Live National Cyber Helpline · 0300 123 2040
Assured Cyber Protection Cyber & insurance briefing

Security Controls Insurers Require

Network Security Solutions for Small Businesses: UK Guide

By the Assured Cyber Protection team · Updated 2026 · Reviewed

Choosing network security solutions for a small business is less about buying the flashiest product and more about closing the gaps that let attackers in and, increasingly, the gaps that let insurers refuse a claim. UK small firms are targeted precisely because their defences are thinner than a large enterprise’s, yet the controls that stop most attacks are the same handful of basics that Cyber Essentials and cyber insurers now insist on. This guide explains what those controls are, how to assess where your network stands today, and how to build up protection without an enterprise budget.

What network security means for a small business

Network security is the set of controls that protect the devices, connections and data moving across your business network, from your broadband router to the laptops, phones and cloud services your team uses every day. For a small firm it usually breaks down into a few layers: a properly configured firewall at the boundary, secure remote access, segmented Wi-Fi, endpoint protection on every device, and monitoring so you notice when something is wrong.

The good news is that you rarely need bespoke enterprise kit. Most of what an insurer or the Cyber Essentials scheme expects can be delivered with the business features already built into your firewall, Microsoft 365 or Google Workspace, and a reputable endpoint product.

The core controls insurers and Cyber Essentials expect

Underwriters have tightened their requirements sharply. If you want affordable cover, or you are pursuing certification, these are the network security controls that carry the most weight.

  • A configured firewall. Every internet connection needs a firewall with a changed default admin password, unused services turned off, and inbound access locked down. This is one of the five Cyber Essentials controls.
  • Multi-factor authentication (MFA). MFA on email, remote access and cloud admin accounts is now effectively mandatory. Since April 2026, Cyber Essentials requires MFA across cloud services, and insurers ask about it on every proposal form.
  • Endpoint detection, not just antivirus. Underwriters increasingly want modern endpoint protection that can detect and respond to threats, rather than basic signature antivirus alone.
  • Secure remote access. Exposed remote desktop (RDP) is a leading ransomware entry point. Remote access should go through a VPN or a zero trust access service, never straight to the open internet.
  • Patching within 14 days. Critical and high-severity updates on operating systems, browsers and firmware need applying promptly. The Cyber Essentials rule is 14 days, and insurers expect the same.
  • Segmentation. Keeping guest Wi-Fi, staff devices, servers and backups on separate network segments limits how far an attacker can move if one device is compromised.

Our security controls cyber insurers demand checklist goes through each of these in detail, and the MFA for business guide covers the authentication side.

How to run a simple network security assessment

You cannot protect what you have not mapped. A short assessment, which you can do in an afternoon, tells you where the holes are before an attacker or an underwriter finds them.

  1. List every device and connection. Routers, firewalls, switches, servers, laptops, phones and any internet-facing service. Note what is still running an unsupported operating system.
  2. Check the boundary. Confirm your firewall’s admin password has been changed, remote management from the internet is off, and no ports are open that do not need to be.
  3. Review remote access. Is anything reachable over RDP directly? Is remote access protected by MFA and a VPN?
  4. Audit accounts. Remove old user accounts, separate everyday logins from admin accounts, and confirm MFA is on for email and cloud admin.
  5. Test backups. Confirm you hold backups that are offline or immutable, and that you have actually restored from one recently.

If any of that feels beyond your in-house skills, a managed provider or an independent tester can run it for you. Our guide to managed cyber security services explains what to look for, and penetration testing for UK businesses covers when a hands-on test is worth it.

Network security services: doing it yourself vs outsourcing

Very small firms often start by hardening what they already own: turning on firewall features, enforcing MFA, and installing a business endpoint product. That handles the essentials cheaply.

As you grow, or if you handle sensitive client data, the case for outsourcing to a managed security provider strengthens. A good provider gives you continuous monitoring, patch management and an incident response route you could not staff yourself. The trade-off is a monthly cost against the reassurance of someone watching the network out of hours. There is no single right answer; it depends on your risk, your contracts, and whether clients demand evidence of active monitoring.

How this links to Cyber Essentials and insurance

The reason network security pays off twice is that the same controls unlock certification and cheaper cover. Passing Cyber Essentials proves your network meets a recognised baseline, which insurers reward with lower premiums and, in many cases, a bundled level of cyber insurance. Weak network security works the other way: it is one of the most common reasons a cyber insurance claim gets refused, because policies assume you had the controls you declared on the proposal form.

Treat network security, certification and insurance as one joined-up effort rather than three separate purchases, and each one makes the others cheaper and easier.

Frequently asked questions

What are the most important network security solutions for a small business? A configured firewall, multi-factor authentication on email and remote access, modern endpoint protection, secure remote access through a VPN, prompt patching, and network segmentation. Those controls stop the majority of attacks and are the ones insurers and Cyber Essentials focus on.

Do I need network security services or can I do it myself? Many small firms can implement the basics themselves using the business features in their firewall and Microsoft 365 or Google Workspace. Outsourcing to a managed provider becomes worthwhile as you grow, handle sensitive data, or need continuous monitoring you cannot staff internally.

How does network security affect my cyber insurance? Insurers price cover on your controls. Strong network security, evidenced by MFA, endpoint detection and secure remote access, lowers your premium and reduces the risk of a claim being refused. Weak controls can invalidate cover if you declared them on the proposal form but did not have them.

What is a network security assessment? It is a review of your devices, connections, accounts and defences to find gaps before an attacker does. For a small business it can be as simple as mapping every device, checking the firewall and remote access, auditing accounts and testing backups.

Is a firewall enough on its own? No. A firewall is essential but only protects the boundary. You also need MFA, endpoint protection, secure remote access, patching and segmentation, because many modern attacks arrive through phishing and stolen credentials rather than a direct network breach.

Where to go next

Start with the cyber security for businesses checklist to see the full picture, then read the endpoint security guide for the device layer. For the authoritative baseline, the UK’s National Cyber Security Centre publishes a free small business guide worth reading alongside this one.

The Threat Brief

A calm, plain-English security update. Once a week.

New scams, breach lessons, and cyber insurance changes that affect UK businesses, explained without the jargon. No alarmism, no vendor spin.

Unsubscribe anytime. We never share your address.