Every UK business faces cyber risk. Whether you are a five-person accounting firm in Manchester or a 200-person manufacturing company in Birmingham, your business holds data, depends on technology, and is a potential target for cybercriminals. The question is not whether you face risk — it is whether you understand what that risk looks like, how severe it is, and what you are doing to manage it.
A cybersecurity risk assessment is the formal process of identifying, analysing, and evaluating the cyber risks your business faces. It provides the foundation for every security decision you make — from which controls to implement and how much to spend on security, to which risks to accept and which to prioritise for immediate action. Without a risk assessment, your security spending is essentially guesswork: you might be investing heavily in protecting against unlikely threats while leaving your most significant vulnerabilities completely unaddressed.
This guide provides a practical, step-by-step methodology for conducting a cybersecurity risk assessment suitable for UK SMEs. It aligns with the guidance published by the National Cyber Security Centre (NCSC), supports Cyber Essentials and Cyber Essentials Plus certification, and satisfies the risk assessment requirements of UK GDPR Article 32.
What Is a Cybersecurity Risk Assessment?
A cybersecurity risk assessment is a structured process for identifying and evaluating the risks that cyber threats pose to your business. It answers three fundamental questions: what could go wrong (threat identification), how likely is it to happen (likelihood assessment), and how bad would it be if it did happen (impact assessment). The combination of likelihood and impact gives you the overall risk level for each identified threat, which then guides your decisions about how to respond.
Risk assessments are not a one-off exercise. The threat landscape changes continuously, your business evolves, and new technologies introduce new vulnerabilities. Best practice is to conduct a comprehensive risk assessment annually and to review and update it whenever significant changes occur — such as adopting a new cloud platform, opening a new office, or experiencing a security incident.
Article 32 of UK GDPR requires data controllers to implement appropriate technical and organisational measures to protect personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals. In practical terms, this means the ICO expects you to have conducted a risk assessment and to be able to demonstrate that your security measures are proportionate to the risks you have identified. A documented risk assessment is essential evidence of compliance.
Step 1: Identify Your Assets
The first step is to catalogue what you need to protect. In cybersecurity, an asset is anything that has value to your organisation and could be targeted, compromised, or lost. For most UK SMEs, the key asset categories include customer personal data (names, contact details, payment information), financial records and banking credentials, intellectual property and trade secrets, employee data (HR records, payroll information), IT systems and infrastructure (servers, workstations, network equipment), cloud services and accounts (Microsoft 365, CRM, accounting software), physical premises and equipment, and your business reputation.
For each asset, record its location (on-premises, cloud, or both), who has access to it, and how critical it is to your business operations. This inventory becomes the foundation for the rest of the assessment.
Step 2: Identify Threats and Vulnerabilities
With your asset inventory complete, identify the threats that could affect each asset and the vulnerabilities that those threats could exploit.
Common Threats for UK SMEs
The NCSC identifies several threat categories that are particularly relevant to UK businesses. Phishing and social engineering remain the most common attack vector, accounting for the majority of successful breaches. Ransomware encrypts your data and demands payment for its return. Credential theft — through phishing, brute force attacks, or credential stuffing using stolen password databases — gives attackers access to your systems and data. Insider threats, whether malicious or accidental, account for a significant proportion of data breaches. Supply chain attacks target your business through vulnerabilities in your suppliers, partners, or software providers.
Common Vulnerabilities
Vulnerabilities are the weaknesses that threats exploit. Common vulnerabilities in UK SME environments include unpatched software and operating systems, weak or reused passwords without multi-factor authentication, lack of staff security awareness training, inadequate backup systems or untested recovery procedures, excessive user privileges (staff having access to more data and systems than their role requires), unsecured remote access (particularly RDP exposed to the internet), and outdated or end-of-life hardware and software.
Step 3: Analyse and Evaluate Risks
For each combination of threat and vulnerability, assess both the likelihood of the threat materialising and the impact it would have on your business. Use a consistent scoring scale for both dimensions.
| Score | Likelihood | Impact |
|---|---|---|
| 1 - Very Low | Unlikely to occur in the next 3 years | Minor inconvenience, no financial or data loss |
| 2 - Low | Could occur once in the next 3 years | Limited disruption, under £5,000 cost |
| 3 - Medium | Likely to occur once per year | Significant disruption, £5,000–£50,000 cost |
| 4 - High | Likely to occur multiple times per year | Major disruption, £50,000–£250,000 cost, potential regulatory action |
| 5 - Very High | Almost certain to occur | Catastrophic, £250,000+ cost, serious regulatory penalties, business survival at risk |
Multiply the likelihood score by the impact score to get an overall risk score for each identified risk. This gives you a range from 1 (very low risk) to 25 (critical risk). Risks scoring 15 or above require immediate attention. Risks scoring 8 to 14 should be addressed within the next quarter. Risks scoring below 8 should be monitored and reviewed periodically.
Step 4: Determine Your Risk Response
For each identified risk, you have four options for how to respond.
Active Risk Responses
- Mitigate: Implement controls to reduce the likelihood or impact (e.g., deploy MFA to reduce credential theft risk)
- Transfer: Shift the risk to a third party through insurance or outsourcing (e.g., cyber insurance for financial impact)
- Avoid: Eliminate the risk by stopping the activity that creates it (e.g., stop storing unnecessary sensitive data)
Passive Risk Response
- Accept: Acknowledge the risk and choose not to take further action, typically because the cost of mitigation exceeds the potential impact
  - Only appropriate for low-scoring risks where the cost of controls would be disproportionate
  - Must be a documented, conscious decision — not an oversight
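To make the Step 3 scoring and the Step 4 acceptance rules concrete, here is an added Python example (not part of the original guide): it scores each risk as likelihood × impact on the 1-5 scale, assigns the article's treatment window (15+ immediate, 8-14 next quarter, below 8 monitor), orders the register worst-first, and flags any "accept" decision that is undocumented or applied to a risk scoring 8 or more. The register entries are constructed sample data, not findings from a real assessment.

```python
from dataclasses import dataclass

# Thresholds from the article: score = likelihood x impact, each on a 1-5 scale.
IMMEDIATE, QUARTER = 15, 8

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int      # 1-5 per the scoring table
    impact: int          # 1-5 per the scoring table
    response: str        # mitigate, transfer, avoid or accept
    rationale: str = ""  # required when the response is "accept"

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be scored 1-5")
        return self.likelihood * self.impact

    def priority(self) -> str:
        s = self.score()
        if s >= IMMEDIATE:
            return "immediate"
        return "next quarter" if s >= QUARTER else "monitor"

def validate_response(risk: Risk) -> list[str]:
    # Returns findings where the chosen response breaks the rules in Step 4.
    tag = f"{risk.asset} / {risk.threat}"
    findings = []
    if risk.response not in {"mitigate", "transfer", "avoid", "accept"}:
        findings.append(f"{tag}: unknown response '{risk.response}'")
    elif risk.response == "accept":
        if risk.score() >= QUARTER:
            findings.append(f"{tag}: score {risk.score()} is too high to accept")
        if not risk.rationale.strip():
            findings.append(f"{tag}: acceptance must be a documented decision")
    return findings

def build_register(risks: list[Risk]) -> list[Risk]:
    # Highest score first, so the treatment plan addresses the worst risks first.
    return sorted(risks, key=lambda r: r.score(), reverse=True)

# Constructed sample entries (hypothetical, not from any real assessment).
SAMPLE = [
    Risk("Microsoft 365 accounts", "credential theft via phishing", 4, 4, "mitigate"),
    Risk("File server", "ransomware via internet-exposed RDP", 3, 5, "mitigate"),
    Risk("Office printer", "firmware tampering", 1, 2, "accept", "control cost disproportionate"),
    Risk("Payroll data", "accidental insider disclosure", 2, 4, "accept"),
]
```

Running `build_register(SAMPLE)` and `validate_response` over each entry produces the ordered register and two findings against the undocumented payroll acceptance, which is exactly the kind of oversight the documentation step is meant to catch.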
Step 5: Create Your Risk Treatment Plan
Your risk treatment plan documents the specific actions you will take to address each significant risk, along with timelines, responsibilities, and budget. This plan becomes your security roadmap — the document that guides your security investment and activities over the coming year.
For each risk being mitigated, specify the control or controls to be implemented, the person responsible for implementation, the target completion date, the estimated cost, and how you will verify that the control is effective. Prioritise actions based on risk score, with the highest-scoring risks addressed first.
Quick Wins for UK SMEs
Some security controls deliver outsized risk reduction for relatively modest investment. Based on NCSC guidance and the Cyber Essentials framework, the following measures address the most common vulnerabilities in UK SME environments and should be prioritised in your treatment plan.
Step 6: Document and Communicate
Your risk assessment must be documented. This serves multiple purposes: it provides evidence of compliance with UK GDPR, it enables consistent review and updating, it communicates risks and priorities to senior management, and it supports Cyber Essentials certification if you pursue it.
Your documentation should include the scope of the assessment, the methodology used, the asset inventory, the identified threats and vulnerabilities, the risk scoring matrix and results, the risk treatment plan with assigned responsibilities, and a review schedule.
Present the findings to senior management in business terms, not technical jargon. Executives need to understand the business impact of the risks you have identified and the rationale behind your recommended investments. A risk that might cause £100,000 in losses and regulatory fines is a more compelling argument for a £10,000 security investment than a technical explanation of vulnerability severity scores.
Ongoing Risk Management
A risk assessment is a living document, not a one-off exercise. Schedule a comprehensive annual review, but also update the assessment whenever significant changes occur. Triggers for reassessment include adopting new technology platforms or cloud services, significant changes in business operations or structure, a security incident or near-miss, changes in the regulatory landscape, and new threat intelligence relevant to your industry or region.
The NCSC recommends that UK businesses also subscribe to their threat intelligence services and early warning notifications. These free services alert you to emerging threats that may affect your industry, allowing you to proactively update your risk assessment and controls before a new threat materialises.
While Cyber Essentials certification does not explicitly require a formal risk assessment, the controls it mandates — firewalls, secure configuration, user access control, malware protection, and patch management — directly address the most common risks identified in SME risk assessments. Pursuing Cyber Essentials certification is an excellent way to address your highest-priority risks systematically. The UK government requires Cyber Essentials for any supplier bidding on government contracts that involve handling sensitive or personal information, making it increasingly important for businesses in the public sector supply chain.
Conclusion
A cybersecurity risk assessment is the single most important step any UK business can take to understand and manage its cyber risk. It replaces guesswork with evidence, ensures that security spending is directed where it will have the greatest impact, and provides the documentation needed to demonstrate compliance with UK GDPR and other regulatory requirements. The process does not need to be complex or expensive — for most SMEs, a thorough assessment can be completed in a few days with the right methodology and expertise.
The businesses that suffer most from cyber attacks are overwhelmingly those that never assessed their risks, never identified their vulnerabilities, and never implemented the basic controls that would have prevented the breach. A formal risk assessment ensures your business is not among them.
Need Help with Your Cybersecurity Risk Assessment?
Cloudswitched provides comprehensive cybersecurity risk assessments for UK businesses, aligned with NCSC guidance and supporting Cyber Essentials certification. Our team identifies your vulnerabilities, evaluates your risks, and delivers a practical treatment plan that addresses your most significant threats. Contact us for a free initial security consultation.
