Free resource
Cyber Security Checklist for UK Businesses
A practical, one-page checklist covering Microsoft 365 hardening, phishing defence, backup strategy and cyber resilience — the essentials every UK SME should have in place.
1. Identity & Access (Microsoft 365)
- Enforce MFA for every user, including admins and service accounts.
- Disable legacy authentication protocols (POP, IMAP, SMTP AUTH where unused).
- Use Conditional Access to block sign-ins from unexpected countries.
- Review Global Admins quarterly — aim for two, no more than four.
- Enable Self-Service Password Reset with strong verification.
2. Email & Phishing Defence
- Turn on Safe Links and Safe Attachments (Defender for Office 365).
- Publish SPF, DKIM and DMARC records — DMARC set to at least quarantine.
- Enable external sender warnings in Outlook.
- Run a phishing simulation and short training every quarter.
- Block auto-forwarding to external domains by default.
3. Device & Endpoint Security
- Full-disk encryption enabled on every laptop (BitLocker / FileVault).
- OS and browser updates applied within 14 days of release.
- Endpoint protection (Defender, or equivalent) active and reporting.
- Screen lock after ≤10 minutes; strong device passcodes.
- Mobile devices enrolled in Intune (or MDM equivalent).
4. Data, Backup & Recovery
- Independent third-party backup for Microsoft 365 (mail, OneDrive, SharePoint, Teams).
- Backups tested with a real restore at least twice a year.
- Retention meets your regulatory and contractual requirements.
- Critical shared drives have version history enabled.
- A written incident response and recovery plan exists.
5. Governance & Resilience
- Named owner for cyber security (internal or outsourced).
- Cyber insurance in place and renewed annually.
- Cyber Essentials certification current (or a plan to achieve it).
- Vendor access reviewed quarterly — remove ex-suppliers.
- Leavers offboarded within one business day (accounts disabled, tokens revoked).