Cyber Security

Cyber security done properly

Practical, layered cyber security for UK SMEs. Beyond ticking the Cyber Essentials box and into actually staying safe when the threat lands. Senior-led, threat-informed, and built around the risk you actually carry.

Talk to us about security

Real security work. Not a sales pitch dressed up as a service.

Defence in depth, not a single product

One control fails. Two controls catch it. Real security stacks layers: endpoint, identity, email, network, monitoring, and response. We build all of them, not just the one that's easy to sell.

Threat modelling that matches your risk

A solicitor handling case data has a different threat model from a marketing agency. We design controls around what your business actually carries, not a generic checklist that gets you nowhere.

Response readiness, not just prevention

Everyone gets breached eventually. The question is whether you have a plan, a contact list, and a documented runbook ready when it happens. We build incident response capability before you need it.

Who cyber security work is for

We work with UK SMEs that have moved past the "what is two-factor authentication?" stage and want a proper grown-up posture. Usually that's because a customer is asking for it, a regulator is asking for it, or you've watched a peer get hit and decided you'd rather not.

You're Cyber Essentials certified but feel it's not enough

Cyber Essentials is a baseline. If you're handling sensitive data or working with serious clients, you need controls past the baseline. We build what should sit on top.

You handle sensitive client data and need to prove it's safe

Legal, advisory, research, healthcare-adjacent. Clients increasingly want evidence that their data isn't being held by someone who's never thought about it. We give you something defensible.

You've had a near-miss (or worse)

A phishing attempt that almost worked. A user who clicked. A supplier who got breached. The right time to fix this was last year. The next-best time is now, and we can help you do it without panic.

You're growing fast and security hasn't kept up

The setup that was fine at 10 staff is a liability at 40. New starters, more devices, more SaaS, more data, more risk. We help you scale the security alongside the business, not after it.

You need a security baseline before going through procurement

Big-customer onboarding now routinely includes a security questionnaire. We help you fill it out honestly because the underlying posture is actually there, not because you're guessing.

The layers that actually matter.

Endpoint protection and EDR

Modern endpoint detection and response across Windows and Mac. Behaviour-based, centrally managed, and tuned for your environment rather than left on defaults.

Identity and access hardening

MFA enforcement, conditional access, privilege review, break-glass account provisioning, and joiner-leaver discipline. Identity is the new perimeter.

Email security and anti-phishing

SPF, DKIM, DMARC properly set up. Safe-attachment and safe-link policies. Impersonation protection. Phishing simulation if you want it. Most breaches still start in email.

Backup and recovery

Proper third-party backup with retention, restore testing, and recovery runbooks. The single best ransomware insurance you can buy. See our backup and disaster recovery page for the full picture.

Patch and vulnerability management

Automated patching for OS and applications, with policy that matches your tolerance for change. Vulnerability scanning across endpoints and externally facing services.

Security monitoring and alerting

EDR alerts triaged, identity sign-ins monitored, suspicious behaviour escalated. We see things at 3am, so you don't have to.

Incident response planning

A written incident response plan, a contact tree, and a runbook for the first 24 hours. So that when something goes wrong, you're following a plan, not improvising.

Cyber Essentials and Cyber Essentials Plus prep

If you want the formal certification, we'll get you ready, run you through the assessment, and pass on the first attempt. See Cyber Essentials for that service in detail.

Security work that's been used in anger

We've designed and run security across multiple agencies inside a publicly listed group, where the data being handled was sensitive enough to make a breach a board-level event. We hold ourselves to the same security baseline we recommend to clients, and we've been close enough to real incidents to know what holds up and what doesn't. Security is not a sales category for us. It's the part of the job that, done well, you never get praised for.

How cyber security engagements work

Most security work falls into three patterns. A posture review is a one-off audit: we look at what you've got, model the risk, and write you a prioritised plan. Remediation is a scoped project that closes the gaps the review identified. Managed security is retained ongoing: tooling, monitoring, response, and continuous improvement. Most clients do all three in sequence, but you don't have to. We can also embed security work inside a fractional CTO engagement when the security strategy needs to sit alongside broader tech leadership.

Simple as it should be

01

We assess what you have

A posture review against your actual risk model. Endpoints, identity, email, network, data, processes. We tell you what's strong, what's weak, and where the real exposure is.

02

We plan the work

A prioritised plan with budget and timeline. Quick wins first, structural fixes next, longer-term posture last. You see exactly what you'll be paying for and why.

03

We deliver and document

The controls go in. The documentation goes with them. The runbooks are written. You either keep us on for ongoing management, or you walk away with everything you need.

23+
Years of senior tech leadership
24/7
Security monitoring, always on
11
Years across a multi-agency PLC
5.0
EndorseHQ rating (we're quite pleased)

Frequently asked questions

Do we need cyber security if we already have Cyber Essentials?

Cyber Essentials is a baseline, not a finish line. It confirms you have five basic controls in place. It does not give you endpoint detection, security monitoring, an incident response plan, or any of the controls that actually catch a real attacker. Most businesses we work with start with Cyber Essentials and then build proper security on top of it.

What's the difference between an MSP and a cyber security consultant?

Most MSPs run a security stack as part of their managed offering. A cyber security consultant brings a deeper layer: threat modelling, architecture review, incident response planning, and the harder questions about where your real risk sits. We do both, which means we can build the security in rather than bolt it on.

Should we have an EDR or is antivirus enough?

Traditional antivirus catches known malware by signature. EDR (endpoint detection and response) watches behaviour: what processes are running, what they touch, what they call out to. Modern attacks bypass signature-based AV routinely, so EDR is the practical baseline for anything beyond a very small team. Cost has come down enough that there's no real reason to be on AV alone.

How much does proper cyber security cost for a small business?

Depends on size, complexity, and risk appetite. As a rough guide, a small UK business (10-30 users) on a sensible security stack (EDR, identity hardening, email protection, backup, monitoring) is typically £25-50 per user per month for the tooling, plus admin time. We always do a posture review before recommending spend, because the answer differs by business.

What's the first thing to do if we think we've been breached?

Don't power machines off. Disconnect them from the network instead, so volatile evidence (memory, active sessions, attacker tooling) is preserved. Stop using affected accounts. Notify your insurer if you have cyber cover. Then call us, or whoever your incident responder is. If you don't have one named in advance, you'll lose hours in the first day finding one, which is exactly the time that matters most.

Get the posture sorted

Have a conversation about where you actually are, and where you'd like to be. No hard sell, no scaremongering. Just a straight conversation.