Phase 2 · Strategy & Planning · From Idea to Executable Plan
Cybersecurity Foundations for SMEs
Cybercriminals do not target large organisations exclusively. They target vulnerable ones — and most SMEs are significantly more vulnerable than they realise.
Cybersecurity foundations for SMEs is the practical implementation of the essential cybersecurity protections that every business needs to protect its data, its systems, its client relationships, and its reputation from the cyber threats that now target organisations of every size. We implement the foundations that are proportionate to the SME's size and resources — not the enterprise framework an SME cannot afford or maintain, but the practical protections that eliminate the most common and most damaging vulnerabilities.
The Pain We Solve
You may recognise yourself in one of these.
Three audience scenarios · because the same service produces a different transformation depending on where you are in the business journey.
Scenario 1
The SME business owner who has not thought about cybersecurity because they believe they are too small to be a target
Automated cyber attacks do not discriminate by size. The ransomware that encrypts the business's files does not check the company's revenue before deploying. The assumption that small means safe is one of the most expensive beliefs in business.
Scenario 2
The business that stores client data and has never been audited for data protection compliance
The business holds customer names, email addresses, payment details, and personal information. It has never conducted a GDPR audit, never implemented a data breach response plan, and is not certain how the data is stored, who has access to it, or whether it is encrypted.
Scenario 3
The business that has suffered a cyber incident and is now implementing security reactively
A phishing email succeeded. A system was compromised. Client data may have been accessed. The incident is over but the confidence is shaken — and the security that should have been in place before the incident needs to be implemented now, in the aftermath of a crisis that has cost money, time, and reputation.
The Impact It Creates
The Moment You Will Feel the Difference.
Most common and most damaging cyber vulnerabilities eliminated
Client data and business systems protected to the standard the law requires
Cyber incident response plan in place so a breach is managed rather than catastrophic
Cyber Essentials certification achieved — opening public sector procurement
What You Receive
The Specific Deliverables.
Tangible outputs · documented, dated, and yours to keep.
- Cybersecurity risk assessment — current vulnerabilities and threat exposure
- Cyber Essentials implementation — the five core security controls
- Staff security awareness training
- Password management and multi-factor authentication implementation
- Data protection and GDPR compliance review
- Incident response plan
The Outcome
Where You Will Be on the Other Side.
The business is protected against the most common and most damaging cyber threats — with the staff training, the technical controls, and the incident response capability that mean a cyber attack is an incident rather than a crisis.
Primary Focus
Implementing the practical cybersecurity foundations that protect SME businesses from the most common and damaging cyber threats.
KPI Measurement
- Cyber Essentials certification achieved
- Phishing simulation failure rate
- Vulnerability score before and after
- Staff security awareness score
- Incident response readiness assessment
Investment & ROI
Pricing Engineered Around the Value You Create.
Every engagement is sized against the value we believe we can create with you · the fee is always a fraction of the outcome. Four tiers · so the investment matches your stage of business.
Tier 1
Foundations
£5,000 – £15,000
Right for
Pre-startup, startup, and micro-business founders ready to build on evidence rather than instinct.
Typical Value Created
£100K+ in sharper resource allocation and avoided strategic missteps
Engagement
4 – 8 weeks
Target Return
5 – 10× ROI
within 12 – 18 months
Tier 2
Acceleration
£15,000 – £50,000
Right for
Growing SMEs and established small businesses ready to scale a working model into the next revenue band.
Typical Value Created
£500K – £3M in faster execution and pipeline acceleration
Engagement
8 – 16 weeks
Target Return
5 – 10× ROI
within 12 – 18 months
Tier 3
Transformation
£50,000 – £250,000
Right for
Medium enterprises and scale-stage businesses ready to commit to a multi-quarter, organisation-wide shift.
Typical Value Created
£2M – £20M in strategic value through repositioning, model redesign, and growth-system installation
Engagement
3 – 9 months
Target Return
5 – 10× ROI
within 12 – 18 months
Tier 4
Enterprise
£250,000 – £2M+
Right for
Large enterprises, global operators, and complex organisations ready for a multi-year strategic partnership.
Typical Value Created
£10M+ in major strategic initiatives, capital deployment efficiency, and competitive repositioning
Engagement
12 months and onward
Target Return
5 – 10× ROI
within 12 – 18 months
Why We Price This Way
Every engagement is sized around the value we believe we can create with you. The fee is always a fraction of the outcome · typically 10 – 20% of the expected first-year return.
This is how we make sure pricing aligns with results. The conversation is never “what does this cost?” · it is always “what is this worth to your business?” We answer that together in the first call, transparently, and decide the right tier from there.
If we cannot articulate a credible 5–10× return for your specific situation, we will tell you in the first call. That honesty is part of why our clients trust us with the work that matters most.
Why This Conversation Matters
“The business that has never been breached is not the lucky one — it is the prepared one. The cyber threat is real, routine, and increasingly automated. The protections are practical, affordable, and essential. We implement them.”
A 90-minute structured strategy session · produces a usable roadmap whether you engage further or not.
More in Phase 2