Service

Practical IT security for small businesses.

Sleep easier knowing the wire-transfer scam can't get past MFA, your endpoints are protected, your backups are tested, and you have a written security baseline you can actually point to when a client (or insurer) asks.

Book a call How engagements work

// service.it-security

IT security for small business UK

Practical, proportionate security, MFA, endpoint protection, monitoring, backup, and written security baselines for UK SMBs.

Network engineer connecting wires in a server cabinet

Security that’s proportionate to your business

There’s a security industry built on selling enterprise-grade products to businesses that don’t need them, and another built on telling SMBs they’re fine because they have antivirus. Both are wrong. What most UK SMBs actually need is a sensible, layered set of controls, most of them already paid for inside their existing Microsoft 365 licences, properly configured by someone who’s done it before.

That’s what I do. I’m not selling you a security product line. I’m taking what you’ve got, working out what genuinely protects your business and your clients, and putting it in place. The result is a security posture that holds up against the threats SMBs actually face, phishing, account compromise, ransomware delivered through a single careless click, without the compliance overhead of an enterprise programme that isn’t right for your size.

What sensible security looks like for an SMB

The biggest single uplift in security for a typical SMB is identity: MFA on every account, conditional access policies that block sign-ins from unexpected geographies and devices, and admin accounts properly separated from day-to-day accounts. That alone closes the door on the bulk of automated attacks.

Layer on Defender for Endpoint (a proper EDR rather than legacy antivirus), Defender for Office 365 (anti-phishing, safe links, safe attachments), a 3-2-1 backup that’s actually tested, and a written security baseline so you’ve got something to point at when a client asks, and you’ve got security that’s proportionate, sustainable, and meaningful.

I document everything. When the work is done, you should be able to read a clear summary of what’s been set up, what each control is for, where the residual risks sit, and what would need to change to harden things further. No mystery. No reliance on me being the only person who understands it.

When something goes wrong

Most of the security incidents I deal with for SMBs follow a pattern: someone clicks a phishing link, an account gets compromised, and the attacker either uses it for further phishing or for invoice fraud. Speed of response matters more than anything else. Account locked, sessions revoked, MFA reset, mailbox forwarding rules audited, recent activity reviewed, the first hour is where the real damage gets prevented.

If you’re an active client, that response is built into the retainer. If you’re not, get in touch immediately and I’ll help, and we’ll have a proper conversation afterwards about what put you in that position and what stops it happening again.

What's included

The shape of the engagement.

Identity and access (MFA, conditional access)

Multi-factor authentication across the business, conditional access policies, properly configured admin roles, and identity protection that catches account compromise early.

Endpoint protection

Microsoft Defender for Endpoint or equivalent, properly configured, properly monitored, with policies that match how your team actually works.

Email and collaboration security

Defender for Office 365, anti-phishing policies, safe links, safe attachments, and the email hygiene that stops 80% of attacks before they reach a user.

Backup and recovery

A 3-2-1 backup approach, three copies, two media types, one offsite, tested regularly so it works when you actually need it.

Written security baseline

A documented baseline of how your security is set up, what each control does, and where the residual risks sit, the kind of document you can actually share with a client who's asking.

Incident response

When something does happen, a phishing click, a compromised account, a suspicious file, fast, clear-headed response. I've seen enough of these to know what matters in the first hour.

When we faced a cyber attack, Initiate provided swift and expert support, helping us secure our systems and restore operations with minimal disruption. They continue to provide reliable IT support, host our emails and websites, and ensure seamless file sharing with Microsoft 365. Their proactive approach and expertise make them an invaluable technology partner—highly recommended!

Alan, Auxilium Recruitment

Cyber attack response and recovery

FAQ

Common questions about this service.

Are you offering Cyber Essentials certification?

Not currently. Cyber Essentials is a separate, more specialised offering and I don't currently hold the certification authority. What I do offer is the underlying security work that meets the spirit of Cyber Essentials, and if you do need formal certification, I'll work alongside a CE-certified body to get you there.

How is this different from "we have antivirus and we're fine"?

Antivirus is one control out of many. Modern security for an SMB needs identity (MFA, conditional access), endpoint (Defender for Endpoint, not just signature-based AV), email (anti-phishing, safe links), backup (a tested 3-2-1 setup), and a baseline you can actually point to. The good news is most of this is achievable inside the Microsoft 365 licences you're probably already paying for.

We had an incident, can you help right now?

Yes. If something has just happened, suspicious email opened, account taken over, ransomware popup, get in touch immediately. Phone is fastest. The first hour matters; the next 24 hours matter; everything else can be sorted afterwards.

Do you do penetration testing?

I bring in a trusted specialist for proper pen testing because doing that work well requires a different kind of practice than I run. I'll scope and project-manage the engagement, but the testing itself is done by a dedicated pen test partner.

How much does this typically cost?

For most SMBs, the right answer is "less than you'd think", most security wins for a sub-50-person business come from configuring tools you're already paying for (Microsoft Defender, conditional access, backup) rather than buying new ones. A scoping conversation and a short audit usually identify a clear, costed plan inside two weeks.

Related services

Often paired with...

Managed IT Services

One expert who knows your whole stack, on call when it matters.

Microsoft 365 & SharePoint

Find the right document in three clicks. Even the legacy ones.

Hosted Desktop & Cloud

Work the same way from any laptop, anywhere. No slow VPN.

Start a conversation

Tired of IT that treats you like a ticket number?

Two ways to start. Book a 30-minute call (no prep, no sales pitch), or send a quick description of where your IT is at, and I'll reply within a day with a written take on whether it's something I can help with.

Book a 30-minute call Send a quick description How engagements work

// or talk to me directly
0333 358 0114
hello@initiateit.co.uk