Cyber Security Checklist for Hertfordshire SMEs


Practical cyber security checklist for Hertfordshire SMEs. MFA, patching, backups, phishing training, and Cyber Essentials.


Cyber security does not have to be overwhelmingly complex or expensive. For most Hertfordshire SMEs, the biggest security gains come from implementing a relatively small number of well-understood controls consistently. This checklist covers the essentials every Watford and Hertfordshire business should have in place by the end of the year.

Why Cyber Security Matters for Hertfordshire SMEs

The assumption that attackers only target large organisations is one of the most dangerous misconceptions in business security. Small and medium-sized businesses are now primary targets for many cyber attack campaigns. The reasoning is simple: SMEs hold valuable data, process payments, and often have weaker defences than larger organisations with dedicated security teams.

Half of UK businesses reported a cyber security breach or attack in the previous 12 months (Cyber Security Breaches Survey, 2024). The average cost of a breach for a small business, including downtime, recovery, regulatory notification, and reputational damage, now exceeds £10,000. For businesses handling personal data under UK GDPR, enforcement action from the ICO adds further financial and reputational risk.

The positive news is that most successful attacks exploit basic, preventable weaknesses. The controls in this checklist, implemented properly, would prevent the large majority of attacks targeting Hertfordshire businesses today.

The Cyber Security Checklist for Hertfordshire SMEs

1. Enable Multi-Factor Authentication on All Accounts

Multi-factor authentication (MFA) adds a second verification step to logins. Even when an attacker has a valid password, they cannot sign in without also controlling your phone, authentication app, or security key. MFA should be enabled on Microsoft 365 and email, banking and financial platforms, invoicing and payroll systems, VPN and remote access tools, and your domain registrar and website hosting. Prefer an authenticator app or hardware security key over SMS codes, which can be intercepted through SIM swapping, and in Microsoft 365 also disable legacy authentication protocols, which do not enforce MFA at all. Microsoft reports that MFA blocks over 99.9 percent of automated account compromise attempts (Microsoft, 2023).

2. Keep Software and Operating Systems Updated

Unpatched software is the most common entry point for ransomware. When a vulnerability is discovered in Windows or widely used software, attackers move to exploit it within days. Confirm that Windows updates apply promptly on all devices, third-party software such as browsers, PDF readers, and remote access tools is updated regularly, and any on-premise servers are maintained. Cyber Essentials sets a useful benchmark: fixes for high and critical vulnerabilities should be applied within 14 days of release. If keeping up with patches is a challenge, this is one of the core benefits of managed IT support: it is handled automatically.

3. Use a Password Manager

Password reuse is common in almost every organisation, and it means that when one account is compromised, every other account using the same password is at risk. Every business account should have a unique, strong password. A password manager such as Bitwarden, 1Password, or Microsoft's built-in password manager generates and stores strong passwords so your team needs to remember only one master credential. Protect that master credential with MFA, since it unlocks everything else.

4. Back Up Your Data and Test Your Restores

If ransomware encrypts your files and you have a clean, tested backup, you can recover without paying. If you do not, you face paying criminals or losing your data permanently. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite or in the cloud. Keep at least one copy offline or immutable, because ransomware routinely looks for connected backup drives and cloud sync folders and encrypts those too. Test your restores regularly: many businesses discover their backups are broken only when they need them most.
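A restore test is only meaningful if it proves that what comes back matches what went in. The following PowerShell script is an added example, not code from the original page or from IT Support Watford: it backs up a folder into a zip archive, records a SHA-256 manifest of every source file, then restores the archive into a throwaway folder and checks each file against the manifest. The paths are assumptions; point them at your own data and backup location, and copy the archive offsite as well to satisfy the 3-2-1 rule.

```powershell
# Added example (not from the original page). Build a backup with a hash manifest, then
# prove it restores by extracting to a scratch folder and comparing every file's SHA-256.
# $Source and $BackupRoot are assumptions; replace them with your own locations.
$Source     = 'C:\CompanyData'
$BackupRoot = 'D:\Backups'   # second media type; copy the archive offsite too (3-2-1 rule)
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$Archive    = Join-Path $BackupRoot "companydata-$Stamp.zip"
$Manifest   = Join-Path $BackupRoot "companydata-$Stamp.sha256.csv"

function New-VerifiedBackup {
    # Hash every source file first, so the manifest describes what we intended to back up.
    Get-ChildItem -Path $Source -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($Source.Length).TrimStart('\')
                Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $Manifest -NoTypeInformation

    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $Archive -CompressionLevel Optimal
}

function Test-BackupRestore {
    param([string]$ArchivePath, [string]$ManifestPath)

    # Restore into a throwaway folder, never over the live data.
    $Scratch = Join-Path ([IO.Path]::GetTempPath()) ('restore-test-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $Scratch | Out-Null
    try {
        Expand-Archive -Path $ArchivePath -DestinationPath $Scratch -Force
        $Failures = @()
        foreach ($Entry in Import-Csv -Path $ManifestPath) {
            $Restored = Join-Path $Scratch $Entry.RelativePath
            if (-not (Test-Path $Restored)) {
                $Failures += "MISSING  $($Entry.RelativePath)"
                continue
            }
            $Actual = (Get-FileHash -Path $Restored -Algorithm SHA256).Hash
            if ($Actual -ne $Entry.Hash) {
                $Failures += "MODIFIED $($Entry.RelativePath)"
            }
        }
        # The comma keeps an empty array from collapsing to $null on return.
        return ,$Failures
    }
    finally {
        Remove-Item -Path $Scratch -Recurse -Force
    }
}

New-VerifiedBackup
$Problems = Test-BackupRestore -ArchivePath $Archive -ManifestPath $Manifest
if ($Problems.Count -eq 0) {
    "Restore test PASSED: every file in the manifest came back intact."
} else {
    "Restore test FAILED: $($Problems.Count) problem(s)"
    $Problems
    exit 1
}
```

Run it on a schedule and treat a non-zero exit code as an incident, not a warning. The same Test-BackupRestore function can be pointed at an older archive and its manifest to confirm that last month's copy, not just today's, still restores.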

5. Train Your Team on Phishing

Phishing emails, messages impersonating trusted contacts or organisations, start the majority of cyber incidents. No technical control eliminates phishing entirely, which is why staff training is essential. Key topics include how to identify suspicious emails, what to do if you click something suspicious, and how to verify unexpected payment or bank-detail changes by calling the requester on a number you already hold, never one taken from the email itself. Regular phishing simulations are one of the most effective training tools available.

6. Secure Your Network and Wi-Fi

Your office network is the environment within which all your devices operate. A poorly secured network allows attackers to intercept traffic or spread malware between machines. Essentials include a business-grade firewall with its default administrator password changed, separate guest Wi-Fi networks so visitors cannot access internal systems, WPA2 or WPA3 Wi-Fi with a strong passphrase that is changed whenever staff leave, and MFA on any VPN or remote access solution.

7. Limit Access to Sensitive Data

Not everyone needs access to everything. Limiting permissions, known as the principle of least privilege, reduces the damage from both accidental and deliberate misuse. Review accounts and permissions regularly: disable departed employees' accounts immediately, confirm admin-level access is held only by those who genuinely need it, give those people a separate admin account that is not used for email or browsing, and audit who can access financial systems and customer data.
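Items 1 and 7 above both come down to the same question: who in your Microsoft 365 tenant can sign in, with what protection, and with what rights? The PowerShell script below is an added example, not code from the original page or from IT Support Watford. It uses the Microsoft Graph PowerShell SDK to list users who have not registered MFA (flagging admins separately), the members of every active directory role, and enabled accounts that have not signed in recently, which is where forgotten leavers show up. The 90-day threshold is an assumption; the sign-in activity fields require an Entra ID P1 licence, and the whole thing needs a read-only admin role such as Global Reader.

```powershell
# Added example (not from the original page). Audit a Microsoft 365 tenant for the two
# checklist items above: accounts without MFA, and who holds admin roles or has gone quiet.
# Requires the Microsoft.Graph PowerShell SDK and a reader-level admin role.
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All'

$StaleAfterDays = 90   # assumption: tune to your joiner/leaver process

# 1. MFA registration, from the authentication methods registration report.
$Registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$NoMfa = @($Registration | Where-Object { -not $_.IsMfaRegistered })
"Users with no MFA registered: $($NoMfa.Count)"
$NoMfa | Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod | Format-Table -AutoSize

# Admins without MFA are the emergency: one phished password gives up the whole tenant.
$AdminsNoMfa = @($NoMfa | Where-Object { $_.IsAdmin })
if ($AdminsNoMfa.Count -gt 0) {
    "ADMIN accounts without MFA (fix these today):"
    $AdminsNoMfa | ForEach-Object { "    " + $_.UserPrincipalName }
}

# 7. Least privilege: every activated directory role and its members.
"Directory role membership:"
foreach ($Role in Get-MgDirectoryRole -All) {
    $Members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All)
    if ($Members.Count -gt 0) {
        "  $($Role.DisplayName) ($($Members.Count))"
        $Members | ForEach-Object { "      " + $_.AdditionalProperties['userPrincipalName'] }
    }
}

# Possible leavers: enabled accounts with no sign-in for $StaleAfterDays days (or ever).
$Cutoff = (Get-Date).AddDays(-$StaleAfterDays)
"Enabled accounts with no sign-in since $($Cutoff.ToShortDateString()):"
Get-MgUser -All -Property UserPrincipalName, AccountEnabled, SignInActivity |
    Where-Object {
        $_.AccountEnabled -and (
            $null -eq $_.SignInActivity.LastSignInDateTime -or
            $_.SignInActivity.LastSignInDateTime -lt $Cutoff
        )
    } |
    Select-Object UserPrincipalName, @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Format-Table -AutoSize
```

Read the three lists together. A name that appears under Global Administrator, has no MFA registered, and has not signed in for months is exactly the account an attacker hopes to find; disable it, or at minimum remove the role and enforce MFA, before anything else on the checklist.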

8. Write an Incident Response Plan

When a cyber incident occurs, having a documented plan dramatically reduces the damage. Your plan should cover who to call immediately (your IT provider, your solicitor, potentially your insurer), how to isolate affected systems, what to communicate to clients and staff, and how to document the incident. UK GDPR requires businesses to report a personal data breach that is likely to put individuals at risk to the ICO within 72 hours of becoming aware of it; without a plan, that deadline is very difficult to meet.

9. Consider Cyber Essentials Certification

Cyber Essentials is the UK government-backed certification scheme that confirms a business has the basic controls needed to defend against common attacks. It covers five areas, which map closely to this checklist: firewalls, secure configuration, user access control, malware protection, and security update management. Certification demonstrates to clients, insurers, and procurement teams that security is taken seriously. Many public sector contracts now require it, and an increasing number of larger private sector organisations ask for it from their supply chain. Cyber Essentials Plus adds an independent technical test of the same controls.

10. Work With a Trusted IT Partner

Cyber security is an ongoing programme, not a one-time project. Working with a managed IT provider like IT Support Watford means your controls are continuously monitored, updated, and adapted as threats evolve. We help Hertfordshire businesses implement these controls, achieve Cyber Essentials certification, and build a security posture that genuinely protects their operations. Contact us today for a free cyber security assessment.
