Cyber security is no longer just a concern for large corporations. In the UK, small and medium-sized enterprises (SMEs) are increasingly targeted by cyber criminals precisely because they are often less protected. From phishing emails to ransomware attacks, the risks are growing – but the good news is that strong cyber security doesn’t have to be complex or expensive.

This practical cyber security checklist, brought to you by the Public Sector Cyber Security Conference, is designed to help UK SMEs strengthen their defences, reduce risk, and build a more resilient organisation.

1. Secure Your Accounts with Strong Authentication

Passwords alone are no longer enough.

  • Ensure all employees use strong, unique passwords for work accounts
  • Implement multi-factor authentication (MFA) wherever possible, especially for email, cloud services, and remote access
  • Discourage password sharing and the reuse of personal passwords for work systems

Using a reputable password manager can help employees manage credentials securely and consistently.
“A password manager is like a secure vault that stores your login credentials for websites and apps. You only need to remember one primary password, and the manager takes care of the rest.” – National Cyber Security Centre, a previous partner of the Public Sector Cyber Security Conference

2. Keep Systems and Software Up to Date

Outdated software is one of the most common entry points for cyber attacks.

  • Enable automatic updates for operating systems, browsers, and applications
  • Regularly update routers, firewalls, and other network equipment
  • Remove or replace unsupported software that no longer receives security patches

Keeping systems updated is one of the simplest and most effective cyber security measures for small businesses.
A good example of this is how the 2017 WannaCry cyber attacks breached the NHS through old versions of Windows software. That attack was estimated to cost the NHS £92 million.

3. Back Up Your Data Regularly

Backups can be the difference between recovery and serious disruption.

  • Schedule regular, automated backups of critical data
  • Store backups securely, ideally with at least one offline or cloud-based copy
  • Periodically test backups to ensure data can be restored quickly

This is particularly important for protecting against ransomware attacks, which continue to affect UK SMEs. If you have a recent backup, you can revert to that save point, drastically reducing the stakes of the criminal’s ransom.

4. Train Employees on Cyber Security Awareness

Human error remains a leading cause of cyber incidents.

  • Provide regular cyber security awareness training for all staff
  • Teach employees how to spot phishing emails, suspicious links, and social engineering attempts
  • Encourage a culture where staff feel confident reporting potential security issues

Cyber security is as much about behaviour and awareness as it is about technology.

This information was prepared for our yearly Public Sector Cyber Security Conference.

5. Protect Email and Internet Use

Email is one of the most common breach points.

  • Use spam filtering and email security tools
  • Limit access to risky websites where appropriate
  • Ensure staff only download software from trusted sources

Simple controls can significantly reduce exposure to malware and phishing attacks.

6. Control Access to Systems and Data

Not everyone needs access to everything.

  • Apply the principle of least privilege, giving users only the access they need
  • Remove access promptly when employees leave or change roles
  • Separate admin accounts from standard user accounts

Access control reduces the potential impact of compromised accounts.

7. Secure Devices and Remote Working

With hybrid and remote working now common, device security is essential.

  • Encrypt laptops, phones, and removable media
  • Require secure connections, such as VPNs, for remote access
  • Ensure lost or stolen devices can be remotely wiped

These steps help protect sensitive business data wherever staff are working.

8. Understand Your Legal and Compliance Responsibilities

UK businesses have clear obligations when it comes to data protection.

  • Understand how GDPR applies to your organisation
  • Know when and how to report incidents to the Information Commissioner’s Office (ICO)
  • Consider achieving Cyber Essentials certification to demonstrate good cyber hygiene

Compliance supports both security and trust.

9. Have a Cyber Incident Response Plan

Preparation reduces panic and downtime.

  • Define clear steps for responding to a cyber incident
  • Assign responsibilities in advance
  • Ensure staff know who to contact if something goes wrong

Even a simple plan can make a significant difference during an incident. Think of it like marking a fire exit route. Staff will know what their first response should be if there is a data breach.

Final Thoughts

Cyber security for UK SMEs doesn’t require specialist knowledge or large budgets, just consistent, practical action. By following this checklist, small businesses can significantly reduce their cyber risk, protect customer data, and strengthen their overall resilience.

Cyber security is not a one-off task, but an ongoing process, and every step taken today makes your business safer tomorrow.

The Public Sector Cyber Security Conference returns next February. Register your interest to hear from industry leaders across healthcare, local government and more.
