May 2026. National threat levels stay high. For SMEs, the gain is not another platform — it is consistent execution of baseline controls, as NCSC guidance emphasises.
Where SMEs stall
- No central view of accounts and admin rights.
- Backups exist but restores are rarely tested.
- Patches deferred without risk-based decisions.
- Vendors onboarded without security clauses.
Baselines that matter in 2026
Identity (MFA, least privilege), patch management, logging on critical systems, offline or immutable backups, and a simple incident playbook with working phone trees.
Link this to a lightweight ISMS. Building an ISMS does not require unread policy folders; start with risks that leadership understands.
