The Cyber Security Checklist Every Edinburgh SME Needs in 2026
TL;DR – The 5 areas every Edinburgh SME must cover
- Only 40% of UK businesses have multi-factor authentication enabled (DSIT, 2025)
- Only 22% have a formal incident response plan – the most common gap
- Scottish SMEs lose an average of £5,584 per year to cyber attacks
- Only 3% of UK businesses hold Cyber Essentials certification
- This checklist covers all 5 NCSC Cyber Essentials control areas plus Edinburgh-specific regulatory items

Forty-three percent of UK businesses experienced a cyber breach or attack in the last 12 months (DSIT Cyber Security Breaches Survey 2025, gov.uk). Yet only 22% have a formal incident response plan. Only 40% have enabled multi-factor authentication. When a Scottish SME gets hit, the average cost is £5,584 per year in losses.
This cyber security checklist for Edinburgh businesses gives business owners a single page to work through – 25 items across 5 control areas, mapped to the NCSC’s Cyber Essentials framework. It takes about 20 minutes. Most gaps you find can be closed the same day, for free.
For a full explanation of why each control matters and which regulations apply to your sector, see our Complete Cyber Security Guide for Edinburgh Businesses.
Section 1: Firewalls and Network Protection
Firewalls control what traffic is allowed in and out of your network. Without them, attackers can probe your systems directly. Most Edinburgh businesses have a basic firewall through their router, but few have checked whether it’s configured correctly or whether remote workers are protected when they’re off-site.
43% of UK businesses experienced a cyber security breach or attack in the 12 months to early 2025, and only 12% are aware of the Cyber Essentials scheme – down from 16% in 2022. The scheme’s five technical controls, including firewalls, address the vulnerabilities present in the vast majority of successful attacks. (DSIT Cyber Security Breaches Survey 2025, gov.uk)
- [ ] A firewall is enabled on your router or network gateway
- [ ] The firewall’s default admin password has been changed from the manufacturer default
- [ ] Remote workers connect via a VPN or use a managed device with a software firewall enabled
- [ ] Unnecessary ports and services are blocked (your IT provider can confirm this)
- [ ] Firewall rules have been reviewed in the past 12 months
For Edinburgh regulated sector firms (FCA, SRA, NHS DSPT): Your regulatory framework requires you to document your network boundary controls and demonstrate them on request. A basic router firewall may not be sufficient – check your sector obligations before assuming you’re covered.
For guidance on the most common way attackers get through these gaps – phishing – read our Phishing Protection Guide for Edinburgh Businesses.
Section 2: Malware Protection
The DSIT Cyber Security Breaches Survey (2025) found that malware – including ransomware – is affecting a growing number of UK businesses each year. In 2025, ransomware affected approximately 19,000 UK organisations, double the prior year’s figure (DSIT Cyber Security Breaches Survey 2025, gov.uk). Anti-malware software blocks the most common delivery methods, but only when it’s up to date and running on every device your staff use.
- [ ] Anti-malware or antivirus software is installed on all computers and laptops, including personal devices used for work
- [ ] Anti-malware definitions update automatically – you haven’t disabled auto-update
- [ ] Email and web filtering is enabled (Microsoft 365 Defender or Google Workspace Advanced Protection)
- [ ] Macros in Microsoft Office are disabled by default for documents arriving from external sources
- [ ] You have a process for handling suspicious email attachments before opening them
Practical note: Microsoft 365 Business Premium includes Defender, which covers most malware threats for Microsoft environments. If you’re on Basic or Standard, you may have a gap here worth checking before your next renewal.
Section 3: User Access Control
The DSIT Cyber Security Breaches Survey (2025) shows that only 40% of UK businesses have enabled multi-factor authentication – the single most effective access control available. When a staff member’s password is stolen through phishing, MFA is the only barrier between the attacker and your systems. This section also covers admin privilege, which is where attackers cause the most damage once they’re inside.
- [ ] Multi-factor authentication (MFA) is enabled on all email accounts (Microsoft 365 or Google Workspace)
- [ ] MFA is enabled on all business-critical applications: accounting software, CRM, cloud storage, banking
- [ ] Staff accounts have only the access they need – no one has admin rights unless their role requires it
- [ ] A separate admin account is used for IT administration tasks, not the same account used for email and documents
- [ ] A leaver process exists: departed employees’ accounts are disabled within 24 hours of leaving

Realistic standard: If you tick nothing else on this entire list, tick MFA for email. It prevents the most common attack progression: stolen password → email account compromise → full business breach. It takes about 10 minutes to enable in Microsoft 365 admin settings.
Section 4: Patch Management and Software Updates
Unpatched software is one of the two most common entry points for attackers – the other being phishing (DSIT Cyber Security Breaches Survey, 2025). The NCSC recommends applying high-severity patches within 14 days of release (NCSC Small Business Guide, ncsc.gov.uk). Most Edinburgh SMEs have automatic updates enabled on Windows but miss business applications, browsers, and network equipment.
- [ ] Automatic updates are enabled for Windows or macOS on all business computers
- [ ] Automatic updates are enabled for all browsers (Chrome, Edge, Firefox, Safari)
- [ ] Microsoft 365 or Google Workspace apps update automatically – you haven’t disabled this setting
- [ ] Business applications (accounting, CRM, case management) are on a current supported version
- [ ] Network equipment (router, switches, VPN gateway) firmware is checked for updates at least annually
Easy wins: Windows Update, browser auto-update, and Microsoft 365 auto-update are all enabled by default – but they get turned off. Check Settings > Windows Update on one device right now to confirm yours is on.
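Sections 1 to 4 above can be checked on a single Windows device in one go. The script below is an added example, not part of the original checklist or Virtually Pro’s own tooling: it assumes Windows 10/11 with Microsoft Defender as the anti-malware product and an elevated (Administrator) PowerShell session, reads the relevant settings, and prints a tick list without changing anything.

```powershell
# Added example: read-only self-check for one Windows 10/11 device, mapped to
# checklist Sections 1-4. Assumes Microsoft Defender and an elevated session.
# Nothing here modifies the device; it only reports current settings.

$results = [ordered]@{}

# Section 1: firewall enabled on every profile (Domain, Private, Public)
$profiles = @(Get-NetFirewallProfile)
$disabledProfiles = @($profiles | Where-Object { $_.Enabled -ne 'True' })
$results['Firewall enabled on all profiles'] = ($disabledProfiles.Count -eq 0)

# Section 2: anti-malware running, definitions updated within the last 7 days
$mp = Get-MpComputerStatus
$results['Anti-malware real-time protection on'] = [bool]$mp.RealTimeProtectionEnabled
$results['Definitions updated in last 7 days'] =
    ($mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))

# Section 3: who holds local admin rights. Review the list: it should be the
# dedicated admin account, not the accounts used for email and documents.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$results['Local admin accounts (review)'] = ($admins -join ', ')

# Section 4: automatic updates not switched off by policy, the Windows Update
# agent set to install automatically (NotificationLevel 4 = scheduled install),
# and the update service not disabled
$auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -Name NoAutoUpdate -ErrorAction SilentlyContinue
$results['Auto update not disabled by policy'] = ($null -eq $auPolicy -or $auPolicy.NoAutoUpdate -ne 1)
$auSettings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
$results['Windows Update set to install automatically'] = ($auSettings.NotificationLevel -eq 4)
$results['Windows Update service not disabled'] = ((Get-Service wuauserv).StartType -ne 'Disabled')

# Print a tick list in the same [x] / [ ] style as the checklist; [i] marks
# informational items that need a human decision rather than a yes/no
foreach ($item in $results.GetEnumerator()) {
    $mark = if ($item.Value -is [bool]) { if ($item.Value) { '[x]' } else { '[ ]' } } else { '[i]' }
    '{0} {1}: {2}' -f $mark, $item.Key, $item.Value
}
```

Any `[ ]` line is a gap to fix on that device; repeat on each business computer, since a setting that is on for one machine tells you nothing about the others.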
Section 5: Secure Configuration and Incident Preparedness
Only 22% of UK businesses have a formal cyber security incident response plan – the most common gap in the entire NCSC framework (DSIT Cyber Security Breaches Survey, 2025). A documented plan means the difference between a contained incident and a chaotic breach that takes weeks to recover from. Without one, your team won’t know who calls whom, or what to turn off first.
The average cyber breach costs a UK micro or small business £1,510 – up 93% from £780 in 2023. For Scottish SMEs specifically, the average annual loss from cyber attacks is £5,584, and Scottish businesses collectively lost £386 million to cyber attacks in 2024 (Vodafone Business research / CyberScotland, April 2025). Documented security controls and a tested incident plan materially reduce recovery time and cost.
- [ ] Default passwords have been changed on all routers, printers, smart devices, and software accounts
- [ ] You know where your data is: which cloud services hold what client or employee data
- [ ] A cyber security incident response plan exists and at least two people know what it says
- [ ] Backups are taken regularly (at least daily for critical data) and stored separately from the main system
- [ ] Backup restore has been tested in the past 6 months – you know data recovery actually works
For a template and step-by-step guidance, see our guide to building a Cyber Incident Response Plan for Edinburgh businesses.
Are There Edinburgh-Specific Items Beyond the NCSC Baseline?
Edinburgh’s concentration of financial services, legal practices, and healthcare organisations means many SMEs face compliance obligations that go beyond the NCSC standard. FCA-regulated firms had an operational resilience deadline of 31 March 2025 (FCA supervisory guidance, 2025). Law firms have SRA obligations. Any organisation handling NHS data needs NHS DSPT compliance. These items sit on top of the core 25 – they’re not alternatives.
52% of UK SME employees have received no cyber security training whatsoever, according to Vodafone Business research published in April 2025 (CyberScotland). For Edinburgh firms in regulated sectors – financial services, legal, and healthcare – untrained staff represent both a security vulnerability and a compliance gap. The FCA, SRA, and NHS DSPT all require documented evidence of staff security awareness.
Financial Services (FCA-Regulated Firms)
- [ ] Operational resilience impact tolerances are documented and tested (FCA PS21/3 – hard implementation deadline was 31 March 2025)
- [ ] Third-party and supplier cyber risk is assessed at least annually
- [ ] Cyber incident notification process to the FCA is documented and staff know their responsibilities
Law Firms (SRA Code of Conduct)
- [ ] Cyber security is included in your firm’s risk register
- [ ] Client money protection measures are in place, including dual authorisation for payments over a set threshold
- [ ] Cyber Essentials certification is held or in progress – eligible Scottish law firms may access a Scottish Enterprise grant worth up to £1,000
Healthcare and NHS Data Processors
- [ ] NHS DSPT self-assessment is completed or in progress (Version 8 deadline: 30 June 2026)
- [ ] Data Processing Agreements are in place with all NHS client organisations
For full regulatory detail covering FCA, SRA, and DSPT requirements, our Complete Cyber Security Guide for Edinburgh Businesses has a dedicated sector section.
Quick Comparison
| Security Control | Cost | Breach Prevention Impact | Priority |
|---|---|---|---|
| MFA on all accounts | Free (M365) | Blocks 99.9% of credential attacks | Critical |
| Email filtering + SPF/DKIM | Included in M365 | Reduces phishing by 70% | Critical |
| Endpoint detection (EDR) | From $5/user/month | Detects lateral movement | High |
| Staff security training | From $3/user/month | Reduces click-through by 65% | High |
What Should You Do With Your Checklist Score?
If you ticked 20 or more items, you’re ahead of most Edinburgh SMEs. A score of 15 – 19 means you have material gaps worth addressing in the next 30 days. Below 15: focus on MFA, backups, and an incident plan first – these three controls close the gaps present in the vast majority of successful attacks.
Score guide:
- 20 – 25 ticks: Strong baseline. Consider Cyber Essentials certification in Scotland to formalise what you have. It’s the UK Government’s recognised standard and takes 1 – 2 days to complete.
- 15 – 19 ticks: Material gaps. Prioritise MFA first, then backup restore testing, then a written incident plan.
- 10 – 14 ticks: Significant exposure. Start with MFA and patching – both are free and fast to implement.
- Below 10: Talk to an IT specialist before a breach makes that conversation urgent.
Free next steps:
- NCSC Small Business Guide: ncsc.gov.uk/collection/small-business-guide – free, covers all 5 control areas
- NCSC Exercise in a Box: exerciseinabox.service.ncsc.gov.uk – free phishing simulation for your team
- Cyber Essentials readiness checker: iasme.co.uk – free self-assessment before formal certification
- See our full guide to Free Cyber Security Resources for Scottish Businesses
Frequently Asked Questions

How long does it take to go through this cyber security checklist?
Most Edinburgh businesses can complete the checklist in 20 – 30 minutes. Some items – like checking whether your firewall admin password has been changed – require a few minutes of investigation. Others, like confirming your backup restore works, may need to be scheduled separately. The point isn’t to complete it in one sitting. It’s to identify gaps, mark anything uncertain, and address items in order of risk.
Which checklist items matter most for Edinburgh financial services firms?
FCA-regulated firms should prioritise access control (MFA on all accounts), third-party supplier risk assessment, and documented operational resilience measures. The FCA’s PS21/3 requirements had a hard implementation deadline of 31 March 2025. Cyber Essentials certification is increasingly expected as a baseline by large financial counterparties. Our Phishing Protection Guide for Edinburgh Businesses covers the attack vector that triggers most FCA notification requirements.
What is Cyber Essentials and should my Edinburgh business get certified?
Cyber Essentials is the UK Government’s baseline cyber security certification, covering all 5 control areas in this checklist. Only 3% of UK businesses are currently certified (GOV.UK, 2025). For Edinburgh businesses bidding on UK government contracts over £25,000, certification is required. It also reduces cyber insurance premiums and demonstrates due diligence to regulated clients. Our guide explains How to Get Cyber Essentials Certified in Scotland, including Scottish Enterprise grant eligibility.
How often should I review my cyber security checklist?
Review the full checklist at least annually. Run a targeted review after: a staff member leaves (access control section), a near-miss or security incident, a significant technology change such as a cloud migration or new office, and whenever a new regulatory requirement comes into effect. The DSIT Cyber Security Breaches Survey publishes every April – use that as a standing prompt to check whether your controls still meet current guidance.
My business is too small to be targeted – do I really need this?
Small businesses aren’t less targeted – they’re targeted more, because they typically have fewer defences. Attackers don’t choose targets by size; they choose by opportunity. A law firm with 8 staff holds the same valuable client data as one with 80. A financial adviser’s client records are worth exactly the same to an attacker regardless of the firm’s revenue. The average Scottish SME lost £5,584 to cyber attacks in 2024 (Vodafone Business / CyberScotland, April 2025).
What’s the difference between this checklist and an IT audit?
This checklist is a self-assessment – it tells you where you likely have gaps without requiring technical expertise. An IT audit is a formal, independent assessment that verifies whether controls are actually in place and working. Think of this checklist as a RAG (red/amber/green) status report you can produce in 30 minutes. An IT audit produces verified, documented evidence – relevant when you need to demonstrate compliance to a regulator, insurer, or large client. See our guide to a Cyber Security Audit Edinburgh businesses can commission.
What Happens Next
The DSIT Cyber Security Breaches Survey (2025) found that most breaches affecting Edinburgh SMEs exploit basic gaps: missing MFA, unpatched software, no backup restore test, no incident plan. None of those require significant budget. The first 15 items on this checklist can be addressed with free tools and an afternoon of effort.
If your score was below 15, or if you’re in a regulated sector and unsure whether your controls meet FCA, SRA, or NHS DSPT requirements, a structured assessment is a practical next step – before an incident makes it an urgent one.
Explore our Free Cyber Security Resources for Scottish Businesses if you want to keep building on what you’ve started here.
Book a Free 30-Minute Security Review
Not sure how your checklist results translate into risk? Virtually Pro offers a no-obligation 30-minute review for Edinburgh SMEs – we’ll look at your score, your sector obligations, and give you a plain-English priority list.
Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princes Street, Edinburgh EH2 2ER.