Cyber risks for SMEs: the 7-point checklist

Concrete steps that help small and mid-sized businesses reduce their digital attack surface.

mingoInsure Editorial Team

Cyber incidents often hit SMEs when they least expect it. The good news: many risks can be reduced with a few structured measures. This 7-point checklist prioritizes the most important topics, whether you have cyber insurance or not.

1. Secure access (use MFA everywhere)

Multi-factor authentication is the most effective protection against account takeovers. Email, admin access, and cloud services should use MFA by default.

Set clear password rules and regularly disable outdated accounts.

  • MFA for email, admin, cloud tools
  • Introduce a password manager
  • Review inactive accounts monthly

2. Backups with recovery testing

Backups only help if they work when needed. Test restores at least quarterly.

Ideally follow the 3-2-1 rule: three copies, two media, one offline copy.

  • Implement a 3-2-1 strategy
  • Document test recoveries
  • Assign a clear backup owner
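As an added example (not part of the original checklist), a small Python script that checks a backup inventory against the 3-2-1 rule and the quarterly restore-test requirement described above; the inventory entries, the 90-day limit and the check_backups function are assumptions of this example, not something the article prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed example inventory, not from the original article:
# one entry per copy of the business data.
@dataclass
class BackupCopy:
    name: str
    media: str                    # e.g. "disk", "tape", "cloud-object"
    offline: bool                 # disconnected from the production network
    last_restore_test: Optional[date]  # None = never tested

RESTORE_TEST_MAX_AGE = timedelta(days=90)  # "at least quarterly"

def check_backups(copies: List[BackupCopy], today: date) -> List[str]:
    """Return a list of findings; an empty list means the 3-2-1 rule and
    the quarterly restore-test requirement are both satisfied."""
    findings = []
    # 3: three copies
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, 3-2-1 needs three")
    # 2: two different media, so one failure mode cannot take out all copies
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media)) or 'none'}), need two")
    # 1: one offline copy, out of reach of ransomware spreading over the network
    if not any(c.offline for c in copies):
        findings.append("no offline copy: malware on the network can reach every copy")
    # Backups only help if they restore: check the age of the last test per copy
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        elif today - c.last_restore_test > RESTORE_TEST_MAX_AGE:
            age = (today - c.last_restore_test).days
            findings.append(f"{c.name}: last restore test {age} days ago (limit {RESTORE_TEST_MAX_AGE.days})")
    return findings

# Constructed sample inventory: three copies on three media, one offline,
# but two of them have stale or missing restore tests.
SAMPLE_COPIES = [
    BackupCopy("primary NAS", "disk", False, date(2024, 5, 2)),
    BackupCopy("cloud bucket", "cloud-object", False, date(2024, 1, 15)),
    BackupCopy("monthly tape", "tape", True, None),
]

if __name__ == "__main__":
    for finding in check_backups(SAMPLE_COPIES, date(2024, 6, 1)):
        print("FINDING:", finding)
```

Feeding it a real inventory exported from the backup tool turns the quarterly restore test into a check that can be documented and handed to the backup owner.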

3. Patch and update discipline

Known vulnerabilities are the number one entry point. Regular updates significantly reduce risk.

Prioritize systems with external access and business-critical data.

  • Enable automatic updates
  • Review critical systems weekly
  • Replace or isolate legacy software

4. Train phishing resilience

Social engineering remains the most effective attack method. Ongoing awareness beats one-off training.

Phishing simulations help identify blind spots.

  • Quarterly awareness sessions
  • Phishing tests with review
  • Define clear reporting paths

5. A one-page incident plan

In an incident, speed matters. A short, clear emergency plan helps you make decisions without chaos.

Define responsibilities, external contacts, and escalation levels.

  • Keep the plan accessible (intranet or print)
  • External contacts (IT, insurer, legal)
  • Document roles and responsibilities

6. Review vendors and cloud providers

SMEs often rely on third parties. Review their security standards and contract clauses, especially for sensitive data.

In a claim, it must be clear who is responsible for what.

  • Review SLAs and data protection clauses
  • Know where data is stored
  • Minimize vendor access rights

7. Integrate cyber insurance effectively

Cyber insurance doesn’t replace security, but it can cover costs such as forensics, business interruption, or crisis communications.

Compare terms carefully, especially deductibles and exclusions.

  • Check business interruption coverage
  • Understand sub-limits and waiting periods
  • Check whether incident-response services are included

Conclusion

SMEs don’t need to perfect everything, but they should work in a structured way. These seven points reduce risk significantly and provide clarity for the moment it matters.