The Reality of Small Business Security
You Are a Target
Common myths:
- 'We're too small to be targeted'
- 'We don't have anything worth stealing'
- 'Hackers only go after big companies'
Reality:
- A large share of attacks hit small businesses (a widely cited survey figure is 43%)
- Small businesses are often easier targets (less security, and nobody watching the logs)
- Criminals don't care about your size; they care about your vulnerabilities
- Automated attacks (port scanners, credential-stuffing bots, mass phishing) hit everyone with weak defences, whether or not anyone chose you
The Good News
Most attacks succeed because of basic security failures:
- Weak passwords
- Missing updates
- No backups
- Human error (clicking phishing links)
Getting the basics right blocks the great majority of these opportunistic attacks, which are what small businesses mostly face. You don't need expensive enterprise security; you need consistent fundamentals.
The Essential Security Checklist
1. Strong, Unique Passwords
The problem: Most people use weak passwords, and reuse them everywhere. One breach exposes all accounts.
The solution:
Use a password manager:
- Bitwarden (free/premium)
- 1Password (paid)
- LastPass (free/premium; note that it suffered a breach in 2022 in which customers' encrypted vaults were stolen, so weigh that before choosing it)
Password rules:
- Minimum 12 characters (longer is better)
- Different password for every account
- Let the password manager generate random passwords
- You only memorise one master password; make it a passphrase of four or more unrelated words, and never reuse it anywhere else
Priority accounts:
- Email (if compromised, everything else follows)
- Banking and financial
- Accounting software
- Domain registrar
- Any admin accounts
2. Two-Factor Authentication (2FA)
What it is: After entering your password, you prove your identity a second way: a code from an authenticator app, a text message, or a tap on a hardware key.
Why it matters: A stolen or guessed password on its own is no longer enough to get in. One caveat: a code you type can still be phished in real time by a fake login page that relays it to the real site within the same 30-second window, so check the address before typing a code, prefer an app over SMS, and use a hardware key where the service offers one, because a key only answers the genuine site.
Enable 2FA on:
- Email (critical—email resets other passwords)
- Banking
- Cloud services (Microsoft 365, Google Workspace)
- Domain registrar
- Hosting accounts
- Social media
- Accounting software
- Password manager
Best 2FA options, strongest first:
1. Hardware security key (YubiKey or similar): phishing-resistant, because the key is bound to the real site's address; a little more setup, and buy a spare
2. Authenticator app (Microsoft Authenticator, Google Authenticator, Authy): strong, and free; codes can still be phished in real time, so check the site address before typing one
3. SMS codes: better than nothing, but exposed to SIM swapping and relay phishing; use only where nothing else is offered
3. Keep Everything Updated
Why it matters: Updates fix security vulnerabilities. Unpatched software is one of the most common ways attackers and malware get in, and working exploit code for a published fix often circulates within days of the patch.
Keep updated:
- Operating systems (Windows, macOS)—enable automatic updates
- Browsers (Chrome, Firefox, Edge)—update automatically
- Applications (Office, Adobe, etc.)—check monthly
- Plugins and extensions—remove unused ones
- Router firmware—check quarterly
- Website software (WordPress plugins, themes)
Retire old software:
- Windows 7, 8 and 8.1: unsupported, receive no security fixes, a standing risk
- Windows 10: Microsoft's support ends in October 2025; plan the move to Windows 11 (or paid extended updates) before then
- Old applications: if not updated in years, replace them
4. Reliable Backups
Why it matters: Backups make you resilient. Ransomware? Restore from backup. Hard drive failure? Restore from backup. Accidental deletion? Restore from backup.
Backup requirements:
- Automated (don't rely on remembering)
- Regular (daily for critical data)
- Offsite (cloud backup or rotated drives)
- At least one copy that ransomware on your network cannot reach or alter: a drive that is unplugged between backups, or a cloud service with versioning, so an encrypted or deleted file can be rolled back
- Tested (verify you can actually restore, not just that the job reports success)
Simple setup:
- Cloud backup service (Backblaze £6/computer/month)
- Plus external drive for local backup
- Test restoration quarterly
See our dedicated backup guide for details.
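"Tested" means more than watching the backup job finish. The added example below (not from the guide or any backup product) shows one way to make a quarterly restore test objective: record a SHA-256 manifest of the live files when the backup runs, then after restoring to a scratch folder, check every file against that manifest. The scenario it runs is constructed in a temporary directory: three files, one backup copy, then one file corrupted and one missing.

```python
# Added example (not from the original guide): a checksum manifest taken at backup time, and a restore
# check that proves the restored files are the ones you backed up. Standard library only.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative (POSIX-style) path to its SHA-256.
    Keep the manifest with the backup AND somewhere the backup job can't overwrite."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest. Anything under 'changed' or 'missing'
    means that backup cannot be trusted, however green the job's status light was."""
    report: dict[str, list[str]] = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    current = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three business files, a backup copy, then silent corruption and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (live / "contracts.txt").write_text("signed contract text")
        (live / "notes.txt").write_text("meeting notes")
        manifest = build_manifest(live)                      # taken when the backup runs

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)                        # stands in for the real backup job
        (backup / "contracts.txt").write_text("garbage")     # bad disk or ransomware touched the copy
        (backup / "notes.txt").unlink()                      # never made it into the backup

        return verify_restore(backup, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10} {files}")
```

The real version of this is the same two functions pointed at your live data folder and at the folder you restored into; a report with nothing under changed, missing or unexpected is the evidence to file for the quarterly test.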
5. Email Security
Why it matters: Email is the main attack vector. Phishing leads to credential theft, malware, and business email compromise.
Technical measures:
- Use business email with good filtering (Microsoft 365, Google Workspace)
- Configure SPF, DKIM, DMARC (your email provider can help)
- Block dangerous attachment types
- Consider advanced email security for higher risk
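Your provider will publish the SPF, DKIM and DMARC records for you, but it helps to know what a good one looks like. The added example below, not code from the guide, checks records offline for the mistakes that matter most: an SPF record ending in +all (which authorises the whole internet to send as you) or with too many DNS lookups, a DMARC record stuck on p=none or with no reporting address, and a DKIM record with an empty key. The records it runs on are constructed for a hypothetical domain; in practice paste in the TXT records that `nslookup -type=TXT example.com`, `nslookup -type=TXT _dmarc.example.com` and `nslookup -type=TXT <selector>._domainkey.example.com` return.

```python
# Added example (not from the original guide): offline sanity checks for SPF, DKIM and DMARC TXT records.
# All records below are constructed, not real DNS data.
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _needs_dns_lookup(term: str) -> bool:
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
    return name in LOOKUP_MECHANISMS


def check_spf(txt: str) -> list[str]:
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    lookups = sum(1 for t in terms[1:] if _needs_dns_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 allows 10, so receivers return permerror")
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result rather than failing")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral; use '~all' (softfail) or '-all' (fail)")
    return findings


def _parse_tags(txt: str) -> dict[str, str]:
    """DKIM and DMARC share the 'tag=value; tag=value' syntax."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list[str]:
    findings = []
    tags = _parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid and receivers ignore it")
    elif policy == "none":
        findings.append("p=none only monitors; move to p=quarantine, then p=reject, once reports show your real mail passes")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports and can't see who is spoofing you")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


def check_dkim(txt: str) -> list[str]:
    tags = _parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional in DKIM key records
        return ["not a DKIM record"]
    if not tags.get("p"):
        return ["empty or missing p= (public key); an empty p= means the key is revoked"]
    return []


# Constructed records for a hypothetical domain.
WEAK_SPF = "v=spf1 a mx +all"
GOOD_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
GOOD_DKIM = "v=DKIM1; k=rsa; p=BASE64PUBLICKEYHERE"   # placeholder in place of a real key


def audit(spf: str, dmarc: str, dkim: str) -> dict[str, list[str]]:
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc), "dkim": check_dkim(dkim)}


if __name__ == "__main__":
    for label, result in audit(WEAK_SPF, WEAK_DMARC, GOOD_DKIM).items():
        print(label, result or ["ok"])
```

A clean audit is not the end of the job: DMARC only protects your domain from being spoofed to others, and it does nothing against a phishing email sent from a look-alike domain, which is why the staff measures below still matter.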
Human measures:
- Train staff to recognise phishing
- Establish verification procedures for payment requests
- Create culture where reporting suspicious emails is encouraged
See our phishing guide for details.
6. Device Security
Computers:
- Use antivirus (business-grade recommended)
- Enable firewall (usually on by default)
- Encrypt hard drives (BitLocker on Windows, FileVault on Mac)
- Enable auto-lock (screen locks after inactivity)
- Don't use admin accounts for daily work
Mobile devices:
- Enable device lock (PIN, fingerprint, face)
- Enable remote wipe capability
- Keep updated
- Be careful with app permissions
- Consider mobile device management (MDM) for business phones
All devices:
- Know where devices are
- Have process for lost/stolen devices
- Wipe devices before disposal
7. Network Security
Router/WiFi:
- Change the default admin password
- Use WPA3, or WPA2 with AES/CCMP (never WEP, and not the older WPA/TKIP)
- Use a strong WiFi password, and don't pin it up where visitors can photograph it
- Create a separate guest network so visitors' devices can't reach office systems
- Turn off WPS and remote (internet-side) administration of the router
- Update firmware
Remote access:
- Use a VPN for remote access to office resources, with 2FA on the VPN login itself
- Never expose Remote Desktop (RDP), file sharing (SMB) or database ports directly to the internet; they are scanned constantly and exposed RDP is a leading way ransomware gets in
- Disable unused services and remove port-forwarding rules you no longer need
Physical:
- Secure server/networking equipment
- Don't leave screens visible to visitors
- Shred sensitive documents
8. Access Control
Principle of least privilege: People should only have access to what they need for their job.
Practical steps:
- Don't give everyone admin rights
- Remove access when people leave
- Review access periodically (who has access to what?)
- Use role-based access where possible
- Separate personal and work accounts
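"Review access periodically" is vague until you decide what the review looks for. The added example below, not code from the guide, is a minimal review over a constructed account export: it flags accounts belonging to people who have left, admin roles nobody has signed off, and accounts nobody has used in 90 days. Real input would be the user and role export from the Microsoft 365 or Google Workspace admin console plus the HR starter/leaver list; every name, system, role and date here is made up, and the "admin_allowed" list is an assumed record of who genuinely needs admin rights.

```python
# Added example (not from the original guide): a periodic access review run over a constructed
# account export. Names, systems and dates are invented for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user: str        # login name as it appears in the system
    system: str      # which system the account lives on
    role: str        # privilege level as the system reports it
    last_login: date


def review_access(accounts, current_staff, admin_allowed, today, dormant_days=90):
    """Return (user, system, problem, action) tuples for three least-privilege failures:
    accounts for people who have left, admin rights nobody signed off, and accounts nobody uses."""
    findings = []
    for a in accounts:
        if a.user not in current_staff:
            findings.append((a.user, a.system, "not on the current staff list",
                             "disable now; delete after the retention period"))
            continue  # the leaver finding outranks anything else about this account
        if "admin" in a.role.lower() and a.user not in admin_allowed:
            findings.append((a.user, a.system, f"holds '{a.role}' without a recorded need",
                             "downgrade to a standard user; use a separate admin account if really required"))
        idle_days = (today - a.last_login).days
        if idle_days > dormant_days:
            findings.append((a.user, a.system, f"no login for {idle_days} days",
                             "confirm it is still needed or disable it"))
    return findings


# Constructed inputs.
CURRENT_STAFF = {"alice", "bob", "carol"}          # from HR, as of the review date
ADMIN_ALLOWED = {"alice"}                          # assumed record of who actually needs admin rights
ACCOUNTS = [
    Account("alice", "Microsoft 365", "Global Administrator", date(2024, 5, 30)),
    Account("bob", "Microsoft 365", "Exchange Administrator", date(2024, 5, 29)),
    Account("dave", "Microsoft 365", "User", date(2024, 1, 10)),          # left in February, never disabled
    Account("carol", "Accounting", "User", date(2024, 2, 1)),             # hasn't touched the system in months
    Account("shared-reception", "Microsoft 365", "User", date(2024, 5, 30)),  # generic login, no named owner
]


def run_review(today=date(2024, 6, 1)):
    return review_access(ACCOUNTS, CURRENT_STAFF, ADMIN_ALLOWED, today)


if __name__ == "__main__":
    for user, system, problem, action in run_review():
        print(f"{user:18} {system:14} {problem:50} -> {action}")
```

The shared "reception" login is flagged because it is on nobody's staff record; that is deliberate, since a login several people know is exactly the account that survives a leaver unchanged.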
9. Staff Awareness
Technical controls aren't enough. People are usually the weakest link—and can be the strongest defence.
Essential training topics:
- Recognising phishing emails
- Password hygiene
- Safe browsing habits
- What to do if something seems wrong
- Reporting without fear of punishment
Training options:
- NCSC free resources (ncsc.gov.uk)
- Commercial training (KnowBe4, Proofpoint)
- Regular reminders and examples
10. Incident Response Plan
Before something happens:
- Know who to call (IT support, insurance, authorities)
- Know what to do first (disconnect, don't panic)
- Have key information accessible (not only on potentially compromised systems)
Basic plan:
1. Recognise something is wrong
2. Contain (disconnect affected systems)
3. Assess (what happened, what's affected)
4. Respond (clean up, restore, investigate)
5. Recover (return to normal operations)
6. Learn (what changes prevent recurrence)
Document:
- Key contacts (IT, insurance, bank fraud line, Action Fraud for reporting the crime)
- Critical system information
- Backup access procedures
- Notification requirements (UK GDPR requires you to report a qualifying personal-data breach to the ICO within 72 hours of becoming aware of it; customers and partners may need telling where their data or payments are affected)
Quick Wins: Start Here Today
This Week
1. Install a password manager and start using it
2. Enable 2FA on email (this one thing prevents many attacks)
3. Check backups are running (or set them up)
4. Enable auto-updates on all computers
5. Change default passwords on router and any default accounts
This Month
1. Enable 2FA on all critical accounts
2. Run security updates on all devices
3. Review who has access to critical systems
4. Brief staff on phishing basics
5. Test backup restoration on one file
This Quarter
1. Full security review (use NCSC small business guide)
2. Staff security training (formal or informal)
3. Review and update incident response contacts
4. Check cyber insurance (do you have it? is it adequate?)
5. Test full system restoration from backup
Security Investment Guide
Minimal Budget (DIY)
| Item | Cost |
|---|---|
| Password manager (Bitwarden) | Free |
| 2FA (Authenticator app) | Free |
| Windows Defender | Free |
| Manual security practices | Time |
| Total | £0 |
Recommended Budget (Small Business)
| Item | Annual Cost |
|---|---|
| Password manager (business) | £30-50/user |
| Antivirus (business) | £30-50/user |
| Cloud backup | £70/computer |
| Staff training | £20-50/user |
| Total (10-person business) | £1,500-2,500 |
Enhanced Budget (Higher Risk)
| Item | Annual Cost |
|---|---|
| Above, plus: | |
| Email security (advanced) | £30-60/user |
| Endpoint detection (EDR) | £50-100/user |
| Security audit | £500-2,000 |
| Cyber insurance | £300-1,000 |
| Total (10-person business) | £5,000-10,000 |
Compared to Incident Costs
| Scenario | Typical Cost |
|---|---|
| Annual security investment | £1,500-10,000 |
| Ransomware incident | £20,000-100,000+ |
| Data breach (ICO fine + costs) | £10,000-50,000+ |
| Business email compromise | £10,000-100,000+ |
Resources and Help
Free Resources
NCSC (National Cyber Security Centre):
- Small business guide: ncsc.gov.uk/collection/small-business-guide
- Cyber Essentials: ncsc.gov.uk/cyberessentials
- Exercise in a Box: ncsc.gov.uk/information/exercise-in-a-box
Cyber Aware: cyberaware.gov.uk
Certifications to Consider
Cyber Essentials:
- UK government-backed certification, delivered through IASME
- Shows you have basic security in place (five controls: firewalls, secure configuration, user access control, malware protection, security updates)
- Required for some government contracts
- The basic level is a self-assessment questionnaire checked by an assessor: roughly £300-500, priced by organisation size
Cyber Essentials Plus:
- Adds hands-on technical verification by an assessor, including a vulnerability scan of your devices
- More credibility
- ~£1,500-3,000
When to Get Professional Help
Consider professional help if:
- You handle sensitive data (financial, health, legal)
- You have compliance requirements
- You've had an incident
- You're growing rapidly
- You lack internal IT expertise
Types of help:
- Managed IT provider (ongoing)
- Security consultant (assessment, improvement)
- Incident response (if something happens)
The Bottom Line
Cybersecurity doesn't require being an expert. It requires consistently doing basics:
1. Strong, unique passwords (use a password manager)
2. Two-factor authentication (on all critical accounts)
3. Updates (automatic where possible)
4. Backups (automated, tested, offsite)
5. Staff awareness (phishing is the main threat)
Most successful attacks exploit businesses that don't do these basics. Do them, and you're ahead of most.
Start today. Enable 2FA on your email. Install a password manager. Check your backups. These three actions take an hour and dramatically reduce your risk.
Perfect security doesn't exist, but good-enough security is achievable for any small business willing to make it a priority.