A Practical 2026 IT Security Advisory for Business Owners, Staff, and IT Professionals. Simplified explanation of requirements and risks.
There has never been a time where the volume and severity of cybersecurity incidents has been this intense. It has become a daily challenge to keep everyone safe, yet companies remain stubbornly reluctant to upgrade old hardware, strengthen their security posture, and invest in staff training.
A persistent issue we encounter is IT providers offering security guidance that falls well short of acceptable standards — not through negligence, but through a genuine lack of specialist expertise and accreditation in this area. This is reflected clearly in our audit results: when reviewing businesses managed by third-party IT support, 95% fail, spanning a wide range of security categories.
Merely having IT support is not a valid reason to assume your security is adequate. You need to specifically request a comprehensive security audit, act on the findings, and follow up with quarterly reviews and staff training. Security enhancements are often declined by business owners who perceive little risk and balk at even modest additional monthly costs, but eventually it does catch up with them.
Your Legal Responsibility
As a company owner — or indeed as a member of staff — you bear ultimate responsibility for the security of the data your organisation holds, including personal data about others. This is not a scare tactic; it really is the reality of it. At minimum there will be a bill of a few thousand pounds.
| ICO Fine: Up to £17.5 million or 4% of annual global turnover — whichever is higher — for serious data protection failures under UK GDPR. |
| Breach Remediation: The cost of IT remediation following a data breach starts at £2,500 and routinely exceeds £150,000. These costs reflect the difficulty of tracking, tracing and remediating a compromise to a professional standard. IT support contracts and most standard insurance policies will not cover this cost. |
| Additional financial exposure can include independent forensic investigations, legal fees, reputational damage, and compensation claims from affected individuals. In aggregate, these costs have the potential to bankrupt a business entirely. |
Importantly, assigning blame to your IT company is only viable where you have specifically contracted and paid for maximum audited security standards and they have demonstrably failed to deliver them. Blame often bounces back to the company owner who believed security was not important.
Company insurance may not reimburse costs even with cyber security cover if no reasonable effort to secure the company was implemented.
Questions you need to ask:
Are my computers secure? All on the latest Windows 11 version, all software updated, no rogue apps, enterprise anti-virus, a password manager in use, and disks encrypted.
Is my network secure? Are you using modern (under 4 years old) certified gateways, firewalls and switches (no low-cost Chinese brands such as TP-Link), and do you have a working intrusion detection system with DNS malware/phishing protection in place? Is your Wi-Fi password 12+ characters and not easy to guess?
Backups? Have you got multiple versions of your files to protect against loss or ransomware attacks, ideally in two locations? It can be expensive, but it is worth the extra cost.
Cloud systems secure? Are all cloud services you have in place strongly protected by 2FA/MFA, especially email services?
Other devices secure? Printers, CCTV, IoT and everything else on your network is a critical part of it – do not overlook the risks of old equipment or firmware with vulnerabilities that allow hackers in through the back door. If you are using Hikvision, Dahua, Ring, Lorex, Ezviz, Wyze, Eufy, etc., you need to urgently consider moving to a secure system such as Ubiquiti UniFi. This includes older alarm systems that have remote access to arm/disarm. We are seeing systems like these being hacked almost daily now, when a year ago this almost never happened.
Staff training? Yes – this is one of the most important aspects. Get staff trained at least 3 times a year on the latest threats and take this seriously.
Common Security Vulnerabilities We See Every Day
The following categories represent the most frequently encountered security failures identified during our audits. Each represents a genuine, active risk — not a theoretical one.
Networking Equipment — Routers, Firewalls, Switches & Wi-Fi
Equipment that is more than three years old and has never been updated carries a host of known vulnerabilities. Age and familiarity breed false confidence. Products such as Draytek or Fortigate firewalls are often regarded as dependable long-term solutions, but they frequently represent one of the highest-risk items in a business. In 2026, no gateway device should permit unsolicited inbound connections; all remote access should be exclusively via robust VPN solutions such as WireGuard.
File Storage & Backup Systems
NAS (Network Attached Storage) devices have become a significant new attack vector. Multi-function devices capable of running third-party applications, or those that have missed firmware update cycles, are frequently exploited — notably QNAP and Synology units. Businesses should favour storage-specific solutions with rigorous, vendor-enforced firmware update policies.
Backups deserve particular attention: they represent the entirety of what you need to recover from a catastrophic failure. Are they current? Are they versioned? Critically, are they stored in a location that a threat actor cannot reach or delete? Without versioning and offsite or air-gapped copies, even a good backup policy can be rendered worthless by a ransomware attack.
Printers
Printers that are five to ten or more years old are extremely susceptible to firmware vulnerabilities and remote takeover. Approximately 80% of devices we encounter have no password set on the administrative interface. This is a trivially simple attack surface that is almost universally overlooked; although the interface is only reachable internally, there are methods to bypass that restriction.
Smart TVs, Mobiles, IoT Devices & Streaming Hardware
Smart TVs, Amazon Fire Sticks — particularly free or unlicensed variants, which are almost always configured as relay nodes to the dark web — and IoT devices from Chinese manufacturers represent substantial network security risks. Even established brands such as Samsung have been found to exhibit significant data leakage via built-in cameras and microphones. Mobile devices should also be checked, especially Android.
CCTV Systems
CCTV installations are frequently left in an insecure state. Products such as Hikvision, which have well-documented ties to the Chinese state, are no longer recommended and consistently fail penetration testing. Modern, secure alternatives such as Ubiquiti UniFi Protect are strongly preferred.
Point-of-Sale (Till) Systems
Many till systems are sourced from low-cost Chinese manufacturers and run obsolete operating systems such as Windows 97-era builds or outdated Android versions. They are high-value targets and are routinely overlooked during security reviews.
Computers & Workstations
Computers are almost never configured securely out of the box. In our audits they routinely fail phishing and malware simulation tests, are found to carry excessive unknown or unlicensed applications, are not held to an enforced update schedule, and have weak or shared password practices. Physical security — unlocked screens, unattended terminals, and unsecured hardware — adds further exposure.
Browser extensions deserve special mention: malicious extensions that present themselves as useful tools such as ad-blockers are in reality silently exfiltrating all browsing data. Business-grade antivirus, dedicated email phishing protection, network-level protection, and DNS filtering are all strongly advised.
Note: using macOS does not confer immunity. Mac users face near-identical risk from email and browser-based credential theft attacks, and a false sense of security makes them statistically more likely to be compromised.
Cloud Services
Cloud platforms form a core part of most businesses’ infrastructure, yet users routinely resist strong passwords and resist enforcement of two-factor or multi-factor authentication (2FA/MFA). A single compromised cloud account can expose an entire organisation’s data.
Staff Awareness & Training
Staff training is one of the most powerful and most consistently overlooked security controls available to any organisation. Untrained staff will, under social engineering pressure, bypass every technical safeguard to allow malicious software onto the network. Regular, scenario-based training and phishing simulations are essential — not optional.
Companies should have a good IT security policy in place. Here is an example for a basic SME: https://itproexpert.com/company-it-security-policy/
Where Does Your Business Stand?
| ✅ Likely Secure: All equipment within four years old, fully updated, and audited to Cyber Essentials Plus or PCI DSS standards with all recommended security controls applied and an active security policy in place. |
| ⚠️ At Risk: Any equipment older than four years without an active security policy in place. Even isolated legacy devices create exposure that can compromise an otherwise well-managed estate. |
Security Action Checklist for SME Essential Services
Work through the following items with your IT security provider. Each represents a discrete, actionable control. None are optional if you are serious about protecting your business.
- Commission a comprehensive IT security audit and arrange staff awareness training.
- Networking equipment (routers, Wi-Fi access points, firewalls, switches) — within five years old, all firmware current, reputable brand, strong passwords on devices and Wi-Fi credentials (minimum 12 characters; 14+ for full compliance). In 2026, no gateway should permit inbound connections; use WireGuard or equivalent VPN.
- All computers fully updated to Windows 11 25H2 (February / March 2026) or latest edition and hardened to recommended standards. No unsupported Windows 10 or 7 systems are allowed.
- Business-grade antivirus deployed — ESET, ThreatDown, or Bitdefender. Products such as McAfee, Norton or Avast do not meet current business security requirements.
- Dedicated email phishing protection in place (e.g. Proofpoint or Microsoft Defender for Office 365), in addition to endpoint and network-level protection. Ensure your email is 100% inside a secure mail platform such as Microsoft 365 or Google Workspace; it is unlikely any other solution will pass checks.
- DNS filtering enabled at the firewall or router level using a threat-intelligence service such as NextDNS or Quad9. This is critical in 2026.
- Firewall with IDS/IPS capability, ideally with a paid threat signature subscription. If not currently in place, deploy Ubiquiti UniFi as a minimum.
- All cloud services secured and 2FA/MFA/passkeys enforced by policy across all accounts, including email in particular and cloud data storage. Remove old parallel insecure recovery methods.
- Backups verified to include versioning — essential for ransomware rollback — stored in multiple locations, at least one of which is offsite or air-gapped.
- A business password manager in use — Proton Pass is recommended. No important credentials stored in browsers.
- All browser extensions reviewed and blocked unless approved by IT security. Software installation restricted to IT-approved applications. No consumer VPN clients permitted on corporate devices due to current threat intelligence.
- All non-standard network-connected devices audited: CCTV, smart TVs, tills, IoT devices, and printers. Legacy or high-risk devices replaced or isolated.
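The workstation items above (current Windows 11 build, disk encryption, business antivirus, update schedule, host firewall) can be spot-checked before the audit. The script below is an added illustration of such a self-check, not part of this advisory and not PC Armour Auditor; it is read-only, uses only built-in Windows PowerShell cmdlets, and the thresholds it applies (build 26200 for 25H2, 7-day signature age, 30-day patch window) are assumptions stated in the comments that you should align with your own baseline.

```powershell
# Added example (not the advisory's own tool): read-only checks of a Windows 11 host
# against several checklist items. Run in an elevated PowerShell session.

$results = @()

function Add-Check($Name, $Pass, $Detail) {
    # Collect one pass/fail row; the table is printed at the end.
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. OS build: Windows 11 25H2 reports build 26200 (assumed baseline; adjust if yours differs).
$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
Add-Check 'Windows 11 25H2 or newer' ($build -ge 26200) "Build $build ($($os.Caption))"

# 2. Disk encryption: BitLocker protection on the OS volume (Pro/Enterprise editions).
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'OS drive encrypted' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"
} catch {
    Add-Check 'OS drive encrypted' $false 'BitLocker status unavailable (Home edition or module missing)'
}

# 3. Antivirus: real-time protection on and signatures younger than 7 days (assumed threshold).
#    Only Microsoft Defender is queried here; a third-party product must be verified in its own console.
try {
    $mp     = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Check 'Real-time AV protection on' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Check 'AV signatures current' ($sigAge.TotalDays -lt 7) ("Signatures updated {0:N1} days ago" -f $sigAge.TotalDays)
} catch {
    Add-Check 'Real-time AV protection on' $false 'Defender status unavailable (third-party AV may be installed)'
}

# 4. Patch currency: most recent installed update within 30 days (assumed threshold).
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$hotfixAge  = if ($lastHotfix.InstalledOn) { ((Get-Date) - $lastHotfix.InstalledOn).TotalDays } else { 9999 }
Add-Check 'Updates installed in last 30 days' ($hotfixAge -lt 30) ("Last update {0} installed {1:N0} days ago" -f $lastHotfix.HotFixID, $hotfixAge)

# 5. Host firewall: every profile enabled and inbound default not set to Allow
#    ('NotConfigured' falls back to Block, so only an explicit Allow fails).
$fw   = Get-NetFirewallProfile
$fwOk = ($fw | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' }).Count -eq 0
Add-Check 'Host firewall on, inbound not allowed by default' $fwOk (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ', ')

# 6. Local accounts: enabled accounts whose password never expires are listed for review.
$stale = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires }
Add-Check 'No enabled local accounts with non-expiring passwords' ($stale.Count -eq 0) ($stale.Name -join ', ')

$results | Format-Table -AutoSize
```

A failed row is a prompt for the conversation with your IT provider, not a verdict: BitLocker and Defender are absent by design on some editions or where another product is in use, and the numeric thresholds should match the policy you actually enforce.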
Recommended Brands & Services
The following products and services have been evaluated by our team and consistently meet or exceed current security standards. We do not accept commercial arrangements in exchange for recommendations.
| Category | Recommended Product / Service |
|---|---|
| Networking & CCTV | Ubiquiti UniFi — switches, access points, gateways, UniFi Protect |
| Endpoint Protection | Malwarebytes / ThreatDown, Bitdefender, ESET (business editions) |
| Email Phishing Protection | Proofpoint Email Security, Microsoft Defender for Office 365 |
| DNS Filtering | NextDNS (ideally with rules), Quad9 |
| Email & Productivity Suite | Microsoft 365 Enterprise, IONOS Enterprise Mail |
| Password Management | Proton Pass (business) |
| VPN / Remote Access | WireGuard |
| Security Audit Tool | PC Armour Auditor — free, safe, and code-signed |
| App Locking | AppLocker or ThreatLocker (optional but good additional protection) |
Want to Self Check Your System — A Quick PC Armour Auditor Check Will Help
Run PC Armour Auditor to instantly assess your system and/or network; it produces a clear, actionable report detailing what requires attention. PC Armour is free, safe, and secure, and is DigiCert code-signed for safety and security. Download it, extract the zip, right-click and choose ‘Run as administrator’, then review the results.
| Accreditation: IT Pro Expert, Ravtic LLC and PC Armour are jointly accredited as Microsoft Development Partners and DigiCert Code Signed. |
For a full security audit, staff training programme, or tailored security advisory, contact IT Pro Expert directly.
A quick discussion is free, a basic overview security check is around £250 to £500 but a comprehensive implementation is something that needs quoting for, as each company will have vastly different requirements.
Additional Links:
https://itproexpert.com/business-pc-implementation-guide-2026-the-zero-trust-stateless-office-using-365/
https://itproexpert.com/your-inbox-is-a-phishing-time-bomb-in-2026/
Published March 2026 • IT Pro Expert, Ravtic LLC & PC Armour • Microsoft Development Partner • DigiCert Code Signed
