Five Basic Controls That Can Save Your Business

Small organisations are often told to take cyber security seriously, but the advice can become too broad too quickly. The focus should be on the controls that can be improved now, without waiting for a large security project, a new team, or a major budget.

The National Cyber Security Centre’s (NCSC) Small Organisations Guide cuts through some of that complexity by focusing on basic controls: backups, devices, email, online accounts and recognising attacks early.

The NCSC says there are 5.5 million small organisations in the UK with between 0 and 49 employees, and that one in two small businesses suffer a cyber incident every year. It also reminds us that many of the recommendations below can be completed in as little as five minutes.

That does not mean cyber security becomes easy. It means the first steps are often clearer than people expect, and they usually cost little or nothing.

Many organisations are unwittingly exposed because they are unaware of the tools they already have to improve their security position. Business users of Microsoft 365, for instance, have tools for security, identity, privacy, and device management built into the M365 environment.

1. Lock down ALL devices connected to your IT environment

Phones, laptops and tablets hold business information. They also leave the office, sit in cars, move between home and work, and connect to public networks.

If a criminal accesses a business device, they may be able to view private information, change passwords, take over accounts, make purchases or cause financial and reputational damage.

The basic low-cost controls need to be consistent here.

Every work device should have a strong PIN, password, fingerprint access or face recognition. Default passwords should be changed. Common passwords should be removed. Personal information, such as dates of birth or pet names, should not be used.

The check should match the device. On iPhones and iPads, confirm that a passcode, Face ID or Touch ID is enabled. On Android phones and tablets, check the screen lock, fingerprint or face unlock settings. On Windows laptops, review password settings and Windows Hello, where available. On Macs, check that each user has a login password and that shared devices are not left open.

Devices, software and apps also need regular updates. Updates fix weaknesses that criminals may use to gain access. Check Android updates, iPhone and iPad updates, macOS updates, Windows updates and app updates. Delete apps that are no longer used, especially on devices that hold work email, customer data, payment information or access to business systems.

Unsupported devices also need to be addressed.

If a phone, laptop or computer no longer receives updates, it should be replaced with a device that does. This does not mean buying the latest model. It means using something that still receives security updates.

A simple device list will show where attention is needed. Record who has each device, what it is used for, when it was last updated and whether it is still supported. Include personal devices if they are used for work. A phone used to access business email, shared files or banking alerts still creates risk, even if the business does not own it.

M365 Business Premium subscriptions can provide a comprehensive list of connected devices, including:

– Windows PCs
– Macs
– iPhones/iPads
– Android devices

2. Treat email as one of your most sensitive systems

“EMAIL IS THE MOST COMMON METHOD OF ENTRY.”

Email is often the route into everything else. If an attacker gains access to a business mailbox, they may be able to read private information, impersonate the business, reset passwords for other services and gain access to further accounts. The NCSC also notes that business emails qualify as data, so email protection forms part of GDPR obligations.

Every email account should have a strong and unique password. Reused passwords are a common weakness because a single exposed password can compromise multiple accounts. The NCSC recommends using a password manager or the password tools built into devices and browsers to create and store different passwords.

This applies whether the business uses Outlook, Gmail, Apple Mail, Yahoo, BT or another provider. The email password should be different from any personal account password. Staff should not save business passwords in unmanaged notes, spreadsheets or shared documents.

The next step is 2-step verification, also known as 2SV, MFA or two-factor authentication. The NCSC describes this as one of the most effective ways to protect email and other accounts because it can keep criminals out even if they know the password.

Where the provider offers 2SV, switch it on for every mailbox used for work. That includes shared mailboxes, finance accounts, admin accounts, old addresses that still receive messages and any mailbox used to reset passwords for other services.

It is not enough to enable 2SV on the owner’s mailbox while leaving finance, shared mailboxes, admin accounts or supplier-facing accounts outside the control. Attackers look for the account that was missed.

3. Secure the accounts that could stop the business from operating

“MFA IS ONE OF THE STRONGEST METHODS OF PREVENTING CREDENTIALS COMPROMISE.”

Once the email is protected, review the accounts the business relies on. The NCSC points to banking, HR, payroll, social media, online storage, company websites, domain hosting and point of sale software as important online accounts.

In day-to-day terms, that may include Microsoft accounts, Google accounts, Apple IDs, OneDrive, Google Drive, iCloud, LinkedIn, Facebook, Instagram, X, TikTok, Amazon, PayPal, website hosting, domain management, payroll software, payment platforms, and point-of-sale systems.

Keep a simple register of these accounts. It should show:

– Who owns the account?
– Who has access?
– Is 2SV turned on?
– Is the password unique?
– Are any former staff, suppliers or contractors still active?
– When was access last reviewed?

Check recovery details as well. An account linked to an old mobile number, a former employee’s email address or a supplier account nobody monitors can delay recovery when access is needed quickly.

Access should be reviewed every few months. Remove or disable accounts that are no longer used. This reduces the number of routes into the business and makes account ownership clearer during an incident.

4. Make suspicious activity easy to report

Cyber attacks often start quietly. The NCSC lists warning signs such as unusual emails, customers receiving messages you did not send, login alerts you do not recognise, slow or unexpected device behaviour and unauthorised payments. It also says 85% of cyber attacks against businesses start with a scam email.

Staff do not need to become security experts, but they do need to know what to report.

That may include an unexpected Microsoft or Google login alert, a customer receiving an email the business did not send, a social media post nobody recognises, an unusual payment request, or a device suddenly behaving strangely. These signs should be reported quickly and without blame.

The reporting route should be clear. Who should the staff contact? What should they do if they clicked a link? Should they disconnect the device? Should they call the bank? Who can reset passwords? Who contacts customers if a mailbox has been used to send fraudulent emails?

The NCSC advises businesses to have a cyber attack response plan that defines who does what and when, in case something goes wrong or is about to go wrong. Prompt responses to suspicious activities or emails can catch issues before they become a crisis.

A short plan is better than a long document nobody reads. It should cover the first hour: who leads, who investigates, who communicates, who contacts suppliers, who checks backups, who speaks to the bank and who records the decisions made.

5. Know what you would need to restore

Most businesses now rely on digital information to keep operating. That may include email, invoices, customer records, documents, website content, contacts, accounting data and supplier information. The NCSC advises small organisations to back up the data they need to operate, either through online storage or an external device, and to check that backups can be restored.

For many small businesses, this means checking the services already in use. Apple users can use iCloud; Google Workspace or Android users can use Google Drive or Google’s backup tools; and Microsoft 365 or Windows users can use OneDrive or Windows Backup. An external drive can still be useful, especially where internet access is unreliable, but it should be stored securely and disconnected when not in use.

At that point, we should remember that storage is not recovery.

A backup means a copy exists somewhere. Recovery means the business can get the right data back, in the right order, within a timeframe it can live with.

For a small business, recovery arrangements need to be built around the following considerations:

1. What data do we need to trade tomorrow morning?
2. Is any of the organisation’s data subject to laws or regulations regarding privacy or statutory retention?
3. Who knows how to operate the restore process?
4. Where are the instructions kept?
5. Can we access the backup if email is unavailable?
6. Has anyone tested a restore recently?

The test does not need to be complicated. Restore one important file, mailbox, folder, system export or customer record set. Then record the result. If the restore fails, the business has found the weakness before an attacker, hardware failure, or accidental deletion exposes it.
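The restore test described above, as an added example that is not from the NCSC guide or CiContinuity: it backs up constructed sample data to a tar archive (standing in for whatever backup copy the business actually uses), restores one named item into a separate location rather than over the live data, checks it is byte-identical, and writes a dated RESTORE-OK or RESTORE-FAILED line to a log so the result is recorded. All paths live in a temporary directory created by the script.

```shell
#!/bin/sh
# Added example, not the NCSC's or CiContinuity's code: a minimal restore test.
# Everything below is constructed in a temporary directory; the tar archive
# stands in for whatever backup copy the organisation really uses.
set -eu
WORK=$(mktemp -d)
LIVE="$WORK/live"          # stands in for the working data
BACKUP="$WORK/backup.tar"  # stands in for the backup copy
RESTORE="$WORK/restore"    # separate location: never restore over live data
LOG="$WORK/restore-test.log"

# Constructed sample data: a customer record set and one invoice.
setup_sample_data() {
  mkdir -p "$LIVE/customers" "$LIVE/invoices"
  printf 'id,name\n1,Example Ltd\n' > "$LIVE/customers/list.csv"
  printf 'INV-0001 total 120.00\n' > "$LIVE/invoices/inv-0001.txt"
}

# Take the backup copy of the whole live directory.
take_backup() {
  tar -cf "$BACKUP" -C "$LIVE" .
}

# Restore one named item into the separate restore location.
# Returns non-zero if the item is not in the backup at all.
restore_item() {
  mkdir -p "$RESTORE"
  tar -xf "$BACKUP" -C "$RESTORE" "./$1" 2>/dev/null
}

# Check the restored item is byte-identical to the live copy and record the
# outcome, so the test leaves the written record the guidance asks for.
# Returns 0 on RESTORE-OK, 1 on RESTORE-FAILED.
verify_item() {
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if cmp -s "$LIVE/$1" "$RESTORE/$1"; then
    printf '%s RESTORE-OK %s\n' "$stamp" "$1" >> "$LOG"
    return 0
  fi
  printf '%s RESTORE-FAILED %s\n' "$stamp" "$1" >> "$LOG"
  return 1
}

# One restore test of one important file, as the text suggests.
run_restore_test() {
  setup_sample_data
  take_backup
  restore_item "$1" || true   # a missing item surfaces as RESTORE-FAILED
  verify_item "$1"
}

run_restore_test customers/list.csv && echo "restore test passed; log at $LOG"
```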

Backups also need separation. If an external device is left permanently connected, some malware can affect that device as well. The NCSC specifically warns that storage devices should not stay connected when not in use.

Many organisations make the incorrect assumption that their data is automatically backed up. In most cases, copies or prior versions of files are maintained, BUT:

– They may be subject to retention periods.
– Whilst back-up copies exist, they may exist in silos, compromising an efficient organisation-wide restoration process.
– Most “native” back-up features do not protect the back-ups themselves, so once the organisation’s IT environment is compromised, so are any back-ups.

This is one area where specialised services will be required to provide higher levels of protection, rapid restoration processes and the capability to regularly test those restoration processes.

Final thoughts on the basic controls that can save your business

Good cyber security for a small business starts with ordinary discipline. Back up the right data. Test the restore. Lock devices. Update software. Protect email. Turn on 2-step verification. Remove old accounts. Make reporting easy.

None of these steps removes every risk. They do make the most common routes into the business harder to use, and they give the organisation a better chance of recovering cleanly if something goes wrong.

For many small organisations, that is the right first objective: reduce easy exposure, improve evidence, and make recovery possible. Make sure you also have the means to confirm that these controls are operating and being maintained effectively.

If you want to review your current cyber security and recovery position, CiContinuity’s consultants can help assess your controls, identify weak points and put practical improvements in place across security, backup and business continuity.

About the Author

Steve Dance, MBCS

Steve is an experienced consultant with in-depth experience of operational risk, resilience, business continuity, and information security management. He has worked with technical and non-technical management teams to develop and improve business continuity and information security capabilities for their organisations, including risk and exposure assessment, incident response and recovery, and the deployment of oversight and governance processes.