Half of UK small businesses were hit by a cyber attack last year. Most had no idea they were exposed. Is yours one of them? →

Your IT isn’t just a cost.
It’s a risk to everything you’ve built.

One breach. One compliance failure. One moment of exposure.
And the business you’ve spent years building is paying the price.

Secure State™ is Inology’s IT security framework for UK small businesses — applied to every managed IT client not to tick a box, but to protect your business, your livelihood, and your ability to operate. Built from 23 years of real incidents. Applied every 90 days, without exception.

Protect Your Business See the Framework
4 Risk
categories covered
90 Days to your
first clear picture
23 Years of real-world
incident response
2 Outcomes.
Protected or exposed.
ISO 9001
ISO 27001
★★★★★ 5.0
★★★★ 4.5 Trustpilot
Cyber Essentials
Microsoft Partner
The Reality
FACT:

Half of UK small businesses were hit by a cyber attack last year.

The average incident costs a small business £10,830 in immediate losses alone — before you count the client trust you’ll spend months trying to rebuild. For some, it’s the bill that ends everything. Secure State exists so that bill never arrives.

Source: GOV.UK Cyber Security Breaches Survey 2025
% of UK businesses experiencing a cyber breach, by size
Breach rate (%)
Why It Exists

The real cost isn’t the breach. It’s what comes after.

Twenty-three years of managed IT across Manchester. The same call, over and over — not from clients who were attacked, but from the ones picking up the pieces afterwards.

“I had no idea we were exposed.”

Lost clients who couldn’t trust them anymore. Regulatory fines they weren’t prepared for. Weeks of downtime they couldn’t afford. None of it was inevitable. All of it was preventable with a strategic framework in place beforehand.

Secure State is that framework.

Without a framework

  • Exposed in ways you don’t know about
  • IT spend is reactive — always firefighting
  • One incident from a bill you can’t absorb

With Secure State

  • Every risk identified, documented, owned
  • IT spend is planned, strategic, justified
  • Peace of mind that’s actually earned
The Framework

Four categories.
One clear standard.

The four areas of small business IT security where a gap stops being a technology problem and starts costing you money, clients, or regulatory standing. Not a government scheme, not a third-party certification. Inology’s own framework — because these are the areas that hurt businesses when they’re not covered.

Category 01
Cyber Security

The gap most exploited. Device security, access controls, threat detection, incident readiness — the criteria that determine whether an attack becomes a crisis or a footnote.

Category 02
IT Strategy

Unplanned IT spend is a silent drain on most small businesses. Strategy, roadmap, vendor relationships, and budget alignment — so your IT investment works for you, not against you.

Category 03
Growth Readiness

IT that can’t keep up with growth costs you time, people, and opportunity. Infrastructure resilience, onboarding efficiency, hybrid working, technology debt — all assessed.

Category 04
Compliance

Regulatory requirements aren’t going away — they’re increasing. GDPR, ICO obligations, audit readiness, policy documentation. Meet them before they become a fine or a client deal-breaker.

The Outcome

Two outcomes.
No grey area.

Most IT reviews leave you with a report you don’t know what to do with. Secure State gives you one of two answers — and if it’s the wrong one, you know exactly what to fix. No jargon. No traffic lights. Just clarity about where your business actually stands.

Not Met
Not Compliant

There are gaps in your business protection. Inology documents exactly what’s missing and why it matters — and those gaps become your roadmap. You know what’s at risk, and you know how to fix it.

Met
Compliant

Every risk area is covered. Your IT is actively managed to a defined standard. You carry the badge with confidence — because it reflects where you genuinely are, not where you hope you are.

Your status is reviewed every 90 days as part of your Inology programme. If you leave the programme, it lapses. That’s intentional — the badge means something because it reflects where you are right now, not where you were two years ago.

Why Every Criterion Exists

Every line in this framework came from a real business losing something.

Money. Clients. Reputation. Weeks of operational downtime. Across 23 years and hundreds of incidents, the same IT security gaps kept appearing in small businesses — preventable failures at real cost. Secure State is the IT security framework built to close them for good.

“We built the standard we wished our clients had been held to before they came to us.”
Referenced against
CIS Controls v8

Globally recognised benchmarks for the attacks that actually target small businesses — used to ensure our Cyber Security criteria catch what attackers exploit.

23 Years in the Field

Every criterion maps to a real incident. A real business paid the price for not having it in place. That’s the only reason it’s in the framework.

CIS Microsoft 365 Benchmark

M365 is the platform most UK small businesses run on — and the most commonly misconfigured. This benchmark directly informs our configuration and access control criteria.

UK Regulatory Landscape

UK GDPR, ICO obligations, and sector requirements that are actively being enforced. The regulatory environment is tightening — Secure State keeps you ahead of it, not caught by it.

Secure State is Inology's own framework. It is not a CIS certification scheme — CIS standards are referenced as a validation layer only.

Meet the Founder

Brett Casterton

Founder & Managing Director, Inology IT.
23 years building and securing Manchester’s small businesses.

Brett started Inology in 2002. He’s sat with business owners who built something real over 20 years — only to watch it unravel in days because their IT wasn’t protected to any defined standard. Secure State is the answer he built so that conversation never has to happen again.

“These are real businesses. Real people’s livelihoods. The technology risk is manageable — but only if you have a framework. Without one, you’re just hoping.”
About Brett →
Brett Casterton, Founder of Inology IT
SECURE STATE COMPLIANT by Inology Awarded to clients who meet the Secure State standard — reviewed every 90 days
The Compliant Badge

Proof your business
is protected.

When you reach Compliant status, you receive the badge. It’s not a certificate you file away — it’s a live signal to clients, insurers, and partners that your IT is actively managed to a defined standard. Something you can actually point to.

The moment your status lapses, the badge comes down. That’s what gives it weight — it always reflects where you are now, not where you were when you last thought about it.

Behind the badge: documented policies your staff sign. Controls you can hand to an insurer without hesitation. Evidence a new enterprise client can check before they commit. Secure State doesn’t just protect your business — it makes that protection visible.

Reviewed every 90 days

See how the programme works — or just get in touch.

See How the Programme Works ↓
How It Works

Built into your
Inology programme.

Secure State isn’t something you buy separately or book as a one-off. It’s the standard built into every Inology managed IT engagement — applied from day one of onboarding.

01

Applied During Onboarding

From day one of your Inology programme, the Secure State framework is applied across all four categories. It’s how we establish your baseline — not a separate exercise, just how we start.

02

Gaps Become the Plan

Any unmet criteria are documented and fed directly into your IT roadmap. Your Inology team works through them as part of normal service delivery — no separate project, no extra cost.

03

Reviewed Every 90 Days

The framework is revisited every 90 days as part of your programme — same standard, every time. Progress is measured, gaps are closed, and your status is updated to reflect where you actually are.

04

Compliant Status Awarded

Once all criteria are met, Compliant status is confirmed and the badge is issued. It reflects where you are right now — maintained through your ongoing programme, not frozen at a point in time.

Questions

Things people ask.
Answers that don't dodge.

We've heard every version of these. Here's what we actually say.

What exactly is Secure State?

It’s a strategic framework built to protect your business — not just your IT. Four categories: Cyber Security, IT Strategy, Growth Readiness, and Compliance. Each one represents an area where a gap stops being an IT problem and starts costing you money, clients, or regulatory standing. Not a government scheme. Not a third-party cert. The standard built into every Inology managed IT programme — because this is what protecting a real business actually looks like.

How is it different from Cyber Essentials or ISO 27001?

CE and ISO are external schemes with certification bodies, annual fees, and point-in-time audits. Secure State is Inology’s own standard — broader, continuous, and built from 23 years of actually fixing the things those audits missed. You can hold CE and still fail Secure State. You can pass Secure State and not have CE. They’re different tools for different conversations.

Who runs the framework review — us or Inology?

Inology runs it — with you. It’s not a portal, not a self-serve checklist, not a spreadsheet you fill in alone at 11pm. An Inology team member works through the framework with you as part of the TAM/vCIO process — embedded into onboarding and every 90-day review. Not a bolt-on. Not a one-off. Part of how Inology manages your IT. You’ll probably learn something about your own setup.

What happens if we're Not Compliant?

You get a clear picture of your exposure — not a vague summary, but a specific breakdown of exactly what isn’t covered, why it matters to your business, and what addressing it looks like. Those gaps go straight into your 90-day roadmap. Most clients reach Compliant within one or two cycles. The ones who find it hardest are usually the ones who were most confident going in.

Does the badge lapse if we stop working with Inology?

Yes. And we make no apology for that. A badge that never expires isn’t a standard — it’s a sticker. The Compliant status is tied to the 90-day cycle. Stop the cycle, the status lapses. It’s the same reason your car insurance renews annually. The thing it’s protecting doesn’t stop changing.

Is Secure State just a framework review, or is there more to it?

Much more. The framework review is the surface. Beneath it: a full set of IT security policies your team can actually read, understand, and sign. Checklists with ownership. Documented controls. Evidence packs. The kind of paper trail that makes an insurer relax, makes an enterprise procurement team stop asking questions, and makes an auditor genuinely bored. Secure State isn’t something you do once and file away. It’s the standard your Inology programme operates to — continuously.

What if we already think we’re pretty secure?

Then you’ll either confirm it — which is genuinely useful — or you’ll find the two or three things you missed, which is even more useful. We’ve applied this framework with businesses that had recent CE certification, a full-time IT manager, and a very confident MD. They found gaps. Not catastrophic ones, but real ones. The businesses that worry us least are the ones who say “we think we’re fine” and then want to find out for certain.

Protect Your Business

Find out where
your business is exposed.

Most business owners don’t know what an IT gap would actually cost them. Secure State changes that — applied as part of your Inology programme from day one, so the risk is identified before it becomes a bill. Leave your details and someone from the team will reach out.

  • Understand where your business is exposed
  • See how the 90-day programme protects you
  • No obligation, no sales script
0161 503 3535 Send us a message →

We respond within one business day. Your details are never shared.

By submitting this form you confirm you have read and agree to our Privacy Policy. We will use your details to respond to your enquiry and may follow up by phone or email. You can withdraw consent at any time by contacting us via this page or in writing to our registered office.