Cyber security doesn’t have to be complicated. For small and medium businesses, the most effective approach is to start with simple, high impact actions, then build towards recognised standards and more mature ways of managing cyber risk. 

You do not need to do everything at once. Each step builds on the last, helping you improve protection, resilience, and confidence over time. 

Step 1 - Start with quick wins: Cyber Action Toolkit

If you’re not sure where to start, the Cyber Action Toolkit is the best place to begin. 

The Toolkit provides clear, bite-sized actions that focus on the most common cyber risks faced by smaller organisations. It is designed to help you make meaningful improvements without needing specialist knowledge. 

The Toolkit: 

  • Guides you through actions across three levels:  
    • Foundation – essential protections every organisation should have 
    • Improver – additional steps to strengthen your security 
    • Enhanced – further improvements for higher risk environments 
  • Focuses on practical areas such as:  
    • Securing accounts and passwords 
    • Protecting devices and software 
    • Safeguarding data 
    • Improving preparedness for incidents 
  • Links to trusted guidance where more detail is needed 

Outcome: Immediate, practical improvements that reduce common cyber risks and help you build confidence in your security basics. 

Step 2 - Establish a baseline: Cyber Essentials (CE)

Once you have the basics in place, Cyber Essentials helps you implement and demonstrate a recognised baseline level of cyber security. 

Cyber Essentials is a UK government-backed scheme that focuses on protecting organisations from the most common cyber attacks. It is widely recognised by customers, suppliers, and procurement teams. 

Cyber Essentials covers five key technical controls: 

  • Firewalls and internet gateways 
  • Secure configuration 
  • User access controls 
  • Malware protection 
  • Security update management 

Achieving Cyber Essentials can help you: 

  • Reduce your exposure to common attacks 
  • Demonstrate that you take cyber security seriously 
  • Meet customer, supplier, or contract requirements 
  • Build trust with partners and stakeholders 

Outcome: A recognised baseline that strengthens security and demonstrates good cyber hygiene. 

Step 3 - Increase confidence: Cyber Essentials Plus (CE+)

Cyber Essentials Plus provides a higher level of assurance than Cyber Essentials. 

Instead of self-assessment, CE+ involves independent technical examination to confirm that key security controls are working effectively in practice. 

Cyber Essentials Plus may be appropriate if: 

  • You handle sensitive or personal data 
  • You provide IT or digital services to others 
  • Customers or partners require stronger assurance 
  • You want greater confidence in your technical controls 

Outcome: Stronger, evidence-based assurance that builds confidence with customers, partners, and insurers.

Step 4 - Build skills and awareness: Staff training

Technology alone is not enough. Many cyber incidents involve human error, such as phishing emails, weak passwords, or accidental data sharing. 

Basic cyber awareness training can help staff: 

  • Recognise phishing and scam attempts 
  • Use passwords, MFA and passkeys correctly 
  • Handle data more securely 
  • Understand their role in protecting the organisation 

Good training does not need to be complex or time consuming. Even short, regular awareness activities can significantly reduce risk. 

Outcome: More confident staff who are less likely to fall victim to common attacks. 

Step 5 - Practise your response: Exercise-in-a-Box

Knowing what to do during a cyber incident is just as important as preventing one. 

Exercise-in-a-Box is a free tool that helps organisations practise how they would respond to realistic cyber scenarios, such as ransomware or data breaches. 

It allows you to: 

  • Walk through a simulated incident 
  • Test decision-making and communication 
  • Identify gaps in plans, roles, or knowledge 
  • Improve confidence without causing disruption 

Exercises can be run with technical staff, management teams, or both, and do not require specialist expertise. 

Outcome: Improved preparedness and faster, more confident response when incidents occur. 

Step 6 - Mature your cyber programme

As your organisation grows, your cyber security approach should grow with it. 

Beyond baseline controls, organisations should aim to continuously improve how they: 

  • Manage cyber risk and governance 
  • Detect and respond to incidents 
  • Recover from disruption 
  • Manage suppliers and third parties 

One way to structure this improvement is to align your approach with recognised frameworks, such as: 

While these frameworks are often used by larger or regulated organisations, they can also help smaller businesses build stronger resilience and tell a clearer story to customers, partners, and regulators. 

Outcome: Greater resilience, improved credibility, and a clearer long-term cyber security strategy.