Most businesses know they need better cybersecurity. Fewer know where to start, and even fewer believe they can afford it.
But the truth is, you do not need a massive budget to build a meaningful security roadmap. You just need a plan that prioritises the right things at the right time.
A three-year cybersecurity strategy is not about buying every tool on the market, or about testing everything every year (Lord knows that is completely unrealistic for almost all businesses).
It is about making smart, incremental improvements that compound over time, turning your current spend into genuine resilience rather than a collection of one-off fixes.
Why “We’ll Sort It Later” Is Costing You Now
The temptation to push cybersecurity down the priority list is understandable when budgets are tight. But the numbers tell a different story.
According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber breach or attack in the past 12 months, with phishing accounting for 93% of those incidents.
Meanwhile, only 29% of businesses conducted any kind of cyber risk assessment. That gap between exposure and preparedness is where real damage happens.
And the financial hit is climbing.
The average cost of the most disruptive breach for UK businesses now stands at £1,600, but for those that suffer a material outcome, such as data loss or financial theft, it rises sharply to £8,260. For SMEs operating on tight margins, that is not a rounding error.
The good news? You do not need to fix everything at once. A phased plan will do just fine.
Year One: Lock Down the Basics
Your first year should focus on the fundamentals. These are low-cost, high-impact actions that address the most common attack vectors.
Start with access controls and credential hygiene. This is where we see businesses fall down time and again.
In recent penetration tests, our team at Fortifi has encountered organisations where employees openly shared login credentials via internal messaging platforms such as Slack and Microsoft Teams. In those cases, our pentesters were able to fully infiltrate the business with minimal resistance. No sophisticated exploit required. Just a password sitting in a chat thread.
Implement multi-factor authentication across every system that supports it. According to the Breaches Survey, only 40% of UK businesses currently use two-factor authentication. That means the majority are leaving their front door unlocked. Pair MFA with a clear policy on how credentials are stored and shared (the short version: they should not be shared at all).
It is worth noting that experienced hackers are becoming increasingly adept at bypassing MFA, so it should be one layer among several rather than your only control against criminal hacking.
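As an added, defender-side example (not Fortifi's code, and not part of the original post): a small scanner that runs over a constructed chat export and flags messages in the shape the pentest finding above describes, with the matched value masked so the report itself does not re-leak it. The message format and the matching rules are assumptions.

```python
import re

# Constructed sample messages (hypothetical), shaped like a Slack/Teams export.
SAMPLE_MESSAGES = [
    {"user": "alice", "channel": "ops",
     "text": "vpn login is admin / Summer2024! if anyone needs it"},
    {"user": "bob", "channel": "ops", "text": "deploy finished, see the runbook"},
    {"user": "carol", "channel": "dev",
     "text": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "dave", "channel": "dev",
     "text": "password reset link sent to the customer"},
]

# Each rule is (name, regex); the first capture group is the secret itself.
RULES = [
    ("password-in-text",
     re.compile(r"\b(?:password|passwd|pwd)\s*(?:is|[:=])\s*(\S+)", re.I)),
    ("login-pair",
     re.compile(r"\b(?:login|creds?|credentials)\s+(?:is|are|[:=])\s*\S+\s*/\s*(\S+)", re.I)),
    ("secret-assignment",
     re.compile(r"\b\w*(?:SECRET|TOKEN|API_?KEY)\w*\s*[:=]\s*([A-Za-z0-9/+_\-]{16,})")),
    ("bearer-token",
     re.compile(r"\bBearer\s+([A-Za-z0-9._\-]{20,})")),
]


def mask(secret: str) -> str:
    """Keep only the first two characters so the finding never repeats the value."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def scan_messages(messages):
    """Return one finding per (message, rule) hit: who, where, which rule, masked value."""
    findings = []
    for msg in messages:
        for name, rule in RULES:
            match = rule.search(msg["text"])
            if match:
                findings.append({"user": msg["user"], "channel": msg["channel"],
                                 "rule": name, "masked": mask(match.group(1))})
    return findings


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"#{finding['channel']} {finding['user']}: {finding['rule']} -> {finding['masked']}")
```

Run it against a real export only with the platform's own export tooling and the agreement of whoever owns the workspace; the point is to measure how often the year-one policy is being broken, not to collect the credentials.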
Beyond access controls, year one is the time to achieve Cyber Essentials certification if you have not already, review your backup procedures, and roll out basic phishing awareness training.
None of this requires a large budget. It requires discipline.
Year Two: Test, Measure, and Tighten
Once the basics are in place, year two is about stress-testing what you have built and closing the gaps you did not know existed.
This is where penetration testing becomes essential. Not as a tick-box exercise, but as a genuine assessment of how your defences hold up under pressure.
A well-scoped pen test will reveal whether the policies you put in place during year one are actually being followed, or whether credentials are still floating around in chat channels and access privileges have quietly crept beyond what is necessary.
Year two is also the time to look at your attack surface from the outside. How much of your infrastructure is visible to an attacker scanning the internet? Are there forgotten subdomains, exposed admin panels, or legacy systems still connected to your network?
Consider introducing regular vulnerability scanning and formalising your incident response plan. Only 22% of UK businesses have a formal cybersecurity incident management plan in place. Writing one does not cost a penny. Not having one when you need it could cost you everything.
Year Three: Build Resilience and Mature Your Approach
By year three, you should be shifting from reactive security to proactive resilience. This does not mean doubling your budget. It means making smarter use of what you already spend.
Look at where your security investment is delivering returns and where it is not. Are you paying for tools nobody uses? Are your staff retaining what they learned in awareness training twelve months ago, or have old habits crept back in? The Breaches Survey found that only 19% of UK businesses provided cybersecurity training in the past year. If you trained your team in year one and never revisited it, you are likely back to square one.
Year three is also where you consider more advanced testing. Red teaming, scenario-based exercises, and supply chain risk assessments all become viable once your foundational controls are mature enough to benefit from them.
These are not luxuries reserved for enterprise organisations. They are the natural next step for any business serious about staying ahead of evolving threats. For example, here at Fortifi, we run mini-red team assessments, which are exactly what they sound like: smaller red team engagements that cut out all of the fluff.
You Do Not Need a Bigger Budget. You Need a Better Plan.
A three-year cybersecurity strategy is not about spending more. It is about spending with purpose. The businesses that get breached are rarely the ones that spent too little. They are the ones who spent without direction, ticking boxes without understanding what those boxes actually protected.
If you are not sure where your organisation stands today, start with a conversation.
A scoped penetration test will show you exactly where your vulnerabilities lie, what an attacker could exploit, and where your current budget is best directed.
At Fortifi, we work with businesses at every stage of their security journey, from first-time pen tests to advanced red team engagements, helping you build a strategy that fits your budget and actually works.
Get in touch with the Fortifi team to discuss where your cybersecurity strategy should start: forti.fi/contact