For most owner-managed SMEs, cyber risk is not caused by one missing tool.
The bigger issue is drift.
A new laptop is added quickly. A user changes role. A contractor gets access. A cloud app is introduced. An old admin account remains active. A backup job stops working. A software update is delayed. A personal phone keeps accessing company email.
Individually, these things can look minor. Over time, they make the environment unclear.
A maintained cyber security baseline reduces this avoidable exposure by making the fundamentals visible, owned, reviewed and enforced.
It does not guarantee protection. No baseline can remove risk completely.
But for SMEs using Microsoft 365, it creates a practical operating standard across the areas that matter most: identity, devices, patching, malware protection, backup, access control and cloud services.
Why “baseline” matters more than another security tool
A cyber security baseline is the minimum set of conditions that should remain true across the business.
It answers questions such as:
Which users exist?
Which devices can access business data?
Which cloud services are in scope?
Is MFA enabled where available?
Are devices supported and patched?
Is malware protection active?
Is admin access limited?
Is backup coverage defined?
Has recovery been tested?
Are leavers removed properly?
Is evidence available when someone asks?
The National Cyber Security Centre’s Cyber Essentials framework centres on five technical control areas: secure configuration, user access control, malware protection, security update management and firewalls.
Those control areas are useful because they make baseline security concrete. They move the conversation away from “Are we secure?” and towards “Are the right conditions true, and are they maintained?”
That distinction matters.
A one-off setup can look good on day one. But SMEs change constantly. Staff join and leave. Devices age. Microsoft 365 settings change. Suppliers come and go. Software needs updating. Backups need checking.
A maintained baseline treats security as an operational discipline, not a project that was completed once.
Threat pattern 1 — phishing and credential theft
The UK Cyber Security Breaches Survey 2025/26 found that phishing affected 38% of businesses overall and 88% of businesses that had identified a breach or attack.
For SMEs, phishing matters because staff accounts are often the route into everything else.
A Microsoft 365 account may provide access to email, Teams, SharePoint, OneDrive, finance conversations, customer data, supplier correspondence and password resets for other services.
A maintained baseline reduces exposure by ensuring that account protection is not left to chance.
The relevant baseline conditions include:
MFA coverage across Microsoft 365 and other cloud services where available
secure email settings
staff awareness of common attack patterns
account monitoring
reduced administrator exposure
clear joiner and leaver processes
This does not make phishing disappear. People can still be targeted.
But it makes it harder for one stolen password or one mistaken click to become a wider business compromise.
The baseline question is: do you know that every active account is protected appropriately, or are you assuming?
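One way to answer that question with evidence rather than assumption, as an added example that is not from the article or from Infinite Cloud IT: a Microsoft Graph PowerShell script that reports three of the conditions listed above for a Microsoft 365 tenant, accounts without a registered MFA method, enabled accounts with no sign-in for 90 days (likely leavers or forgotten accounts), and Global Administrator membership. The Microsoft.Graph module, the scopes and the 90-day threshold are assumptions; the SignInActivity property needs a Microsoft Entra ID P1 or P2 licence.

```powershell
# Added example (not from the article or Infinite Cloud IT): drift report for three
# Microsoft 365 baseline conditions using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent
# to these scopes. SignInActivity requires a Microsoft Entra ID P1/P2 licence.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$staleDays = 90   # assumption: no sign-in for 90 days suggests a leaver or forgotten account
$cutoff    = (Get-Date).AddDays(-$staleDays)

# 1. Accounts with no registered MFA method (the "are you assuming?" question)
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = $registration | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin

# 2. Enabled accounts that have not signed in within the window (leaver process check)
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, SignInActivity
$stale = $users | Where-Object {
    $_.AccountEnabled -and
    ($null -eq $_.SignInActivity.LastSignInDateTime -or
     $_.SignInActivity.LastSignInDateTime -lt $cutoff)
} | Select-Object UserPrincipalName,
    @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }

# 3. Global Administrator members (admin exposure should be small and known)
$gaRole = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Evidence: dated files that can be compared from one review to the next
$stamp = Get-Date -Format 'yyyy-MM-dd'
$noMfa  | Export-Csv "baseline-$stamp-no-mfa.csv" -NoTypeInformation
$stale  | Export-Csv "baseline-$stamp-stale-accounts.csv" -NoTypeInformation
$admins | Set-Content "baseline-$stamp-global-admins.txt"

"$($noMfa.Count) accounts without MFA, $($stale.Count) stale enabled accounts, " +
"$($admins.Count) Global Administrators"
```

Running this on a schedule and keeping the dated files is the "evidence available when someone asks" condition; a growing no-MFA or stale-account list between two runs is drift made visible.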
Threat pattern 2 — impersonation and payment redirection
The same GOV.UK survey found that impersonation affected 12% of businesses overall.
Impersonation is dangerous because it blends into normal communication. A message appears to come from a director, supplier, customer or colleague. The request looks familiar. The pressure feels routine.
The business exposure is not just the email. It is the process around the email.
Payment redirection, fake supplier changes and fraudulent urgent requests can succeed when mailbox security, access control and finance verification are weak.
A maintained baseline reduces this exposure through:
Known and controlled user accounts.
Secure mailbox configuration.
Email authentication and anti-spoofing controls.
Clear payment-change processes.
Finance verification outside the original email thread.
Prompt leaver account removal.
Limited access to finance mailboxes and shared documents.
This is where cyber security becomes operational governance.
The business needs to know who can access what, which accounts are active, and how sensitive changes are approved.
The baseline question is: could a convincing email bypass both technical controls and business process?
Threat pattern 3 — ransomware disruption
Ransomware affected 1% of businesses overall in the GOV.UK 2025/26 survey, but its impact can be disproportionate.
For an SME, ransomware is not only about data theft. It is about disruption.
Staff may lose access to files. Systems may need rebuilding. Customers may ask questions. Suppliers may lose confidence. Recovery may depend on whether backup coverage was properly defined and tested.
A maintained baseline reduces ransomware exposure through:
Supported operating systems and applications.
Patch management.
Endpoint protection.
Limited privileged access.
Backup coverage.
Restore testing.
Monitoring of unusual activity.
Removal of unsupported systems.
Backup is especially important, but it should not be assumed. The Backup & Business Continuity hub explains this in more detail, including why Microsoft 365 data protection and recovery need a defined position.
Microsoft’s shared-responsibility model makes clear that customers retain responsibility for their data, identities, endpoints, accounts and access management. Microsoft also states that Microsoft 365 customers are responsible for data management and protection, including recovery from customer-side incidents such as ransomware or mistaken deletion.
The baseline question is: if files, mailboxes or systems became unavailable, do you know what could be restored, how quickly, and from where?
Threat pattern 4 — unmanaged and secondary devices
Unmanaged devices are a common source of drift in SMEs.
Examples include:
Director laptops not built to standard.
Personal devices accessing Microsoft 365.
Old laptops kept in use.
Phones without clear controls.
Contractor machines.
Spare devices used during busy periods.
Devices outside warranty or vendor support.
The problem is not the device itself. The problem is that it may access business data without the same baseline controls as everything else.
A maintained baseline requires:
A known device inventory.
Supported devices.
Device compliance policies.
Managed access to Microsoft 365.
Malware protection.
Patch status visibility.
No long-term unmanaged devices in scope.
Replacement planning for unsupported equipment.
This is especially important where Microsoft 365 is the central identity and collaboration platform. A laptop is not just a laptop if it can access email, files, Teams and business applications.
The baseline question is: can unmanaged or unsupported devices still access business data?
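To see which devices are actually in scope, as an added example that is not from the article or from Infinite Cloud IT: a Microsoft Graph PowerShell script that lists devices registered with the Microsoft 365 tenant that have signed in recently but are not managed or are failing compliance, which is the long-term unmanaged device the baseline says should not exist. The Microsoft.Graph module, the scope and the 30-day activity window are assumptions.

```powershell
# Added example (not from the article or Infinite Cloud IT): recently active devices that
# are registered in the tenant but unmanaged or non-compliant. Assumes the Microsoft.Graph
# module is installed; the 30-day window is an assumption.
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome

$activeDays = 30
$cutoff     = (Get-Date).AddDays(-$activeDays)

$devices = Get-MgDevice -All -Property Id, DisplayName, AccountEnabled, OperatingSystem,
    OperatingSystemVersion, TrustType, IsManaged, IsCompliant, ApproximateLastSignInDateTime

# In scope: enabled devices that have signed in within the window
$inScope = $devices | Where-Object {
    $_.AccountEnabled -and
    $null -ne $_.ApproximateLastSignInDateTime -and
    $_.ApproximateLastSignInDateTime -ge $cutoff
}

# Drift: IsManaged/IsCompliant are empty for devices no MDM has ever reported on,
# so "not managed" also catches devices that were never enrolled
$drift = $inScope | Where-Object { -not $_.IsManaged -or -not $_.IsCompliant } |
    Select-Object DisplayName, OperatingSystem, OperatingSystemVersion, TrustType,
        IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Sort-Object ApproximateLastSignInDateTime -Descending

# TrustType: 'Workplace' = personal/BYOD registration, 'AzureAd' = joined, 'ServerAd' = hybrid
$drift | Group-Object TrustType | Select-Object Name, Count

$stamp = Get-Date -Format 'yyyy-MM-dd'
$drift | Export-Csv "baseline-$stamp-unmanaged-devices.csv" -NoTypeInformation
"$($inScope.Count) devices active in the last $activeDays days; " +
"$($drift.Count) unmanaged or non-compliant"
```

A device that reaches email without ever registering with the tenant does not appear in this list at all; that gap is what requiring registered, compliant devices for access to Microsoft 365 closes.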
Threat pattern 5 — cloud scope ambiguity
Many SMEs now run on a mix of Microsoft 365 and other cloud services.
That might include accounting software, CRM systems, HR platforms, supplier portals, file-sharing tools, booking platforms, industry applications and remote-access services.
The risk is ambiguity.
If nobody owns the full cloud scope, access can become unclear. Users stay active. Suppliers retain accounts. MFA is not enabled. Data is stored in places nobody reviews. Backup assumptions go untested.
A maintained baseline brings cloud services into scope by requiring clarity across:
All cloud services that store or process business data.
Named ownership for each service.
MFA where available.
Joiner and leaver updates.
Supplier and contractor access reviews.
Least-privilege access.
Backup and recovery decisions.
Evidence of review.
IASME’s April 2026 Cyber Essentials update reinforces this direction. Cloud services must be included in scope where relevant, MFA is mandatory for cloud services where available, and the board or director declaration strengthens the expectation of ongoing compliance.
The baseline question is: do you know which cloud services hold business data and who has access to each one?
Threat-to-control summary table
| Threat pattern | Exposure | Maintained baseline controls |
|---|---|---|
| Phishing and credential theft | Compromised staff accounts leading to email, file or system access | MFA, secure email settings, account monitoring, staff awareness, reduced admin exposure |
| Impersonation and payment redirection | Fraudulent payment changes or supplier requests | Access control, mailbox security, email authentication, finance verification, leaver controls |
| Ransomware disruption | Downtime, inaccessible files, recovery pressure | Supported software, patching, endpoint protection, backup, restore testing, privileged access discipline |
| Unmanaged and secondary devices | Business data accessed from uncontrolled devices | Device inventory, compliance, Microsoft 365 access controls, supported devices, no long-term unmanaged devices |
| Cloud scope ambiguity | Unknown services, unclear ownership, supplier access and weak MFA coverage | Cloud service inventory, MFA, named owners, joiner/leaver updates, supplier access review |
Why maintenance beats one-off setup
The baseline only works if it is maintained.
That is because SME IT environments move.
A business may start with a reasonable setup and still drift over time because:
Staff join.
Staff leave.
Users change roles.
New SaaS tools are introduced.
New laptops and phones are added.
Old devices remain active.
Software becomes unsupported.
Admin accounts are forgotten.
Suppliers retain access.
Backup jobs stop working.
Microsoft 365 settings change.
Patches fail or are postponed.
None of these require bad intent. They are normal operational changes.
But without review, they create exposure.
This is why “set and forget” security is not enough. A maintained and reviewed baseline makes security part of day-to-day IT operations. It gives the business a rhythm for checking whether the right conditions are still true.
For owner-managed SMEs, that rhythm is often missing when IT is treated as reactive support only.
Reactive support fixes tickets. Baseline-led operations reduce drift.
Where Infinite Cloud IT starts
Infinite Cloud IT works with owner-managed SMEs in Sussex and Kent that use Microsoft 365 as their core identity and collaboration platform.
The starting point is diagnostic.
A Security Triage Call gives a high-level view of the business, the Microsoft 365 environment, visible concerns and whether there is a fit for a baseline-led approach.
Where a deeper look is needed, the Security Baseline Review produces a written, prioritised roadmap across users, devices, Microsoft 365, patching, malware protection, backup, access control and evidence.
For the right-fit business, the longer-term model is an all-inclusive managed IT service where security, backup, monitoring, device management and business-hours support are built into one operating model.
The aim is not to bolt security on as an optional extra.
The aim is to make baseline security part of how IT is run every day.
A maintained baseline is a business control
A maintained cyber security baseline is not a guarantee.
It is not a claim that risk disappears.
It is a business control that reduces avoidable exposure by making the fundamentals clear, owned, reviewed and enforced.
For SMEs in 2026, that matters because the visible threat patterns are not mysterious. Phishing, impersonation, ransomware disruption, unmanaged devices and cloud ambiguity all exploit gaps in basic operational discipline.
The practical response is to know the estate, control access, maintain devices, patch systems, protect accounts, define backup and review evidence.
That is what a baseline is for.

Backup & Disaster Recovery
How a Maintained Cyber Security Baseline Reduces SME Exposure in 2026