Demonstrating Reasonable Care: Your Practical Guide to Cybersecurity Accountability

Three days of frameworks and psychology. Time for something you can actually implement.

Whether director liability becomes law tomorrow or never, demonstrating reasonable care protects your business right now. Insurance claims require evidence. Customer contracts demand due diligence. GDPR investigations ask what you did before the breach, not after.

Today: Exactly what reasonable care looks like, exactly how to document it, exactly what it costs.

No consultants required. No enterprise budgets necessary. Just clear steps for businesses of every size.

The Five Controls That Actually Matter

Forget comprehensive security frameworks for a moment. At the core, reasonable care for SMBs means implementing five fundamental controls consistently. These aren't arbitrary. They're the Cyber Essentials controls, based on analysis of actual UK cyber attacks.

1. Boundary Firewalls and Internet Gateways

What it means: Something sits between your network and the internet, blocking unwanted traffic.

For most small businesses: Your router has a built-in firewall. Make sure it's enabled. If you use cloud services predominantly, this is largely handled by your providers.

Evidence needed:

  • Screenshot of firewall settings showing it's enabled

  • Router configuration showing default credentials changed

  • Annual check documented (even just a note saying "Checked firewall settings, still enabled")

Cost: Usually £0 (already built into your router)

2. Secure Configuration

What it means: Systems configured to reduce vulnerability. Default passwords changed. Unnecessary features disabled. Only required software installed.

Practical steps:

  • Change all default passwords on routers, printers, any networked devices

  • Remove software your business doesn't use

  • Disable guest accounts unless specifically needed

  • Turn off auto-run for removable media

Evidence needed:

  • Documented process for setting up new devices/computers

  • List of approved software

  • Confirmation that default passwords were changed (date and who did it)

Cost: Usually £0 (your time only)

3. Access Control

What it means: Users only have access to what they need. Admin accounts restricted. Proper user management.

Practical steps:

  • Use standard user accounts for daily work (not admin accounts)

  • Separate admin credentials from regular login

  • Remove access when staff leave

  • Review who has access to what annually

Evidence needed:

  • User account list with access levels

  • Documented process for new starters and leavers

  • Evidence of annual access review (even just a dated note confirming review)

Cost: Usually £0 (built into Windows, Microsoft 365, Google Workspace)

4. Malware Protection

What it means: Anti-malware software installed, updated, and actually running.

Practical steps:

  • Windows Defender is genuinely adequate for most SMBs (it's free and automatic)

  • Ensure automatic updates are enabled

  • Don't disable it for "convenience"

  • Schedule a periodic scan

Evidence needed:

  • Screenshot showing anti-malware is active and up-to-date

  • Confirmation that automatic updates are enabled

  • Annual check documented

Cost: £0 with Windows Defender (enterprise solutions cost more but aren't required for Tier One)

5. Security Update Management

What it means: Software updates applied promptly, especially security patches.

This is where most SMBs fail. The Cyber Essentials standard requires critical patches applied within 14 days of release. Most businesses take months, or never apply them at all.

Practical steps:

  • Enable automatic updates on all devices

  • Restart computers weekly (updates often require restart)

  • Update business applications regularly

  • Have a process for urgent security patches

Evidence needed:

  • Automatic updates enabled (screenshot)

  • Evidence that systems are actually up to date

  • Process document for handling urgent patches

  • Log of when major updates were applied

Cost: £0 for automatic updates
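As an added example (this is not code from the original post), the following PowerShell script collects the evidence the five sections above ask for from one Windows device and saves it as a dated text file in a "Security Evidence" folder. It assumes Windows 10 or 11 with Microsoft Defender, an elevated PowerShell session, and the folder path C:\Security Evidence is a placeholder to change.

```powershell
# Added example, not from the original post: monthly evidence snapshot for one Windows device.
# Checks the five Cyber Essentials controls and writes a dated file into the evidence folder.
# Assumptions: Windows 10/11 with Microsoft Defender, elevated session, folder path is a placeholder.

$EvidenceRoot = "C:\Security Evidence"          # assumption: change to your shared evidence folder
$Stamp        = Get-Date -Format "yyyy-MM-dd"
$Report       = Join-Path $EvidenceRoot "$($env:COMPUTERNAME)-$Stamp.txt"
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

$lines = @()
$lines += "Security evidence snapshot for $env:COMPUTERNAME collected $(Get-Date -Format 'yyyy-MM-dd HH:mm')"
$lines += "Collected by: $env:USERNAME"
$lines += ""

# Control 1: boundary firewall. Every Windows Firewall profile should report Enabled = True.
$lines += "== 1. Firewall =="
foreach ($p in Get-NetFirewallProfile) {
    $lines += "  {0,-8} Enabled={1}" -f $p.Name, $p.Enabled
}
$lines += ""

# Control 2: secure configuration. NoDriveTypeAutoRun = 255 means AutoRun is off for all drive types.
$lines += "== 2. Secure configuration =="
$autorun = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
                            -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$lines += "  NoDriveTypeAutoRun = $(if ($autorun) { $autorun.NoDriveTypeAutoRun } else { 'not set' })"
$lines += ""

# Control 3: access control. Record who holds local admin rights so the annual review has a baseline.
$lines += "== 3. Local administrators =="
foreach ($m in Get-LocalGroupMember -Group "Administrators") {
    $lines += "  $($m.Name) ($($m.PrincipalSource))"
}
$lines += ""

# Control 4: malware protection. Defender enabled, real-time protection on, signatures fresh.
$lines += "== 4. Malware protection =="
$mp = Get-MpComputerStatus
$lines += "  AntivirusEnabled          = $($mp.AntivirusEnabled)"
$lines += "  RealTimeProtectionEnabled = $($mp.RealTimeProtectionEnabled)"
$lines += "  SignatureAgeDays          = $($mp.AntivirusSignatureAge)"
$lines += "  LastFullScanEnd           = $($mp.FullScanEndTime)"
$lines += ""

# Control 5: security updates. Days since the last installed update plus the five most recent hotfixes.
$lines += "== 5. Security updates =="
$fixes  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending
$latest = $fixes | Select-Object -First 1
$daysSince = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { "unknown" }
$lines += "  Days since last installed update: $daysSince"
foreach ($f in $fixes | Select-Object -First 5) {
    $lines += "  {0,-12} {1:yyyy-MM-dd} {2}" -f $f.HotFixID, $f.InstalledOn, $f.Description
}

$lines | Set-Content -Path $Report -Encoding UTF8
Write-Host "Evidence written to $Report"
```

Run it once a month on one device and file the output, which is exactly the "screenshot confirmation" step of the monthly routine but in a form you can compare month to month. Any firewall profile showing Enabled=False, a signature age of more than a few days, or a days-since-last-update figure creeping past the 14-day Cyber Essentials window is the cue to act, and the dated file is your evidence that you checked.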

The Documentation That Proves You Tried

Evidence matters. Not for prosecution avoidance, but because every security incident generates questions. Insurance companies ask. Lawyers ask. Customers ask. Having documentation ready saves enormous stress and potentially enormous money.

Minimum Documentation for Tier One Businesses

Security Policy (One Page)

You don't need 200 pages. You need one page covering:

  • Who is responsible for security (name)

  • What controls are in place (the five above)

  • How often they're checked (at least annually)

  • What to do if something goes wrong (contact details)

Template opening: "This policy sets out how [Company Name] protects its systems and data. Last reviewed: [Date]. Responsible person: [Name]."

Asset Register (Spreadsheet)

What do you have? Where is it? How is it protected?

Columns needed:

  • Device/system name

  • Type (laptop, server, cloud service)

  • Location

  • Who uses it

  • Password manager/MFA status

  • Last update check date

Review quarterly. Takes 30 minutes once set up.
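To make the quarterly review mechanical, here is an added PowerShell example (not from the original post) that reads the asset register with the columns listed above, exported as CSV, and flags rows that need attention. The CSV rows in the script are constructed sample data, and the 31-day staleness threshold is an assumption matching the monthly check routine.

```powershell
# Added example, not from the original post: quarterly asset register review.
# Reads the register columns the article lists (exported to CSV) and flags rows needing action.
# The CSV text below is constructed sample data; the threshold is an assumption.

$MaxDaysSinceUpdateCheck = 31     # assumption: monthly check routine, so older than 31 days is stale
$ReviewDate = Get-Date

# Constructed sample export of the asset register. In practice: $assets = Import-Csv .\asset-register.csv
$csv = @"
Device,Type,Location,User,MFA Status,Last Update Check
LAPTOP-01,laptop,Office,Alice,Yes,$((Get-Date).AddDays(-10).ToString('yyyy-MM-dd'))
LAPTOP-02,laptop,Home,Bob,No,$((Get-Date).AddDays(-95).ToString('yyyy-MM-dd'))
SRV-FILES,server,Office,IT,N/A,$((Get-Date).AddDays(-20).ToString('yyyy-MM-dd'))
M365,cloud service,Cloud,All staff,Yes,
"@
$assets = $csv | ConvertFrom-Csv

$findings = foreach ($a in $assets) {
    $issues = @()

    # MFA column: only "Yes" or a deliberately recorded "N/A" passes; anything else is a gap
    if ($a.'MFA Status' -notin @('Yes', 'N/A')) { $issues += "MFA not enabled" }

    # Last update check: blank or older than the threshold means the monthly routine was missed
    if ([string]::IsNullOrWhiteSpace($a.'Last Update Check')) {
        $issues += "no update check recorded"
    } else {
        $checked = [datetime]::ParseExact($a.'Last Update Check', 'yyyy-MM-dd', $null)
        $age = ($ReviewDate - $checked).Days
        if ($age -gt $MaxDaysSinceUpdateCheck) { $issues += "update check $age days old" }
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Device = $a.Device; User = $a.User; Issues = ($issues -join '; ') }
    }
}

"Asset register review $($ReviewDate.ToString('yyyy-MM-dd')): $($assets.Count) assets, $(@($findings).Count) need attention"
$findings | Format-Table -AutoSize
```

With the sample data this reports LAPTOP-02 (no MFA and a stale update check) and M365 (no update check recorded). Save the printed summary alongside the register each quarter; the dated line plus the list of follow-ups is the "evidence of review" the documentation section asks for.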

Incident Response Checklist (One Page)

What to do when something goes wrong:

  1. Disconnect affected device from network

  2. Contact [Name/IT support number]

  3. Document what happened and when

  4. If personal data involved, consider ICO notification (within 72 hours if serious)

  5. Preserve evidence before fixing anything

Training Record (Simple Log)

Who was trained, when, on what:

  • Name

  • Date

  • Topic (even "read NCSC phishing guidance" counts)

  • Signature or confirmation method

Evidence Gathering Process

Monthly (15 minutes):

  • Check one device for updates being current

  • Screenshot confirmation

  • File in "Security Evidence" folder

Quarterly (30 minutes):

  • Review asset register for accuracy

  • Check user access list still correct

  • Document any changes

Annually (2-3 hours):

  • Full review of all five controls

  • Update security policy date

  • Renew Cyber Essentials certification

  • Review incident response contact details

The Cyber Essentials Certification Process

Cyber Essentials certification provides documented proof of reasonable care. Here's exactly how to get it.

Self-Assessment (Cyber Essentials Basic)

Cost: Approximately £300-£400

Process:

  1. Register with an accredited certification body

  2. Complete online self-assessment questionnaire

  3. Attest to your answers being accurate

  4. Receive certificate valid for one year

Time required: 2-4 hours to complete questionnaire if you've already implemented controls

What you need beforehand:

  • All five controls actually implemented

  • Understanding of your systems and configuration

  • Honest answers (false attestation creates liability)

Verified Assessment (Cyber Essentials Plus)

Cost: Approximately £1,500-£3,000 depending on business size

Process:

  1. Complete self-assessment as above

  2. Schedule technical verification visit (often remote now)

  3. Assessor tests your controls actually work

  4. Vulnerability scan of external systems

  5. Receive certificate valid for one year

Time required: Half day for verification, plus preparation

This is recommended for Tier Two businesses because it proves controls work, not just that you claim they work.

Realistic Timelines by Business Size

Five-Person Business (Starting from Nothing)

Week 1: Enable automatic updates everywhere. Change default passwords on router and any networked devices. Document what you've done.

Week 2: Review who has admin access. Create standard user accounts for daily use. Set up asset register spreadsheet.

Week 3: Verify anti-malware running on all devices. Create one-page security policy. Designate security responsibility.

Week 4: Create incident response checklist. Brief all staff on phishing basics (NCSC has free resources). Document training.

Week 5-6: Complete Cyber Essentials self-assessment.

Total time investment: 10-15 hours over six weeks

Total cost: £300-£400 for certification

30-Person Business (Some Controls Already Exist)

Month 1: Audit current state. Document what controls exist. Identify gaps against Cyber Essentials requirements.

Month 2: Close gaps. Update patch management process. Review user access across all systems. Implement MFA on critical accounts if not already done.

Month 3: Formalize documentation. Asset register, security policy, incident response plan, training records.

Month 4: Complete Cyber Essentials Plus assessment.

Total time investment: 40-60 hours spread across team

Total cost: £1,500-£3,000 for CE Plus, possibly some IT support costs

100-Person Business (Formalizing Existing Practices)

Quarter 1: Comprehensive security assessment. Gap analysis against Cyber Essentials Plus and NCSC 10 Steps. Third-party vulnerability assessment.

Quarter 2: Remediation of identified gaps. Documentation formalization. Staff training programme implementation.

Quarter 3: Cyber Essentials Plus certification. Incident response testing. Board reporting on security posture.

Quarter 4: Ongoing monitoring establishment. Security metrics definition. Annual review process.

Total cost: £10,000-£25,000 including assessments and remediation

This is an appropriate investment for Tier Two businesses.

The Insurance Documentation Benefit

Cyber insurance claims increasingly require demonstrating pre-breach security measures. Having documentation ready dramatically improves claim success.

What insurers typically want to see:

  • Evidence of MFA on email and critical systems

  • Patch management process with evidence it was followed

  • Backup testing records

  • Staff security training records

  • Incident response plan (bonus if tested)

Without documentation: "We had security" is worthless. Claims get denied.

With documentation: "Here's our CE Plus certificate, training records, and patch logs" gets claims paid.

The time spent on documentation often pays for itself in the first claim.

What "Reasonable Care" Actually Looks Like in Court

If cybersecurity accountability ever does face legal examination, courts will likely ask three questions:

1. Did you follow established standards? Cyber Essentials exists specifically as a government-backed reasonable care standard. Following it is strong evidence.

2. Did you act on warnings? If your MSP warned you six times about critical patches and you have emails ignoring them, that's problematic. If you have evidence of acting on warnings, that's protective.

3. Was your investment proportionate? A five-person company isn't expected to spend £100,000 on security. But spending £0 when you hold customer data isn't defensible.

The standard isn't perfection. It's demonstrable effort appropriate to your size and risk.

Your Action List for This Week

Today:

  • Enable automatic updates on your personal device if not already

  • Verify your router's default password has been changed

This week:

  • Create or update your asset register

  • Check MFA is enabled on your primary email

This month:

  • Write your one-page security policy

  • Brief staff on phishing (use NCSC's free materials)

  • Consider Cyber Essentials certification

This quarter:

  • Complete Cyber Essentials certification

  • Establish monthly evidence collection routine

  • Test your backups restore properly

None of this requires expensive consultants. None of this requires enterprise budgets. All of it creates evidence that you took security seriously.

Tomorrow: UK case studies showing what HSE-style enforcement achieved for workplace safety and what similar approaches could accomplish for cybersecurity.
