Small businesses often feel overwhelmed by cyber security, but taking control is simpler than it seems. This guide outlines the information to gather, immediate steps and medium term actions to secure your business and align with the Cyber Essentials framework, offering clear, non-technical advice to build confidence and resilience.
Why Cyber Security Matters for Small Businesses
Why It’s Critical
Small businesses are not immune to cyber threats. From data breaches to operational disruptions, the consequences can be severe—financially and reputationally. For example, a Merseyside law firm was fined £60,000 in April 2025 after client data was exposed on the dark web, underscoring the need for proactive measures.
Key Reasons to Prioritize Cyber Security:
- Prevent disruptions to business operations, such as IT downtime.
- Protect sensitive customer data to maintain trust and comply with regulations.
Case Study Reference:
Learn more about the Merseyside law firm breach at ICO News.
Risks to Address
Cyber threats stem from multiple sources:
- People: Employees or contractors may unintentionally create vulnerabilities.
- Physical Security: Unsecured devices or premises can be exploited.
- Networks and Software: Outdated systems are prime targets for attackers.
- Devices: Any device accessing your network can be a weak point.
Cyber security also overlaps with data protection laws, such as GDPR, making compliance essential.
Benefits of Strong Cyber Security
Investing in cyber security may seem daunting, but the rewards are significant:
- Avoid fines and legal penalties.
- Maintain trust with customers and employees.
- Ensure uninterrupted business operations.
- Build resilience against ransomware and other threats.
- Gain a competitive edge by demonstrating robust security.
Actionable Next Step: Use the Cyber Essentials framework to guide your efforts. Start with the NCSC Small Business Guide and create an action plan at NCSC Cyber Aware.
Immediate and Medium-Term Actions for Cyber Security
Cyber security is a system of interconnected components. Below, we outline key areas, provide two immediate actions for each, and suggest medium-term steps to strengthen your defenses. Document your current setup for each component to create a clear overview and ongoing checklist.
Data Backup Strategy
A solid backup strategy ensures your critical data remains available and secure, even during a cyber attack or system failure.
Information Gathering:
- Identify all critical data and where it’s stored (e.g., cloud, local servers, employee devices).
Immediate Actions:
- Back up critical data to a secure, offsite location (e.g., encrypted cloud storage).
- Schedule automatic backups at least weekly to minimize data loss.
Medium-Term Actions:
- Develop a formal backup policy outlining what, when, and how data is backed up. Use this Backup Policy Template.
- Test your backups quarterly to ensure they can be restored quickly.
Further Reading:
Password Security
Weak passwords are an easy target for attackers. Strong password practices are a quick win for your business.
Information Gathering:
- List all devices and applications requiring passwords and note current password policies.
Immediate Actions:
- Enforce strong passwords (at least 12 characters, mixing letters, numbers, and symbols).
- Enable two-factor authentication (2FA) on critical accounts, such as email and financial systems.
Medium-Term Actions:
- Implement a password manager for employees to securely store and generate complex passwords.
- Train staff on password best practices and phishing awareness.
Further Reading:
Software Updates
Outdated software is a common entry point for cyber attacks. Keeping systems updated is critical.
Information Gathering:
- Inventory all software and devices used in your business, including operating systems and plugins.
Immediate Actions:
- Update all software, including operating systems, browsers, and content management systems (CMS).
- Remove unnecessary software from employee devices to reduce vulnerabilities.
Medium-Term Actions:
- Enable automatic updates where possible to ensure timely patches.
- Schedule monthly checks to verify all systems are up to date.
Further Reading:
Email Security (Microsoft 365 and Beyond)
Email is a primary attack vector. Securing your email configuration can prevent unauthorized access and phishing.
Information Gathering:
- Identify who manages your email configuration and which devices access company email.
Immediate Actions:
- Restrict email access to known IP addresses or locations (e.g., office network).
- Enable DMARC, DKIM, and SPF records to prevent email spoofing.
Medium-Term Actions:
- Train employees to recognize phishing emails and avoid sharing sensitive information.
- Consider email encryption for sensitive communications.
Further Reading:
Data Protection and GDPR Compliance
Cyber security and data protection are intertwined. Assigning responsibility ensures compliance and accountability.
Information Gathering:
- Document all personal data your business collects and processes (e.g., customer names, emails).
Immediate Actions:
- Appoint a data protection officer or point of contact to oversee GDPR compliance.
- Review and update privacy policies to reflect current data practices.
Medium-Term Actions:
- Conduct a data protection impact assessment (DPIA) for high-risk processes.
- Partner with an IT support service for expert guidance on compliance.
Further Reading:
Physical Security
Strong cyber defenses are useless if physical access to devices or premises is unsecured.
Information Gathering:
- List all physical access points to your office and devices used by remote workers.
Immediate Actions:
- Ensure visitors are escorted at all times and never left alone with devices.
- Ban writing passwords on paper or storing them in unsecured locations.
Medium-Term Actions:
- Implement keycard access for office entry and secure device storage.
- Conduct regular security audits of physical premises.
Further Reading:
Secure Remote Work
Remote work introduces risks, especially when employees use personal devices.
Information Gathering:
- Identify all devices used for remote work and the data they access.
Immediate Actions:
- Require strong passwords and 2FA for remote access to company systems.
- Prohibit storing sensitive data on personal devices.
Medium-Term Actions:
- Develop a Bring Your Own Device (BYOD) or Company-Owned, Business-Only (COBO) policy.
- Use virtual private networks (VPNs) for secure remote connections.
Further Reading:
Email Communication with Clients
Sending sensitive information via email is risky. Secure methods protect both your business and your clients.
Information Gathering:
- Review how your business communicates with clients and what data is shared.
Immediate Actions:
- Verify your domain’s email security settings (e.g., DMARC) to prevent spoofing.
- Use secure file-sharing platforms instead of email attachments for sensitive data.
Medium-Term Actions:
- Train staff on secure communication practices with clients.
- Explore encrypted client portals for sensitive data exchange.
Further Reading:
Smart Phone Security
Mobile devices are vulnerable entry points if not properly secured.
Information Gathering:
- Document which employees use smartphones to access company apps or data.
Immediate Actions:
- Require biometric authentication (e.g., fingerprint) or strong passcodes on all devices.
- Disable lock screen access to apps like Siri or notifications.
Medium-Term Actions:
- Implement mobile device management (MDM) software to enforce security policies.
- Train employees on mobile security best practices.
Further Reading:
Insider Threats
Employees, even with good intentions, can inadvertently cause security breaches.
Information Gathering:
- Document all devices, software, and access levels used by employees.
Immediate Actions:
- Create a central record of all IT assets and access permissions.
- Communicate clear guidelines on reporting new devices or software use.
Medium-Term Actions:
- Provide regular cyber security training for all staff, including temporary workers.
- Limit access to sensitive systems based on job roles.
Further Reading:
Video Conferencing Security
Video conferencing platforms are increasingly targeted by attackers.
Information Gathering:
- Identify which platforms (e.g., Zoom, Teams) your business uses and their security settings.
Immediate Actions:
- Require passwords for all video meetings and restrict access to invited participants.
- Disable file sharing in meetings unless necessary.
Medium-Term Actions:
- Use enterprise-grade video conferencing tools with end-to-end encryption.
- Train staff to avoid sharing sensitive information during calls.
Further Reading:
Ransomware Protection
Ransomware can cripple a business. Proactive measures are essential.
Information Gathering:
- Assess which systems and data are most critical to your operations.
Immediate Actions:
- Ensure all systems are backed up and backups are stored offline.
- Install reputable antivirus software on all devices.
Medium-Term Actions:
- Develop an incident response plan for ransomware attacks.
- Conduct simulated ransomware drills to test preparedness.
Further Reading:
Stay Informed About Threats
Awareness of current threats helps you stay one step ahead.
Immediate Actions:
- Sign up for the NCSC’s Early Warning Service for real-time threat alerts.
- Monitor industry news for emerging cyber threats.
Medium-Term Actions:
- Join a local cyber security network or business group for shared insights.
- Schedule quarterly reviews of threat intelligence reports.
Path to Cyber Essentials Certification
The Cyber Essentials framework provides a structured approach to securing your business. It’s a government-backed scheme that helps you implement basic protections and achieve certification.
Immediate Actions:
- Use the Cyber Essentials Readiness Tool to assess your current security posture.
- Start implementing the five key controls: firewalls, secure configuration, user access control, malware protection, and patch management.
Medium-Term Actions:
- Work toward Cyber Essentials or Cyber Essentials Plus certification with the help of an accredited consultant.
- Regularly review and update your security measures to maintain compliance.
Further Reading:
Partnering with a Cyber Security Consultant
Navigating cyber security can be complex, but you don’t have to do it alone. A qualified consultant can guide you through the process, offering tailored advice in plain language.
Next Steps:
- Develop a long-term cyber security strategy with expert support.
- Learn more about Cyber Essentials Compliance