Cyber attacks hit small and medium businesses more than 65% of the time. Not because SMEs are careless — but because they're assumed to have weaker defences. This checklist tells you exactly what to have in place.
1. Identity & Access
Identity is the new perimeter. Most breaches start with a compromised account, not a compromised network.
- Multi-factor authentication (MFA) on every cloud application — Microsoft 365, CRM, accounting, everything. This single control prevents the vast majority of account compromises.
- No shared passwords — every user has their own credentials for every system.
- Privileged access management — admin accounts are separate from daily-use accounts. Nobody logs into their email with domain admin credentials.
- Offboarding process — when someone leaves, all accounts are disabled within 24 hours.
2. Endpoint Security
Every device that connects to your network or your cloud apps is a potential entry point.
- Endpoint Detection & Response (EDR) on all devices — not just antivirus, but behavioural threat detection that catches zero-day attacks.
- Mobile Device Management (MDM) — enforce encryption, PIN locks and remote wipe capability on all mobile devices that access company data.
- Full disk encryption — if a laptop is lost or stolen, the data is unreadable.
- USB control — consider blocking USB mass storage devices to prevent data exfiltration.
3. Email Security
Email remains the #1 attack vector. Phishing, malware, business email compromise (BEC) — they all arrive in the inbox.
- Advanced anti-phishing — AI-powered detection that catches impersonation attempts standard filters miss.
- DMARC, DKIM and SPF configured for your domain — SPF and DKIM let receiving mail servers check that a message claiming to be from your domain was actually authorised by you, and DMARC tells them to quarantine or reject messages that fail those checks, so attackers cannot send emails that appear to come from your organisation.
- Attachment sandboxing — suspicious attachments are detonated in a safe environment before delivery.
- Link rewriting — URLs in emails are checked at the time of click, not just on delivery.
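To see what "configured" means for the SPF and DMARC part of this item, here is an added example (not from the original checklist or from Wanzo) that parses the two DNS TXT records and flags settings that only monitor rather than enforce. The records and the example.com domain are constructed; in practice you would fetch them with dig as the comments note, and DKIM is left out because it needs the sender's selector.

```python
# Constructed sample TXT records for a hypothetical domain (not real DNS data);
# in practice fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:spf.protection.outlook.com ~all",
        "google-site-verification=abc123",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def parse_spf(records):
    """Return (found, qualifier of the final 'all' mechanism or None)."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            last = rec.split()[-1].lower()
            if not last.endswith("all"):
                return True, None  # no 'all': unmatched senders get a neutral result
            # An omitted qualifier means '+' (pass), the weakest possible setting.
            return True, last[0] if last[0] in "+-~?" else "+"
    return False, None

def parse_dmarc(records):
    """Return the DMARC record's tag=value pairs as a dict, or None if absent."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            return {k.strip().lower(): v.strip()
                    for k, v in (p.split("=", 1) for p in rec.split(";") if "=" in p)}
    return None

def assess(domain, txt):
    """List weaknesses in the domain's SPF/DMARC posture; an empty list means enforcing."""
    findings = []
    spf_found, qualifier = parse_spf(txt.get(domain, []))
    if not spf_found:
        findings.append("SPF: no v=spf1 record published")
    elif qualifier != "-":
        how = f"'{qualifier}all'" if qualifier else "no 'all' mechanism"
        findings.append(f"SPF: ends with {how}; only -all hard-fails spoofed senders")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject to enforce")
    elif "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    # DKIM is not checked here: its public key sits at <selector>._domainkey.<domain>
    # and the selector is only visible in the DKIM-Signature header of a sent message.
    return findings

if __name__ == "__main__":
    print("\n".join(assess("example.com", SAMPLE_TXT)))
```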
4. Patching
Unpatched software is the most exploited vulnerability class globally.
- OS patches — Windows, macOS and Linux updates applied within 14 days of release.
- Third-party software — browsers, PDF readers, Java, Zoom — all patched on the same cadence.
- Critical patches — any patch marked "critical" or "actively exploited" applied within 72 hours.
- Firmware updates — firewalls, switches, access points — all included in your patch cycle.
5. Backup & Recovery
Backups are your last line of defence against ransomware — but only if they actually work.
- 3-2-1 rule — three copies of your data, on two different media types, with one offsite.
- Tested quarterly — a backup that's never been tested is not a backup.
- Offline copy — at least one backup that cannot be reached from the network (air-gapped or immutable storage).
- Defined RTO/RPO — a recovery time objective and a recovery point objective: you know exactly how quickly you can recover and how much data you'd lose.
6. Network Security
Your network is the foundation. If it's compromised, everything on it is compromised.
- Managed firewall — next-generation firewall with active threat intelligence, not a consumer-grade router.
- VPN or ZTNA (zero trust network access) for remote access — no direct RDP exposure to the internet. Ever.
- Network segmentation — guest Wi-Fi, IoT devices and point-of-sale (POS) systems on separate VLANs from your business network.
- DNS filtering — block known malicious domains at the network level before a user can reach them.
7. User Training
Your people are both your biggest risk and your best defence.
- Phishing simulations — quarterly simulated phishing campaigns to test and improve awareness.
- Annual security training — mandatory for all staff, covering the current threat landscape and company policies.
- Incident reporting culture — make it easy and safe for staff to report suspicious activity without fear of blame.
- Clear policies — acceptable use, password, remote working and BYOD policies documented and distributed.
8. Compliance
Compliance isn't the same as security — but it provides a useful baseline.
- Cyber Essentials at minimum — the UK government's baseline security standard. Required for many government contracts.
- GDPR data mapping — you know what personal data you hold, where it's stored, and who has access.
- Consider ISO 27001 — if you handle sensitive client data or work in regulated industries.
How does your business measure up?
If you're ticking most of these boxes, you're in good shape. If not, don't panic — but do act. Wanzo offers a free security assessment that covers all of these areas. We'll tell you where you stand and exactly what to prioritise.