Cyber Security FAQs
Straightforward answers to the questions UK businesses ask most about cyber security, compliance, and managed IT.
How Much Does Cyber Essentials Certification Cost?
The Cyber Essentials assessment itself costs around £300-500, with the exact fee set by organisation size. Learn the full cost breakdown including preparation, and why most businesses need help to pass first t...
Compliance: What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment questionnaire reviewed by an assessor. Cyber Essentials Plus adds independent technical testing of a sample of your devices. Learn which one you need and why defence contracts typically require Plus.
Compliance: Why Do Companies Fail Cyber Essentials Plus?
Most CE Plus failures come down to the same few issues: patching gaps, MFA not enforced everywhere, and forgotten devices that are in scope but unmanaged. Here's what catches people out.
Defence: What Is DEFCON 658 and Does It Apply to My Business?
DEFCON 658 is the MOD contract condition that sets cyber security requirements for suppliers handling MOD identifiable information. If you're in the defence supply chain, it probably applies to you.
Microsoft 365: Does Microsoft 365 Back Up My Data Automatically?
No. Microsoft 365 replicates your data for availability and keeps deleted items for a limited retention period, but that isn't a backup you can rely on after ransomware, a rogue admin, or a deletion discovered too late. Here's what Microsoft actually protects and why you need a separate backup.
Incident Response: What Should I Do If My Business Is Hit by Ransomware?
If you've been hit by ransomware, here's what to do immediately: isolate affected systems, don't pay, check that your backups are intact and uninfected, and get expert help. A step-by-step guide.
Compliance: How Much Does ISO 27001 Certification Cost for SMEs?
ISO 27001 certification costs £10,000-40,000+ for SMEs, depending on size and starting point. Here's where that money goes and how to budget realistically.
Email Security: What Is DMARC and Do I Need It?
DMARC tells receiving mail servers what to do with messages that fail SPF or DKIM alignment checks, which stops criminals sending email that looks like it comes from your domain. Yes, you need it. Here's why and how it works.
Cyber Security: What Cyber Security Does a Small Business Need?
The essential cyber security every small business needs. No fluff, just what actually matters: MFA, patching, backup, email security, and staff awareness.
Microsoft 365: Is Microsoft 365 Secure Enough for My Business?
Microsoft 365 can be secure, but it depends entirely on how it's configured. Many of its protections are not enabled or enforced by default. Here's what you need to turn on.
Incident Response: What Happens If I Have a Data Breach?
Had a data breach? Under UK GDPR, a notifiable personal data breach must be reported to the ICO within 72 hours of your becoming aware of it. Here's what you need to do and when, step by step.
Managed Services: How Much Does Managed IT Support Cost Per User?
Managed IT support costs £30-100+ per user per month in the UK. Here's what affects the price and what you should expect to be included.
Compliance: Do I Need Cyber Essentials for Government Contracts?
Cyber Essentials is mandatory for central government contracts that involve handling personal information or providing certain ICT products and services, and many other public bodies ask for it too. Here's when you need it and which level.
Incident Response: How Do I Protect My Business from Phishing?
Phishing protection needs layers: email filtering, MFA, staff training, and out-of-band verification for payment and credential requests. Here's what actually works.
Backup & Recovery: What Is Immutable Backup and Why Does It Matter?
An immutable backup can't be changed or deleted for the length of its retention period, even by an administrator or by an attacker who has stolen admin credentials. It's your last line of defence against ransomware that targets backups. Here's how it works.
Compliance: What Is the Difference Between ISO 27001 and Cyber Essentials?
ISO 27001 is a management system covering the whole of information security. Cyber Essentials is a technical baseline of five control areas. Different purposes; you may need both.
Defence: What Cyber Security Do I Need for MOD Contracts?
MOD contracts require at least Cyber Essentials, and Cyber Essentials Plus for anything above the lowest cyber risk profile. Higher-sensitivity work needs further controls on top. Here's what you need to know before bidding.
Incident Response: How Do I Know If My Business Has Been Hacked?
Unusual logins, slow systems, strange emails sent from your accounts: these could be signs of compromise. Here's what to look for and what to do.
Compliance: How Long Does Cyber Essentials Certification Take?
Cyber Essentials takes 2-4 weeks if you're prepared, 6-8 weeks if you need to fix things first. CE Plus adds 1-2 weeks for technical testing.
Compliance: How Do I Prepare for Cyber Essentials Plus Assessment?
Prepare for CE Plus with this checklist: patching, MFA, firewall configuration, device management, and scope definition. Pass first time.
Microsoft 365: What Is the Difference Between Microsoft 365 Business Basic and Premium?
Business Premium includes security features that Basic doesn't: Defender for Business, Intune device management, and Conditional Access (via Entra ID P1). For most businesses, Premium is worth it.
Compliance: Do Subcontractors Need Cyber Essentials Plus for Defence Work?
Usually, yes. DEFCON 658 flows down through the supply chain, so if you handle MOD identifiable information as a subcontractor you inherit the cyber risk profile requirements, which means Cyber Essentials Plus for all but the lowest-risk work.
Cyber Security: What Is the Difference Between Antivirus and EDR?
Antivirus catches known malware, mostly by signature. EDR records endpoint activity, detects suspicious behaviour, and gives you the tools to investigate and respond. For business use, EDR is now the standard.
Cyber Security: What Is the Difference Between MSP and MSSP?
An MSP runs your IT. An MSSP runs your security. Many organisations need both, or an MSP that does security properly.
Compliance: How Long Does ISO 27001 Certification Take?
ISO 27001 certification typically takes 6-18 months. Here's what affects the timeline and how to move faster without cutting corners.
Backup & Recovery: What Is the 3-2-1 Backup Rule?
The 3-2-1 backup rule: 3 copies of your data, on 2 different media types, with 1 copy offsite. Here's why it works and how to implement it.
Cyber Security: How Much Should I Spend on Cyber Security?
A common benchmark for SMEs is 5-10% of the IT budget. But the right answer depends on your risk, industry, and what you're protecting.
Email Security: What Is Business Email Compromise (BEC)?
BEC attacks impersonate executives or suppliers to trick staff into transferring money or data. No malware needed: just convincing emails and urgency.
Cyber Security: Do I Need a Penetration Test?
Pen testing is valuable but not always the priority. Fix the basics first, then test. Here's when penetration testing makes sense for your business.
Cyber Security: How Do I Switch IT Support Providers?
Switching IT providers doesn't have to be painful. Here's how to plan the transition, what to watch for, and how to avoid common problems.
Compliance: Is ISO 27001 Worth It for Small Businesses?
ISO 27001 is valuable if your customers require it or you want structured security. It's not worth it as a vanity exercise. Here's how to decide.
Cyber Security: How Do I Stop My Domain Being Spoofed?
Stop attackers sending email as your domain: publish SPF, sign outbound mail with DKIM, and enforce DMARC, moving from p=none through p=quarantine to p=reject once your reports show legitimate mail is aligned. Here's how email authentication works and what to configure.
Cyber Security: What Is Vulnerability Scanning?
Vulnerability scanning automatically finds security weaknesses in your systems: missing patches, misconfigurations, known flaws. Here's how it works.
Cyber Security: What Is a vCISO (Virtual CISO)?
A vCISO provides strategic security leadership without the cost of a full-time hire. Security strategy, risk management, compliance oversight, board reporting, part-...
Cyber Security: What Is NIS2 and Does It Apply to My Business?
NIS2 is the EU directive that expands cyber security requirements for essential and important entities. Here's what it covers, who it applies to, and what you need to do.
Cyber Security: How Do I Stop Employees Leaking Data to ChatGPT and AI Tools?
Employees are pasting sensitive data into ChatGPT and other AI tools. Here's how to prevent AI data leakage with policy, training, and technical controls.
Cyber Security: Is Microsoft Copilot Safe for My Business?
Microsoft Copilot comes with enterprise data protection, but its security depends on your configuration, especially the permissions it inherits from your existing Microsoft 365 data. Here's what you need to know before rollout.
Cyber Security: What Is Data Loss Prevention (DLP)?
DLP stops sensitive data leaving your organisation. It detects, monitors, and blocks data in emails, files, and cloud apps. Here's how it works.
Incident Response: How Do I Protect Against AI-Powered Phishing and Deepfake Attacks?
AI makes phishing more convincing and enables voice and video deepfakes. Here's how to protect against AI-powered social engineering in 2026.
Cyber Security: How Do I Create an AI Acceptable Use Policy?
Your business needs an AI acceptable use policy. Here's what to include, how to enforce it, and a practical framework you can adapt.
Cyber Security: What Is Shadow AI and Why Is It a Security Risk?
Shadow AI is employees using unauthorised AI tools at work. It's everywhere, it's leaking your data, and you probably don't know the extent. Here's wh...
Cyber Security: How Do I Create an AI Acceptable Use Policy?
Your organisation needs an AI acceptable use policy now. Here's what to include, common mistakes, and how to make it actually work.
Cyber Security: Why Is Cyber Insurance So Expensive and Hard to Get?
Cyber insurance premiums have soared and requirements have tightened. Here's why, what insurers now require, and how to get better coverage.
Cyber Security: How Do I Protect My Business from Supply Chain Cyber Attacks?
Supply chain attacks compromise your vendors to reach you. SolarWinds, MOVEit, 3CX: the pattern is clear. Here's how to manage third-party cyber risk.
Cyber Security: What Is Zero Trust Security and Do I Need It?
Zero Trust means "never trust, always verify." Here's what it actually means for your business, where to start, and how to implement it practically.
Cyber Security: What Security Do I Need for Cyber Insurance in 2026?
Cyber insurers now require MFA, EDR, tested backups, and more before they'll cover you. Here's what you need to get coverage and avoid claim denials.
Incident Response: How Do Hackers Bypass MFA and How Do I Prevent It?
MFA isn't bulletproof. Attackers use push fatigue attacks, session token theft, and social engineering to bypass it. Here's how to strengthen your MFA security.
Cyber Security: How Do I Protect My Business from Supply Chain Attacks?
Supply chain attacks compromise your vendors to reach you. SolarWinds, MOVEit, and countless others show the risk. Here's how to assess and manage supplie...
Cyber Security: What Is Zero Trust Security and Do I Need It?
Zero Trust means never trust, always verify: no implicit trust for users, devices, or networks. Here's what it means practically and how to implement ...
Cyber Security: How Do I Report Cyber Risk to the Board?
Boards need cyber risk reporting they can understand and act on. Here's how to translate security into business language that drives decisions.
Incident Response: What Is QR Code Phishing (Quishing) and How Do I Stop It?
QR code phishing bypasses link-scanning email security by hiding the malicious URL in an image. Here's how quishing works and how to protect your organisation.
Cyber Security: How Are Attackers Bypassing MFA and What Can I Do?
MFA isn't bulletproof. Attackers use phishing pages that relay the login in real time, fatigue attacks, and token theft to bypass it. Here's how modern identity attacks work and how to defen...
Cyber Security: How Do I Find and Control Shadow IT and SaaS Sprawl?
Employees are using hundreds of unauthorised SaaS apps. Shadow IT creates security blind spots. Here's how to discover, assess, and control it.
Cyber Security: How Do I Report Cyber Security Risk to the Board?
Boards need cyber risk reporting they can understand and act on. Here's how to present security metrics, risks, and investments to non-technical direc...
Cyber Security: Do I Need an Incident Response Retainer?
An incident response retainer means expert help is lined up before you need it. Here's when a retainer makes sense and what it should include.
Cyber Security: What Are the Biggest Cloud Security Mistakes?
Most cloud breaches stem from misconfiguration, not sophisticated attacks. Public storage, excessive permissions, missing MFA: here are the mistakes to...
Cyber Security: How Do I Protect Against Insider Threats?
By some estimates, insiders are involved in around 60% of data breaches. Whether malicious or accidental, employees with access can cause massive damage. Here's how to protect you...
Microsoft 365: What Is Conditional Access in Microsoft 365?
Conditional Access controls who can access what, from where, and how: policies evaluate the user, device, location, and app at sign-in and can require MFA or block access outright. It's the foundation of Zero Trust in Microsoft 365. Here's how it works.
Cyber Security: How Do I Secure Remote and Hybrid Workers?
Securing remote workers requires identity-centric security, device management, and secure access. Here's how to protect a distributed workforce in 202...
Cyber Security: What Is a Cyber Security Tabletop Exercise?
A tabletop exercise tests your incident response in a safe environment. Gather your team, walk through a simulated scenario, and find the gaps before a real attack does...
Cyber Security: What Are Passkeys and Should My Business Use Them?
Passkeys replace passwords with phishing-resistant public-key authentication. They're more secure and easier to use. Here's what businesses need to know.
Incident Response: How Are Hackers Using AI to Attack Businesses?
Criminals are using AI for phishing, malware, vulnerability discovery, and social engineering at scale. Here's what the AI-powered threat landscape lo...
Cyber Security: How Do I Run a Cyber Security Tabletop Exercise?
Tabletop exercises test your incident response without real risk. Here's how to plan, run, and learn from cyber security simulations.
Cyber Security: What Is Attack Surface Management (ASM)?
Attack surface management continuously discovers and monitors your external exposure. You can't secure what you don't know about. Here's how ASM works...
Cyber Security: What Is Privileged Access Management (PAM)?
PAM controls admin access to critical systems. Just-in-time access, session recording, credential vaulting: here's why PAM matters and how to implement...
Cyber Security: What Is the UK Cyber Security and Resilience Bill?
The UK Cyber Security and Resilience Bill updates the UK's cyber regulations for 2025-2026. Here's what it means for UK businesses and how to prepare.
Cyber Security: What Is SIEM and Does My Business Need It?
A SIEM collects logs from across your estate, correlates them to detect threats, and supports investigation. Here's what SIEM does, what it costs, and whether you need it.
Cyber Security: What Is DORA and Does It Apply to My Financial Services Business?
DORA is the EU's Digital Operational Resilience Act for financial services. ICT risk management, incident reporting, resilience testing: here's what yo...
Cyber Security: How Do I Secure Remote and Hybrid Workers?
Remote work is permanent. Here's how to secure staff working from home, coffee shops, and everywhere else, without killing productivity.
Incident Response: Should I Pay a Ransomware Demand?
Paying a ransom is rarely recommended. It funds criminals, doesn't guarantee recovery, and may be unlawful if the recipient is a sanctioned entity. Here's how to think through ...
Cyber Security: What Is Shadow AI and Why Should I Care?
Shadow AI is employees using unauthorised AI tools for work. It's shadow IT 2.0, with bigger data risks. Here's how to find and manage it.
Cyber Security: How Do I Choose a Cyber Security Provider?
Choosing an MSSP or cyber security partner? Here's what to look for, questions to ask, and red flags to avoid.
Cyber Security: How Do I Respond to Customer Security Questionnaires?
Enterprise customers send security questionnaires before buying. Here's how to respond efficiently, what they're looking for, and how to pass.
Cyber Security: What Are Passkeys and Should I Use Them?
Passkeys replace passwords with cryptographic authentication. They're phishing-resistant, easier to use, and more secure. Here's what you need to know...
Cyber Security: What Is SIEM and Do I Need It?
SIEM collects and analyses security logs to detect threats. It's powerful but expensive. Here's when you need SIEM and when you don't.
Incident Response: Are Hackers Using AI to Create Malware?
Yes, attackers use AI to create malware, phishing, and exploits faster than ever. Here's what's changed and how to defend against AI-powered threats.
Cyber Security: How Do I Secure Microsoft Teams?
Teams is powerful but needs proper security configuration. External access, guest policies, data protection: here's how to secure Teams properly.
Cyber Security: What Is the Cyber Assessment Framework (CAF)?
CAF is the NCSC framework for assessing the cyber resilience of critical national infrastructure. 14 principles, regulatory assessment, and how to prepare...
Incident Response: How Much Does a Data Breach Cost a UK Business?
Industry surveys put the average UK data breach at around £3.4 million. SMEs typically face £8,500-£25,000 for smaller incidents. Here's the full cost breakdown.
Cyber Security: What Is the EU AI Act and Does It Affect My Business?
The EU AI Act regulates artificial intelligence by risk level. High-risk AI has strict requirements. Here's what UK businesses need to know.
Cyber Security: What Is Infostealer Malware and Why Is It So Dangerous?
Infostealers harvest passwords, cookies, and session tokens from infected devices, and a stolen session token lets an attacker walk past MFA. They're fuelling ransomware and account takeover. Here's how they w...
Cyber Security: What Is Privileged Access Management (PAM)?
Privileged accounts are attackers' top target. PAM controls, monitors, and secures admin access. Here's what it is and when you need it.
Cyber Security: How Do I Prepare for a Cyber Security Audit?
Cyber security audits are stressful if you're unprepared. Here's how to get ready: documentation, evidence, and what auditors actually look for.
Backup & Recovery: How Much Does Business Backup Cost?
Business backup costs £3-15 per user per month depending on what you're protecting. Here's what affects the price and what you should expect.
Compliance: How Do I Get Cyber Essentials Plus for Defence Contracts?
Most defence contracts require CE Plus. Here's how to get certified efficiently, what defence-specific requirements to consider, and common pitfalls to avo...
Compliance: Is Cyber Essentials Worth It for Small Businesses?
Cyber Essentials costs £300-2,000 depending on how much preparation help you need. Is it worth it for your small business? Here's when it makes sense and when it doesn't.
Cyber Security: Do I Need a Data Protection Officer (DPO)?
UK GDPR requires a DPO in specific circumstances: public authorities, large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data. Here's when you legally need one, when it's good practice anyway, and your options.
Compliance: What Happens If I Fail Cyber Essentials Plus?
Failed your CE Plus assessment? Here's what happens, how to remediate, and how to pass on your next attempt without wasting more money.
Cyber Security: How Do I Know If My Business Is Secure?
You can't know you're secure without testing. Here's how to assess your security posture, from quick self-checks to professional assessments.
Managed Services: What Should Be Included in Managed IT Support?
Don't get caught out by "extras." Here's what should be included in managed IT support as standard, and what's legitimately additional.
Microsoft 365: How Do I Set Up MFA in Microsoft 365?
Enable MFA in Microsoft 365 using Security Defaults (the simple option: all users, no exceptions) or Conditional Access (granular policies, requires Entra ID P1). Here's how to do it properly without breaking things.
Microsoft 365: How Do I Protect Against Phishing in Microsoft 365?
Microsoft 365 has powerful anti-phishing features, but you need to enable and tune them. Here's how to configure Defender for Office 365 for real protection.
Email Security: What Is the Difference Between SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC work together to stop email spoofing. SPF lists the servers allowed to send for your domain, DKIM cryptographically signs each message, and DMARC tells receivers how to treat mail that fails both aligned checks and where to send reports. Here's what each does, how they're different, and why you need all three.
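The two email authentication FAQs above (stopping domain spoofing, and SPF versus DKIM versus DMARC) both turn on the same handful of record settings. As an added illustration, here is a small Python script written for this page (not code from the original FAQ or from any vendor) that parses SPF and DMARC TXT records and flags the weak settings those answers warn about: a missing record, an SPF record ending in `+all`, a DMARC policy left at `p=none`, a `pct` below 100, or no `rua` address. The DNS answers are constructed sample data for placeholder domains and are supplied inline so the script runs offline; in practice you would fetch the TXT records with a resolver and pass them in. DKIM is deliberately left out: verifying it needs the selector and a signed message, not just a DNS lookup.

```python
"""Offline check of SPF and DMARC records for the weak settings above.

DNS answers are passed in as a dict so the script runs without network
access; in real use you would fetch the TXT records with a resolver and
feed them in. DKIM is not checked here: verifying it needs the selector
and a signed message, not just a DNS record.
"""
import re

# Constructed sample records for placeholder domains (not real data).
SAMPLE_DNS = {
    "good.example": {
        "good.example": "v=spf1 include:spf.protection.outlook.com -all",
        "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s",
    },
    "weak.example": {
        "weak.example": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com +all",
        "_dmarc.weak.example": "v=DMARC1; p=none; pct=50",
    },
    "missing.example": {},
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, term) pairs and summarise it."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    summary = {"all": None, "lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        summary["mechanisms"].append((qualifier, term))
        if name == "all":
            summary["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            summary["lookups"] += 1  # top-level count only; includes are not followed
    return summary


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC record into a tag dict, applying the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment
    tags.setdefault("aspf", "r")      # relaxed SPF alignment
    tags.setdefault("pct", "100")     # policy applies to all mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit the domain policy
    return tags


def assess_domain(domain: str, txt: dict) -> list:
    """Return human-readable findings for a domain's SPF and DMARC posture."""
    findings = []
    spf_raw = txt.get(domain, "")
    if not spf_raw.lower().startswith("v=spf1"):
        findings.append("no SPF record: any server can claim to send for this domain")
    else:
        spf = parse_spf(spf_raw)
        if spf["all"] in (None, "+", "?"):
            shown = spf["all"] or "missing"
            findings.append(f"SPF 'all' qualifier is {shown}: use ~all or -all")
        if spf["lookups"] > 10:
            findings.append("SPF exceeds the 10 DNS lookup limit: receivers return permerror")
    dmarc_raw = txt.get(f"_dmarc.{domain}")
    if dmarc_raw is None:
        findings.append("no DMARC record: receivers will not enforce SPF/DKIM alignment")
    else:
        dmarc = parse_dmarc(dmarc_raw)
        if dmarc["p"] == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if dmarc["pct"] != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua tag: you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for name, records in SAMPLE_DNS.items():
        issues = assess_domain(name, records) or ["no issues found"]
        print(name)
        for issue in issues:
            print(f"  - {issue}")
```

The lookup count is a lower bound: it only counts the top-level terms, so a record that passes this check can still blow the 10-lookup limit once its `include` chains are resolved. Run the check before tightening DMARC, then step the policy from `p=none` to `p=quarantine` to `p=reject` as the aggregate reports confirm your legitimate senders are aligned.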
Cyber Security: What Questions Should I Ask My IT Support Provider?
Evaluating IT providers? Here are the questions that reveal whether they'll actually protect your business, and the answers you should expect.
Cyber Security: Does My Business Need Security Awareness Training?
Most breaches involve a human element; by some estimates around 90%. Security awareness training reduces that risk. Here's whether you need it, what works, and what doesn't.
Cyber Security: Do I Need an Incident Response Plan?
When a breach happens, chaos without a plan costs money and makes things worse. Here's why you need an incident response plan and what it should inclu...
Cyber Security: What Are the Biggest Cloud Security Risks?
Misconfigured cloud services cause most cloud breaches. Storage left public, excessive permissions, missing MFA: here's what goes wrong and how to prev...
Cyber Security: What Cyber Security Checks Should I Do After an Acquisition?
Acquired a company? You've inherited their security posture, and their vulnerabilities. Here's what to check and how to integrate safely.
Cyber Security: How Do I Prepare for Cyber Insurance Renewal?
Cyber insurance renewals are tough. Insurers ask detailed security questions. Here's how to prepare, what evidence you need, and how to get better ter...
Can't find what you're looking for?
Our team is here to help with any cyber security questions you have.
Get in Touch