Cyber Security for SMEs
Cyber Security & Cyber Essentials for SMEs in Sussex & Kent
Understand your risks, align to a clear baseline, and avoid becoming the "weak link" in your customers' supply chain.
The National Cyber Security Centre (NCSC) has made one point repeatedly clear: for small businesses, a cyber incident is no longer a question of if - it's when.
Attackers increasingly use SMEs as stepping-stones to larger targets. Your business may feel small, but the data and access you hold aren't. And insurers, customers, and suppliers know it - which is why security questionnaires and baseline checks are now routine.
Yet most 10-25 seat SMEs still operate without the fundamentals in place.
Typical red flags:
No multi-factor authentication (MFA) for key accounts.
Admin accounts mixed with everyday accounts.
Inconsistent or outdated antivirus tools.
Patching not enforced across all endpoints.
Backups assumed but never tested.
Shadow IT (unapproved tools and SaaS applications in use across the estate).
No visibility of who has access to what.
These aren't technical problems - they're business risks. They affect contracts, insurance, customer trust, staff productivity, and incident recovery. If a customer asked you tomorrow for a Cyber Essentials readiness statement, could you confidently provide one?
You don't need the full certification to benefit from its structure - you need alignment with the core principles. A CE-aligned environment typically includes:
Strong identity controls.
Mandatory MFA.
Role-based access.
Admin account separation.
Single sign-on (where applicable).
Clear offboarding process.
Secure devices.
Every device enrolled into Microsoft Intune (Mobile Device Management (MDM)).
Encryption enabled (BitLocker/FileVault).
Compliance and configuration policies enforced.
Standardised builds to remove drift.
Modern malware protection.
Endpoint Detection & Response (EDR) via SentinelOne.
24/7 Security Operations Centre (SOC) monitoring.
No mixing of different antivirus tools.
Patch and update discipline.
Operating system and application patching enforced automatically.
No unmanaged endpoints.
Monitoring and reporting via NinjaOne (RMM).
Reliable, tested backup.
Third-party Microsoft 365 backup.
Server backup (where needed).
Routine restore testing.
Retention policies that meet insurance expectations.
This is what your business should look like before even thinking about suppliers, customers, or compliance reviews. It's also the foundation of how we operate.
Step 1: Free Security Triage Call
A short, structured call to understand your high-level security posture.
A verbal RAG (red/amber/green) rating across CE-style domains.
Key gaps identified at a high level - the goal is clarity on your current posture, not a full written report.
A check on whether your organisation fits our operating model.
Clarity on whether a full review is recommended.
Step 2: Paid Security Baseline Review
A deeper, evidence-based assessment that maps your business to the core domains of Cyber Essentials.
A written baseline report.
RAG status for each control category.
The top 5-10 risks, ranked by severity.
A remediation roadmap split into Now, Next + Later.
A readout session with your leadership team.
100% of the review fee credited against onboarding if you join our all-inclusive service.
This is not a certification service - it's a practical operational assessment aligned with the principles of Cyber Essentials.
The Baseline Review covers the areas insurers and supply chains care about most:
1. Identity & Access
MFA coverage.
Password policies.
Admin segregation.
Single sign-on (SSO).
Guest access controls.
2. Devices
Inventory accuracy.
Managed vs unmanaged devices.
Encryption.
Compliance policies.
Secure configuration.
3. Malware Protection
EDR deployment.
SOC responses.
Legacy AV tools.
Excluded devices or exceptions.
4. Patching & Updates
Operating system updates.
App patching.
Monitoring coverage.
Missing or stalled updates.
5. Backup & Recovery
Backup coverage.
Retention.
Restore testing evidence.
Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
6. SaaS & Shadow IT
Unapproved applications.
Data sprawl.
Supplier/system risks.
7. Basic Incident Readiness
Who does what if something happens?
How quickly users regain access.
Evidence of recovery tests.
This is not something you dip in and out of. It's embedded into daily IT operations.
Everything required for a baseline is included in the core service. You don't pay extra to be safe.
Owner Managed SMEs
Take the first step
If you’re a 10–25 seat SME in Sussex or Kent and want your IT to be secure, stable, and predictable, the next step is simple.