Automated scanners probe your IP address range, identify exposed management ports or unprotected services, and attempt to connect. This takes minutes, not days, and requires no human attacker to be actively watching.

An attacker gains direct access to your internal network. From there they can move laterally to other systems, install ransomware, steal data, or use your infrastructure to attack others. The average time to detection for network intrusions is over three weeks.

Install and configure a boundary firewall with default-deny inbound policy. Document every permitted inbound service. Change all default credentials. Ensure remote workers are protected by software firewalls even outside the office.

Attackers use publicly available default credential lists and vulnerability databases. A device management interface left on default settings can be found via Shodan (a search engine for internet-connected devices) and accessed in seconds.

Attackers gain administrative access to a device and use it as a foothold to reach the rest of the network. End-of-life software with no available patches creates permanent, unresolvable vulnerabilities regardless of what other controls are in place.

Follow a hardening checklist for every device: change all defaults, remove unnecessary accounts, disable unused services and protocols, enforce screen lock, maintain software currency. Eliminate end-of-life software before applying for CE certification.

Once a patch is released, exploit code typically follows within days. Automated scanners probe networks for systems running known vulnerable versions. No sophisticated targeting is required — your unpatched system shows up in a routine scan.

An attacker exploits the known vulnerability to gain unauthorised access or execute code on your system. Ransomware campaigns routinely exploit recently disclosed vulnerabilities at scale, affecting thousands of organisations simultaneously. Patched organisations are unaffected; unpatched ones are not.

Implement automated patch management covering OS, all applications, browser extensions and firmware. Establish monitoring for new vulnerability disclosures. Apply critical and high-severity fixes within 14 days. Verify patch status across all devices via a compliance report.

A phishing email or credential-stuffing attack obtains a user's password. Without MFA, the attacker has immediate, unrestricted access to every cloud service that account can reach. An admin account used for daily browsing is compromised, giving full network control.

A single compromised account leads to a full data breach. Business email compromise — where attackers intercept communications and divert payments — is one of the most financially damaging outcomes. Average UK business email compromise loss is over £30,000 per incident.

Enforce MFA on every cloud service where it is available — this became an automatic CE failure in 2026. Apply least privilege — users get only what their current role requires. Create dedicated admin accounts. Remove access immediately when staff leave. Review permissions quarterly.

A malicious file arrives as an email attachment, a drive-by download, or via a compromised USB device. Without real-time anti-malware scanning, it executes silently. Modern ransomware moves laterally across the network before triggering, maximising the number of encrypted systems.

Ransomware encrypts all accessible files — local, network shares, and any connected backup drives. Business operations cease completely. Recovery requires either paying the ransom (no guarantee of data return) or restoring from clean offline backups, which many SMBs do not have.

Deploy enterprise anti-malware to all devices, managed centrally with full coverage visibility. Enable real-time scanning and tamper protection. Keep definitions updating automatically. Add DNS filtering to block malicious domains. Consider application control to prevent unauthorised software from executing.