Cybersecurity Questions, Answered

Plain-English answers to common security questions. No jargon, no fear-mongering—just practical guidance for protecting your business.

Getting Started with Security

We're a small business—do we really need cybersecurity?

Yes. Small and medium businesses are increasingly targeted precisely because attackers assume they have weaker defences. 43% of cyber attacks target small businesses, and the average cost of a breach for an SMB is around £15,000—enough to threaten many businesses. The good news is that basic security measures are affordable and dramatically reduce your risk.

What are the most common ways businesses get hacked?

For SMBs, the vast majority of breaches start with either phishing emails (fake emails that trick employees into revealing credentials or downloading malware) or compromised passwords (through reuse, weak passwords, or credential stuffing). This is why we focus heavily on email security and identity management—protecting these two vectors stops most attacks before they start.

Where should we start if we have no security in place?

Start with the basics: enable multi-factor authentication (MFA) on all accounts, especially email and admin accounts. Use a password manager to eliminate password reuse. Configure your Microsoft 365 or Google Workspace with security best practices. These three steps alone will protect you from the majority of common attacks. Our Cloud Security Setup service handles all of this for you.

How long does it take to improve our security posture?

You can make meaningful improvements within days. Enabling MFA takes hours, not weeks. A proper cloud security configuration typically takes 1-2 weeks. Setting up security monitoring takes 2-4 weeks. The key is to start—perfect security doesn't exist, but "much better than yesterday" is achievable quickly.

Email & Phishing

What is phishing and why is it so effective?

Phishing is when attackers send deceptive emails pretending to be someone trustworthy (your bank, Microsoft, a colleague) to trick you into clicking a malicious link or providing credentials. It's effective because it exploits human psychology rather than technical vulnerabilities—even security-aware people occasionally click when they're busy, tired, or the email is particularly convincing.

How can we protect our business from phishing?

Layer your defences: use email filtering to block obvious phishing attempts before they reach inboxes, enable MFA so stolen passwords alone aren't enough, train staff to recognise suspicious emails, and have a clear process for reporting potential phishing. Our monitoring service includes phishing email analysis—when someone reports a suspicious email, we investigate and respond.

Should we run phishing simulations on our staff?

Phishing simulations can be useful when done right—they identify who might need additional training and keep security top of mind. However, they should be educational, not punitive. Shaming people for clicking doesn't improve security; it just discourages reporting. We offer GoPhish-based simulations as an add-on service, focused on learning rather than blame.

What should an employee do if they think they've been phished?

Report it immediately—even if they clicked or entered credentials. Quick reporting allows you to reset passwords, revoke sessions, and investigate before attackers can do damage. Never punish people for reporting; you want to encourage disclosure. Have a clear, simple reporting process (a dedicated email address or Slack channel works well).

Passwords & Identity

What is MFA and why is it so important?

Multi-factor authentication (MFA) requires a second form of verification beyond your password—typically a code from an app or a push notification to your phone. It's crucial because even if an attacker steals your password (through phishing, data breaches, or guessing), they still can't access your account without the second factor. MFA stops the vast majority of account takeover attacks.

What's the best type of MFA to use?

Authenticator apps (like Microsoft Authenticator or Google Authenticator) are a good baseline. Hardware security keys (like YubiKey) are even more secure for high-value accounts. SMS codes are better than nothing but less secure—attackers can sometimes intercept them through SIM swapping. Avoid email-based codes as they don't provide real additional security if your email is compromised.

Should we use a password manager?

Absolutely. Password managers solve the fundamental problem: humans can't remember unique, strong passwords for dozens of accounts, so they reuse passwords—which is extremely dangerous. A password manager generates and stores unique passwords for every account, and you only need to remember one master password. It's one of the highest-impact security improvements you can make.

What is conditional access and do we need it?

Conditional access policies let you add security requirements based on context—for example, requiring MFA when logging in from outside the office, blocking logins from high-risk countries, or requiring compliant devices for accessing sensitive data. If you use Microsoft 365 Business Premium or Enterprise, conditional access is included and should be configured. It adds significant protection against account compromise.

Cloud Security (M365 & Google Workspace)

Is Microsoft 365 / Google Workspace secure out of the box?

They're secure by default for basic functionality, but not optimally configured for business security. Many important security features are disabled by default or require manual configuration. For example, MFA isn't enforced, audit logging may be limited, external sharing might be too permissive, and admin accounts often lack additional protection. Proper configuration can dramatically improve your security posture.

What security features are included in our M365 license?

It depends on your license tier. Business Basic and Standard include basic security. Business Premium adds significant security features including Defender for Business, Intune device management, and conditional access. Enterprise E3 and E5 licenses include progressively more security capabilities. We've created a detailed licensing guide that explains what each tier includes and where Prism can help.

Should we use Microsoft Defender or a third-party antivirus?

Microsoft Defender has improved dramatically and is now competitive with commercial alternatives—especially Defender for Business included in M365 Business Premium. For most SMBs, Defender is sufficient and has the advantage of tight integration with the Microsoft ecosystem. Third-party solutions may still make sense for specific requirements or if you have existing investments.

How do we control who can access what in our organisation?

Use the principle of least privilege: give people access only to what they need for their job. Create security groups for different roles/departments. Review permissions regularly—especially when people change roles or leave. Disable or remove accounts promptly when employees depart. Your cloud platform's admin centre has tools for this, but it requires ongoing attention.

Security Monitoring & Incident Response

What is a SIEM and do we need one?

A SIEM (Security Information and Event Management) collects and analyses logs from across your environment to detect threats. Traditional SIEMs were expensive and complex, designed for large enterprises. Modern solutions like Wazuh (which we deploy) provide similar capabilities at a fraction of the cost. If you have more than a handful of employees, centralised logging and monitoring is worthwhile—it's how you detect breaches that get past your defences.

What's the difference between SIEM and XDR?

SIEM focuses on collecting and correlating logs from many sources. XDR (Extended Detection and Response) goes further by integrating detection, investigation, and response capabilities across endpoints, cloud, and network. Wazuh, which we deploy, functions as both SIEM and XDR—providing comprehensive visibility and response capabilities. The terminology matters less than the capability: can you see what's happening and respond to threats?

How quickly should we respond to a security alert?

Critical alerts should be investigated within hours, not days. The longer an attacker is in your environment, the more damage they can do. This is why automated alerting and triage matter—you can't respond quickly if you're manually reviewing logs. Our managed monitoring includes automated alert triage so you're not drowning in false positives, and we escalate real threats promptly.

What should we do if we think we've been breached?

Don't panic, but act quickly. Isolate affected systems if possible (disconnect from network but don't power off—you may destroy evidence). Preserve logs and evidence. Reset credentials for affected accounts. Contact your security provider or incident response team. Consider whether you have regulatory reporting obligations (e.g., ICO notification for personal data breaches). Document everything.

Compliance & Frameworks

What's the difference between SOC 2 and ISO 27001?

Both demonstrate your security controls to third parties, but they differ in approach. SOC 2 is a report from an independent auditor on your security controls over a defined period, common in North America. ISO 27001 is a certification that your information security management system meets an international standard, more common in Europe and globally. Both demonstrate security maturity to customers. Which you need often depends on your customers' requirements.

Do we need Cyber Essentials certification?

Cyber Essentials is a UK government-backed certification covering basic security controls. It's required for many government contracts and increasingly requested by larger businesses from their suppliers. Even if not required, it's a useful framework—achieving Cyber Essentials means you've addressed the fundamentals. We can help you prepare for certification.

How does GDPR affect our security requirements?

GDPR requires "appropriate technical and organisational measures" to protect personal data, but doesn't prescribe specific technologies. In practice, this means implementing reasonable security: access controls, encryption, monitoring, incident response procedures, and staff training. You also need to report certain breaches to the ICO within 72 hours. Good security practices generally satisfy GDPR requirements.

Should we get cyber insurance?

Cyber insurance is increasingly valuable as it can cover breach response costs, legal fees, regulatory fines, and business interruption. However, insurers are becoming more demanding about security requirements—you may need to demonstrate MFA, backup procedures, and security awareness training to get coverage. Insurance is a complement to security, not a replacement.

Working with Prism Security

What makes Prism different from other security providers?

We're built specifically for SMBs, using enterprise-grade open-source tools to deliver capabilities typically reserved for large enterprises—without the enterprise price tag. We focus on practical security that addresses real risks (email, identity) rather than selling complex solutions you don't need. We're UK-based, so we understand UK compliance requirements and operate in your timezone.

Why do you use open-source security tools?

Open-source tools like Wazuh, n8n, and Velociraptor provide enterprise-grade capabilities without licensing costs. They're transparent (you can see exactly how they work), avoid vendor lock-in, and are maintained by active communities. We contribute back to these projects when we can. For SMBs, this means better security at a lower cost.

Can you work with our existing security tools?

Yes. If you've already invested in security tools (EDR, SIEM, Microsoft E5 security features), we can manage them for you. Many organisations buy security products but lack the expertise to configure and monitor them effectively. Our consulting service includes managed tool takeover—we make your existing investments work harder.

How do we get started?

Start with a conversation. We'll discuss your current setup, concerns, and goals. From there, we can recommend the right approach—whether that's a one-time cloud security setup, ongoing monitoring, or consulting support. There's no obligation, and we'll be honest if we don't think we're the right fit for your needs.

Still have questions?

We're happy to chat about your specific situation. Security questions often depend on context—what works for one business might not be right for another.

Ready to improve your security?

Let's discuss your specific challenges and find the right solution for your business.