Set Up Security Logging for Your Small Business in 60 Minutes: A Step-by-Step Guide

This is the practical companion to this week’s podcast and articles. No theory. No vendor pitches. Just the specific steps to get security logging working on the platforms most UK small businesses actually use.

Total time: sixty minutes. Total cost: nothing. The tools are already in the software you pay for.

Before You Start

You need admin access to your cloud platform (Microsoft 365 or Google Workspace), your firewall or router admin panel, and your endpoint protection management console. If someone else manages these for you, either ask them for temporary access or forward this guide to them with a deadline.

If your IT provider charges you for “setting up logging”, ask them why it was not included as standard. This is basic configuration, not a project.

Minutes 0-15: Cloud Platform

If You Use Microsoft 365

Step 1: Verify unified audit logging is enabled. Go to the Microsoft Purview compliance portal (compliance.microsoft.com). Navigate to Audit. If you see a banner saying “Start recording user and admin activity”, click it. This enables the unified audit log. If audit logging is already active, you will see a search interface. This takes thirty seconds.

Step 2: Check your audit log retention period. Microsoft 365 Business Basic and Standard plans retain audit logs for 180 days by default. Enterprise plans offer longer retention. Confirm your retention period under Audit > Audit retention policies. If you have a Business Basic or Standard plan and need longer retention, consider exporting logs monthly to a secure storage location.

Step 3: Configure alert policies. Go to the Microsoft Defender portal (security.microsoft.com). Navigate to Email & collaboration > Policies & rules > Alert policy. Microsoft provides several default alert policies. Verify the following are enabled:

  • Suspicious email sending patterns detected
  • Admin submission completed
  • Creation of forwarding/redirect rule
  • Elevation of Exchange admin privilege
  • Unusual volume of file deletion

Then create custom alerts for: login from unusual location, multiple failed sign-in attempts (set threshold at 10 within 5 minutes), and new device registration for admin accounts. Each alert takes about two minutes to configure.
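As an added example (not from this guide, and not Microsoft's alerting engine), here is the "10 failed sign-ins within 5 minutes" rule from Step 3 written as a small Python detector run over constructed sign-in records; the field names `time`, `user` and `result` are assumptions for a simplified export, not Microsoft's audit schema.

```python
"""Sliding-window detector for the failed sign-in alert: flag any account
with THRESHOLD or more failures inside any WINDOW-long period."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # failures, as recommended in the guide
WINDOW = timedelta(minutes=5)  # look-back window, as recommended in the guide


def failed_signin_alerts(records, threshold=THRESHOLD, window=WINDOW):
    """Return {user: ISO time at which the threshold was first crossed}.

    records: dicts with 'time' (ISO 8601), 'user', 'result' ('Success'/'Failure').
    Field names are an assumption for a simplified export, not Microsoft's schema.
    """
    recent = defaultdict(deque)  # per user: failure timestamps still inside the window
    alerts = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["result"] != "Failure":
            continue  # successes never count towards the threshold
        ts = datetime.fromisoformat(rec["time"])
        window_hits = recent[rec["user"]]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()  # drop failures older than the window
        if len(window_hits) >= threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = ts.isoformat()  # report once per account
    return alerts


# Constructed sample data: 12 failures 20 seconds apart for one account (bursty,
# should alert), three failures ten minutes apart for another (should not), and
# one success in between that must be ignored.
SAMPLE = [
    {"time": f"2025-03-04T08:{(20 * i) // 60:02d}:{(20 * i) % 60:02d}",
     "user": "finance@example.test", "result": "Failure"}
    for i in range(12)
] + [
    {"time": "2025-03-04T08:01:10", "user": "finance@example.test", "result": "Success"},
    {"time": "2025-03-04T08:00:00", "user": "ops@example.test", "result": "Failure"},
    {"time": "2025-03-04T08:10:00", "user": "ops@example.test", "result": "Failure"},
    {"time": "2025-03-04T08:20:00", "user": "ops@example.test", "result": "Failure"},
]

if __name__ == "__main__":
    for user, when in failed_signin_alerts(SAMPLE).items():
        print(f"ALERT: {user} reached {THRESHOLD} failed sign-ins at {when}")
```

The tenth failure for the bursty account lands at 08:03:00, so that is the time the alert fires; the scattered failures never accumulate ten inside five minutes.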

Step 4: Verify notification recipients. Each alert policy has a notification setting. Make sure alerts are sent to an email address that someone actually monitors. Not a shared inbox that nobody checks. A real person who will act on it.

If You Use Google Workspace

Step 1: Access the Admin Console. Go to admin.google.com. Navigate to Reporting > Audit and investigation.

Step 2: Enable alert rules. Go to Security > Alert centre. Google provides default alerts for suspicious login activity, government-backed attack warnings, and device compromise. Verify these are enabled.

Step 3: Create custom alert rules. Navigate to Rules. Create rules for: login from a new geographic location, account suspended due to suspicious activity, changes to admin roles, and new email forwarding or delegation rules. Google’s rule creation interface is straightforward: select the log source, define the condition, set the notification.

Step 4: Check data retention. Google Workspace logs are retained for six months in most editions. Verify this under Account > Data retention settings. For Business Starter plans, check whether your edition includes full audit logging.

Minutes 15-30: Firewall and Router

This section varies depending on your hardware. The principles are the same regardless of brand.

Step 1: Log into your firewall or router admin panel. This is usually accessed via a web browser at the device’s IP address (commonly 192.168.1.1 or similar). If you do not know the address or login credentials, check the device label or your IT provider’s documentation.

Step 2: Enable connection logging. Look for settings labelled “logging”, “traffic logs”, “connection logs”, or “firewall logs”. Enable logging for inbound and outbound connections. Most devices offer different verbosity levels; start with “standard” or “normal” rather than “verbose” to avoid filling storage.

Step 3: Set log retention. Check how long logs are stored on the device. Many consumer and small business routers have limited storage and overwrite logs after a few days. If your device supports it, extend retention to 90 days. If it does not have enough storage, look for a syslog forwarding option.

Step 4: Configure syslog forwarding (if available). More capable firewalls and managed routers can forward log data to a syslog server or cloud service. This means your logs survive even if the device storage fills up or the device is compromised. If your IT provider offers this, ask them to set it up. If you want to do it yourself, the NCSC’s guidance page lists open-source tools including Graylog, Elastic Stack, and Grafana Loki as starting points.

Step 5: Note what you have. Write down the make, model, and firmware version of your firewall or router, what logging you have enabled, and where the logs are stored. You will need this if you ever need to hand information to investigators.

Minutes 30-45: Endpoint Protection

Whether you use Windows Defender, a commercial antivirus product, or an endpoint detection and response (EDR) solution, the configuration check is similar.

Step 1: Verify alert notifications. Log into your endpoint protection management console (or settings panel if you use Windows Security locally). Check that email notifications are enabled for detected threats, blocked connections, and policy violations.

Step 2: Check scan schedule. Confirm that a full scan runs at least weekly and real-time protection is enabled. If scans are set to run only on demand, change them to scheduled.

Step 3: Verify update status. Check that definition updates are automatic and current. An antivirus product with definitions from two weeks ago is not protecting you against threats discovered yesterday.

Step 4: Confirm management access. If you use a managed endpoint protection product, verify that you know how to access the management dashboard and that the dashboard URL and login details are documented somewhere accessible to your incident response contacts.

Minutes 45-60: Document and Schedule

This is the step most people skip. It is the most important one.

Step 1: Create a logging configuration record. A simple document listing: what logging you have enabled, on which platforms, with what retention periods, and where the logs can be accessed. Store this in a shared location that your IT contacts can reach. A single page is sufficient.

Step 2: Create an incident response contact sheet. One page listing: your IT support provider (name, phone, email, out-of-hours number), your cyber insurance incident line (if applicable), Action Fraud (0300 123 2040), and the NCSC’s reporting page (report.ncsc.gov.uk). Pin this somewhere visible.

Step 3: Set a weekly review calendar reminder. Pick a consistent time each week. Tuesday mornings work well because the alerts from the weekend and Monday will have accumulated by then. Block fifteen minutes. Review sign-in activity, admin changes, and any alerts that fired since last week.

Step 4: Record today’s date and what you changed. In your logging configuration record, note: “Security logging configured on [date] by [name]. Unified audit logging enabled, five alert policies active, firewall logging extended to [X] days, weekly review scheduled for [day/time].” This documentation has value with regulators, insurers, and auditors.

Common Obstacles and How to Handle Them

“I do not have admin access.” Forward this guide to whoever does, with a specific deadline. If your IT provider resists, ask them to explain why basic logging was not configured as part of their managed service.

“My router does not support proper logging.” Consumer-grade routers often have minimal logging capability. If yours cannot retain logs for more than a few days and does not support syslog forwarding, this is a reason to upgrade. A small business firewall with proper logging costs between £150 and £500 and is a one-time purchase.

“We use multiple cloud platforms.” Apply the same process to each one. The principles are identical: enable audit logging, extend retention, configure alerts, verify notifications. Priority order: start with whichever platform holds your email, because email accounts are the primary target.

“Our IT provider says they handle all this.” Ask them to prove it. Request a summary of what logging is enabled, what the retention periods are, and what alerts are configured. If they cannot answer, they are not handling it.

How to Turn This Into a Competitive Advantage

Once you have completed this guide, you can truthfully state to clients, partners, and procurement teams: “We have active security logging with defined retention periods, automated alerting on key risk indicators, and a documented weekly review process.” That statement puts you ahead of the majority of UK small businesses. Use it in tender responses, client onboarding, and supply chain assurance questionnaires.

How to Sell This to Your Board

Time investment. One hour today, ten minutes per week ongoing. That is the complete cost. There is no software to buy, no subscription to sign, and no consultant to hire.

Regulatory readiness. The NCSC’s 10 Steps to Cyber Security includes logging and monitoring. The ICO expects organisations to detect and respond to breaches. The incoming Cyber Security and Resilience Bill will likely tighten requirements further. Completing this guide puts you on the right side of all three.

Insurance compliance. Cyber insurance applications increasingly ask specific questions about logging, monitoring, and incident response capability. Having documented answers strengthens your application and may improve terms.

Sources

  • Introduction to Logging for Security Purposes (NCSC)
  • 10 Steps: Logging and Monitoring (NCSC)
  • Logging and Protective Monitoring (NCSC)
  • Cyber Security Breaches Survey 2025/2026 (DSIT / Home Office)
  • Digital Forensics and Protective Monitoring Specifications (NCSC)
  • API Security: Logging and Monitoring (NCSC)
