
Cyber attacks are no longer just a problem for large corporations. UK small and medium-sized businesses (SMBs) are increasingly being targeted by cyber criminals because they are often seen as easier targets, with fewer security controls in place.

In the National Cyber Security Centre’s (NCSC) 2025 annual review, CEO Richard Horne said:

“The new normal is that cyber criminals will target organisations of all sizes, operating in any sector. From local coffee shops to providers of critical national infrastructure, every organisation must understand their exposure, build their defences, and have a plan for how they would continue to operate without their IT (and rebuild that IT at pace) were an attack to get through.”

Why does cyber security matter for SMBs?

There are several reasons why SMB owners should take cyber security seriously and protect their business from cyber attacks:

  • SMBs are attractive targets for cyber criminals due to more limited IT resources and security controls compared to larger companies.
  • Cyber attacks can have a significant financial impact, including lost revenue, recovery costs to fix systems, data breach fines from regulators and increased cyber insurance premiums.
  • System breaches can cause significant disruption to business operations, such as the shut-down of websites and employees being locked out of critical systems.
  • Cyber security helps you to comply with legal and regulatory requirements such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
  • A cyber attack which compromises your data can damage your business’ reputation and reduce customer trust.

What are the most common cyber threats facing SMBs?

Here are some of the most common cyber threats facing UK SMBs:

Phishing attacks

In the Government’s annual cyber security breaches survey, phishing is consistently the most common type of cyber attack experienced by businesses.

Phishing involves cyber criminals using scam emails, texts or phone calls that trick the recipient into giving access to data or downloading a computer virus.

Phishing attacks often impersonate official organisations such as banks and HMRC. Scammers may even pretend to be individuals that the recipient knows. One example is impersonating the boss of a company to trick employees into transferring money or revealing sensitive data.

Phishing attacks often use a sense of urgency to encourage people to click on malicious links or fill in scam forms.

Malware

Malware (short for malicious software) is software designed to damage or disrupt computer systems, networks or data, or to steal sensitive information. It usually reaches its victims when someone downloads an email attachment or visits a fake website.

Ransomware

Ransomware is a type of malware used by cyber criminals to block access to data or systems. The scammers then demand payment to restore access.

Denial of Service (DoS) attacks

This cyber attack involves overwhelming a website or server with traffic so it can’t be accessed by legitimate users.

Weak passwords

Scammers take advantage of simple or reused passwords to gain access to email accounts, social media profiles, websites and computer systems.

Outdated software

Criminals look for outdated software to exploit unpatched vulnerabilities and install malware.

What are some practical cyber security steps SMBs can take?

Cyber security actions for SMBs include:

Use strong passwords, multi-factor authentication and passkeys

To protect your personal and business information, you should use strong passwords. NCSC recommends using different passwords for different accounts. If you use the same one and scammers get hold of it, they could get access to everything.

Avoid easy-to-guess passwords such as ‘password’ or ‘abc123’, and don’t base them on personal information like dates of birth or names of family members.

Password managers are useful for securely creating and storing passwords across devices.

Multi-factor authentication (MFA), often referred to as two-factor authentication (2FA), is an effective way to protect your accounts, systems and devices. When 2FA is set up, a PIN or code is sent to a pre-agreed mobile phone, email address or other device, which you’ll need to enter as well as your password and email address.

Passkeys are a new and more secure alternative to passwords. Rather than typing a password, you sign in using a method already built into your phone or computer, such as a face scan, fingerprint or PIN. Your device stores the passkey and proves it’s really you when you’re logging in. Passkeys are much harder for scammers to access.

The availability of passkeys is increasing, and NCSC recommends that you opt for passkeys over passwords wherever they are available.

Keep software and devices updated

All your software and devices should always be updated to the latest version to prevent cyber criminals exploiting vulnerabilities. Switch on automatic updates where available so you’re always up to date.

Use antivirus software and firewalls

Ensure your devices have antivirus software to detect and block harmful programs, and firewalls to block unwanted connections.

Train employees to spot scams

Human error is a leading cause of cyber breaches, so your employees should be fully trained to spot scams and in other cyber security practices such as creating safe passwords, protecting devices and reporting incidents.

The National Cyber Security Centre provides free cyber security resources for SMBs, including the ‘Staying Safe Online: Top Tips for Staff’ e-learning course.

You can also pay for training from cyber security advisers and training companies.

Back up your data regularly

Regular back-ups mean that if you do experience a cyber attack, you can restore your files and data. You should ensure you always have at least one copy of all your data, including your website, emails, documents, presentations, contacts and customer information.

Back-ups can be stored online using services like iCloud, Google Drive and OneDrive, or on external devices like USB sticks and external hard drives. Disconnect external devices once the back-up has finished, so that ransomware on your network cannot reach the copy.

Switch on automatic back-ups to ensure your information is constantly updated.

Cyber Essentials certification

Cyber Essentials is a certification scheme developed by the NCSC and is the minimum standard of cyber security recommended by the government for all businesses.

The cost of Cyber Essentials depends on the size of your business. You can also pay for help from a cyber security adviser or certification body.

The scheme is focused on five technical controls that protect businesses from the most common internet-based cyber security threats. The controls are:

  • Firewalls
  • Secure configuration
  • Security update management
  • User access control
  • Malware protection

Businesses with a turnover of up to £20 million that receive Cyber Essentials certification also get free cyber liability insurance of up to £25,000.

Take action to protect your business

Even simple, low-cost measures can significantly reduce the risk of a cyber attack on your small business.


Frequently Asked Questions

Small businesses are often seen as easier targets because they may lack dedicated IT teams, advanced security tools, or regular staff training. Attackers assume their defences are weaker than those in large organisations.

Phishing is one of the most common cyber threats. It typically involves fraudulent emails designed to trick employees into revealing passwords or transferring money by looking legitimate.

Costs vary depending on size and risk profile. However, many effective protections, such as strong passwords, multi-factor authentication, staff training, and regular backups, are low-cost compared to the potential cost of a cyber attack.

For many UK SMBs, Cyber Essentials certification demonstrates a baseline level of security and can improve credibility with customers and suppliers, especially when bidding for contracts.

First published 9 Jun 2026

This article is intended to inform rather than advise and is based on legislation and practice at the time. Taxpayers’ circumstances do vary and if you feel that the information provided is beneficial it is important that you contact us before implementation. If you take, or do not take, action as a result of reading this article, before receiving our written endorsement, we will accept no responsibility for any financial loss incurred.

Dan Martin

Dan is a freelance journalist and event host who writes content for TaxAssist Accountants. With 20 years of experience, he has interviewed hundreds of entrepreneurs from famous names like Sir Richard Branson and Deborah Meaden to the founders behind the newest start-ups. Dan was previously Head of Content at small business membership organisation Enterprise Nation.

Choose the right accounting firm for you

Running your own business can be challenging so why not let TaxAssist Accountants manage your tax, accounting, bookkeeping and payroll needs? If you are not receiving the service you deserve from your accountant, then perhaps it’s time to make the switch?


Local business focus

We specialise in supporting independent businesses and work with 100,000 clients. Each TaxAssist Accountant runs their own business and is passionate about supporting you.


Come and meet us

We enjoy talking to business owners and self-employed professionals who are looking to get the most out of their accountant. You can visit us at any of our 389 locations, meet with us online through video call software, or talk to us by telephone.


Switching is simple

Changing accountants is easier than you might think. There are no tax implications, you can switch at any time in the year, and our team will guide you through the process for a smooth transition.

See how TaxAssist Accountants can help you with a free consultation

01322 863287
