A 90-day cyber security roadmap for SMEs
Most SMEs do not have a lack-of-tools problem. They have a sequencing problem. This roadmap puts the work in the right order: understand your position, close the priority gaps, then turn the work into evidence for customers, insurers and certification.
THE ROADMAP
Why 90 days?
Ninety days is short enough to keep focus and long enough to fit the rhythm of leadership meetings, insurance renewals and customer security questionnaires. In that time, your business can improve its Microsoft 365 security, reduce obvious cyber risks, gather evidence for insurance and customer questionnaires, and create a clearer path towards Cyber Essentials.
What this means
The three phases of the 90-day roadmap
Days 1-30 - Visibility
Map your Microsoft 365 setup, devices, users and privileged accounts. Review your Microsoft Secure Score, backup position and the questions customers, insurers or suppliers are likely to ask.
Days 31-60 - Hardening
Reduce the highest-risk gaps first. Enforce MFA, block legacy authentication, reduce admin access, improve device management, harden email protection and confirm backups are properly configured.
Days 61-90 - Evidencing
Turn the work into proof. Gather security evidence, document key policies, review logs and retention settings, confirm your Cyber Essentials position and create a simple board-level summary.
THE OUTCOME
Reduce risk, collect evidence and prepare for Cyber Essentials
By day 90, your business should have a clearer Microsoft 365 security position, stronger access controls, tested backup evidence and a simple summary you can use with customers, insurers, auditors and your leadership team.
2026 CYBER RESILIENCE REPORT
Find out more in our new 2026 Cyber Resilience Report
The 90-day roadmap is one section of our 2026 SME Cyber Resilience Report. Download the full PDF for practical guidance on Microsoft 365 security, Cyber Essentials, customer questionnaires, insurance evidence and SME cyber resilience.
- Why It’s Now Commercial – Why cyber resilience now affects contracts, insurance and customer confidence.
- The Microsoft-365 Gap – The common security settings SMEs miss – and the eight checks to make first.
- Frameworks Compared – Cyber Essentials, Cyber Essentials Plus, ISO 27001, SOC 2 and NIST – when each one matters.
- Monitoring & Evidence – What to record, review and evidence before a customer or insurer asks.
- Zero Trust, Simply – How to reduce unnecessary access without slowing people down.
- The 90-Day Roadmap – A practical order of work: visibility, hardening, evidence and certification.
- The Self-Assessment – A 25-question check to run with your leadership team in 15 minutes.
PROOF
What our clients say
I have been using INDIGO IT as our trusted IT partner for more than 20 years, both with my previous and current company. They are so good I had to take them with me – recommended!
Mark Bosher · CAD/IT Manager – Watkins Payne
I have always found INDIGO IT to be technically ahead and keen to ensure we get the best service. I have had the good fortune of dealing with them for about 6 years now.
Peter Sudlow · MD, Sapphire Wealth
Meet Matt, Managing Director of INDIGO IT
Making Great IT Personal and Accessible
Frequently Asked Questions
Here are some of the most common questions businesses ask us:
What should be included in a 90-day cyber security plan?
A practical 90-day plan should cover visibility, hardening and evidence: know your setup, fix the priority gaps, then document what has changed for customers, insurers and internal leadership.
Can cyber security be improved without slowing staff down?
Yes. The best approach stages changes carefully, explains what is changing, pilots controls with a small group and uses Microsoft 365 policies to improve security without unnecessary friction.
What is the difference between IT support and managed IT services?
IT support is often reactive help when something breaks. Managed IT services are broader: monitoring, maintenance, security, planning, user support, supplier management and continual improvement.
What is the best first cyber security step for an SME?
Start with visibility. Know your Microsoft Secure Score, who has admin access, whether MFA is enforced, whether backups are tested and what evidence you can provide if a customer or insurer asks.
Why choose a local managed IT provider?
A local provider can combine remote support with in-person help when needed, understand regional business networks and build a closer working relationship with owners, managers and internal teams.