According to the UK government's Cyber Security Breaches Survey, 50% of UK businesses reported a cyber security breach or attack in the past year. Yet the vast majority of small businesses have no formal IT policy, no tested backup, and no incident response plan. The good news: most of the risks can be addressed with six straightforward checks.
1. Check your data backups are actually working
Backing up your data is not the same as having a working backup. Many businesses discover their backup solution has been silently failing for months — only when they desperately need to restore it. Run a test restore today. Pick a folder, restore it to a different location, and confirm the files are complete and uncorrupted. Do this quarterly at minimum.
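A way to carry out the test restore described above, as an added example that is not part of the original article: copy a folder out of your backup to a scratch location, then run this script to compare every file against the live copy by relative path and SHA-256 checksum. The sample folder contents are constructed here so the script runs offline; the missing and truncated files are deliberate, so you can see what a failed restore report looks like.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the live folder with its test restore.

    Returns relative paths that are missing from the restore, present only in
    the restore, or differ in content (corrupt). Three empty lists mean the
    restore is complete and intact.
    """
    src, dst = snapshot(source), snapshot(restored)
    return {
        "missing": sorted(set(src) - set(dst)),
        "unexpected": sorted(set(dst) - set(src)),
        "corrupt": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
    }


def demo() -> dict:
    """Constructed sample: a three-file folder whose restore lost one file and
    truncated another, so the check reports both problems."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restore = Path(tmp, "live"), Path(tmp, "restore")
        for base in (live, restore):
            (base / "invoices").mkdir(parents=True)
        (live / "invoices" / "2024-q1.csv").write_text("inv,amount\n1,100\n")
        (live / "invoices" / "2024-q2.csv").write_text("inv,amount\n2,250\n")
        (live / "notes.txt").write_text("payroll on the 25th\n")
        (restore / "invoices" / "2024-q1.csv").write_text("inv,amount\n1,100\n")
        (restore / "invoices" / "2024-q2.csv").write_text("inv,amount\n")  # truncated
        # notes.txt is deliberately absent from the restore
        return verify_restore(live, restore)


if __name__ == "__main__":
    print(demo())
```

For a real check, point verify_restore at your live folder and the restored copy instead of the constructed sample; any entry under "missing" or "corrupt" means the backup cannot be relied on.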
Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy kept offsite or in the cloud. Cloud services such as Microsoft 365 Backup or Google Workspace Vault provide an automated offsite copy for a low monthly cost.
2. Enable multi-factor authentication everywhere
A stolen password alone is rarely enough to compromise an account if multi-factor authentication (MFA) is enabled. MFA requires a second proof of identity — typically a code from an app on your phone — before anyone can log in. Enable it on every account your business uses: email, cloud storage, banking, accounting software, and social media.
Microsoft reports that MFA blocks over 99.9% of account compromise attacks. It costs nothing to enable and takes less than five minutes per account. There is no good reason not to use it.
3. Keep all software and firmware up to date
Outdated software is one of the most exploited attack vectors in cyber security. When a vulnerability is discovered in Windows, a browser, or a router's firmware, attackers begin scanning for unpatched systems within hours of the public disclosure. Enable automatic updates for Windows or macOS, your browsers, your antivirus, and your router's firmware. If you're running software that is no longer receiving security updates — like Windows 10 (support ends October 2025) — migrating is urgent, not optional.
4. Audit who has access to what
Access control is often overlooked in small businesses where everyone shares admin credentials "for convenience." This is a significant risk. If one account is compromised, an attacker gains access to everything. Conduct an access audit: list every system and account your business uses, and ensure each person only has the access they need for their role. Remove accounts for staff who have left. Change shared passwords to individual credentials.
Use a password manager such as Bitwarden or 1Password to enforce strong, unique passwords across your team without requiring anyone to memorise dozens of complex strings.
5. Train your team to spot phishing
The NCSC's data shows that phishing — fraudulent emails designed to steal credentials or install malware — is the entry point for the vast majority of UK cyber incidents. Technology alone cannot fully stop phishing; human awareness is essential. Run a short phishing awareness session with your team. Cover the warning signs: unexpected sender addresses, urgent requests for payment or credentials, links that don't match the displayed text, and requests to bypass normal approval processes.
Free resources from the NCSC's Cyber Aware programme provide ready-made training materials suitable for non-technical staff.
6. Have a clear plan for when things go wrong
No system is completely foolproof. The question is not whether something will go wrong, but how quickly you can recover when it does. Document a simple IT incident checklist: who to call, where backups are stored, how to access critical systems if your primary machines are unavailable, and which services are most important to restore first. Share this document with at least two people in your business.
If you don't have in-house IT expertise, a managed IT support contract gives you a professional on call when you need it most — without the cost of a full-time IT employee.
Need IT support for your business?
KomTek provides managed IT support for UK small businesses — from proactive monitoring and security to on-call helpdesk. Get in touch for a free IT review.