Cyber security does not have to be complicated or expensive. For most Lincoln SMEs, the biggest security wins come from implementing a relatively small number of well-known controls consistently. This checklist covers the essentials that every Lincoln business should have in place before the end of this year.
Why Cyber Security Matters for Lincoln SMEs
The perception that cyber criminals only target large organisations is one of the most dangerous myths in business. In reality, small and medium-sized businesses are now the primary target of many cyber attack campaigns. The reasons are simple: SMEs hold valuable data, process payments, and often have weaker defences than larger organisations.
The UK's Cyber Security Breaches Survey found that 39% of UK businesses experienced a cyber attack in the past year. The average cost of a breach for a small business — including downtime, recovery, legal fees, and reputational damage — now exceeds £8,000. For businesses that process personal data, GDPR enforcement action adds a further financial and reputational risk.
The good news is that most successful cyber attacks exploit basic, preventable vulnerabilities. The controls in this checklist, if implemented properly, would prevent the vast majority of attacks targeting Lincoln businesses today.
The Cyber Security Checklist for Lincoln SMEs
1. Enable Multi-Factor Authentication on All Accounts
Multi-factor authentication (MFA) — sometimes called two-factor authentication or 2FA — adds a second verification step to account logins. Even if an attacker steals your password, they cannot access your account without also having your phone or authentication app.
MFA should be enabled on: Microsoft 365 and email, banking and financial platforms, your accounts payable and invoicing systems, any HR or payroll systems, VPN and remote access, and your domain registrar and website hosting.
Enabling MFA on Microsoft 365 alone blocks 99.9% of automated account compromise attacks, according to Microsoft's own data.
2. Keep Software and Operating Systems Updated
Unpatched software is one of the most common entry points for ransomware and other malware. When a vulnerability is discovered in Windows, Microsoft Office, or other widely used software, attackers move quickly to exploit it — often within days of the patch being released.
Ensure that: Windows updates are applied promptly on all devices, third-party software (web browsers, Adobe, Java, etc.) is updated regularly, any on-premises servers are patched and maintained, and your antivirus and endpoint protection software is current.
If keeping up with patches is a challenge, this is one of the core benefits of managed IT support: patch management is handled for you, automatically, rather than depending on someone remembering to do it.
3. Use Strong, Unique Passwords and a Password Manager
Password reuse is epidemic. Many people use the same password across multiple accounts, meaning that when one account is compromised, all accounts are at risk. Attackers routinely purchase lists of stolen credentials and test them against email, banking, and other platforms.
Every account should have a unique, strong password. A password manager makes this practical — tools like Bitwarden, 1Password, or Microsoft's built-in password manager generate and store strong passwords so your team only needs to remember one master password.
4. Back Up Your Data — and Test Your Restores
Ransomware encrypts your files and demands payment for the decryption key. If you have a clean, tested backup that ransomware cannot reach, you can recover without paying. If you do not, you face either paying criminals or losing your data permanently.
Your backup strategy should follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy offsite (or in the cloud). Critically, test your backups regularly by actually restoring files — many businesses discover their backups are broken only when they need them most.
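A tested restore is the only proof a backup works. The script below is an added example, not part of the original checklist: it takes one backup copy of a constructed sample folder, restores it to scratch space and checks every file's SHA-256 against the digests recorded at backup time, and it shows what a damaged archive looks like to the same check.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write one backup copy of source as a gzip tar; return the digests it must restore to."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return sha256_tree(source)


def verify_restore(archive: Path, top: str, expected: dict) -> list:
    """Restore into scratch space and compare with the backup-time digests; [] means good."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe 'data' extraction filter where this Python offers it.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = sha256_tree(Path(scratch, top))
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupted after restore: {rel}")
    problems += [f"unexpected file in restore: {rel}" for rel in restored.keys() - expected.keys()]
    return problems


def demo(truncate_archive: bool = False) -> list:
    """Constructed sample: back up a tiny office share, then test the restore (optionally damaged)."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work, "share")
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("invoice,amount\n1001,250.00\n")
        (source / "staff-handbook.txt").write_text("Report suspicious emails to IT.\n")
        archive = Path(work, "share-backup.tar.gz")
        expected = make_backup(source, archive)
        if truncate_archive:  # simulate a backup that silently broke on the way to storage
            archive.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        return verify_restore(archive, source.name, expected)
```

Run the same check against each of the three copies in a 3-2-1 scheme, including the offsite one, since a copy that has never been restored from is an assumption rather than a backup.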
5. Train Your Team to Recognise Phishing
Phishing emails — messages that impersonate trusted organisations or colleagues to trick recipients into clicking malicious links or revealing credentials — are the starting point for the majority of cyber attacks. No technical control eliminates phishing entirely, which is why staff training is essential.
Key training topics include: how to identify suspicious emails, what to do if you click something suspicious, how to verify unexpected requests for money transfers or sensitive information (phone the person to confirm), and how to report suspected phishing to your IT team.
Regular phishing simulations — sending fake phishing emails to your own team to test and reinforce awareness — are one of the most effective training tools available.
6. Secure Your Network and Wi-Fi
Your office network is the environment within which all your devices operate. A poorly secured network can allow attackers to intercept traffic, access shared files, or spread malware between devices.
Essentials include: a business-grade firewall, separate guest Wi-Fi networks (so visitors cannot access your internal systems), strong Wi-Fi passwords, and regular review of who has access to your network.
If you use remote access or VPN, ensure it is configured securely and requires MFA.
7. Control Who Has Access to What
Not everyone in your business needs access to everything. Limiting access to sensitive data and systems — a principle called least privilege — reduces the potential damage of both accidental and deliberate data misuse.
Review user accounts and permissions regularly: ensure departed employees' accounts are disabled immediately, ensure admin-level accounts are only held by those who genuinely need them, and audit who has access to sensitive files, financial systems, and customer data.
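The review above is easier to do consistently when it is scripted against an export of your accounts. The following is an added example, not the company's own tooling: it reconciles a constructed account export against a constructed HR leavers list, flags leavers who are still enabled, lists every admin-role holder so each can be justified, and points out admin rights nobody has used in 90 days. The role names, addresses and dates are all made up for the example.

```python
from datetime import date, timedelta

# Roles treated as admin-level for this review (constructed list; substitute your own tenant's).
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator", "Billing Administrator"}
STALE_AFTER = timedelta(days=90)  # access unused for this long needs justifying or removing

# Constructed account export, shaped like a directory or Microsoft 365 user report.
ACCOUNTS = [
    {"upn": "alice@example.co.uk", "enabled": True,  "roles": ["Global Administrator"],   "last_sign_in": date(2024, 6, 28)},
    {"upn": "bob@example.co.uk",   "enabled": True,  "roles": [],                         "last_sign_in": date(2024, 6, 27)},
    {"upn": "carol@example.co.uk", "enabled": True,  "roles": ["Exchange Administrator"], "last_sign_in": date(2024, 1, 15)},
    {"upn": "dave@example.co.uk",  "enabled": True,  "roles": [],                         "last_sign_in": date(2024, 3, 2)},
    {"upn": "erin@example.co.uk",  "enabled": False, "roles": [],                         "last_sign_in": None},
    {"upn": "frank@example.co.uk", "enabled": True,  "roles": [],                         "last_sign_in": None},
]
# Constructed HR leavers list: last working day per person.
LEAVERS = {"dave@example.co.uk": date(2024, 5, 31), "erin@example.co.uk": date(2024, 2, 29)}


def review_access(accounts, leavers, today, stale_after=STALE_AFTER):
    """Reconcile accounts against leavers and admin roles; return the findings to act on."""
    findings = {"leavers_still_enabled": [], "dormant_accounts": [], "admins": [], "stale_admins": []}
    for acct in accounts:
        upn, last = acct["upn"], acct["last_sign_in"]
        if not acct["enabled"]:
            continue  # a disabled account grants no usable access; nothing to act on here
        if upn in leavers and leavers[upn] <= today:
            findings["leavers_still_enabled"].append(upn)  # should have been disabled on leaving
        dormant = last is None or today - last > stale_after
        if dormant:
            findings["dormant_accounts"].append(upn)
        if set(acct["roles"]) & ADMIN_ROLES:
            findings["admins"].append(upn)  # the full admin list: confirm each one is still needed
            if dormant:
                findings["stale_admins"].append(upn)  # admin rights nobody has exercised recently
    return findings


def demo():
    """Run the review against the constructed data as of a fixed review date."""
    return review_access(ACCOUNTS, LEAVERS, today=date(2024, 7, 1))
```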
8. Have an Incident Response Plan
When — not if — a cyber incident occurs, having a documented response plan dramatically reduces the damage. Your incident response plan should cover: who to call immediately (your IT provider, relevant leadership, potentially your insurer and solicitor), how to isolate affected systems to prevent spread, what to communicate to clients and staff, and how to document the incident for regulatory reporting purposes.
GDPR requires businesses to report personal data breaches to the ICO within 72 hours of becoming aware of them. Without a plan, this timeline is very difficult to meet.
9. Consider Cyber Essentials Certification
Cyber Essentials is the UK government-backed scheme that certifies businesses have the basic controls in place to protect against the most common cyber attacks. Certification demonstrates to clients, insurers, and procurement teams that you take security seriously. Many public sector contracts now require it.
The self-assessment certification covers: firewalls, secure configuration, user access control, malware protection, and patch management — essentially a structured version of this checklist. Certification typically costs between £300 and £1,000 depending on your organisation size.
10. Work with a Trusted IT Partner
Cyber security is not a one-time project — it is an ongoing programme. Working with a managed IT provider like IT Support Lincoln means your security controls are continuously monitored, updated, and improved as threats evolve.
We help Lincoln businesses across all industries implement these controls, achieve Cyber Essentials certification, and build a security posture that genuinely protects them. Contact us today for a free cyber security assessment.