Small Business Cybersecurity Services Checklist 2026
Cyber criminals are not targeting large enterprises exclusively. UK small businesses are frequently chosen as targets precisely because they are assumed to have fewer defences and less resource to respond. The NCSC's annual Cyber Security Breaches Survey consistently finds that around half of UK businesses report a cyber incident each year, and the majority are not large organisations.
For a business of 10 to 30 people, the challenge is not that good cybersecurity is unavailable. It is that the options are overwhelming, the terminology is confusing, and it is hard to know what is essential versus what is a nice-to-have. This guide cuts through that. It covers what a credible small business cybersecurity package should include, the minimum IT requirements for a 20-person UK team, and the practical steps that make the biggest difference to your hacking risk.
What a cybersecurity package should include
A proper cybersecurity package is not a single product. It is a set of overlapping controls that work together to reduce your exposure, detect threats earlier, and contain the damage if something does get through. Here is what each layer does and why it matters.
Email security
Email remains the most common entry point for attacks. Phishing, business email compromise, and malicious attachments account for the majority of incidents affecting small businesses.
A solid email security layer should include:
- Anti-spam and anti-phishing filtering. Blocks known malicious senders and analyses email content and links before delivery.
- Attachment sandboxing. Opens suspicious files in an isolated environment before they reach the recipient's inbox.
- Impersonation protection. Detects emails that spoof your domain, your suppliers, or your senior staff.
- DMARC, DKIM, and SPF configuration. Prevents your domain from being used to send fraudulent emails to others.
Many businesses using Microsoft 365 already have basic email protection included. For higher-risk environments, a dedicated email security gateway adds another layer of filtering on top.
Common pitfall: DMARC, DKIM, and SPF are widely overlooked by small businesses. Without them, your domain can be spoofed by attackers to target your clients and suppliers. Check your configuration before anything else.
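A quick way to act on that last sentence is to pull the two TXT records (SPF at your domain, DMARC at `_dmarc.<your-domain>`) and run them through a structural check before relying on them. The validator below is an added example written for this guide, not code from the original checklist; the record strings in it are constructed samples, and the checks encode the common failure modes (a neutral or permissive `all`, too many DNS lookups, a monitor-only DMARC policy with no reporting address).

```python
"""Offline sanity checks for SPF and DMARC TXT records (added example).

Assumptions: records are supplied as plain strings, as returned by a DNS TXT
lookup. Nothing here touches the network, so the sample records below are
constructed for illustration.
"""
import re

# SPF terms that each consume one of the 10 DNS lookups allowed by RFC 7208.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it looks sound."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    final = None
    for term in terms[1:]:
        body = term.lstrip("+-~?")                 # drop the qualifier
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            final = term.lower()                    # keep the qualifier
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and should be removed")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if final is None:
        findings.append("no terminating 'all' mechanism")
    elif final in ("+all", "all"):
        findings.append("'+all' lets anyone send as your domain")
    elif final == "?all":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it looks sound."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only part of your mail")
    return findings


# Constructed sample records (spf.protection.outlook.com is the standard
# Microsoft 365 include; the rest are placeholders).
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com include:_spf.example.net a mx ?all"
SAMPLE_SPF_GOOD = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.uk; pct=100"


def audit_domain(spf: str, dmarc: str) -> dict[str, list[str]]:
    """Bundle both checks so one call reports on a domain's anti-spoofing setup."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SAMPLE_SPF_WEAK, SAMPLE_DMARC_WEAK),
                              ("good", SAMPLE_SPF_GOOD, SAMPLE_DMARC_GOOD)):
        print(label, audit_domain(spf, dmarc))
```

Treat an empty findings list as "structurally fine", not as proof the record is correct: the check cannot tell you whether the includes you list actually cover every service that sends on your behalf, which is what the DMARC aggregate reports (`rua=`) are for.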
Endpoint protection
Every laptop, desktop, and mobile device connected to your network is a potential entry point. Traditional antivirus is no longer sufficient on its own. Modern endpoint protection uses behavioural analysis to detect threats that signature-based tools miss.
Look for:
- Endpoint detection and response (EDR). Monitors device behaviour in real time and can isolate a compromised device automatically.
- Managed detection and response (MDR). Adds a human security team that reviews alerts and responds on your behalf, which is particularly valuable when you do not have in-house security expertise.
- Centralised management and reporting. Every device's protection status should be visible in a single dashboard, not scattered across individual machines.
- Mobile device management (MDM). Enforces security policies on smartphones and tablets, including the ability to remotely wipe a lost or stolen device.
Common pitfall: Deploying endpoint protection and then never checking it. Antivirus tools can silently stop updating or reporting without anyone noticing. Centralised monitoring catches this; individual installs on each machine do not.
DNS and web filtering
DNS filtering blocks connections to known malicious domains before a user's browser ever loads the page. It is a lightweight, high-impact control that stops many attacks at the network level rather than relying on the user to make the right decision.
Effective web filtering should block:
- Malware distribution sites and command-and-control servers
- Phishing pages, including newly registered domains (a common attacker technique)
- Categories of content that fall outside your acceptable use policy
DNS filtering extends to remote workers when deployed as a cloud-based agent, which matters significantly for businesses with laptops leaving the office.
Firewall management
A properly configured firewall is a fundamental control. For a 20-person business, this typically means a next-generation firewall (NGFW) at the network perimeter, supplemented by host-based firewalls on individual devices.
Key requirements:
- Inbound traffic is blocked by default, with explicit rules for permitted services only
- Outbound traffic is filtered and logged
- Remote access, if any, is via VPN rather than exposed RDP or SSH ports
- Firewall rules are reviewed and documented at least annually
- Firmware is kept up to date
Common pitfall: The ISP-supplied router that has never been reconfigured since installation. These devices typically have weak default passwords, no logging, and no inspection capability. They are not a substitute for a business-grade firewall.
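The annual rule review in the list above is easier to keep honest if the rules are checked mechanically against those requirements. The script below is an added example, not part of the original guide or any vendor's tooling: it takes a simplified rule export (the `Rule` shape and the sample ruleset are constructed, since every firewall exports a different format) and flags management ports open to the internet, unlogged outbound traffic, undocumented rules, rules nobody has reviewed in a year, and a missing inbound default-deny.

```python
"""Review a simplified firewall ruleset against the checklist requirements
(added example; rule format and sample rules are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ports that should only ever be reachable over the VPN, never from "any".
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
REVIEW_INTERVAL_DAYS = 365


@dataclass
class Rule:
    name: str
    direction: str            # "in" or "out"
    action: str               # "allow" or "deny"
    src: str                  # "any" or a CIDR / host
    dst_port: Optional[int]   # None means any port
    log: bool
    comment: str
    last_reviewed: date


def review_rules(rules: list[Rule], today: date) -> list[str]:
    """Return human-readable findings; an empty list means the ruleset passes."""
    findings = []
    for r in rules:
        if r.direction == "in" and r.action == "allow" and r.src == "any":
            if r.dst_port in MANAGEMENT_PORTS:
                findings.append(f"{r.name}: {MANAGEMENT_PORTS[r.dst_port]} exposed to the internet; "
                                "move it behind the VPN")
            elif r.dst_port is None:
                findings.append(f"{r.name}: allows all inbound traffic from any source")
        if r.direction == "out" and r.action == "allow" and not r.log:
            findings.append(f"{r.name}: outbound traffic is not logged")
        if not r.comment.strip():
            findings.append(f"{r.name}: no documented purpose")
        if (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"{r.name}: not reviewed in over a year")
    # Inbound must end with an explicit deny-all so anything unlisted is blocked.
    inbound = [r for r in rules if r.direction == "in"]
    last = inbound[-1] if inbound else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst_port is None):
        findings.append("no final inbound deny-all rule")
    return findings


# Constructed sample ruleset for a small office perimeter.
SAMPLE_RULES = [
    Rule("allow-https-web", "in", "allow", "any", 443, True, "Public website on DMZ host", date(2025, 9, 1)),
    Rule("rdp-for-finance", "in", "allow", "any", 3389, False, "", date(2023, 1, 10)),
    Rule("deny-inbound-default", "in", "deny", "any", None, True, "Default deny", date(2025, 9, 1)),
    Rule("allow-outbound", "out", "allow", "any", None, False, "All outbound from LAN", date(2025, 9, 1)),
]


def sample_review(today: date = date(2026, 1, 15)) -> list[str]:
    return review_rules(SAMPLE_RULES, today)


if __name__ == "__main__":
    for finding in sample_review():
        print("-", finding)
```

The sample deliberately contains the classic small-office mistake, an RDP rule opened "temporarily" years ago with no owner recorded; the review surfaces it three times (exposed, undocumented, unreviewed), which is the point of checking several properties per rule rather than just one.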
Identity and access management
A compromised credential is one of the most common ways attackers get inside a business. Identity controls limit what an attacker can do once they have one.
A minimum identity stack includes:
- Multi-factor authentication (MFA) on every account. No exceptions for cloud services, email, or admin access.
- Single sign-on (SSO). Centralises authentication so you can enforce consistent policies and immediately revoke access when someone leaves.
- Privileged access management. Admin accounts are separate from day-to-day accounts and are used only for administrative tasks.
- Conditional access policies. Blocks sign-ins from unexpected locations or devices, even with valid credentials.
- A joiners, movers, and leavers process. Accounts are created, updated, and removed promptly as your team changes.
Common pitfall: Everyone having local administrator rights on their machine. This is the default in many small business setups and dramatically increases the damage a piece of malware can do. Remove admin rights from standard user accounts wherever possible.
Security awareness training
Your team is your most variable control. A well-configured technical stack can be undermined by one person clicking a phishing link or responding to a fraudulent payment request. Regular training makes your people a meaningful part of your defence rather than a liability.
Much historical training teaches staff to look for things like poor spelling in phishing emails. In the age of AI, these emails are being tailored at scale, so they are much harder to spot. Always have an offline verification process in place to confirm identities or critical changes such as payment details.
Effective security awareness training includes:
- Short, regular modules: monthly or quarterly is more effective than an annual all-day session
- Simulated phishing tests with targeted follow-up training for those who click
- Coverage of current threats, not just generic cybersecurity basics
- Clear guidance on how to report suspicious emails or activity
Backup and recovery
Ransomware is the scenario where most small businesses find out whether their backups actually work. A robust backup strategy follows the 3-2-1 rule: three copies of data, on two different media types, with one copy off-site or in an isolated cloud environment.
For a 20-person business, this typically means:
- Cloud productivity suite backup. Microsoft 365 and Google Workspace do not guarantee full data recovery. A third-party backup tool is required for email, SharePoint, and Teams data.
- Endpoint backup. Local device data should be backed up to a centralised location, not just synced to OneDrive or Google Drive.
- Immutable backups. At least one copy of your backup data should be stored in a format that cannot be modified or deleted by ransomware, even if your primary systems are compromised.
- Regular restore tests. Schedule quarterly restore tests. A backup you have never tested is a backup you cannot rely on.
Common pitfall: Assuming that OneDrive sync is a backup. If ransomware encrypts your local files, synced copies in OneDrive may be overwritten before anyone notices. Backup and sync are different things.
Security monitoring
Security monitoring means having visibility into what is happening across your systems so that attacks are detected quickly rather than discovered after the fact. Small businesses rarely have the resource for a full security operations centre, but a managed monitoring service provides equivalent capability without the overhead.
Look for:
- Log collection and analysis. Events from your endpoints, firewall, email system, and identity platform are centralised and reviewed for suspicious patterns.
- Alert triage. Alerts are reviewed by experienced analysts, not just generated and emailed to someone who does not have time to read them.
- Mean time to detect. Ask providers how quickly they typically identify a threat. Industry best practice is hours, not days.
Incident response
If an attack does succeed, how you respond in the first hours determines how much damage is done. Small businesses rarely have a plan, which means they improvise under pressure at the worst possible time.
A basic incident response capability includes:
- A written plan that covers who does what, who to contact, and in what order
- Clear criteria for isolating affected systems without destroying forensic evidence
- Contact details for your IT provider, cyber insurer, and legal counsel
- Awareness of your ICO reporting obligations: personal data breaches must be reported within 72 hours under UK GDPR
- A post-incident review process so you learn from what happened
The minimum IT stack for a 20-person team
With the above controls in mind, here is what a practical, well-secured IT environment looks like for a UK business of around 20 people.
Productivity and identity platform. Microsoft 365 Business Premium covers a significant amount of the security stack in one licence: Defender for Business (EDR), Entra ID (SSO and conditional access), Intune (device management and MDM), and Defender for Office 365 (email security). For most 20-person businesses, this is the recommended foundation. Google Workspace with separate security add-ons is a viable alternative, but requires more assembly to reach the same baseline.
DNS filtering. A cloud-based DNS filtering service applies to all internet traffic from your network and devices, including those working remotely via an agent. This is a low-cost, high-impact control that many small businesses overlook.
Password manager. Every member of your team should have access to a business password manager, with company credentials stored in shared vaults and personal credentials kept separate. This is one of the most impactful, lowest-friction changes a small business can make.
Managed firewall. A next-generation firewall at your network perimeter, actively managed and monitored, with rules reviewed regularly. If your current device was provided by your ISP and has never been reconfigured, it is not sufficient.
Backup. Third-party cloud-to-cloud backup for your productivity suite, plus centralised device backup. At least one copy stored in an immutable or isolated environment, with quarterly restore tests built into your maintenance calendar.
MDR or managed monitoring. Endpoint protection with a managed response capability so that alerts are acted on rather than sitting in a dashboard nobody checks.
Security awareness training platform. Automated phishing simulations and short training modules, with reporting so you can identify which team members need additional support.
Practical steps to reduce your hacking risk
Beyond the technology stack, there are process-level steps that significantly reduce your exposure. These cost little but require consistent implementation.
Patch everything quickly. Most successful attacks exploit known vulnerabilities, not zero-days. A patching cadence of 14 days or less for critical and high-severity patches closes the majority of that exposure. Automate where you can; track what cannot be automated.
Audit accounts regularly. Former employees, temporary contractors, and test accounts accumulate over time. Run a quarterly review of all accounts across every system and remove anything that is no longer needed.
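The quarterly account review described here, together with the identity requirements earlier on this page (MFA on every account, admin accounts separate from day-to-day accounts, a leavers process), can be turned into a repeatable check over an export of your user directory. The script below is an added example written for this guide, not the guide's own tooling or a Microsoft 365 or Google Workspace feature: the CSV columns and the sample rows are constructed, and the "admin account with a mailbox" test is a heuristic for an admin account being used for day-to-day work.

```python
"""Flag accounts that fail the identity and audit checklist (added example;
CSV layout and sample rows are constructed)."""
import csv
import io
from datetime import date

STALE_DAYS = 90        # enabled account with no sign-in for this long
DORMANT_DAYS = 365     # disabled account untouched this long: delete it

# Constructed directory export; a real one would come from your identity platform.
SAMPLE_EXPORT = """user,enabled,is_admin,mfa_enrolled,has_mailbox,last_sign_in,status
alice@example.co.uk,yes,no,yes,yes,2026-01-12,active
admin-alice@example.co.uk,yes,yes,yes,no,2026-01-10,active
bob@example.co.uk,yes,no,no,yes,2025-09-02,left
svc-scanner@example.co.uk,yes,no,no,no,2025-06-30,active
carol@example.co.uk,yes,yes,yes,yes,2026-01-14,active
test-user@example.co.uk,no,no,no,no,2024-03-01,active
"""


def _flag(value: str) -> bool:
    return value.strip().lower() == "yes"


def audit_accounts(export_csv: str, today: date) -> dict[str, list[str]]:
    """Return {user: [findings]} for every account that needs attention."""
    results: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"]
        enabled = _flag(row["enabled"])
        idle_days = (today - date.fromisoformat(row["last_sign_in"])).days
        findings = []
        if not enabled:
            if idle_days > DORMANT_DAYS:
                findings.append("disabled and dormant: remove the account")
        else:
            if row["status"].strip().lower() == "left":
                findings.append("leaver still has an enabled account")
            if not _flag(row["mfa_enrolled"]):
                findings.append("MFA not enrolled")
            if idle_days > STALE_DAYS:
                findings.append(f"no sign-in for {idle_days} days")
            if _flag(row["is_admin"]) and _flag(row["has_mailbox"]):
                findings.append("admin rights on a day-to-day (mailbox) account; "
                                "use a separate admin account")
        if findings:
            results[user] = findings
    return results


def sample_audit(today: date = date(2026, 1, 15)) -> dict[str, list[str]]:
    return audit_accounts(SAMPLE_EXPORT, today)


if __name__ == "__main__":
    for user, findings in sample_audit().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Service accounts such as the scanner in the sample are where MFA gaps usually hide; they still need to be reviewed each quarter, and where MFA genuinely cannot apply the compensating control (restricted sign-in location, minimal permissions) should be recorded against the account.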
Separate your Wi-Fi networks. Guest devices and personal phones should be on a separate network segment from your business systems. A visitor connected to your guest Wi-Fi should have no path to your internal systems or data.
Review your cyber insurance. Many cyber insurance policies have minimum technical requirements. If your controls do not meet those requirements, a claim may be declined. Review your policy and confirm your security posture matches what you have declared.
Test your incident response plan. Run a tabletop exercise at least once a year. Walk through a realistic scenario, such as a ransomware infection or a compromised email account, and identify the gaps in your plan before an attacker does.
Cybersecurity checklist at a glance
Use this as a quick assessment of where your business stands today.
Email security
- [ ] Anti-phishing and anti-spam filtering is active on all mailboxes
- [ ] DMARC, DKIM, and SPF are configured correctly for your domain
- [ ] Attachment sandboxing is in place
- [ ] Users know how to report suspicious emails
Endpoint protection
- [ ] EDR or managed antivirus is deployed on every device in scope
- [ ] Device management (MDM) covers all laptops and mobile devices
- [ ] Endpoint protection is centrally monitored and reporting
- [ ] Local admin rights have been removed from standard user accounts
Network security
- [ ] A next-generation firewall is in place at the network perimeter
- [ ] DNS filtering is active for all devices, including remote workers
- [ ] Guest Wi-Fi is on a separate network segment
- [ ] Remote access uses VPN rather than exposed ports
Identity and access
- [ ] MFA is enforced on every cloud service and business account
- [ ] Admin accounts are separate from day-to-day accounts
- [ ] A joiners, movers, and leavers process exists and is followed
- [ ] Conditional access policies are configured
Security awareness
- [ ] Regular security awareness training is in place for all staff
- [ ] Simulated phishing tests run at least quarterly
- [ ] Staff know who to contact if they suspect an incident
Backup and recovery
- [ ] Microsoft 365 or Google Workspace data is backed up by a third-party tool
- [ ] Endpoint data is backed up centrally and monitored
- [ ] At least one backup copy is immutable or isolated from your main environment
- [ ] Restore tests are completed at least quarterly
Monitoring and response
- [ ] Security logs are collected and reviewed
- [ ] An incident response plan exists in writing
- [ ] ICO reporting obligations are understood and documented
- [ ] Cyber insurance is in place and policy terms are understood
Getting the basics right matters more than the cutting edge
The most sophisticated threat actors are not the ones most small businesses face. The majority of attacks targeting 20-person companies are opportunistic: automated scanning for exposed services, credential stuffing against known usernames, and phishing at scale. These attacks succeed because the basics are not in place, not because the attacker is particularly skilled.
The controls above are not complex or expensive when implemented as part of a managed IT service. They are, however, almost impossible to maintain consistently when treated as a series of one-off projects.
If you want to understand how your current security posture compares to what we have outlined here, or you are looking for a provider who can manage it for you, explore our cybersecurity services or get in touch. We can also help you work towards Cyber Essentials or Cyber Essentials Plus certification, the UK government's baseline standard for small business cybersecurity and an increasingly common requirement for contracts with public sector and enterprise clients.