Free resource

Cyber Security Checklist for UK Businesses

A practical, one-page checklist covering Microsoft 365 hardening, phishing defence, backup strategy and cyber resilience — the essentials every UK SME should have in place.

Book a free consultation

1. Identity & Access (Microsoft 365)

  • Enforce MFA for every user, including admins and service accounts.
  • Disable legacy authentication protocols (POP, IMAP, SMTP AUTH where unused).
  • Use Conditional Access to block sign-ins from unexpected countries.
  • Review Global Admins quarterly — aim for two, no more than four.
  • Enable Self-Service Password Reset with strong verification.

2. Email & Phishing Defence

  • Turn on Safe Links and Safe Attachments (Defender for Office 365).
  • Publish SPF, DKIM and DMARC records — DMARC set to at least quarantine.
  • Enable external sender warnings in Outlook.
  • Run a phishing simulation and short training every quarter.
  • Block auto-forwarding to external domains by default.

3. Device & Endpoint Security

  • Full-disk encryption enabled on every laptop (BitLocker / FileVault).
  • OS and browser updates applied within 14 days of release.
  • Endpoint protection (Defender, or equivalent) active and reporting.
  • Screen lock after ≤10 minutes; strong device passcodes.
  • Mobile devices enrolled in Intune (or MDM equivalent).

4. Data, Backup & Recovery

  • Independent third-party backup for Microsoft 365 (mail, OneDrive, SharePoint, Teams).
  • Backups tested with a real restore at least twice a year.
  • Retention meets your regulatory and contractual requirements.
  • Critical shared drives have version history enabled.
  • A written incident response and recovery plan exists.

5. Governance & Resilience

  • Named owner for cyber security (internal or outsourced).
  • Cyber insurance in place and renewed annually.
  • Cyber Essentials certification current (or a plan to achieve it).
  • Vendor access reviewed quarterly — remove ex-suppliers.
  • Leavers offboarded within one business day (accounts disabled, tokens revoked).
© AlwaysOnIT — AI-run IT support for SMEs. Prepared for information only; not a substitute for a full security assessment.