Most businesses that experience a serious cyber incident did not lack sophisticated security tools. They lacked the basics. Unpatched systems, weak credentials, no working backups, and unrestricted access are responsible for the majority of successful attacks. Getting the fundamentals right is not a starting point before the real security work begins. It is the real security work for most organisations.

This guide covers the controls that form a credible cybersecurity baseline for a small or mid-size business. None of them require specialised hardware or large budgets. All of them materially reduce the likelihood and impact of a security incident.

Why baseline security is where most incidents start

Attackers follow the path of least resistance. For SMEs, that path is almost always through controls that were never implemented, not through controls that were defeated. Phishing succeeds because MFA was not in place. Ransomware spreads because systems were unpatched. Data is exfiltrated because access controls were too broad. Recovery fails because backups were never tested.

The Verizon Data Breach Investigations Report has consistently found that the overwhelming majority of successful attacks exploit known vulnerabilities, stolen credentials, or phishing rather than advanced techniques. This means the most effective investment for most organisations is not sophisticated detection tooling. It is making sure the basics are in place and maintained.

The baseline controls

Multi-factor authentication

MFA is the single highest-value control for most businesses. It means that a stolen password alone is not sufficient to access an account. Enable it on email, remote access, cloud services, and any system accessible from outside the network. Authenticator apps are significantly more secure than SMS-based codes. MFA should be mandatory, not optional, for any account with access to sensitive data or administrative functions.

Patch management

Operating systems, applications, and firmware should be patched on a defined cycle. Critical security patches, particularly for internet-facing systems, should be applied within 72 hours of release. Most ransomware campaigns exploit vulnerabilities for which patches have been available for months. A documented patch management process, even a simple one, closes the gap between a patch being available and being applied.
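A simple way to make the 72-hour rule measurable is to record, per system, when a critical patch was released and when it was applied, then report anything outside the window. The script below is an added example, not the article's own tooling; the inventory is constructed sample data with placeholder hostnames, and the 30-day window for everything that is not critical-and-internet-facing is an assumption, not a figure from the article.

```python
"""Patch-window check over a constructed inventory (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hostnames and dates are placeholders. Each entry
# records the release time of a critical/high patch and when it was applied.
INVENTORY = [
    {"host": "mail-01", "internet_facing": True,  "severity": "critical",
     "released": "2024-05-01T10:00:00Z", "applied": "2024-05-02T09:00:00Z"},
    {"host": "vpn-01",  "internet_facing": True,  "severity": "critical",
     "released": "2024-05-01T10:00:00Z", "applied": None},
    {"host": "file-01", "internet_facing": False, "severity": "critical",
     "released": "2024-04-01T10:00:00Z", "applied": "2024-04-20T10:00:00Z"},
    {"host": "hr-app",  "internet_facing": True,  "severity": "high",
     "released": "2024-04-25T10:00:00Z", "applied": None},
]

# Policy: critical patches on internet-facing systems within 72 hours (from the
# article); everything else on a 30-day cycle (an assumption for this example).
CRITICAL_EXTERNAL_WINDOW = timedelta(hours=72)
DEFAULT_WINDOW = timedelta(days=30)

# Point in time the report is run against (constructed).
AS_OF = datetime(2024, 5, 10, 10, 0, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_for(item):
    """Pick the patch window that applies to one inventory entry."""
    if item["internet_facing"] and item["severity"] == "critical":
        return CRITICAL_EXTERNAL_WINDOW
    return DEFAULT_WINDOW


def evaluate(inventory, now):
    """Return (host, status, overrun) tuples.

    status: 'ok'      applied inside the window
            'late'    applied, but after the deadline (overrun = how late)
            'overdue' still unapplied and past the deadline (overrun = how far past)
            'pending' unapplied, deadline not yet reached
    """
    results = []
    for item in inventory:
        deadline = _parse(item["released"]) + window_for(item)
        if item["applied"] is None:
            if now > deadline:
                results.append((item["host"], "overdue", now - deadline))
            else:
                results.append((item["host"], "pending", timedelta(0)))
        else:
            applied = _parse(item["applied"])
            if applied > deadline:
                results.append((item["host"], "late", applied - deadline))
            else:
                results.append((item["host"], "ok", timedelta(0)))
    return results


def overdue_hosts(inventory, now):
    """Hosts that currently breach the policy, sorted for the report."""
    return sorted(h for h, s, _ in evaluate(inventory, now) if s == "overdue")


if __name__ == "__main__":
    for host, status, overrun in evaluate(INVENTORY, AS_OF):
        print(f"{host:8} {status:8} {overrun}")
    print("breaching policy:", overdue_hosts(INVENTORY, AS_OF))
```

Run against the sample data, `vpn-01` is the only breach: a critical patch for an internet-facing host, six days past its 72-hour deadline and still unapplied. The `late` status matters for the quarterly review too, since a patch that was eventually applied but outside the window still shows the process is not working.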

Endpoint protection

Every device that accesses business systems should have modern endpoint protection in place. This means more than legacy antivirus. Current endpoint detection and response tools identify and contain threats that signature-based tools miss. Ensure coverage extends to laptops used remotely, not just devices on the office network. Unmanaged personal devices accessing company email or files represent a significant and often overlooked exposure.

Access control and least privilege

Users should only have access to the systems and data their role requires. Administrator accounts should not be used for day-to-day work. Privileged access should be audited regularly and revoked when no longer needed. Stale accounts from former employees, contractors, or test accounts are a common entry point. A quarterly review of who has access to what takes less time than the incident it prevents.
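The quarterly "who has access to what" review described above can be run mechanically over a directory or identity-provider export. The script below is an added example, not the article's own process; the export format, the usernames and the 90-day staleness threshold are all assumptions, and the data is constructed. It flags leavers whose accounts are still enabled, accounts that have never logged in or not logged in for 90 days, and puts unused accounts that also hold admin rights at the top of the revocation list.

```python
"""Quarterly access review over a constructed account export (added example)."""
from datetime import date, timedelta

# Constructed sample export: usernames, dates and the column layout are placeholders.
ACCOUNTS = [
    {"user": "alice",    "enabled": True,  "admin": False, "last_login": "2024-05-08", "status": "active"},
    {"user": "bob",      "enabled": True,  "admin": True,  "last_login": "2024-05-09", "status": "active"},
    {"user": "carol",    "enabled": True,  "admin": False, "last_login": "2024-01-03", "status": "left"},
    {"user": "svc-test", "enabled": True,  "admin": True,  "last_login": None,         "status": "n/a"},
    {"user": "dave",     "enabled": True,  "admin": True,  "last_login": "2023-11-01", "status": "active"},
    {"user": "erin",     "enabled": False, "admin": False, "last_login": "2023-06-01", "status": "left"},
]

# Review thresholds (assumptions): no login for 90 days counts as stale.
STALE_AFTER = timedelta(days=90)
# Date the review is run on (constructed).
REVIEW_DATE = date(2024, 5, 10)


def review(accounts, today):
    """Return {username: [issue, ...]} for every enabled account that needs action."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing further to revoke
        issues = []
        if acct["status"] == "left":
            issues.append("leaver-still-enabled")
        last = acct["last_login"]
        if last is None:
            issues.append("never-logged-in")
        elif today - date.fromisoformat(last) > STALE_AFTER:
            issues.append("stale")
        # An unused account that also holds admin rights is the highest-value target
        # for an attacker and the highest-priority revocation for the reviewer.
        if acct["admin"] and ("stale" in issues or "never-logged-in" in issues):
            issues.append("privileged-and-unused")
        if issues:
            findings[acct["user"]] = issues
    return findings


def revoke_first(findings):
    """Order flagged users: leavers, then unused admins, then the rest."""
    priority = {"leaver-still-enabled": 0, "privileged-and-unused": 1,
                "never-logged-in": 2, "stale": 3}
    return sorted(findings, key=lambda u: min(priority[i] for i in findings[u]))


if __name__ == "__main__":
    found = review(ACCOUNTS, REVIEW_DATE)
    for user in revoke_first(found):
        print(f"{user:10} {', '.join(found[user])}")
```

On the sample data the review flags `carol` (left but still enabled, and stale), `svc-test` (an admin account that has never logged in) and `dave` (an admin account unused for six months); `erin` is skipped because the account is already disabled. The output is the action list for the review, and a test account with admin rights and no login history is exactly the kind of entry the article calls a common entry point.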

Backup and tested recovery

Backups are only useful if they work and can be restored quickly enough to matter. Follow the 3-2-1 rule: three copies of data, on two different media types, with one stored offsite or in a separate cloud account not connected to the primary environment. Test restores at least quarterly. Ransomware frequently targets backup systems specifically, so air-gapped or immutable backups should be part of the design for any organisation handling sensitive data.

Network segmentation

Flat networks allow an attacker who gains access to one system to move freely to others. Basic segmentation (separating guest Wi-Fi from the corporate network, isolating operational technology from IT systems, and restricting server-to-server communication) limits the blast radius of a compromise. This does not require complex infrastructure. VLAN configuration on a managed switch is sufficient for most SME environments.

Email security

Email is the primary delivery mechanism for phishing, malware, and business email compromise. At a minimum, configure SPF, DKIM, and DMARC records to prevent domain spoofing. Use a mail gateway or filtering service that inspects attachments and links before delivery. Train staff to recognise phishing, but do not rely on training alone. Technical controls catch what awareness misses.
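Having SPF, DKIM and DMARC records published is not the same as having them configured so that spoofing is actually rejected: an SPF record ending in `+all` authorises any sender, and a DMARC policy of `p=none` only reports spoofing without blocking it. The checker below is an added example, not the article's own tooling. The DNS answers are constructed and embedded so it runs offline (a real check would resolve the TXT records and feed them in the same shape); the domains are placeholders, and DKIM is not checked because that requires knowing the sending selector.

```python
"""SPF and DMARC record checks over constructed DNS TXT data (added example)."""
import re

# Constructed TXT answers keyed by record name. Domains are placeholders.
TXT = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],
    # weak.test publishes no _dmarc record at all
}

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")


def check_spf(txt, domain):
    """Return a list of finding codes for the domain's SPF record (empty means fine)."""
    records = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return ["spf-missing"]
    findings = []
    if len(records) > 1:
        findings.append("spf-multiple-records")  # receivers treat this as a permanent error
    terms = records[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("spf-no-all")  # unlisted senders get a neutral result, not a fail
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("spf-plus-all")  # every host on the internet may send as this domain
        elif qualifier == "?":
            findings.append("spf-neutral-all")
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append("spf-too-many-lookups")  # evaluates to permerror at the receiver
    return findings


def check_dmarc(txt, domain):
    """Return a list of finding codes for the domain's DMARC record."""
    records = [r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not records:
        return ["dmarc-missing"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("dmarc-no-policy")
    elif policy == "none":
        findings.append("dmarc-monitor-only")  # reports only; spoofed mail is still delivered
    if "rua" not in tags:
        findings.append("dmarc-no-reporting")  # nobody will see the spoofing reports
    return findings


def assess(txt, domain):
    """Combined SPF and DMARC findings for one domain."""
    return {"spf": check_spf(txt, domain), "dmarc": check_dmarc(txt, domain)}


if __name__ == "__main__":
    for name in ("example.test", "weak.test"):
        print(name, assess(TXT, name))
```

On the sample data, `example.test` has a sound SPF record but a monitor-only DMARC policy, which is the usual first step before moving to `p=quarantine` and then `p=reject`; `weak.test` has the worst of both, an SPF record that authorises everyone and no DMARC policy at all.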

Incident response plan

An incident response plan does not need to be long. It needs to answer three questions: who decides when an incident is serious enough to escalate, who gets called when it is, and what to do in the first four hours. Organisations without a plan make worse decisions under pressure, take longer to contain incidents, and often make them worse by taking the wrong initial action. Write it down before you need it.

Frameworks that map to this baseline

If your organisation operates in a regulated sector or is considering cyber insurance, two frameworks are worth understanding in relation to this baseline.

Cyber Essentials (UK) covers five technical controls: firewalls, secure configuration, access control, malware protection, and patch management. Certification is relatively straightforward for organisations that have the basics in place and provides a useful third-party validation of your security posture. Many public sector contracts and some insurers require it.

ISO 27001 goes significantly further, requiring a full information security management system. It is appropriate for organisations with regulatory obligations, large client bases, or significant data handling responsibilities. The baseline controls described here form a subset of what ISO 27001 requires. See our ISO 27001 guide for SMEs for a more detailed walkthrough.

NIS2 applies to organisations in critical sectors across the EU and imposes mandatory incident reporting and minimum security measure requirements. The baseline controls in this article align closely with what NIS2 requires at the foundational level. Our NIS2 guide covers the full scope of obligations.

Where to start if you are starting from scratch

Trying to implement everything at once rarely works. Prioritise in this order:

  • MFA on email and remote access: this week
  • Patch management process: define, document, and execute within the month
  • Backup testing: confirm backups exist and can be restored
  • Access review: remove stale accounts and excess privileges
  • Endpoint protection: verify coverage across all devices
  • Email security configuration: SPF, DKIM, DMARC
  • Incident response plan: one page, written down

A security assessment gives you a clear view of where you stand against this baseline, what the gaps are, and what the priority order should be for your specific environment. It is a faster and more reliable starting point than trying to self-assess.

Not sure where your security baseline stands?

We assess cybersecurity posture for businesses in healthcare, financial services, and hospitality. Tell us what you are working with and we will tell you what needs to change first.
