Many businesses in Gibraltar believe their IT systems are secure — especially when everything appears to be working. Emails are flowing. WiFi is available. Files open. But "working" doesn’t always mean "secure", and the gap between the two is where most breaches happen.
Over the past year we’ve audited more than thirty SMEs across the Rock. The pattern is remarkably consistent: a working network, a paying Microsoft 365 subscription, an antivirus product on every laptop, and a quiet sense that someone, somewhere, has it all under control. They don’t. Here’s the five-point check we run with every new client.
1. MFA on every account, no exceptions
We still find businesses where the CEO and finance director are the only ones not on multi-factor authentication — exactly the accounts attackers want most. Microsoft’s own data shows MFA blocks more than 99.9% of automated identity attacks. If you have to make one change this quarter, make it this one.
What "working" looks like
- Conditional access policies that prompt for MFA on risky locations
- FIDO2 keys for privileged accounts (admin, finance, legal)
- Documented break-glass procedures that don’t rely on MFA
2. Endpoint detection, not just antivirus
Signature-based AV is a 1990s answer to a 2026 problem. Modern endpoint detection (EDR) watches behaviour — what processes spawn what, what files are encrypted in what order, what an account is doing that it has never done before. When ransomware lands, EDR is what gives you minutes instead of hours.
We had antivirus. We thought we were fine. Then a contractor’s laptop spent forty minutes encrypting our file server before anyone noticed.
3. Backups you’ve actually tested
An untested backup is a hope, not a recovery plan. We test ours quarterly with every managed-IT client — full restore to an isolated environment, timed end-to-end. The first time we did this for a client last year, the restore failed at hour three. They fixed it before they needed it.
4. A patch cadence you can prove
Critical patches inside 14 days. High-severity inside 30. Documented exceptions for systems that genuinely can’t be patched, with compensating controls. If you can’t produce a report showing patch status across every endpoint and server, you don’t have a patch programme — you have a hope.
5. Awareness training that’s measured
Annual click-through e-learning is theatre. We run quarterly micro-modules and monthly phishing simulations across our managed clients. The data is humbling at first — and then, six months in, click-rates drop by an order of magnitude.
The honest truth
None of this is exotic. None of it requires a six-figure budget. What it requires is a partner who treats your security as an ongoing programme, not a one-time project. If you’d like a free, no-obligation audit against this five-point check, get in touch.
