Cyber crime isn’t just a risk for big companies with large IT departments. Small and medium-sized businesses across the UK are increasingly being targeted — often because attackers see them as underprepared, under-resourced, and easier to breach.
The good news? You don’t need a six-figure cyber budget to protect your business.
With a few straightforward changes and the right habits, you can drastically reduce your exposure and reassure your customers, suppliers, and insurers that you take security seriously.
Here are nine practical cyber security strategies that every business owner should prioritise:
- Use Strong Passphrases and Multi-Factor Authentication (MFA)
Forget simple passwords — they’re not enough. Instead, use passphrases that are longer, unique, and easy for you (but not others) to remember.
Pair these with multi-factor authentication (MFA) wherever possible — especially for business-critical tools like email, cloud storage, HR systems, and accounting software.
MFA adds an extra security check, such as a code sent to your mobile, making it far harder for attackers to access your systems, even if your password is compromised.
Practical tip: Use a password manager to generate and store secure passwords for your entire team.
- Train Your Team — Regularly and Repeatedly
Human error causes the vast majority of cyber breaches, often because someone clicked on a dodgy email or reused a weak password. Make cyber awareness a key part of your onboarding and ongoing training.
Cover the basics: how to spot phishing emails, avoid suspicious downloads, and report unusual activity.
You don’t need formal classrooms — short, engaging video modules or monthly email tips can do the job.
Practical tip: Use phishing simulation tools to test your team’s readiness in a safe environment.
- Secure Your Business Email and Domain Name
Many cyber attacks begin with a fake email that looks like it’s come from your business. Setting up DMARC, SPF, and DKIM on your email domain helps stop criminals from spoofing your email address.
Not only does this protect your clients and suppliers from scams, but it also safeguards your reputation — no one wants to discover their brand is being used to deceive people.
Practical tip: If you’re unsure whether your email is protected, use free tools like MXToolbox to check your domain’s security status.
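As an added illustration of the check described above (this is example code, not the article's own), the script below inspects SPF and DMARC TXT records for the weak settings a spoofing check flags. The records for `weak.example` and `strong.example` are constructed samples, not real DNS lookups.

```python
# Added example, not the article's own code: an offline check of SPF and DMARC
# TXT records for the weak settings an email-spoofing audit would flag.
def assess_spf(record):
    """Return findings for an SPF TXT record (empty list = nothing flagged)."""
    if record is None:
        return ["no SPF record: any server may send mail as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings, last = [], terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF ends with {last}: spoofed senders are not failed")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail); -all is the strict choice")
    elif last != "-all":
        findings.append("SPF has no terminating 'all' mechanism")
    return findings

def assess_dmarc(record):
    """Return findings for the DMARC TXT record published at _dmarc.<domain>."""
    if record is None:
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    # 'v=DMARC1; p=none; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'none', ...}
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v") != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings

def assess_domain(records):
    return assess_spf(records.get("spf")) + assess_dmarc(records.get("dmarc"))

# Constructed sample records for two hypothetical domains (not real DNS data).
SAMPLE_DOMAINS = {
    "weak.example": {"spf": "v=spf1 include:_spf.example.net ~all",
                     "dmarc": "v=DMARC1; p=none"},
    "strong.example": {"spf": "v=spf1 mx include:_spf.example.net -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"},
}

if __name__ == "__main__":
    for name, recs in SAMPLE_DOMAINS.items():
        print(name + ":", assess_domain(recs) or ["no issues found"])
```

To check a real domain, paste the TXT records returned for `yourdomain` and `_dmarc.yourdomain` into a dict of the same shape and pass it to `assess_domain`.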
- Keep Devices and Software Updated Automatically
Cyber criminals actively search for outdated software because it’s easier to exploit. Ensure all devices — from laptops to tablets and smartphones — have automatic updates switched on.
This applies to operating systems, web browsers, antivirus software, and even the apps your staff use daily. Patch management tools can help larger teams manage this at scale.
Practical tip: Set a company-wide “Tech Tuesday” to check updates and restart devices. It helps instil the habit.
- Know Who You’re Working With: Third-Party Risk
You may have rock-solid internal defences — but what about your suppliers? Your CRM provider, IT contractor, or freelance designer may handle sensitive data, but how secure are their systems?
Ask direct questions. Request evidence of cyber hygiene, such as Cyber Essentials certification or clear data handling policies. If they’re hesitant or vague, that’s a red flag.
Practical tip: Add basic cyber security questions to your onboarding process for new suppliers and freelancers.
- Back Up Your Data and Test the Recovery Process
If ransomware locks your systems or data is accidentally deleted, backups are your safety net.
Back up your key data daily to a secure offsite location or a reputable cloud platform. And don’t just back it up — test it regularly to make sure you can actually restore it.
Practical tip: Keep one backup completely offline or disconnected from your main systems. This is known as an “air-gapped” backup, and ransomware running on your network can’t reach it.
- Use Role-Based Access: Keep Control of Who Sees What
Not every employee needs access to every file or system. By limiting access based on job roles, you reduce the risk of both internal mistakes and external breaches.
If an attacker gains access to a junior employee’s login, role-based access stops them from reaching critical data, like payroll files or customer databases.
Practical tip: Review access rights quarterly — especially when staff leave or change roles.
- Have a Basic Cyber Incident Response Plan
When a cyber incident hits, panic and confusion make things worse. A simple, written response plan helps you stay calm and act fast.
Define who takes charge, how to contain the issue, and how to communicate with customers, suppliers, and regulators.
Even small breaches — like an email account being compromised — can trigger regulatory reporting obligations under the UK GDPR.
Practical tip: Store your plan in the cloud (not just on local machines), and print a copy too. Include IT support contacts and your insurance provider’s details.
- Use Smart Tools to Block Malware and Phishing
Equip all devices with reliable antivirus and anti-malware software. This is your first line of defence against common threats.
Combine it with browser extensions that block known phishing sites and VPNs to encrypt staff connections — especially important for remote or hybrid workers.
Practical tip: Set rules so staff can’t install unauthorised apps or software. This reduces the risk of unvetted software introducing vulnerabilities.
Summary: Cyber Security Is a Business Essential
The risks are growing, but so are the tools and strategies available to defend against them. Building a cyber-resilient business isn’t about being perfect — it’s about being prepared.
The businesses that make security part of their culture — not just an annual checklist — are the ones that will thrive.
Take small steps now, and you’ll build a safer, stronger foundation for your future.