Risk-Based Cybersecurity: All you need to know

Greg Du-feu

In the latest in our regular series of articles, Greg Du-feu, Managing Director of Dufeu IT, explains how Risk-Based Cybersecurity planning helps protect margins.

Margins in fabrication are tight. Energy costs, material prices, and supply-chain pressures already squeeze profitability. Cybersecurity shouldn’t be another expense—it should be a strategy for protecting what you earn.

A risk-based approach to cybersecurity focuses your investment where it delivers the biggest reduction in risk, rather than spreading budget thinly across every possible threat.

The Problem with “Checkbox” Security

Many SMEs buy tools reactively: antivirus one year, a firewall the next, staff training later. Without strategy, money goes into the wrong places.

A risk-based plan starts by asking:

  • What would hurt us most if it stopped working?
  • What’s most likely to fail or be attacked?
  • What can we afford to fix versus accept?

Step 1: Identify Critical Assets

For a glazing fabricator these include:

  • ERP/order management systems
  • Accounts and payroll data
  • Supplier and customer contact records
  • Workshop PCs controlling production scheduling

These are your “crown jewels.” Protect them first.

Step 2: Assess Threats and Likelihood

Examples:

  • Phishing → high probability, medium impact
  • Ransomware → medium probability, high impact
  • Human error → medium probability, medium impact

Scoring risk this way gives you a heatmap showing where to act first.

Step 3: Prioritise Controls That Reduce Real Risk

Rather than chasing every new tool, invest in controls that directly address your biggest threats:

  • Multi-Factor Authentication for ERP and email.
  • Endpoint Detection & Response (EDR) for all PCs.
  • Off-site immutable backups for critical servers.
  • Phishing simulation training for office staff.

These give the highest “risk-reduction-per-pound-spent.”
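The three steps above (list the crown jewels, score each threat by probability and impact, then rank controls by risk reduction per pound) can be kept as a small, repeatable risk register. The following is an added example, not code from the article or from Dufeu IT; every asset, threat score, control cost and reduction percentage in it is a constructed illustration, not a benchmark figure.

```python
"""Worked risk register: score threats, build the heatmap, and compare
controls by risk reduction per pound spent. All figures are constructed
for illustration (assumption), not measured values."""

from dataclasses import dataclass

# Ordinal scale for probability and impact; score = probability x impact.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    probability: str      # "low" / "medium" / "high"
    impact: str           # "low" / "medium" / "high"
    assets: tuple         # crown-jewel assets the threat would hit

    @property
    def score(self) -> int:
        return LEVEL[self.probability] * LEVEL[self.impact]


@dataclass
class Control:
    name: str
    annual_cost_gbp: int
    reduces: dict         # threat name -> fraction of its score removed


# Constructed sample data (assumption): the article's three example threats.
THREATS = [
    Threat("Phishing", "high", "medium", ("email", "accounts")),
    Threat("Ransomware", "medium", "high", ("ERP", "workshop PCs", "backups")),
    Threat("Human error", "medium", "medium", ("ERP", "accounts")),
]

# Constructed costs and reduction fractions (assumption) for the four
# controls named in Step 3.
CONTROLS = [
    Control("MFA for ERP and email", 1200, {"Phishing": 0.5, "Ransomware": 0.2}),
    Control("EDR on all PCs", 3000, {"Ransomware": 0.4, "Phishing": 0.2}),
    Control("Off-site immutable backups", 2000, {"Ransomware": 0.5}),
    Control("Phishing simulation training", 800, {"Phishing": 0.3, "Human error": 0.4}),
]


def rank_threats(threats):
    """Highest score first; ties keep their original (stable) order."""
    return sorted(threats, key=lambda t: t.score, reverse=True)


def heatmap(threats):
    """Group threat names by (probability, impact) cell of the heatmap."""
    grid = {}
    for t in threats:
        grid.setdefault((t.probability, t.impact), []).append(t.name)
    return grid


def risk_reduction(control, threats):
    """Sum of score points removed across every threat the control touches."""
    by_name = {t.name: t for t in threats}
    return sum(by_name[n].score * frac
               for n, frac in control.reduces.items() if n in by_name)


def reduction_per_pound(control, threats):
    return risk_reduction(control, threats) / control.annual_cost_gbp


def prioritise_controls(controls, threats, budget_gbp):
    """Greedy pick by reduction per pound until the budget is spent.
    Simplification: overlapping reductions on one threat are summed, not
    compounded, so treat the output as a ranking, not an exact residual."""
    chosen, spent = [], 0
    ordered = sorted(controls, key=lambda c: reduction_per_pound(c, threats),
                     reverse=True)
    for c in ordered:
        if spent + c.annual_cost_gbp <= budget_gbp:
            chosen.append(c.name)
            spent += c.annual_cost_gbp
    return chosen, spent


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:<14} {t.probability}/{t.impact} -> score {t.score}")
    for cell, names in heatmap(THREATS).items():
        print(f"heatmap {cell}: {', '.join(names)}")
    for c in CONTROLS:
        print(f"{c.name:<30} {reduction_per_pound(c, THREATS):.4f} per GBP")
    print(prioritise_controls(CONTROLS, THREATS, budget_gbp=5000))
```

With the constructed figures, training and MFA come out ahead of EDR and backups on a per-pound basis, which is the kind of ordering the article's "risk-reduction-per-pound-spent" test is meant to surface; the numbers themselves are the part to replace with your own estimates at each quarterly review.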

Step 4: Align with Business Goals

Cybersecurity isn’t just about defence—it supports growth. Clients and contractors increasingly demand proof of security (Cyber Essentials, ISO 27001, supplier questionnaires). Meeting these standards wins business.

Step 5: Review Quarterly

Your risks change as you add machinery, staff, or new software. Review quarterly and adjust your plan accordingly.

Why This Approach Protects Margins

  • Prevents costly incidents that wipe out profit for the month.
  • Reduces insurance premiums when you can evidence controls.
  • Avoids rework and downtime—the silent killers of margin.
  • Supports sales through compliance credibility.

Real-World Example

A South-East fabricator implemented risk-based controls using this approach. Within six months, phishing incidents dropped by 90%, cyber insurance premiums fell 20%, and they gained a new contract requiring Cyber Essentials Plus certification.

Final Word

You can’t eliminate every risk—but you can make attacks uneconomical for criminals. That’s what risk-based cybersecurity delivers: smarter spending and stronger defence.

Follow Dufeu IT on LinkedIn, connect with me personally, or visit dufeu-it.co.uk/contact to discuss how a risk-based strategy can protect your margins.