Cyber security for a small business means putting the right controls in place to protect your data, your customers' information, and your ability to trade - without spending enterprise-level budgets. It covers everything from the password policy on your email accounts to how you back up your files and who can access your customer database. The good news is that most of the genuinely effective controls are straightforward and affordable, especially when you follow the guidance published by the National Cyber Security Centre (NCSC), which is the UK government body responsible for helping businesses of every size improve their cyber resilience.
Softomate Solutions works with dozens of London and UK-based businesses that previously assumed cyber security was "a big company problem." The data tells a different story. According to the DSIT (Department for Science, Innovation and Technology) Cyber Security Breaches Survey, 50% of UK businesses experienced a cyber breach or attack in the past 12 months. For small businesses, the average cost of a single incident now exceeds £15,000 when you factor in downtime, data recovery, regulatory fines, and the reputational damage of losing client trust.
This guide walks through the practical steps every UK small business should take, in plain English, without jargon.
Small businesses are targeted precisely because cyber criminals assume their defences are weaker than those of larger organisations. Many SMEs have no dedicated IT department, use consumer-grade software, and rely on the same password across multiple systems. Attackers use automated tools to scan millions of IP addresses simultaneously, looking for unpatched software, weak credentials, and misconfigured cloud services. When they find a vulnerability, they exploit it - often without any human making a deliberate decision to "attack" your company specifically.
There are three primary threat actors that London SMEs face regularly:
The NCSC's 2023 Annual Review noted that ransomware remains the most significant cyber threat to UK businesses. For small businesses without a business continuity plan, a single ransomware incident can mean permanent closure.
Understanding the attack types helps you prioritise where to spend your limited security budget. The most common threats facing UK SMEs, in order of frequency, are phishing emails, ransomware, credential stuffing, supply chain attacks, and insider threats.
Phishing accounts for over 80% of cyber incidents reported to the NCSC. Attackers send emails that appear to come from trusted sources - HMRC, a supplier, your bank, or even a colleague. The goal is to trick someone into clicking a malicious link, downloading malware, or handing over credentials. Modern phishing emails are often indistinguishable from genuine messages, especially when attackers use compromised email accounts or domains that are visually similar to legitimate ones (e.g., softomatesolutions vs softomate-solutions).
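The look-alike domain check described above, as an added example that is not code from Softomate Solutions or the original article: it reduces a sender's domain to a skeleton in which hyphens, digit substitutions and a handful of Cyrillic confusables collapse, then compares that skeleton with a constructed list of trusted domains. The trusted domains and sample addresses are assumptions made for the demonstration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Domains this business genuinely receives mail from (constructed list for the example).
TRUSTED_DOMAINS = {"softomatesolutions.co.uk", "hmrc.gov.uk", "yourbank.co.uk"}

# Characters attackers swap in because they look like the letter they replace:
# ASCII digits and a few Cyrillic letters. Not a full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalise(domain: str) -> str:
    """Reduce a domain to a skeleton so that visual look-alikes compare equal."""
    d = domain.lower().translate(CONFUSABLES)
    # Strip accents (e.g. "é" -> "e"), then drop anything that is still non-ASCII.
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    # Two-letter pairs that read as one letter in many fonts.
    d = d.replace("rn", "m").replace("vv", "w")
    # Hyphens, dots and underscores are the cheapest way to forge a near-identical name.
    return re.sub(r"[-._]", "", d)


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of an email address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    skeleton = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalise(trusted)
        # An exact skeleton match catches separator and confusable tricks;
        # a high similarity ratio catches single-character edits and TLD swaps.
        if skeleton == t or SequenceMatcher(None, skeleton, t).ratio() >= 0.9:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: one genuine, three look-alikes, one unrelated.
    for sender in ["accounts@softomatesolutions.co.uk",
                   "accounts@softomate-solutions.co.uk",
                   "billing@s0ftomatesolutions.co.uk",
                   "noreply@hrnrc.gov.uk",
                   "someone@example.org"]:
        print(f"{sender:40} {classify_sender(sender)}")
```

Anything classed as "lookalike" is worth routing to a quarantine or a warning banner rather than blocking outright, because a legitimate supplier occasionally does rebrand to a similar name.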
Ransomware encrypts your files and demands payment - typically in cryptocurrency - for the decryption key. Even if you pay, there is no guarantee your data will be recovered, and you may face further extortion demands. In 2023, UK organisations paid an estimated £350 million in ransomware payments, though the NCSC and the National Crime Agency (NCA) strongly advise against paying. The only reliable protection is a tested, offline backup strategy combined with endpoint protection that can detect and block ransomware behaviour before encryption begins.
Billions of username and password combinations from historic data breaches are freely available on dark web forums. Attackers use automated tools to test these credentials against thousands of services simultaneously. If any of your employees reuse passwords across personal and work accounts, there is a meaningful chance their credentials have already been compromised. Multi-factor authentication (MFA) is the single most effective control against this attack type.
Attackers compromise a supplier or software vendor and use that access to reach the supplier's customers. Even if your own security is excellent, a breach at a third party that has access to your systems or data can expose you. This is why the NCSC recommends that all businesses, including small ones, assess the cyber security posture of their key suppliers.
Not all breaches come from outside. Disgruntled employees, contractors with excessive access rights, or simply someone clicking the wrong link can cause significant damage. Access control - giving people only the access they genuinely need to do their job - is a simple but powerful mitigation.
Cyber Essentials is a UK government-backed certification scheme, administered by the NCSC, that sets out five fundamental technical controls every organisation should have in place. The five controls are: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Organisations that achieve Cyber Essentials certification demonstrate to customers, partners, and insurers that they have addressed the most common attack vectors.
Cyber Essentials certification costs as little as £400 for the self-assessment tier, making it accessible for businesses of all sizes. The higher tier, Cyber Essentials Plus, includes a verified technical audit and provides stronger assurance. If your business supplies services to the UK government, Cyber Essentials certification is mandatory. Many large private sector organisations are now requiring it from suppliers as well.
Beyond the commercial benefits, going through the Cyber Essentials process is genuinely useful. It forces you to audit what devices are on your network, who has administrator-level access, and whether your software is up to date - basic hygiene that many small businesses have never formally reviewed.
UK GDPR, enforced by the Information Commissioner's Office (ICO), requires businesses to implement "appropriate technical and organisational measures" to protect personal data. A cyber breach that exposes customer or employee data is not just an operational crisis - it is likely a reportable incident. The ICO can and does issue significant fines; the maximum is £17.5 million or 4% of global annual turnover, whichever is higher, though in practice fines are scaled to the size and circumstances of the organisation.
For small businesses, the practical requirements are: encrypt personal data at rest and in transit, implement access controls so staff can only see the data they need, maintain a record of what personal data you hold and where it is processed, have a tested data breach response procedure, and report certain breaches to the ICO within 72 hours of becoming aware of them.
The ICO publishes practical guidance aimed at SMEs, and the NCSC provides technical advice that aligns with GDPR obligations. Following both means you are likely to meet your legal requirements without needing a team of lawyers to interpret them.
The following actions are the highest-impact, lowest-cost measures any UK small business can implement. They address the most common attack vectors and align with both Cyber Essentials and NCSC guidance.
MFA requires a second form of verification - typically a code sent to your phone or generated by an authenticator app - in addition to a password. Enable it on email, cloud storage (Microsoft 365, Google Workspace), accounting software, CRM, and any system that holds customer or financial data. MFA blocks approximately 99.9% of credential-based attacks, according to Microsoft's own research. There is no technical reason for a small business not to have MFA enabled across all critical systems today.
Software vulnerabilities are discovered and published every day. When vendors release patches, attackers immediately start scanning for systems that have not yet applied them. Enable automatic updates on operating systems, browsers, and any business-critical software. For Windows devices, Microsoft releases updates on "Patch Tuesday" - the second Tuesday of each month. Ensure these are applied within 14 days of release, as the NCSC recommends.
A backup that has never been tested is not a backup - it is a hope. Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite (or in cloud storage that is not directly connected to your primary systems). Test your backup restore process at least quarterly. If you are hit by ransomware, a verified backup means you can restore your systems without paying the ransom.
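One way to make "tested backup" concrete, as an added example that is not part of the original article: take a SHA-256 manifest of the live data when the backup is made, store it with the backup, and check each restore drill against it for missing, corrupted and unexpected files. The folder layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative path to its SHA-256 so a restore can be checked byte-for-byte."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken from the live data."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),      # never restored
        "corrupt": sorted(f for f in manifest if f in actual and actual[f] != manifest[f]),
        "unexpected": sorted(set(actual) - set(manifest)),   # not in the source at backup time
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: a live folder, then a 'restore' that lost one file and corrupted another."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        files = {
            "customers.csv": b"id,name\n1,Acme Ltd\n",
            "invoices/2024-q1.csv": b"inv,amount\n1001,250.00\n",
            "contracts/msa.txt": b"Master services agreement\n",
        }
        for rel, data in files.items():
            for root in (live, restored):
                Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
                Path(root, rel).write_bytes(data)
        manifest = build_manifest(live)  # taken at backup time; keep it alongside the backup
        Path(restored, "invoices/2024-q1.csv").unlink()               # incomplete restore
        Path(restored, "contracts/msa.txt").write_bytes(b"garbage")   # silent corruption
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for problem, paths in run_demo().items():
        print(f"{problem:10} {paths}")
```

A restore drill passes only when all three lists are empty; anything else means the backup would not have saved you.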
Your team is your most important line of defence and your biggest risk. A single click on a phishing link can compromise your entire network. Regular, practical security awareness training - not a once-a-year compliance tick-box - significantly reduces your exposure. The NCSC offers free e-learning resources specifically designed for small businesses, including training on spotting phishing emails and reporting suspicious activity.
Password reuse is endemic in small businesses. A password manager generates unique, strong passwords for every service and stores them securely. Staff only need to remember one master password. Leading options for business use include 1Password Teams, Bitwarden Business, and LastPass Teams. The cost is typically £3 - £5 per user per month - far cheaper than the cost of dealing with a credential-stuffing breach.
If your business premises has a Wi-Fi network, ensure it uses WPA3 (or at minimum WPA2) encryption. Create a separate guest Wi-Fi network for visitors and ensure it cannot access your internal systems. Review what is exposed to the internet - if you do not need a service accessible from the outside, close the relevant port or disable remote access entirely. The NCSC's free "Cyber Action Plan" tool helps identify quick wins specific to your situation.
There are moments when DIY security genuinely is not enough. If you process significant volumes of payment card data, hold sensitive personal information (medical records, financial data), or operate in a regulated sector such as finance or healthcare, you should consider professional cyber security support. Similarly, if you have experienced a breach, are growing rapidly, or are about to undertake a digital transformation project, professional guidance can save far more than it costs.
Our cyber security consultancy service in London provides small and medium-sized businesses with the expert guidance they need without the cost of hiring a full-time security team. Whether you need a one-off security review, help achieving Cyber Essentials certification, or ongoing advisory support, we work with you at the pace and budget that suits your business.
For businesses with remote or hybrid workforces, protecting the devices your staff use away from the office is equally important. Our endpoint protection services in London cover laptops, desktops, and mobile devices with enterprise-grade security tools configured for SME budgets.
The range is wide, but the floor is lower than most business owners expect. Many of the most effective controls - MFA, patching, backups, staff training - cost nothing beyond staff time. A basic security toolkit for a 10-person business, covering endpoint protection, a password manager, and cloud backup, typically costs £100 - £300 per month. Cyber Essentials certification adds a one-off cost of around £400 for the self-assessment tier.
Contrast this with the cost of an incident. The DSIT survey puts the average cost of a material breach for a small business at over £15,000. For many small businesses, a serious breach means months of disruption, potential ICO investigation, loss of customer trust, and in worst-case scenarios, closure. The comparison is not even close - basic cyber security measures are unambiguously the right business decision.
Cyber insurance is increasingly available for SMEs and can provide a financial safety net for breach response costs, legal fees, and business interruption losses. However, insurers are scrutinising cyber hygiene more carefully. Many policies now require evidence of basic controls - MFA, patching, backups - before they will pay out. Achieving Cyber Essentials certification is increasingly used as evidence of good hygiene for insurance purposes.
An incident response plan does not need to be a 50-page document. For a small business, a clear one-page checklist that everyone knows about is far more useful than an elaborate plan that lives in a folder no one reads. At minimum, your plan should cover: who to call first (your IT provider, your cyber security consultant, or a specialist incident response service), how to isolate affected systems (disconnect from the network without switching off, to preserve forensic evidence), who is responsible for communicating with customers and staff, and how to report to the ICO if personal data has been compromised.
The NCSC publishes a free incident response guide specifically for small organisations. The National Crime Agency also has a reporting mechanism for cyber incidents at its Action Fraud service. Reporting is important - not just for your own investigation but because it helps law enforcement build a picture of the threat landscape affecting UK businesses.
Common signs include unexpected account lockouts, unfamiliar devices appearing on your network, unusual outbound data transfers, ransom messages appearing on screens, contacts receiving emails you did not send, or unexplained charges on business accounts. If you notice any of these, isolate the affected systems from your network immediately and contact a cyber security professional. Many breaches go undetected for weeks or months, so proactive monitoring is always preferable to waiting for obvious symptoms.
If you process personal data, UK GDPR requires you to implement appropriate security measures - making a baseline of cyber security legally mandatory for most businesses. Regulated sectors such as financial services and healthcare have additional, sector-specific requirements. While there is no universal legal requirement to achieve a specific certification, demonstrating compliance with standards like Cyber Essentials significantly reduces your regulatory risk if a breach occurs.
The National Cyber Security Centre is the UK government's authority on cyber security, operating as part of GCHQ. It publishes free, practical guidance for businesses of all sizes, including the Cyber Essentials scheme, the Small Business Guide, e-learning resources, and the Cyber Action Plan tool. The NCSC's guidance is written for non-technical readers and provides a credible, government-backed baseline that holds up to regulatory scrutiny.
The NCSC, the NCA, and law enforcement agencies universally advise against paying ransoms. Payment does not guarantee data recovery, funds criminal organisations, marks you as a business willing to pay (inviting further attacks), and may breach financial sanctions regulations if the ransomware group is a designated entity. The best response is to restore from a verified backup, which is why tested offline backups are the single most important ransomware protection measure.
Security awareness training should be ongoing rather than a single annual session. The most effective approach combines regular short sessions (monthly newsletters, simulated phishing tests, brief video updates on current threats) with a more comprehensive annual training refresh. The NCSC offers free e-learning modules that can be assigned to staff without any specialist IT knowledge required. Simulated phishing exercises, where your own team receives realistic test phishing emails to see who clicks, are particularly effective at changing behaviour.