Cyber security sounds technical and intimidating. In practice, the basics that stop the vast majority of attacks on small businesses are straightforward actions that can be completed in an afternoon. The 2025 UK Government Cyber Security Breaches Survey found that phishing — criminals sending deceptive emails to trick you into handing over passwords or clicking malicious links — was behind 93% of successful cyber attacks on businesses. That means nine out of ten successful attacks exploit human behaviour, not sophisticated technical vulnerabilities. The protections are equally human: awareness, good habits, and a few free or low-cost tools.
This guide is structured so you can work through it section by section, implementing as you go, or read it end-to-end first and then use the 30-day action plan at the end to prioritise. Either way, by the end, you will have a complete picture of what your business needs — and the knowledge to implement it.
What this guide covers:
- The real threat landscape for small UK businesses in 2026 — the facts, not the fear
- The five most common attacks that hit small businesses, and exactly how each one works
- Password security done properly — including the best free password managers
- Multi-factor authentication — the single most effective protection against account takeover
- How to recognise and stop phishing attacks before they cause damage
- Software updates, backups, and Wi-Fi security — three things most businesses get wrong
- How to train your team without spending thousands on courses
- Your UK GDPR obligations if a data breach occurs
- Cyber Essentials certification — what it is, what it costs, and whether you need it
- The best free cyber security tools available to UK small businesses
- Exactly what to do in the first hour after a cyber attack
- A complete 30-day action plan
The Cyber Threat Landscape for Small UK Businesses in 2026
Before diving into solutions, it helps to understand what you are actually protecting against. The cyber threat landscape has changed significantly in the past two years, and the nature of attacks targeting small businesses is different from what most people imagine.
The National Cyber Security Centre (NCSC), part of GCHQ, recorded 204 "nationally significant" cyber incidents in the 12 months to August 2025 — a 50% increase on the previous year. Eighteen of those were classified as "highly significant". But those headline figures refer to attacks on critical national infrastructure and large organisations. For small businesses, the threats are less dramatic and more pervasive.
Importantly, the UK Government's Cyber Security and Resilience Bill, expected to become law later in 2026, will introduce stronger reporting requirements and higher penalties for businesses that fail to protect personal data. Even if your business is not directly in scope, the implications for supply chain security mean that many more small businesses will face demands from clients and partners to demonstrate basic cyber security controls. Starting now puts you ahead of that curve.
How the threat has changed — AI-powered attacks
The most significant development in 2025 and into 2026 is the use of artificial intelligence by cyber criminals. AI-driven attacks rose 67% year-on-year in 2025. What this means practically for small businesses: phishing emails are now dramatically more convincing. Gone are the misspelt, poorly worded emails that were once easy to spot. AI-generated phishing messages are grammatically perfect, contextually relevant, and often personalised with real details about you or your business gathered from LinkedIn, your website, or social media. The barrier to a convincing attack has dropped to near zero.
🚨 The most important 2026 update to know
The Cyber Essentials v3.3 update (April 2026) now makes multi-factor authentication (MFA) mandatory wherever it is technically available. If your business is seeking Cyber Essentials certification and you have not enabled MFA across your accounts, you will fail the assessment automatically. Even if certification is not your goal, this update reflects the NCSC's assessment that MFA is now a non-negotiable basic control — not an optional extra.
The 5 Biggest Cyber Threats to Small UK Businesses
Understanding how attacks work is the first step to stopping them. Here are the five threats most likely to affect a small UK business — with the reality of how each one actually happens.
Threat 1: Phishing Attacks
Phishing is the practice of sending deceptive emails (or text messages, called "smishing") that impersonate a trusted source — your bank, HMRC, a courier company, Microsoft, or even a colleague — to trick you into clicking a malicious link, downloading malware, or handing over login credentials or payment details.
How modern phishing attacks actually work:
- Credential harvesting: A fake login page for Microsoft 365, your banking portal, or another service captures your username and password. The criminal then uses those credentials to access the real account.
- Malware delivery: A link or attachment downloads malicious software — often ransomware — that encrypts your files and demands payment to restore access.
- Business Email Compromise (BEC): A criminal impersonates your CEO, your accountant, or a supplier to instruct your finance team to make an urgent bank transfer. This type of attack cost UK businesses an estimated £190 million in 2024 alone.
- Spear phishing: A targeted attack where the email is specifically crafted for you — referencing a recent invoice, a colleague's name, or an ongoing project — gathered from your company website or LinkedIn.
Threat 2: Ransomware
Ransomware is malicious software that encrypts all the files on your computer and any connected drives or networks — making everything completely inaccessible. The attacker then demands a ransom (typically in cryptocurrency) to provide the decryption key. Most ransomware arrives via a phishing email or through an unpatched software vulnerability.
Why ransomware is so devastating for small businesses:
- Total business shutdown: With all files encrypted, you cannot access any work documents, customer records, accounting data, or emails. For many small businesses, operations stop entirely.
- Paying does not guarantee recovery: Research consistently shows that a significant proportion of businesses that pay the ransom still do not receive working decryption keys, or receive partial ones. You have no legal recourse.
- Recovery is slow and expensive: Even with backups, restoring systems after a ransomware attack typically takes days to weeks, with associated downtime costs that often dwarf the ransom demand itself.
- The NCSC strongly advises against paying: Payment funds future criminal activity and does not guarantee you will get your files back.
Threat 3: Password Attacks and Account Takeover
Account takeover happens when a criminal gains access to your business accounts — email, banking, accounting software, cloud storage — using compromised or guessed passwords. The most common routes are credential stuffing (using passwords leaked in previous data breaches on other sites), brute force attacks (automated password guessing), and phishing (as described above).
Why weak or reused passwords are catastrophic:
- Password reuse is the biggest risk: If you use the same password on multiple sites and one of those sites suffers a data breach, every account with that password is immediately compromised. Billions of username/password pairs from previous breaches are freely available to criminals online.
- Email account access is catastrophic: Access to your business email allows a criminal to reset every other password you have, intercept invoices, impersonate you to clients and suppliers, and access every connected service.
- Banking access speaks for itself: Unauthorised access to business banking, payment platforms, or accounting software can drain accounts or redirect supplier payments within minutes.
Threat 4: Malware and Spyware
Malware (malicious software) is an umbrella term for any software designed to damage your systems or gain unauthorised access. Beyond ransomware, small businesses face risks from spyware (software that secretly monitors your activity and steals information), keyloggers (which record everything you type, including passwords), and trojans (legitimate-looking software that installs malware in the background).
Common malware entry points for small businesses:
- Email attachments — PDFs, Word documents with macros, or ZIP files from unknown senders
- Pirated software or free downloads from unofficial sources
- Visiting compromised or malicious websites (often via a link in a phishing email)
- USB drives — especially those found or received unexpectedly
- Unpatched software with known security vulnerabilities that malware can exploit automatically
Threat 5: Supply Chain Attacks
Supply chain attacks have doubled year-on-year and now account for 15% of all cyber attacks. A supply chain attack happens when a criminal compromises one of your trusted suppliers or software providers and uses that trusted relationship to attack you. The 2025 breach affecting Mailchimp and HubSpot allowed attackers to distribute malicious emails from trusted vendor domains — affecting thousands of downstream UK businesses whose customers received emails they thought were legitimate.
How to reduce supply chain risk:
- Keep a list of all third-party software and services your business uses — particularly those with access to customer data
- Use unique passwords for every supplier and software account (a password manager makes this practical)
- Enable MFA on every supplier account that offers it
- Monitor supplier communications for any reports of security incidents — respond immediately if a supplier you use reports a breach
Chart (not reproduced): Threat frequency overview for UK small businesses, showing the percentage of breached UK businesses affected by each attack type (2025).
Password Security — The Basics Done Properly
Password security is the foundation of everything else in cyber security. A strong, unique password for every account, managed with a password manager, eliminates one of the most exploited attack vectors at near-zero cost. Yet the majority of UK small businesses still use weak passwords, reuse passwords across multiple accounts, or share passwords between team members in insecure ways.
What makes a password strong in 2026
The old advice about complex passwords containing uppercase, numbers, and symbols is outdated and creates passwords that are hard for humans to remember but actually not that hard for computers to crack. The NCSC's current guidance focuses on three things: length, uniqueness, and unpredictability.
| Password Approach | Example | Security Level | Notes |
|---|---|---|---|
| Short complex password | P@ssw0rd! | Very Weak | Appears complex, easily cracked |
| Three random words (NCSC method) | CoffeeBadgerLamp | Good | Easy to remember, hard to crack |
| Password manager generated | X8#kQm!vLpZ$2rNw | Excellent | You never need to remember it |
| Same password everywhere | Any password reused | Critical Risk | One breach = all accounts compromised |
Password managers — free and essential
A password manager generates, stores, and autofills unique, complex passwords for every account you use. You only need to remember one master password. This is the single change that has the highest impact on password security — and the best options are free or very low cost.
| Password Manager | Free Tier? | Best For | Cost (paid) |
|---|---|---|---|
| Bitwarden | Free | Best all-round free option — open source, excellent security audits | £8/year per user for teams |
| KeePass | Free (forever) | Technical users who want local storage only — no cloud | Free |
| 1Password | 14-day trial | Teams — excellent sharing and admin features | £3.99/month per user |
| Dashlane | Free (1 device) | Solo users — good interface, dark web monitoring included | £3.33/month |
💡 The NCSC's advice on password managers
The NCSC explicitly recommends password managers as a practical way to improve password security without requiring people to remember dozens of complex passwords. Using a reputable password manager is significantly safer than the common alternative: writing passwords down, reusing them, or making them simple enough to remember. For a small business, Bitwarden's free tier handles everything most businesses need.
SETTING UP YOUR FIRST PASSWORD MANAGER — STEP BY STEP
- Download Bitwarden from bitwarden.com — create a free account with a strong master password (use the three random words method: three unrelated words, easy to remember, impossible to guess)
- Install the browser extension — this allows Bitwarden to autofill passwords as you log in to sites
- Import any saved passwords from your browser (Chrome, Safari, and Edge all have an export option in their password manager settings)
- Change your highest-priority passwords first — email, banking, accounting software, and any services storing customer data
- For every new account or password change — use Bitwarden's built-in password generator (set to 16+ characters) and let it save automatically
Multi-Factor Authentication — Your Most Important Single Protection
Multi-factor authentication (MFA), also called two-factor authentication (2FA), requires a second piece of verification beyond your password when logging in to an account. Even if a criminal has your password — whether through a data breach, phishing, or guessing — they cannot access your account without the second factor.
The NCSC describes MFA as the single most effective technical control for protecting against account takeover. Research by Microsoft suggests that enabling MFA blocks 99.9% of automated account compromise attacks. And yet, the majority of small businesses have not enabled it on their critical accounts.
Types of MFA — which to use
| MFA Type | How It Works | Security Level | Recommended? |
|---|---|---|---|
| Authenticator App | Time-based code from an app (Microsoft Authenticator, Google Authenticator) | Strong | ✅ Yes — best balance of security and convenience |
| Push Notification | Approve login via a notification on your phone | Strong | ✅ Yes — convenient and secure |
| SMS Text Code | One-time code sent by text message | Moderate | ⚠️ Better than nothing — but SIM swap attacks can bypass it |
| Hardware Key (YubiKey) | Physical USB/NFC key you tap to authenticate | Strongest | ✅ For highest-risk accounts — costs ~£35-60 |
| Email code | Code sent to your email address | Weak | ❌ Avoid — if your email is compromised, this MFA is useless |
Where to enable MFA — priority order for small businesses
✅ MFA Activation Checklist — Work through in this order
Recognising and Stopping Phishing Attacks
Since phishing is behind 93% of successful attacks, being able to identify suspicious emails before clicking anything is the most valuable cyber security skill a small business owner or employee can develop. Modern phishing emails are often indistinguishable from legitimate ones — but there are consistent patterns to watch for.
The 8 phishing red flags to look for
How to Spot a Phishing Email
- The sender's email address doesn't match the organisation: The display name might say "HMRC" or "Microsoft", but the actual email address (click or hover on the sender name to reveal it) is something like "hmrc.refund@tax-gov.uk.com" or "support@microsoft-helpdesk.net". The domain name is the key — microsoft.com is legitimate, microsoft-helpdesk.net is not.
- Urgent or threatening language: "Your account will be suspended in 24 hours", "Immediate action required", "Your account has been compromised". Urgency is designed to make you act before you think. Legitimate organisations do not communicate critical account changes via a single email with a 24-hour deadline.
- Unexpected requests for login credentials, payment details, or sensitive information: No legitimate service will ask you to verify your password, confirm your bank details, or provide a one-time code by replying to an email.
- Links that don't go where they appear to: Hover over (do not click) any link in an email to see the actual destination URL, shown at the bottom of your browser or email client window. A link labelled "Click here to sign in to your Microsoft account" that points to "login.m1cr0s0ft-secure.net" is a phishing link.
- Unexpected attachments: Be especially cautious with .zip files, .exe files, Word documents with macros (the document asks you to "enable content" or "enable editing"), and PDF files with links embedded in them.
- Generic greetings: "Dear Customer", "Dear Account Holder", "Dear Sir/Madam" — legitimate services that hold your account typically address you by name. Not always — but it is a signal worth noting alongside others.
- Unexpected payment, delivery, or refund notifications: Unexpected invoice payments, parcel delivery notifications for items you did not order, HMRC refund notices — check by logging into the relevant service directly (type the URL yourself, do not click the link) to verify whether the notification is real.
- The email asks you to call a phone number to resolve a problem: "Vishing" (voice phishing) is a growing tactic where a phishing email directs you to call a number staffed by criminals who then walk you through "resolving" a fake problem that results in access to your accounts or payment of a fake invoice.
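Several of these red flags can be expressed as simple rules. The following Python, added here as an example and not part of the original guide, runs the sender-domain, urgency, generic-greeting and link-destination checks over two constructed messages that reuse the lookalike addresses quoted above; the KNOWN_BRANDS list is an assumption that a business would fill in for itself (its bank, its suppliers, its own domain).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands a small business hears from, mapped to the domains that genuinely belong
# to them. Constructed for this example; a real list is specific to your business.
KNOWN_BRANDS = {
    "hmrc": ("gov.uk",),
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com"),
}

URGENCY_PHRASES = (
    "immediate action required",
    "within 24 hours",
    "will be suspended",
    "has been compromised",
)

# Digits that lookalike domains substitute for letters, so that
# "m1cr0s0ft-secure.net" normalises to "microsoft-secure.net" for comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def host_belongs_to(host, domains):
    """True if host is one of the legitimate domains or a subdomain of one.
    Matching on whole labels is what defeats 'tax-gov.uk.com' (not under gov.uk)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def brand_mismatch(text, host):
    """Return the brand name if the text or the host invokes a known brand while the
    host is not one of that brand's domains; otherwise None."""
    normalised = host.translate(HOMOGLYPHS)
    for brand, domains in KNOWN_BRANDS.items():
        if (brand in text.lower() or brand in normalised) and not host_belongs_to(host, domains):
            return brand
    return None


def analyse_message(raw):
    """Apply the red-flag checks to one single-part RFC 5322 message; return the flags."""
    msg = message_from_string(raw)
    flags = []

    # Red flag: display name claims a brand the sender's domain does not belong to.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower()
    brand = brand_mismatch(display_name, sender_host)
    if brand:
        flags.append(f"sender domain '{sender_host}' is not a {brand} domain")

    # Red flag: urgent or threatening language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    flags += [f"urgent language: '{p}'" for p in URGENCY_PHRASES if p in text]

    # Red flag: generic greeting instead of your name.
    if re.search(r"\bdear (customer|account holder|sir/madam)\b", body.lower()):
        flags.append("generic greeting")

    # Red flag: link text names a brand but the destination host is not that brand's.
    for href, link_text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        link_host = (urlparse(href).hostname or "").lower()
        brand = brand_mismatch(link_text, link_host)
        if brand:
            flags.append(f"link '{link_text.strip()}' goes to '{link_host}', not a {brand} domain")
    return flags


# Constructed sample messages reusing the lookalike addresses quoted in the list above.
PHISHING_SAMPLE = """\
From: "Microsoft Account Team" <support@microsoft-helpdesk.net>
Subject: Immediate action required: your account will be suspended
Content-Type: text/html

<p>Dear Customer, unusual sign-in activity was detected.</p>
<a href="https://login.m1cr0s0ft-secure.net/verify">Click here to sign in to your Microsoft account</a>
"""

LEGITIMATE_SAMPLE = """\
From: "Microsoft" <account-security-noreply@accountprotection.microsoft.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Hello Jane, your statement for March is available in your account.</p>
<a href="https://account.microsoft.com/billing">View your statement</a>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyse_message(sample))
```

A mail filter would weigh these flags rather than block on any single one; a generic greeting alone, as the list says, is only a signal worth noting alongside others.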
Free tools that catch phishing before it reaches you
Technical controls can intercept many phishing attempts before they reach your inbox, reducing the burden on human judgement:
- Microsoft 365 Defender: Included in most Microsoft 365 business subscriptions — provides anti-phishing filters, safe link scanning, and safe attachment detonation. Ensure it is turned on in your admin settings.
- Google Workspace Advanced Phishing Protection: Similarly built into Google Workspace — enabled by default but configurable for stronger settings in the Admin Console.
- DMARC, SPF, and DKIM for your email domain: These are DNS-level email authentication records that make it significantly harder for criminals to send emails that appear to come from your domain. Your IT support provider or domain registrar can help set these up — they cost nothing beyond the time to configure them.
Software Updates and Patch Management
Unpatched software is one of the most exploited attack vectors in cyber crime. Software vendors regularly release security updates that fix known vulnerabilities — once a vulnerability is publicly disclosed, criminals actively scan for businesses running the unpatched version and attempt to exploit it automatically. The window between a patch being released and criminals actively exploiting the vulnerability it fixes is often less than 48 hours.
⚠️ The risk of "I'll update later"
One of the most common explanations for delayed updates is that they interrupt work or cause compatibility issues. This is a real concern — but the risk of deferring critical security patches far outweighs the inconvenience. A good practice: schedule updates for Friday afternoons or outside business hours so they do not disrupt the working day, while still making sure security-related updates are applied within the week they are released.
PATCH MANAGEMENT FOR SMALL BUSINESSES — PRACTICAL STEPS
- Enable automatic updates on all Windows and Mac computers — for operating system updates, automatic is the right choice for most small businesses. Go to Settings → Update (Windows) or System Preferences → Software Update (Mac) and ensure automatic updates are on.
- Enable automatic updates on smartphones and tablets — business devices used to access email, cloud storage, or business apps need the same attention as computers.
- Update software applications as promptly as possible — browsers (Chrome, Firefox, Edge), Microsoft Office, Adobe products, and any other business software should be updated within a week of a security patch being released.
- Check for router/firewall firmware updates quarterly — routers are often forgotten but can be exploited to intercept all traffic on your network. Log in to your router's admin interface and check the manufacturer's website for firmware updates.
- Replace end-of-life software immediately — software that no longer receives security updates (like Windows 10 after October 2025, Office 2016, or older versions of macOS) should be upgraded. Running software that no longer receives security patches is running software with known, permanently unfixed vulnerabilities.
Backups — Your Last Line of Defence Against Ransomware
A reliable backup strategy is the only guarantee that a ransomware attack does not result in permanent data loss — and the difference between paying a ransom and recovering for free. Yet business backup strategy is one of the most consistently neglected areas of small business IT.
The 3-2-1 backup rule
The 3-2-1 Backup Rule — Memorise This
- 3 copies of your data — the original plus two backups
- 2 different types of media or storage — e.g. cloud storage + external hard drive
- 1 copy stored offline or offsite — physically disconnected from your network (ransomware cannot encrypt a drive it cannot reach)
Practical backup implementation for small businesses
| Backup Type | What It Covers | Recommended Solution | Cost |
|---|---|---|---|
| Cloud backup | All computer files, documents, and data | Backblaze Business Backup, Microsoft OneDrive with version history, Google Drive | From £5/month |
| External hard drive backup | Full system or key files — disconnect after each backup | Any portable hard drive (1-2TB) + Windows Backup or Mac Time Machine | £40-80 one-time |
| Email backup | Business email archive — often overlooked | Microsoft 365 archive feature; Google Vault for Workspace | Included in most business plans |
| Cloud application data | Xero, QuickBooks, CRM data — cloud ≠ backed up | Check each application's export/backup feature; schedule monthly exports | Free (built-in) |
🚨 Critical: Cloud storage is NOT a backup
Many small businesses believe that storing files in OneDrive, Google Drive, or Dropbox means they are backed up. This is incorrect. These are synchronisation services — if ransomware encrypts your local files, the encrypted versions sync to the cloud and overwrite the originals. You must use the version history feature (available on all three services) and a separate cloud backup service to be genuinely protected.
Testing your backups
A backup that has never been tested is a backup you cannot rely on. At minimum, quarterly: pick one file or folder from your backup and restore it to confirm the process works and the data is intact. If you have never successfully restored from your backup, you do not know if it works.
Wi-Fi and Network Security
Your Wi-Fi network is the gateway that everything in your business connects through — computers, phones, printers, payment systems, and CCTV. An insecurely configured network allows an attacker within range to intercept traffic, access connected devices, or gain a foothold in your system. The good news: securing your Wi-Fi takes about 20 minutes and costs nothing.
SECURING YOUR BUSINESS WI-FI — ESSENTIAL STEPS
- Change the default router admin password immediately — default passwords for most routers are publicly known (e.g. "admin" / "admin"). Log in to your router's admin interface (usually at 192.168.1.1 or 192.168.0.1) and change the admin password to something unique.
- Use WPA3 encryption, or WPA2 minimum — in your router's wireless settings, ensure the security protocol is set to WPA3 or WPA2-AES. WPA and WEP are outdated and can be cracked quickly.
- Change your Wi-Fi password to something strong and unique — not "businessname123" or your address. Use a long passphrase and store it in your password manager.
- Create a separate guest network — most modern routers allow you to create a separate, isolated guest Wi-Fi network. Put visitors, customers, and IoT devices (smart TVs, printers, CCTV) on this network, keeping them isolated from your main business network.
- Disable remote management — in your router settings, ensure the option to manage the router remotely (from outside your network) is turned off unless you specifically need it.
- Keep your router firmware updated — check the manufacturer's website for router firmware updates quarterly. Many newer routers update automatically when the setting is enabled.
💡 Public Wi-Fi — never use it for business without a VPN
Coffee shops, hotels, airports, and co-working spaces offer free Wi-Fi that is convenient but potentially dangerous. Public Wi-Fi networks can allow other users on the same network to intercept unencrypted traffic. If you or your team work on laptops in public spaces, invest in a VPN (Virtual Private Network) — this encrypts all your internet traffic regardless of which network you are on. Reputable options include ProtonVPN (free tier available), Mullvad (£5/month), and NordVPN for Teams. A business-grade VPN costs less than one large coffee per month per person.
Staff Training — Managing the Human Risk
Since 68% of cyber breaches involve the human element, training your team to recognise and respond to threats is not a nice-to-have — it is a fundamental control. This does not need to be expensive, time-consuming, or dull. The most effective staff cyber security training is brief, relevant, and regularly reinforced.
What to cover in small business cyber security training
- How to recognise phishing emails — walk through real examples of phishing emails your industry receives, discuss the red flags, and establish a clear process for what to do when someone receives a suspicious email (forward to a nominated person, do not click, do not delete)
- Password and MFA policy — ensure every team member understands the business password policy, has set up MFA on their accounts, and knows how to use the password manager
- Safe handling of attachments and links — the habit of hovering over links before clicking, being cautious with unexpected attachments, and verifying unexpected financial requests by phone
- Physical security — locking screens when away from desks, not leaving devices unattended in public, not connecting unknown USB drives, and securing physical documents containing sensitive data
- What to do if something goes wrong — the most important behaviour is to report suspected incidents immediately, not to hide them. Many cyber incidents are far worse than they needed to be because employees were afraid to report that they had clicked something suspicious.
Free training resources for small UK businesses
| Resource | What It Covers | Cost | Link |
|---|---|---|---|
| NCSC Small Business Guide | Comprehensive, plain-English guide from the UK's national security authority | Free | ncsc.gov.uk/collection/small-business-guide |
| NCSC Staff Training Exercises | Tabletop exercises simulating phishing, ransomware, and data breach scenarios | Free | ncsc.gov.uk/training |
| Cyber Aware (DCMS) | Government campaign materials for staff awareness | Free | cyberaware.gov.uk |
| Google Phishing Quiz | Interactive quiz to test phishing recognition skills | Free | phishingquiz.withgoogle.com |
UK GDPR — Your Legal Obligations After a Data Breach
The UK General Data Protection Regulation (UK GDPR) applies to every business that processes personal data — which includes virtually every business that holds customer names, email addresses, or payment information. Understanding your legal obligations around data security and breach notification is not optional — violations can result in significant fines from the Information Commissioner's Office (ICO).
Your key obligations under UK GDPR
UK GDPR Data Security Obligations
- Implement appropriate technical and organisational security measures — UK GDPR requires you to protect personal data with measures proportionate to the risk. For a small business, this means at minimum: strong passwords, MFA, regular updates, and encrypted storage for sensitive data.
- Report personal data breaches to the ICO within 72 hours — if a cyber attack results in personal data being accessed, stolen, or destroyed, you must notify the ICO within 72 hours of becoming aware of the breach — unless the breach is unlikely to result in any risk to individuals. Failure to report carries fines of up to £8.7 million or 2% of global annual turnover (whichever is higher).
- Notify affected individuals without undue delay — if the breach is likely to result in a high risk to the rights and freedoms of individuals (e.g. financial fraud risk, identity theft risk), you must also notify those individuals directly.
- Document all breaches — even if a breach does not meet the threshold for ICO reporting, you must document it internally. This creates an audit trail demonstrating compliance.
- Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing — if your business processes particularly sensitive data (health information, children's data, financial data at scale), a DPIA is required before starting that processing activity.
Cyber Essentials — The UK's Cyber Security Certification for Small Businesses
Cyber Essentials is a UK government-backed certification scheme that sets out five basic technical controls every business should have in place. It is designed specifically for organisations without large IT teams or dedicated security staff — the controls are practical, achievable, and focus on the most common attack vectors.
The five Cyber Essentials controls
Should your small business get Cyber Essentials?
| Situation | Cyber Essentials? | Reason |
|---|---|---|
| You supply goods or services to UK government | Mandatory | Required for all central government contracts |
| You handle sensitive or personal data for clients | Strongly recommended | Demonstrates due diligence; increasingly required by enterprise clients |
| You want cyber insurance | Strongly recommended | Many insurers offer lower premiums and better coverage with Cyber Essentials |
| You want to demonstrate security to clients and partners | Recommended | A recognised certification carries more weight than self-attestation |
| You just want to implement the basics without certification | Framework only | The Cyber Essentials controls are excellent guidance even without formal assessment |
✅ Cyber Essentials certification costs and what you get
- Cyber Essentials (Basic): Self-assessment questionnaire verified by a certification body — from approximately £300 + VAT. Provides a certificate valid for 12 months.
- Cyber Essentials Plus: As above, but with an independent technical audit verifying your controls are actually in place — from approximately £1,500-3,000 + VAT depending on organisation size.
- Both include: Certificate recognised by UK government and most major enterprise procurement processes, and up to £25,000 cyber insurance cover (for businesses under £20m turnover) — free with basic Cyber Essentials through the NCSC scheme.
Free Cyber Security Tools Every Small UK Business Should Use
You do not need to spend money to implement the core protections against the most common threats. Here are the best free cyber security tools available to UK small businesses today.
| Tool | What It Does | Cost |
|---|---|---|
| Bitwarden | Password manager — generates and stores unique passwords for all accounts | Free |
| Microsoft Authenticator / Google Authenticator | MFA authenticator app — generates time-based codes for account logins | Free |
| Windows Defender / Mac XProtect | Built-in anti-malware — strong protection built into modern operating systems | Free (built-in) |
| Have I Been Pwned | Check if your email addresses have appeared in known data breaches | Free |
| NCSC Check Your Cyber Security | Free vulnerability scanner from the NCSC — checks your public-facing services | Free |
| VirusTotal | Scan suspicious files or URLs before opening — uses 70+ anti-malware engines | Free |
| ProtonVPN | VPN for securing public Wi-Fi connections | Free (basic tier) |
| MXToolbox | Check your email domain's SPF, DKIM, and DMARC records — free diagnostic tool | Free |
💡 Check if you've already been breached
Visit haveibeenpwned.com and enter every business email address you use. The site checks against billions of compromised credentials from known data breaches. If your email appears, change the password on every account that used the same password immediately, then run your password manager's reused-password or exposed-password report so nothing else still shares the leaked password.
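The same service also lets you check whether a password itself has appeared in a breach without ever sending the password: your machine hashes it with SHA-1 and sends only the first five characters of the hash, then matches the rest locally against the returned list. The script below is an added example (not code from the original guide or from Have I Been Pwned) showing that k-anonymity exchange. The range endpoint `https://api.pwnedpasswords.com/range/<prefix>` is the real, free, key-less API; the response body embedded here is a constructed sample so the check runs offline.

```python
"""Check a password against Pwned Passwords without sending the password.

Added example for this guide, not the original page's code or HIBP's own.
SAMPLE_RESPONSE is a constructed stand-in for a real range response.
"""
import hashlib
import urllib.request
from typing import Tuple

API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many
    times the matching password was seen in breaches (0 = not found)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo): only the 5-character prefix
    goes over the wire, so the service cannot learn which password you hold."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str, range_body: str) -> int:
    """Hash locally, then match the suffix against a supplied range body."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body)


# Constructed sample response for prefix 5BAA6 (a real one has hundreds of
# lines). Only the third line is the genuine SHA-1 suffix of "password";
# the other suffixes and all counts are made up for the demo.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
1E2AAA439972480CEC7F16C795BBB429372:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    # For a live check you would call fetch_range(prefix) instead of the sample.
    print(prefix, is_pwned("password", SAMPLE_RESPONSE))
```

To check a real password, replace `SAMPLE_RESPONSE` with `fetch_range(prefix)`; a non-zero count means the password is on criminals' wordlists and should never be used, even with MFA in place.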
What to Do If Your Business Gets Hacked
Having a basic incident response plan — even a single printed page — dramatically reduces the chaos and damage when a cyber incident occurs. Knowing what to do in the first hour, without having to think it through under pressure, is the difference between a contained incident and a catastrophic one.
INCIDENT RESPONSE — THE FIRST HOUR
- Stay calm and do not panic-click — the temptation to click around and try to fix things quickly often makes incidents worse. Take 30 seconds to assess what you know before acting.
- Isolate affected devices immediately — disconnect any infected or suspected compromised devices from your network. Unplug ethernet cables, disconnect from Wi-Fi, and turn off Bluetooth. This stops malware or an attacker from spreading to other devices on your network.
- Do NOT turn the device off (unless instructed by a specialist) — modern forensic investigation and some recovery tools rely on what is still in memory, which powering down destroys. Disconnect it but leave it running; if you have to step away, put it to sleep rather than shutting down. Pulling the network cable is still the first move even if you can see files being encrypted in front of you.
- Change all passwords from a clean, unaffected device — start with email, then banking, then accounting software. Do this from a different device than the one affected. Where the service offers it, also sign out all other sessions and re-enrol MFA, because a password change alone does not always end an attacker's existing login. For email, check for forwarding or mailbox rules you did not create: attackers add these so they keep receiving your mail after the password changes.
- Report to Action Fraud — actionfraud.police.uk or 0300 123 2040. This is the UK's national reporting centre for cyber crime. Reporting creates a record and may help if you need to make an insurance claim or legal complaint.
- Report to the ICO within 72 hours of becoming aware if personal data was involved — ico.org.uk/report-a-breach. The legal test is whether the breach is likely to result in a risk to people's rights and freedoms; fines for late reporting can be significant. If you are unsure whether personal data was accessed, report it as a precaution; the ICO accepts an initial report that you update as you learn more.
- Contact your cyber insurance provider if you have cyber insurance — they often provide free incident response assistance as part of the policy.
- Contact your bank immediately if any financial accounts may have been accessed or if fraudulent transactions are possible — UK banks have fraud response teams available 24/7 and can freeze accounts or reverse transactions quickly if contacted promptly.
- Notify affected customers if there is any risk their personal data has been compromised — where the breach is likely to result in a high risk to them this is a legal obligation under UK GDPR (Article 34), and below that threshold it is still a reputational necessity. Prompt, transparent communication is far better received than a delayed response.
Your 30-Day Cyber Security Action Plan
30 Days to a Fundamentally More Secure Business
Days 1–5: Emergency Fixes — Do These First
- Check if any of your business email addresses have appeared in known data breaches at haveibeenpwned.com
- Enable multi-factor authentication on your business email account — this single action blocks 99.9% of automated account takeover attacks. Use an authenticator app or security key rather than SMS codes where the service offers the choice
- Sign up for Bitwarden (free) and begin changing your highest-priority passwords — email, banking, accounting software — to unique, password-manager-generated passwords
- Enable automatic updates on all computers used for business — operating systems and browsers first
- Change your Wi-Fi router's admin password, ensure your Wi-Fi uses WPA2 or WPA3 encryption, and turn off WPS and remote administration if they are enabled
Days 6–14: Build the Core Foundations
- Enable MFA on all remaining priority accounts — banking, accounting software, cloud storage, domain registrar, social media
- Complete the password manager setup — import all saved passwords, generate new unique passwords for all business accounts
- Check your backup situation — do you have a copy of critical data that is offline and cannot be reached by ransomware? If not, set up Backblaze (cloud) and an external hard drive rotation this week. Cloud backups keep version history, but an account that is signed in on your computer is not truly offline, so keep the external drive disconnected between backups
- Check and update (or create) your Wi-Fi guest network for visitors and non-business devices
- Review who in your business has admin access to which systems — remove any access that is not currently needed (principle of least privilege)
Days 15–22: Team and Process
- Run a team meeting or briefing covering phishing red flags — use real examples (Google "recent phishing examples UK" for topical material) and work through them together
- Establish and document your incident response procedure — print it and pin it somewhere visible. Include: who to call, how to isolate a device, Action Fraud number, ICO breach report URL, and your IT contact
- Review the NCSC Small Business Guide (free at ncsc.gov.uk) — identify any gaps between what it recommends and your current setup
- Check your email domain's SPF, DKIM, and DMARC records at mxtoolbox.com — consult your IT provider or domain registrar if any are missing or incorrect
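The SPF and DMARC records that MXToolbox reports on (see the tools table above and the check just listed) are plain DNS TXT strings, and the common mistakes are easy to spot once you know what to look for: an SPF record ending in `+all` or `?all` lets anyone send as your domain, more than ten lookup-type terms breaks SPF outright, and a DMARC policy of `p=none` only monitors and never blocks spoofed mail. The script below is an added example (not code from the original guide or from MXToolbox) that applies those checks offline. The records it contains are constructed samples; for your own domain, fetch the real ones with `dig +short TXT yourdomain.co.uk` and `dig +short TXT _dmarc.yourdomain.co.uk` and pass them in.

```python
"""Offline SPF and DMARC record checker.

Added example for this guide, not the original page's or MXToolbox's code.
All records below are constructed samples, not real domains' data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def find_spf(txt_records: List[str]) -> Tuple[Optional[str], List[str]]:
    """Pick the SPF record out of a domain's TXT records.

    A domain must publish exactly one SPF record: two or more is a permanent
    error for receivers, so that is reported as a finding.
    """
    spf = [r for r in txt_records if r.startswith("v=spf1")]
    if not spf:
        return None, ["no SPF record published: anyone can send as this domain"]
    if len(spf) > 1:
        return spf[0], [f"{len(spf)} SPF records published; receivers treat this as PermError"]
    return spf[0], []


def check_spf(record: str) -> List[str]:
    """Return findings for one SPF record (empty list = nothing obviously wrong)."""
    findings: List[str] = []
    if not record.startswith("v=spf1"):
        return ["not an SPF record (must start with 'v=spf1')"]
    terms = record.split()[1:]

    # The trailing 'all' decides what receivers do with senders not listed before it.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' allows ANY server to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is not marked")
        # '~all' (softfail) and '-all' (fail) are both acceptable choices.

    # Mechanism name is everything before ':', '/' or '=' once the qualifier is gone.
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms (limit 10): SPF will PermError")
    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated and slow; remove it")
    return findings


def check_dmarc(record: str) -> List[str]:
    """Return findings for one DMARC record (published at _dmarc.<domain>)."""
    findings: List[str] = []
    if not record.startswith("v=DMARC1"):
        return ["not a DMARC record (must start with 'v=DMARC1')"]
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


def audit(txt_records: List[str], dmarc_record: Optional[str]) -> Dict[str, List[str]]:
    """Run every check and group the findings by record type."""
    spf, findings = find_spf(txt_records)
    if spf is not None:
        findings = findings + check_spf(spf)
    dmarc = (["no DMARC record: receivers cannot apply a policy to spoofed mail"]
             if dmarc_record is None else check_dmarc(dmarc_record))
    return {"spf": findings, "dmarc": dmarc}


# Constructed samples: one weak setup and one acceptable setup.
SAMPLE_TXT = [
    "google-site-verification=abc123",       # unrelated TXT record, ignored
    "v=spf1 include:_spf.google.com +all",   # weak: '+all'
]
SAMPLE_SPF_OK = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_DMARC_OK = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.co.uk; pct=100"

if __name__ == "__main__":
    for section, items in audit(SAMPLE_TXT, SAMPLE_DMARC_WEAK).items():
        print(section.upper(), "OK" if not items else "")
        for item in items:
            print("  -", item)
```

A clean result is `-all` or `~all` on SPF with no more than ten lookup terms, and a DMARC policy of `p=quarantine` or `p=reject` with an `rua` address so you actually see the reports; `p=none` is a fine starting point for a couple of weeks of monitoring but should not be where you stop.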
Days 23–30: Compliance and Improvement
- Review whether Cyber Essentials certification is right for your business — if you supply to public sector or handle sensitive client data, begin the self-assessment process at iasme.co.uk
- Check your UK GDPR compliance — do you have a privacy policy? Are you clear on what personal data you hold and why? Have you paid the ICO data protection fee (required for most businesses that process personal data; it is tiered by size, comes to under £100/year for most small businesses, and the current amounts are listed on ico.org.uk)?
- Test your backup — actually restore a file from your backup to confirm it works
- Schedule a recurring quarterly review: update passwords, check for new account breaches, review who has access to what, and verify backups are running correctly
- Consider cyber insurance if you do not already have it — costs from approximately £250-500/year for basic small business cover. Compare at a business insurance broker.
After 30 days of consistent implementation, your business will have closed the weaknesses that account for the vast majority of successful attacks on small UK businesses. The tools cost less than a monthly business lunch. The time investment is less than a single working day. The protection is fundamental and durable, as long as the good habits are maintained.
Building your online presence? Read our guides on What Is SEO and Why Your Small Business Needs It and Local SEO: How Small UK Businesses Can Rank Higher in 2026.
Frequently Asked Questions
Do small businesses really get targeted by cyber criminals?
Yes — small businesses are frequently targeted precisely because they have weaker defences than large organisations. The UK Government's Cyber Security Breaches Survey 2025 found that 43% of UK businesses — approximately 612,000 companies — experienced a cyber attack in the past year. Cyber criminals do not specifically target large companies. They look for the easiest targets, and a small business with no basic cyber security measures is an extremely easy target. The Cyber Security Minister has publicly stated: "No business is out of reach from cyber criminals — SMEs play a vital role in our economy and too many still assume cyber criminals only go after big brands."
What is Cyber Essentials and does my small business need it?
Cyber Essentials is a UK government-backed certification scheme setting out five basic technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (patching). Certification starts from around £300 + VAT for the basic self-assessed version. It is mandatory for many central government contracts that involve handling personal data or providing ICT services. If you handle client data or want to demonstrate security credibility, it is strongly recommended; for qualifying UK businesses it also comes with cyber liability insurance with a £25,000 limit at no extra cost. Even if you do not pursue formal certification, following the Cyber Essentials controls is excellent practical guidance for any small business.
What should I do if my small business gets hacked?
Act within the first hour: isolate affected devices from your network (disconnect from Wi-Fi and ethernet), change all passwords from a clean unaffected device (email first), then call Action Fraud on 0300 123 2040. If personal data was involved, you must report to the ICO at ico.org.uk/report-a-breach within 72 hours of becoming aware — failure to report can result in significant fines. Contact your bank immediately if financial accounts may have been accessed. Notify affected customers if their personal data may have been compromised. Having this process written down before an incident makes an enormous practical difference under pressure.
How much does basic cyber security cost for a small business?
The most impactful basic protections cost very little. A password manager like Bitwarden is free. Multi-factor authentication is free on almost every platform. Automatic software updates cost nothing. Windows Defender and macOS XProtect are built-in and free. The NCSC Small Business Guide is free. The total cost of implementing everything in this guide is under £100 per year for most businesses — possibly nothing at all. Compare that to the UK government's figure of £7,960 as the average cost of a cyber incident for a small business. The return on a few hours and zero to minimal spend is extraordinarily high.
What is the single most important cyber security step for a small business?
If you can only do one thing, enable multi-factor authentication (MFA) on your business email account. Email is the master key to virtually every other account — it is used to reset passwords on banking, accounting software, cloud storage, and every other service. If a criminal gets access to your email, they effectively have access to everything. MFA means that even if they have your password, they cannot log in without a second verification step that only you can provide. The NCSC's research and Microsoft's data both consistently show that MFA blocks over 99% of automated account takeover attacks. It takes five minutes to enable and costs nothing.
Need hands-on cyber security support for your small business?
Workvera provides practical, jargon-free digital support for small UK businesses — including cyber security setup, Cyber Essentials guidance, Google Business Profile management, and ongoing IT advisory. No technical background required. No unnecessary complexity.
Book a Cyber Security Review