How to protect your small business from cyber attacks: Essential cyber security steps for UK SMEs in 2026 

Dec 16, 2025

If you’re a small business owner in the UK, cyber security probably feels like just another thing on an already overwhelming to-do list. Between managing staff, keeping customers happy, and keeping the lights on, finding time to think about digital threats can feel impossible.

But here’s the reality: businesses experienced an estimated 7.7 million cyber crimes [1] over the past year, and many of these attacks specifically target smaller organisations. The good news? You don’t need a huge budget or technical expertise to dramatically improve your security posture.

We recently sat down with Chris White, Head of Cyber at the South East Cyber Resilience Centre, to discuss practical cyber security measures that actually work for time-strapped SME owners. What emerged was a clear roadmap that any business can follow – starting today. Watch our video here to hear the full conversation.

Understanding the real cyber threats facing UK small businesses 

Before we dive into solutions, it’s important to understand what you’re up against. The threat landscape for small businesses has fundamentally changed.

The “I’m too small to be targeted” myth 

This is perhaps the most dangerous misconception in cyber security. Chris was direct about this during our conversation: “You’ve got the most important thing to a small business. You’ve got brand, you’ve got reputation, you do have data. If I can get access to your website, if I can take over your email accounts, if I can disrupt your social media accounts, I’m having an impact and I’m disrupting your business.”

Recent government data confirms this isn’t just theory. 43% of UK businesses [2] experienced a cyber security breach or attack in 2025, affecting an estimated 612,000 organisations. For context, that’s happening to nearly half of all businesses operating in the UK.

Why automation makes everyone a target 

Modern cyber attacks aren’t personal. They’re automated, industrial-scale operations. “Sometimes I said it’s probably a privilege to be hacked by a real life human,” Chris explained. “You’re more than likely going to be targeted by what’s called a botnet, a bunch of computers that would just scan the Internet.”

The scale is staggering. Chris shared that if you connect a brand new computer to the internet, it will likely be scanned within eight hours. If that computer stays on continuously for 24 hours, it could be scanned at least three times – first to identify it exists, then to catalogue vulnerabilities, and finally to begin exploiting weaknesses.

This isn’t about sophisticated hackers specifically choosing your business. It’s about automated systems continuously scanning the internet for easy targets. Phishing attacks remain the most prevalent threat, affecting 84% of businesses [2] that reported breaches in 2024.

The real cost of cyber attacks for SMEs 

Beyond the immediate financial impact, cyber attacks can be business-ending events. Chris noted findings from his work with arrested criminals: they admitted they don’t need sophisticated tools “because the public or the business owners are making it so easy for us.”

Recent research paints a sobering picture of the aftermath. Studies show that a significant proportion of small businesses struggle financially after an attack, with some research suggesting that up to 60% of affected small businesses cease trading within six months of a serious breach [3].

Five fundamental cyber security steps every SME should take 

The encouraging news is that most cyber attacks exploit basic vulnerabilities. By addressing these five areas, you create a security foundation that stops the majority of threats.

1. Keep every device updated (and actually restart them)

This sounds almost too simple, but it’s critical. “It’s such an easy fix,” Chris emphasised. “I would say do you really need an IT company to help you do that is turn on the laptop, turn on the smartphone, click the auto update or just press the update button.”

Why updates matter so much:

When hackers discover a vulnerability in software, they share it within their communities. Software manufacturers then create patches to fix these problems, but they must publicly announce the fix – which alerts all the criminals who didn’t previously know about the vulnerability. From that moment, everyone using that software becomes a target unless they update.

The restart problem:

Many business owners and employees resist restarting their devices because they have multiple browser tabs open or important work in progress. But here’s what Chris had to say about that orange update notification: “If you get an orange icon there that says I’m due an update and I can only install it when I restart, don’t ignore it because that’s a vulnerability. That’s like you getting home and seeing that your front door lock is broken on the house door.”

Practical solutions:

  • Enable automatic updates on all devices
  • Bookmark frequently used websites rather than relying on open tabs (opening a site from a bookmark instead of from a link in an email also protects against phishing)
  • Schedule restart times during lunch or end of day when disruption is minimal
  • Remember that restarting also refreshes system resources, making devices run faster

As Chris put it: “You’ve now got five minutes to leave the desk, go and get a cup of tea, get some steps in and look after your own health as well.”

2. Implement strong passwords and multi-factor authentication


Password security remains one of the weakest links for many organisations. The National Cyber Security Centre’s guidance is straightforward: use three random words joined together, creating passwords at least 12 characters long [4].

Password requirements for Cyber Essentials:

  • At least 8 characters if linked to two-step verification
  • At least 12 characters without two-step verification
  • Never save passwords in your browser

Why multi-factor authentication is essential:

Two-step verification (also called multi-factor authentication or MFA) adds a crucial second layer of protection beyond your password. While SMS verification to mobile phones was traditional, Chris recommended a more secure approach: “If the text message comes through to your phone, criminals are finding ways to intercept mobile phone lines. But if it’s an authenticator app, it’s on your phone, they can’t get access to that.”

Popular authenticator apps include Microsoft Authenticator, Google Authenticator, and Authy. These generate time-based codes that change every 30 seconds, making them far more secure than SMS messages.
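To show why an authenticator code cannot be intercepted the way a text message can, here is an added example (our code, not from the article or from any authenticator vendor): a minimal RFC 6238 TOTP generator in PowerShell. The phone and the service each hold the same secret from enrolment and derive the code locally from the clock, so no code ever travels over the mobile network; the Base32 secret used below is the published RFC 6238 test vector, not a real account’s.

```powershell
# Added example, not code from the article or any vendor's authenticator app.
# Minimal RFC 6238 TOTP: the code is computed from a secret shared at enrolment
# and the current 30-second time window, so nothing is sent to the phone.

function ConvertFrom-Base32 {
    # Enrolment QR codes carry the secret as Base32 text; decode it to bytes.
    param([string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = -join ($Text.ToUpper().TrimEnd('=').ToCharArray() | ForEach-Object {
        [Convert]::ToString($alphabet.IndexOf($_), 2).PadLeft(5, '0') })
    [byte[]]$bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return ,$bytes
}

function Get-TotpCode {
    param([byte[]]$Secret, [long]$UnixTime, [int]$Digits = 6, [int]$StepSeconds = 30)
    # Time counter: number of whole 30-second windows since the Unix epoch, big-endian.
    $counter = [long][math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    # HMAC-SHA1 over the counter with the shared secret (RFC 4226 / RFC 6238).
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: 31 bits taken at an offset chosen by the last nibble.
    $o = $hash[19] -band 0x0F
    $bin = (($hash[$o] -band 0x7F) -shl 24) -bor ($hash[$o + 1] -shl 16) -bor
           ($hash[$o + 2] -shl 8) -bor $hash[$o + 3]
    return ($bin % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Self-check against the RFC 6238 test vector: ASCII secret "12345678901234567890"
# (Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at Unix time 59 gives the 6-digit code 287082.
$rfcSecret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
if ((Get-TotpCode -Secret $rfcSecret -UnixTime 59) -ne '287082') { throw 'TOTP self-check failed' }

# A live code for the current 30-second window, as an authenticator app would show it.
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
"Code for this 30-second window: $(Get-TotpCode -Secret $rfcSecret -UnixTime $now)"
```

Because the service computes the same value from its own copy of the secret, a criminal who can read your text messages gains nothing; the only things to protect are the secret on the phone and the phone itself.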

3. Enable and configure firewalls properly

Chris used a helpful analogy to explain firewalls: “If the burglar is walking down a residential street and they see a window open, they could exploit it. It’s a weakness, isn’t it? On a computer, we’d call that a port.”

Most devices come with firewalls available, but they must be actively enabled. “It’s not a case of it’s an optional extra, it should be turned on by default,” Chris stressed.

Additional configuration steps:

When you buy a new laptop, it typically runs in administrator mode, allowing system-wide changes. This is convenient but dangerous. Chris recommended creating a standard user account for day-to-day work instead. This limits what malware can do if it gets onto your device, as standard users cannot install software or make system-wide changes.

4. Use BitLocker to encrypt your data

BitLocker encrypts data on storage devices, protecting it even if your device is lost or stolen. “If you drop it or it gets left on a bus or anything like that, you’ve still got that protection around the device. They can’t get to the hard drive,” Chris explained.

This applies to all storage devices:

  • Laptops and desktop computers
  • External hard drives
  • USB memory sticks

Encryption ensures that even if someone physically obtains your storage device, they cannot access the data without the encryption key.

5. Back up your data regularly

The ICO recommends backing up data regularly, storing backups somewhere other than your main workplace, encrypting them, and ensuring they’re not connected to your live data source.

Why backups matter:

Ransomware attacks have become increasingly common. Ransomware incidents have seen a significant 70% increase compared to previous years. These attacks encrypt your files and demand payment for the decryption key. With proper backups, you can restore your data without paying the ransom.

Best practices for backups:

  • Automate backups to run weekly at minimum (daily for critical data)
  • Store backups off-site or in cloud storage
  • Ensure backups are encrypted
  • Test your backups regularly to confirm they actually work
  • Keep backups disconnected from live systems to prevent ransomware spreading to them

Understanding Cyber Essentials: Your security baseline 

While individual security measures help, Cyber Essentials provides a comprehensive framework that brings everything together. It’s a government-backed certification scheme that covers five key technical controls, and it’s becoming increasingly important for UK businesses.

Why Cyber Essentials matters 

The statistics tell a compelling story. Organisations with Cyber Essentials controls in place make 92% fewer insurance claims compared to those without certification [5].

Chris highlighted a powerful case study: “There’s a company called St. James Place Wealth Management Company, they implemented Cyber Essentials across their whole supply chain and they reduced – in the first year after that happened – all their incidents by 80%.”

Who needs Cyber Essentials? 

The certification is particularly relevant for:

  • Government contractors: Required for most public sector contracts
  • Supply chain partners: Many larger organisations now require their suppliers to have Cyber Essentials
  • Ministry of Defence suppliers: Essential for defence-related work
  • Any business seeking to demonstrate security commitment: Increasingly expected by customers and partners

As Chris noted, supply chain security has become crucial: “If you’re part of the supply chain, you’re only as strong as your weakest link.” Recent high-profile incidents have affected small businesses that support larger organisations, making certification increasingly important.

The cost and process 

Cyber Essentials certification typically starts from £350 for the basic self-assessment route. The Plus version, which includes an external technical assessment, starts from £1,250 per day.

The scheme is reviewed annually by IASME, the governing body, ensuring it stays current with evolving threats. Even if you don’t pursue certification immediately, working through the self-assessment helps identify gaps in your security posture.

Securing your cloud services: The Microsoft 365 challenge 

For startups and sole traders, cloud services like Microsoft 365 have become the default IT infrastructure. But Chris highlighted a critical problem: these services come with security features available, but none of them are configured by default.

“The product’s good. The weakness is the connection with the product,” he explained. “You connecting to the product and telling how you want that product to behave. And if you don’t get the security configuration, the connection between you logging in and that device, you get that a little bit wrong, then that’s where your weakness and exploit is.”

What needs configuring in Microsoft 365 

The Business Premium licence bundles extensive security features, but they require proper configuration:

  • Multi-factor authentication for all users
  • Conditional access policies
  • Data loss prevention rules
  • Mobile device management
  • Email security settings
  • User permission levels
  • External sharing restrictions

Critical timing: 

All of this configuration should happen before you start uploading company data, connecting websites, or creating customer portals. Hardening your cloud tenancy before filling it with information is crucial.

Beyond Microsoft 365 

This applies to any cloud software you adopt – whether for invoicing, calendars, customer relationship management, or e-commerce. The connections between these different services are where vulnerabilities often appear.

Chris gave a practical example: “It could be simple, couldn’t it? Like you own a bakery, you spin up a website and you have a shopping basket, so you buy 10 croissants and five cakes. Because customers now want this click and collect.”

Each of these integrations – the website, the payment processor, the booking system, the customer portal – needs proper security configuration. The more connected your business becomes, the more potential entry points exist for attackers.

Making cyber security tangible: Physical world comparisons 

Throughout our conversation, Chris drew helpful parallels between digital and physical security. These comparisons make abstract concepts immediately understandable.

The office building analogy 

Consider how you secure a physical office building:

  • Access control: Doors only open when allowed (like firewalls controlling network access)
  • Reception validation: Staff check names, appointments, and purpose (like authentication)
  • Turnstiles for staff: Identity access management with badge systems (like user permissions)
  • Maintenance teams: Fix broken items like toilet seats (like security updates)
  • CCTV and alarms: Monitor for threats (like security monitoring software)

“We’re doing it in a conventional world,” Chris said. “What’s the point of me breaking into a building, in the conventional sense, when actually it’s probably easier if I just go through your router because you’ve not put the firewall on.”

The broken door lock comparison 

Chris used another vivid comparison for ignoring update notifications: “That’s like you getting home and seeing that your front door lock is broken on the house door. Would you be comfortable just going to sleep all night knowing that that door lock is broken or would you fix it?”

These physical analogies help business owners understand that digital security deserves the same attention and investment as physical security. You wouldn’t leave your office unlocked overnight. Why would you leave your digital assets unprotected?

What we can learn from cybercriminals 

Chris shared valuable insights from his experience interviewing arrested cybercriminals. When asked what sophisticated tools they used, some responded surprisingly: they didn’t need advanced methods because “the public or the business owners are making it so easy for us.”

This reinforces a crucial point: you don’t need to be impenetrable. You just need to be more secure than the easiest targets. Basic cyber hygiene significantly raises the barrier to entry, causing automated attacks to move on to softer targets.

Think of it like bicycle locks. A determined thief with proper tools can defeat any lock given enough time. But most bike thieves are opportunistic – they look for unlocked bikes or weak locks and move on when they encounter proper security. Cyber attacks work the same way.

The South East Cyber Resilience Centre: Free support for UK businesses 

One of the most valuable takeaways from our conversation was learning about the free support available through the Cyber Resilience Centres network.

The South East Cyber Resilience Centre is one of nine regional centres across England and Wales, established by the Home Office and law enforcement to support small businesses, charities, and SMEs with cyber security guidance.

“We’ve been stood up by Home Office and Law Enforcement to offer cyber security guidance and help, services to those small businesses, be it a charity or an SME, just to get their computers safer online,” Chris explained.

What the centres offer 

The centre’s work includes:

  • Speaking with cybercrime victims through police channels
  • Attending B2B expos and community events
  • Working with managed service providers
  • Providing free security assessments
  • Delivering staff training on current threats
  • Offering guidance on security configurations

“It’s a fully funded public service that we’re offering now,” Chris noted. “We’ve got 10 services now which we can offer small business organisations.”

Why this matters 

These services address a fundamental challenge: many businesses don’t take cyber security seriously until they experience an incident. By then, the damage is done – financially, reputationally, and operationally.

The centres aim to reach businesses before they become victims, providing practical guidance accessible to organisations without dedicated IT staff. It’s essentially “boots on the ground” policing for the digital age.

Where to start to create your cybersecurity action plan

If you’re feeling overwhelmed, here’s a practical roadmap organised by timeframe:

Today (30 minutes) 

  1. Enable automatic updates on all business devices
  2. Restart any devices showing update notifications
  3. Check if firewalls are enabled on all computers
  4. Review which staff have administrator privileges (most shouldn’t)
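To make these four checks repeatable across a handful of office PCs, here is an added example (our script, not the article’s or the Cyber Resilience Centre’s) that audits them on one Windows 10/11 machine without changing anything; it also reports BitLocker, which is this week’s item 3. The 30-day patch age and the two-administrator threshold are our assumptions, not figures from the article.

```powershell
# Added example, not code from the ERGOS article or the Cyber Resilience Centre.
# Read-only audit of the "Today" checklist on a Windows 10/11 PC. Run it in an
# elevated PowerShell window (BitLocker status needs admin rights). It changes
# nothing; it reports PASS/WARN so you know which item to fix first.
# Assumed thresholds (ours, not from the article):
$MaxPatchAgeDays = 30   # newest installed update older than this -> WARN
$MaxLocalAdmins  = 2    # e.g. built-in Administrator plus one IT admin account

function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{
        Check  = $Check
        Status = $(if ($Ok) { 'PASS' } else { 'WARN' })
        Detail = $Detail
    }
}

$results = @()

# 1. Automatic updates. A Group Policy value NoAutoUpdate = 1 switches them off;
#    on an unmanaged PC the key usually does not exist, which means "enabled".
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).NoAutoUpdate
$results += New-CheckResult 'Automatic updates' ($noAuto -ne 1) `
    $(if ($noAuto -eq 1) { 'disabled by policy (NoAutoUpdate=1)' } else { 'not disabled by policy' })

#    Patch age: how long since an update was last actually installed.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { -1 }
$results += New-CheckResult 'Recent patching' ($ageDays -ge 0 -and $ageDays -le $MaxPatchAgeDays) `
    $(if ($latest) { "newest update $($latest.HotFixID) installed $ageDays day(s) ago" } else { 'no install dates found' })

# 2. Restart pending. Windows Update creates this key when an installed update
#    is waiting for a reboot, i.e. the "orange icon" state the article describes.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$pending = Test-Path $rebootKey
$results += New-CheckResult 'No restart pending' (-not $pending) `
    $(if ($pending) { 'an update is waiting for a restart' } else { 'nothing waiting' })

# 3. Firewall on for every profile (Domain, Private, Public).
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name)
$results += New-CheckResult 'Firewall enabled (all profiles)' ($off.Count -eq 0) `
    $(if ($off.Count) { "disabled on: $($off -join ', ')" } else { 'all profiles on' })

# 4. Who is a local administrator? Day-to-day user accounts should not be in this list.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
$results += New-CheckResult 'Local administrators reviewed' ($admins.Count -le $MaxLocalAdmins) `
    "members: $($admins -join ', ')"

# This week's item 3, checked here too: BitLocker protection on the Windows drive.
$bl = $null
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}
$results += New-CheckResult "BitLocker on $env:SystemDrive" ($null -ne $bl -and $bl.ProtectionStatus -eq 'On') `
    $(if ($bl) { "ProtectionStatus=$($bl.ProtectionStatus), VolumeStatus=$($bl.VolumeStatus)" } else { 'BitLocker cmdlets unavailable (not elevated, or Windows Home edition)' })

$results | Format-Table -AutoSize
```

Run it on each machine and fix the WARN rows in the order the checklist gives them; the admin-group line is the one that usually needs a human decision about who really needs those rights.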

This week (2-3 hours) 

  1. Set up authenticator apps for critical accounts (email, banking, cloud services)
  2. Audit your current passwords – ensure all meet the 12-character minimum
  3. Enable BitLocker on all laptops and storage devices
  4. Stop saving passwords in browsers (start using a password manager if needed)

This month (1 day) 

  1. Configure your Microsoft 365 security settings properly
  2. Set up automated backups for critical data
  3. Test your backups to ensure they actually work
  4. Create standard user accounts for daily work (not administrator accounts)
  5. Review and update access permissions – remove former employees, limit current access

This quarter (ongoing) 

  1. Investigate Cyber Essentials certification for your business
  2. Schedule staff training on recognising phishing emails
  3. Document your security policies and procedures
  4. Contact your local Cyber Resilience Centre for a free assessment
  5. Review your cyber insurance coverage

Making it sustainable 

Chris emphasised that staff education extends beyond the workplace: “When staff are at work, yes, they’re protecting the crown jewels, your company assets, but when they’re at home, it’s Instagram, it’s Facebook, it’s Tesco, Amazon, eBay, Sainsbury’s. We all have current accounts, savings accounts and mortgages. The same principles apply to us in our own lives.”

When staff understand cyber security fundamentals, they protect company assets during office hours and their personal finances and accounts outside of work. Everyone benefits from better security awareness.

Common objections answered 

During our conversation and in our work at ERGOS, we’ve heard every objection to implementing proper cyber security. Here are the most common ones, addressed directly:

“We can’t afford to invest in cyber security right now”

The fundamental security measures we’ve discussed cost little to nothing:

  • Enabling updates: Free
  • Using strong passwords: Free
  • Setting up MFA: Free
  • Enabling firewalls: Free (built into operating systems)
  • BitLocker: Included with Windows Pro

Even Cyber Essentials certification (£300-£500) costs far less than recovering from a single cyber attack. The average cost per attack for UK businesses reporting breaches is £4,200.

The question isn’t whether you can afford to protect yourself – it’s whether you can afford not to.

“Our staff don’t have time for this”

Most of these measures take minutes, not hours:

  • Enabling auto-updates: 2 minutes per device
  • Restarting devices: 5 minutes
  • Setting up MFA: 5-10 minutes per account
  • Creating standard user accounts: 10 minutes

Compare this to the weeks or months of disruption following a cyber attack.

“Technology changes too fast to keep up”

While specific threats evolve, the fundamental principles remain remarkably consistent:

  • Keep systems updated
  • Use strong authentication
  • Configure security features properly
  • Educate your team
  • Back up your data

These principles have been best practice for years and will remain so for the foreseeable future.

“We’re already using Microsoft 365, so we’re protected”

As we discussed earlier, Microsoft 365 includes excellent security features – but they’re not configured by default. Having the tools available isn’t the same as using them properly.

“We’ve never had a problem before”

This is like saying you don’t need home insurance because your house hasn’t burned down yet. 43% of UK businesses experienced a cyber security breach or attack in 2025. The statistics suggest it’s not a question of if, but when.

The ERGOS approach to SME cyber security 

At ERGOS, we work with SMEs daily to implement these practical security measures. We’ve seen first-hand how proper configuration of Microsoft 365, regular security reviews, and staff training transform an organisation’s security posture.

Our approach focuses on:

  • Practical implementation: We don’t just recommend security measures; we implement them with you
  • Business continuity: Ensuring security measures support rather than hinder your operations
  • Ongoing support: Cyber security isn’t a one-time project; it’s an ongoing process
  • Cost-effective solutions: Leveraging built-in security features before recommending additional spending
  • Staff training: Helping your team become your first line of defence

We understand that as an SME owner, you’re already managing sales, marketing, HR, and countless other responsibilities. You need IT support that takes security off your plate without requiring constant attention or breaking the budget.

The bigger picture: Why security awareness matters

Chris’s work at the South East Cyber Resilience Centre addresses something fundamental: many businesses don’t take cyber security seriously until they experience an incident. The centre’s role is to reach businesses before they become victims.

“We certainly go out to a lot of B2B expos. We speak to cybercrime victims that come through to the police,” Chris said. The pattern is clear: businesses that suffer attacks wish they’d taken basic precautions earlier.

The domino effect of poor security

Poor cyber security doesn’t just affect your business. If you’re part of a supply chain, a breach at your company can provide attackers with access to your clients or partners. This is why larger organisations increasingly require Cyber Essentials certification from their suppliers.

The positive reinforcement loop

Conversely, good security practices create positive effects:

  • Customers trust you more with their data
  • Partners are more willing to work with you
  • Insurance premiums may be lower
  • You sleep better at night knowing your business is protected
  • Staff feel more confident in your organisation’s professionalism

Looking ahead: The evolving threat landscape

The threat landscape will continue to evolve. The National Cyber Security Centre managed 20 significant ransomware incidents in 2024, with 13 classified as nationally significant [6] – a threefold increase from the previous year.

But the fundamentals remain constant. Keep systems updated, use strong authentication, configure security features properly, and educate your team. These steps won’t make you invulnerable, but they will make you a much harder target.

As Chris noted multiple times during our conversation, criminals follow the path of least resistance. By implementing these basic measures, you significantly reduce your risk profile.

Taking action: Your next steps

Cyber security for small businesses doesn’t require a huge budget or technical expertise. It requires a shift in mindset – recognising that your digital assets are as valuable as your physical ones, and that basic security measures provide substantial protection.

If you’re uncertain where to start or need help implementing these measures:

  1. Contact ERGOS: Visit www.ergos.uk to learn more about our IT support and cyber security services for SMEs
  2. Reach out to your local Cyber Resilience Centre: These free services can provide security assessments and guidance (see the National CRC Group website)
  3. Start with the basics today: Enable updates, set up MFA, and ensure firewalls are active
  4. Work toward Cyber Essentials: Even if you don’t need certification now, the framework provides an excellent roadmap

Remember Chris’s words throughout our conversation: the same security principles that protect your business also protect your personal digital life. The effort you invest benefits everyone.

In cyber security, the best time to act was yesterday. The second-best time is now. Don’t wait until you’re the one explaining to customers, partners, or insurers why you didn’t take basic precautions when you had the chance.

Frequently asked questions about small business cyber security

I’m just a sole trader working from home – do I really need to worry about cyber security?

Absolutely. Your size doesn’t matter to automated attacks – in fact, sole traders are often targeted because criminals assume you have weaker defences. Even working from home, you have valuable assets: your reputation, client data, email accounts, and financial information. As Chris explained, taking control of any of these can disrupt your business and cost you money. Plus, if you’re part of a larger supply chain, a breach at your level could affect your clients, potentially ending business relationships and damaging your reputation permanently.

How much does Cyber Essentials certification cost, and is it actually worth it?

Cyber Essentials certification typically starts at £350 for the basic self-assessment route, whilst the Plus version (with external technical assessment) starts from £1,250 per day. The return on investment is substantial. Organisations with Cyber Essentials make 92% fewer insurance claims, and the St. James Place case study showed an 80% reduction in incidents. More importantly, many larger organisations and all government contracts now require it, so it can unlock business opportunities you’d otherwise miss. Even if you don’t pursue certification immediately, working through the self-assessment identifies critical gaps in your security.

We use Microsoft 365 – doesn’t that automatically protect us?

Microsoft 365 includes excellent security features, particularly with the Business Premium licence. However, as Chris emphasised, “the product’s good, the weakness is the connection with the product.” None of these features are configured by default. Your 365 tenancy needs proper hardening before you upload company data or connect external services. This includes enabling multi-factor authentication, configuring access policies, setting up data loss prevention, managing user permissions, and securing external sharing. The tools are there, but someone needs to set them up correctly – they don’t protect you automatically.

My team complains about restarting their computers because they have multiple tabs open – is it really necessary?

Yes, it’s absolutely critical. Updates don’t fully apply until you restart, which means known vulnerabilities remain exposed. Chris compared this to discovering your front door lock is broken and choosing to sleep anyway – would you really do that? The solution is straightforward: have your team bookmark important pages rather than relying on open tabs. Modern browsers can even restore sessions if needed. This takes five minutes to set up and saves time in the long run. Plus, regular restarts clear system resources, making computers run faster. Schedule restarts during lunch breaks or end of day to minimise disruption to workflow.

We’ve been in business for years without any cyber security problems – why should we worry now?

This reasoning is like saying you don’t need home insurance because your house hasn’t burned down yet. The statistics are stark: 43% of UK businesses experienced a cyber attack in 2025. When Chris interviewed arrested cybercriminals, they admitted they don’t need sophisticated tools because businesses make it so easy by neglecting basic security. The threat landscape has fundamentally changed with automation: botnets continuously scan for vulnerable targets. The fundamental protections (updates, firewalls, strong passwords, MFA) cost little or nothing to implement, and the South East Cyber Resilience Centre even offers free guidance. The real question isn’t whether you can afford to protect yourself – it’s whether you can afford the disruption, financial loss, and reputational damage when an attack finally succeeds.


About the author: Stuart Black is Managing Director at ERGOS, providing IT support and cyber security services to SMEs across the UK. With years of experience helping businesses implement practical security measures, Stuart understands the unique challenges facing time-strapped business owners who need reliable IT support without the complexity.

About our guest: Chris White is Head of Cyber at the South East Cyber Resilience Centre, a free, police-led service helping businesses across Surrey, Sussex, Hampshire, Isle of Wight, and Thames Valley strengthen their cyber defences. The centre is one of nine regional centres established by the Home Office and law enforcement to support UK businesses, charities, and SMEs with practical cyber security guidance. Learn more at www.secrc.co.uk.


Sources

[1] Cyber security breaches survey 2024 – GOV.UK

[2] Cyber security breaches survey 2025 – GOV.UK

[3] 60% of European SMEs that are cyber-attacked have to close after six months – Startups Magazine

[4] Three random words – NCSC.GOV.UK

[5] Cyber Essentials scheme overview – GOV.UK, https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

[6] NCSC Annual Review 2024 – NCSC.GOV.UK
