The Complete SMB Toolkit for Reverse Benchmarking: Free and Budget Tools That Actually Work

Right, enough theory. Today we're getting practical: the actual tools, templates, and processes you need to implement reverse benchmarking without spending a fortune.

Everything in this guide is either free or costs less than a decent takeaway curry per month. Because I'm sick of "enterprise security" guides that assume unlimited budgets and dedicated staff.

This is the real-world, shoestring-budget, one-person-wearing-multiple-hats implementation guide.

The Core Toolkit: £0-50 Per Month

1. Asset Inventory and Management

Tool: Google Sheets or Excel

Cost: £0 (you already have it)

Time to Set Up: 2-4 hours

Stop buying expensive asset management platforms. For SMBs under 100 employees, a spreadsheet is perfectly adequate.

Template Structure:

Create a sheet with these columns:

  • Asset Name

  • Asset Type (Server, Workstation, Cloud Service, SaaS Application)

  • Location/Provider

  • Operating System/Version

  • Critical Software Installed

  • Internet-Facing? (Yes/No)

  • Data Classification (Public, Internal, Confidential, Restricted)

  • Owner/Administrator

  • Last Update Date

  • MFA Enabled? (Yes/No)

  • Backup Status

  • Notes

How to Populate It:

Week 1: Physical devices (servers, workstations, network equipment)

Week 2: Cloud infrastructure (AWS instances, Azure VMs, etc.)

Week 3: SaaS applications (365, Google Workspace, CRM, accounting software)

Week 4: Network services (VPN, firewall, Wi-Fi access points)

Maintenance: Update monthly or whenever changes occur.

Real Talk: This sounds tedious because it is tedious. Do it anyway. You can't secure what you don't know exists. Every major breach we discussed this week started with attackers finding systems the organization had forgotten about.
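Once the sheet exists, the "Yes/No" columns become something you can check mechanically instead of eyeballing. The script below is an added example (Python, not from the original post): it reads a CSV export of the inventory in the column layout above and flags the gaps the checklist is designed to catch, plus the "do we have that software?" lookup used when studying a breach. The rows are constructed sample data; the thresholds (90 days without an update) and the column names are assumptions you would adjust to your own sheet.

```python
import csv
import io
from datetime import date

# Constructed sample rows in the column layout of the inventory sheet above.
# In practice: File > Download > CSV from Google Sheets and read that file instead.
SAMPLE_INVENTORY = """\
Asset Name,Asset Type,Location/Provider,Operating System/Version,Critical Software Installed,Internet-Facing?,Data Classification,Owner/Administrator,Last Update Date,MFA Enabled?,Backup Status,Notes
web-01,Server,AWS eu-west-2,Ubuntu 22.04,Apache Struts 2.3; nginx 1.24,Yes,Confidential,alice,2024-01-10,No,Nightly,Customer portal
fileserver,Server,Office,Windows Server 2019,SMB file shares,No,Restricted,bob,2024-05-02,Yes,None,
crm,SaaS Application,Vendor hosted,n/a,CRM,Yes,Confidential,carol,2024-05-20,Yes,Vendor managed,
vpn-gw,Server,Office,pfSense 2.7,OpenVPN 2.6,Yes,Internal,,2023-11-01,No,Config export,
"""


def load_inventory(csv_text):
    """Parse the exported sheet: one dict per asset, keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _yes(value):
    return value.strip().lower() == "yes"


def check_inventory(rows, today_iso, stale_days=90):
    """Hygiene checks drawn from the column list above. Returns (asset, finding) pairs."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rows:
        name = r["Asset Name"]
        if _yes(r["Internet-Facing?"]) and not _yes(r["MFA Enabled?"]):
            findings.append((name, "internet-facing without MFA"))
        sensitive = r["Data Classification"].strip() in ("Confidential", "Restricted")
        if sensitive and r["Backup Status"].strip().lower() in ("", "none"):
            findings.append((name, "sensitive data with no backup"))
        if not r["Owner/Administrator"].strip():
            findings.append((name, "no owner recorded"))
        try:
            age = (today - date.fromisoformat(r["Last Update Date"].strip())).days
        except ValueError:
            findings.append((name, "last update date missing or not YYYY-MM-DD"))
            continue
        if age > stale_days:
            findings.append((name, f"not updated in {age} days"))
    return findings


def assets_running(rows, software):
    """The 'do we have that software?' check: case-insensitive substring match."""
    needle = software.lower()
    return [r["Asset Name"] for r in rows
            if needle in r["Critical Software Installed"].lower()]


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for asset, finding in check_inventory(inventory, "2024-06-01"):
        print(f"{asset}: {finding}")
    print("Running Struts:", assets_running(inventory, "struts"))
```

Run it against the monthly export and paste the findings into the Notes column or a tracking sheet; a date that fails to parse is reported as a finding rather than silently skipped, because a blank "Last Update Date" is exactly the forgotten system the text warns about.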

2. Vulnerability Tracking and Patch Management

Tool: OpenVAS (free, open source)

Cost: £0

Time to Set Up: 4-8 hours including learning curve

Alternative: Qualys Community Edition (free tier)

Cost: £0

Time to Set Up: 2 hours

OpenVAS is more powerful but has a steeper learning curve. Qualys is easier to use but has limitations on the free tier. Pick based on your technical comfort level.

What It Does:

Scans your network for known vulnerabilities. Tells you what needs patching and how critical it is.

Setup Process:

  1. Download and install OpenVAS (runs on Linux) or sign up for Qualys Community Edition

  2. Configure initial scan target (start with internet-facing systems)

  3. Run first scan (will take 2-4 hours depending on number of systems)

  4. Review results and prioritize based on CVSS score (7.0+ is critical)

  5. Create remediation plan with timelines

Critical: Set up recurring scans. Weekly for internet-facing systems, monthly for internal systems.

Integration with Reverse Benchmarking:

When you study a breach (like Equifax's unpatched Struts), immediately check: do we have that software? Is it patched?

Your vulnerability scanner tells you definitively rather than relying on guesswork.

3. Security Advisory Monitoring

Tool: Email subscriptions and RSS feeds

Cost: £0

Time to Set Up: 1 hour

This is criminally underutilized. Most software vendors publish security advisories for free. Subscribe to them.

What to Subscribe To:

For every critical piece of software in your environment:

  • Vendor security mailing list

  • CVE feeds for that product category

  • NCSC weekly threat reports (UK-specific)

  • CISA cybersecurity advisories (US, but globally relevant)

Setup:

  1. Review your asset inventory

  2. Identify all unique software products

  3. Visit each vendor's website

  4. Find their security advisory page

  5. Subscribe to email notifications

Time Investment: 15 minutes per week to review advisories.

Real-World Example:

The Apache Struts vulnerability that destroyed Equifax was publicly announced with a patch on 7 March 2017. If you'd been subscribed to Apache's security list, you'd have known about it the same day it was announced.

That's £0 and 5 minutes to avoid a £600 million breach.
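The 15 minutes a week gets shorter if the advisories are matched against the asset sheet for you. This is an added example (Python, not from the original post) that automates the "do we have that software?" step from the vulnerability section: it parses a vendor advisory feed (Atom, with RSS 2.0 items also handled), strips version suffixes from the "Critical Software Installed" column, and lists every asset running a product named in an advisory, internet-facing systems first. The feed and the inventory extract are constructed; the CVE identifiers in it are placeholders, and the feed URL is not a real one.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed extract of the asset sheet: just the columns this check needs.
SAMPLE_INVENTORY = """\
Asset Name,Critical Software Installed,Internet-Facing?
web-01,Apache Struts 2.3; nginx 1.24,Yes
vpn-gw,OpenVPN 2.6,Yes
fileserver,Windows Server 2019,No
"""

# Constructed Atom feed standing in for a vendor advisory feed (placeholder CVE ids).
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Constructed vendor security advisories</title>
  <entry>
    <title>Apache Struts 2: critical security update (CVE-PLACEHOLDER-1)</title>
    <link href="https://vendor.example/advisories/1"/>
    <updated>2024-06-03T09:00:00Z</updated>
  </entry>
  <entry>
    <title>OpenVPN: denial of service fixed in latest release (CVE-PLACEHOLDER-2)</title>
    <link href="https://vendor.example/advisories/2"/>
    <updated>2024-06-03T10:00:00Z</updated>
  </entry>
  <entry>
    <title>Exchange Server: cumulative update released</title>
    <link href="https://vendor.example/advisories/3"/>
    <updated>2024-06-03T11:00:00Z</updated>
  </entry>
</feed>
"""


def product_names(software_field):
    """'Apache Struts 2.3; nginx 1.24' -> ['apache struts', 'nginx']: trailing version stripped."""
    names = []
    for item in software_field.split(";"):
        item = item.strip()
        if item:
            names.append(re.sub(r"\s*\d[\w.]*$", "", item).lower())
    return names


def feed_titles(xml_text):
    """Entry titles from an Atom feed, plus item titles if the feed is RSS 2.0."""
    root = ET.fromstring(xml_text)
    titles = [e.findtext(ATOM + "title", "") for e in root.iter(ATOM + "entry")]
    titles += [i.findtext("title", "") for i in root.iter("item")]
    return titles


def match_advisories(inventory_csv, feed_xml):
    """Pair each advisory with the assets running the named product, internet-facing first."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    hits = []
    for title in feed_titles(feed_xml):
        lowered = title.lower()
        for r in rows:
            for product in product_names(r["Critical Software Installed"]):
                if product in lowered:
                    hits.append({
                        "advisory": title,
                        "asset": r["Asset Name"],
                        "product": product,
                        "internet_facing": r["Internet-Facing?"].strip().lower() == "yes",
                    })
    hits.sort(key=lambda h: not h["internet_facing"])  # stable sort: exposed systems first
    return hits


if __name__ == "__main__":
    for h in match_advisories(SAMPLE_INVENTORY, SAMPLE_FEED):
        flag = "INTERNET-FACING" if h["internet_facing"] else "internal"
        print(f"[{flag}] {h['asset']} runs {h['product']}: {h['advisory']}")
```

The matching is deliberately crude (product name as a substring of the title), which errs on the side of a false hit you can dismiss in seconds rather than a miss; the point is that an advisory for something you run never sits unread in a mailbox.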

4. Multi-Factor Authentication (MFA)

Free Options:

  • Google Authenticator (free mobile app)

  • Microsoft Authenticator (free mobile app)

  • Authy (free, includes multi-device sync)

Budget Option:

  • Duo Security (£3/user/month, more management features)

  • Authentrend FIDO2 keys (£25-35 one-time cost per user, FIDO2-certified, disclosure: podcast sponsor but genuinely excellent)

Implementation Priority List:

  1. Week 1: Enable MFA on all administrative accounts (Priority 1)

  2. Week 2: Enable MFA on VPN access (Priority 1)

  3. Week 3: Enable MFA on cloud infrastructure management (AWS, Azure, etc.) (Priority 1)

  4. Week 4: Enable MFA on email accounts (Priority 2)

  5. Week 5: Enable MFA on financial systems (Priority 2)

  6. Week 6: Enable MFA on all user accounts (Priority 3)

Colonial Pipeline Lesson: VPN without MFA = ransomware. Cost to implement MFA: £0-3 per user monthly. Cost of ransomware: millions of pounds plus reputational destruction.

Not a difficult calculation.

5. Access Control Auditing

Tool: Native OS tools + spreadsheet

Cost: £0

Time: 2 hours quarterly

You don't need expensive IAM platforms. Use what you already have.

For Windows Environments:

  • Use built-in "Computer Management" → "Local Users and Groups"

  • Export user list and group memberships

  • Review in Excel

For Cloud/SaaS:

  • Most platforms have user management dashboards

  • Export user lists and permission levels

  • Review in Excel

What to Check:

  • Users who haven't logged in for 90+ days (disable them)

  • Users with administrative privileges (verify they need them)

  • Shared accounts (eliminate them)

  • Service accounts (document them, rotate credentials annually)

  • Contractor/vendor accounts (verify they're still required)

Quarterly Review Questions:

  1. Does every user account correspond to a current employee or approved contractor?

  2. Does every administrative account have MFA enabled?

  3. Does every user have only the minimum permissions required for their role?

  4. Have any accounts been dormant for 90+ days?

Target Lesson: Their HVAC vendor had more access than they needed. A quarterly review would have caught this. Cost: £0 and 2 hours per quarter. Benefit: not being the next Target.
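The "What to Check" list above maps directly onto a few rules over the exported user list. The script below is an added example (Python, not from the original post) that runs those rules over a constructed export: dormant accounts, administrative group members, shared accounts, service accounts with stale credentials or no owner, and contractor accounts past their contract end. The column names, the Account Type values and the 90-day and one-year thresholds are assumptions; a real export from "Local Users and Groups" or a SaaS console will need the Account Type, Owner and Contract End columns added by hand.

```python
import csv
import io
from datetime import date

# Constructed user export with the extra columns (Account Type, Owner, Credential
# Last Rotated, Contract End) that you maintain alongside the raw OS/SaaS export.
SAMPLE_EXPORT = """\
Username,Groups,Enabled,Last Logon,Account Type,Owner,Credential Last Rotated,Contract End
alice,Administrators;Users,Yes,2024-05-30,Employee,alice,,
bob,Users,Yes,2024-01-15,Employee,bob,,
reception,Users,Yes,2024-05-31,Shared,,,
svc-backup,Backup Operators,Yes,2024-05-31,Service,bob,2022-11-01,
hvac-vendor,Administrators,Yes,2024-02-01,Contractor,,,2024-03-31
oldtemp,Users,No,2023-06-01,Contractor,,,2023-08-31
"""


def _days_since(iso, today):
    """Days between an ISO date and today, or None when the cell is blank."""
    return (today - date.fromisoformat(iso.strip())).days if iso.strip() else None


def audit_accounts(export_csv, today_iso, dormant_days=90, rotation_days=365):
    """Apply the checklist above to every enabled account. Returns (user, category, action)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in csv.DictReader(io.StringIO(export_csv)):
        user = r["Username"]
        if r["Enabled"].strip().lower() != "yes":
            continue  # already disabled: nothing to action this quarter
        groups = {g.strip() for g in r["Groups"].split(";")}
        kind = r["Account Type"].strip()
        idle = _days_since(r["Last Logon"], today)
        if idle is None or idle > dormant_days:
            findings.append((user, "dormant", f"disable: no logon in {dormant_days}+ days"))
        if "Administrators" in groups:
            findings.append((user, "admin", "verify administrative privilege is still required"))
        if kind == "Shared":
            findings.append((user, "shared", "replace with named accounts, then disable"))
        if kind == "Service":
            rotated = _days_since(r["Credential Last Rotated"], today)
            if rotated is None or rotated > rotation_days:
                findings.append((user, "service", "rotate credentials: over a year old or never"))
            if not r["Owner"].strip():
                findings.append((user, "service", "document an owner"))
        if kind == "Contractor":
            end = r["Contract End"].strip()
            if not end or date.fromisoformat(end) < today:
                findings.append((user, "contractor", "verify still required: contract end missing or passed"))
    return findings


if __name__ == "__main__":
    for user, category, action in audit_accounts(SAMPLE_EXPORT, "2024-06-01"):
        print(f"{user:<12} {category:<10} {action}")
```

The constructed hvac-vendor row is the Target pattern in miniature: an administrative account for a contractor whose contract ended months ago and who has not logged in for a quarter. Three separate rules flag it, which is the intent; any one of them on its own justifies a call to the vendor.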

6. Vendor Risk Assessment

Tool: Google Forms + Spreadsheet

Cost: £0

Time to Set Up: 2 hours

Time per Vendor: 30 minutes

Create a standardized vendor security questionnaire.

Template Questions:

Section 1: Basic Information

  • Vendor name

  • Services provided

  • What data/systems do they access?

  • Date of last review

Section 2: Security Certifications

  • Do you have ISO 27001? (If yes, request certificate copy)

  • Do you have SOC 2? (If yes, request report)

  • Do you have Cyber Essentials (Plus)? (If yes, request certificate)

  • If none of the above, what security standards do you follow?

Section 3: Technical Controls

  • What is your patch management SLA for critical vulnerabilities?

  • Do you use MFA for all administrative access?

  • Do you encrypt data in transit and at rest?

  • Do you perform regular penetration testing? (If yes, when was the last one?)

  • Do you have a bug bounty program?

Section 4: Incident Response

  • Do you have a documented incident response plan?

  • What is your notification SLA for security incidents affecting customer data?

  • Have you experienced any data breaches in the past 3 years? (If yes, details please)

Section 5: Access Control

  • How do you manage access to customer systems/data?

  • Do you use dedicated accounts or shared credentials?

  • How quickly can you revoke access when a contractor leaves?

Implementation:

  1. Create the form (Google Forms is easiest)

  2. Send to all vendors who access your systems or data

  3. Review responses and flag high-risk vendors

  4. For critical vendors, request evidence (certificates, reports)

  5. Re-assess annually or when contract renews

SolarWinds Lesson: Their customers trusted them blindly. A basic vendor security questionnaire wouldn't have prevented the breach, but it would have identified SolarWinds as a critical dependency requiring additional monitoring.
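Step 3 of the implementation ("flag high-risk vendors") is easier to do consistently with a scoring rule than by reading each response cold. The following is an added example (Python, not from the original post) that scores a CSV export of questionnaire responses: each missing control from Sections 2 to 5 adds points, and the total is weighted by the classification of the data the vendor can reach, so a weak vendor with access to Restricted data ranks above an equally weak one that only sees Internal systems. The column headers, point values, data weights and High/Medium/Low thresholds are all assumptions; the three vendors are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed responses in the shape of a Google Forms "Download responses (.csv)".
SAMPLE_RESPONSES = """\
Vendor name,Data classification accessed,ISO 27001?,SOC 2?,Cyber Essentials?,MFA for all admin access?,Encrypt in transit and at rest?,Last pentest,Breach in past 3 years?,Incident notification SLA (hours),Shared credentials?,Access revocation time (hours)
CloudCRM Ltd,Confidential,Yes,Yes,No,Yes,Yes,2024-02-01,No,24,No,4
HVAC Services,Internal,No,No,No,No,No,,No,,Yes,
Payroll Bureau,Restricted,No,No,Yes,Yes,Yes,2023-09-01,Yes,48,No,48
"""

# Assumed weighting: how much a control gap matters depends on what the vendor can reach.
DATA_WEIGHT = {"Restricted": 3, "Confidential": 2, "Internal": 1, "Public": 1}


def _yes(value):
    return value.strip().lower() == "yes"


def score_vendor(row, today):
    """Return the vendor's gaps, weighted score and rating (assumed point values)."""
    gaps = []
    if not any(_yes(row[c]) for c in ("ISO 27001?", "SOC 2?", "Cyber Essentials?")):
        gaps.append(("no recognised certification", 3))
    if not _yes(row["MFA for all admin access?"]):
        gaps.append(("no MFA on admin access", 3))
    if not _yes(row["Encrypt in transit and at rest?"]):
        gaps.append(("data not encrypted", 3))
    pentest = row["Last pentest"].strip()
    if not pentest or today - date.fromisoformat(pentest) > timedelta(days=365):
        gaps.append(("no pentest in last 12 months", 2))
    if _yes(row["Breach in past 3 years?"]):
        gaps.append(("breach in past 3 years", 2))
    sla = row["Incident notification SLA (hours)"].strip()
    if not sla or int(sla) > 72:
        gaps.append(("notification SLA missing or over 72h", 2))
    if _yes(row["Shared credentials?"]):
        gaps.append(("shared credentials", 3))
    revoke = row["Access revocation time (hours)"].strip()
    if not revoke or int(revoke) > 24:
        gaps.append(("access revocation over 24h or unknown", 1))
    # Unknown classification is treated as the worst case rather than ignored.
    weight = DATA_WEIGHT.get(row["Data classification accessed"].strip(), 3)
    score = sum(points for _, points in gaps) * weight
    rating = "High" if score >= 12 else "Medium" if score >= 6 else "Low"
    return {"vendor": row["Vendor name"], "score": score, "rating": rating,
            "gaps": [g for g, _ in gaps]}


def flag_vendors(csv_text, today_iso):
    """Score every response and return them highest risk first."""
    today = date.fromisoformat(today_iso)
    results = [score_vendor(r, today) for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(results, key=lambda v: -v["score"])


if __name__ == "__main__":
    for v in flag_vendors(SAMPLE_RESPONSES, "2024-06-01"):
        print(f"{v['rating']:<6} {v['score']:>3}  {v['vendor']}: {', '.join(v['gaps']) or 'no gaps'}")
```

A High rating is the trigger for step 4 (request certificates and reports as evidence) and, as the SolarWinds point above argues, for treating that vendor as a dependency you monitor rather than a box you ticked. The weights are a starting point to argue about with whoever owns the contract, not a standard.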

7. Breach Analysis Database

Tool: Notion (free tier), Google Sheets, or even a Word document

Cost: £0

Time to Maintain: 2 hours monthly

This is your reverse benchmarking knowledge base.

Template Structure:

For each breach you analyze, document:

Breach Overview:

  • Organization name

  • Date discovered

  • Attack type (ransomware, data breach, etc.)

  • Estimated cost

  • Number of records/systems affected

Attack Path:

  • Initial access vector

  • Privilege escalation method

  • Lateral movement technique

  • Data exfiltration method (if applicable)

  • Persistence mechanisms

Control Failures:

  • What security controls were missing?

  • What security controls failed?

  • What security controls were bypassed?

Lessons for Our Organization:

  • Do we have similar vulnerabilities?

  • What specific actions should we take?

  • Timeline for implementation

  • Person responsible

Follow-Up Actions Taken:

  • What did we actually implement?

  • Date implemented

  • Verification method

Sources:

  • Links to breach reports, news articles, technical analyses

Monthly Process:

Week 1: Select one breach to analyze

Week 2: Research and document the breach

Week 3: Identify applicable lessons for your organization

Week 4: Implement one specific control to address identified gap

Real Talk: This is the core of reverse benchmarking. Everything else is supporting infrastructure. If you only do one thing from this guide, do this.
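Whatever you keep the database in, the "Lessons" and "Follow-Up Actions Taken" sections only earn their keep if someone checks them. This added example (Python, not from the original post) stores two constructed, fictional breach records in the template above as JSON and answers the two questions the quarterly review asks: which follow-up actions are overdue or were implemented but never verified, and which control failures keep recurring across the breaches analysed. The record field names are assumptions; the cases and dates are made up.

```python
import json
from collections import Counter
from datetime import date

# Two constructed breach records, trimmed to the fields these checks use.
SAMPLE_DB = json.loads("""
[
  {
    "organization": "Constructed Case A (retailer)",
    "date_discovered": "2024-01-15",
    "attack_type": "data breach",
    "control_failures": {
      "missing": ["MFA on vendor remote access", "network segmentation"],
      "failed": ["alerting on new admin accounts"],
      "bypassed": []
    },
    "lessons": [
      {"action": "Quarterly review of vendor accounts", "timeline": "2024-04-30", "owner": "alice",
       "implemented_on": "2024-04-20", "verification": "Reviewed export of all vendor accounts on 2024-04-20"},
      {"action": "Separate vendor VPN from internal network", "timeline": "2024-05-15", "owner": "bob",
       "implemented_on": null, "verification": null}
    ]
  },
  {
    "organization": "Constructed Case B (manufacturer)",
    "date_discovered": "2024-03-02",
    "attack_type": "ransomware",
    "control_failures": {
      "missing": ["MFA on vendor remote access", "offline backups"],
      "failed": ["patching of internet-facing appliance"],
      "bypassed": ["email filtering"]
    },
    "lessons": [
      {"action": "Enable MFA on the VPN", "timeline": "2024-07-01", "owner": "carol",
       "implemented_on": "2024-05-30", "verification": null}
    ]
  }
]
""")


def lesson_status(db, today_iso):
    """Status of every follow-up action: done, unverified, overdue or pending."""
    today = date.fromisoformat(today_iso)
    out = []
    for breach in db:
        for lesson in breach["lessons"]:
            if lesson["implemented_on"] and lesson["verification"]:
                status = "done"
            elif lesson["implemented_on"]:
                status = "unverified"  # implemented, but nobody has checked it works
            elif date.fromisoformat(lesson["timeline"]) < today:
                status = "overdue"
            else:
                status = "pending"
            out.append((breach["organization"], lesson["action"], lesson["owner"], status))
    return out


def recurring_failures(db):
    """Count each control failure across all analysed breaches, most common first."""
    counter = Counter()
    for breach in db:
        for failures in breach["control_failures"].values():
            counter.update(failures)
    return counter.most_common()


if __name__ == "__main__":
    for org, action, owner, status in lesson_status(SAMPLE_DB, "2024-06-01"):
        print(f"{status:<11} {owner:<6} {action}  [{org}]")
    print("Recurring control failures:", recurring_failures(SAMPLE_DB))
```

The "unverified" status is the one that usually gets missed: a control marked implemented with an empty verification field is the Week 4 item ("verify that previously implemented controls still work") written down as data. The recurring-failure tally is what turns a pile of case studies into a priority list for your own environment.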

The Weekly Reverse Benchmarking Routine (2 Hours)

Now you've got the tools. Here's how to use them systematically.

Monday (30 minutes): Threat Intelligence Review

  • Check NCSC weekly threat report

  • Review security advisories from critical vendors

  • Scan cybersecurity news for major breaches

  • Flag anything relevant to your industry/technology stack

Tuesday (30 minutes): Vulnerability and Patch Management

  • Review latest vulnerability scan results

  • Check for any critical vulnerabilities (CVSS 7.0+)

  • Verify patch deployment for previous week's critical issues

  • Update patch tracking spreadsheet

Wednesday (30 minutes): Access Control Review

  • Review user account activity logs for anomalies

  • Check for any new user accounts created

  • Verify MFA is enabled on all administrative accounts

  • Review any vendor access changes

Thursday (30 minutes): Breach Analysis

  • Continue research on current month's selected breach

  • Update breach analysis database

  • Identify specific lessons applicable to your organization

Once per month, dedicate the Thursday slot to:

  • Tabletop exercise based on analyzed breach

  • Implementation of one specific control gap identified

  • Verification that previously implemented controls still work

Friday (No time required): Weekly security email to staff

Send a brief (3-4 sentence) security tip or reminder based on the week's findings. This costs nothing but maintains security awareness without formal training programs.

The Monthly Deep-Dive (4 Hours)

Week 1: Vendor Risk Assessment

Review one critical vendor. Send security questionnaire if not done in past year. Review responses and update vendor risk register.

Week 2: Breach Case Study

Complete analysis of selected breach. Document in breach database. Present findings to management/team.

Week 3: Control Implementation

Actually implement one security control identified from breach analysis. Don't just plan it. Do it.

Week 4: Verification and Documentation

Verify all controls implemented in the past month are working correctly. Update documentation. Update asset inventory if needed.

The Quarterly Review (8 Hours)

Once per quarter, dedicate a full day to:

  1. Asset Inventory Audit: Verify every asset is documented and current

  2. Access Control Audit: Review all user accounts and permissions

  3. Vendor Risk Review: Update risk assessments for all critical vendors

  4. Penetration Test: Either hire a professional (£1,000-3,000) or use free tools like Metasploit to test your own defenses (requires technical knowledge)

  5. Breach Database Review: Are the lessons we learned actually being applied?

  6. Control Verification: Test each security control to ensure it still works

  7. Management Reporting: Update senior management on security posture

  8. Budget Review: Evaluate if any security investments need adjusting

Budget Allocation: Where to Spend Your Limited Funds

You can't do everything for free. Here's where to actually spend money if you have it:

Tier 1: £0-50/month (Essential)

  • MFA tools: £0-10/user/month

  • Password manager (business edition): £3-8/user/month

  • Backup service: £5-20/month depending on data volume

  • Total: Approximately £20-100/month for a 10-person organization

Tier 2: £200-500/month (Strong Foundation)

  • Everything in Tier 1

  • EDR (Endpoint Detection and Response): £3-8/user/month

  • Security awareness training: £5-15/user/year

  • Annual penetration test: £1,000-3,000 (amortized monthly)

  • Total: Approximately £300-600/month for a 10-person organization

Tier 3: £1,000-2,000/month (Comprehensive)

  • Everything in Tier 1 and 2

  • SIEM (Security Information and Event Management): £200-500/month

  • Managed Security Service Provider: £500-1,500/month

  • Cyber insurance: £500-2,000/year (amortized monthly)

  • Total: Approximately £1,500-3,000/month for a 10-person organization

Critical Point: Start with Tier 1. Master it. Then move to Tier 2. Don't jump straight to Tier 3 thinking more spending = more security. Basic controls implemented properly beat expensive tools implemented poorly. Every single time.

Common Implementation Mistakes (And How to Avoid Them)

Mistake 1: Tool Hoarding

Collecting security tools without actually using them systematically.

Fix: Implement one tool completely before adding another. Master the basics.

Mistake 2: Analysis Paralysis

Spending months planning the perfect security program instead of implementing basic controls today.

Fix: 80% implementation now beats 100% implementation never.

Mistake 3: Outsourcing Understanding

Hiring an MSP and assuming they'll handle everything without oversight.

Fix: Verify regularly. Trust, but verify. The asset inventory and vendor questionnaire are YOUR responsibility.

Mistake 4: Checkbox Mentality

Implementing controls to tick boxes rather than reduce actual risk.

Fix: For every control, ask: "What specific threat does this prevent?" If you can't answer, don't implement it.

Mistake 5: Forgetting to Maintain

Setting up tools and then never reviewing the results.

Fix: Calendar reminders. Weekly, monthly, quarterly reviews are non-negotiable.

The One-Day Quick-Start Implementation

Don't have time for gradual rollout? Here's the absolute minimum you can implement in one working day:

Hour 1-2: Asset Inventory

Create spreadsheet. List all critical systems. Internet-facing systems first.

Hour 3-4: MFA Implementation

Enable MFA on administrator accounts and VPN. Use free authenticator apps.

Hour 5: Vulnerability Scan Setup

Sign up for Qualys Community Edition. Configure first scan.

Hour 6: Access Control Audit

Review user accounts. Disable anything inactive for 90+ days.

Hour 7: Vendor Access Review

List all vendors with system access. Document what they can access and why.

Hour 8: Breach Analysis Selection

Pick one major breach relevant to your industry. Create breach database document. Schedule time next week to complete the analysis.

This won't make you invulnerable. But it's infinitely better than doing nothing while you plan the perfect comprehensive security program that never materializes.

Tomorrow and Beyond

Friday we'll apply this toolkit to a specific UK case study, showing exactly how reverse benchmarking would have prevented a real breach.

Saturday I'll share my opinion on why UK SMBs keep failing at this despite all the free resources available.

Sunday we'll preview next week's content on the office printer security disaster you didn't know you had.

But for today: pick one tool from this guide. Implement it. Not next week. Today.

The Target breach was in 2013. The Equifax breach was in 2017. The Colonial Pipeline breach was in 2021. SolarWinds was 2020.

The lessons are available. The tools are free or cheap. The question is: will you implement them before you become next year's cautionary tale?

Complete Toolkit Summary

Free Tools (£0/month)

✓ Google Sheets (asset inventory, access audit)

✓ OpenVAS (vulnerability scanning)

✓ Email subscriptions (security advisories)

✓ Google Authenticator (MFA)

✓ Native OS tools (user management)

✓ Google Forms (vendor assessments)

Budget Tools (£50-200/month for 10 users)

✓ Duo Security (£3/user/month for enhanced MFA)

✓ Business password manager (£3-8/user/month)

✓ Cloud backup service (£10-50/month)

✓ Authentrend FIDO2 keys (£25-35 one-time per user)

Time Investment

✓ Initial setup: 8-16 hours

✓ Weekly maintenance: 2 hours

✓ Monthly deep-dive: 4 hours

✓ Quarterly review: 8 hours

Total annual time investment: approximately 250 hours spread across the year

Total annual cost for 10-person SMB: £600-2,400 depending on tier
