TL;DR:

  • Enable multi-factor authentication on email and banking today — it blocks 99.9% of automated attacks
  • Use a password manager across your team to eliminate the credential reuse behind most breaches
  • Run automated offsite backups so ransomware can’t hold you hostage

43% of all cyberattacks target small businesses (Verizon Data Breach Investigations Report). The NCSC’s annual Cyber Breaches Survey tells a similar story for UK businesses, and the attacks are getting more sophisticated. You’re targeted because you hold valuable data — card numbers, employee records, client lists — without the same defences as larger organisations. The good news: most attacks exploit a handful of well-understood weaknesses. Fix those, and you eliminate the vast majority of your risk.

The threats hitting UK small businesses right now

Ransomware-as-a-Service has lowered the barrier to attack — criminal developers franchise ready-made kits to affiliates who need zero technical skill. A ten-person business in Birmingham is as viable a target as a mid-sized firm.

AI-generated phishing has eliminated the bad grammar that used to give away scam emails. Attackers now send convincing, personalised messages requesting urgent payments, referencing real supplier names and recent business events.

Business Email Compromise (BEC) impersonates a senior person to request a payment transfer. Action Fraud reports thousands of BEC cases from UK businesses every year, with average losses running into tens of thousands of pounds per incident.

Step 1: Enable multi-factor authentication on everything

Multi-factor authentication (MFA) requires your password plus a code from your phone. Even if your password is stolen, attackers can’t get in without your device. Microsoft reports MFA blocks 99.9% of automated account attacks.

Enable MFA first on your business email (Google Workspace or Microsoft 365) and your bank accounts. Then work through payment processors, accounting software like Xero or QuickBooks, cloud storage, and your domain registrar. Use an authenticator app (Google Authenticator or Authy) rather than SMS — SMS codes can be intercepted through SIM-swapping.

Step 2: Use a password manager for your whole team

A password manager generates and stores a unique, random password for every account. Nobody on your team needs to remember or reuse passwords. One leaked credential from any site can unlock your accounting software if passwords are shared.

Option               Cost (5-person team)   Best for
1Password Teams      ~£15–20/month          Easiest experience
Bitwarden Business   ~£12–15/month          Best value, open source
Keeper Business      ~£17–20/month          Regulated industries

Step 3: Set up automated, offsite backups

The 3-2-1 backup rule: 3 copies of your data, on 2 storage types, with 1 copy offsite. Ransomware encrypts everything it can reach — an offsite backup is what saves you.

Set up Backblaze for Business (around £6/computer/month) running silently in the background for offsite cloud backup, an external hard drive for fast on-site restores, and a separate cloud copy of critical files for redundancy. Test your backups monthly by restoring a random file. Many businesses discover broken backups only when they desperately need them.

Step 4: Install endpoint protection on every device

Endpoint protection detects suspicious behaviour, blocks malicious websites, and alerts you to problems. Windows Defender lacks central management and the stronger ransomware detection of dedicated business products — don’t rely on it alone for business use.

Malwarebytes for Teams costs around £3–4 per device per month and has excellent ransomware detection. Bitdefender GravityZone is around £4–5 per device per month and top-rated in independent testing.

Step 5: Secure your email with SPF, DKIM, and DMARC

SPF, DKIM, and DMARC are three free DNS records that prevent criminals from spoofing your email address to invoice your clients or trick your staff. Check your status at mxtoolbox.com/dmarc — your IT support can add any missing records in under 30 minutes. This also protects your suppliers from receiving fraudulent invoices that appear to come from you.
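Before asking IT to add records, it helps to know what a weak record looks like next to a hardened one. The check below is an added example, not part of the original article or any vendor tool: it audits constructed SPF, DMARC and DKIM TXT values (the domains and key are placeholders) and reports the settings that still let spoofed mail through.

```python
# Constructed sample TXT record values; not any real domain's records.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mail-provider.test ?all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.mail-provider.test -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(records):
    """Return a list of weaknesses found in the SPF, DMARC and DKIM values."""
    findings = []
    spf = records.get("spf", "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record, so any server can claim to send as you")
    else:
        last = spf.split()[-1]  # the terminal 'all' mechanism sets the default verdict
        if last in ("all", "+all", "?all"):
            findings.append("SPF: '%s' passes every sender" % last)
        elif last == "~all":
            findings.append("SPF: softfail '~all'; move to '-all' once all senders are listed")
        elif not last.endswith("all") and not last.startswith("redirect="):
            findings.append("SPF: no terminal 'all', unknown senders are treated as neutral")
    dmarc = parse_tags(records.get("dmarc", ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record, receivers will not reject spoofed mail")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so you get no aggregate reports")
    dkim = parse_tags(records.get("dkim", ""))
    if not dkim.get("p"):  # an empty or missing p= means no usable public key
        findings.append("DKIM: no public key published for the selector")
    return findings
```

Run `audit_email_auth` on the values you see in the DNS lookup tool to get a checklist of what IT should change.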

Step 6: Lock down your Wi-Fi

Separate staff and guest networks — your router almost certainly supports a guest network via a single toggle in settings. Visitors get internet access without touching your internal systems.

Also: use WPA3 encryption if supported, change the router admin password from the factory default, and disable remote management unless you actively use it.

Step 7: Keep everything updated automatically

Around 60% of data breaches exploit vulnerabilities where a patch was already available. Enable automatic updates for operating systems and browsers, and check desktop software for updates manually. Log into your router every few months and check for firmware updates — most people never do this.

Step 8: Train your team to spot phishing

Phishing remains the most common attack entry point for UK small businesses. Teach your team to watch for urgency and pressure, unusual sender addresses hiding behind a legitimate display name, and domain lookalikes — “rn” instead of “m”, added hyphens.

Send everyone Google’s Phishing Quiz at phishingquiz.withgoogle.com — free, 10 minutes, eye-opening. The NCSC’s Exercise in a Box at ncsc.gov.uk gives you a free facilitated exercise for the whole team.
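The two sender tricks above (a trusted display name over an unrelated address, and confusable domains) can also be caught mechanically. This is an added example, not from the original article or the tools it links: it checks a From: header against a constructed allowlist of domains the business deals with, normalising the substitutions the article lists (“rn” for “m”, added hyphens) so a lookalike compares equal to the name it imitates.

```python
import re

# Constructed allowlist: domains this business legitimately receives mail from.
KNOWN_DOMAINS = {"example-supplier.co.uk", "microsoft.com", "xero.com"}

def normalise(domain):
    """Collapse common confusable substitutions so a lookalike compares equal to
    the domain it imitates. Deliberately over-matches; results need a human look."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")     # 'rn' reads as 'm', 'vv' as 'w'
    d = d.replace("-", "")                          # added or removed hyphens
    return d.translate(str.maketrans("01", "ol"))   # digit-for-letter swaps

def sender_domain(from_header):
    """Address domain from a From: header such as 'Display Name <user@host>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain):
    """Known domain that `domain` imitates, or None if it is not a lookalike."""
    if domain in KNOWN_DOMAINS:
        return None
    target = normalise(domain)
    for known in KNOWN_DOMAINS:
        nk = normalise(known)
        # confusable match, or the real name used as the leading labels of an
        # unrelated domain (xero.com.evil.test)
        if target == nk or target.startswith(nk + "."):
            return known
    return None

def assess_sender(from_header):
    """Warnings for one From: header; an empty list means nothing was flagged."""
    warnings = []
    domain = sender_domain(from_header)
    imitated = lookalike_of(domain)
    if imitated:
        warnings.append("address domain %s looks like %s" % (domain, imitated))
    display = from_header.split("<")[0].strip().strip('"').lower()
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # a trusted name in the display name but an unrelated address domain
        if brand in display and domain != known and imitated != known:
            warnings.append("display name mentions %s but address is at %s" % (brand, domain))
    return warnings

# Constructed sample headers: one genuine, three of the kinds the article describes
SAMPLE_HEADERS = [
    "Accounts <invoices@example-supplier.co.uk>",
    "Accounts <invoices@exarnple-supplier.co.uk>",
    "Microsoft 365 Billing <billing@mail-login.test>",
    "Xero <noreply@xero.com.evil.test>",
]
```

A flag from `assess_sender` is a prompt to verify the request by phone, not proof of fraud; the normalisation is intentionally loose and will also flag some genuine domains.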

Step 9: Write a one-page incident response plan

When something goes wrong is the worst time to figure out your process. Your plan needs four things: your IT contact’s emergency number, your bank’s fraud line, your cyber insurance claims number, and who has authority to take systems offline.

If you get ransomware: photograph the screen, disconnect from Wi-Fi, don’t pay before calling your insurer, and report to Action Fraud (actionfraud.police.uk) in the UK.

Step 10: Get cyber insurance

Cyber insurance covers the financial costs of an attack: ransomware response, breach notification to the ICO and affected individuals, legal defence, business interruption, and forensic investigation. For a UK business under £5M revenue, expect £400–£1,500 per year.

Insurers require MFA, tested backups, and security awareness training before issuing coverage — steps 1–3 above are effectively prerequisites. UK insurers worth contacting: Hiscox, AXA, CFC Underwriting, Markel.

Bottom line

Small business cybersecurity comes down to three starting moves: MFA on email, a password manager for your team, and automated offsite backups. Those three changes — completable in an afternoon — address the most common causes of breaches for UK businesses. Work through the remaining steps one at a time from there.