
Cyber attacks are not just a problem for large companies. Small businesses are targeted in 71% of ransomware attacks because criminals assume they have weaker defences. The good news is that most attacks can be prevented with straightforward, low-cost measures.

This guide covers practical steps you can take today to protect your business, using free tools and built-in security features you probably already have.

Why small businesses are at risk

The National Cyber Security Centre (NCSC) states: "The question is no longer if your organisation will face a cyber incident, but when."

Understanding the current threat helps you take action before it is too late.

These numbers are not just statistics for large corporations. Over 90% of successful attacks begin with phishing emails - and small businesses often lack the training and filters that larger organisations have.

The average ransomware downtime is 21 days. For a small business, three weeks without access to your systems could mean losing customers, missing deadlines, and permanent closure.

The five essential security controls

The government's Cyber Essentials scheme identifies five technical controls that protect against approximately 80% of common cyber attacks. You do not need to be certified to implement these - start with the controls themselves.

Low-cost actions you can take today

Most of these cost nothing except your time. Work through them systematically.

  1. Turn on automatic updates everywhere

    Enable automatic updates on Windows, Mac, phones, tablets, and your router. Security updates fix vulnerabilities that criminals exploit. This single action blocks many common attacks at no cost.

  2. Use strong, unique passwords

    Never reuse passwords across accounts. Use a password manager (many are free) to generate and store unique passwords. For your most important accounts, use passwords of at least 12 characters.

  3. Enable two-step verification on email and banking

    Two-step verification (also called 2FA or MFA) means criminals cannot access your account even if they steal your password. Enable it on email, banking, accounting software, and cloud storage. Most services offer this free in settings.

  4. Install security software

    Windows Defender (built into Windows) provides good protection at no extra cost. Mac users should enable the built-in security features. Ensure any security software updates automatically.

  5. Back up your data

    Ransomware encrypts your files and demands payment. If you have backups, you can recover without paying. Use the 3-2-1 rule - three copies, on two different types of storage, with one copy kept offline or in the cloud.

  6. Change default passwords on your router

    Your internet router comes with a default password printed on a sticker. Change it. Attackers know these defaults. Log into your router's admin panel and set a strong, unique password.

Protecting against phishing

Over 90% of successful attacks start with a phishing email. Train yourself and your staff to spot the warning signs.

Red flags in suspicious emails

  • Urgency - "Act now", "Your account will be closed", "Immediate action required"
  • Unexpected requests - Asking you to click a link, open an attachment, or transfer money
  • Sender address - Check the actual email address, not just the display name
  • Poor spelling and grammar - Though sophisticated attacks may be well-written
  • Suspicious links - Hover over links to see the actual destination before clicking
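
A first-pass check for three of these red flags (urgency wording, a display name that does not match the real sender address, and links whose visible text points to a different domain than their destination). This is an added example for this guide, not NCSC or Cyber Essentials code; the message it scans is a constructed sample and the .test domains are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not real mail) showing three of the red flags listed above.
SAMPLE_EMAIL = """\
From: "accounts@example-bank.test" <notify@example-mailer.test>
Subject: Immediate action required - your account will be closed
Content-Type: text/html

<p>Act now: <a href="http://login.example-phish.test/verify">https://www.example-bank.test/login</a></p>
"""
URGENCY = ("act now", "account will be closed", "immediate action required")

class LinkCollector(HTMLParser):  # gathers (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # login.example.test -> example.test

def phishing_flags(raw):
    """Return the red flags found in one raw email as a list of readable strings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = [f"urgency: '{p}'" for p in URGENCY if p in text]
    name, addr = parseaddr(msg.get("From", ""))  # display name vs actual address
    if "@" in name and name.split("@")[-1].lower() != addr.split("@")[-1].lower():
        flags.append(f"sender mismatch: shown as {name}, actually {addr}")
    collector = LinkCollector()
    collector.feed(body)  # link text that looks like a URL but goes elsewhere
    for href, shown in collector.links:
        shown_host, real_host = urlparse(shown).hostname, urlparse(href).hostname
        if shown_host and real_host and base_domain(shown_host) != base_domain(real_host):
            flags.append(f"link mismatch: text says {shown_host}, goes to {real_host}")
    return flags
```

Running phishing_flags(SAMPLE_EMAIL) reports five flags for the sample; a plain message with none of these patterns returns an empty list.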

What to do with suspicious emails

  • Do not click any links or open attachments
  • Do not reply or engage with the sender
  • Forward suspicious emails to report@phishing.gov.uk
  • Delete the email after reporting
  • Verify requests by contacting the sender through a known, trusted method (not by replying to the email)

Training your staff

Your staff are your first line of defence - and your biggest vulnerability. A single click on a malicious link can compromise your entire business.

Free training options

  • NCSC "Top Tips for Staff" - Free downloadable resources you can share
  • Regular reminders - Brief monthly emails about current threats cost nothing
  • Test phishing - Send fake phishing emails to see who clicks (many free tools available)

Key messages for staff

  • Think before you click - if in doubt, do not
  • Report suspicious emails immediately (make this easy)
  • Never share passwords or give remote access to callers
  • Lock computers when leaving your desk
  • Use work devices for work only

Securing remote and hybrid working

If your staff work from home or use personal devices, you need additional precautions.

Essential measures for remote work

  • VPN - Require a Virtual Private Network for accessing company systems remotely
  • Company devices - Where possible, provide work devices rather than relying on personal ones
  • Home router security - Remind staff to change default passwords and update firmware
  • Screen locking - Ensure devices lock automatically after a few minutes of inactivity
  • Cloud storage - Use secure, approved cloud services with two-step verification rather than USB sticks

What to do if you are attacked

Despite your best efforts, attacks can still happen. Knowing what to do reduces damage and recovery time.

Immediate steps

  1. Disconnect - Remove affected devices from the network to stop the attack spreading
  2. Do not pay - Never pay ransom demands; there is no guarantee you will get your data back
  3. Report - Contact Report Fraud (0300 123 2040) or Police Scotland (101)
  4. Notify the ICO - Within 72 hours if personal data was affected and there is risk to individuals
  5. Restore from backup - If you have clean backups, you can recover without paying attackers

Getting certified (optional but recommended)

Once you have implemented the basic controls, consider formal Cyber Essentials certification. This provides independent verification that your security measures work and is required for some government contracts.

When certification makes sense

  • Government contracts - Mandatory for contracts involving personal data or ICT services
  • Customer confidence - Some larger customers require suppliers to be certified
  • Insurance - Many cyber insurance policies require certification or offer discounts
  • Structured improvement - The certification process helps identify gaps

For most small businesses, basic Cyber Essentials (around £320 for micro businesses) is sufficient. Cyber Essentials Plus is for businesses handling sensitive data or bidding on higher-risk contracts.

Creating your security checklist

Use this checklist to track your progress. You do not need to complete everything at once - start with the highest-impact items.

Do today (free)

  • Enable automatic updates on all devices
  • Turn on two-step verification for email and banking
  • Change your router's default password
  • Check Windows Defender is running (or Mac security features)

Do this week

  • Review and strengthen passwords (get a password manager)
  • Set up cloud backup or verify existing backups work
  • Brief staff on phishing awareness

Do this month

  • Review who has access to what systems (remove unnecessary access)
  • Test that you can restore from backup
  • Create a simple incident response plan

Do this quarter

  • Review cyber insurance options
  • Consider Cyber Essentials certification
  • Run a test phishing exercise

Free resources

The following government resources are free and designed for small businesses:

  • NCSC Cyber Action Plan - Free online tool that creates a personalised action plan
  • Cyber Aware - Government campaign with practical advice
  • NCSC guidance - Detailed technical guidance on specific security topics
  • Exercise in a Box - Free cyber security exercises to test your response