Cyber security basics for small businesses

Why small businesses are at risk

The National Cyber Security Centre (NCSC) states: "The question is no longer if your organisation will face a cyber incident, but when."

Understanding the current threat helps you take action before it is too late.

The five essential security controls

The government's Cyber Essentials scheme identifies five technical controls that protect against approximately 80% of common cyber attacks. You do not need to be certified to implement these - start with the controls themselves.

Low-cost actions you can take today

Most of these cost nothing except your time. Work through them systematically.

Protecting against phishing

Over 90% of successful attacks start with a phishing email. Train yourself and your staff to spot the warning signs.

Red flags in suspicious emails

• Urgency - "Act now", "Your account will be closed", "Immediate action required"
• Unexpected requests - Asking you to click a link, open an attachment, or transfer money
• Sender address - Check the actual email address, not just the display name
• Poor spelling and grammar - Though sophisticated attacks may be well-written
• Suspicious links - Hover over links to see the actual destination before clicking

What to do with suspicious emails

• Do not click any links or open attachments
• Do not reply or engage with the sender
• Forward suspicious emails to report@phishing.gov.uk
• Delete the email after reporting
• Verify requests by contacting the sender through a known, trusted method (not by replying to the email)

Training your staff

Your staff are your first line of defence - and your biggest vulnerability. A single click on a malicious link can compromise your entire business.

Free training options

• NCSC "Top Tips for Staff" - Free downloadable resources you can share
• Regular reminders - Brief monthly emails about current threats cost nothing
• Test phishing - Send fake phishing emails to see who clicks (many free tools available)

Key messages for staff

• Think before you click - if in doubt, do not
• Report suspicious emails immediately (make this easy)
• Never share passwords or give remote access to callers
• Lock computers when leaving your desk
• Use work devices for work only

Securing remote and hybrid working

If your staff work from home or use personal devices, you need additional precautions.

Essential measures for remote work

• VPN - Require a Virtual Private Network for accessing company systems remotely
• Company devices - Where possible, provide work devices rather than relying on personal ones
• Home router security - Remind staff to change default passwords and update firmware
• Screen locking - Ensure devices lock automatically after a few minutes of inactivity
• Cloud storage - Use secure, approved cloud services with two-step verification rather than USB sticks

What to do if you are attacked

Despite your best efforts, attacks can still happen. Knowing what to do reduces damage and recovery time.

Immediate steps

1. Disconnect - Remove affected devices from the network to stop the attack spreading
2. Do not pay - Never pay ransom demands; there is no guarantee you will get your data back
3. Report - Contact Report Fraud (0300 123 2040) or Police Scotland (101)
4. Notify the ICO - Within 72 hours if personal data was affected and there is risk to individuals
5. Restore from backup - If you have clean backups, you can recover without paying attackers

Getting certified (optional but recommended)

Once you have implemented the basic controls, consider formal Cyber Essentials certification. This provides independent verification that your security measures work and is required for some government contracts.

When certification makes sense

• Government contracts - Mandatory for contracts involving personal data or ICT services
• Customer confidence - Some larger customers require suppliers to be certified
• Insurance - Many cyber insurance policies require certification or offer discounts
• Structured improvement - The certification process helps identify gaps

For most small businesses, basic Cyber Essentials (around £320 for micro businesses) is sufficient. Cyber Essentials Plus is for businesses handling sensitive data or bidding on higher-risk contracts.

Creating your security checklist

Use this checklist to track your progress. You do not need to complete everything at once - start with the highest-impact items.

Do today (free)

• Enable automatic updates on all devices
• Turn on two-step verification for email and banking
• Change your router's default password
• Check Windows Defender is running (or Mac security features)

Do this week

• Review and strengthen passwords (get a password manager)
• Set up cloud backup or verify existing backups work
• Brief staff on phishing awareness

Do this month

• Review who has access to what systems (remove unnecessary access)
• Test that you can restore from backup
• Create a simple incident response plan

Do this quarter

• Review cyber insurance options
• Consider Cyber Essentials certification
• Run a test phishing exercise

Free resources

The following government resources are free and designed for small businesses:

• NCSC Cyber Action Plan - Free online tool that creates a personalised action plan
• Cyber Aware - Government campaign with practical advice
• NCSC guidance - Detailed technical guidance on specific security topics
• Exercise in a Box - Free cyber security exercises to test your response