prioritised view of what needs fixing first.

          Our Services

          Computer Not Working?

          We Can Help You Get Back to Work with Expert Computer Repairs Manchester. Contact Us!

          secure-server

          Secure Backup

          A Secure Backup Solution from Remedian I.T. keeps your personal and business data secure and encrypted; both on and offsite to get your business back up and running with the minimum of downtime.

          wifi-router

          Broadband & WiFi

          In our interconnected world your business needs to be online 24/7. Our managed broadband and WiFi will provide quick, quality connection to get the job done. Speak to our sales team to get connected.

          monitor-screen

          Connection Monitoring

          By monitoring your internet connection, we can detect any problems and respond to them before they become major issues, keeping you connected and working towards your goals.

          cctv-camera (1)

          Phone and CCTV Systems

          Digital phone systems provide you with premium features and flexible plans that grow with your business, from single handsets to full office installations. Ask us about an HD CCTV system and access control to monitor your premises and keep your offices as secure as your data.

          it-department

          Hardware

          Providing best value is what we are all about. When it comes to advice, supply and installation of new hardware we make sure you get the best options for your business. We can even arrange finance to help you spread the cost and manage your budgets.

          online-support

          Remote Support

          Our helpdesk team are on hand, from Monday to Friday 8:30am – 5:00pm, to provide free, friendly remote support to make sure you can get your IT back on track in no time.

          Testimonials

          As a long-term client of Remedian, Ashworth Electrical Services have nothing but the highest praise for their assistance in managing our IT systems.
          The service Remedian provide is professional and efficient. The staff are always helpful and friendly.
          Remedian have been our IT support providers now for almost 6 years. During that time they have demonstrated a high level of customer service and value for money support and IT equipment.
          Remedian have helped us grow into the company we are today. The standard of service and expertise Remedian provide us with is second to none, whether it is remote helpdesk support or onsite maintenance.
          The Remedian team have provided weekly on-site technician services and have also provided strategic direction in relation to the Trust's infrastructure which has been invaluable. When issues arise the Remedian team are fast to respond and are proactive in recommending solutions to mitigate any potential issues.