
Cyber Security FAQ — 2025 & 2026.

Plain English answers to the questions UK SMEs and regulated industries ask most. No jargon, no vendor pitch — just practical guidance.

Getting Started

At minimum, Cyber Essentials. It is a government-backed baseline that covers five controls: firewalls, secure configuration, user access control, malware protection, and patch management.

If you handle sensitive client data — legal files, patient records, financial data — Cyber Essentials Plus is the next step. It adds an independent technical audit to verify your controls actually work, not just that you ticked a box.

For regulated firms, CE+ is increasingly a client expectation and a prerequisite for certain contracts and insurance policies.

As a rule of thumb, 5–10% of your total IT spend is a sensible starting point. For a 50-person firm with modest IT infrastructure, that typically translates to £8,000–£20,000 annually for foundational security.

That budget should cover: endpoint protection, email security, backups, vulnerability scanning, and either in-house oversight or a managed security partner. Penetration testing and compliance work are additional, often project-based costs.

The cost of a single ransomware incident — downtime, recovery, potential ICO fine, reputational damage — far exceeds proactive investment. Most SMEs that experience a significant breach spend 3–5x their annual security budget on recovery.

For organisations under 100 users, a full-time security hire is rarely cost-effective. The challenge is that generalist IT staff are stretched across infrastructure, support, and projects — security becomes the task that gets deferred.

A pragmatic middle ground is to pair your existing IT team with a Managed Security Service Provider (MSSP). The MSSP handles specialist work — threat monitoring, vulnerability management, incident response — while your internal team retains control of day-to-day operations.

This gives you access to specialist expertise and extended coverage without the overhead of building a Security Operations Centre internally.

Threats & Risks

Business email compromise (BEC) and ransomware remain the two highest-impact threats in 2025–2026. The NCSC reports that phishing is still the root cause of the majority of successful attacks on UK organisations.

The trend we are seeing in client environments is AI-enhanced phishing — emails that reference real projects, real colleagues, and real deadlines. They are significantly harder to spot than the obvious scams of previous years.

Ransomware operators have also shifted tactics. Rather than encrypting data and demanding payment, many now exfiltrate sensitive files first and threaten to publish them — a "double extortion" model that makes backups alone insufficient protection.

No — secure by default is a misconception. Microsoft 365 is secure if configured correctly, but the default settings leave significant gaps. Common misconfigurations we find in new client environments include:

  • Legacy authentication still enabled (bypasses modern MFA)
  • Anonymous sharing links turned on for all files
  • Basic authentication protocols active for older email clients
  • Audit logging not fully enabled or not being reviewed
  • Guest access policies too permissive

A Microsoft 365 security assessment is one of the highest-value, lowest-cost actions a firm can take. It typically reveals configuration issues that expose data without anyone realising.

A zero-day is a software flaw that is publicly known or actively exploited before the vendor has released a patch. They are concerning because there is no immediate fix — you cannot patch what does not yet have a patch.

For most SMEs, zero-days are not the primary risk. The majority of breaches exploit known vulnerabilities for which patches have been available for months — sometimes years. The NCSC consistently reports that unpatched systems are a far more common cause of compromise than zero-days.

That said, when a high-profile zero-day emerges (for example, a critical Windows or VPN vulnerability), your response matters. Having a vulnerability management process that can rapidly assess exposure and deploy compensating controls is the practical defence.

Most compromises go undetected for months. The average dwell time — the period between initial compromise and detection — is over 200 days for organisations without active monitoring.

Warning signs that often indicate a compromise include: unusual outbound network traffic, unexpected software installations, disabled antivirus, password changes you did not authorise, or unusual logins from unfamiliar locations or devices.

The only reliable way to detect compromise early is continuous monitoring — either through a Security Operations Centre (SOC) or a managed detection and response (MDR) service. Waiting for something to "go wrong" means the attacker has already had months to move through your environment.
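To show what "unusual logins from unfamiliar locations or devices" looks like as a concrete detection rule, here is an added Python example (not code from this page or from any vendor). It builds a per-user baseline of countries and devices from earlier successful sign-ins and flags later sign-ins that fall outside it; the log lines, date cut-off and field layout are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sign-in log: timestamp,user,country,device_id,result
SIGNIN_LOG = """\
2026-01-05T08:02:11Z,alice,GB,LAPTOP-A1,success
2026-01-06T08:10:43Z,alice,GB,LAPTOP-A1,success
2026-01-07T17:55:02Z,alice,GB,PHONE-A1,success
2026-01-08T09:00:27Z,bob,GB,LAPTOP-B1,success
2026-02-02T03:14:09Z,alice,RU,UNKNOWN-7F,success
2026-02-02T09:21:50Z,bob,GB,LAPTOP-B1,success
2026-02-03T11:05:33Z,bob,GB,TABLET-B2,failure
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, country, device, result = line.split(",")
        rows.append({"ts": ts, "user": user, "country": country,
                     "device": device, "result": result})
    return rows

def build_baseline(rows, before):
    """Countries and devices seen in successful sign-ins before the cut-off.
    ISO-8601 timestamps compare correctly as strings."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for r in rows:
        if r["ts"] < before and r["result"] == "success":
            base[r["user"]]["countries"].add(r["country"])
            base[r["user"]]["devices"].add(r["device"])
    return base

def unusual_logins(rows, baseline, since):
    """Successful sign-ins on/after `since` that do not match the baseline."""
    alerts = []
    for r in rows:
        if r["ts"] < since or r["result"] != "success":
            continue
        b = baseline.get(r["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if r["country"] not in b["countries"]:
                reasons.append(f"new country {r['country']}")
            if r["device"] not in b["devices"]:
                reasons.append(f"new device {r['device']}")
        if reasons:
            alerts.append((r["ts"], r["user"], ", ".join(reasons)))
    return alerts
```

A real deployment would read the identity provider's sign-in export instead of the embedded string and feed the alerts into whatever your SOC or MDR service monitors.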

Compliance & Standards

Cyber Essentials is a self-assessment. You complete a questionnaire about your security controls, and an accredited body reviews your answers. It demonstrates intent and covers the fundamental technical controls.

Cyber Essentials Plus adds an independent technical audit. An assessor runs vulnerability scans, reviews your configurations, and verifies that your controls actually function as claimed. It is the standard most regulated firms and government suppliers are now expected to hold.

Both certifications are valid for 12 months and must be renewed annually. For firms handling client data, Plus is the sensible baseline. Self-assessment alone is increasingly viewed as insufficient by insurers and large clients.

ISO 27001 is an internationally recognised information security management standard. It is not mandatory for most UK firms, but it has become a commercial differentiator and is sometimes required by enterprise clients or tenders.

For SMEs, the decision usually comes down to: are you losing contracts because you cannot demonstrate formal security management? If yes, ISO 27001 is worth the investment. If not, Cyber Essentials Plus combined with a strong set of internal policies may be sufficient.

The certification journey typically takes 6–12 months and requires ongoing internal audits and management review. It is a management system, not a one-off project. Many SMEs work with a consultant or partner to build the framework without hiring a full-time compliance manager.

Under UK GDPR and the Data Protection Act 2018, you must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms.

The 72-hour clock starts when you have a "reasonable degree of certainty" that a breach has occurred — not when you have finished investigating. Delaying notification to gather more detail is a common mistake that the ICO penalises.

You must also notify affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms. Having an incident response plan that includes pre-drafted notification templates and a clear decision tree for assessing risk levels is essential.

The UK Cyber Governance Code of Practice, published by the Department for Science, Innovation and Technology, sets out five principles for board-level cyber governance: risk management, cyber strategy, incident planning, supply chain security, and accountability.

It is currently voluntary but strongly encouraged for medium and large organisations. The government has indicated it may become mandatory for certain sectors or organisation sizes in the coming years.

Even if not legally required, adopting the Code demonstrates to clients, insurers, and regulators that your board takes cyber risk seriously. It is a useful framework for boards that lack security expertise and need a structured way to discharge their governance responsibilities.

Identity & Access

MFA is one of the most effective controls available, but it is not invincible. Attackers have adapted to target MFA itself — through MFA fatigue (bombarding a user with approval prompts until they click "yes"), SIM swap attacks, and phishing kits that proxy real-time login sessions.

In 2025–2026, the best practice is to use phishing-resistant MFA where possible — FIDO2 security keys or passkeys, rather than SMS or app-based one-time codes. Microsoft, Google, and Apple all now support passkeys, and they are significantly harder to phish.

MFA should also be paired with conditional access policies that restrict logins by location, device compliance, and risk score. A login from an unknown device in an unusual geography should require additional verification or be blocked entirely.

The NCSC and NIST now recommend password policies focused on length over complexity. A memorable passphrase of 16+ characters — for example, "correct-horse-battery-staple" — is more secure and more usable than an 8-character password with symbols that users write on Post-it notes.

Key practical rules for 2026:

  • Minimum 16 characters for user accounts, longer for privileged accounts
  • No forced periodic resets — only change after suspected compromise
  • Block known compromised passwords using a breached-password database
  • Use a business password manager for all accounts
  • Never reuse passwords across work and personal accounts

Passwords alone are insufficient. Every account should have MFA. Passwords are what you know; MFA is what you have. Together they provide meaningful protection.
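The rules above, as an added Python example rather than code from this page: a policy check that enforces length only (no complexity or expiry rules) and rejects passwords found in breached-password data. The breached set here is a constructed offline stand-in arranged the way a k-anonymity range lookup works, and the 24-character minimum for privileged accounts is an assumed figure.

```python
import hashlib

# Constructed stand-in for a breached-password data set, arranged the way a
# k-anonymity range lookup works: key = first 5 hex chars of the SHA-1,
# value = set of the remaining 35 chars. No external service is contacted.
def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

_CONSTRUCTED_BREACHED = ["Password123!", "Summer2025!", "Welcome1"]
BREACHED_RANGES = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = _sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])

def is_breached(password):
    """Only the 5-char prefix would ever leave the client; the suffix is
    compared locally against the returned range."""
    h = _sha1_hex(password)
    return h[5:] in BREACHED_RANGES.get(h[:5], set())

def check_password(password, privileged=False):
    """Return a list of policy failures; an empty list means acceptable.
    Length and breach status only: no complexity rules, no periodic expiry.
    16 is the page's minimum; 24 for privileged accounts is assumed."""
    min_len = 24 if privileged else 16
    findings = []
    if len(password) < min_len:
        findings.append(f"too short: {len(password)} < {min_len}")
    if is_breached(password):
        findings.append("appears in breached-password data")
    return findings
```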

Yes — this is one of the most common and most damaging access control failures we encounter. Offboarding is often rushed, incomplete, or handled by someone who does not know all the systems the employee had access to.

A robust offboarding process should include: disabling the user in your identity provider (which cuts access to SSO-enabled applications), revoking standalone application access, removing VPN and remote access, reclaiming hardware, and transferring or archiving data ownership.

We recommend a quarterly access review where line managers confirm that each of their team's accounts is still necessary. This catches not just former employees, but also contractors whose engagements have ended and colleagues who have moved to roles that no longer need certain privileges.
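To make the quarterly review concrete, here is an added Python example (not this page's or any provider's code) that reconciles an identity-provider account export against HR and contractor records. It flags leavers still enabled, contractors past their end date, accounts with no owner, and group memberships that do not fit the person's current role; the roster, the role-to-group mapping and the account list are all constructed sample data.

```python
from datetime import date

# Constructed sample data: HR roster, contractor register and IdP export.
HR_ROSTER = {
    "alice": {"status": "active", "role": "solicitor"},
    "bob":   {"status": "left",   "role": "finance"},
    "carol": {"status": "active", "role": "solicitor"},  # moved from finance
}
CONTRACTORS = {
    "dave": {"end_date": date(2025, 12, 31)},  # engagement ended
    "erin": {"end_date": date(2026, 6, 30)},   # still engaged
}
# Groups each role is expected to hold (assumed mapping for the example)
ROLE_GROUPS = {
    "solicitor": {"staff", "case-files"},
    "finance":   {"staff", "finance-admin"},
}
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["staff"]},
    {"user": "bob",   "enabled": True, "groups": ["staff", "finance-admin"]},
    {"user": "carol", "enabled": True, "groups": ["staff", "finance-admin"]},
    {"user": "dave",  "enabled": True, "groups": ["contractors", "vpn"]},
    {"user": "erin",  "enabled": True, "groups": ["contractors"]},
    {"user": "svc-backup", "enabled": True, "groups": ["backup"]},
]

def access_review(idp_accounts, hr_roster, contractors, role_groups, today):
    """Return (user, reason) findings for enabled accounts that need a decision."""
    findings = []
    for acct in idp_accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to review
        u = acct["user"]
        if u in hr_roster:
            person = hr_roster[u]
            if person["status"] != "active":
                findings.append((u, "leaver still enabled"))
                continue
            for g in acct["groups"]:
                if g not in role_groups.get(person["role"], set()):
                    findings.append((u, f"group '{g}' not expected for role '{person['role']}'"))
        elif u in contractors:
            if contractors[u]["end_date"] < today:
                findings.append((u, "contractor engagement ended"))
        else:
            findings.append((u, "no owner in HR or contractor records"))
    return findings
```

Service accounts such as `svc-backup` surface as "no owner" on purpose: every account should have a named owner who confirms it is still needed.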

Vulnerability Management

Continuously. The idea of an "annual penetration test" as your sole security check is outdated. New vulnerabilities are disclosed daily. A scan every 12 months leaves 364 days of unknown exposure.

Best practice in 2026 is:

  • External vulnerability scanning: continuous or at least weekly
  • Internal network scanning: at least monthly
  • Cloud configuration scanning: continuous
  • Web application scanning: weekly or on every deployment
  • Penetration testing: annually or after significant infrastructure changes

The key is not just scanning — it is closing the loop. Scanning without remediation is theatre. Your vulnerability management programme must include prioritisation, assignment, tracking, and verification that fixes actually worked.

A vulnerability scan is automated. It uses tools to identify known weaknesses — missing patches, misconfigurations, default credentials — and produces a list of findings ranked by severity. It is broad, fast, and relatively inexpensive. It tells you what is broken.

A penetration test is manual and adversarial. A skilled tester attempts to exploit vulnerabilities, chain multiple weaknesses together, and demonstrate what an actual attacker could achieve. It is deeper, slower, and more expensive. It tells you what an attacker could do.

You need both. Vulnerability scanning provides continuous visibility at low cost. Penetration testing provides depth and validates your overall security posture from an attacker's perspective. Use scanning to find the gaps; use pen testing to understand the real-world impact.

CVSS scores alone are insufficient. A "critical" vulnerability on an internal test server that is not internet-facing and contains no sensitive data is lower priority than a "high" vulnerability on your public-facing VPN gateway.

Prioritisation should consider:

  • Exposure: Is the system internet-facing or internal-only?
  • Data sensitivity: Does it store or process personal, financial, or client data?
  • Exploitability: Is there public exploit code available? Is it being actively exploited in the wild?
  • Business impact: What happens if this system is compromised or goes offline?
  • Compensating controls: Is the system behind a WAF, segmented from the rest of the network, or monitored by an SOC?

Risk-based prioritisation is the core of mature vulnerability management. It ensures your limited remediation capacity is applied where it matters most, rather than chasing every "critical" alert regardless of context.
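An added Python example (not this page's own method or any scanner's scoring) that turns the five prioritisation factors above into a contextual score and compares the resulting order with a CVSS-only ranking. The three findings and the weights attached to each factor are constructed for the illustration; the weights are assumptions and should be tuned to your own environment.

```python
# Constructed scanner findings reflecting the page's own comparison:
# a "critical" on an internal test box versus a "high" on a public VPN gateway.
FINDINGS = [
    {"id": "F1", "host": "test-db-01", "cvss": 9.8, "internet_facing": False,
     "data": "none", "exploit_public": False, "in_the_wild": False,
     "business_impact": "low", "controls": {"segmented"}},
    {"id": "F2", "host": "vpn-gw-01", "cvss": 7.5, "internet_facing": True,
     "data": "client", "exploit_public": True, "in_the_wild": True,
     "business_impact": "high", "controls": set()},
    {"id": "F3", "host": "web-portal", "cvss": 8.1, "internet_facing": True,
     "data": "personal", "exploit_public": True, "in_the_wild": False,
     "business_impact": "medium", "controls": {"waf", "soc"}},
]

# Assumed weights for the example; tune to your own risk appetite.
DATA_WEIGHT = {"none": 0, "internal": 1, "personal": 2, "client": 2, "financial": 2}
IMPACT_WEIGHT = {"low": 0, "medium": 1, "high": 2}

def risk_score(f):
    """CVSS is the starting point; exposure, data, exploitability and business
    impact push the score up, each compensating control pulls it down."""
    score = f["cvss"]
    score += 3 if f["internet_facing"] else 0
    score += DATA_WEIGHT[f["data"]]
    score += 2 if f["exploit_public"] else 0
    score += 3 if f["in_the_wild"] else 0
    score += IMPACT_WEIGHT[f["business_impact"]]
    score -= 1.5 * len(f["controls"])  # mitigates, never eliminates
    return round(max(score, 0.0), 1)

def prioritise(findings):
    """Remediation order by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)

def cvss_only(findings):
    """The naive order you get from severity alone, for comparison."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)
```

With these inputs the VPN gateway finding moves from last place under CVSS alone to first place under contextual scoring, which is the point the answer above makes.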

People & Culture

The most effective security awareness programmes are brief, relevant, and frequent — not an annual 45-minute training video that everyone clicks through while checking email.

Practical approaches that work:

  • Micro-learning: 2–3 minute modules delivered monthly, tied to real threats you have seen
  • Simulated phishing with immediate, non-punitive feedback — teach, don't shame
  • Report buttons in email clients that make it easy to flag suspicious messages
  • Leadership modelling: executives who talk about security as a business enabler, not a blocker
  • Reporting outcomes: tell staff when their report helped stop an attack

Culture beats compliance. Employees who feel security is there to help them, not catch them out, are far more likely to report suspicious activity promptly — which is often the difference between a contained incident and a major breach.

Yes — you need one. An incident response plan is a documented, rehearsed process for detecting, containing, eradicating, and recovering from a security incident. It assigns roles, sets communication protocols, and defines escalation paths.

Without a plan, the first hours of a breach are chaotic. Decisions are made under pressure by people who have never faced the situation before. Critical evidence is lost. Notifications are delayed. Recovery takes longer and costs more.

A practical IR plan for an SME should cover:

  • Who makes the "go/no-go" decision to invoke the plan
  • Who contacts the ICO, insurers, and legal counsel
  • How to preserve forensic evidence without destroying it
  • Pre-approved PR and client communication templates
  • Contact details for your MSSP, IT provider, and incident response retainer (if you have one)

The plan should be tested at least annually through a tabletop exercise. Reading a plan in a crisis is not the same as having walked through it in a controlled setting.

Cyber insurance has become more complicated and more expensive in 2025–2026. Underwriters now require evidence of basic security controls — typically MFA, patching, backups, and endpoint protection — before quoting. Firms without these fundamentals may find cover unavailable or unaffordable.

Key coverage areas to look for:

  • Incident response costs: forensic investigation, legal advice, notification expenses
  • Business interruption: lost revenue during downtime
  • Ransomware / extortion: ransom payments and negotiator fees (some policies now exclude this)
  • Regulatory defence: ICO fines and legal costs
  • Third-party liability: claims from clients or partners affected by your breach

Insurance is a safety net, not a security strategy. Underwriters are increasingly declining claims where the insured organisation failed to maintain the controls they declared on application. Treat the insurance application as an audit of your actual security posture.

Still have questions?

Speak to a member of our UK security team.

Every organisation's risk profile is different. We are happy to discuss your specific circumstances and recommend proportionate controls.