Contents
You often hear that there is no such thing as a 100% secure environment, and that is fair, but it is not a reason to stop trying. The sensible goal is an environment that is as secure as it reasonably can be. The difficulty is that security has so many moving parts, and there are rarely enough hours in the week or pounds in the budget to cover everything you would like to.
Smaller and mid-sized businesses feel this most sharply. Leaner teams and tighter budgets turn “doing more with less” into a genuine slog. Getting the basics right is how an organisation of any size makes sure the fundamentals are actually in order, so it is worth being clear about where to begin.
Know what you have
You cannot securely manage a device that nobody knows exists, so an accurate picture of your assets has to come first.
Most organisations have a decent handle on their laptops and their main servers. The gaps tend to appear around the less obvious kit: a forgotten appliance, a one-off piece of hardware bought for a particular team, the sort of thing that gradually drifts out of date and, over months and years, becomes a way in for an attacker. An up-to-date asset inventory is unglamorous, but it underpins almost everything else.
Know what you are running
Software needs the same treatment. Patching has been a headache for decades. Tools like Microsoft’s WSUS and various third party patch management products have made a real dent in it, yet most patch policies still have holes.
In practice, most businesses keep the operating system on most machines updated most of the time, and the common applications used across the company are usually in reasonable shape. Things slip with the niche systems and specialist software that only one team touches, which is exactly where an attacker is happy to look.
This is one of the quieter benefits of penetration testing: assurance. A report listing vulnerabilities and misconfigurations is obviously useful, but even a clean report with very few findings has value, because it tells you the team has things under control. Testing on a regular basis is how you find out whether your assets and software are being managed properly, or if something has slipped through.
Train your people
Social engineering is one of the most common routes to compromise. In the UK Government’s Cyber Security Breaches Survey 2025/2026, phishing was the most common and most disruptive type of attack by a wide margin, affecting 85% of businesses that suffered a breach. Staff who can recognise phishing, and who know what a well crafted, targeted attempt looks like, are a genuine first line of defence.
The hard part is that training is often treated as a chore, one more video to squeeze into an already full day. A focused approach helps. Directors, executive assistants and other gatekeepers are the people most likely to be singled out in spear phishing and whaling attacks, so giving them extra attention lifts the security of the whole organisation.
Social engineering is not only about email, either. Physical security matters just as much, and while it was once waved away, attitudes are steadily shifting. Tailored training for the individuals most likely to be targeted, sometimes called VIP or executive security awareness, is a practical way to raise everyone’s protection.
Get senior management on board
One of the toughest barriers in any security conversation is internal: persuading the organisation to take the subject seriously in the first place.
In some businesses, senior management still file cyber security under “nice to have” rather than a basic cost of operating today. Part of the problem is that the return on investment is hard to point at, penetration testing included. You are paying to reduce a risk, and a good outcome looks like nothing happening.
A word of caution on the statistics you might reach for here. You will have seen the widely quoted claim that “60% of small businesses close within six months of a cyber attack”. It is best left alone: the National Cyber Security Alliance, to whom it is usually attributed, confirmed in 2022 that it never produced the figure and that its origin cannot be verified. Use properly sourced numbers instead. The UK Government’s survey found that 43% of businesses reported a breach or attack in the last year, and that the financial and reputational costs of the most disruptive incidents have been climbing. Figures like those carry weight precisely because they come from a government publication rather than a vendor.
There is an upside worth putting in front of the board too. Regular penetration testing tends to open doors rather than only close risks. It is a common requirement for compliance, and it increasingly appears in the supplier due diligence questionnaires that decide who wins the contract. Seen that way, testing is not purely a safeguard. It can be a way to win business.
Where to start
The fundamentals are not glamorous, but they are what actually holds up:
- Keep an accurate inventory of your devices and software, including the niche kit that tends to get forgotten.
- Patch consistently, and use regular penetration testing to check that nothing has slipped.
- Train the people most likely to be targeted, and treat physical security as part of the picture.
- Get senior management genuinely engaged, using credible figures rather than scare stats.
Almost all of this overlaps with Cyber Essentials, the UK scheme built around exactly these controls, so working through the basics also moves you toward certification. When you want to know how your defences stand up to a real attacker rather than a checklist, a penetration test is the clearest way to find out.