UK small businesses can block the vast majority of cyber attacks with five free controls and one certification that costs roughly £300 to £500 a year. Turn on multi-factor authentication (MFA) everywhere, which Microsoft data shows stops 99.9% of automated account takeovers; keep software patched; use a password manager with three-random-word passphrases; run regular antivirus; and keep tested backups following the 3-2-1 rule. With 43% of UK businesses reporting a breach in the last 12 months and phishing involved in around 93% of attacks, the threat is real, but the defence is cheap. Getting Cyber Essentials certified also unlocks free £25,000 cyber insurance for firms turning over under £20m and makes you eligible for many public-sector contracts. The average breach costs a UK SME about £15,300, so a weekend of setup work and a few hundred pounds a year is a strong return.
Last updated: June 2026
UK small businesses are targeted precisely because criminals assume they have weak defences, and the data backs that assumption. The government's Cyber Security Breaches Survey consistently finds that around 43% of all UK businesses suffered a breach or attack in the previous 12 months, and small and medium firms collectively lose an estimated £3.4bn a year to cyber crime. The wider cost of cyber crime to the UK economy runs north of £27bn annually. Criminals are not hand-picking your business because you are special; they are running automated tools that scan the whole internet, find the easy doors, and walk through them.
The uncomfortable truth is that most attacks are opportunistic, not targeted. A bot does not know or care whether you are a 4-person accountancy practice in Stanmore or a national retailer. It knows you have an email address, a remote login portal, or a website with an out-of-date plugin. That is the door. Smaller firms are attractive precisely because they are likely to have no dedicated IT security person, no formal policies, and a culture where one busy director clicks links between meetings.
Here is our honest view: the "we are too small to be a target" mindset is the single most dangerous belief in UK SME security. It is exactly backwards. You are not too small to be targeted; you are the perfect size, because you have enough money to be worth stealing and enough busy-ness to be careless. The attacker's economics favour volume. Sending a million phishing emails costs almost nothing, so even a 0.1% success rate is a profitable day.
Consider what makes an SME attractive from the attacker's point of view.
The scale figures matter because they reframe the decision. When only around 3% of UK businesses hold Cyber Essentials and only 22% have a formal incident response plan, doing the basics genuinely puts you ahead of the field. You do not have to outrun the bear; you have to be less exposed than the next firm the bot scans. The good news is that the controls that stop the overwhelming majority of these automated attacks are cheap, fast and well within reach of any business owner reading this.
The four threats that account for almost all real-world SME damage are phishing, ransomware, account takeover and malware, with phishing being the gateway to nearly all of the others. Around 93% of cyber attacks involve phishing in some form, which is why the National Cyber Security Centre (NCSC) treats email and human awareness as the front line. Understanding what each threat actually does helps you prioritise where to spend your limited time and money.
Let us take them in turn, because the defences differ.
The table below maps each threat to its primary defence, so you can see why the action plan in the next section is ordered the way it is.
| Threat | How it usually starts | Primary defence | Cost to defend |
|---|---|---|---|
| Phishing (incl. AI-generated) | Convincing email or text | Staff awareness, verify by phone, MFA | Free to low |
| Ransomware | Malicious attachment or exposed remote login | Tested 3-2-1 backups, patching, MFA | Free to moderate |
| Account takeover | Reused or leaked password | MFA, password manager, unique passwords | Free |
| Malware | Bad download or attachment | Antivirus, updates, least-privilege accounts | Free (built-in) |
Our stance on AI-phishing specifically: be sceptical of any urgent payment or password request, no matter how perfect it reads. The 2026 rule is that you can no longer trust the quality of writing as a signal. Trust the process instead. Any change to bank details, any urgent fund transfer, any password reset gets verified through a separate, known channel, such as phoning the supplier on a number you already had, never the number in the email. If you train your team on one single thing this year, make it this: verify out of band before money or credentials move. That habit alone defeats the most expensive attacks UK SMEs face. For firms already exploring AI tools, it is worth understanding that the same models powering legitimate AI chatbot development can be misused by criminals, which is exactly why human verification stays essential.
You can meaningfully reduce your risk in a single focused afternoon, at zero or near-zero cost, by working through a short ordered checklist. The goal is not perfection; it is to close the easy doors that automated attacks walk through. Most of the items below are free and take minutes. We have ordered them by impact-per-minute so that if you only get halfway, you have still done the highest-value work.
Here is the costed afternoon action plan. Block out three hours, make a coffee, and work top to bottom.
| # | Action | Time | Cost | Why it matters |
|---|---|---|---|---|
| 1 | Turn on MFA for email, banking and cloud accounts | 30 min | Free | Stops 99.9% of automated account takeover |
| 2 | Install a password manager, start moving key logins in | 30 min | Free to £35/yr | Ends password reuse, generates strong unique passwords |
| 3 | Switch on automatic updates on every device | 20 min | Free | Closes known vulnerabilities ransomware exploits |
| 4 | Confirm antivirus is on (Microsoft Defender is fine) | 10 min | Free | Catches common malware |
| 5 | Set up an automatic cloud backup and test a restore | 40 min | £5 to £15/mo | Survive ransomware without paying a ransom |
| 6 | Remove admin rights from day-to-day user accounts | 20 min | Free | Limits the damage any single compromise can do |
| 7 | Brief staff on the out-of-band verification rule | 20 min | Free | Defeats invoice fraud and AI-phishing |
| 8 | Note who to call if something goes wrong | 10 min | Free | A 5-minute incident plan beats panic |
Notice that six of the eight items are completely free, and the two paid items cost less than a single business lunch per month. This is the central message of this guide: the gap between "wide open" and "genuinely well-protected" for a small UK business is measured in hours and tens of pounds, not in expensive consultants and enterprise firewalls.
A few practical notes as you work through it. For MFA, prefer an authenticator app (like Microsoft Authenticator or Google Authenticator) over SMS text codes where you can, because SIM-swap fraud can intercept texts; SMS is still far better than nothing, so do not let perfect be the enemy of good. For backups, the test restore is the part everyone skips and the part that actually matters. A backup you have never restored is a hope, not a backup. Pick one folder, delete a test file, and restore it, so you know the process works before you need it at 2am during an incident.
If your business runs core operations through cloud tools and you want this hardening done properly across every account, payroll system and customer database, that is exactly the kind of structured rollout a business process automation partner handles as part of a wider operational review, rather than you doing it piecemeal between client calls.
Multi-factor authentication is the single most effective control because it makes a stolen password almost worthless, blocking roughly 99.9% of automated account-compromise attacks according to Microsoft's data, and the NCSC names it the top technical control for exactly this reason. MFA means that even if a criminal has your password, from a breach, a phishing kit or a reused login, they still cannot get in without the second factor sitting in your pocket. It is the closest thing to a silver bullet that exists in everyday security, and it is free.
The logic is simple. Most account takeovers depend entirely on the password being the only barrier. Add a second factor and the entire economy of automated attacks collapses, because the bot that just bought a million leaked passwords cannot also be holding a million phones. This is why we tell every client the same thing: if you do only one item from this entire guide, turn on MFA for your email first. Email is the master key, because almost every other account can be reset through it.
Passwords still matter, but their job has changed. Instead of memorising a dozen complex passwords (which leads to reuse, the real killer), you use a password manager to generate and store a unique random password for every account, and you only have to remember one strong master password. The NCSC recommends building that master password from three random words, which produces something long, memorable and hard to crack, such as a phrase combining three unrelated everyday words. Length beats complexity. A long passphrase of ordinary words is stronger and far easier to remember than a short string of symbols.
The table below compares the realistic password approaches a small business takes.
| Approach | Security | Convenience | Our verdict |
|---|---|---|---|
| One password reused everywhere | Very poor | High | Never. One breach unlocks everything. |
| Memorised complex passwords | Moderate | Poor | Leads to reuse and sticky notes. |
| Three random words, no manager | Good | Moderate | Fine for the master password only. |
| Password manager + unique passwords + MFA | Excellent | High | The standard. Do this. |
Our honest rule on this: stop trying to be a human password vault. It does not work, it never worked, and the reused-password habit it creates is responsible for a huge share of real breaches. Hand the job to a password manager, protect the manager with a three-random-word master password and MFA, and you have removed an entire category of risk. Reputable password managers cost between £0 (free tiers and the built-in browser options) and around £35 a year for a business plan with shared vaults, which is trivial against the cost of a single account takeover. When we build a custom CRM or any system that holds client data for a client, enforced MFA and unique credentials are baked in from day one, not bolted on later.
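As an added example (not code from the guide or from Softomate Solutions), the script below does the three jobs this section describes: it builds a three-random-word master passphrase, generates the kind of long per-account password a manager stores, and runs the reuse audit that manager tools perform over a vault. The twelve-word list and the sample vault are constructed for the demo; the 7,776-word list size used in the entropy figure is an assumption based on the common diceware-style lists, and the strength numbers printed are for the assumed list, not for the tiny demo list.

```python
# Added example: three-random-word passphrase, manager-style password, reuse audit.
import math
import secrets
import string

# Constructed demo word list. A real generator draws from a list of several
# thousand common words; DICEWARE_LIST_SIZE below is an assumed size for such a list.
SAMPLE_WORDS = ["harbour", "pencil", "velvet", "tractor", "lantern", "meadow",
                "biscuit", "saddle", "whistle", "orchard", "copper", "puffin"]
DICEWARE_LIST_SIZE = 7776
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def three_random_words(words=SAMPLE_WORDS, count=3, sep="-"):
    """Master passphrase: `count` words picked with the `secrets` CSPRNG.
    Never use the `random` module for this; its output is predictable."""
    return sep.join(secrets.choice(words) for _ in range(count))


def manager_password(length=20, alphabet=MANAGER_ALPHABET):
    """Per-account password as a manager would generate it: long, random, unique."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of `positions` independent picks from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def find_reuse(vault: dict) -> dict:
    """Return every password shared by more than one account, mapped to those
    accounts. This is the 'one breach unlocks everything' check."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    print("master passphrase:", three_random_words())
    print("manager-generated password:", manager_password())
    print(f"3 words from a {DICEWARE_LIST_SIZE}-word list: "
          f"{entropy_bits(DICEWARE_LIST_SIZE, 3):.1f} bits")
    print(f"20 random symbols from {len(MANAGER_ALPHABET)}: "
          f"{entropy_bits(len(MANAGER_ALPHABET), 20):.1f} bits")
    # Constructed vault with one reused password across two accounts.
    demo_vault = {"email": "Summer2024!", "bank": "Summer2024!", "cloud": manager_password()}
    print("reused passwords:", find_reuse(demo_vault))
```

The split of labour is the point: the human remembers one memorable passphrase and the manager holds the long random ones, so `find_reuse` should come back empty once every account has been moved in.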
Backups, patching and antivirus form the resilience layer that lets you survive an attack that gets through, and the rule that ties them together is "3-2-1 backups, automatic updates, and antivirus left switched on". These three are unglamorous, which is exactly why so many businesses neglect them, and exactly why neglecting them is so often fatal. If MFA and passwords stop the attack starting, this layer determines whether an attack that lands is an inconvenience or a catastrophe.
Start with backups, because they are your last line of defence against ransomware. The 3-2-1 rule is the established standard: keep three copies of important data, on two different types of storage, with one copy kept off-site or offline.
The off-site or offline copy is the one that saves you. Ransomware specifically hunts for connected backups and encrypts them along with everything else, so a backup drive permanently plugged into the same machine is no protection. The other non-negotiable is restore testing. Schedule a quarterly test where you actually restore files from each backup and confirm they open. A frightening number of businesses discover during an incident that their backups were silently failing for months. Test, or you do not really have a backup.
Patching is next. Most successful malware and ransomware exploit known vulnerabilities for which a fix already exists; the firm simply had not applied the update. The defence is to turn on automatic updates everywhere: operating systems, browsers, phones, and crucially any business applications and website plugins. The window between a vulnerability being announced and being exploited is now days, sometimes hours, so manual monthly patching is too slow. Automate it.
Antivirus is the simplest of the three. On modern Windows, Microsoft Defender is built in, free, and genuinely good; for most small businesses it is entirely sufficient, and you simply need to confirm it is switched on and updating. Paid endpoint protection adds value for larger or higher-risk firms, but do not let a sales pitch convince you the free built-in option is worthless. It is not.
| Control | Minimum standard | What "good" looks like | Common failure |
|---|---|---|---|
| Backups | One automatic cloud backup | 3-2-1 with offline copy, tested quarterly | Never restoring; backup plugged in permanently |
| Patching | Auto-updates on OS | Auto-updates on OS, apps, plugins, phones | Out-of-date website plugins |
| Antivirus | Microsoft Defender on | Defender or managed endpoint, monitored | Disabled or never checked |
Our stance: of these three, backups are the one to obsess over. Patching and antivirus reduce how often you get hit; backups decide whether being hit ends your business. If you have a tested, offline backup, ransomware becomes a bad week instead of a closure. We have seen the difference first-hand, and it is the single clearest line between firms that recover and firms that do not. Sites and applications we build with our web application development team ship with automated, versioned backups precisely so a client is never one bad day from losing everything.
Cyber Essentials is the UK government-backed certification scheme that verifies you have five basic technical controls in place. It costs roughly £300 to £500 a year for the self-assessed level, and for most small businesses it is clearly worth it, because it also unlocks free £25,000 cyber insurance and makes you eligible for many public-sector and corporate contracts. Run by the NCSC and delivered through IASME, the scheme is deliberately pitched at the level a small business can achieve without an IT department. If you have done the afternoon action plan above, you are most of the way to passing already.
The five technical controls Cyber Essentials checks are the same fundamentals this guide has covered, which is not a coincidence; they are the controls that stop the common attacks.
There are two tiers. The standard Cyber Essentials is a verified self-assessment questionnaire, while Cyber Essentials Plus adds a hands-on technical audit by an assessor who tests your systems directly. The pricing below reflects typical 2026 UK figures; exact costs vary slightly by certification body and your organisation size.
| Tier | What it involves | Typical 2026 cost | Best for |
|---|---|---|---|
| Cyber Essentials | Verified self-assessment questionnaire | £300 to £500 + VAT per year | Most small businesses, contract eligibility |
| Cyber Essentials Plus | Self-assessment plus hands-on technical audit | £1,999 to £2,250 or more + VAT per year | Firms bidding for larger or government contracts |
Now the return on investment, because this is where the decision becomes easy. First, the free cyber insurance: organisations with a head office in the UK and an annual turnover under £20m that achieve the standard Cyber Essentials certification (and certify their whole organisation) qualify for £25,000 of cyber insurance included at no extra cost. That alone often covers the certification fee in value. Second, contract eligibility: Cyber Essentials is mandatory for many central government contracts handling sensitive information, and a growing number of private-sector buyers now require it from their suppliers. If you sell to larger organisations, the certificate is increasingly a ticket to even bid. Third, the discipline: going through the questionnaire forces you to actually verify your controls rather than assume them.
Our honest opinion: for a typical UK small business, standard Cyber Essentials is one of the highest-return spends available in the whole security budget. A few hundred pounds buys you a credibility badge clients recognise, free insurance, contract access, and the structure to lock in the basics. Cyber Essentials Plus is worth it only if your customers or contracts specifically demand the audited level, or if you handle particularly sensitive data and want independent verification. Do not pay for Plus out of vanity; pay for it when a contract requires it. Given that only around 3% of UK businesses hold any Cyber Essentials certification, getting it genuinely sets you apart in supplier vetting.
Under UK GDPR you must put in place "appropriate technical and organisational measures" to protect personal data, and if a breach occurs that risks people's rights, you generally have to report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. This is not optional and it applies to businesses of every size that hold personal data, which in practice means almost all of them: customer records, staff details, email lists and supplier contacts are all personal data. The legal obligation is one more reason the controls in this guide are not just good practice but part of compliance.
The phrase "appropriate technical and organisational measures" is deliberately not a prescriptive checklist, but the ICO and NCSC have made clear that the kind of basics covered here, MFA, access control, patching, encryption and staff training, are what "appropriate" looks like for a small business. Crucially, if you achieve Cyber Essentials, you have strong evidence that you took reasonable measures, which matters enormously if you ever have to demonstrate to the ICO that you did the right things before an incident.
When something does go wrong, you need to know the steps in advance, because the 72-hour clock is unforgiving and panic wastes hours. Every small business should write down a simple incident-response template before it is needed.
The table below clarifies who you report what to, because this trips people up.
| Situation | Report to | Deadline |
|---|---|---|
| Personal data breach with risk to people | ICO | Within 72 hours of becoming aware |
| Cyber crime or fraud (e.g. ransomware, theft) | Action Fraud | As soon as practical |
| High-risk breach affecting individuals | The affected individuals | Without undue delay |
| Bank fraud or payment diversion | Your bank, immediately | Same day |
Our stance here is blunt: write your incident plan now, while you are calm, not during the breach. It does not need to be long. A single page taped inside a cupboard with the steps above, the ICO link, the Action Fraud number, your bank's fraud line and the name of who decides what, beats a fancy 40-page policy nobody can find at 2am. Remember that only around 22% of UK businesses have any formal incident plan, so even a one-page version puts you well ahead. The combination of "appropriate measures" plus a written plan is precisely what regulators expect, and exactly what protects you if the worst happens.
Softomate Solutions hardens a UK small business through a structured five-stage process that typically runs over two to four weeks and ends with you Cyber Essentials-ready, with fixed-quote pricing agreed before any work starts so there are no surprises. We are a London-based software, automation and digital agency in Stanmore (HA7), and while we build AI systems, CRMs and automated workflows day to day, security is woven through everything we deliver because the systems we build hold our clients' most sensitive data. Below is exactly how an engagement runs.
The five stages are deliberately sequenced so that the highest-impact, lowest-cost controls land first, mirroring the afternoon plan earlier but executed and verified properly across your whole estate.
The indicative timeline and pricing below show how a typical engagement maps out. Every project is fixed-quote: we agree the scope and price up front, so you know the cost before you commit.
| Stage | Timeframe | Outcome |
|---|---|---|
| 1. Discovery and risk review | Days 1 to 3 | Plain-English risk summary |
| 2. Quick wins rollout | Week 1 | MFA, password manager, updates live |
| 3. Resilience build | Week 2 | Tested backups, access control, incident plan |
| 4. Cyber Essentials readiness | Week 3 | Certification-ready, insurance eligible |
| 5. Staff training and handover | Week 4 | Trained team, clear documentation |
Pricing starts from £1,200 for a focused small-business hardening and Cyber Essentials readiness engagement, with most projects landing between £1,200 and £3,500 depending on the number of users, devices and cloud systems involved. Cyber Essentials certification fees (the £300 to £500 to the certification body) are separate and paid directly to IASME, so you are never marked up on them. If you also want us to build or secure custom systems, an AI automation workflow, a CRM, an Odoo ERP implementation or a mobile app, security is designed in from the first line of code rather than added as an afterthought.
Our promise is simple: clear scope, fixed quote, plain English, and a business that is genuinely harder to attack at the end than it was at the start. If you want to talk it through with no obligation, our team is in Stanmore and happy to have an honest conversation about where your real risks are.
The core controls are free or near-free: MFA, patching and antivirus cost nothing, and a password manager runs £0 to £35 a year. Cyber Essentials certification adds roughly £300 to £500 a year. A full professional hardening engagement typically costs £1,200 to £3,500 one-off, with backups around £5 to £15 a month.
It is not legally mandatory for all businesses, but it is required for many central government contracts handling sensitive information, and a growing number of private buyers demand it from suppliers. UK GDPR separately requires "appropriate technical and organisational measures", and Cyber Essentials is strong evidence you have met that standard.
Turn on multi-factor authentication (MFA) for your email account first, then your banking and cloud services. Microsoft data shows MFA blocks about 99.9% of automated account takeovers, and the NCSC names it the top technical control. It is free, takes about 30 minutes, and protects you even if your password is stolen.
If a personal data breach is likely to risk people's rights and freedoms, you must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. You should also report cyber crime to Action Fraud, notify affected individuals if the risk to them is high, and contact your bank immediately for payment fraud.
Keep 3 copies of important data, on 2 different types of storage, with 1 copy kept off-site or offline. The offline copy is what saves you from ransomware, which hunts for and encrypts any connected backups. Always test a restore, because an untested backup is a hope, not a safeguard.
For most UK small businesses, yes. Microsoft Defender is built into modern Windows, free, and genuinely effective against common malware, so you simply need to confirm it is switched on and updating. Paid endpoint protection adds monitoring and value for larger or higher-risk firms, but the built-in option is far from worthless.
Stop relying on spelling and grammar as warning signs, because AI-written phishing is flawless and contextually convincing. Instead, verify any request for money, bank-detail changes or passwords through a separate known channel, such as phoning the supplier on a number you already had. This out-of-band verification habit defeats the most expensive attacks.
UK-headquartered organisations with annual turnover under £20m that achieve standard Cyber Essentials, certifying their whole organisation, qualify for £25,000 of cyber insurance included at no extra cost. It helps cover incident response and recovery costs. Exact terms come from the insurer via IASME, so confirm the conditions when you certify.
Yes. Strong passwords help, but they can still be stolen through phishing, malware or third-party breaches and password reuse. MFA adds a second factor a criminal does not have, which is why it stops around 99.9% of automated account takeovers. Use both: unique strong passwords in a manager, plus MFA everywhere.
Report cyber crime and fraud to Action Fraud on 0300 123 2040 or online. Report personal data breaches that risk individuals to the ICO within 72 hours. Contact your bank immediately for any payment fraud, and notify affected customers if their risk is high. Keep these contacts on a one-page incident plan.
Cyber security for a UK small business comes down to a short, achievable list. Turn on MFA everywhere, the control that blocks roughly 99.9% of automated takeovers; use a password manager with three-random-word passphrases; automate your updates; keep antivirus on; and maintain tested 3-2-1 backups with an offline copy. Add Cyber Essentials certification for £300 to £500 a year to unlock free £25,000 cyber insurance and open up contracts. Write a one-page incident plan covering the ICO 72-hour rule and Action Fraud, so a breach is handled, not fumbled. With 43% of UK businesses hit each year and the average SME breach costing about £15,300, an afternoon of work and a few hundred pounds is one of the best returns in your budget. You do not need to be a security expert; you need to close the easy doors before the next automated scan finds them, and now you know exactly which doors those are.
If you would rather have this done properly and verified across every account, system and device, our team can harden your business and get you Cyber Essentials-ready on a fixed quote: talk to a London automation and security agency that builds resilience in from day one, or simply get in touch for an honest conversation about your real risks.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software, CRMs and automation systems for UK businesses, Deen has helped firms across London and beyond secure the systems their operations depend on. Softomate Solutions is a registered company at Companies House, and the team designs security into every build rather than treating it as an afterthought. Learn more about Softomate Solutions and how we help UK small businesses build resilient, automated and secure operations.
We protect the real names of all clients featured in examples and case studies. Every testimonial is from a real client.