You shouldn't have to take cyber security on faith.
If you run a 10–50 person business in Greater Manchester, here's the question that probably keeps you up: am I actually protected, or do I just hope I am? Your last IT review was a colour-coded slide deck. Your insurer keeps adding questions. The Cyber Resilience Bill is on its way. And you genuinely cannot tell if one bad click on a Tuesday would be a bad week — or the end of the business.
We can. And we can show you the number.
Want a head start? See where you stand in two minutes — a free 0–100 cyber resilience score, no email gate.
Written and reviewed by
Brett Casterton — Founder & Managing Director, Inology IT. Ex-UK Armed Forces. 24 years running IT and cyber security for Manchester small businesses. ISO 27001 lead. Last reviewed: June 2026.
Three things changed in the last 18 months — and they all land on you.
The bigger you get, the more they come for you.
Share of UK businesses that suffered a cyber breach or attack in the last 12 months, by company size. Hit a payroll of ten and the probability flips against you.
Source: Cyber Security Breaches Survey 2025, GOV.UK (published 10 April 2025). "Any cyber security breach or attack" includes phishing, impersonation, malware, denial-of-service, ransomware and unauthorised access.
1. The law is catching up
The Cyber Security and Resilience Bill, announced in the King's Speech, expands incident reporting and minimum security duties beyond critical infrastructure — into supply chains, managed service providers and the SMBs they serve. If you sell into the NHS, the public sector or a regulated industry, you are already feeling it. Read the Bill summary on GOV.UK →
2. Cyber insurance questions have sharpened
Renewal questionnaires that used to ask "do you have antivirus" now demand multi-factor authentication on every admin account, endpoint detection and response, immutable backup, email security with link inspection, and a documented incident plan. Get one wrong and the cover quietly thins — or disappears. NCSC guidance on cyber insurance →
3. The attacks moved to your size
Ransomware crews have stopped chasing FTSE 100 boards and started running mass-market campaigns against 20-person firms — because the controls are weaker, the payouts are quicker, and one compromised mailbox can phish an entire customer list. NCSC Small Business Guide →
Manchester since 2002. Veteran-founded. ISO 27001 certified.
We are not a national brand running a sales team out of London. We are a small, accountable Manchester firm — the same engineers you speak to today will still be answering the phone in three years.
The people who pick up the phone: Brett Casterton (founder, ex-UK Armed Forces, ISO 27001 lead) and Simon, lead engineer. Between them, 40+ years of running infrastructure and cyber security for Manchester firms in healthcare, legal, accountancy, manufacturing and distribution.
We hold ISO 9001 and ISO 27001 at organisation level, Cyber Essentials certification, and Microsoft Solutions Partner status for Modern Work. The same controls we deploy on your network run on ours — if we don't trust it, we don't sell it.
One number. A priority list. A re-score every 90 days.
We don't sell you a stack of products. We measure where you actually sit, fix the gaps in the order that retires risk fastest, and prove it with a number you can take to your board, your insurer and your customers.
01. We score where you are — on a 0–100 cyber score
A two-week assessment through our SecureState™ benchmark — identity, endpoint, email, recovery and incident response. One score. One page. Honest gaps. No theatre, no fear-selling.
02. We fix the gaps in priority order
The fixes that retire the most risk fastest go first — usually identity hardening and backup integrity inside the first month. Cyber Essentials and 24/7 monitoring are layered on next, only if they earn their place.
03. We re-score every 90 days
Your number goes up. You see it move. When your insurer or a customer asks "how do you know you're secure?", you have a one-page answer with a date on it — not a marketing slide.
04. We answer the awkward questions for you
Insurer renewals, supply-chain questionnaires, Cyber Essentials assessor calls, DSPT submissions, board updates — we complete them. You sign them. It's part of the service, not an extra invoice.
What does the score actually measure? The five categories:
Identity & access — multi-factor authentication coverage, conditional access policies, admin separation, legacy authentication blocked.
Endpoint protection — managed detection and response on every device, patch posture, removable-media controls.
Email security — phishing and impersonation defences, link inspection, attachment sandboxing, banner warnings.
Recovery — immutable backup of Microsoft 365 and servers, quarterly restore evidence, retention against ransomware dwell time.
Incident readiness — documented response plan, named decision-makers, tested escalation, awareness training cadence.
The score is the summary — these are the layers underneath it. We deliver them as part of your managed IT, not as a separate product line.
Call us first — even if you've never worked with us before.
We handle active incidents for businesses we've never met. Ransomware in progress, account compromise, suspected data exfiltration. The first hour matters most: isolate, preserve evidence, communicate. No engagement contract required to take the first call.
Response times: 15 minutes in-hours (Mon–Fri, 8am–6pm); 60 minutes out-of-hours.
A 30-minute walk-through. No deck. No pressure.
Brett or Simon on the phone or video. We'll ask what you've got, what worries you, and what your insurer and customers are demanding. You'll leave the call with an honest read on where you sit — and whether a SecureState assessment is the right next move.
The cost of "we'll get to it next year".
We've sat with three Manchester owners in the last 18 months who said this exact thing. Each of them is now spending what a full year of proper managed cyber security would have cost — in a single bad month.
Ransomware lands on a Friday afternoon.
Five days offline. Customers ringing. Staff sent home. The backup turns out not to have been tested in 14 months. Recovery costs north of £40,000 before the lost revenue is even counted.
Cyber insurance pays out — then doesn't.
The renewal questionnaire ticked "MFA everywhere". The forensic investigation finds the breach started on the one admin account that didn't have it. Cover voided. Legal costs follow.
A regulator comes knocking.
The Cyber Resilience Bill, GDPR, or sector regulator turns up after an incident. There is no documented response plan, no evidence of awareness training, no audit trail. The fine sizes itself against your turnover. ICO enforcement register →
You sleep at night. And you have the receipts.
You can answer the question. When your insurer, your biggest customer or your board asks "how do you know you're secure?", you hand over a one-page SecureState report with a date on it and a score that has gone up four quarters running.
You stop being the IT department. Patching, MFA, backups, monitoring, incident playbooks: all running quietly in the background. Your job goes back to running the business.
The bad Tuesday becomes a non-event. Somebody clicks something. The endpoint isolates itself. The mailbox is locked. The team at our end has it triaged before lunch. No ransom paid, no data lost, no customer ever knows.
Built into managed IT — not bolted on the side.
SecureState is included with every Inology managed IT client by default. Cyber Essentials and CE+ certifications are fixed-price projects. ISO 27001, DSPT and PCI DSS readiness are scoped consulting engagements, quoted separately on the scale of the audit involved.
Cyber security — frequently asked.
How do I know if my business is actually protected?
You measure it. We score your environment on a 0–100 cyber score covering identity, endpoint, email, recovery and incident response, then re-score every 90 days. A single number tells you, your board and your insurer where you stand — and where to focus next. See how SecureState works.
What is the Cyber Resilience Bill and does it affect small businesses?
The UK Cyber Security and Resilience Bill, announced in the King's Speech, expands incident reporting and minimum security duties beyond critical national infrastructure. Managed service providers and many of their customers are inside the new scope. Small businesses that sell into the NHS, public sector or regulated supply chains will feel it first — your customers will pass the obligations down before the regulator does.
What does cyber insurance actually require from a small business now?
The six controls UK insurers consistently ask for: MFA on all admin and remote access, endpoint detection and response (not just antivirus), immutable or segregated backup, email security with attachment and link inspection, annual cyber awareness training, and a documented incident response plan. We deliver all six as part of managed IT, and we answer the questionnaires for you. NCSC guidance on cyber insurance →
Are you certified yourselves?
Yes. Inology IT is ISO 9001 and ISO 27001 certified at organisation level, Cyber Essentials certified, and a Microsoft Solutions Partner for Modern Work. We run the same controls on our own network that we deploy on yours. If we can't trust it, we won't sell it.
What happens if we're already mid-incident?
Call 0161 503 3535 first — even before reading this page. We've handled active incidents for businesses we've never worked with before, including ransomware in progress and email account compromise. The first hour matters most: isolate, preserve evidence, communicate. Response times: 15 minutes in-hours, 60 minutes out-of-hours. No engagement contract required for the first call.
Trusted IT. Built-in cyber resilience. Manchester since 2002.
Book the 30-minute walk-through with Brett or Simon. No deck, no pressure — just an honest read on where you sit and what the right next move would be.