The Reality of Cyber Threats for Small Businesses
Let's start with some uncomfortable truths. Small businesses are prime targets for cyber criminals—not despite being small, but because of it. Attackers know that small businesses often have weaker security than large corporations, yet they still have valuable data, bank accounts, and customer information worth stealing.
The good news? Most cyber attacks against small businesses use simple techniques that can be stopped with basic precautions. You don't need expensive security software or a dedicated IT team. You need to get the fundamentals right.
This guide focuses on what actually works for small businesses with limited time and budget. We'll skip the enterprise-level advice and concentrate on practical steps you can implement this week.
The Threats You're Most Likely to Face
Understanding what you're protecting against helps you focus your efforts:
Phishing Emails
The number one threat to small businesses. These are fake emails designed to trick you into revealing passwords, making payments to criminals, or installing malware. They often impersonate banks, suppliers, or even colleagues.
Modern phishing emails can be very convincing. They might use your company name, reference real invoices, or appear to come from someone you know. The criminals do their research.
Ransomware
Malicious software that encrypts your files and demands payment to unlock them. Even if you pay (which authorities advise against), there's no guarantee you'll get your data back. For many small businesses, losing all their files would be catastrophic.
Business Email Compromise
Criminals gain access to a business email account and use it to redirect payments, steal information, or attack other businesses. They might change bank details on invoices or impersonate the boss to authorise fraudulent transfers.
Password Attacks
Using stolen or guessed passwords to access your accounts. If you use the same password across multiple services, a breach at one company can give criminals access to all your accounts.
Invoice Fraud
Criminals pose as suppliers and send fake invoices with their bank details instead of the real supplier's. They often intercept genuine invoices and modify just the payment details.
The Absolute Essentials: Start Here
If you do nothing else, do these five things:
1. Use Strong, Unique Passwords
Every account should have a different password. Yes, this is annoying. Use a password manager to make it manageable.
A good password is long (at least 12 characters) and doesn't use obvious information like birthdays or pet names. The National Cyber Security Centre suggests using three random words together—something like "correct-horse-battery" is actually stronger than "P@ssw0rd123" and easier to remember.
Recommended password managers for small businesses:
- Bitwarden (free for individuals, affordable for teams)
- 1Password (excellent business features)
- LastPass (widely used, business plans available)
2. Turn On Two-Factor Authentication
Two-factor authentication (2FA) means you need both your password AND a code from your phone to log in. Even if someone steals your password, they can't access your account without your phone.
Enable 2FA on:
- Email (absolutely critical)
- Banking and financial services
- Social media accounts
- Cloud storage
- Any service containing sensitive data
Most services now offer 2FA for free. It takes five minutes to set up and stops the vast majority of account hijacking attempts.
3. Keep Software Updated
Software updates often fix security vulnerabilities. When you ignore that "Update available" notification, you're leaving your door unlocked.
Set Windows and Mac computers to update automatically. Keep your phone updated. Update your web browser. If you use WordPress, keep it and your plugins updated.
Yes, updates are occasionally inconvenient. They're far less inconvenient than recovering from a cyber attack.
4. Back Up Your Data
If ransomware encrypts your files, backups are your lifeline. If your laptop is stolen, backups save your business. If someone accidentally deletes important files, backups fix it.
Follow the 3-2-1 rule:
- 3 copies of important data
- 2 different storage types (e.g., cloud and external drive)
- 1 copy offsite (cloud storage counts)
For most small businesses, a combination of cloud storage (OneDrive, Google Drive, or Dropbox) plus occasional backups to an external hard drive works well. Test your backups regularly by actually restoring files—a backup you can't restore is worthless.
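The restore test the paragraph asks for can be automated. The following is an added example, not code from this guide: it hashes every file in the live folder and in the restored copy and reports anything missing or changed. The folder names and file contents in `demo` are constructed; point `verify_restore` at your real folders to use it.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def verify_restore(original: Path, restored: Path) -> dict:
    """Compare a restored copy against the originals it should reproduce."""
    src, dst = file_hashes(original), file_hashes(restored)
    return {
        "missing": sorted(set(src) - set(dst)),
        "corrupt": sorted(p for p in src if p in dst and src[p] != dst[p]),
        "ok": sorted(p for p in src if dst.get(p) == src[p]),
    }


def restore_test_passed(report: dict) -> bool:
    return not report["missing"] and not report["corrupt"]


def demo() -> dict:
    """Constructed scenario: back up a folder, restore it, then verify the restore.
    One file is deliberately damaged so the report shows what a failed test looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        restored = Path(tmp) / "restored"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2024-05.csv").write_text("ref,amount\nINV-1,120.00\n")
        (live / "customers.txt").write_text("constructed sample customer list\n")
        shutil.copytree(live, backup)        # the backup step
        shutil.copytree(backup, restored)    # the restore step
        (restored / "customers.txt").write_text("truncated")   # simulate a bad restore
        return verify_restore(live, restored)


if __name__ == "__main__":
    report = demo()
    print(report)
    print("restore test passed:", restore_test_passed(report))
```

Run it after each restore drill; a report with anything under "missing" or "corrupt" means the backup cannot yet be relied on.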
5. Train Your Team
The best security technology is useless if someone clicks a malicious link or shares their password. Brief, regular security awareness makes a huge difference.
Key points for team training:
- How to spot phishing emails (urgency, unusual requests, dodgy links)
- Never share passwords
- Verify unusual payment requests by phone (using a known number, not one from the email)
- Report suspicious emails rather than just deleting them
- What to do if they think they've clicked something bad
The NCSC offers free resources for small business security awareness training.
Dealing with Email Security
Email is both essential for business and the main attack vector for criminals. Here's how to make it safer:
Use a Business Email Provider
Microsoft 365 and Google Workspace include spam filtering, malware scanning, and security features that free email services don't provide. They're also much more professional than using Gmail or Outlook.com addresses for business.
Be Suspicious of Payment Requests
Any email asking you to change payment details, make urgent transfers, or pay invoices to new bank accounts should be verified by phone. Call the person or company using a number you know is genuine—not one provided in the email.
Check Before You Click
Hover over links to see where they actually go before clicking. If an email from "Microsoft" wants you to click a link that goes to "microsoft-account-verify-12345.com", that's not Microsoft.
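The two checks described here and in the training points above (does the link really go to the company it claims, and does the message push urgency) can be written down. This is an added example, not code from the guide: it pulls the links out of a message, compares where each one actually goes against the domain you expect, and lists urgency phrases. The sample message is constructed to match the article's "microsoft-account-verify-12345.com" illustration; the short list of two-label suffixes is an assumption standing in for the full Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not a real phishing email.
SAMPLE_HTML = """
<p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<a href="https://microsoft-account-verify-12345.com/login">https://account.microsoft.com/verify</a>
<a href="https://www.microsoft.com/en-gb/">Microsoft home</a>
"""

URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "final notice")

# Assumed subset of multi-label public suffixes, so "shop.example.co.uk" yields "example.co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.nz"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """The part of a host name that someone actually registered (the 'real' domain)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_warnings(href: str, text: str, expected_domain: str) -> list:
    warnings = []
    actual = registrable_domain(urlparse(href).hostname or "")
    if actual != expected_domain:
        warnings.append(f"link goes to {actual}, not {expected_domain}")
    # Visible text that looks like a URL but points elsewhere is a classic trick.
    if text.startswith(("http://", "https://")):
        shown = registrable_domain(urlparse(text).hostname or "")
        if shown != actual:
            warnings.append(f"text shows {shown} but link goes to {actual}")
    return warnings


def analyse(html: str, expected_domain: str) -> dict:
    """Report per-link warnings and any urgency language in the message."""
    parser = LinkCollector()
    parser.feed(html)
    lowered = html.lower()
    return {
        "links": {href: link_warnings(href, text, expected_domain) for href, text in parser.links},
        "urgency": [w for w in URGENCY_WORDS if w in lowered],
    }


if __name__ == "__main__":
    for href, warnings in analyse(SAMPLE_HTML, "microsoft.com")["links"].items():
        print(href, "->", warnings or "looks consistent")
```

The first link fails both tests (wrong domain, and the text shows a different address from the one it opens); the second passes. The urgency list gives staff a second signal, but the domain mismatch is the decisive one.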
Don't Open Unexpected Attachments
Be especially wary of unexpected attachments, even from known contacts. If in doubt, check with the sender through another channel.
Set Up Email Authentication
If you have your own domain for email, set up SPF, DKIM, and DMARC. These technical measures help prevent criminals from sending emails that appear to come from your domain. Your email provider or IT support can help with this.
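Once the records are published, it helps to know whether they are actually set to a strength that stops forgeries. The following is an added example (not code from the guide, and not a substitute for your provider's guidance) that reads the text of SPF, DKIM and DMARC records and flags weak settings; the two record sets for the hypothetical "example.com" are constructed to show a weak configuration beside a hardened one. You can obtain your own records with `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
# Constructed sample records for a hypothetical domain.
WEAK = {
    "example.com": "v=spf1 include:_spf.example-mail.net ~all",
    "_dmarc.example.com": "v=DMARC1; p=none",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}
HARDENED = {
    "example.com": "v=spf1 include:_spf.example-mail.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB",  # constructed stub
}


def _is_lookup(term: str) -> bool:
    """SPF mechanisms that cost a DNS lookup (RFC 7208 allows at most 10)."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx") or t.startswith(("a:", "a/", "mx:", "mx/", "include:", "exists:", "redirect="))


def check_spf(record: str) -> list:
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: anyone can send mail claiming to be this domain"]
    findings = []
    terms = record.split()
    if "+all" in terms or "all" in terms:
        findings.append("'+all' authorises every sender on the internet")
    elif "?all" in terms:
        findings.append("'?all' is neutral: unauthorised senders are not failed")
    elif "~all" in terms:
        findings.append("'~all' only soft-fails forgeries; use '-all' once all real senders are listed")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism: record does not reject unknown senders")
    if sum(1 for t in terms if _is_lookup(t)) > 10:
        findings.append("more than 10 DNS lookups: receivers will treat the record as an error")
    return findings


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' records (DMARC and DKIM use this layout)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forgeries to spam; move to p=reject when reports look clean")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    return findings


def check_dkim(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DKIM1":
        return ["no DKIM record at this selector: signatures cannot be verified"]
    if not tags.get("p"):
        return ["empty p= tag: the key has been revoked, signed mail will fail"]
    return []


def audit(records: dict, domain: str, selector: str) -> dict:
    return {
        "spf": check_spf(records.get(domain, "")),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", "")),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(recs, "example.com", "sel1"))
```

The weak set gets three findings (soft-fail SPF, monitor-only DMARC with no reporting address, empty DKIM key); the hardened set gets none. Moving from `p=none` to `p=reject` is normally done in stages after reviewing the aggregate reports, which is why the checker calls that out rather than treating `quarantine` as an error.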
Protecting Your Devices
Antivirus Software
Windows includes Windows Defender, which is actually quite good for basic protection. Make sure it's enabled and up to date. For additional protection, paid options like Bitdefender or Norton offer more features.
Mac users aren't immune to malware—consider security software if you handle sensitive data.
Encryption
Enable full-disk encryption on laptops. If a laptop is stolen, this means thieves can't access the data without your password. Windows has BitLocker (on Pro and Enterprise editions), and Mac has FileVault. Both are free and built-in.
Screen Locks
Set devices to lock automatically after a few minutes of inactivity. Use PINs or passwords, not swipe patterns (too easy to observe and copy).
Lost Device Procedures
Know how to remotely wipe devices if they're lost or stolen. Microsoft 365 and Google Workspace both offer this capability. Set it up before you need it.
Separate Personal and Business
Ideally, use separate devices for work and personal use. If that's not practical, at least use separate browser profiles and don't mix business and personal accounts on the same services.
Network and Wi-Fi Security
Secure Your Office Wi-Fi
- Change the default router password (criminals know all the default passwords)
- Use WPA3 encryption if available, WPA2 at minimum (never WEP)
- Use a strong Wi-Fi password
- Consider a separate network for guests
Be Careful on Public Wi-Fi
Public Wi-Fi at cafés, hotels, and airports is convenient but risky. Avoid accessing sensitive accounts or making financial transactions on public networks. If you must, use a VPN (Virtual Private Network) to encrypt your connection.
Home Working Security
If staff work from home, ensure they follow basic security practices:
- Secure home Wi-Fi with strong passwords
- Update their home router firmware
- Don't let family members use work devices
- Be aware of who might see their screen
What to Do If Something Goes Wrong
Despite your best efforts, security incidents can still happen. Being prepared helps you respond quickly and limit damage.
If You Think You've Been Phished
- Immediately change your password for that account
- Enable two-factor authentication if you haven't already
- Check for any suspicious activity in the account
- If it's a financial account, contact your bank immediately
- Alert your team so they can watch for related attacks
If You Suspect Ransomware
- Disconnect the affected computer from the network immediately
- Don't turn it off (this might destroy evidence)
- Contact professional IT support or the police
- Don't pay the ransom—there's no guarantee you'll get your data back, and it funds further crime
- Restore from backups (this is why backups are so important)
If Money Has Been Stolen
- Contact your bank immediately—quick action may recover funds
- Report to Action Fraud (0300 123 2040 or actionfraud.police.uk)
- Preserve evidence (emails, transaction records)
- Review how it happened to prevent recurrence
Reporting Cyber Crime
- Action Fraud: actionfraud.police.uk or 0300 123 2040
- NCSC: ncsc.gov.uk/section/about-this-website/report-a-cyber-incident
- Your bank if financial services are affected
Cyber Essentials: The Government-Backed Standard
Cyber Essentials is a government-backed certification scheme that helps organisations protect against the most common cyber attacks. It's particularly relevant for small businesses.
What It Covers
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Security update management
Why Get Certified
Besides improving your actual security, Cyber Essentials certification:
- Is required for many government contracts
- Demonstrates security commitment to customers
- Comes with cyber liability insurance (up to £25,000)
- Provides a framework for security improvement
How to Get It
Cyber Essentials involves an online self-assessment questionnaire and costs from around £300. Cyber Essentials Plus adds an independent technical verification and costs from around £1,500.
Many small businesses can complete basic Cyber Essentials themselves. The NCSC website has guidance and a list of approved certification bodies.
Building Good Security Habits
Security isn't a one-time project—it's an ongoing habit. Here's how to make it sustainable:
Monthly Security Check
- Review who has access to what systems
- Check for any unusual account activity
- Ensure all devices are up to date
- Verify backups are working
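The first two items of the monthly check, and the "disable accounts when someone leaves" point, can be run against a user export from your email or cloud admin console. This is an added example, not code from the guide: the CSV layout and the five accounts in it are constructed, and the 90-day inactivity threshold is an assumption you can change.

```python
import csv
import io
from datetime import date

# Constructed sample export; real consoles produce similar columns under different names.
ACCOUNTS_CSV = """user,admin,enabled,last_login,left_company
alice@example.com,yes,yes,2024-05-28,no
bob@example.com,no,yes,2024-01-10,no
carol@example.com,yes,yes,2023-11-02,yes
dave@example.com,no,yes,2024-05-30,no
erin@example.com,no,no,2023-03-15,yes
"""


def review_accounts(csv_text: str, today: date, inactive_days: int = 90) -> dict:
    """Flag enabled admin accounts, leavers still enabled, and dormant enabled accounts."""
    findings = {"admins": [], "leavers_enabled": [], "inactive": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        enabled = row["enabled"] == "yes"
        if not enabled:
            continue  # disabled accounts are already dealt with
        if row["admin"] == "yes":
            findings["admins"].append(user)
        if row["left_company"] == "yes":
            findings["leavers_enabled"].append(user)  # should have been disabled on departure
        elif (today - date.fromisoformat(row["last_login"])).days > inactive_days:
            findings["inactive"].append(user)  # unused accounts are an easy way in
    return findings


def actions(findings: dict) -> list:
    """Turn the findings into a short to-do list for the monthly review."""
    todo = [f"disable {u} (left the company)" for u in findings["leavers_enabled"]]
    todo += [f"confirm {u} still needs an account (no login in the review period)" for u in findings["inactive"]]
    if len(findings["admins"]) > 2:
        todo.append(f"{len(findings['admins'])} admin accounts: confirm each one needs full rights")
    return todo


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS_CSV, date.today())
    print(report)
    for line in actions(report):
        print("-", line)
```

Running it with a fixed review date of 1 June 2024 flags carol (left but still enabled, and an admin) and bob (no login since January); erin is skipped because her account is already disabled.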
When Staff Join or Leave
- Set up accounts with appropriate access (don't give everyone admin rights)
- Provide security training on day one
- Immediately disable accounts when someone leaves
- Change shared passwords they knew
Ongoing Awareness
- Share news about relevant threats (especially new phishing campaigns)
- Encourage reporting of suspicious emails
- Celebrate good security behaviour rather than just punishing mistakes
- Review and update security practices annually
Getting Help
Free Resources
- NCSC Small Business Guide: ncsc.gov.uk/smallbusiness
- Action Fraud: actionfraud.police.uk
- Get Safe Online: getsafeonline.org
Professional Help
- Local IT support companies
- Cyber security consultants (get recommendations and check credentials)
- Managed security service providers
For most small businesses, the basics covered in this guide are sufficient. If you handle particularly sensitive data (healthcare, financial services, legal) or have been targeted before, consider professional security assessment.
The Bottom Line
Cyber security doesn't have to be complicated or expensive for small businesses. The criminals targeting you are mostly using simple techniques that basic precautions can stop.
Focus on getting the fundamentals right: strong passwords, two-factor authentication, software updates, backups, and staff awareness. These five things will protect you from the vast majority of attacks.
Perfect security is impossible, but good enough security is achievable for every small business. Start with one improvement this week, and build from there.