Applying Cybersecurity Good Practice to a Small Business
Applying cybersecurity good practice in a small business is less about buying expensive tools and more about building a few reliable habits: protect accounts, keep systems updated, back up what matters, and prepare for the day something goes wrong. The UK National Cyber Security Centre (NCSC) publishes a practical Small Business Guide that’s designed specifically to help smaller organisations do the basics well, quickly.
Why small businesses are targeted
Attackers often prefer smaller firms because they can be easier to compromise yet still hold valuable assets: customer data, invoices, card payments, email accounts, and trusted access to larger clients. A single hijacked mailbox can be enough for criminals to impersonate your business, change the bank details on outgoing invoices, or trick staff into paying fraudulent requests.
Good practice focuses on reducing the most common attack paths (phishing, stolen or reused passwords, malware, unpatched systems) and on making recovery fast if an incident does happen.
Start with your “crown jewels”
Before choosing controls, list what you’re protecting and where it lives. That usually includes: customer contact details, payroll information, supplier bank details, your email accounts, your website/admin panels, and any cloud storage containing contracts or designs.
Then identify the handful of systems and accounts that would hurt most if compromised (often email, banking, and cloud admin). For those, apply the strongest protections first, rather than trying to do everything everywhere on day one.
Account security that actually works
Many breaches start with a compromised account (a phished or reused password), so make identity and access your first priority.
- Turn on multi-factor authentication (MFA/2FA) for important accounts like email and banking wherever it's available; it adds significant protection for relatively little effort.
- Update your password approach: don't force regular password changes; change a password when you suspect compromise, and focus instead on strong, unique passwords and MFA.
- Reduce the number of high-privilege ("admin") accounts and use them only when the task needs them; day-to-day work, including email and web browsing, should be done from standard user accounts so that a phished user does less damage.
A simple example: if you use Microsoft 365 or Google Workspace, your first hour of improvement is enabling MFA for all users, then verifying that it is actually enforced for every admin account and that each account's recovery methods (backup phone number, recovery email) are correct and belong to the business rather than to a former employee.
Patch, configure, and protect endpoints
Many successful attacks rely on known vulnerabilities or insecure default settings. Good practice is to keep all devices and software supported, patched, and securely configured, and to maintain an inventory so you know what you’re responsible for.
For a small business, make this practical:
- Use supported operating systems and applications, and apply security updates promptly across laptops, desktops, servers, and key apps.
- Standardise devices where you can (a “baseline build”); it’s easier to secure 10 similar laptops than 10 unique ones.
- Use anti-malware protection and restrict who can install software; ordinary users should not need admin rights to do their jobs, and that alone blocks a lot of malware.
Backups: your safety net
Backups are one of the most cost-effective controls for ransomware, accidental deletion, and device loss. The NCSC Small Business Guide highlights backing up data as a key step because it turns many disasters into inconveniences, provided the backup is current and restorable.
Make backup good practice concrete:
- Back up the data that matters (file shares, cloud drives, finance exports, customer databases), not just whole computers.
- Keep at least one backup copy that cannot be reached with everyday user credentials (offline, or in a separate account or immutable storage), so ransomware that encrypts the live data cannot encrypt the backup as well.
- Test restores periodically; an untested backup is a hope, not a control.
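The restore test above is the part most small businesses skip, so here is what it looks like as a script. This is an added example, not code from the NCSC guide: it archives a directory, records a SHA-256 for every file, restores the archive into a scratch location and compares, and then shows two failure modes (a file the manifest expects but the archive lacks, and an archive truncated mid-copy). The sample "finance" files are constructed; the archive and manifest names are assumptions.

```python
"""Backup with a built-in restore test: archive a directory, record the SHA-256 of
every file, then extract the archive into a scratch location and compare."""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup_directory(src: Path, archive: Path) -> Dict[str, str]:
    """Write src to a .tar.gz plus a JSON manifest; both owner-readable only."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    # Restrictive permissions are a start; the offline or separate-account copy
    # recommended in the text is a storage decision this script cannot make for you.
    os.chmod(archive, 0o600)
    os.chmod(manifest_path, 0o600)
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore into a scratch directory and return a list of problems.
    An empty list means every file came back with the expected checksum."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        # Newer Pythons offer the 'data' extraction filter, which refuses absolute
        # paths and '..' traversal hidden inside an archive; use it when present.
        extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch_dir, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(scratch_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"checksum mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_restore_test_demo() -> Dict[str, List[str]]:
    """Constructed sample data: back it up, verify, then show two failure modes."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "finance"
        (src / "invoices").mkdir(parents=True)
        (src / "customers.csv").write_text("name,email\nA. Customer,a@example.com\n")
        (src / "invoices" / "2024-05.txt").write_text("INV-0001 paid\n")
        archive = Path(work) / "finance.tar.gz"

        manifest = backup_directory(src, archive)
        results["good"] = verify_restore(archive, manifest)

        # A file the manifest expects but the archive never contained.
        wrong_manifest = dict(manifest, **{"invoices/2024-06.txt": "0" * 64})
        results["missing_file"] = verify_restore(archive, wrong_manifest)

        # An archive cut in half, as left behind by a full disk or an interrupted copy.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        results["truncated"] = verify_restore(archive, manifest)
    return results


if __name__ == "__main__":
    for case, problems in run_restore_test_demo().items():
        print(f"{case}: {'PASS' if not problems else problems}")
```

Run it on a schedule against the real backup location and treat any non-empty result as an incident to investigate, not a warning to snooze; a backup that has never been restored is exactly the "hope, not a control" the text warns about.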
Secure mobiles and remote working
Small businesses rely heavily on smartphones and tablets for email, messaging, and admin approvals, so losing a phone can become a security incident. The NCSC guidance recommends using device lock protections like PIN/biometrics and enabling 2FA for important accounts where available.
If you allow remote work:
- Require device screen locks and encryption where available, keep remote lock/wipe enabled, and make sure staff know how to report a lost device quickly.
- Keep business data in managed apps/accounts (for example, company email and cloud storage) rather than personal accounts, so access can be removed when someone leaves.
People and process: prevent the easy wins
Cybersecurity is operational: you need repeatable routines.
- Create simple policies staff can follow (acceptable use, password/MFA expectations, how to report suspicious emails), and reinforce them with short, regular reminders.
- Minimise “privilege creep”: when someone changes role or leaves, remove access promptly and review shared accounts.
- Plan incident response in advance; the NCSC “10 Steps” material emphasises having an incident response and disaster recovery capability and testing plans.
For example, write a one-page "what to do if you clicked a link" playbook: disconnect the device from the network (Wi‑Fi or cable) but don't switch it off, don't enter any more credentials, call the nominated internal contact, and capture what happened (time, sender, email subject, screenshots). If a password was typed into the page, change it from a different device. This speeds up response and reduces panic-driven mistakes.
Data protection and legal expectations (UK)
Cybersecurity and data protection overlap: if you handle personal data, security measures are part of your compliance responsibilities. The UK Information Commissioner’s Office (ICO) provides advice and guidance aimed at small and medium organisations and offers tools to generate tailored advice and answers.
A realistic 30-day improvement plan
If you want a manageable path, implement in this order:
- Enable MFA/2FA for email, cloud admin, and finance; confirm recovery options and disable or remove unused accounts.
- Ensure automatic updates are on for operating systems and core apps; replace or isolate any unsupported devices.
- Establish reliable backups for key data, plus a simple restore test.
- Lock down mobiles (PIN/biometrics, encryption, remote wipe) and keep company accounts behind MFA on every device that reaches them.
- Write a short incident response checklist and run a 15-minute tabletop exercise with staff.
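The first step of the plan, and the Microsoft 365 / Google Workspace example earlier in the page, both come down to the same check: which accounts have privileges, which lack MFA, and which look abandoned. The script below is an added example, not part of the NCSC guide or of either vendor's tooling. It runs the three checks over a constructed CSV export; the column names (user, roles, mfa_enabled, last_sign_in) are an assumption to be mapped onto whatever your admin console actually exports.

```python
"""Audit a user export for account-security basics: privileged accounts without
MFA, any account without MFA, and accounts that look abandoned."""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample export (not real data). The column names are an assumption:
# map them to whatever your Microsoft 365 / Google Workspace admin export provides.
SAMPLE_EXPORT = """user,roles,mfa_enabled,last_sign_in
alice@example.com,Global Administrator,true,2024-05-30
bob@example.com,,true,2024-05-28
carol@example.com,Billing Administrator;Exchange Administrator,false,2024-05-29
dave@example.com,,false,2023-11-02
svc-scanner@example.com,,true,
"""

Finding = Tuple[str, str, str]  # (severity, user, message)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1}


def parse_export(text: str) -> List[Dict]:
    """Turn the CSV export into normalised records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_sign_in"].strip()
        records.append({
            "user": row["user"].strip().lower(),
            # Roles are ';'-separated in this constructed export; any role counts as privileged.
            "roles": [r.strip() for r in row["roles"].split(";") if r.strip()],
            "mfa_enabled": row["mfa_enabled"].strip().lower() in ("true", "yes", "1"),
            "last_sign_in": (datetime.strptime(last, "%Y-%m-%d").replace(tzinfo=timezone.utc)
                             if last else None),
        })
    return records


def audit(records: List[Dict], now: datetime, stale_days: int = 90) -> List[Finding]:
    """Apply the three checks; returns findings sorted by severity, then user."""
    findings: List[Finding] = []
    for r in records:
        privileged = bool(r["roles"])
        if privileged and not r["mfa_enabled"]:
            findings.append(("HIGH", r["user"], "privileged account without MFA"))
        elif not r["mfa_enabled"]:
            findings.append(("MEDIUM", r["user"], "account without MFA"))
        if r["last_sign_in"] is None:
            findings.append(("MEDIUM", r["user"], "never signed in; disable if not needed"))
        else:
            idle = (now - r["last_sign_in"]).days
            if idle > stale_days:
                findings.append(("MEDIUM", r["user"], f"no sign-in for {idle} days; disable or remove"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


def run_sample_audit() -> List[Finding]:
    """Run the audit over the constructed export as of a fixed date (2024-06-01)."""
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return audit(parse_export(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    for severity, user, message in run_sample_audit():
        print(f"{severity:6} {user:28} {message}")
```

On the sample, the billing admin without MFA comes out as the one HIGH finding, which matches the page's advice to fix the handful of accounts that would hurt most first; the stale and never-used accounts are the "unused accounts" the 30-day plan says to remove, and a service account that has never signed in interactively deserves a question rather than an automatic deletion.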
In practice, good security also supports privacy principles: limiting access, protecting data in transit and at rest, and having a breach plan. The ICO’s small-organisation guidance hub is a sensible starting point for understanding expectations and finding the right self-serve tools.
