Cyber Security

Cyber Security for SMEs: What Customers, Suppliers and Insurers Actually Expect

Understand what customers, suppliers and insurers increasingly expect from SME cyber security, and what a defensible baseline looks like in practice.



For many SMEs, cyber security stays slightly abstract until someone asks a direct question.

It might be a customer during procurement. It might be a supplier as part of onboarding. It might be an insurer, or simply an internal decision-maker who wants reassurance that the basics are actually under control.

That is usually the moment cyber security becomes commercially real.

For owner-managed SMEs where Microsoft 365 is central to day-to-day operations, the issue is usually not enterprise-scale complexity but whether the baseline is clear, maintained and easy to explain when someone asks.

At that point, the question is rarely whether the business owns some tools. The real question is whether it can show that a maintained baseline exists, what is covered, who owns it, how it is evidenced, and how it is kept in shape over time.

If you are working through that question now, our Cyber Security & Cyber Essentials hub gives the wider picture. This article focuses on the practical middle ground: what “good enough” tends to look like for an SME when someone asks for proof.

Why SMEs are increasingly being asked to show security, not just say they take it seriously

A few years ago, many smaller businesses could get by with broad reassurance. Today, that is less and less convincing.

That shift is not theoretical: the UK government's Cyber Security Breaches Survey 2025 found that 43% of businesses identified a cyber breach or attack in the last 12 months, which helps explain why broad reassurance is giving way to more specific questions about controls, ownership and evidence.

Customers want confidence that suppliers are not introducing unnecessary risk. Larger firms are under pressure to understand their own supply chain. Suppliers are being asked to demonstrate more before access is granted. Insurers want clearer answers around core controls. Internally, owners and operations leads are increasingly aware that “we think we’re covered” is not the same as actually knowing.

None of this means every SME needs enterprise-scale complexity. It does mean that basic cyber security is no longer just a private internal matter. It is part of how a business is assessed commercially.

That is why the conversation has shifted from “do you have something in place?” to “can you show what is in place?”

The three situations where this usually becomes real

Customer procurement

A customer may ask what controls you have around user access, devices, backup, or admin accounts before they onboard you.

They are not usually looking for a dramatic story or a long technical explanation. They want to know whether your environment is governed, whether there is a clear baseline, and whether the answer depends on one person’s memory.

This is where smaller businesses often feel the gap between owning tools and being able to explain their security posture clearly.

Supplier onboarding

Sometimes the pressure comes the other way round. A supplier, platform, or larger partner may want reassurance before they give your business access to systems, data, or shared workflows.

That is often where security expectations become part of supply-chain participation, not just internal IT hygiene. If this is a current issue for your business, read The Hidden Cost of Failing Supplier Security Questionnaires for the narrower questionnaire angle.

Insurance or reassurance requests

In other cases, the trigger is an insurer, a renewal conversation, or an internal request for reassurance.

Questions around MFA, endpoint protection, backup, offboarding, and access control can sound simple on the surface. In practice, they expose whether the business has a known baseline or just a collection of partial measures.

A calm answer is not “we probably have that covered somewhere”. A calm answer is a clear, scoped, evidenced one.

Having tools is not the same as having a maintained baseline

This is the point many SMEs miss.

Using Microsoft 365 does not automatically mean identities, devices, admin roles, backup, and access are governed properly. Having MFA on some accounts is not the same as knowing where it is enforced, what exceptions exist, and who reviews those exceptions. Having antivirus on some machines is not the same as being confident that all in-scope devices are protected and monitored consistently. Having backup somewhere is not the same as knowing what is covered, who checks it, and how you would evidence it if asked.

Tools matter. But tools on their own do not answer the real question.

The real question is whether the environment is controlled as a baseline.

That means the business can explain, without improvising, what is in scope, who owns it, what evidence exists, and how the baseline is maintained over time. If you want a picture of what that looks like in everyday operations, see What a Cyber Essentials-Aligned IT Environment Looks Like Day-to-Day.

What a defensible cyber security baseline looks like for an SME

For an SME, “defensible” does not mean perfect. It means the business can give a credible, structured answer when someone asks.

Scope

What is actually covered?

That includes users, laptops, desktops, mobiles, Microsoft 365 identities, admin accounts, backup arrangements, and any exceptions. A business cannot defend a baseline it has never properly defined.

If the answer is vague — “most devices”, “main accounts”, “our core team” — that usually points to a scope problem.

Ownership

Who owns the baseline?

Not in a vague sense, but operationally. Who is responsible for access control? Who reviews leavers and role changes? Who owns device standards? Who approves exceptions? Who checks whether baseline controls are still being applied?

Without clear ownership, controls often exist in theory but drift in practice.

Evidence

Could the business show what is in place if asked?

That might mean being able to point to settings, device coverage, review records, documented exceptions, backup visibility, or admin-account controls. Evidence does not need to be over-engineered, but it does need to exist.

For the more specific evidence-readiness side of this, see Cyber Essentials Questionnaire: Evidence Checklist for SMEs.

Maintenance

Is the baseline being maintained, or was it simply configured once?

This is where many environments weaken. A setting gets applied, but new devices arrive outside the process. MFA is enabled, but exceptions grow informally. Offboarding works most of the time, until someone leaves quickly. Backups are assumed to be fine because no one has challenged the assumption recently.

A defensible baseline is not a one-off project. It is a maintained operating discipline.

The baseline areas people usually look at first

When customers, suppliers, insurers, or internal stakeholders ask questions, they usually start with a few predictable areas.

Identity and access

They want confidence that user accounts are controlled sensibly, access is appropriate, and MFA is enforced where it should be.

In SME terms, “good enough” usually means access is not ad hoc, joiners and leavers are handled properly, shared accounts are not normalised, and exceptions are visible rather than informal.

Friction usually appears where access has grown organically over time.

Devices

It is common to be asked, directly or indirectly, whether business devices are actually under control.

That does not require a technical essay. It does require clarity on which devices are in scope, whether they are managed consistently, and whether unsupported or unmanaged devices are creating weak points.

The usual problem is partial coverage: company devices are governed one way, everything else is dealt with case by case.

Patching

Patching is rarely exciting, but it is one of the first things that exposes whether a baseline is real.

A defensible answer is not simply “updates are on”. It is that patching is part of the operating model, responsibility is clear, and there is visibility over whether it is actually happening.

Malware protection

External parties will often expect that endpoint protection is present and applied consistently.

Again, the issue is not whether a licence exists somewhere. The issue is whether protected coverage is known, exceptions are limited, and the business is not relying on assumptions.

Backup

Backup is one of the clearest examples of the gap between ownership and assumption.

Many SMEs say they have backup, but fewer can explain exactly what is covered, how it is checked, who reviews it, and what would happen if they needed to rely on it.

That difference matters when someone asks for reassurance.

Admin control

Admin access is a small category with disproportionate importance.

A business with weak admin discipline may still appear “secure enough” at a glance, right up until someone asks who has elevated access, how that is controlled, and whether old privileges have been removed properly.

That is often where maturity becomes visible very quickly.
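The gap the article keeps returning to, between "having tools" and knowing scope, coverage and exceptions, is easy to make concrete. The script below is an added illustration, not code from the original article or from any product it mentions. It runs a baseline coverage report over a constructed, fictional inventory of users and devices (every name, date and value in it is made up), checks each of the control areas listed above (MFA, leavers, device management, malware protection, patching), and separates gaps into three kinds: covered by a documented exception with a future review date, covered by an exception whose review date has lapsed, and undocumented. The control names, the 30-day patch threshold and the exception record layout are assumptions chosen for the example; in a real Microsoft 365 environment the inventory would be exported from the tenant rather than typed in.

```python
"""Baseline coverage and exception report over a constructed inventory.

Added example: the users, devices, exceptions and dates below are fictional
and chosen to exercise each branch of the report. The control names and the
30-day patch-age threshold are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TODAY = date(2025, 6, 1)          # fixed "as of" date so the report is reproducible
PATCH_MAX_AGE_DAYS = 30           # assumed threshold for "patched recently enough"


@dataclass
class User:
    upn: str
    in_scope: bool
    mfa_enforced: bool
    is_admin: bool
    left_on: Optional[date] = None       # set when the person has left
    account_disabled: bool = False


@dataclass
class Device:
    name: str
    owner: str
    in_scope: bool
    managed: bool
    av_active: bool
    last_patched: date


@dataclass
class ApprovedException:
    """A documented exception: which control, for whom, who owns it, and when it must be reviewed."""
    control: str
    subject: str
    owner: str
    review_by: date


# Constructed sample data (fictional).
SAMPLE_USERS = [
    User("alice@example.test", True, True, True),
    User("bob@example.test", True, True, False),
    User("carol@example.test", True, False, False),                       # MFA gap, documented exception
    User("dave@example.test", True, False, False, left_on=date(2025, 4, 15)),  # leaver, still enabled
    User("svc-scanner@example.test", True, False, False),                 # MFA gap, exception lapsed
]
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "alice@example.test", True, True, True, date(2025, 5, 20)),
    Device("LAPTOP-02", "bob@example.test", True, True, True, date(2025, 4, 1)),   # 61 days unpatched
    Device("DESKTOP-03", "carol@example.test", True, False, True, date(2025, 5, 28)),  # unmanaged
    Device("BYOD-PHONE", "dave@example.test", False, False, False, date(2024, 1, 1)),  # out of scope
]
SAMPLE_EXCEPTIONS = [
    ApprovedException("mfa", "carol@example.test", "Ops lead", date(2025, 12, 31)),
    ApprovedException("mfa", "svc-scanner@example.test", "IT provider", date(2025, 1, 31)),
]


def _classify_gap(control: str, subject: str, exceptions: List[ApprovedException], today: date) -> str:
    """Decide whether a failing item is documented, expired (review date passed) or undocumented."""
    for ex in exceptions:
        if ex.control == control and ex.subject == subject:
            return "expired" if ex.review_by < today else "documented"
    return "undocumented"


def _bucket(control: str, items: List[Tuple[str, bool]],
            exceptions: List[ApprovedException], today: date) -> Dict:
    """Count in-scope items and sort the failing ones by exception status."""
    result: Dict = {"in_scope": 0, "covered": 0, "documented": [], "expired": [], "undocumented": []}
    for subject, ok in items:
        result["in_scope"] += 1
        if ok:
            result["covered"] += 1
        else:
            result[_classify_gap(control, subject, exceptions, today)].append(subject)
    return result


def baseline_report(users: List[User], devices: List[Device],
                    exceptions: List[ApprovedException], today: date = TODAY) -> Dict[str, Dict]:
    """Per-control coverage for the areas external parties usually ask about first."""
    scoped_users = [u for u in users if u.in_scope]
    scoped_devices = [d for d in devices if d.in_scope]
    leavers = [u for u in users if u.left_on is not None]
    return {
        "mfa": _bucket("mfa", [(u.upn, u.mfa_enforced) for u in scoped_users], exceptions, today),
        "leavers_disabled": _bucket("leavers_disabled", [(u.upn, u.account_disabled) for u in leavers],
                                    exceptions, today),
        "device_managed": _bucket("device_managed", [(d.name, d.managed) for d in scoped_devices],
                                  exceptions, today),
        "malware_protection": _bucket("malware_protection", [(d.name, d.av_active) for d in scoped_devices],
                                      exceptions, today),
        "patching": _bucket("patching", [(d.name, (today - d.last_patched).days <= PATCH_MAX_AGE_DAYS)
                                         for d in scoped_devices], exceptions, today),
    }


def is_defensible(report: Dict[str, Dict]) -> bool:
    """Defensible here means every gap is a documented, in-date exception: nothing informal, nothing lapsed."""
    return all(not r["undocumented"] and not r["expired"] for r in report.values())


def format_report(report: Dict[str, Dict]) -> List[str]:
    lines = []
    for control, r in report.items():
        lines.append(f"{control}: {r['covered']}/{r['in_scope']} covered; "
                     f"documented={r['documented']} expired={r['expired']} undocumented={r['undocumented']}")
    return lines


if __name__ == "__main__":
    rep = baseline_report(SAMPLE_USERS, SAMPLE_DEVICES, SAMPLE_EXCEPTIONS)
    print("\n".join(format_report(rep)))
    print("defensible:", is_defensible(rep))
```

Run as-is, the sample environment is not defensible: MFA is only enforced on 2 of 5 in-scope accounts, one exception has lapsed without review, a leaver's account is still enabled, one desktop is unmanaged and one laptop is 61 days behind on patching. The point of the report is not the verdict but that each gap has a name, a status and (where documented) an owner and review date, which is exactly what an assessor asks for.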

Why Microsoft 365 does not remove the need for governance

Microsoft 365 is central for many SMEs, but it is not a substitute for governance.

It does not remove the need to define scope. It does not remove the need to control access. It does not remove the need to manage devices properly. It does not remove the need to evidence baseline settings. It does not remove the need to review admin access, handle leavers well, or maintain the environment over time.

In practice, Microsoft 365 often makes the need for structure more obvious, not less.

That is because businesses can easily assume the platform itself has “handled security”, when the real issue is whether their own identities, devices, permissions, exceptions, and operating habits are governed properly within it.

For owner-managed SMEs, that is usually the important shift: moving from platform confidence to baseline clarity.

Where smaller businesses usually get stuck

Most smaller businesses do not fail because they ignored cyber security completely. They get stuck because the environment is only partly structured.

Common friction points include assumptions instead of evidence, partial coverage across users or devices, informal exceptions that were never revisited, unclear ownership between internal staff and external providers, unmanaged devices that sit outside the baseline, weak leaver controls, and settings that exist “somewhere” without anyone being clear on scope.

None of that is unusual. It is what happens when the environment grows faster than the discipline around it.

The important thing is to recognise the pattern early and deal with it calmly, before a customer, supplier, insurer, or internal stakeholder exposes the gaps for you.

What “good enough” looks like when someone asks for proof

For an SME, a defensible answer is usually a simple one.

There is a known baseline. The business knows what is in scope. Ownership is clear. Core controls are visible. Evidence exists. Exceptions are limited and understood. Maintenance is part of routine operations, not an occasional reaction.

That does not make the business invulnerable. It does make the answer more credible.

Instead of saying, “We use Microsoft 365 and have a few tools in place,” the business can say, in effect: we know what is covered, we know who owns it, and we can show how the baseline is being maintained.

That is a much stronger position in procurement, supplier conversations, insurer reassurance, and internal decision-making alike.

Start with clarity, not assumptions

If this article has highlighted anything, it should be this: the first step is usually not buying more tools.

It is also not jumping straight into a managed-service quote.

The sensible first step is understanding the current baseline clearly: what is in scope, where ownership sits, what evidence exists, and where maintenance is strong or inconsistent.

That is exactly what the diagnostic path is for: a Security Triage Call is a fit-and-gaps clarifier that helps you understand your current baseline before making wider IT decisions, not a free audit and not a generic quote request.

Book a Security Triage Call

Download CE-baseline Checklist

Learn about the Security Baseline Review

FAQs

What cyber security should an SME have?

An SME usually needs a clear baseline across identity and access, devices, patching, malware protection, backup, and admin control. The important question is not just which tools exist, but whether scope, ownership, evidence, and maintenance are clear.

What do customers expect from an SME’s cyber security?

Most customers are looking for reassurance that your environment is governed sensibly and that your answers do not depend on guesswork. They want to know whether the basics are controlled, visible, and maintained.

Does Microsoft 365 cover all of our cyber security needs?

No. Microsoft 365 can be a strong foundation, but it does not replace governance. You still need to define scope, control access, manage devices, evidence settings, and maintain the environment over time.

What makes a cyber security baseline defensible?

A defensible baseline has four clear qualities: scope, ownership, evidence, and maintenance. It means the business can explain what is covered, who is responsible, how it can be shown, and how it is kept current.

Do SMEs need Cyber Essentials certification or just a maintained baseline?

That depends on the commercial context. Some businesses need certification because a customer, contract, or sector expects it. Others first need a clearer maintained baseline before certification becomes the right conversation. In either case, the sensible starting point is to understand the current position properly through a Security Triage Call.


More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup


View all resources

For 10-15 seat owner-managed SMEs in Sussex & Kent who want clarity, stability, and a proper security baseline — start with the free Security Triage Call.
